VIRUS-L Digest   Tuesday, 19 Dec 1989    Volume 2 : Issue 263

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list.  Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk

Today's Topics:

Re: Use of Digital Signatures
SCAN Update for AIDS Trojan (PC)
Source for virus detection programs (PC)
WDef and Gatekeeper Aid.
New/Old(?) Possible Virus (PC)
AIDS TROJAN RESEARCH
Re: AIDS Trojan (PC)
Aids cures (PC)

---------------------------------------------------------------------------

Date:    Mon, 18 Dec 89 14:20:55 +0200
From:    Y. Radai
Subject: Re: Use of Digital Signatures

When I submitted my contribution on Signature Programs (Issue 256) I
wouldn't have been surprised to be criticized for something I wrote, but
I hardly expected to be criticized for something I *didn't* write!
According to William Murray (#257),

>   The insistence of Mr. Radai et. al. that,
>since it is possible to detect and bypass any control, that all is
>futile does not stand up.  ....
>It is time to stop condemning the useful out of hand.  Those who insist
>upon doing so are contributing to the problem rather than the solution.

Just where, Mr. Murray, did you find in anything which I wrote, that I
"insist" that "all is futile" or that I "condemn the useful"???  I never
said anything remotely resembling these things.  The point I was making
was:  Security of the algorithm is not enough; what's important is the
security of the implementing program.  Where's the futility in that?

Well, maybe Mr. Murray thinks that these conclusions are somehow implied
by the position that it's possible to detect and bypass any control.
(Actually, I never said even *that*, but for sake of argument, let's
suppose that I did.)  Just how is that supposed to imply that all is
futile??  My actual opinion is quite the opposite: it's that even if we
can't create a perfect checksum or other anti-viral program, we should
make an effort to think of all possible holes in the system, and the
more we block, the better.  There is absolutely no implication of
futility or condemnation of the useful either here or in my original
posting.  In the future, Mr. Murray, please try to read more carefully
before attributing positions to others.

There were also some peculiar claims in the paragraph following Mr.
Murray's opening line "I suspect that Y. Radai misses the point of Bob
Bosen's posting."  However, I'll leave it to Bob himself to decide which
of us missed the point of his posting, Mr. Murray or me ....

                                        Y. Radai
                                        Hebrew Univ. of Jerusalem, Israel
                                        RADAI1@HBUNOS.BITNET

P.S.  I have not been receiving Virus-L regularly for the last couple of
months.  If there have been more recent (and hopefully more relevant!)
replies to my posting which call for an answer from me, please be
patient.

------------------------------

Date:    Sun, 17 Dec 89 13:53:12 -0800
From:    Alan_J_Roberts@cup.portal.com
Subject: SCAN Update for AIDS Trojan (PC)

Forwarded for John McAfee:

Even though the AIDS Trojan is not a true virus, the widespread mailings
of the diskette have created a high probability that we will see
continuing problems from this logic bomb.  Accordingly, I have updated
SCAN (V52) to detect the installed hidden logic bomb, and SCANRES (V52)
will prevent the diskette's INSTALL program from installing the time
bomb to begin with.

John McAfee

------------------------------

Date:    18 Dec 89 15:15:41 +0000
From:    attcan!ram@uunet.UU.NET (Richard Meesters)
Subject: Source for virus detection programs (PC)

Hi all,

I'm looking for a source for public-domain PC virus
protection/detection programs, preferably in the Toronto area.  If
anyone has a number I can call, please respond via e-mail.

Regards,
Richard Meesters

------------------------------

Date:    Mon, 18 Dec 89 12:16:09 -0500
From:    "Gregory E. Gilbert"
Subject: WDef and Gatekeeper Aid.

I booted some Macs with Gatekeeper Aid installed this AM.  I was
immediately presented with a rather sharp looking dialog announcing that
the "Implied Loader ABDS" virus(?) was found and removed.  Is this the
Wdef virus?  If so, why not call it such AND what is an "Implied Loader
ABDS".  Of course, if this is Wdef you can add the University of South
Carolina to the list of where the virus has spread.  If not I apologize
to Chris Johnson and all subscribers for my ignorance (it has been
peaking lately!).

Greg

Postal address: Gregory E. Gilbert
                Computer Services Division
                University of South Carolina
                Columbia, South Carolina   USA   29208
                (803) 777-6015

------------------------------

Date:    Mon, 18 Dec 89 13:02:41 -0500
From:    Arthur Gutowski
Subject: New/Old(?) Possible Virus (PC)

Someone here at Wayne State just sent me a note about some strange
symptoms he's been having.  Can anyone out there verify if this is
indeed a virus, and if so which one?  Here's the info I have (emphasis
mine):

"Here's what I know.  I *believe* that a disgruntled staff member *may*
have put the virus into my computer directly since the same problem
occurred six months ago to another administrator in the library.  He had
a student computer expert solve the problem, but this student is no
longer with us.

"I have an IBM XT with 640 and a 20meg hard drive.  I've had SCANRES
(Ed. v39) on the system since October 11.  The infection got in since
then.  SCANRES says that the system is clean.  I examined the AUTOEXEC
and CONFIG.SYS files.  They look clean to me.  Problems so far include:

WordPerfect 4.2:  The cursor keys add extra random characters such as a
'z' or 'k'.  I also got the message 'ARSOLE' and the system then locked
up from another cursor key sequence.

DESKTOP in PCTOOLS.  The calculator locked up.  I had to do a cold
reboot.

"I replaced my base files with the SYS command on Friday and haven't
noticed any problems yet, but the problems that I described above are
extremely intermittent."

Please reply to me, and I'll post a follow-up later.

Thanks,
Art

Arthur J. Gutowski                                               /=====\
Antiviral Group / Tech Support / WSU University Computing Center : o o :
5925 Woodward; Detroit MI 48202; PH#: (313) 577-0718             :     :
Bitnet: AGUTOWS@WAYNEST1   Internet: AGUTOWS@WAYNEST1.BITNET     : --- :
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- \=====/
Have a day.

------------------------------

Date:    Sun, 17 Dec 89 17:54:00 -0500
From:    IA96000
Subject: AIDS TROJAN RESEARCH

I have been asked to pass this message along to VIRUS-L and VALERT-L by
the fine people at SWE who have been hard at work researching the AIDS
problem.  I pass this message along unmodified exactly as it was
received from SWE.

AIDS "TROJAN" DISK UPDATE - DECEMBER 17, 1989

First, let us say for the record that everything reported so far by Mr.
McAfee is correct.  Our tests bear out the results he has obtained.

Having followed the messages and updates so far, and after conducting
extensive tests, SWE has no doubt that there is more than one version of
the "trojan" disk in circulation.  In certain aspects, the two AIDS
"trojan" disks we are testing act differently.  One has a counter in it
and one activates on the first re-boot!

SWE has been working 24 hours a day since we received copies of the AIDS
disks.  Let me clarify that statement.  We did not receive these in the
mail directly from the "trojan" authors.  We received our copies from
two of our clients.

The suspicion that some form of encryption is being used is accurate.
The versions of the disks we tested check the following criteria:

1) The version of DOS in use.  Both major and minor numbers are used.
   The major number would be 3 and the minor number would be .30 in DOS
   version 3.30.

2) The file length, date and time stamp of certain files are checked.

3) The amount of total disk space and free disk space are checked.

These three items are then combined and processed into the "initial"
encryption key.  A form of public key encryption is then used to perform
the actual encryption.  This was determined by the brute force
decryption method.  SWE has several 80486's and access to a VAX and they
were put to work decrypting the files.  It was made easier by the fact
that the original contents of the test disk were known.

One nasty little trick the AIDS "trojan" uses is that after each file is
encrypted the encryption key is modified slightly.  Fortunately, the
authors did not use a long encryption key.  Files encrypted using the
public key protocol become harder to decipher as the length of the
encryption key increases.  Government studies indicate that a file
encrypted using this protocol, with a 200 digit key could take as long
as ten (10) years to decrypt, if you devoted a CRAY exclusively to the
problem!

SWE first suspected and tested for the public key encryption method for
several reasons.  The major reason was the lack of access people outside
of the United States would have to the DES encryption formula.  For
those not aware, the U.S. Government guards the DES formula, and
software which makes use of this formula may not be exported out of the
United States.  Should it turn out that the DES formula was also used,
the authors of the AIDS "trojan" could possibly be prosecuted under
United States statutes pertaining to national security.

The second reason deals with the DES encryption method.  Students of
cryptology are well aware that the DES formula has been considered
vulnerable for some time now.  It is also a well known fact that DES
specific processors have been produced, which make "cracking" a DES
encrypted file much easier than the public key method.  The DES method
also limits to a greater degree the length of the encryption key.

Combining these two reasons along with the extraordinary expense the
authors of the AIDS "trojan" went to, we guessed that they would also
use a "first class" encryption method.  It also makes sense from another
point of view.  Since the "trojan" authors have gone to great care and
expense, it seems prudent they would not want to use an encryption
method which could easily be copied and distributed as a "master" cure
all.  Public key encryption is perfect in this regard.  Many different
versions of DOS are now in use, and depending upon the version of DOS in
use and other factors the "trojan" checks for, the decryption methods
which must be used will vary for different "trashed" disks.

This is not to say that other copies of the AIDS "trojan" will use this
same encryption method, or create the encryption keys in the same
manner.  That is yet to be determined!

Once we were able to decipher one file, it was a relatively simple
matter to decipher the rest.  We have been able to completely restore a
disk trashed by the version of AIDS "trojan".

SWE went about this research in a different manner than everyone else.
We have not reverse engineered the "trojans" to any great extent, nor do
we plan to do so.  This is best left to Mr. McAfee and the other
experts.  It is our considered opinion that Quick Basic along with
several machine language modules were used to develop these "trojans".
Reverse engineering a Quick Basic program along with the libraries
included at link time produces huge amounts of code.

As far as releasing the "fixes", not enough is yet known by SWE to be
able to provide a substantial program.  We need more information about
how many versions of the AIDS "trojan" are in circulation, as well as
samples of these for study.  SWE has no intention of publicly releasing
a "fix" at this time or in the future.  It is our opinion that the best
course SWE can take is to share our knowledge with others who have the
knowledge and experience to take what we learned and investigate
further.

To that end, SWE is willing to forget past differences with a specific
company and share our files as well as the "fixes" and our knowledge on
cryptology with them, for the good of the computing community.  If they
are interested, leave a public message on your BBS in the virus SIG.
Some type of agreement can be reached if you are interested in doing so!

The opinions and statements expressed herein are those of SWE.  These
are based on research done on two copies of the AIDS "trojan" disk we
have tested.  Findings produced by other people working on this problem
may agree, vary, or contradict our findings.  So be it!  SWE is not
competing with anyone else working on this problem.  We present this
information solely to acquaint the computing community on the details we
have discovered so far.

The information contained in the message above was supplied by the
people at SWE, who have postponed their vacation closing to conduct
research into the AIDS problem.  It is my opinion that everyone should
band together on this one!  The AIDS disk seems to be very complicated
and it will probably take the combined knowledge of everyone working on
this disaster to come up with a solution.

------------------------------

Date:    18 Dec 89 19:07:43 +0000
From:    Ralph Mitchell
Subject: Re: AIDS Trojan (PC)

dmg@retina.mitre.org (David Gursky) writes:
>The AIDS Trojan Horse discussed by Alan Jay and John McAfee raises some
>interesting questions about accountability.
>[...]
>In the broader case, could the perpetrators be extradited to one of
>the European countries that have better relations with Panama, and be
>held liable for damages even though the license says not to use the
>application without first paying for it.

There is no actual address on the documentation that comes with the
disk.  The only way to find out where to send the money is by running
the install program, though it doesn't even say that in the notes...  Of
course, by that time, it is firmly ensconced on your hard disk...

Ralph Mitchell
- --
JANET: ralph@uk.ac.brunel.cc      ARPA: ralph%cc.brunel.ac.uk@cwi.nl
UUCP:  ...ukc!cc.brunel!ralph     PHONE: +44 895 74000 x2561
"There's so many different worlds, so many different Suns" - Dire Straits
"Never underestimate the power of human stupidity" - Salvor Hardin, Foundation

------------------------------

Date:    Sun, 17 Dec 89 21:14:50 -0500
From:    Christoph Fischer
Subject: Aids cures (PC)

A I D S - D I S C E T T E
===========================

Dr. Solomon and I just had a phone conversation on possible cures for
the effects of the AIDS disc.

In STAGE ONE (the disc has been installed but the filenames are not
encrypted) several hidden directories, a file REM.EXE, and an altered
AUTOEXEC.BAT have been installed.  Some sources suggest removing these
directories, the added files, and restoring the original AUTOEXEC.BAT
will cure all effects of STAGE ONE.  Because of the uncertainty what
else the program does, people who want maximum security are advised to
copy the files to diskettes after the above procedure.  Low-level format
the discs and restore all programs and data.

Dr. Solomon and I are not sure that all discs behave the same way.  Our
samples don't touch harddiscs higher than C: (D:, E:, ...) but there are
reports of discs that do!  (maybe just rumors?)

STAGE TWO is entered after 90 executions of the AUTOEXEC.BAT with our
samples but there are victims that claim that their version of the
software skips STAGE ONE.

In STAGE TWO the program encrypts the filenames and alters other things.
A mockup is started after reboot from the harddisc that gives you a
correct directory listing plus an added comment that the lease of the
CYBORG software has expired.  In this stage the disc contents appear to
be useless.

Dr. Solomon was the first to discover a principle behind the encryption
and is working on a program to recover the original filenames.  We both
think that this mechanism should only be used to backup all data of an
infected disc.  A LOW-LEVEL format of the harddisc and reinstallation of
programs and data are the safest means to remove all effects.

Sincerely

Chris Fischer (University of Karlsruhe, West-Germany)
and
Dr. Alan Solomon (S&S Enterprises, Chesham, Bucks, Great-Britain)

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
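The Fischer/Solomon message in this digest lists the STAGE ONE artefacts of the AIDS diskette: several hidden directories, a file REM.EXE, and an altered AUTOEXEC.BAT. The Python script below is an added example, not code from the digest or from any of its contributors: it runs those three indicator classes over a directory snapshot and an AUTOEXEC.BAT, checking the latter against a hash recorded when the disk was known clean rather than by eyeballing it (the Wayne State correspondent's "they look clean to me" is exactly the check a stored hash replaces). The snapshot format, the sample paths, the hidden directory names and the infected AUTOEXEC.BAT line are all constructed for illustration; the real diskette's modification of AUTOEXEC.BAT is not reproduced here.

```python
"""Added example: check a DOS disk snapshot for the STAGE ONE artefacts
that Fischer and Solomon describe for the AIDS diskette (hidden
directories, a file REM.EXE, an altered AUTOEXEC.BAT).  The snapshot
format, sample paths and the infected AUTOEXEC.BAT are constructed for
illustration and are not taken from a real infected disk."""

from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed snapshot format: one entry per line, "<attrs> <path>".
# attrs is a subset of R H S A D ("D" = directory, our own convention),
# or "-" for no attributes.  Lines starting with "#" are comments.
CLEAN_SNAPSHOT = r"""
-    C:\AUTOEXEC.BAT
-    C:\CONFIG.SYS
RHS  C:\IO.SYS
RHS  C:\MSDOS.SYS
D    C:\DOS
D    C:\WP
-    C:\WP\WP.EXE
"""

# Constructed: the same disk after STAGE ONE.  The hidden directory names
# are invented; only the indicator classes (hidden directories, REM.EXE,
# changed AUTOEXEC.BAT) come from the Fischer/Solomon post.
INFECTED_SNAPSHOT = CLEAN_SNAPSHOT + r"""
DH   C:\HIDDEN1
DH   C:\HIDDEN1\SUB
-    C:\REM.EXE
"""

CLEAN_AUTOEXEC = "@ECHO OFF\r\nPATH C:\\DOS;C:\\WP\r\nPROMPT $P$G\r\n"
# Constructed: an AUTOEXEC.BAT that simply runs REM.EXE; the real
# diskette's edit is not reproduced.
INFECTED_AUTOEXEC = "@ECHO OFF\r\nC:\\REM.EXE\r\nPATH C:\\DOS;C:\\WP\r\nPROMPT $P$G\r\n"


@dataclass(frozen=True)
class Entry:
    path: str              # DOS path, upper-cased
    attrs: frozenset[str]  # attribute letters present


def parse_snapshot(text: str) -> list[Entry]:
    """Parse the constructed snapshot format into Entry records."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attrs, path = line.split(None, 1)
        flags = frozenset() if attrs == "-" else frozenset(attrs.upper())
        entries.append(Entry(path.strip().upper(), flags))
    return entries


def sha256_of(text: str) -> str:
    """Hex SHA-256 of a text file's bytes (DOS files are ASCII)."""
    return hashlib.sha256(text.encode("ascii", "replace")).hexdigest()


# Hash of AUTOEXEC.BAT recorded while the disk was known clean.  The advice
# to "restore the original AUTOEXEC.BAT" only works if you know the original.
BASELINE_SHA256 = sha256_of(CLEAN_AUTOEXEC)


def find_stage_one_indicators(entries: list[Entry], autoexec: str,
                              baseline_sha256: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means no match."""
    findings = []
    for e in entries:
        if {"D", "H"} <= e.attrs:                       # hidden directory
            findings.append(("hidden-directory", e.path))
        if e.path.rsplit("\\", 1)[-1] == "REM.EXE":     # the dropped file
            findings.append(("rem-exe-present", e.path))
    if sha256_of(autoexec) != baseline_sha256:          # altered AUTOEXEC.BAT
        findings.append(("autoexec-modified", sha256_of(autoexec)))
    for n, line in enumerate(autoexec.splitlines(), 1):
        if "REM.EXE" in line.upper():                   # and what it now runs
            findings.append(("autoexec-runs-rem-exe", f"line {n}: {line.strip()}"))
    return findings


def scan(snapshot_text: str, autoexec: str) -> list[tuple[str, str]]:
    """Parse a snapshot and check it against the clean baseline in one call."""
    return find_stage_one_indicators(parse_snapshot(snapshot_text), autoexec,
                                     BASELINE_SHA256)


if __name__ == "__main__":
    for label, snap, auto in (("clean", CLEAN_SNAPSHOT, CLEAN_AUTOEXEC),
                              ("infected", INFECTED_SNAPSHOT, INFECTED_AUTOEXEC)):
        hits = scan(snap, auto)
        print(f"{label}: {'no indicators' if not hits else ''}")
        for kind, detail in hits:
            print(f"  {kind:24} {detail}")
```

Two design points carry over from the digest. First, the hash comparison is only as good as the program doing it and the environment it runs in, which is Radai's point about the implementing program: on a real machine the snapshot and the check should be taken after a boot from a known-clean, write-protected floppy, not from the suspect hard disk. Second, a hit here confirms STAGE ONE only; Fischer and Solomon still recommend backing up and low-level formatting rather than trusting that removing the listed artefacts undoes everything the program did.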