VIRUS-L Digest Tuesday, 19 Sep 1989 Volume 2 : Issue 195 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Article on Datacrime virus re: Iceland/Saratoga viruses (PC) October 12/13 (PC) VirusDetective questions (Mac) Re: Virus? or what? (PC) TYPO vs. Ping-Pong (PC) More on October 13 virus (PC) --------------------------------------------------------------------------- Date: Mon, 18 Sep 89 08:23:21 -0400 From: "Bruce Guthrie" Subject: Article on Datacrime virus "Computer Virus Sparks a User Scare" "Some Analysts Say the 'Friday the 13th' Fears Are Overblown" by John Burgess Washington Post, Sep 17 1989, pg H3 A computer "virus" that springs to life destructively on Friday the 13th is on the loose, and across the country computer users are rushing helter-skelter to protect their machines against it. Yet, with fewer than 10 verified sightings in a country with tens of millions of computers, some experts are saying the threat is being absurdly overblown. "At this point, the panic seems to have been more destructive than the virus itself," said Kenneth R. Van Wyk, a security specialist at Carnegie-Mellon University's Software Engineering Institute. He has been taking 20 phone calls a day for advice on the subject. Written as pranks or tools of sabotage, viruses are software programs designed to spread surreptitiously through computer interconnections and the exchange of the floppy magnetic storage disks on which computer programs and data are recorded. Once introduced into a machine, they transmit their own instructions to the computer, causing it to destroy data or display a surprise message on the screen. The new one is known variously as the Datacrime, Columbus Day, and Friday the 13th virus. Aimed at IBM-compatible personal computers, it is designed to lie dormant and unnoticed in a machine until Oct. 13, a Friday, and then activate as soon as an unwitting user turns on the machine and "executes" a program. (Many computers have internal calendars that make such date-activated instructions possible.) At that time, a message flashes on the screen: DATACRIME VIRUS. RELEASED 1 MARCH 1989. Simultaneously, the virus erases a section of the machine's disk storage unit that serves as an index to the information on the disk [the FAT]. People with something more than basic technical knowledge can fix the problem and recover the data, however. The federal government views viruses as a grave threat to the nation's information systems and has set in motion special programs to guard computers against them and to punish people who introduce them. The phenomenon received widespread public attention last fall, when a virus written by a Cornell University graduate student swept through the federally supported Internet research network, replicating itself automatically over and over and temporarily tying up 6,000 machines in one day. The Datacrime virus, however, is targeted at computers that for the most part are not linked in networks. And it comes at a time when publicity has led many users to take the basic precautions of "safe computing," avoiding free software that is posted on bulletin boards, where the viruses may lurk, and using only programs that come in factory-sealed containers. The Software Engineering Institute knows of fewer than 10 cases, Van Wyk said. International Business Machines Corp. said Thursday is it not directly aware of any. "If it was out there in any number," said Bill Vance, director of secure systems for IBM, "it would be spreading and be more noticeable." October 13, he said, is not likely to be "a major event." At Centel Federal Systems of Reston, however, a different mood prevails. It has been operating a toll-free hotline on the virus, with six people working full-time. It has received more than 1,000 calls, according to Tom Patterson, senior analyst for security operations at the federal systems unit, which is owned by independent telephone company Centel Corp. of Chicago. Patterson said he began working on the virus about five weeks ago, after receiving a tip from an acquaintance in Europe that hackers there were planning to modify an existing virus and, by dialing up electronic bulletin boards across the Atlantic, release it in this country. Subsequent investigation turned up specimens in this country fitting the description he had received. Patterson said he had dissected a version of it and, in tests, found that it could penetrate a number of software products that are supposed to keep viruses out. In recent days, he found one on the machines of a Centel client. "The virus is out there," Patterson said. "It's real." Also active in the campaign is John McAfee, a virus-protection specialist based in Santa Clara, Calif., who runs a bulletin board on which he offers anti-viral programs. His phone line has been constantly busy in recent days. Concern has heightened with each new report of the virus in the computer trade press and on at least one wire service, the Associated Press, leading some security specialists to see the panic as a self-fulfilling prophecy by the media. Others wonder whether companies that make anti-viral products are not happy to see the scare being pumped up. "The more panicked people get," said Jude Franklin, general manager of Planning Research Corp.'s technology division, "the more people who have solutions are going to make money." For $25, which it says is necessary to cover the cost of a disc, shipping, and handling, Centel is offering software written by McAfee that searches for the virus. Patterson said Centel would be losing money on the discs [!] but is doing it anyway. "I'm not trying to hype this," he said. "I'm working 20-hour days... to get the word out." ------------------------------ Date: Mon, 18 Sep 89 11:44:14 -0400 From: "Y. Radai" Subject: re: Iceland/Saratoga viruses (PC) David Chess writes: >There seem to be three different viruses in this general family: > > - One is a resident EXE-file infector that infects every tenth > EXE file executed, and sometimes will mark a free cluster on a > hard disk as bad (the "damage" routine). I've seen this one > called the "Saratoga 1". > - The second ... is just like the first, except that it checks > the segment of the INT13 vector, and if it's not 0070 or F000, > it doesn't do anything. I've seen this called the "Saratoga 2", > and also the "Icelandic Disk-Crunching virus" .... > - The third differs from the first in that it bypasses INT21 ... and > doesn't have the "mark a cluster bad" code. It doesn't have the > INT13 check that the second version does. Fridrik Skulason calls > this, quite reasonably, the "Icelandic Virus, version 2". > >Does this check correctly with everyone? .... The facts reported by David are correct, except that the first ver- sion infects every *second* EXE file executed instead of every tenth one. Btw, though it was originally reported that the Saratoga was disco- vered "some months earlier" than the first Icelandic virus, it later turned out that the Saratoga is actually a hack of Icelandic-1. Since I recently tried to clarify for myself the same question which David raises, I can present the following table summarizing the main differences between the versions: Version: Saratoga Icelandic-1 Icelandic-2 -------- ----------- ----------- File length increase(*): 642 656 632 Infects 1 file out of every 2 10 10 DOS services via interrupts? Yes Yes No Marks a cluster as bad? Yes Yes No Checks Int 13h Segment? No Yes No Signature(**): PooT 18 44 19 5F 18 44 19 5F First appearance: July 89 June (Feb?) 89 July 89 (*) The total length is rounded up to the next higher multiple of 16, if necessary. (This happens with *any* EXE-infecting virus.) (**) This is the last 4 bytes of the virus (used to determine if a file is already infected). I consider the bypassing of interrupts which Icelandic-2 performs to be very significant. I think ARC513.EXE (a hacked version of SEA's ARC) also did this, but it was a Trojan, not a virus. Among viruses, I heard of a strain of the Jerusalem virus which infects by direct BIOS access instead of by Int 21, though I'm not sure if that strain ever spread publicly. At least one version of the Vienna virus (not the one in Ralf Burger's book) is worthy of mention here since it overwrites 1 out of 8 files with code containing a far jump to the BIOS initialization routine. Have I forgotten any cases? The important thing about all this is that although the spreading of such viruses has been predicted for a long time, the authors of most monitoring programs, such as FluShot+, have either failed to find a solution or have ignored these predictions entirely. As far as I know, there is only one program so far which can stop such viruses and Trojans, and that is Fridrik Skulason's F-LOCK. If anyone knows of any other such program, I'd like to hear of it. Y. Radai Hebrew Univ. of Jerusalem ------------------------------ Date: Mon, 18 Sep 89 12:22:00 -0500 From: Meesh Subject: October 12/13 (PC) I'm the editor of our university's computing newletter. I need to know how users can detect the October 12/13 virus ahead of time. Is there a way at all? I don't want to alarm users, but I feel they should know about the possible existence of this problem. Thanks. [Ed. In VIRUS-L volume 2 issue 192, Charles M. Preston states that a) Viruscan V36 can detect Datacrime and that b) Datacrime can be identified by the hex string EB00B40ECD21B4 (1168 version) or 00568DB43005CD21 (1280 version). Note that a hex string search can be done via the DEBUG 'S' command (e.g., "S CS:100 FFFF hex_string" at the DEBUG prompt), if my memory of MS-DOS is correct.] Michelle Gardner Coordinator, Information Services Information Technology University of Houston ------------------------------ Date: 18 Sep 89 20:53:56 +0000 From: awinterb@udenva.cair.du.edu (Richard Nixon) Subject: VirusDetective questions (Mac) Has anyone used VirusDetective for the Mac? We've used it, but it seems to detect viruses in files that we doubt are affected. How reliable is this bit of software? ...!ncar!udenva!awinterb or according to rumor awinterb@du.edu ------------------------------ Date: Mon, 18 Sep 89 14:30:23 -0400 From: dmg@retina.mitre.org (David Gursky) Subject: Re: Virus? or what? (PC) Interesting that a new virus ("3555") should show up so soon after the stories about the alleged Datacrime attack, set for Oct. 13., especially one that has some resemblence to Datacrime. BTW, the Washington Post ran an article on Computer Viruses in yesterday's Business section. Ken Van Wyk is quoted extensively, which probably accounts for the article's general sanity (vis-a-vis some "Sky is falling" type articles). David Gursky ------------------------------ Date: Tue, 19 Sep 89 00:36:29 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: TYPO vs. Ping-Pong (PC) I just finished examining the Typo virus. This virus is rather new - it was first detected in Israel this summer. It creates errors in printouts, by (sometimes) replacing some characters or digits. (By the way - a surprisingly large number of viruses seems to have originated in Israel. First to arrive were the two versions of the April 1. virus (sURIV 1.0 and sURIV 2.0) that later were merged into one virus, (sURIV 3.0) which evolved into the well-known Jerusalem virus (sUMsDos) variant. That virus was then used as a basis for the "Fu Manchu" virus. Later the two boot sector viruses, Typo and SWAP, arrived. Finally, just a few days ago a new virus, MIX1 was reported. Anyhow - as has been reported before (Y. Radai and others) the TYPO virus is closely related to the Ping-Pong or "Italian" virus, which is one of the most common viruses around. In fact, the viruses are so similar that some anti-virus programs even identified Typo as the Italian virus. This is not so surprising, since the boot sectors are almost identical. Almost - but not quite. The differences between the boot sectors are: Some local variables have been moved. For example, the word containing the location of the original boot sector is now located two bytes earlier than before. The signature (two bytes that the virus uses to see if a diskette has already been infected) has been changed. The activation times have been changed. Ping-Pong had an "activation window" (a second or so long) every half hour. Typo will become active 112.5 seconds after power-on, and will stay active most of the time. The major differences between the two viruses are in the other part of the virus code, which is not stored in the boot sector, but in the cluster the viruses mark as "bad" in the FAT. Of course, there are quite a few interesting things the viruses have in common. Typo contains the same "bug" as Ping-Pong does, that prevents it from working on '286 and '386 machines. It is possible to remove Typo with some programs designed to remove Ping-Pong. Since the signature is stored in the same place on both viruses, it is possible to inoculate diskettes against one of them, but not both. Fridrik Skulason University of Iceland frisk@rhi.hi.is Guvf yvar vagragvbanyyl yrsg oynax ................. ------------------------------ Date: 19 Sep 89 08:42:00 +0700 From: "Hartmut Haberland,03.1.5" Subject: More on October 13 virus (PC) Danish TV (Channel 2) had a brief report on the October 13 virus in the evening news yesterday. It has obviously emerged at the Danish Post Giro office in Copenhagen and created a lot of panic. The report was the usual sort of journalists' blather, basically implying that Viruses are God's punishment for pirate copying. Still, one gets nervous. I'll take a backup of all harddisks here at Roskilde University just before the date (something one should do anyway ...), I mean in our department, but what else can one do? Please advise (I'm following the newsletter, of course) ... Hartmut Haberland hartmut@jane.ruc.dk or RUCHH@NEUVM1 (on what some people call Because It's There NET) ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253