VIRUS-L Digest Tuesday, 26 Sep 1989 Volume 2 : Issue 204 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Administrative announcement Re: Good viruses? New versions of scanv and scanres (PC) IBM Virus (from EXPERT-L list) (PC) Re: Copyrights and shareware... Security procedures on LANs re: 123 virus (PC) re: More Datacrime hoopla, propoganda, and general paranoia re: datacrime & fdisk (PC) preventing virus attacks (PC) --------------------------------------------------------------------------- Date: Tue, 26 Sep 89 07:00:00 From: krvw@sei.cmu.edu (Kenneth R. van Wyk) Subject: Administrative announcement It seems like just yesterday that I took a vacation and VIRUS-L was down for a week... Well, it's going to happen again. This time I'll be in Hawaii for two weeks on my honeymoon, far away from any computer and very much out of SkyPager range. I'll be leaving Friday, October 6 and returning on Monday, October 23. During this time, no VIRUS-L digests or comp.virus articles will be distributed. However, feel free to send in messages for subsequent posting upon my return. Also, VALERT-L will remain active and (as always) unmoderated, but is to be used for VIRUS WARNINGS ONLY (violators will face my wrath when I get back :-). Also as always, the CERT can be contacted via cert@SEI.CMU.EDU or (412) 268-7090 (24 hour hotline) for Internet security issues. Sorry about any inconvenience. Things will return to their normal (hectic) pace when I get back. Ken van Wyk ------------------------------ Date: Tue, 26 Sep 89 07:38:39 -0400 From: dmg@retina.mitre.org (David Gursky) Subject: Re: Good viruses? A good virus is an oxymoron. All a potential attacker would do is take the infector code and transplant a logic-bomb or time-bomb code to it. This does raise an interesting question though for health checks. Suppose a company has stringent rules about protecting desktop computers from viruses. How do you go about ensuring the rules are being followed? One thought I had was the user of "Tiger Teams". What this Tiger Team would do is work at night and attempt to infect some of the corporation's desktop computers with a "benign" virus (one that produces a warning message, but takes no malicous action, akin to the MacMag virus). The Tiger Team would operate under strict supervision, and a computer that was successfully penetrated would be "quarantined" until the following day. The next day, the user would get a visit from the Computer Center folks and get a nice (or not so nice; depending on how often in the past the user had been successfully "attacked" by the Tiger Team) lecture on anti-virus methods. Obviously, the virus would have to be carefully controlled. The disks would have to be kept under lock and key when not in use, and under supervision when in use. Comments? David Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Tue, 26 Sep 89 07:14:43 -0500 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: New versions of scanv and scanres (PC) Recent updates, hot off the presses! scanv38.arc Update to replace previous versions of viruscan. Note that the documentation has an incorrect version number in it. This is how the archive was released. (The updates have been fast and furious, so it's understandable.) Also note that the size of the executable is larger than what John McAfee promised it would always be. I guess when he said "always", he didn't forsee the number of revisions of the program he'd be releasing. Executable is version 0.5v38. scanres8.arc Update to replace previous versions of scanres. It is possible that the previous version I sent was identical to an even more previous version I sent. In any case, this one's NEW. :-) Again, note that the docs and the program disagree on version number. Executable is version 0.8v38. SCANV38.ARC Scans hard drives and reports viruses found. SCANRES8.ARC Resident program scans progs for viruses before executing. Jim ------------------------------ Date: Thu, 21 Sep 89 20:38:00 -0400 From: Ken Hoover Subject: IBM Virus (from EXPERT-L list) (PC) [Ed. This message was forwarded from the BITNET mailing list, EXPERT-L.] Original-Date: Mon, 18 Sep 89 17:38:00 EDT Original-From: Sanjay Hiranandani On Friday morning at 8:00 AM, I came into the Sibley facility, sat down at IBM #18, and invoked Foxbase. Instead of the familiar welcome screen, the machine hung. Other pieces of software throughout in the facility had recently quit working for no apparent reason. Gregg said "I think there might be a virus here," (or words to that effect); from that time to now, Gregg and I have spent most of our waking hours trying to figure this out. This comes at a specially bad time for Gregg because he's in the middle of training new operators and so on. Here is a brief summary of what is now known about the virus: 1. Approximately seven of the Sibley facility's IBM PS/2's have been found to be infected with a highly contagious IBM virus "time bomb". Gregg and I have developed a reliable test for the program and will soon complete its eradication from the facility. Some users' personal applications and disks, however, are probably infected. 2. The DMPC program (disk manager) which is intended to restrict users from copying or deleting our software, is effective in protecting programs from being corrupted -- but only for those programs for which DMPC has been properly configured to monitor. 3. The virus rewrites *.EXE and *.COM files with many changes including the virus code itself. In most cases, these changes are tolerated by the program and it continues to work. In the case of Word Perfect (WP.EXE) and Foxbase (FOXPLUS.EXE), the changes make the program completely nonfunctional. In other programs, small difference are noticed: small rectangles of the screen display may get misplaced, for example. 4. An infected *.EXE file can be recognized by the hex string 10078419C5, a five byte string which apparently takes over the 21st through 25th bytes near the beginning of the file. This is not the only change, but it is a consistent one. Infected copies of WP.EXE, FOXPLUS.EXE, APL.EXE, ED.EXE, NU.EXE, etc., etc., all had this same string in the exact same location. No uninfected software had this string anywhere. Uninfected IBM's had no sign of this string anywhere on their hard disks. 5. This same string also occurs in what appears to be the virus code itself, which is written to the "slack area" of *.EXE files between the end-of-file and the end of the file's actual allocated disk space. Often, maybe always, the end-of-file marker is overwritten. Secondly, a certain fixed distance after the occurence of 10078419C5 is the ascii text "COMMAND.COM", a further clue for identifying this virus. 6. Files modified by the virus show NO SIGN AT ALL of any change to the DOS directory command. The number of bytes and the date and time of last modification are unchanged, when in fact a file is infected. 7. When a file is fragmented on the disk, individual fragments may become separately infected. 8. Setting a file's attributes to "read-only" or "hidden" does NOT protect it. 9. Setting the write protect tab on a diskette appears to protect diskettes in the 3.5" drives at Sibley. Executing a program from a locked 3.5" diskette on an infected machine generates a "Write protect error writing drive A" message. The program on the diskette remains uninfected. 10. When an infected machine's internal clock-calendar is changed to register a date of 10-13-89 (Friday the 13th), all *.EXE and *.COM files will DELETE themselves when a user tries to execute them (for example, if a user types WP, for WordPerfect, the WP.EXE file would be deleted, and the message "Bad command or file name" would be displayed on the screen). This condition applies when the system date is 10-13-89, but not 10-12-89 or 10-14-89 (we speculate that it may apply to every Friday the 13th, but this has not been tested). Attempts to execute a program from an unlocked diskette will cause the deletion of the program, regardless of whether it was previously infected. The virus deletes programs in a normal fashion, and these files are probably recoverable. Of course, all these recoverable files are infected anyway, and not really worth recovering (unless the virus begins to kill data files as well). 11. When the system date is 10-13-89, the virus attempts to delete DMPC-protected software (the warning bleep sounds), but fails. Such programs continue to work even on machines heavily infected with non-DMPC protected software. 12. After working all day Friday fighting this virus, I spoke with my girlfriend, who had heard something on National Public Radio about a virus which becomes active on October 13. In the meantime, Gregg heard a rumor about an October 12th virus. From a friend in Michigan, I heard about an October 12th virus which supposedly would attach itself to *.COM files and disable the hard disk by overwriting track 0. I don't know whether these other reports are of the same exact virus (with a few wrong facts), or whether there is some national "collective action" to write lots of different viruses which all spring into view on the same day or so. (I incline toward the first view, Gregg toward the second). Please let me know if I can be of any further assistance in getting rid of this thing. Larry Kestenbaum, Sibley PTOP Gregg Cirielli, SIbley FTOP ------------------------------ Date: Tue, 26 Sep 89 09:20:16 -0400 From: dmg@retina.mitre.org (David Gursky) Subject: Re: Copyrights and shareware... In Virus-L Digest V2 #203, an anonymous author (IA9600 -- ) writes: this is not so. shareware is for the most part copyrighted and mr. mcafee's software does indeed carry a copyright! as the owner of a work which is copyrighted, j. mcafee caN CALL IT SHAREWARE OR ANY OTHER NAME HE DESIRES, EVEN FREEWARE, AND STILL MAINTAIN THE ABSOLUTE RIGHT TO DETERMINE WHO MAY OR MAY NOT DISTRIBUTE HIS COPYRIGHTED WORK! A copyrighted work is the sole property of the holder of the copyright.like it or not, that is the law of the land. until such time a case comes to court, copyrighted shareware remains the property of the copyright holder, who may decide who has the right to distribute such work. - ----- I do not contest that the author of a computer application (especially a copyrighted application) is entitled to set whatever conditions they want on the use or distribution of their work, and I have stated so before. But this is a different issue than whether such an application qualifies as "Shareware", "Freeware", etc. Shareware has a specific meaning: software (copyrighted or otherwise) that is distributed outside of commercial channels, that is paid for if the user decides to use it. Freeware is a subset of this; the cost of a freeware application is zero. Nowhere in this definition is there a prohibition of the distribution of copyrighted software! Any author is welcome to put whatever restrictions they want on their work, no question about it. When those restrictions go beyond a certain point, they author cannot fairly call their work Shareware, IMO. This is getting/has gotten outside of the scope of Virus-L. If individuals wish to send me e-mail about it, fine. Otherwise I consider the subject closed. ------------------------------ Date: Tue, 26 Sep 89 10:04:00 -0400 From: "No trouble, please" Subject: Security procedures on LANs Here at the University of NC at Greensboro, we have taken the step of putting all of our network login software on notchless diskettes. This means that nothing can be writtien to this diskette, and nothing can be written to the network itself (except to personal account areas). So, any viruses that someone brings in are confined to his/her own diskettes. It also saves us from the thankless task of going through everything periodically and erasing files users have left on our disks! [Ed. That is the same setup that we used at Lehigh University. It seemed to work pretty well but you still have to trust the security of the network OS (Lehigh uses Novell) and the physical security of the file servers. What are other LANned sites doing to address this (on PCs and on Macs)?] Kyle Barger UNCG Student & Academic Computer Center Part-Time Employee BARGERK@UNCG.BITNET DISCLAIMER: these are my opinions; not neccessarily those of UNCG ------------------------------ Date: 26 Sep 89 00:00:00 +0000 From: David.M..Chess.CHESS@YKTVMV Subject: re: 123 virus (PC) Not sure I entirely understand this; if the virus infects -only- 123DOS.EXE, how did you get it? How would it spread? (Why, that is, would an infected copy of 123DOS.EXE ever find itself running with access to an uninfected copy; why would there ever be two different copies of the file on the same machine?) DC ------------------------------ Date: 26 Sep 89 00:00:00 +0000 From: David.M..Chess.CHESS@YKTVMV Subject: re: More Datacrime hoopla, propoganda, and general paranoia. > (it is, after-all, a "time-bomb" virus, that activates on specific > dates, in this case, Friday the 13ths). No, no! The DataCrime viruses activate whenever the date is October 13th -or later-; no Friday-check. (Sorry to pick on you, but people keep getting this wrong! Other points are well taken.) DC ------------------------------ Date: Tue, 26 Sep 89 10:16:50 -0400 From: "A.R. PRUSS" <2014_5001@uwovax.uwo.ca>, 2014_5001@uwovax.uwo.ca Subject: re: datacrime & fdisk (PC) re: datacrime & fdisk (PC) In article <0005.8909251230.AA29228@ge.sei.cmu.edu>, MATHRICH@UMCVMB.BITNET (Ri ch Winkel UMC Math Department) writes: >>From: IA96000 >>if you use fdisk to create a dummy partition of lets says 2 >>cylinders and then create a second normal active dos partition >>will this prevent the virus from destroying track zero? > > It depends on how it accesses the disk. If it uses bios calls (INT > 13H), it will still attack physical cyl 0 on the disk. If it uses the > [correct info deleted to conserve space] Is it not simpler to back the FAT/boot sectors up to floppy and then restore them? You can use Norton Utilities Advanced for that, or a quick little utility that I will release within a week. What I would like to know, however is whether just rewriting the boot and FAT sectors will be sufficient? Alexander Pruss, at one of: Department of Applied Mathematics, Astronomy, Mathematics, or Physics University of Western Ontario pruss@uwovax.uwo.ca pruss@uwovax.BITNET A5001@nve.uwo.ca ------------------------------ Date: 26 Sep 89 17:06:57 +0000 From: usenet@saturn.ucsc.edu (Usenet News Account) Subject: preventing virus attacks (PC) subject mentioned, so here goes (with a dumb idea). Will changeing a file attribute to READ ONLY stop or slow down a virus? What about write locking a whole Directory? Does hiding a file or directory have any effect??? I'm guessing that a virus will disregard any attribute settings. -ted- ted@helios.ucsc.edu From: ted@helios (Ted Cantrall) Path: helios!ted ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253