VIRUS-L Digest             Monday, 26 Jun 1989        Volume 2 : Issue 142

Today's Topics:

Mac anti-viral archives
Documentation anti-viral archives
Re: Saveinfo.exe (PC)
Disk corrupting .exe virus
New Virus - Fu Manchu? (PC)
Re: New Virus - Fu Manchu? (PC)
VKILLER 2.20 (Atari ST) available on ssyx
Re: Saveinfo.exe (PC)
The Little Vaccine that Didn't (Mac)
WordPerfect Corp. on the Israeli Virus (PC)
Anti-viral software postings
Re: Virus policy

--------------------------------------------------------------------------------

Date:    22 Jun 89 12:25:58 GMT
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Mac anti-viral archives

# Anti-viral archive sites for the Macindroids...
# Listing of 22 June 1989

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The Mac index for the virus archives can be retrieved as
                request: mac
                topic: index
        For further details send a message with the text
                help
        The administrative address is

ifi.ethz.ch
        Danny Schwendener
        Access is through SPAN/HEAPNET, but can also be reached using
        X.25 and modem ports (no direct dialins, though).
        Archives are in process of moving to a new machine.

pd-software.lancaster.ac.uk
        Steve Jenkins
        I'm not sure of access, but you Brits ought to know by now.  :-)

rascal.ics.utexas.edu
        Werner Uhrig
        Access is through anonymous ftp, IP number is ??.??.??.??.
        Archives can be found in /mac/virus-tools.
        Please retrieve the file 00.INDEX and review it offline.
        Due to the size of the archive, online browsing is discouraged.

sumex.stanford.edu
        Bill Lipa
        Access is through anonymous ftp, IP numbers are 10.0.0.56
        and 36.45.0.87.
        Archives can be found in /info-mac/virus.
        Administrative queries to .
        Submissions to .

wsmr-simtel20.army.mil
        Robert Thum
        Access is through anonymous ftp, IP number 26.0.0.74.
        Archives can be found in PD3:.
        Please get the file 00README.TXT and review it offline.

- --
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date:    22 Jun 89 12:27:00 GMT
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Documentation anti-viral archives

# Anti-viral archive sites for the scholarly crowd...
# Listing of 22 June 1989

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The index for the **GENERAL** virus archives can be retrieved as
                request: general
                topic: index
        The index for the **MISC.** virus archives can be retrieved as
                request: misc
                topic: index
        **VIRUS-L** entries are stored in monthly and weekly digest form from
        May 1988 to December 1988.  These are accessed as log.8804 where the
        topic substring is comprised of the year, month and a week letter.
        The topics are:
                8804, 8805, 8806 - monthly digests up to June 1988
                8806a, 8806b, 8806c, 8806d, 8807a .. 8812d - weekly digests
        The following daily digest format started on Wed 9 Nov 1988.
        Digests are stored by volume number, e.g.
                request: virus
                topic: v1.2
        would retrieve issue 2 of volume 1; in addition v1.index, v2.index
        and v1.contents, v2.contents will retrieve an index of available
        digests and an extracted list of the contents of each volume
        respectively.
        **COMP.RISKS** archives from v7.96 are available on line as:
                request: comp.risks
                topic: v7.96
        where topic is the issue number; as above, v7.index, v8.index and
        v7.contents and v8.contents will retrieve indexes and contents lists.
        For further details send a message with the text
                help
        The administrative address is

lehiibm1.bitnet
        Ken van Wyk
        new: This site has archives of VIRUS-L, and many papers of general
        interest.  Access is through ftp, IP address 128.180.2.1.
        The directories of interest are VIRUS-L and VIRUS-P.
        There may also be mail access.
        This archive may go away with the departure of Ken.

lll-winken.llnl.gov
        Vijay Subramanian
        This site has archives of VIRUS-L, and many papers of general
        interest.  Access is through ftp, IP address 128.115.14.1.
        There are quite a number of subdirectories living under /virus-l.
        I have been unable to get through for several months; I understand
        they are having trouble upgrading their network.

pd-software.lancaster.ac.uk
        Steve Jenkins
        I'm not sure of access, but you Brits ought to know by now.  :-)

unma.unm.edu
        Dave Grisham
        This site has a collection of ethics documents.  Included are
        legislation from several states and policies from many institutions.
        Access is through ftp, IP address 129.24.8.1.
        Look in the directory /ethics.

- --
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date:    22 Jun 89 07:45:28 GMT
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Re: Saveinfo.exe (PC)

In article <0007.8906201731.AA26692@spot.CC.Lehigh.EDU> VIRUS-L@IBM1.CC.Lehigh.EDU writes:
| I just downloaded a program named safeinfo.exe from a bbs
| at (201)473-1991.  safeinfo (tm) is a trademark of
| safeware (TM) incorporated.  the program is a clone of norton's
| sysinfo with more features.
|
| what makes it worthy of mention here is the fact that safeware (TM)
| runs an internal test upon itself each and every time it is loaded.

If you like this idea, you can use it with your own programs.  A shareware
package ($10-$15) called CAware allows "your C programs to be self-aware".
The registration fee gets you source code.  This is available from the
IBMPC anti-viral archive sites.

- --
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date:    Tue, 20 Jun 89 12:28:35 BST
Sender:  Virus Alert List
From:    "David.J.Ferbrache"
Subject: Disk corrupting .exe virus

Original-From: Fridrik Skulason

I have just run into a virus that does not fit the description of any other
virus that I know of.
It is an .EXE file infector and does not touch .COM files.  Every time an
infected program is run, a random number is generated.  In most cases
nothing happens, but sometimes the virus will select a free cluster on the
current drive, and mark it as bad.  On the computer where I found it
originally, 10 Mbytes out of 20 had been marked as bad.

This virus stays resident in memory, and hooks INT 21.  When an uninfected
program is run, it is first infected.

This virus uses a few tricks to avoid detection, but I have not quite
finished disassembling it yet.  It seems to refrain from infecting
programs if disk protection software is installed.

This virus does not appear to be a modification of the other .EXE infectors
that I know of (Jerusalem & April-1), but I am not quite sure of it, since I
do not have a copy of those viruses.

If you have heard of this virus please let me know.  I will distribute a
report when I have finished disassembling the virus.  (Quite a job, since
it is very large).

------------------------------

Date:    Thu, 22 Jun 89 11:54:55 BST
Sender:  Virus Alert List
From:    LBA002%PRIME-A.TEES-POLY.AC.UK@ibm1.cc.lehigh.edu
Subject: New Virus - Fu Manchu? (PC)

Reference: Computer Guardian 22nd June 1989

A new virus?  The first issue of Virus Bulletin (a newsletter specialising
in viruses) announces Fu Manchu.  This new virus is said to insert obscene
comments into printed documents after the keying of 4 names:-
Botha, Reagan, Waldheim & Thatcher.

Any sightings (or suggestions for new names, or the text of the obscene
comments?)

Rgds,
Iain Noble

PS

I've discovered that GateKeeper won't work on our ancient 128/512k Macs to
stop reinfection with the dose of nVirB we have going around.  Am I right?
If I am, any helpful suggestions?

------------------------------

Date:    Thu, 22 Jun 89 14:25:21 BST
Sender:  Virus Alert List
From:    "David.J.Ferbrache"
Subject: Re: New Virus - Fu Manchu?
(PC)

Iain,

Please find enclosed a brief description of the Fu Manchu virus:

Fu Manchu                Parasitic virus - resident

Type description:

The virus occurs attached to the beginning of a COM file, or the end of an
EXE file.  It is a rewritten version of the Jerusalem virus, and most of
what is said for that virus applies here with the following changes:

a. The code to delete programs, slow down the machine, and display the
   black 'window' has been removed, as has the dead area at the end of the
   virus and some sections of unused code.

b. The marker is now 'rEMHOr' (six bytes), and the preceding 'sU' is now
   'sAX' (Sax Rohmer - creator of Fu Manchu).

c. COM files now increase in length by 2086 bytes & EXE files 2080 bytes.
   EXE files are now only infected once.

d. One in sixteen times on infection a timer is installed which runs for a
   random number of half-hours (maximum 7.5 hours).  At the end of this
   time the message 'The world will hear from me again!' is displayed in
   the centre of the screen and the machine reboots.  This message is also
   displayed every time Ctrl-Alt-Del is pressed on an infected machine, but
   the virus does not survive the reboot.

e. There is further code which activates on or after the first of August
   1989.  This monitors the keyboard buffer, and makes derogatory additions
   to the names of politicians (Thatcher, Reagan, Botha & Waldheim),
   censors out two four-letter words, and to 'Fu Manchu ' adds 'virus
   3/10/88 - latest in the new fun line!'  All these additions go into the
   keyboard buffer, so their effect is not restricted to the VDU.

All messages are encrypted.

> PS
>
> I've discovered that GateKeeper won't work on our ancient 128/512k Macs
> to stop reinfection with the dose of nVirB we have going around. Am I right?
> If I am, any helpful suggestions?

Hmm, the documentation for gatekeeper says that it should operate on Mac
with 128K Rom or better, including Mac 512Ke, Plus, SE, II etc.
If this does not apply to your Macs then I suspect that vaccine is the only
alternative (or possibly one of the watch inits if you only require notice
of possible infection without the comprehensive error checking applied to
resource writes by vaccine).

Sorry I can't be of more help

- ------------------------------------------------------------------------------
Dave Ferbrache                            Internet
Dept of computer science                  Janet
Heriot-Watt University                    UUCP       ..!mcvax!hwcs!davidf
79 Grassmarket                            Telephone  +44 31-225-6465 ext 553
Edinburgh, United Kingdom                 Facsimile  +44 31-220-4277
EH1 2HJ                                   BIX/CIX    dferbrache
- ------------------------------------------------------------------------------

------------------------------

Date:    22 Jun 89 01:35:49 GMT
From:    koreth@ssyx.ucsc.edu (Steven Grimm)
Subject: VKILLER 2.20 (Atari ST) available on ssyx

Version 2.20 of George Woodside's VKILLER virus killer program for the
Atari ST has been posted to comp.binaries.atari.st and is available from
the archive on ssyx.ucsc.edu.  The archive can be accessed via anonymous
ftp to address 128.114.133.1, or by sending the message

        send binaries/volume5/vkiller.220 part01 part02 part03 part04

to archive-server@ssyx.ucsc.edu.

- ---
These are my opinions, which you can probably ignore if you want to.
Steven Grimm                 Moderator, comp.{sources,binaries}.atari.st
koreth@ssyx.ucsc.edu         uunet!ucbvax!ucscc!ssyx!koreth

------------------------------

Date:    21 Jun 89 23:06:58 GMT
From:    stripes@wam.umd.edu
Subject: Re: Saveinfo.exe (PC)

In article <0007.8906201731.AA26692@spot.CC.Lehigh.EDU> VIRUS-L@IBM1.CC.Lehigh.EDU writes:
[stuff deleted]
>safeware (TM) is a unique new concept in shareware.  all safeware (TM)
>products run safeware's (TM) proprietary selftest (TM) module as soon
>as they are loaded.
[stuff deleted]

Of course as soon as safeware's (TM) proprietary selftest gets too popular
(assuming they intend to sell the selftest to other programmers, or that
they become massively popular...)
a new virus could just remove the checking code.  (same deal for Word
Perf.)  To make a selftest strong you have to make them non-standard.
(i.e. change the code on every release even if the last release was fine,
make it different for each product, and whenever else you can).

- --
stripes@wam.umd.edu                    "Security for Unix is like
Josh_Osborne@Real_World,The             Mutitasking for MS-DOS"
"The dyslexic porgramer" - Kevin Lockwood
"Dammit Jim, I'm a Doctor not an Excorsist" - One of Bones' lines in a
 previous ST:V script...

------------------------------

Date:    Fri, 23 Jun 89 13:01:22 PDT
From:    dplatt@coherent.com (Dave Platt)
Subject: The Little Vaccine that Didn't (Mac)

I recently had an interesting experience in which a network of Macs was
heavily infected by a virus, even though the Macs' owners had installed
Vaccine.  The cause, it turned out, was due to the use of an old (and
arguably obsolete) version of TOPS!  Y'all might want to be alert for
similar situations in your own areas.

I first found out about the infection when we had our corporate artwork
scanned at a local desktop-publishing service bureau, and converted to EPS
format.  Out of curiosity, I took a look at the Mac EPS file's resource
fork, to see if it included a PICT resource.  It did... and it also had an
INIT 29 resource.  Uh oh.

I called the service bureau and talked to the woman who had done the
scanning;  she was surprised at the infection, and said "We've got virus
protection for all of our machines".

I stopped by the service-bureau earlier this week to have our artwork
rescanned (not because I was afraid to use the infected copy, but because I
wanted it in portrait layout rather than in landscape form).  I also took
along a diskette of antivirals and offered to clean up their network;  they
were most willing to have me do so.

Their main network (which uses MacServe for file-sharing) was in good
shape.  One application on the server's hard disk was infected by nVIR A,
but the systems were otherwise quite clean.
All machines booted with Vaccine, which was properly configured and appears
to have been effective in preventing virus-spread.

Their secondary network was another case entirely... it was _lousy_ with
copies of INIT 29.  Their Mass Micro file-server disk, and the disk on the
machine used for scanning, were riddled with this pest... there must have
been almost 100 infected files.

I cleaned up the infection with Disinfectant, and checked Vaccine.  It was
configured with the "Always compile MPW INITs" option turned on;  I turned
it off, having heard that some viruses could possibly sneak past Vaccine
when this option was selected.  I then rebooted both machines from their
hard disks.

To my surprise, the Vaccine icon did not appear during startup, even though
the "Show icon" option was selected.  Some fiddling with ResEdit showed
that Vaccine protection was not functioning... I could create CODE
resources without triggering an alert.

I suspected that the copies of Vaccine installed on these two machines
might have been damaged somehow, so I replaced them with a copy from one of
the MacServe client-machine startup disks, which I had determined was
functional.  No good... Vaccine would not install itself at boot time.  I
tried installing GateKeeper... same result... it would not install at boot
time.

At this point, a little light began to dawn.  I took a look at the System
(6.0) and the other files in the System folder.  Lo and behold, the version
of TOPS in use on these machines was dated 1987.  Bingo.

This version of TOPS was released before Apple developed the "INIT 31"
mechanism that runs INIT resources stored outside of the System file.  The
TOPS Installer program that comes with this version installs its own
version of INIT 31, which (I believe) runs the INIT resources in INIT and
RDEV (Chooser) files in the System folder.  However... the INIT 31
installed by TOPS does *NOT* run INIT resources contained in Control Panel
(cdev) files!
As a result, neither Vaccine nor GateKeeper was being installed at boot
time.  Vaccine showed up in the Control Panel, but it wasn't functioning.
[GateKeeper is smart enough to keep itself out of the Control Panel display
if its INIT has not run... a nice touch, Chris!]

The fix for the problem was simple:  I replaced the System files on these
machines with cleaner versions (with Apple's own INIT 31 intact), and copied
all of the fonts and desk-accessories from the old files to the new ones.
Vaccine now installs itself at boot time, and TOPS works too.  I've
recommended that the service-bureau purchase a more up-to-date version of
TOPS, so that they don't run into this same problem if they ever reinstall
the out-of-date version that they're using now.

The moral of the story:  whether you're using Vaccine, GateKeeper, SAM, or
some other anti-viral shield INIT, you should double-check to make sure
that it's actually being installed at start-up time and is providing the
desired protection for your system.  Simply dragging the file into your
System folder and rebooting is _not_ sufficient to guarantee that your
system is protected!

Dave Platt                                 FIDONET: Dave Platt on 1:204/444
  VOICE: (415) 493-8805
  UUCP: ...!{ames,sun,uunet}!coherent!dplatt     DOMAIN: dplatt@coherent.com
  INTERNET:   coherent!dplatt@ames.arpa,  ...@uunet.uu.net
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303

------------------------------

Date:    Fri, 23 Jun 89 17:19:19 pdt
From:    well!odawa@lll-winken.llnl.gov (Michael Odawa)
Subject: WordPerfect Corp. on the Israeli Virus (PC)

My colleague Derrick Shadel asked if I would post this note:

-----

I would like to add some information to the excellent analysis Y. Radai
reported regarding the Israeli virus and its effect on WordPerfect 4.2.

We would first like to concur that this is really a strain of the Israeli
virus which infects many other programs besides WordPerfect.
Thus the term "WordPerfect Virus" would not be an appropriate appellation
for this agent, and indeed would only add to the confusion.  Since that
name also unfairly characterizes our product, we would appreciate it not
being used.  Thank you.

Second, we have obtained a copy of the virus through the good offices of
Lance Nakata of Stanford University, and can confirm Radai's description of
how the infector interacts with our product.

When the Israeli virus infects an .EXE file, it reads the length field of
the header.  WP 4.2, like a large class of similar programs, has some
additional information appended to the "normal" .EXE data.  This
information includes the overlays and some text messages used during the
operation of the program.  This is why the .EXE length was not increased
and why the virus was inserted into the middle of the program.  It was
actually added to the end of the normal part of the .EXE and overwrote a
portion of the overlays that are appended.

When WP 4.2 starts up it searches for the .EXE so it can open and use the
overlays and text messages that are part of that file.  In the process of
infecting the .EXE, data areas were changed that WP 4.2 uses to determine
if the correct .EXE was found (we do this because it might be someone's old
WP 4.1 .EXE that was found).  This results in the error message about
WP.EXE not being found.

I hope this helps you to better understand why WP 4.2 reacts differently
when it is infected with the Israeli virus.  With WP 5.0 the overlays and
text messages are kept in a separate file called WP.FIL.  Since the .FIL
and .EXE are separate, the floppy with the .EXE can be write protected
without adversely affecting the way WordPerfect runs.

I hope this information is helpful to those who have investigated this
problem.  We appreciate your work, and hope that together we can find a way
to free ourselves of these malicious and destructive viruses.

Derrick Shadel
WordPerfect Corp.
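The header arithmetic behind Derrick Shadel's explanation, as an added example that is not WordPerfect Corp.'s code nor anything from the digest: an MZ header declares the load module size in 512-byte pages (e_cp) plus the bytes used in the last page (e_cblp, 0 meaning a full page); whatever a file carries past that offset is overlay data the DOS loader never reads. The sample .EXE, the WP_MARKER identification string, and simulate_overlay_clobber are all constructed here; the real WP 4.2 check data is not on the page, so the marker stands in for it.

```python
"""MZ (.EXE) header arithmetic: where the load module ends, where appended
overlay data begins, and why a program that keeps its own identification
data in the overlay notices when something writes at the header-declared end.

Added example, not WordPerfect Corp.'s code. WP_MARKER and the sample image
are constructed stand-ins (assumption); the real WP 4.2 data is not known here."""
import struct

PAGE = 512  # MZ header sizes are expressed in 512-byte pages

# Hypothetical identification data kept at the start of the overlay area,
# standing in for whatever WP 4.2 actually looks for (assumption).
WP_MARKER = b"CONSTRUCTED-WP42-OVERLAY-ID"


def declared_size_from_fields(e_cblp, e_cp):
    """Load-module size implied by the header: e_cp pages, with e_cblp bytes
    used in the last page (e_cblp == 0 means the last page is full)."""
    size = e_cp * PAGE
    if e_cblp:
        size -= PAGE - e_cblp
    return size


def mz_load_module_size(data):
    """Read e_cblp (offset 2) and e_cp (offset 4) and return the declared size.
    Everything past that offset is overlay data the loader ignores."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    return declared_size_from_fields(e_cblp, e_cp)


def overlay(data):
    """Bytes appended after the declared load module (empty if none)."""
    return data[mz_load_module_size(data):]


def overlay_intact(data):
    """The kind of start-up sanity check the note describes: the program looks
    for its own identification data in the overlay and refuses to run otherwise."""
    return overlay(data).startswith(WP_MARKER)


def build_sample_exe():
    """Constructed sample: 32-byte header, NOP filler as 'code' so the load
    module is exactly two full pages, then a marker-led overlay."""
    hdr = bytearray(32)
    hdr[0:2] = b"MZ"
    # e_cblp=0 (last page full), e_cp=2 pages, e_crlc=0 relocations,
    # e_cparhdr=2 paragraphs (a 32-byte header)
    struct.pack_into("<HHHH", hdr, 2, 0, 2, 0, 2)
    code = b"\x90" * (2 * PAGE - len(hdr))
    ovl = WP_MARKER + bytes(200)  # constructed overlay payload after the marker
    return bytes(hdr) + code + ovl


def simulate_overlay_clobber(data, n):
    """Damage model from the note: something that trusts the header's length
    field writes n bytes at the declared end of the load module. The file
    length stays the same; the first n bytes of the overlay are lost.
    Zero filler only: this models the corruption, nothing else."""
    end = mz_load_module_size(data)
    return data[:end] + bytes(n) + data[end + n:]


if __name__ == "__main__":
    clean = build_sample_exe()
    print("declared load module:", mz_load_module_size(clean), "of", len(clean), "bytes")
    print("overlay intact:", overlay_intact(clean))
    damaged = simulate_overlay_clobber(clean, 64)
    print("same length after clobber:", len(damaged) == len(clean),
          "overlay intact:", overlay_intact(damaged))
```

The same arithmetic explains the WP 5.0 remedy in the note: once the overlays live in a separate WP.FIL, nothing in WP.EXE sits past the header-declared end, so a write there changes the file length and cannot silently land on overlay data.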
- -----
forwarded by:
Michael Odawa
Software Development Council
odawa@well.uucp

------------------------------

From:    The Heriot-Watt Info-Server
Date:    Mon, 26 Jun 89 10:31:31 BST
Subject: Anti-viral software postings

Just a quick note to let people know that the following anti-viral
software has been posted to USENET news.

comp.binaries.atari.st
        Virus killer version 2.20
        Flu viral simulator

comp.binaries.mac
        Virus detective 3.0.1

Cheers
Dave Ferbrache

------------------------------

Date:    Mon, 26 Jun 89 12:43:06 EDT
From:    lmi312@leah.Albany.EDU (TheBabeWithThePwr)
Subject: Re: Virus policy

> Here at Old Dominion University, our internal auditors have asked that a
> virus policy be adopted.  We are forming a working group, composed of a
> mainframe systems person, pc/lab person, and academic services person.
>
> I joined this list in the hopes of learning from those who have gone
> before!  I am seeking any advice, or policies set up by other
> institutions which could help us define our own.
>
> I suppose we would like to address prevention, detection, and recovery, as
> well as procedures for dealing with anyone caught trying to infect any
> of our systems.
>
> Any responses would be GREATLY appreciated.

Although there is no real policy set at my school, SUNY Albany, there was
a student who did write and release a virus on our system.  To the best of
my knowledge, he was fined and disusered...supposedly he is now attending
MIT.

------------------------------

End of VIRUS-L Digest
*********************
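Appended after the digest as an added example (not code from Fridrik Skulason or any other contributor): a FAT12 bad-cluster census for the symptom described in the "Disk corrupting .exe virus" report above, where free clusters are marked bad until half the disk is gone. A FAT12 entry of 0xFF7 marks a cluster unusable; counting those entries, and comparing the count against an earlier snapshot of the same volume, turns the report's observation ("10 Mbytes out of 20 had been marked as bad") into a repeatable check. The volume image, its geometry and the cluster numbers are all constructed in build_sample_image().

```python
"""FAT12 bad-cluster census: list clusters the FAT marks bad (0xFF7), the
space they cost, and which ones turned bad since an earlier snapshot.

Added example, not code from the digest or its authors. The disk image is
constructed below; its geometry and cluster numbers are made up."""
import struct

BAD_CLUSTER = 0xFF7  # FAT12 entry value meaning "cluster unusable"


def fat12_entry(fat, n):
    """Read 12-bit FAT entry n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word & 0xFFF if n % 2 == 0 else word >> 4


def set_fat12_entry(fat, n, val):
    """Write 12-bit FAT entry n without disturbing its packed neighbour."""
    off = n + n // 2
    if n % 2 == 0:
        fat[off] = val & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((val >> 8) & 0x0F)
    else:
        fat[off] = (fat[off] & 0x0F) | ((val << 4) & 0xF0)
        fat[off + 1] = (val >> 4) & 0xFF


def parse_bpb(image):
    """BIOS Parameter Block fields needed to find the FAT and size the data area."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", image, 11)
    root_entries, total = struct.unpack_from("<HH", image, 17)
    spf = struct.unpack_from("<H", image, 22)[0]
    return dict(bps=bps, spc=spc, reserved=reserved, nfats=nfats,
                root_entries=root_entries, total=total, spf=spf)


def bad_clusters(image):
    """Cluster numbers the first FAT copy marks bad."""
    b = parse_bpb(image)
    fat_off = b["reserved"] * b["bps"]
    fat = image[fat_off:fat_off + b["spf"] * b["bps"]]
    root_sectors = (b["root_entries"] * 32 + b["bps"] - 1) // b["bps"]
    data_sectors = b["total"] - b["reserved"] - b["nfats"] * b["spf"] - root_sectors
    n_clusters = data_sectors // b["spc"]
    # data clusters are numbered from 2
    return [n for n in range(2, 2 + n_clusters) if fat12_entry(fat, n) == BAD_CLUSTER]


def bytes_lost(image):
    """Capacity removed from use by bad-cluster marks."""
    b = parse_bpb(image)
    return len(bad_clusters(image)) * b["spc"] * b["bps"]


def newly_bad(before, after):
    """Clusters that turned bad between two snapshots of the same volume."""
    return sorted(set(bad_clusters(after)) - set(bad_clusters(before)))


def build_sample_image(bad=()):
    """Constructed 32 KB FAT12 volume: 512-byte sectors, 1 sector per cluster,
    1 reserved sector, 2 FATs of 1 sector each, 16 root entries, 64 sectors."""
    bps, total = 512, 64
    image = bytearray(bps * total)
    image[0:3] = b"\xeb\x3c\x90"
    image[3:11] = b"MSDOS5.0"
    struct.pack_into("<HBHB", image, 11, bps, 1, 1, 2)
    struct.pack_into("<HH", image, 17, 16, total)
    image[21] = 0xF8                       # media descriptor: fixed disk
    struct.pack_into("<H", image, 22, 1)   # sectors per FAT
    image[510:512] = b"\x55\xaa"
    fat = bytearray(bps)
    set_fat12_entry(fat, 0, 0xFF8)         # media-byte entry
    set_fat12_entry(fat, 1, 0xFFF)
    for n in bad:
        set_fat12_entry(fat, n, BAD_CLUSTER)
    image[bps:2 * bps] = fat               # FAT #1
    image[2 * bps:3 * bps] = fat           # FAT #2 (mirror)
    return bytes(image)


if __name__ == "__main__":
    yesterday = build_sample_image(bad=(17,))        # one genuine media defect
    today = build_sample_image(bad=(5, 6, 17, 40))   # after the symptom appears
    print("bad clusters today:", bad_clusters(today), "->", bytes_lost(today), "bytes lost")
    print("newly bad since yesterday:", newly_bad(yesterday, today))
```

A bad-cluster count that climbs steadily on a drive that passes a surface scan is the signal worth watching; the count by itself cannot distinguish a genuine defect from a mark written through INT 21, so keep the earlier snapshot and look at the difference.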