VIRUS-L Digest Wednesday, 8 Feb 1989 Volume 2 : Issue 39 Today's Topics: On COMMAND.COM viruses... (PC) Re: Master Virus Listing info request Virus Manual/Computer Phreak's Cookbook/Bit Jammer's Bible (c) Brain (PC) Re: Anarchist Cookbook for Computers How To Book, 2 New Macintosh Virus (from Newsgroups: comp.sys.mac) Latent Mac viruses?? --------------------------------------------------------------------------- Date: Tue, 7 Feb 89 10:36:40 est From: ubu!luken@lehi3b15.csee.lehigh.edu Subject: On COMMAND.COM viruses... (PC) This latest occurrence of the Lehigh Virus made me realize (again) how blatantly hole ridden the COMMAND.COM file is. The last couple hundred bytes in every version of COMMAND.COM (that I've seen) contain all 00s (for stack space while the program is executing). Also, the *very first* instruction in the file is a JMP. What's worse, almost all PCs have a COMMAND.COM file in their root directory. It doesn't take a rocket scientist to figure out how to exploit these similarities. The best thing that a person can do (imho) to protect themselves from a "garden variety COMMAND.COM virus" is to remove their computer(s) from this homogeneous environment by placing a statement like: SHELL=C:\BIN\DOS\COMMAND.COM /P in each CONFIG.SYS file, thus booting from a COMMAND.COM in a different directory, would help. Also, put a: SET COMSPEC=C:\BIN\DOS\COMMAND.COM in each AUTOEXEC.BAT file. This will allow normal functioning in MS-DOS without leaving a COMMAND.COM file wide open to viruses. Once exception to this (at least in the case of Zenith MS-DOS) is with the FORMAT command; it requires a COMMAND.COM file in the root directory to format a bootable disk. That is, the authors of FORMAT (Microsoft? Zenith?) didn't adhere to the standard way of pointing to the COMMAND.COM (heavy sigh)... I realize that this has all been discussed before on VIRUS-L, and that it certainly isn't going to stop all viruses (!). It will, however, at least hide a major Achilles Tendon in MS-DOS. Of course, if *everyone* did the above, then the environment would once again become homogeneous, so each person should find a different "hiding place" for their COMMAND.COM file. Also, the best solution would be for Microsoft to change some of their programming practices. Static memory allocation is asking for problems. It's also surprising how many programs place a JMP statement as their very first instruction. For what it's worth, Ken ------------------------------ Date: 7 Feb 89 From: J. D. Abolins Subject: Re: Master Virus Listing info request For Paul Bienevue's question about a master virus listing, I don't of a comprehensive existing one yet. There are several of us who are attempting to get a list going. The DIRTY DOZEN listing by Eric Newhouse has a virus section. It is the only widely available attempted virus listing I know of. But the listing is woefully out of date (although for other malicious programs it is excellent.) In communicating with Eric again on the Crest BBS, he told that he plans one more Dirty Dozen listing- version 9.0. After that, he might be "retiring" from makingmore such listings. In any case, we (the people working on a virus listing) aim to continue the virus listing past the Dirty Dozen if it should cease. A general question: What are some of the taxonomical conventions for virus cases? Ie; naming schemes for the cases.Some have been discussed here lately. Of course, there is the approach of naming the case after it first major reported site (eg; Lehigh virus, Jerusalem virus, etc.) But such conventions can create problems, including giving the im- pression that the case is localized and by causing adverse publicity for the site named.I would like to have the choices of conventions so that a "neutral" scheme could be used for virus listing. The other names could given as "aliases, AKA's) Thank you. J.D. Abolins / 301 N. Harrison Str. #197 / Princeton, NJ 08540 USA (609) 292-7023 ------------------------------ Date: Tue, 07 Feb 89 11:37:08 EDT From: 34AEJ7D@CMUVM.BITNET Subject: Virus Manual/Computer Phreak's Cookbook/Bit Jammer's Bible We would like very much to capture a copy of this publication. (Please, no flaming diatribes about the evils of reading such material.) We now have fairly good evidence that it is already in circulation at at least one institution with which we have close ties and with whom we share a certain common body of studetns. The potential result of that is not hard to assess. Additionally, this list itself has already offered an awareness of such a publication to the student community. We need to be aware of what we could be up against. Please reply to me privately, for obvious reasons. ............................................................................ |W. K. "Bill" Gorman "Do Foust Hall # 5 | |PROFS System Administrator SOMETHING, Computer Services | |Central Michigan University even if it's Mt. Pleasant, MI 48858| |34AEJ7D@CMUVM.BITNET wrong!" (517) 774-3183 | |Disclaimer: These opinions are guaranteed against defects in materials and| |workmanship for a period not to exceed transmission time. | |..........................................................................| ------------------------------ Date: Tue, 7 Feb 1989 09:41 PAC From: Marty Zimmerman Subject: (c) Brain (PC) I'm looking for any information or advice on the "(c) Brain" virus. Has anyone documented the means by which this thing breeds? Thanks in advance for your help. P.S. - please reply directly to me, unless you think your comments would be of interest to everyone. Marty Zimmerman University of Idaho Computer Services [Ed. Take a look at J.D. Abolins's message in this digest.] ------------------------------ Date: Tue, 7 Feb 1989 12:38 EST From: Bruce Ide Subject: Re: Anarchist Cookbook for Computers If they tell you how to write 'em, the are also telling you what to look out for and how to destroy them. I'd buy the book. -Grey Fox ------------------------------ Date: Tue, 07 Feb 89 19:12:53 MEZ From: Konrad Neuwirth Subject: How To Book, 2 I just wanted my $0.02 to the discussion about a HOW TO book. I don't think it is a bad idea to publish a virus. If someone types in the virus from the book I cited earlier, almost nothing happens. and if he just changes the routines which do something to the system (the writer uses a "SHELL") it should be easier to write a antidote. I know it is not easy to find about how the code was originally written, but it should be easier to scan a program or anything infectable for a certain bit of code, which can come from the book. - -konrad p.s.: the book doesn't give a listing of an antidote. maybe that would be an idea worth thinking about... ------------------------------ Date: 7 Feb 89 15:29:46 GMT From: hammen@csd4.milw.wisc.edu (Robert J. Hammen) Subject: New Macintosh Virus (from Newsgroups: comp.sys.mac) This is some info on a new Mac virus. This article was originally posted on CompuServe, and reposted on Delphi by Robert Wiggins: Reposted message at the request of the author, Thierry DeLettre: Until now, all known Macintosh viruses could be easily detected by the additional resources they created. Now, it's over... There is at least one virus that creates no additionnal resource. This virus is called ANTI, and infects only applications (and other files, ID=1 resource. It inserts a JSR at the beginning of the resource and all the virus code at the end. It seems to be very recent, but we have already found infected Macintoshes in Paris and Marseilles, and it is probably making its way fast across all Europe. This virus is _not_ detected by VirusDetective or other utilities. It installs itself even when Vaccine is on. Vaccine beeps only if the 'Always compile MPW Inits' is _not_ checked. Virus Rx does not detect ANTI's presence in other files, but, when infected itself, changes its name to 'Throw me in the trash'. It doesn't seem to infect all applications, but only some (the ones with a CODE 1 resource called 'Main'). We haven't found how it works yet. It doesn't seem to change the System file, which doesn't contain a CODE resource. The contagion seems to be spread by the Finder. To see if an application is infected, you have to open its CODE ID=1 resource with ResEdit and search for the ASCII string 'ANTI'. You can also use the advanced features (resource fork search) of GOfer. We haven't yet found the way to remove it, but only a way to deactivate it by changing the first words of the virus code to a RTS. There is a strange story about this virus. Two years ago, Apple France's developper's support manager, Alain Andrieux, wrote a utility for his own use called 'Stamp', with which he marked the programs he gave to developpers. If a confidential program was given out, he could easily know where it came from. His program added a CODE resource to the marked files, but did _not_ change anything in the CODE 1 resource. In January 89, a 'new' version of this program (Stamp 1.0b5) began to spread in the French Mac community. When run, this program installs the 'ANTI' virus into the marked or checked applications and/or into the Finder. These infected applications and Finders then become contagious themselves. It seems the virus author stole the source code of this program, changed it into a virus installer, then gave it away. Obviously, inserting a virus installer in an Apple program was done to damage Apple France's reputation... Thierry D, Chief Mac Sysop, Calvacom . P.S. A copy of the virus has been sent to Jeffrey Shulman and Robert Woodhead, so that they can update their anti-viruses consequently. . P.P.S. I don't have access to other major American on-line services, so please upload the above information where you can. Thierry can be reached via CompuServe at 76670,2260. /////////////////////////////////////////////////////////////////////////// / Robert Hammen | hammen@csd4.milw.wisc.edu | uwmcsd1!uwmcsd4!hammen / / Delphi: HAMMEN | GEnie: R.Hammen | CI$: 70701,2104 | MacNet: HAMMEN / / Bulfin Printers | 1887 N. Water | Milwaukee WI 53202 | (414) 271-1887 / / 3839 N. Humboldt #204 | Milwaukee WI 53212 | (414) 961-0715 (h) / /////////////////////////////////////////////////////////////////////////// ------------------------------ Date: Tue, 7 Feb 89 17:04:31 -0500 (EST) From: Mark Thormann Subject: Latent Mac viruses?? Hi. I was wondering if anyone had heard of any latent versions of nVir, Scores, etc. which waited until a certain number of copies had been made or a certain date passed before appearing. Would one of the current virus detectors spot one of these things before it activated? Any specific experiences anyone has had like this? If you reply to this mailing list, please carbon copy to me. Thanks, Mark Thormann Carnegie Mellon U. ARPANET: mt19@andrew.cmu.edu ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253