VIRUS-L Digest   Wednesday, 4 Oct 1989    Volume 2 : Issue 212

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

Virus Commentary
Re: Virus Commentary
The invincible virus (Ghost virus) (Atari ST)
Information wanted
Re: New virus? (Mac)
nVIR B Details (Mac)
Submission for comp-virus
New Mac Virus - Further Diagnostic Help
Where to Get Mac Anti-Virals
datacrime II antidote (PC)
OGRE virus in Arizona (PC)

---------------------------------------------------------------------------

Date:    Sun, 24 Sep 89 15:12:00 -0600
From:    Frank Starr <55srwlgs@sacemnet.af.mil>
Subject: Virus Commentary

Sabotaged Program Reactions - An Editorial Review
by Frank Starr

The continuing threat of virus and Trojan Horse programs - which I prefer to call sabotaged programs - has begun to spark some reaction from the upper levels of the Department of Defense. Concurrent with the discovery of the so-called "Columbus Day Time Bomb", previously known as the Datacrime Virus, has come a series of directives which may serve to eliminate the use of all forms of shareware by D.O.D. personnel on D.O.D. microcomputers.

Air Force users first received word of the Columbus virus from a message published by the USAF Office of Special Investigation, republished and mass-mailed through MILNET/DDN, the D.O.D. e-mail system.
Two suspected sources have been listed - a European extremist group in the spiritual sway of Baader-Meinhof, and a Norwegian group displeased with celebrations honoring Columbus while ignoring Norse discoveries preceding those of European explorers. Later communiques identified the virus as the Datacrime variety, capable of trashing the FAT area of a hard drive.

From the first message to all others received to date, a prevailing directive has been to cease using all software downloaded from private bulletin boards. Various interpretations have gone so far as to conclude that only vendor-supplied software should be used, to the absolute exclusion of everything else, whether shareware available for purchase after an initial test period, or freeware for which no fee or donation is ever asked.

All of this confusion promises to cause a lot of D.O.D. micro users to cut themselves off from anything except commercial software purchased through government contracting channels. This in spite of the fact that there have even been reports of commercial software occasionally being sabotaged by temporary employees (as reported in an issue of Government Computer News about a year ago; sorry, specific issue forgotten).

There are a number of micro bulletin boards in D.O.D., some of which offer shareware software for evaluation to potential customers. Some of the SYSOPs of these systems foresee a call to close down operations, based on reactions to sabotaged-software threats and rough drafts of official regulations to control software on D.O.D. micros (see the September/October C2MUG bulletin, page 5). Although there are some advisories for users to back up all software on D.O.D. micros, more attention seems to be going towards the elimination of all non-contract software on D.O.D. micros. Since sabotaged programs are more often reported in connection with software downloaded from public RBBS systems, this game plan can be understood, if not readily supported.
However, with micro user education still a lower-priority objective in many areas, and software backup not a widespread practice, it seems that, especially with funding cuts a now and future reality, more attention would better be given to how to defend against sabotaged programs, and perhaps the avoidance of all forms of shareware could be reevaluated.

Frank Starr

------------------------------

Date:    Sun, 24 Sep 89 18:03:00 -0600
From:    "Frank J. Wancho"
Subject: Re: Virus Commentary

Frank,

I just read and reread your editorial. I fear that possibly many people will misread it, overlooking certain key words and phrases, such as "may" in "may serve to eliminate," "various interpretations," "foresee," "seems" in "more attention seems to be," etc.

The actual point of your editorial, with which I agree, is in your last sentence, which should have been a paragraph by itself (starting with the word "However," and broken into several sentences):

Micro user education is still a low-priority activity in many areas, and software backup not a widespread practice. With funding cuts a now and future reality, more attention should be given to defending against sabotaged programs. Then, perhaps, the trend toward avoiding all forms of shareware could be reevaluated.

- --Frank

------------------------------

Date:    03 Oct 89 14:17:35 +0000
From:    erwinh@solist.htsa.aha.nl (Erwin d'Hont)
Subject: The invincible virus (Ghost virus) (Atari ST)

First I would like to apologize for not giving enough information in my last (and first in my career) message to Usenet. I asked for some information about the Ghost Virus on the Atari ST, but I forgot to mention the computer system and the kind of information I requested. Well, here goes, all or nothing:

For a few months I have been bugged by a virus that inverts the mouse pointer. So after I figured that it could be a virus, I pulled out my trusty virus killer (VDU - Virus Destruction Utility V1.4) and became aware of this "Ghost Virus".
After wiping the virus from all my disks I thought I would be safe, but nothing could have been further from the truth. This virus returned every time. Maybe it is a link virus that somehow manages to copy itself into the boot sector so that it can begin its foul work again. But the VDU doesn't recognize any link virus on any of my disks, so my question to all of you is: Is there some way to get rid of this virus without formatting all my disks?

Erwin

WARNING: Never crunch a file or disk without checking it!!!!!!!!!!!!!!

------------------------------

Date:    04 Oct 89 02:50:40 +0000
From:    cvl!cvl!umabco!bgoldfar@uunet.UU.NET (Bruce Goldfarb)
Subject: Information wanted

I am looking for addresses (phone numbers ideal) for the Computer Virus Industry Association and the National Bulletin Board Society. Any and all help is deeply appreciated.

Bruce Goldfarb
umabco!bgoldfar@cvl.umd.edu (or) cvl!umabco!bgoldfar

------------------------------

Date:    Mon, 02 Oct 89 16:05:35 -0400
From:    Joe McMahon
Subject: Re: New virus? (Mac)

>Subject: New virus? (Mac)

I'm afraid so...

>We here at the University of Rochester may have discovered a new
>virus, or a variation on a theme. What it does is infect Macwrite ...

(sundry details omitted)

> ... Disinfectant 1.1 doesn't work, so please email me the
>latest version of Disinfectant to try...

I'm afraid it won't help. You should send some mail to John Norstad *immediately* and let him know about it. He may request a copy of your infected files. His net address is in the Disinfectant documentation.

>The virus definitely attacks Macwrite. It adds a str ID 801 and
>modifies the icon to say Macwite instead of the standard application
>icon. The application increases in size by 104 bytes, 56 in the
>string. They are added in sector 014F, according to Fedit Plus 1.0.

Actually, you should check it out with ResEdit and see what resource they get added to. Ditto for the System; look for INIT resources.
There are a few that are supposed to be there, but the virus may add new ones.

(more details omitted)

This sounds very much like a new virus. Do you have Vaccine or GateKeeper installed? Either should keep infections from spreading, unless the virus is doing its own disk I/O at the driver level (very dangerous and could lead to screwed-up disks).

Things to try:

- Write-protect a known-clean version of MacWrite and try running it on the infected system.
- Change another application's signature (type/creator) to MacWrite's and see if the virus tries to infect it.
- Name MacWrite something else and see if it is attacked.
- Look at the system heap with MacsBug and try to identify all of the resources loaded into it. This may help in tracking down the infection mechanism.

I'd appreciate hearing further details; post them to me personally if you'd like.

--- Joe M.

------------------------------

Date:    Tue, 03 Oct 89 10:16:41 -0400
From:    Joe McMahon
Subject: nVIR B Details (Mac)

asks:

>I recently came across the nVIR B virus on a cluster of Macs. I removed
>it using Disinfectant 1.5 and it appears to be gone.
>
>What problems does nVIR B cause? Does it delete files, do annoying things,
>or simply spread? Being a semi-public cluster, how much of a concern
>is its presence?

It does annoying things (beeps or says "Don't Panic"). Since it also grabs space in the system heap AND installs a VBL task, it can cause memory problems and timing problems, causing printing failures and crashes.

Its presence is always a concern. Think of it as a public health problem. Your cluster, if left infected, would be a reservoir of infection and a potential source of spread, no matter how much time other clusters spent cleaning themselves up.

Get Vaccine or GateKeeper installed on those Macs. Now. You must have either not had them installed, or someone has been turning them off.
If you suspect that someone is deliberately infecting the cluster, you might want to set up a virus-scanning station that all disks must be passed through before they are used on your cluster. The Disinfectant documentation will tell you how to do this.

--- Joe M.

------------------------------

Date:    04 Oct 89 13:08:50 +0000
From:    kkk@ohdake.uta.fi (Kimmo Kauranen)
Subject: Submission for comp-virus

Where could I get a copy of "Proceedings..."?

Hey! There has been a mention in some articles of the book "Stephen J. Ross (ed.), Computer Viruses - Proceedings of an Invitational Symposium, Oct 10-11, 1988. New York: Deloitte Haskins & Sells, 1989." I'd like to get it, but where could I order it?

Thanks beforehand,
Kimmo Kauranen

------------------------------

Date:    Wed, 04 Oct 89 09:51:17 -0400
From:    Joe McMahon
Subject: New Mac Virus - Further Diagnostic Help

Try using GateKeeper and shutting down ALL accesses to files. See if that will show you what's being copied into the files. It should be in the GateKeeper log.

--- Joe M.

------------------------------

Date:    Wed, 04 Oct 89 09:46:05 -0400
From:    Joe McMahon
Subject: Where to Get Mac Anti-Virals

CTDONATH@SUNRISE.BITNET asks:

>...where can we get the most recent versions {of anti-viral software}?

On BITNET, the LISTSERV at our node (SCFVM) has a virus-removal package consisting of Disinfectant, Virus Rx, Vaccine, GateKeeper, and some other files. You can subscribe to this package and receive updates automatically by obtaining a LISTSERV password and AFD ADDing the package.

On the Internet, sumex-aim.stanford.edu has anti-virals in the /info-mac/virus directory. apple.apple.com in the pub/dts/mac/tools directory has the newest version of Virus Rx.

Hope this helps.

--- Joe M.
------------------------------

Date:    04 Oct 89 18:14:00 +0700
From:    NOAM@SARA.NL
Subject: datacrime II antidote (PC)

On or after the 12th of October, an undetermined number of computer 'viruses' are scheduled to start erasing the data of their unsuspecting hosts. One virus in particular, known as 'DATACRIME II', is an especially nasty specimen, as it not only spreads very rapidly, but also formats the hard disk of any computer it infests, permanently destroying all of the contents.

DATACRIME was first detected in the Netherlands, and the leading computer publication of that country, PERSONAL COMPUTER MAGAZINE, commissioned computer expert Rikki Cate to write an 'antidote' program for its readers. Cate, an American who lives in the Netherlands, is a programmer specialized in this kind of work.

Cate's Cure was an overnight sensation. Featured on radio, television and in Holland's leading newspapers, thousands of copies were distributed within the first few days, and it has already inspired a number of hastily composed imitations. Even the Dutch police have begun distributing a version of their own.

Cate's Cure, however, claims superiority to all of these. It is much faster, it actually removes the virus, it repairs damaged programs, it automatically searches all the directories on the hard disk, and it provides permanent protection against formatting of the hard disk or new infections by the virus. None of the other programs released have any of these features. This is believed to have been confirmed in an independent test carried out by the Dutch Railways.

In view of the huge demand and the clear anxiety indicated by that, Cate has decided, with the approval of PCM, to make the antidote more widely available at a cost of $10 per disk. Additional information can be obtained from her directly by calling 31-20-981963 in Amsterdam. Fax: 31-20-763706, telex 12969 neabs nl, Fido 2:280/2, electronic mail 31-20-717666, all marked to her attention.

[Ed. Any chance of getting a copy of Cate's Cure on this side of The Pond, for electronic distribution?]

------------------------------

Date:    Wed, 04 Oct 89 10:18:00 -0700
From:
Subject: OGRE virus in Arizona (PC)

Original_From: Paul Balyoz

A new, extremely nasty virus has been discovered on some IBM PCs in the state of Arizona. This virus, known as OGRE, has been found on some disks in Flagstaff and nearby areas. This is the first recognition of said virus that has come to my attention. This memo gives a description of the virus and possible ways of recognizing and removing it.

DESCRIPTION

The OGRE virus tries to infect any disks it sees that haven't yet been infected with itself. It counts the number of disks it has infected as it goes along. It does no harm until after it has infected a certain number of disks. After that point it will display a message on the screen at boot time identifying itself as the COMPUTER OGRE dated April 1, and telling you to leave your machine alone as it begins "stomping" blocks on the disk randomly, by writing blocks full of one character all over the disk. This holds true for both floppy disks and hard disks.

The damage done in this manner is virtually irreparable. Once this happens the hard disk usually needs to be reformatted (which effectively erases everything on the disk). If backup copies of the files from that disk were made, they can be restored onto the reformatted disk, and all is well again (until the next time).

If you see this message appear on your screen, ignore the warning and TURN YOUR COMPUTER OFF IMMEDIATELY! The quicker you turn it off, the less damage it will have done. The first blocks it destroys are the boot blocks and file and directory information; files go after that. If stopped in time, the files on the disk may be retrieved using various disk utility programs.

TECHNICAL DETAILS

The OGRE virus spreads by writing copies of itself onto 3 unused blocks on the disk.
It then marks those blocks as being "bad," so that normal disk usage won't ever choose those blocks for storing ordinary data. Thus the virus can stay on the disk without being bothered. The important step is when it modifies the boot blocks of the disk so that the next time the disk is booted, the special code on those three blocks is executed, and the virus can try to infect new disks. Thus, every time the disk is booted thereafter, the OGRE code is executed, and can do what it has been programmed to do.

Because the OGRE virus operates at such a "low level," none of the existing virus detection/elimination programs currently in existence for the IBM PC will work. Note that OGRE doesn't create or modify any of the files on the disk at the time of infection, nor does it affect the FAT in any way. Thus it is virtually undetectable by present means, until special programs are developed to detect and remove it.

RECOGNIZING THE VIRUS

If you have a "disk zap" or "sector edit" type of program, you can use that to see if the OGRE virus has infected each of your disks. You'll want to search the disk for the string "OGRE" (those four upper-case ASCII characters) or "COMPUTER OGRE" to be sure. You will know by the surrounding text if each occurrence of the string is truly the virus or not. The software package "Norton Utilities" has a program that can do this sort of disk-searching function. The most important place to look is the boot blocks on the disk. If the string exists in that area, your disk is probably infected.

Note: It is possible for normal information on the disk to spell out the string "OGRE" just by chance. As I understand it, that string being found in the boot blocks nearly guarantees infection. The text before and after the string must be viewed to be sure. There is a date of April 1, and a copyright notice, as well as the English text that it can display. You will know from the context whether your disk is infected or not.
CLEANING AN INFECTED DISK

File copying will "clean" an infected disk. Because OGRE doesn't affect any files, per se, a good method for cleaning up an infected disk that hasn't been "stomped on" yet would be to copy all of the files off that disk onto a freshly formatted one. Of course you'll want to be sure that the virus isn't running while you do this, or it will quickly infect the new disk as well! Boot your computer from an original system disk that was distributed with your computer. Make sure it is write-protected before booting. If this disk has never been un-write-protected, then it can't ever have been infected. Then go ahead and format the new disk, and copy your files to it. The infected disk you just copied all the files off of can now be formatted to clean it up, and the files copied back onto it again.

FUTURE VIRUS DETECTION IDEA

Checksum the boot blocks. A program should be written to run a set of checksums on the boot blocks of your disk, and remember the number somewhere. When run thereafter it can recompute the checksum and compare it to the one recorded previously. If the two checksums do not match exactly then the boot blocks have been modified, which is not a normal thing to have happen. The program can then notify the user that, "The boot blocks on this disk have changed; you may have a virus."

If this program were written and launched from the AUTOEXEC.BAT file on all bootable disks, then the user would know immediately if they were infected. Of course, the OGRE virus would have already been executed once by then, since the disk was booted before the AUTOEXEC.BAT file was read, so it may have infected another disk; but it won't have gone on the rampage yet. The user would thus have advance knowledge of the infection, and can combat it before any damage is done.

DISCLAIMER

I have not personally seen the virus nor any disks damaged by it.
SOURCE INFORMATION

This new virus was discovered by members of the staff at Computer Solutions here in Flagstaff, Arizona. They are working on disassembling the virus and will hopefully come up with a virus removal procedure or program. The current theory is that it originated somewhere in the Phoenix area, but nothing is sure yet. Computer Solutions is trying to contact as many people as they can to warn them about this new problem. You are encouraged to make copies of this memo in any form and distribute them to anyone who might need to know this information. You can contact Computer Solutions at 602-774-1272 during the day.

submitted by:                                        *usual disclaimers*
---------------------------------------------------------------------
- Bob Wier   Northern Arizona University   Ouray, Colorado & Flagstaff, Arizona
  ...arizona!naucse!rrw | BITNET: WIER@NAUVAX | WB5KXH

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
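The OGRE memo above (RECOGNIZING THE VIRUS and FUTURE VIRUS DETECTION IDEA) describes two checks a user can apply to a disk: search the boot blocks and the rest of the disk for the text "OGRE" / "COMPUTER OGRE", and checksum the boot blocks while the disk is known clean so that any later change can be noticed. The following is an added example written for this edit that implements both against a raw disk image; it is not code from the memo's author, from Computer Solutions, or from VIRUS-L. It assumes the standard DOS FAT12 on-disk layout (512-byte sectors, BPB fields at their usual offsets, 0xFF7 as the FAT12 bad-cluster mark), and the sample images it builds in memory are constructed here with hypothetical virus text; they are not real OGRE samples. The bad-cluster count is only a supplementary indicator that follows the memo's description of the virus marking its three blocks "bad".

```python
"""Boot-block checksum and OGRE text scan over a raw FAT12 disk image.

Added example (not code from the memo's author, Computer Solutions or VIRUS-L).
Assumes the standard DOS FAT12 layout; the sample image built below is
constructed here and is not a real OGRE sample.
"""
import hashlib
import struct

SECTOR = 512
SIGNATURES = (b"COMPUTER OGRE", b"OGRE")  # strings the memo says to search for
FAT12_BAD = 0xFF7                          # FAT12 entry value for a bad cluster


def boot_checksum(image: bytes) -> str:
    """Checksum of the boot block; record this while the disk is known clean."""
    return hashlib.sha256(image[:SECTOR]).hexdigest()


def boot_changed(image: bytes, recorded: str) -> bool:
    """True if the boot block no longer matches the recorded checksum."""
    return boot_checksum(image) != recorded


def find_signatures(image: bytes, needles=SIGNATURES):
    """Return (sector, offset, text) for every match.  Longer needles are
    searched first so 'COMPUTER OGRE' is not also reported as a bare 'OGRE'."""
    hits, taken = [], set()
    for needle in sorted(needles, key=len, reverse=True):
        pos = image.find(needle)
        while pos != -1:
            if pos not in taken:
                hits.append((pos // SECTOR, pos % SECTOR, needle.decode()))
                taken.update(range(pos, pos + len(needle)))
            pos = image.find(needle, pos + 1)
    return sorted(hits)


def fat12_bad_clusters(image: bytes) -> int:
    """Count clusters flagged bad in the first FAT, locating it via the BPB."""
    bps, = struct.unpack_from("<H", image, 0x0B)       # bytes per sector
    reserved, = struct.unpack_from("<H", image, 0x0E)  # reserved sectors
    spf, = struct.unpack_from("<H", image, 0x16)       # sectors per FAT
    fat = image[reserved * bps:(reserved + spf) * bps]
    bad = 0
    for i in range(2, (len(fat) * 2) // 3):            # clusters 0 and 1 are reserved
        off = (i * 3) // 2                             # 12-bit entries, 1.5 bytes each
        if off + 1 >= len(fat):
            break
        pair = fat[off] | (fat[off + 1] << 8)
        entry = pair >> 4 if i & 1 else pair & 0x0FFF
        if entry == FAT12_BAD:
            bad += 1
    return bad


def scan(image: bytes, recorded=None) -> dict:
    """The memo's checks combined: text in the boot block, changed boot
    checksum (if one was recorded), plus the supplementary bad-cluster count."""
    hits = find_signatures(image)
    boot_hits = [h for h in hits if h[0] == 0]
    changed = recorded is not None and boot_changed(image, recorded)
    return {"boot_hits": boot_hits, "other_hits": [h for h in hits if h[0] != 0],
            "boot_changed": changed, "bad_clusters": fat12_bad_clusters(image),
            "likely_infected": bool(boot_hits) or changed}


# --- constructed sample images (hypothetical; not real OGRE samples) ---------

def _set_fat12(fat: bytearray, i: int, value: int) -> None:
    off = (i * 3) // 2
    pair = fat[off] | (fat[off + 1] << 8)
    pair = (pair & 0x000F) | (value << 4) if i & 1 else (pair & 0xF000) | value
    fat[off], fat[off + 1] = pair & 0xFF, pair >> 8


def make_clean_image(data_sectors: int = 6) -> bytes:
    """Minimal FAT12 image: 1 reserved (boot) sector, 1 FAT sector, no root
    directory, then one-sector clusters (cluster n lives in sector n)."""
    bs = bytearray(SECTOR)
    bs[0:3], bs[3:11] = b"\xEB\x3C\x90", b"MSDOS3.3"
    struct.pack_into("<HBHB", bs, 0x0B, SECTOR, 1, 1, 1)  # bps, spc, reserved, FATs
    struct.pack_into("<H", bs, 0x16, 1)                   # sectors per FAT
    bs[510:512] = b"\x55\xAA"
    fat = bytearray(SECTOR)
    fat[0:3] = b"\xF0\xFF\xFF"                            # media byte + reserved entries
    return bytes(bs) + bytes(fat) + bytes(SECTOR * data_sectors)


def make_infected_image() -> bytes:
    """Apply the footprint the memo describes: a patched boot block carrying the
    text, and three clusters holding the body, each marked bad in the FAT."""
    img = bytearray(make_clean_image())
    body = b"COMPUTER OGRE  April 1  (c) leave your machine alone"  # hypothetical text
    img[0:3] = b"\xEB\x40\x90"                   # hypothetical patched boot jump
    img[0x40:0x40 + len(body)] = body            # virus text inside the boot block
    fat = bytearray(img[SECTOR:2 * SECTOR])
    for cluster in (3, 4, 5):
        _set_fat12(fat, cluster, FAT12_BAD)
        img[cluster * SECTOR:cluster * SECTOR + len(body)] = body
    img[SECTOR:2 * SECTOR] = fat
    return bytes(img)
```

To use it on a real floppy image, record `boot_checksum(image)` once while the disk is known clean, then later call `scan(image, recorded)`; a non-empty `boot_hits` or a `boot_changed` result is the memo's "probably infected" signal, and any hit outside the boot block should be read in context as the memo advises, since ordinary data can spell out "OGRE" by chance.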