VIRUS-L Digest Friday, 3 Nov 1989 Volume 2 : Issue 231 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Brain Virus info needed (PC) Jerusalem Virus (PC) Re: Checksum programs WANK Antidote (VAX/VMS/DECnet) Virus Invasion of Hardware? Macintosh Virus List (Mac) Identify Ashar Virus re: VGA2CGA infected with virus? (PC) --------------------------------------------------------------------------- Date: Fri, 03 Nov 89 10:01:04 -0600 From: Mitch Cottrell Subject: Brain Virus info needed (PC) Help Help Help We have been infected with two virus strains... Jeruslum-B and Pakastani Brain... I have gotten some information on Jeruslium... but have not been able to get any info on brain other than how it replicates itself.. I still dont know what system damage it can do other than eat up a couple sectors of disk space. Please let me know if you have any info on this virus or a source for info. ps. I have already tried McAfee Associates BBS. Thanks... Acknowledge-To: ------------------------------ Date: Fri, 03 Nov 89 24:41:00 -0500 From: "Chris_C.Conner" <13501CCC%MSU.BITNET@IBM1.CC.Lehigh.Edu> Subject: Jerusalem Virus (PC) The computers(PC) in many of the labs on campus(MSU) have been struck by the Jerusalem Virus. I used SCAN.EXE (I don't know what version) and identified it as the Jerusalem Virus. Irealize there have been quite a few articles about it in the recent digests, but thinking I was not susceptible, I didn't bother reading any of them. Could someone please send me any information on what the virus does, what I can do to get rid of it, and any other shareware that could help out. CCC ------------------------------ Date: 03 Nov 89 17:44:32 +0000 From: kerchen@iris.ucdavis.edu (Paul Kerchen) Subject: Re: Checksum programs In article <0002.8911031455.AA13850@ge.sei.cmu.edu> len@csd4.csd.uwm.edu (Leona rd P Levine) writes: >The checksum program and the checksum should be stored in a place that is >different on each machine. Furthermore, there is no special "best" >crc or testing algorithm, many will do with varying polynomials. True, but the checksum program must have some way of knowing what these algorithms are and where the checksums are stored. If the `sum program can find these things, so can a virus. If the `sum program must be told where these things are then there is no problem; the virus cannot find the info it needs because it isn't on the system. However, that could become tedious for administrators who oversee tens or hundreds of machines, detracting them from their real work. >A satisfactory system is one in which each user can use a polynomial >of his/her choice and where the list of files and their crc's >(for example) is stored in some arbitrary location. No virus writer >will be looking for YOU, rather just a collection of systems that >are alike enough to infect. Again, where are these polynomials stored? One must keep this fact in mind: a virus can do anything a legitimate program can do. A "good" virus will be able to adapt to minor changes in systems and find out where these things are hidden. I don't mean to play the devil's advocate here, but I think it's important to realize that no solution will be a 100% solution. There are a lot of people who read this newsgroup, some of whom may not realize this point, and it always pains me to hear about someone who invested all of their trust into some vaccine, only to get burned by the next virus to come down the pike; they didn't realize the complexity of the problem and jumped right on to someone's bandwagon. Folks have to realize that all of the vaccines, filters, shields, latest & greatest methods, etc., will only slow viruses down; they won't stop them. Of course, if the resposible computing community can make it so difficult for the degenerate virus writers to make a living, perhaps those degenerates will find something else to occupy their time, like making crank calls or torturing small woodland animals. Paul Kerchen | kerchen@iris.ucdavis.edu ------------------------------ Date: Fri, 03 Nov 89 13:10:39 -0500 From: TBUTLER@NSSDCA.GSFC.NASA.GOV Subject: WANK Antidote (VAX/VMS/DECnet) *********** WANK WORM VACCINE ************** A vaccine to combat the WANK worm has been developed by Bernard Perrot of the Institut de Physique Nucleaire, Orsay, France. The vaccine consists of creating a bogus file which you put in SYS$SYSTEM:RIGHTSLIST.DAT. When the worm tries to use the information in this file, the worm-code generates errors and blows up causing the attacking worm to die. The vaccine does NOT affect the remote system - it only kills the worm. This vaccine will stop attacks from any attacking nodes, it should therefore greatly reduce the "annoyance level" of attacks by reducing the volume of audit trails. ******************* IMPORTANT IMPORTANT IMPORTANT *********************** PLEASE READ!!! THIS VACCINE WILL ONLY WORK AGAINST **CURRENT** STRAINS OF THE WORM. WE BELIEVE HOWEVER THAT TO ELIMINATE THIS WORM FROM THE NETWORK, THIS TECHNIQUE WILL HAVE TO BE USED ON AS MANY SYSTEMS AS POSSIBLE. IT IS THE ONLY WAY TO ATTACK THE WORM AT IT'S SOURCE (short of system management action on the infected node...and a lot of system managers are either asleep, ignorant, lazy or??? and therefore the worm has been running on some systems for days). ****************************************************************************** This method has been tested on VMS 4.7 thru VMS 5.2 systems. In order to correctly implement this fix, the following steps must be performed: 1) If you have previously implemented any of our suggestions regarding file protection or ACL's on RIGHTSLIST.DAT, it is necessary to undo them restoring SYS$SYSTEM:RIGHTSLIST.DAT to its original configuration. 2) RENAME the file SYS$SYSTEM:RIGHTSLIST.DAT to some other name of your choosing. 3) To make VMS operate correctly with the rightslist file in a new location, issue the following command, and also add it to your system startup procedure: $DEFINE/SYSTEM/EXEC RIGHTSLIST The worm won't find the file because it can't translate the logical symbol. 4) Take the 4-line file listed below, protect it W:R and do not put an ACL on it. Name it SYS$SYSTEM:RIGHTSLIST.DAT. You *WANT* the worm to access this file! Users on your system will translate the system logical RIGHTSLIST and things will work correctly. When an infected system attacks your node, the first thing it does is copy your sys$system:rightslist.dat file and tries to get your local usernames. This dummy file will cause the attacking worm to abort with a fatal error when it tries to use the information it finds in the bogus file. If you have followed each of the above steps, VMS will run normally, and you will not be vulnerable to the CURRENT strains of the worm which are running aroung the network. The following file should be copied into SYS$SYSTEM:RIGHTSLIST.DAT exactly as it appears below: - -------------------------- CUT HERE - RIGHTSLIST.DAT ----------------- DUMMY MAINTENANCE RECORD 0123456789012345"'F$PID(ON) 0123456789012345'F$PID(ON) 0123456789012345BATCH - --------------------------- CUT HERE ---------------------------------- John McMahon of NASA/GSFC Advanced Data Flow Technology Office has created a command procedure that will have the same end-result as the above instructions. It is available by copying WANK_SHOT.COM from NSSDCA::WANK_SHOT.COM or 6277::WANK_SHOT.COM. This command procedure uses a modification of the above procedure using a SET FILE/ENTER command to set up an alias for RIGHTSLIST.DAT rather than the RENAME command above. Knowledgable system managers may want to decide for themselves which version they prefer. Todd Butler Ron Tencati SPAN/GSFC Routing Center Manager SPAN Security Manager (301)286-7251 (301)286-5223 6277::Tbutler or NSSDCA::tbutler 6277::Tencati or NSSDCA::Tencati ------------------------------ Date: Fri, 03 Nov 89 13:38:54 -0500 From: "Gregory E. Gilbert" Subject: Virus Invasion of Hardware? Is it possible to write a virus that will invade hardware? Has it been done? Just curious. Gregory E. Gilbert Computer Services Division University of South Carolina Columbia, South Carolina USA 29208 (803) 777-6015 Acknowledge-To: ------------------------------ Date: Fri, 03 Nov 89 13:50:53 -0500 From: "Gregory E. Gilbert" Subject: Macintosh Virus List (Mac) Recently I have been writing an article on Macintosh infections. In writing the article I tried to compile an exhaustive list of Macintosh viruses. Below is the list. If anyone has anything to add to the list I would appreciate them notifying me so I can update the list. Thanks much! ================================= CUT HERE ================================== Macintosh Infections - ---------------------- There are about eight Macintosh infections that are known at present (a list of infections and the years in which they first appeared can be seen in the following table). - ------------------------------------------------------------ Infection Strains Clones - ---------- ------- ------ Scores(Spring 1988)* nVir(Early 1988) nVir A(?) nVir B(?) Hpat(Late 1988) AIDS(Late 1988) MEV#(March 1989)) nFLU(August 1989) INIT 29(Late 1988) ANTI(Early 1989) MacMag(December 1987)** Dukakis(Early 1988?) SNEAK(?) San Jose Flu(?) - ------------------------------------------------------------ * - also known as the NASA virus ** - also known as the Drew Virus, Brandow Virus, and the Peace Virus ================================== AND HERE ================================= Gregory E. Gilbert Computer Services Division University of South Carolina Columbia, South Carolina USA 29208 (803) 777-6015 Acknowledge-To: ------------------------------ Date: Fri, 03 Nov 89 14:41:00 -0500 From: SHERIFF@steffi.acc.uncg.edu Subject: Identify Ashar Virus We encountered a boot sector virus yesterday that we have not seen, can anyone help with identification and explanation? The virus has only been identified on disks that also contain the Pakistani Brain Virus. Further, we have only seen it on three diskettes, thus far. When we run Viruscan 0.7V42 on an infected disk, here is what we see: " Found Pakistani Brain Virus in boot sector. Found Ashar Virus in boot sector. Disk B: contains 1 directories and 5 files. ld viruses found. " Please also observe that the number of viruses found is oddly noted. I have only noticed that phenomenon when the Ashar virus has been identified. Light shed by anyone concerning this virus would be greatly appreciated. Tom Sheriff Microcompuer Support Manager UNC Greensboro - Greensboro, NC SHERIFF@UNCG.BITNET SHERIFF@STEFFI.ACC.UNCG.EDU ------------------------------ Date: 01 Nov 89 15:16:07 -0500 From: "David Chess" Subject: re: VGA2CGA infected with virus? (PC) I have a sample of this thing (or what I assume is the same thing) now; it seems to be a rather silly overwriting-virus (that is, rather than arranging to execute more or less silently before the victim, it simply arranges to execute *instead of* the victim; the victim code, at least much of it, no longer exists). It also seems to be written in a Borland language, perhaps Turbo Pascal. It's very possible that it's based on the Turbo Pascal overwriting-virus "Number One", source for which was published in the Burger book "Computer Viruses, a high-tech disease". I haven't taken it apart enough to know, for instance, what damage if any it does, or when it prints its message; it's hard to reverse-compile compiler output, and this virus isn't likely to spread very far (since an infected file is obviously infected, in that it doesn't do what it used to...). DC ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253