VIRUS-L Digest   Tuesday, 5 Dec 1989    Volume 2 : Issue 253

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list. Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk

Today's Topics:

New papers on IBMPC viruses
Viruses on Demos and diagnostics
Request for Submissions
Re: Linkable virus modules
The Norton "virus"
Re: Virus attack [AMIGA]
Re: Viruses and Anti-Semitism...
Yale virus (PC)
Jerusalem-B (PC)
Preventing the "Ping Pong" virus (PC)
Re: JUDE Virus (Mac)
Morris Trial Postponed

---------------------------------------------------------------------------

Date: Mon, 04 Dec 89 14:45:21 -0600
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: New papers on IBMPC viruses

Two papers have been added to the anti-viral archives.

solomon.lst     List & description of less common viruses
msdosvir.a89    Virus catalog, with extensive information

solomon.lst
A description of some of the more recent and obscure viruses by
Dr. Alan Solomon. The viruses described include:
    Ogre
    Typo
    Dark Avenger
    Vacsina
    Mix1
    Fumble
    Dbase
For each virus covered, the following topics are discussed.
    Recognition and detection
    How the virus copies itself
    What the virus does
    How to get rid of it
    Other information
    Technical details
This information is extracted from the documentation for an anti-viral
package, and was sent by the author.

msdosvir.a89
The autumn '89 issue of Dr. Klaus Brunnstein's virus catalog for MSDOS
computers. Viruses covered in this are:
    Autumn Leaves = Herbst = "1704" = Cascade A Virus
    "1701" = Cascade B Virus
    Bouncing Ball = Italian = Ping Pong = Turin Virus
    "Friday 13th" = South African Virus
    GhostBalls Virus
    Icelandic#1 = Disk Crunching = One-in-Ten Virus
    Icelandic#2 Virus
    Israeli = Jerusalem A Virus
    MachoSoft Virus
    Merritt = Alameda A = Yale Virus
    Oropax = Music Virus
    Saratoga Virus
    SHOE-B v9.0 Virus
    VACSINA Virus
    Vienna = Austrian = "648" Virus
A typical entry would have the following sections and subsections:
    ==== Computer Virus Catalog 1.2: ====
        Entry, Alias(es), Virus Strain, Virus detected when, where,
        Classification, Length of Virus
    ---- Preconditions ----
        Operating System(s), Version/Release, Computer model(s)
    ---- Attributes ----
        Easy Identification, Type of infection, Infection Trigger,
        Interrupts hooked, Damage, Damage Trigger, Particularities,
        Countermeasures, Countermeasures successful, Standard means
    ---- Acknowledgement ----
        Location, Classification by, Documentation by, Date
    ==== End of Virus ====
An update scheduled for the beginning of the year should almost double
the number of viruses cataloged.

Jim

------------------------------

Date: Fri, 01 Dec 89 14:45:00 -0500
From: Peter W. Day
Subject: Viruses on Demos and diagnostics

Communications Week 11/27/89 p.25 quotes John McAfee to the effect that
most virus infections in the corporate world are caused by infected
demonstration software and diagnostic software sent by software
developers, distributors and other vendors to their customers.

------------------------------

Date: Sun, 03 Dec 00 19:89:13 +0000
From: greenber@utoday.UU.NET (Ross M. Greenberg)
Subject: Request for Submissions

(In addition to contacting Ed Wilding, you may also contact me: I'm an
editorial board member. Ross M. Greenberg, greenber@utoday.uu.net)

- -------- Call For Papers and Submissions for Virus Bulletin ------

Anyone wishing to write on any of these topics, or wishing to receive
the Virus Bulletin notes for contributors, should contact Edward
Wilding, Editor, Virus Bulletin, Haddenham, Aylesbury HP17 8JD, UK.
Tel. 0844 290396, Tel Int. +44 844 290396, Fax 0844 291409,
Fax Int. +44 844 291409.

For circulation to Virus Bulletin Editorial Board and all interested
parties.

Virus Bulletin copy submission deadlines 89/90.

Issue 1.6    December 1989    Friday 1st December 1989
Issue 1.7    January 1990     Friday 22nd December 1989
Issue 1.8    February 1990    Friday 19th January 1990
Issue 1.9    March 1990       Friday 23rd February 1990
Issue 1.9    April 1990       Friday 23rd March 1990
Issue 1.10   May 1990         Friday 20th April 1990

(Please note that the copy deadline for Issue 1.7 (January 1990) is
before the Christmas recess).

Forthcoming Subjects

The following is a list of possible articles in forthcoming editions.
These are only suggestions and I welcome other ideas or more extended
examination than listed.

1. Should we trust public domain anti-virus software?
   There are many arguments both for and against public domain
   anti-virus software - this article should attempt to outline its
   pros and cons and provide some guidelines for prospective users.

2. Practical steps for non experts in dealing with a network computer
   virus attack.
   What should be done immediately by systems administration in the
   face of such an attack?

3. Procedural steps to preventing computer virus infection.
   A checklist of procedures and rules which if observed will minimise
   the risk of a virus attack.

4. Anti-virus software evaluation in a corporate environment.
   By which criteria do large corporate microcomputer using
   organisations judge such software? Is there consensus on this point?

5. How do you test the value of an anti-virus package without having
   access to computer viruses?

6. 'Lab' viruses versus 'real world' viruses.
   Is it necessary for researchers to create viruses? What are the
   benefits and does experimentation present any dangers?

7. Towards a common terminology and nomenclature.
   1701, Fall, Cascade, Hailstorm, 1704 - how do we overcome the fact
   that there is no agreement or consensus about naming or classifying
   viruses? Why is this? Equally, can we develop an agreed glossary of
   terms about the types of virus and their methods of infection?

8. Does commercial interest on the part of the 'virus industry'
   worldwide inhibit the anti-virus war?

9. Case studies.
   I should very much like to receive good case studies which detail
   an actual virus attack, its impact, and the methods used to clear
   the infected system and restore operations. Specifics about the
   organisation need not be stated but a clear description of the
   affected computer environment is necessary.

10. Worm programs.
    Classifying network vulnerabilities and/or analysis of recent worm
    programs such as Internet or the two well known NASA SPAN attacks.
    Are there any universal procedures or methods to prevent such
    attacks and/or control them?

11. Statistics about virus attacks.
    Will it ever be possible to collate accurate data about the
    propagation of computer viruses? Refusal to report incidents means
    that at best we can only guess about the spread of specific
    viruses. Can we tell how fast a virus will spread by its design?

12. Mainframe viruses / replicative attack programs.
    Fact or fantasy? Specific incidents would be helpful. What factors
    have served to suppress mainframe virus writing / propagation /
    reports? Patches (to increase general security) for specific
    machines would be welcome.

13. Forensic evidence.
    Most countries have no effective legislation to combat computer
    misuse. Even if laws to criminalise virus creation are introduced
    (such as that recommended by the Law Commission, UK, or implemented
    by the state of California, USA) the courts will face a difficult
    task in prosecuting. Are methods available to trace or identify
    computer virus writers? Would this evidence be sufficient to
    convict in a court of law?

- ---

Virus dissections (the analysis of a specific computer virus) are
always welcome. These should not exceed 2200 words. Also details for
programmers providing virus hexadecimal patterns, infective length,
entry point and offset.

------------------------------

Date: 04 Dec 89 04:17:15 +0000
From: munnari!cavs.syd.dwt.oz.au!johng@uunet.UU.NET (John Gardner)
Subject: Re: Linkable virus modules

IA96@PACE.BITNET (IA96000) writes:

>1) A new or existing virus is developed and produced as a linkable
>   object file.
>
>2) Said object file is then either directly linked into an executable
>   file at link time, or placed in a run-time library.

There is a virus on the amiga that looks for an executable that is in
the startup batch file and moves the executable's code into a data
segment and inserts itself into the code segment. If it can't find the
startup file it then inserts itself into the dir command. It is easy to
spot as one of your commands changes size, and you just have to delete
that command to kill it.

- --
PHONE : (02) 436 3438       ACSnet : johng@cavs.dwt.oz
"But that wasn't the question !" - Do Androids Dream Of Electric Sheep

------------------------------

Date: Sat, 02 Dec 89 23:44:00 -0500
From:
Subject: The Norton "virus"

Does anyone that has seen this NORTSHOT.ZIP know if the McAfee SCANRES
or EXERUN will detect it if you run the obnoxious file? I have heard
that the file doesn't bother anything unless you explicitly execute it
and that SCANV doesn't detect it. Maybe these will find it if it is
executed? [Kids, don't try this at home!!]

Chris
ACSCS@SEMASSU
Business Info. Systems Major
Southeastern Massachusetts University
N.Dartmouth, MA 02747

------------------------------

Date: Tue, 05 Dec 89 13:59:28 +0000
From: rwallace@vax1.tcd.ie
Subject: Re: Virus attack [AMIGA]

armhold@topaz.rutgers.edu (George Armhold) writes:

> My question is, could this virus (Byte Bandit) have been responsible
> for the problems we had printing? We had the right printer driver,
> and the preferences settings all seemed OK but it just would not print
> properly. It changed type style randomly, stopped printing half way
> through a job, and wouldn't abide to margin settings. I've never had
> this type of problem before with Scribble!, which leads me to believe
> that the virus might have had something to do with it. I know that
> virii on the Mac tend to affect printing. Has anyone else experienced
> this situation?

I've never heard of Byte Bandit affecting printing, but you generally
can't predict what a virus will do on someone else's system. There are
too many variables and virus code is generally too badly written. The
only answer is, if the problems show up with the virus in memory and
not without it then the virus caused them.

"To summarize the summary of the summary: people are a problem"
Russell Wallace, Trinity College, Dublin
VMS: rwallace@vax1.tcd.ie
UNIX: rwallace@unix1.tcd.ie

------------------------------

Date: 05 Dec 89 07:51:49 +0000
From: boulder!boulder!johnsonr@ncar.UCAR.EDU (JOHNSON RICHARD J)
Subject: Re: Viruses and Anti-Semitism...

dmg@lid.mitre.org (David Gursky) writes:

>I could not help but notice that the latest version of nVIR adds new
>resources called "JUDE". ... Jude is
>German for "Jew". Call me paranoid, but could there be some
>connection?
>My personal suspicion is that this clone was created by some
>anti-semitic group in Germany...

Well, my personal opinion is that someone used a random name generator
to pick a four character resource type. Then again, it could be a virus
from the depths of the USSR's intelligence community, released to sow
dissension among groups in W. Europe and distract them from the
momentous events in E. Europe.

What use is speculation, though? When someone catches the "author" of
this latest nVIR clone, I think the first question he or she will be
asked by the tabloid reporters is, "Was the virus a feeble attempt at
an anti-semitic statement?" Until then, I'll stick to the random name
"theory."

| Richard Johnson                       johnsonr@spot.colorado.edu  |
| CSC doesn't necessarily share my opinions, but is welcome to.      |
| Power Tower...Dual Keel...Phase One...Allison/bertha/Colleen...?...|
| Space Station Freedom is Dead. Long Live Space Station Freedom!    |

------------------------------

Date: Fri, 01 Dec 89 16:17:37 -0500
From: Naama Zahavi-Ely
Subject: Yale virus (PC)

Hello!

The Yale/Alameda virus is essentially harmless. The message you report
was not present in the version of the virus that I am familiar with;
are you sure it comes from the virus and not from some line in the
autoexec.bat file? If it does come from the virus, then you are dealing
with a different version than the one I know and you should take my
information with a grain of salt.

The Yale virus that I know is a boot sector virus. It is easy to get
rid of -- boot the computer from a clean, write-protected floppy and
give the command SYS x:, with x: being the drive holding the infected
disk. The Yale virus that I know does not infect hard disks.

I hope this helps!

Best wishes,
- -Naama

------------------------------

Date: Mon, 04 Dec 89 10:37:00 -0500
From: TTHOMAS@ccmail.sunysb.edu
Subject: Jerusalem-B (PC)

At S.U.N.Y, Stony Brook, two of our computer labs (about 30 PS/2 50 and
PC/XT machines) have been hit by the Jerusalem-B virus. We have used
B.R.M's UNVIRUS and IMMUNE programs to successfully combat it so far.
Could someone please send me a detailed description of what exactly
this critter does? Thanks in advance.

=================================================================
THOMAS B. THOMAS                 Micro Systems/Analyst
Instructional Computing          BITNET:   TTHOMAS@SBCCMAIL
Computing Center                 INTERNET: TTHOMAS@CCMAIL.SUNYSB.EDU
State Univ. of New York          VOICE:    (516) 632-8031
Stony Brook, NY 11794-2400

------------------------------

Date: Mon, 04 Dec 89 10:42:00 -0600
From: "Roger Safian, VAX Systems Group"
Subject: Preventing the "Ping Pong" virus (PC)

Greetings,

We seem to have an outbreak of the "Ping Pong" virus here at
Northwestern University. I am wondering if there is some sort of
anti-ping-pong utility out there. Is there such a thing that would
allow writes to a disk, but only if it is not to the boot blocks? What
is the best way to combat this beast? I think we have version B here,
as it infects floppies as well as hard disks.

On a related subject, what is the latest version of viruscan?

Thanks in advance
Roger Safian

------------------------------

Date: 04 Dec 89 21:09:00 +0100
From: muellerm@inf.ethz.ch
Subject: Re: JUDE Virus (Mac)

Yes, the "Jude" virus is for real. However, so far it only has shown up
at the University of Zurich and Swiss Federal Institute of Technology
(ETH) Zurich, Switzerland. It is an exact clone of nVIR type B; the
only difference being the name of the viral resource which has changed
from "nVIR" to "Jude". VirusDetective 3.1 positively identifies the new
virus as nVIR strain. Both Vaccine and GateKeeper successfully prevent
an infection. GateKeeper will, however, let through some of the "Jude"
resources, but no contagious infection results. New versions of
Disinfectant (version 1.3) and other anti-viral tools should be out
real soon.

Markus Mueller
Institut fuer technische Informatik und Kommunikationsnetze
Eidgenoessische Technische Hochschule
CH-8092 Zurich
Switzerland

Switch : muellerm@inf.ethz.ch
ARPA   : muellerm%inf.ethz.ch@relay.cs.net
UUCP   : muellerm%inf.ethz.ch@cernvax.uucp
X.400  : G=markus;S=mueller;OU=inf;O=ethz;P=ethz;A=arcom;C=ch

------------------------------

Date: Tue, 05 Dec 89 11:23:25 -0500
From: Kenneth R. van Wyk
Subject: Morris Trial Postponed

[Ed. Thanks for typing this article in, Tom!]

Quoted from COMPUTERWORLD - December 4, 1989 - page 17

`Morris seeks classified data'
by Michael Alexander, CW Staff

SYRACUSE, N.Y. -- The trial of Robert T. Morris Jr., the young hacker
alleged to have launched a worm into the Internet last year, was
postponed last week after his lawyer notified the court that he needs
access to classified information he claimed is critical to the case.

Additionally, Morris' lawyer, Thomas Guidoboni, charged that the
government had not responded quickly enough to requests for a list of
computer sites allegedly struck by the worm.

"The trial was postponed at my request over government opposition
because we needed more time to prepare," Guidoboni said.

In a motion filed Nov. 21 for a continuance, Guidoboni said that the
defense had filed for a motion under the Classified Information
Procedures Act (CIPA) requesting classified information important to
the case. In the same motion, Guidoboni said the government had failed
to provide him with a complete list of the institutions that the
government intended to prove had been affected by the worm and a list
of witnesses it intended to call.

"I have been told that some of the information that is useful to my
case is classified," Guidoboni said. "It may or may not be. I don't
want to overplay it or belittle it, but we needed some time to get that
worked out.

"Less than two weeks before the trial [on Nov. 20], the government
added new names to the list that were not mentioned in the indictment
as well as filed a motion to withdraw one of the original names
mentioned," Guidoboni said. "I wanted time to look into that."

In opposition to the motion for a continuance, government lawyers said
that the national security issues raised in the CIPA motion were being
resolved and would have no effect on the defense's ability to proceed
or on the timing of the trial.

Responding to the issue of not having responded in a timely manner to
the defense's requests for a list of victims or witnesses it intended
to call, "the government has complied with all court orders to provide
discovery," said Mark Rasch, trial attorney for the Justice Department.
In addition, the defense has had ample opportunity to request and
receive additional information related to the case, he said.

The government is seeking in a motion to remove the U.S. Air Force
Logistics Command at Wright Patterson Air Force Base in Dayton, Ohio,
from a list of four sites mentioned in the jury indictment as having
been allegedly hit by the worm. Rasch declined to comment on why the
government wishes to remove this particular site from its list of
victims, while adding that it intended to offer evidence on 16 sites in
all. Guidoboni filed an objection to that motion last week, and a
decision is pending.

Last week, U.S. District Judge Howard Munson agreed to continue the
case to the week of Jan. 8. A new trial date has not been set.

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253