VIRUS-L Digest            Thursday, 20 Apr 1989         Volume 2 : Issue 94

Today's Topics:

Viruses, Networks, and NFS: Questions
AppleShare volumes (Mac)
Forwarded: DenZuk Virus (PC)
Hiding Viruses by Intercepting Output

---------------------------------------------------------------------------

Date: Thu, 20 Apr 89 07:58:06 PLT
From: Joshua Yeidel
Subject: Viruses, Networks, and NFS: Questions

Joe Sieczkowski's recent remarks about the possibility of NFS-borne
viruses lead me to the following questions:

I understand that EXECUTING an infected program stored on an NFS server
could infect the client system. I'm wondering if NFS has loopholes such
that a client can be infected by a server WITHOUT the client requesting
execution of a server-based program (for example, via a worm process, a
bogus remote procedure call, or ???)

Anyone who knows NFS well is hereby invited to speculate. We are a few
weeks away from getting our first NFS machines, so I'm not very familiar
with the ins and outs (I don't have documentation yet, either). This is
not a burning issue, just a question which our security task force is
bound to ask sooner or later.

------------------------------

Date: Thu, 20 Apr 89 11:14 EST
From: Roberta Russell
Subject: AppleShare volumes (Mac)

I have a question about virus infections on an AppleShare file server.
If I partition the server into two "volumes", and if one of these
volumes becomes infected, will that infection spread to the other
volume? I'm not talking here about users infecting the other volume,
but about the infection spreading across the server from one volume to
another (users would have access to only one volume). Since both
volumes share the same operating system, I'm assuming this would be
true, but would appreciate more informed opinions.

Thanks,
Robin Russell
Oberlin College Computing Center
prussell@oberlin (bitnet)
prussell@ocvaxa.oberlin.edu (internet)

------------------------------

Date: Thu, 20 Apr 89 09:44:35 PDT
From: rogers@marlin.nosc.mil (Rollo D. Rogers)
Subject: Forwarded: DenZuk Virus (PC)

Here are more details as a follow-up to the message I forwarded to you
yesterday on this suspected new virus. This person is seeking
assistance to find a way to eradicate the infection and perhaps
disassemble a copy of it too..

------- Forwarded mail follows:

Original-Date: Thu, 20 Apr 89 10:12:40 EST
Original-From: iuvax!bsu-cs.bsu.edu!atariman@ucsd.edu (Jeff Scott)

Here is some general information about the 'DENZUK' virus. No specific
information is available as to its origin, what it actually does, or
how long it takes to do it.

The 'DENZUK' virus.

The DENZUK virus first started showing up here at Ball State
University, Muncie, Indiana around the 16th of April. It was first
noticed because every time that the computer is re-booted, a graphic
display will show up and the letters DEN ZUK * will slide in from the
sides of the screen. (The * is a graphics symbol resembling the AT+T
logo) then the system will reboot. The display only lasts for about 3
seconds and will only be seen on a graphics screen (CGA is the only one
that has been checked).

If the disk is not write protected, the virus (I call it that, but
technically it might be a worm, we really don't know) will write a
counter to the disk. After about 5 times of rebooting, the disk will
become useless. The information is still there, but the disk is
un-usable. (It might overwrite the directory blocks or something
similar).

The 'DENZUK' virus can be transferred to either other bootable disks or
DATA DISKS (unbootable disks). It was thought for a while that the
virus could possibly be transferred to disks with a write protect tab in
(as it is possible to do that on IBM PC's), but this can only be done
in certain instances.
This instance would be if the write-protect tab was squeezed or torn a
bit. The virus is transferred to another disk whenever another disk is
accessed (either read or write) and that disk will then have the virus.

The only way known of checking for that virus is to reboot the computer
with the disk you want to check in the A: drive. This will work with
system or data disks to check for the virus. This is not to say that
this is a sure-fire way of checking for DENZUK. It may well keep a
counter to count up the number of times re-booted and not start showing
the display until a certain number. That would give it time to
propagate even more.

It has also been found out that the virus writes to the first track.
This may be where the actual program is, or it could be where the
counters are kept, or both...

At this point, we do not know what, if anything, this virus will do to
a hard drive.

That is all that we know right now, if we learn any more I will try to
keep you informed.

Jeff Scott
Computer Competency
Ball State University

------------------------------

Date: Thu, 20 Apr 89 16:06 EST
From:
Subject: Hiding Viruses by Intercepting Output

Some time ago, a person brought up the idea of a virus that would
intercept the sector reads. If the sector that was read was the one in
which the virus lived, then the virus would return bogus data. Someone
else responded with a reason why this would not be an easy task to do.

Could anyone tell me how this method of hiding a virus would fail?
Consider the virus using this technique to be a boot sector virus.

John Wagner
RITRC
jww7917@ritvaxa

------------------------------

End of VIRUS-L Digest
*********************
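
Added example (not part of the original digest, and not code from any of its authors): the last message asks about a boot sector virus that returns bogus data for its own sector, and the DENZUK report says that virus writes to the first track. The Python sketch below records a hash baseline for track 0 of a raw disk image and compares a read taken after booting trusted media with one taken on the running system; the 9-sector track size, the function names and the sample images are assumptions constructed for illustration.

```python
import hashlib

SECTOR = 512          # bytes per sector on a PC floppy
TRACK0_SECTORS = 9    # assumption: 360K DOS format, 9 sectors per track

def sector_hashes(image, count=TRACK0_SECTORS):
    """SHA-256 of each of the first `count` sectors of a raw disk image."""
    if len(image) < count * SECTOR:
        raise ValueError("image is shorter than the requested sector range")
    return [hashlib.sha256(image[i * SECTOR:(i + 1) * SECTOR]).hexdigest()
            for i in range(count)]

def changed_sectors(baseline, image):
    """0-based sector numbers whose hash differs from the recorded baseline."""
    current = sector_hashes(image, len(baseline))
    return [i for i, (old, new) in enumerate(zip(baseline, current)) if old != new]

def cross_view(clean_read, live_read, count=TRACK0_SECTORS):
    """Sectors where a read taken after booting trusted, write-protected media
    disagrees with a read taken on the running system. Assuming the disk was
    not written between the two reads, any disagreement means something
    resident on the running system is altering what reads return."""
    return changed_sectors(sector_hashes(clean_read, count), live_read)

def make_track(boot_fill):
    """Constructed sample data: a track 0 with a boot sector ending in 55 AA."""
    boot = bytes([boot_fill]) * (SECTOR - 2) + b"\x55\xaa"
    rest = b"".join(bytes([n]) * SECTOR for n in range(1, TRACK0_SECTORS))
    return boot + rest

if __name__ == "__main__":
    original = make_track(0x90)   # disk as it was when the baseline was taken
    baseline = sector_hashes(original)
    on_disk = make_track(0xEB)    # boot sector has since been replaced
    live_view = original          # what an intercepted read would hand back
    print("running system vs baseline:", changed_sectors(baseline, live_view))
    print("clean boot vs baseline:    ", changed_sectors(baseline, on_disk))
    print("clean vs live (cross-view):", cross_view(on_disk, live_view))
```

The baseline check run on the live system reports nothing, while the same check on the image read after a clean boot flags sector 0, and the cross-view comparison flags it without needing a baseline at all.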