VIRUS-L Digest Friday, 17 Feb 1989 Volume 2 : Issue 50 Today's Topics: INIT29 in documents (was: AppleShare network security) (Mac) virus book Hardware-induced virus reported in Communications of the ACM ANTI virus report (Mac) Closed virus list proposal --------------------------------------------------------------------------- Date: Thu, 16 Feb 89 16:12 GMT From: Danny Schwendener Subject: INIT29 in documents (was: AppleShare network security) (Mac) > [...] Since there is now a > virus (INIT 29) that attaches itself to documents, I am understandably > nervous about unknown files lying around on the server. A copy of the INIT29 virus in a 'plain' document (i.e. with a file type different to 'INIT','CDEV' or 'RDEV') will not be executed. It just uses up unwanted space. Still, that PageMaker could break the network security of Appleshare is rather odd. - -- Danny Schwendener ETH Macintosh Support ------------------------------ Date: Thu, 16 Feb 89 13:21 EST From: Subject: virus book I ordered the virus book "viruses/high tech risk.." from abacus $18.95+ship.. 4 day delivery. It looks interesting. I will read it over the weekend and send a description monday. James Peterson, sys engineering LIU/South Peterson@liuvax.bitnet 516/283-4000 x351 ------------------------------ Date: Thu, 16 Feb 89 16:50 EDT From: Subject: Hardware-induced virus reported in Communications of the ACM >From Communication of the ACM, February 1989, Volume 32 Number 2, Page 274 Nova University and ErrorNot Isolate Particular Computer Virus A hardware-induced computer virus could potentially affect 25 million microcomputers, according to a recent discovery by researchers at Nova University and ErrorNot Corporation. The researchers say the virus is the result of faulty programming in the microcode of a device used in computers. Research indicates this virus causes data corruption, and its random pattern of attack with small data destruction makes it difficult to identify. The virus's dormancy period varies from weeks or months to even years. Nova University's Computer Science Department has assembled the results of its findings (TR-881101-1) and a risk-assessment program that helps users determine their susceptibility to the virus. Both are available on a disk for $5 from Dr. Edward R. Simco, Dean, Computer Science Department, 3301 College Avenue, Fort Lauderdale, FL 33314; (305) 475-7563. The researchers at ErrorNot Corporation have created a slotless device they say is effective in eliminating the virus. For more information contact William R. Griffin, President, ErrorNot Corporation, 3200 North Federal Highway, Suite 120, Boca Raton, FL 33431; (407) 395-2306. Anyone heard about this from any other source? Anyone at Nova University or ErrorNot who would like to elaborate? Cheers... Mark James Burge mjburge@owucomcn ------------------------------ Date: Fri, 17 Feb 89 02:42:00 +0100 Sender: Virus Alert List From: Danny Schwendener IDA Subject: ANTI virus report (Mac) This is a report on the ANTI Virus. For any information, please contact me directly at the following address: Danny Schwendener ETH Macintosh Support, ETH-Zentrum, m/s PL, CH-8092 Zuerich, Switzerland UUCP: macman@ethz.uucp BITNET: macman@czheth5a.bitnet Internet: macman@ifi.ethz.ch AppleLink: macman%czheth5a.BITNET@DASNET# Note: This is an extract of the full report. Sensitive information has been removed. The full report has been sent to known authors of virus detectors and vaccines. Please distribute this version of the report as widely as possible. I don't have access to CompuServe, GEnie or CalvaCom. A. HISTORY The virus initially appeared in France. So far, it has been signaled in Paris, Marseille and a few other places in France. Thierry Lalettre, chief moderator of the Macintosh forum in CalvaCom, alerted by user contributions in his forum, posted a warning to CompuServe and mailed samples of the virus to a few authors of macintosh vaccines and viral detectors, including myself. Note: CalvaCom (formerly Calvados) is Europe's largest commercial electronic conferencing system, in the same spirit as CompuServe or GEnie, but mainly directed at owners of Apple products. B. OVERVIEW The ANTI Virus is a program that attaches itself to the end of the main code resource of an application. It patches the main code so that it is invoked in the first place each time the application is started. An infected application will try to infect the system heap, if it wasn't already infected beforehand (the system heap means the part of the system that has been loaded into memory at boot-time. ANTI does *not* infect the file 'System'). The virus does nothing hazardous besides propagating itself. It is less contagious than the INIT29 virus, but more than nVIR. The hypothesis made by Thierry Lalettre, stating that Apple France Developer Support Manager Alain Andrieux' program 'Stamp 1.0b5' has been purposely recompiled by an unknown person to include special infection code, is wrong. A disassembly of all resources in the application only showed up that it was infected in a normal way by the ANTI virus. Thierry also stated that the virus only attacks applications with CODE ID=1 named "Main". This is not correct. Actually, the virus propagates to all applications whose main code entry starts with a JSR. Most compilers create this type of applications, and some of them, including MPW, name the CODE ID=1 resource "Main". Under certain circumstances, the virus also propagates to all other kind of applications (i.e. the ones which don't start with a JSR). The virus assumes that the main program entry of the application to infect is contained in CODE ID=1. This is the case in all normal applications. Applications whose main routine is contained in a CODE resource different from ID=1 will either not be infected or crash. Portions of the code suggest that the virus has been written as part of a copy-protection scheme. C. DETECTION The virus can be detected by several means: - - it adds 1344 bytes to the CODE ID=1 resource of the file. An infected application will have grown by 1K. The modification date is changed to the date and time of the infection. - - it contains seven occurrences of the hex sequence $16252553. The last occurrence of this sequence is located 43 bytes before the end of the CODE ID=1 resource. The virus uses this sequence to detect if a System or an application has already been infected. - - the virus also contains a 9-char. pascal string 'ANTI ' (hence its name) followed by the hex sequence. The 9-byte string is followed by the pascal string '#000000'. - - it patches _MountVol and _OpenResFile. Trap watcher programs like GateKeeper, RWatcher or Vaccine will successfully prevent infections. There is however a restriction with Vaccine: As the virus temporarily uses the pointer to the global variables (A5) for internal tasks, Vaccine will not be able to access the screen to display a warning alert. If the option "Always compile MPW INITs" is unchecked, it will beep and wait that the user presses 'y' (allow resource copy) or 'n' (don't allow copy). If the option is checked, Vaccine will allow the infection without warning the user. So be careful if you use that option. The next release of VirusDetective will be able to find this kind of virus by looking for specific hex sequences. D. REPAIR Note: I personnally don't endorse this. Badly repaired applications may cause much more harm than the virus itself could ever do. An infected application should be deleted. I'm including this information for those who forgot to backup their disks. The virus starts with the following hex sequence: 000000: 6000 0028 0000 0000 1625 2553 0723 3030 000010: 3030 3031 0941 4e54 4920 1625 2553 0723 000020: 3030 3030 3030 xxxx xxxx xxxx xxxx contains the saved values for the instruction words that have been patched by the virus. To repair an application: 1- Be sure you're working in a clean environment (uninfected Finder and ResEdit). 2- Open the CODE ID=0 resource. Write down the word at position 16 (first word of the third line if opened with ResEdit). This value tells you at what position within the CODE ID=1 resource you have to look for the patch, and is usually $0000. 3- Search in the CODE ID=1 resource for the hex sequence I described above. write down the value I noted as 'xxxx xxxx'. 4- Still in CODE ID=1, find the location of the patch, with the value you found in step 2. The first word of the patch should be $4EBA. 5- Replace the patch by the two words you found in step 3. 6- Remove the whole virus code (everything from the virus start to the end of the resource). This step is not absolutely necessary. D. INTERNAL WORKINGS The _MountVol patch works as follows: - - Call original _MountVol - - Check if mounted volume is a floppy drive. If not, exit. - - Check if floppy is old (400K) or new (800K) and if the disk is single-sided or a double-sided. According to the result, read in either logical block 192 or 384. - - check for our hex sequence in position 8 of the block. If found, JSR to the code in position 0 of the sector, then exit. Note: The virus does not contain any portion of code that writes something directly to a logical block. Also, the code that will be executed if the search is successful is not known at this point. This routine has a strong ressemblance to existing copy-protection schemes. It is very possible that the virus is part of a copy-protection. I won't comment on copy-protection per se, but I find using viruses as part of a product's protection scheme extremely unethical. ------------------------------ From: David.J.Ferbrache Date: Fri, 17 Feb 89 10:32:13 GMT Subject: Closed virus list proposal A proposal for a closed virus technical list -------------------------------------------- Following my original message concerning authentication, I have a proposal which I wish comments on, namely the formation of a new virus list (in addition to VIRUS-L) with a closed membership. As you may be aware the issue of viruses is, and is likely to remain, exceptionally sensitive. Subscribers to VIRUS-L who are industrial or commercial concerns are naturally extremely reticent to disclose any details of infections on open lists, equally researchers in the field are loath to circulate any technical details over and above those concerning the symptoms of the virus, and the disinfection methods. I my case I am researching the area of viruses, attempting to analyse the techniques of concealment utilised by viruses with a view to the analysis of future trends in the threat from viruses, and to develop possible counters to virus infection. Such work requires a degree of technical information which many people will not reveal on an open list, nor will they mail such information to a correspondant on the list without authentication. Therefore (and I have discussed this informally with Ken) I would like to propose: 1. The establishment of a closed additional virus list with membership by invitation initially, followed by additions only on request with suitable authentication. (Checks with establishment, through known contacts etc) 2. That the materials discussed on the closed list are monitored by a moderator who would be responsible for circulating any non-sensitive material to VIRUS-L and VALERT-L. Eg, initial contact reports to VALERT-L, symptoms and information on disinfection software to VIRUS-L. 3. That VIRUS-L remain an open list for discussion on all aspects of viruses (hopefully people will realize that reports of new viruses must still be public and contain sufficient details to identify the virus, and take elementary precautions). Finally regarding the security of the new list, I suspect that we can take one of two approaches, 1. Handle traffic in an unencrypted manner and assume the possibility of interception on route either by intermediate uucp sites or by ethernet taps. 2. Encypt end-to-end with the obvious handling and key management difficulties. I think everyone who subscribes to this list should realize that the threat from computer viruses is likely to grow rapidly, as will the difficulties of monitoring the spread of new strains and the development of disinfection software. This is an area where a world wide list such as that proposed can make a major contribution in acting as a clearing house for virus information. It is vital however that the members of such a list trust both the integrity of the list and of the members (who would preferably be either academic researchers in the field, or representatives of companies or known consortia). Comments please, either to the VIRUS-L discussion list or by email to me personally. I will collate the comments and discuss the outcome with Ken, and then mail the list concerning whether the formation of the new list will go ahead. Dave Ferbrache Personal mail to: Dept of computer science Internet Heriot-Watt University Janet 79 Grassmarket UUCP ..!mcvax!hwcs!davidf Edinburgh,UK. EH1 2HJ Tel (UK) 031-225-6465 ext 553 ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253