VIRUS-L Digest Tuesday, 21 Nov 1989 Volume 2 : Issue 245 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: re: Known PC Virus List (PC) RE: Internet Worm Statistics... Re: Ping Pong virus (PC) at UIUC Eagle Virus Detection Utility and Final Report (PC) No Virus Found (Mac) Most common virus (PC) More on VACSINA (PC) --------------------------------------------------------------------------- Date: 20 Nov 89 00:00:00 +0000 From: "David.M..Chess" Subject: re: Known PC Virus List (PC) Quite welcome for the format, and thanks for the acknowledgement! A few small notes/questions: - I notice the "Missouri" and "Nichols" viruses aren't listed. Did they turn out not to really exist, or to be viruses that are known under some other name? - For completeness, you might want to include the 1704-C, as well as the 1701, 1704, 1704-B and 1704-format? (The 1704-C has the same in-clear section as the 1704-format, but doesn't have the disk-formatting code.) I know you have a sample! *8) - Suspect you didn't mean to mark "Self-Encryption" for the 1168 and 1280 viruses? They don't do it in the same sense that the DataCrime II, the Syslock, or the 17xx series do; the only thing that's "encrypted" in the 1168/1280 is the logo string, and that's just stored XORed with hex 55. That's not the -interesting- kind of self-garbling: the kind that makes the invariant part of the virus smaller. Nice list! DC ------------------------------ Date: Mon, 20 Nov 89 11:54:35 -0500 From: dmg@lid.mitre.org (David Gursky) Subject: RE: Internet Worm Statistics... As some of you may recall, Cliff Stoll (author of "Stalking the Wily Hacker" CACM May '88 and _The Cuckoo's Egg_ Doubleday 1989) asked people to submit tales, horror stories, and so on about the Morris Internet Worm. Cliff then performed some statistical analysis on the resulting data, and published the results as part of his paper "An Epidemology of Viruses & Network Worms". presented at the 12th National Computer Security Conference last month in Baltimore (see pages 371 -> 373 of the proceedings for the section of Cliff's article on the Morris Work). ------------------------------ Date: Mon, 20 Nov 89 16:40:30 -0500 From: Melinda Varian Subject: Re: Ping Pong virus (PC) at UIUC Although I recognize that this is not the appropriate forum for discussion of the BITFTP server, since BITFTP has been being discussed here, I would like to correct some misapprehensions: BITFTP does handle binary files; indeed, it distributes hundreds of them everyday. BITFTP is currently designed to be used only within the BITNET/ EARN/NetNorth network; it distributes all files (both binary and text) in NETDATA format, which means it cannot send files through mail-only gateways into other networks. I have addressed the original complaint about BITFTP that was broadcast to this list, i.e., that it was not accepting FTP requests for the UXE.CSO node. Requests to that node had regularly been resulting in hung FTP sessions, but I believe that I have now circumvented that problem, so I am again accepting requests to access it. Anyone wanting further information on BITFTP should send mail or an interactive message to BITFTP@PUCC. Melinda Varian [Ed. Thanks for the clarification!] ------------------------------ Date: Mon, 20 Nov 89 19:13:00 -0500 From: IA96000 Subject: Eagle Virus Detection Utility and Final Report (PC) Final report on virus contained in file EAGLE.EXE: 1) It DOES contain a form of Jerusalem B. It WILL spread to other files once EAGLE.EXE has been loaded into memory. 2) If the system being run has a '286 or higher processor and if COMMAND.COM is found in the root directory, the program will DESTROY the boot and FAT tables on the disk. No question about this folks! It overwrites the sectors with the ASCII 246 character. 3) When EAGLE.EXE is loaded, ONLY the Jerusalem B virus is spread to other files. The trojan part of the program is part of EAGLE.EXE, not part of the virus itself. 4) Viruscan (SCAN.EXE) WILL NOT detect any viruses in the EAGLE.EXE file. This appears to be because EAGLE.EXE has been compressed and a DOS loader has been added to the head of the file and is not the fault of Viruscan. 5) Once EAGLE.EXE has been run,SCAN will detect the Jerusalem B virus in memory when SCAN's "M" command line switch is used. 6) A write protect tab WILL stop the destruction of the Boot and FAT on a floppy. Numerous methods have been tried to stop the destruction of the Boot and FAT on a hard disk and none appear to be effective. 7) After considerable study it has been determined that the EAGLE.EXE program was written in (take a guess) a version of compiled Basic. 8) We have no way to know that author intended for the program to contain the Jerusalem virus. It is quite possible this IS the case since the specific compression program used would not allow the program to load, if the virus had infected the file AFTER it had been compressed. To recap: The program name is EAGLE.EXE and contains the Jerusalem virus. It was uploaded to a BBS with a description line saying it would produce a VGA animation of an EAGLE in flight. If COMMAND.COM is present in the root directory of the default drive and if the processor is a '286 or higher (including a '486) EAGLE.EXE will write over the Boot and both FAT areas with the ASCII 246 character. Detection: The good people at SWE have written a small program named EAGLSCAN.EXE which will probe any file with an extension of .EXE to determine if it is the EAGLE.EXE program renamed. I do not know the particulars of the program but I have tested it, and it is very fast! It will if you desire scan one .EXE file or all .EXE files on your disk. If a file is found be EAGLE.EXE renamed or has the exact same identification strings, it will be flagged and you will be notified. If you would like a copy of EAGLSCAN.EXE please send a formatted 5.25 inch, 360k disk to the following address with return postage, (stamps are fine) and you will receive the program along with a commented dis-assembly of the EAGLE.EXE file. Please enclose a return address label for the disk mailer. SWE 132 Heathcote Road Elmont, New York 11003 EAGLSCAN IS NOT Shareware, nor is it in the public domain. The authors have consented to supply anyone who reads Virus-L with a copy free of charge (except for postage which you must supply). That is about it for now. As far as I am concerned we have found everything we need to know. EAGLE.EXE contains both a virus and a very nasty trojan horse if the conditions are right! For whatever it is worth, my opinion is that you should send for a copy of EAGLSCAN. It does not cost you anything except for postage and it might come in handy! ------------------------------ Date: 20 Nov 89 15:09:00 -0800 From: harvard!applelink.apple.com!D1660%GARP.MIT.EDU@vma.cc.cmu.edu Subject: No Virus Found (Mac) To put everyone's mind at ease: In Virus-L Digest #242 Tom Southall of American University asks help with an apparent virus problem. I was able to go down to American University today and take a look at the Macs there. I could find no evidence of any viral activity. What I did find was some things put onto the systems by students and set to be invisible. These definitely accounted for the changing system file size, and perhaps for the other problems experienced there. Paul Cozza ------------------------------ Date: 21 Nov 89 14:16:38 -0400 From: Subject: Most common virus (PC) Can we know which type of VIRUS is most common on the Personal Computer ? Thank in advance ------------------------------ Date: Tue, 21 Nov 89 06:02:39 -0500 From: Subject: More on VACSINA (PC) Hi, we just completed our virus catalog entry for the VACSINA virus and checked with some friends. One of them: David M. Chess pointed out that we overlooked a fact. Well it is a very important fact: VACSINA contains an update facility. The last 4 bytes of an infected file contain F4 7A 05 00. The F4 7A is the VACSINA id and 05 00 is the version number ( lo byte first ) so we have version 0005 of VACSINA. If the virus finds anything less than 0005 it will reconstruct the original file and then it will infect with the new version of VACSINA. Now we understand why the author left so much space in the head of the virus. Also the 3 byte used for the 'VACSINA-TSR is in memory' flag contain a 05 so future versions of VACSINA will know if an older version of VACSINA installed its TSR. If anybody has virus infected files that show F4 7A 06 00 or higher please post a note. Thanks to David again! Chris ***************************************************************** * Torsten Boerstler and Christoph Fischer and Rainer Stober * * Micro-BIT Virus Team / University of Karlsruhe / West-Germany * * D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 * * E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET * ***************************************************************** ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253