VIRUS-L Digest Thursday, 9 Nov 1989 Volume 2 : Issue 237 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: Where are the Sophisticated Viruses? Chinese Viruses Re: Macwight Virus (?) Jerusalem virus (PC) virus problem undecidability KillVirus INIT (Mac) Re: Macwight Virus (?) MacWight? (Mac) Dukakis Virus (Mac) RE: future viruses on a PC Pull plug before cleaning --------------------------------------------------------------------------- Date: Wed, 08 Nov 89 13:15:35 +0000 From: christer@cs.umu.se (Christer Ericson) Subject: Re: Where are the Sophisticated Viruses? In article <0002.8911062045.AA11747@ge.sei.cmu.edu> ctycal!ingoldsb@cpsc.ucalga ry.ca writes: >There are probably two reasons why the viruses you suggest do not >exist: > 1) If the system code is bypassed, then it must be rewritten. > Most hackers are not at that level. Those that are that > proficient are busy making money. > 2) Code to do all the stuff needed would be quite large, and > therefore noticeable. If you add 20 K to somebody's > programs they will likely notice. I don't agree with you on any of these points, Terry. Say, on the Macintosh all calls to ROM are done through trap vectors in RAM. These trap vectors are patched by the system file (to fix bugs), by some programs and by all anti-virus tools. However, it doesn't take a genius to figure out that one could restore the trap vector to it's original value and thereby bypassing the "safe" system. (Alright, we don't have the bug fixes installed, but it's easy to mimic what is done by the system file. (For instance by simply calling the very same routine.)). A patch like this wouldn't occupy much space and is quite simple to write. I'd guess I could write a virus using the above technique in a day or two, which would be undetectable by all existing anti-virus tools, and along with me so could lots of other people. However some of us are busy making money, as you said, and we who are just working (:-)) probably have some sense of moral, stopping us from bringing total chaos to the computer society. > Terry Ingoldsby /Christer | Christer Ericson Internet: christer@cs.umu.se | | Department of Computer Science, University of Umea, S-90187 UMEA, Sweden | | >>>>> "I bully sheep. I claim God doesn't exist..." <<<<< | ------------------------------ Date: Wed, 08 Nov 89 13:20:38 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Chinese Viruses I just saw a note on comp.risks about viruses in China. > Ministry of Public Safety of People's Republic of China found this >summer that one tenth of the computers in China had been contaminated by >three types of computer virus: "Small Ball", "Marijuana" and "Shell", China >Daily reported. The "Small Ball" is probably just a variant of Ping-Pong, "Marijuana" is the same virus as "Stoned" or "New Zealand", but what is "Shell" ?? Anybody got an idea ? - -frisk ------------------------------ Date: Wed, 08 Nov 89 12:08:20 -0500 From: dmg@lid.mitre.org (David Gursky) Subject: Re: Macwight Virus (?) In Virus-L V2 #235, "Gregory E. Gilbert" asks about the "Macwight" (sic) virus. Recently, there was a report of a virus that attacked MacWrite from the University of Rochester. Since the initial report however, nothing has been heard from them. ------------------------------ Date: Wed, 08 Nov 89 11:54:42 -0600 From: ST7751%SIUCVMB.BITNET@VMA.CC.CMU.EDU (Chris Beckenbach) Subject: Jerusalem virus (PC) The Jerusalem virus has turned up here at Southern Illinois University, also. From dissecting a copy of the virus, and an article in the February 15, 1989 edition of Datamation ("The Virus Cure", by John McAffe, Pp. 29-40), the Jerusalem virus (called the Israeli virus in the Datamation article) does the following: When an infected .EXE or .COM file is loaded and run, the Jerusalem virus checks to see if it is already resident in the computer. If not, it sets itself up to intercept DOS INT 21h, then proceeds to run the infected program normally. Whenever a call is made to INT 21h to execute a program (function 4Bh), the virus will append itself to the program file on the disk and set itself up as the entry point for that program. This adds 1808 bytes of length to the file, but does not change the time/date stamp. If the disk is write-protected, no error will be given, and the file will not be infected. The copy of the virus that I have been looking at infects .EXE files multiple times (the Datamation article says that this is a bug that has been "fixed" by hackers in other versions), so usually the major problem with this virus will be that it will waste memory and disk space. John McAfee's article also says that this multiple infection does not occur with .COM files, but I have not verified this. The most serious aspect of this virus is that when the system date is Friday the 13th (except when the year is 1987--this virus was first discovered in 1987, so this was probably written in to give it time to spread) any call to execute a .COM or .EXE file will result in the file's being deleted from the disk. I have been informed that Flushot will take the virus out of infected programs, so if you have the virus and Flushot, you might want to try this. Hope this has been of help. Chris Beckenbach ST7751@SIUCVMB Computer Science major Southern Illinois University Carbondale, Illinois "I think, therefore I think I am--I think." ------------------------------ Date: Wed, 08 Nov 89 16:32:00 -0500 From: Peter W. Day Subject: virus problem undecidability A note to the virus-l digest of 6-Nov-89 said that "the virus problem (at least detection anyway) is undecidable." Does anyone know if there are any papers where this result is proved? Or where the problem is shown to not be NP complete? Or even where the problem is stated precisely? Thanks, Peter Day Emory University ------------------------------ Date: Wed, 08 Nov 89 17:04:50 -0500 From: Joe McMahon Subject: KillVirus INIT (Mac) Yes, the KillVirus INIT contains a "dummy" nVIR resource which it will attempt to install into the System file. This resource will trigger most less-sophisticated virus detectors. In addition, KillVirus is supposed to be able to automatically uninfect files infected with the A strain of nVIR. I haven't tested this, but I wouldn't want to bet the farm on it. --- Joe M. ------------------------------ Date: 08 Nov 89 22:41:56 +0000 From: jap2_ss@uhura.cc.rochester.edu (The Mad Mathematician) Subject: Re: Macwight Virus (?) In article <0004.8911081210.AA26585@ge.sei.cmu.edu> C0195%UNIVSCVM.BITNET@VMA.C C.CMU.EDU (Gregory E. Gilbert) writes: >Is there such a beast? Macwight is a name someone here at the U of R gave to an error we found in a few copies of Macwrite. Something or someone changed the icon of Macwrite to show the word Macwite instead of the lines, and the name of the the application to Macwite or Macwight. After the first few reports, I got a copy to play with for a while, but it was taken and given to someone else. Since then I haven't seen another, nor have any of the student consultants. I don't know if this was a true virus, but it a copy of Macwrite changed before the consultant's boss' eyes, ie the name changed from Macwrite to Macwite, and upon inspection via Resedit the icon was found to have changed. >Gregory E. Gilbert The Mad Mathematician jap2_ss@uhura.cc.rochester.edu Mad, adj. Affected with a high degree of intellectual independence. Ambrose Bierce, _The_Devil's_Dictionary_ ------------------------------ Date: Wed, 08 Nov 89 18:17:21 -0500 From: Joe McMahon Subject: MacWight? (Mac) You may (or may not :-) remember the discussions we had here on the list about this. As far as I remember, there was never a specific demonstration that there was a virus involved. That doesn't mean that there wasn't; it just means that there were never quite enough facts presented to make a case either way. I'd leave it off for now, or mention it as a "rumored sighting" or whetever. Safest not to mention it, especially since it was never pinned down and analyzed. --- Joe M. ------------------------------ Date: Wed, 08 Nov 89 18:20:42 -0500 From: Joe McMahon Subject: Dukakis Virus (Mac) The "Dukakis Virus" was a self-perpetuating HyperCard script. When the stack containing it was opened, it would first try to install itself into the Home stack. The version in the Home stack would then spread to other stacks. Editing it out of the Home stack and installing an "ON SET" script was sufficient to block it. It was released on CompuServe and apparently was not set up to have a long enough incubation time before it first went off. I believe it was stamped out pretty quickly, but it did exist. Worst, the actual script was published in the InfoMac digest... --- Joe M. ------------------------------ Date: Wed, 08 Nov 89 22:40:00 -0600 From: "David Richardson, UTA" Subject: RE: future viruses on a PC Pull plug before cleaning frisk@rhi.hi.is writes >jim frost writes: >>Limiting Propagation Rates. [edited out list of viruses that limit propogation rates] [frost goes on to point out how some of todays viruses meet some criteria of the "ultimate virus", and mentions the threat of AIDS and other anti-disinfecting viruses] >>By now you should get the idea that almost every virus we've seen is >>primitive, although several showed some of the survival traits which I >>outline above. Given the limited resources of PC environments, it's >>unlikely that you'll get a very sophisticated virus. > >I must disagree. In the PC environment it is not a question of limited >resources, but rather the fact that any user process has full access to >ALL resources and can even directly manipulate the hardware if required. >So, my opinion is that it is even easier to write a sophisticated virus on >the PC than in most other environments. The PC user has one weapon that is impactical on a mainframe: THE PC USER CAN TURN OFF HIS MACHINE AT ANY TIME AND DISINFECT HIS SYSTEM VERY EASILY. NO VIRUS (THAT I KNOW OF) CAN LIVE THROUGH A COLD BOOT. As long as PCs retain an OFF switch, then we have the ultimate power over our compters, viruses or not. - -David Richardson b645zax@utarlg.bitnet, @utarlg.arl.utexas.edu UTSPAN::UTADNX::UTARLG::B645ZAX phone +1 817 273 2231 ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253