VIRUS-L Digest   Monday, 18 Jun 1990    Volume 3 : Issue 115

Today's Topics:

Re: Password Standards Checking
New PC Virus (PC)
armageddon the GREEK virus (PC)
What do I do about Yankee Doodle
RE: GateKeeper Aid 'ADBS' Query (Mac)
Virus Catalog
Mainframe attacks (MVS)
Re:Vanishing Disk Space
Gatekeeper Aid and the ADBS "virus" (Mac)
GateKeeper Aid 'ADBS' Query (Mac)
Re: Password Standards Checking
F-PROT via FTP (PC)
Help requested with a purported Yankee Doodle infection (PC)
Discussion: definitions of common computer beasts (ie. viruses..)
FORM-Virus (PC)
Re: Password Standards Checking

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart.  Discussions are not limited to any one hardware/software platform - diversity is welcomed.  Contributions should be relevant, concise, polite, etc.  Please sign submissions with your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.  Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    15 Jun 90 10:24:40 +0000
From:    berg@cip-s01.informatik.rwth-aachen.de (Solitair)
Subject: Re: Password Standards Checking

You should try the alt.security list.  There has been a fairly elaborate discussion about this topic on that newsgroup.

- --
Sincerely,                 | berg@cip-s01.informatik.rwth-aachen.de
Stephen R. van den Berg    | ...!uunet!mcsun!unido!rwthinf!cip-s01!berg

------------------------------

Date:    Fri, 15 Jun 90 15:44:09 -0500
From:    Christoph Fischer
Subject: New PC Virus (PC)

We received a HEX-Dump of a new virus via FAX (disk is still in mail).  From what we analysed so far we can tell it is the sought after AMBULANCE CAR VIRUS.
It infects COM files (796 Bytes long), does multiple infections upon invocation!  More after the complete analysis.

Christoph Fischer
*****************************************************************
* Christoph Fischer                                             *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-37 64 22           *
* E-Mail: RY15 at DKAUNI11.BITNET                               *
*****************************************************************

------------------------------

Date:    Thu, 14 Jun 90 02:08:06 +0700
From:    Hmm70@GRATHUN1.BITNET
Subject: armageddon the GREEK virus (PC)

*****************************************************************************
*                                                                           *
*         Vaccine for the >> Armageddon the GREEK << virus                  *
*                                                                           *
*         (c) copyright 1990 George Spiliotis                               *
*         English documentation by Lefteris Kalamaras                       *
*****************************************************************************

This is a public domain program.  It is in NO way allowed for anyone to sell this program or its documentation for profit.  (Usual public domain rules apply)

DISCLAIMER

The author of this program is in NO way liable for any damage caused by this program, its use or its modifications.  (Usual disclaimer rules apply)

"Armageddon the GREEK" scan

I received a copy of a program recently, which contained a virus SCAN V62 could NOT identify!  After having worked on its code for some time, I discovered the following:

1) The virus becomes resident in memory
2) It infects .COM files ONLY
3) It sends the message "Armageddon the GREEK" to the 4 com ports from time to time

It is possible that this virus is a modified existing one in which the author, by changing the message to "Armageddon the GREEK", managed to get SCAN V62 inoperative.

This program is a vaccine for "Armageddon the GREEK".  It can also scan and clean modified versions of this virus if the only thing changed is the message.
You can stop the vaccine from cleaning the infected files from the virus by specifying "/n" in the command line.

VALIDATE gave the following results:

File Name:  scanarma.exe
Size:       7,584
Date:       6-1-1990
File Authentication:
     Check Method 1 - C9FC
     Check Method 2 - 192C

Examples:

   SCANARMA c:         (checks drive c:)
   SCANARMA a:\temp    (checks drive a: dir temp)
   SCANARMA /n b:      (checks b: but does NOT clean the infected files)

Good Luck!

For more information, you can contact the author of the vaccine, George Spiliotis at the address below, or call LinK BBS in Athens, where you will find the latest version of the vaccine, or send a message to LEKA@GRATHUN1 to contact Lefteris Kalamaras.

George Spiliotis
26-28 Digeni st.
Voula
Athens, 16673
GREECE

or

Lefteris Kalamaras
43 Serifou st.
K.Patissia
Athens 11254
Greece

BBS phone : 30-1-867-4834
voice #   : 30-1-864-5363
BitNet    : LEKA@GRATHUN1 or ELKALAMARAS@VASSAR

------------------------------

Date:    15 Jun 90 20:21:28 +0000
From:    ctycal!ingoldsb@uunet.UU.NET (Terry Ingoldsby)
Subject: What do I do about Yankee Doodle

We have had an outbreak of the Yankee Doodle virus (as detected by ViruScan).  We now realize that we have a variety of tools to detect viruses, but now that we've caught it we don't know what to do about it.  Any suggestions?  We are not an Internet site, but might be able to persuade a local site to get us something.

Help.

- --
Terry Ingoldsby                ctycal!ingoldsb@calgary.UUCP
Land Information Services                 or
The City of Calgary       ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb

------------------------------

Date:    Fri, 15 Jun 90 16:31:53 -1100
From:    Michael Perrone
Subject: RE: GateKeeper Aid 'ADBS' Query (Mac)

It could be a WDEF clone, or a new implied loader type virus.  Gatekeeper Aid is designed to detect and remove any virus of this type.

Michael Perrone, Portland State University, Computing Services; Macintosh Programming and support.
------------------------------

Date:    16 Jun 90 00:38:54 +0000
From:    afraser@gara.une.oz.au (J. Barichnakov)
Subject: Virus Catalog

Does anyone know when the next version of the virus catalog is to be published?  I am presently writing a paper based on Computer Viruses and would appreciate any information that can be found.  (Thanks to those people that have already sent me the Virus catalog's MSDOSVIR.A89 and MSDOSVIR.290).

Thanks In Advance
afraser@gara.une.oz.au

------------------------------

Date:    Fri, 15 Jun 90 22:13:25 -0400
From:    Tony Harminc
Subject: Mainframe attacks (MVS)

In 1974 the University of Toronto installed MVS for academic computing.  Within one week of installing this supposedly secure system, an integrity exposure had been found and exploited by the community of undergrad hackers who had spent a lot of effort hacking the older (and known to be full of holes) MVT.  (Historical details on request if anyone cares.)

I think mainframe hacking was much more popular in those days simply because mainframes were all there were.  I don't know of any viruses, but some quite diabolical things were invented.  Certainly Trojans were common on the APL system, and a couple were successfully perpetrated on the operations staff.  There were also a couple of schemes concocted to clog up the network with endlessly shuttling files.  ("The network" then consisted of two computers.)

------------------------------

Date:    14 Jun 90 17:14:52 +0000
From:    bytor@milton.u.washington.edu (Michael Lorengo)
Subject: Re:Vanishing Disk Space

Please disregard the previous message.  It seemed that it was a Word Perfect file that was eating up disk space: a station was left in Word Perfect, on the directory screen, and a certain file on that station grew to 66,433,323 bytes.  Once we deleted that file, the problem was gone.
------------------------------

Date:    Sat, 16 Jun 90 17:17:14 -0500
From:    chrisj@emx.utexas.edu (Chris Johnson)
Subject: Gatekeeper Aid and the ADBS "virus" (Mac)

A copy of a posting by Hervey Allen (HALLEN@oregon.uoregon.edu) was recently relayed to me by Werner Uhrig.  Mr. Allen was looking for an explanation of the nature of the 'ADBS' virus that Gatekeeper Aid had recently discovered on a co-worker's Mac IIcx.  Here's the story:

First, the co-worker is using version 1.0 of Gatekeeper Aid.  That version is seriously flawed by one major bug which was caused by a terribly inaccurate sentence in Inside Macintosh.  Unfortunately for us all, the bug didn't cause any problems for me or my 1.0 testers, so it wasn't caught until it was released.  :-(  Anyway, please upgrade to the current version which is 1.0.1.

Anyway, the 'ADBS' problem is unrelated to that one major bug.  The source of this problem is the selection by Adobe of the 'ADBS' file creator code for their Adobe Separator utility.  You see, 'ADBS' (as a resource type) had been reserved by Apple since 1987 for storing the code that drives the Apple Desktop Bus.  Since all file creator codes are represented in the Desktop file as resources of the same type, having a program on a disk with a file creator code of 'ADBS' results in the creation of an 'ADBS' resource in the Desktop file.

Gatekeeper Aid knows that resources of types reserved for storing executable code don't belong in non-executable files like the Desktop, so it alerts you to their presence and removes them.  This means that as soon as Gatekeeper Aid notices that 'ADBS' has been added to the Desktop file, it will remove it.  Of course, this also means that as soon as the Finder next comes across the Adobe Separator utility, it will look in the Desktop file to make sure its entry is there.
The Finder will then discover that Separator doesn't have an entry (the 'ADBS' resource has been removed by Gatekeeper Aid), so the Finder will add the 'ADBS' back into the Desktop file, and the cycle begins anew once more.

I don't know whether Apple's creator code registration folks inadvertently allowed Adobe to give 'ADBS' to Separator because they were unaware of this issue, or whether Adobe just made an unfortunate selection of creator codes, but I have heard from one gentleman at Adobe about this matter.  I suggested to him that Separator's creator code should be changed at the next opportunity.  I don't know whether or not the code actually will be changed as it should be, but I hope so.  Are there any Adobe folks out there?  Can you get this changed?

(As an aside, Separator is not the only program ever to receive a file creator code that was already assigned to an executable resource type.  Two other utilities exist with this problem.  One uses the 'FKEY' type and the other uses the 'FMTR' type.)

Anyway, Gatekeeper Aid 1.0.1, in addition to correcting the major bug mentioned earlier, deals more gracefully with this 'ADBS' problem.  First, it attempts to determine whether or not suspicious resources in the Desktop file are actually legitimate Desktop file entries before removing them.  Second, it doesn't refer to suspicious resources found in places they don't belong as "viruses" - this conclusion was unfounded and caused too much concern among those who saw the alerts.  Suspicious resources are now referred to as merely "Implied Loader resources", which is what they actually are.

So, once again, please upgrade to version 1.0.1 of Gatekeeper Aid.  Not only did it eliminate one very nasty bug, but it eliminates these false alarms in the Desktop file.

By the way, Gatekeeper Aid 1.0.2 has been in beta testing for months now.  If everything goes well with the testing of the latest beta, it could be released in the next several weeks.
Sadly, though, I can't make any guarantees.

I hope this helps,

- ----Chris (Johnson)
- ----Author of Gatekeeper
- ----chrisj@emx.utexas.edu

------------------------------

Date:    Sat, 16 Jun 90 18:40:00 -0400
From:    R3B@VAX5.CIT.CORNELL.EDU
Subject: GateKeeper Aid 'ADBS' Query (Mac)

Quote
"A member of our computing center uses GateKeeper Aid on her Macintosh IIcx and has received the following message:

   GateKeeper Aid found an "Implied Loader 'ADBS' virus in the Desktop file on the "Animal Sanctuary" disk.  The virus was removed."

I think that all you need to do is to update Gatekeeper Aid to v. 1.0.1.  The earlier v. did not like Adobe Separator's icon (and maybe some other things).

- ----------------------------------
Richard Howland-Bolton
Manager Publications Computing
Cornell University
Internet:   R3B@VAX5.CIT.CORNELL.EDU
Compuserve: 71041,2133
Voice:      (607) 255-9455
FAX:        (607) 255-5684
Etc, etc.
- ----------------------------------

------------------------------

Date:    17 Jun 90 16:27:05 +0000
From:    bnrgate!.bnr.ca!hwt@uunet.UU.NET (Henry Troup)
Subject: Re: Password Standards Checking

TS0258@OHSTVMA.BITNET (Chuck Sechler) writes:
>Basically, we want to know if there has been any work on MVS and CMS platforms ,
>to keep users from picking obvious passwords, like their name, password same
>as userid, password is a word, etc. On MVS we are working on Top Secret

Under VM/SP (CMS) we use VMSECURE, which has a user exit facility that can be and is used for this kind of checking.  It also stores passwords encrypted, and keeps the last 'n' passwords to prevent reuse.  It also provides password aging, proxy login, and a number of other nice features.

Disclaimer: no longer a system programmer, just a happy user...
- --
Henry Troup - BNR owns but does not share my opinions
..uunet!bnrgate!hwt%bwdlh490 or HWT@BNR.CA

------------------------------

Date:    Mon, 18 Jun 90 11:46:38 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: F-PROT via FTP (PC)

I have been trying (unsuccessfully) to upload F-PROT to SIMTEL20, but those of you wanting to obtain a copy of the package via FTP can get it from chyde.uwasa.fi (128.214.12.3).  It can be found as fprot110.zip in the "pc/virus" directory.

- -frisk

------------------------------

Date:    Mon, 18 Jun 90 10:07:00 -0400
From:    Dimitri Vulis
Subject: Help requested with a purported Yankee Doodle infection (PC)

Hello,

A little while ago I snailed some diskettes to a colleague in Poland.  He has just sent me e-mail saying that the executable files are infected with the Yankee Doodle Virus.  This is the first time I hear of this virus, of course.  :)  Since the files were PKZIPped before shipping, it's reasonable to conclude that the machine they came from is also infected.

Questions:

1. Can someone refer me to a document, or a previous discussion on this newsgroup, where this virus is discussed?  What does it do?

2. Can someone please recommend a PD or shareware program for *scanning* existing executable files for this species of virus (and others, if possible).

Thanks,

Dimitri Vulis
Department of Mathematics
City University of New York Graduate Center
Administrator of RUSTEX-L, the Russian text processing mailing list

------------------------------

Date:    Sun, 17 Jun 90 22:21:07 +0200
From:    swimmer@fbihh.informatik.uni-hamburg.de (Morton Swimmer)
Subject: Discussion: definitions of common computer beasts (ie. viruses..)

I haven't received as many definitions as I hoped, but I decided to post the ones I received anyway.

============ This is how it started: ==============

[MS: I wrote...]

I have been increasingly perplexed by the fact that there seems to be little consensus on what the definition of the term "Computer Virus" actually includes.
This goes for other computer "beasts" such as "Trojan Horses" and "Worms".  I would be interested in hearing what other people think a virus is.  Here are my own definitions:

Computer Virus: a non-autonomous program that has the ability to copy itself onto a target.

Trojan Horse: an autonomous program that has a function unknown (and unwanted) by the user.

Worm: a program or set of programs that have the ability to propagate throughout a network of computers.

Please note that both worm and virus definitions do not include the possibility of a payload.  This may or may not be a weak point.  Also note that the definitions of virus and trojan differ greatly from how Cohen defines them.  This is intentional as I feel that Cohen's definition of virus is too broad (it can include a normal program such as DISKCOPY!).  I'm not happy with my definition of worm myself.  Also, (and this should be obvious) none of my definitions are very formal.

[MS: with payload I meant a routine that does something unrelated to the propagation of the virus or worm.]

=============

[MS: Padgett Peterson wrote...]

I agree with you completely & think the whole question of definitions is getting out of hand: the public is calling ANYTHING out of the ordinary a virus and Dr. Tippett is not helping matters.

[MS: what did Dr. Tippett say?]

To me, the primary difference between a virus and a worm is that a virus is parasitical (cannot exist by itself) while worms are stand-alone entities.

To simplify things, I put together a list of seven elements of malicious software.  Not all will contain each but helps for classification:

1) Insertion   - The introduction of software to an environment.
2) Evasion     - Actions taken to avoid detection.
3) Mutation    - Adaptation to a system or environment.
4) Replication - The means for propagation.
5) Trigger     - Signal for change from covert to overt action.
6) Action      - The overt action.
7) Eradication - Removal of the infection following action.
Further subclassifications would identify the particular type such as for (4), type (a) might identify singular procreation (worms) while type (b) might be parasites (viruses).  The DATACRIME virus for instance contained a code segment to permit the initial version to be distributed as a standalone (4a) but which mutated (3) into a parasite (4b) once exposed to executable files.

For instance, only worms and viruses contain elements (3) and (4) and differ only in method.  Logic Bombs are characterized by having (2) & (6) only.  A trojan horse on the other hand may also contain (5).  Obviously, all malicious software requires (1) but this may be treated as a separate issue.

I developed this list some time ago but have been reluctant to publish it as it is essentially a check-list for modular malicious software, however in view of some other postings, this does not have further validity and may help in understanding just what these constructs do.

[MS: thank you for posting it anyway.  I feel that your checklist is not precise enough.  Or maybe I just haven't understood it fully.]

Padgett Peterson

Target: A program.

=============

[MS: Paul Shields wrote...]

[MS: my own stuff deleted]

Ok, here is how I use the terms:

virus: a parasitic program capable of infecting (attaching itself to) other programs, so that it will be executed when the infected program is executed.

trojan horse: a program that appears to be another program in order to trick a person into executing it or upon executing it to reveal a secret, such as a password.

[MS: I would leave out the bit about the secret.  It makes the definition too specific]

worm: an autonomous program designed to "stay alive" by executing itself as many times as possible, possibly taking advantage of propagation through computer networks.

[MS: Hmm, I don't see how this definition defines anything.  A virus tries to "stay alive" by spreading as far as possible.  In effect it is being executed "as many times as possible".
I always related worms to networks.]

[MS: the rest deleted.  It was a comment on my use of the word "payload"]

============

[MS: Thomas E. Zmudzinski wrote...]

[MS: ...my posting deleted...]

As the Japanese would say, a most honorable first attempt.  I'm afraid that you're about to get zapped by the bane of lexicographers, accuracy vs. depth of understanding.

[MS: I can protect myself with the shield of seniority.  I've been dealing with viruses for quite awhile.]

It's roughly analogous to the Completeness Theorem in Mathematics.  If you define a set "A" and someone finds something that should be a member outside of your definition, you need to expand your definition.  If this is carried to extremes, you eventually have a very long definition that can never be complete [see BLIVET below].

[MS: or else you use Occam's razor and reduce the definition to the least common denominator.  This is what I try to do without reaching to the absurd: "Any routine is a virus".]

First, I see a problem in tying your definitions for types of malicious code to "program(s)".  There are other forms of "life" out there.  There are BAT file viruses [see Ralf Burger's _COMPUTER_VIRUSES,_a_high-tech_disease_],

[MS: Ralf is an idiot.  His ideas are rarely original.  Many come from Cohen, others from other Chaos Computer Club members.]

modem viruses, and other such critters that are not "programs" unless one really stretches the definition.  My Random House dictionary says a program is "a systematic plan for the automatic solution of a problem by a computer", then turns around and defines a computer as "a mechanical or electronic apparatus capable of carrying out repetitious and highly complex mathematical operations at high speeds".  [I wonder what they would think of a PostScript virus?  :{D]

[MS: I don't see this necessarily to be a problem.  A program is an executable entity.  It needs a platform to run on, be it the machine, the shell, BASIC (dread the thought), or whatever.
A good definition for a virus should be independent of the platform.]

Second, I won't buy your definition of a trojan horse as "an autonomous program...".  A "trojan horse" *is* a "payload", not a "program".  A "trojan horse program" is a program that contains a trojan horse, and "trojan horse code" is somewhat redundant but designates the code segment that performs the malicious operation(s).

[MS: I may need to capitulate on the term Trojan Horse.  My definition rests mostly on the analogy of the Trojan Horse as described by Homer in the Iliad.  It was a seemingly harmless object (the wooden horse) that fooled the Trojans, but it contained a hidden (or covert) body of warriors.  Unfortunately many people have chosen to call the warriors the Trojan Horse.  I am not sure whether my definition is better, but it sticks closer to the analogy.]

[Want a real zinger?  Slip this trojan horse into someone's AUTOEXEC.BAT, they will *NEVER* forgive you.

[MS: ...something ugly deleted...]

My suggested definitions?  Well,...

BLIVET (n) [Classically and empirically defined as "10 pounds of horsesh*t in a 5 pound bag"] Unrestricted use of a limited resource (e.g. spool space on a multiuser system).

COMPUTER VIRUS (n) A self-replicating segment of executable instructions.

PEST (n) A set of instructions that self-replicates uncontrollably, eventually rendering a network or system unusable via a blivet attack.

PHAGE (n) An autonomous program that inserts malicious code into other autonomous programs (e.g. a computer worm or probe that carries a virus or trojan horse).

PROBE (n) A non-self-replicating, autonomous program (or set of programs) that has the ability to execute indirectly through a network or multipartition computer system (e.g. various hacker utilities).

TRAPDOOR (n) A method of bypassing a sequence of instructions, often some part of the security code (e.g. the computer logon).
TROJAN HORSE (n) A segment of executable instructions hidden within an apparently useful program or command procedure that, when invoked, performs some unwanted function.

WORM (n) A self-replicating, autonomous program (or set of programs) that has the ability to propagate through a network or multipartition computer system but does not insert.

[MS: ...the entertaining last bits deleted...sorry]

==========================================

There were not as many postings as I had expected.  This may mean that everyone is perfectly happy with my definitions.  On the other hand, many, like myself, are not so happy about them.  In that case I will still continue to collect definitions and summarize them.  When I have enough, perhaps we can finally get some consensus on the issue.  We will then have a sort of "VIRUS-L Standard Dictionary of computer beasts".  After all, where else can one get so many specialists together?

I will also punch in other definitions that I have found on printed media.  I wanted to have done it by now, but an injury has prevented me from carrying the books to university.  By the next time I post I should have them.

Cheers, Morton

PS: I can be reached using these addresses:
swimmer@fbihh.informatik.uni-hamburg.de
swimmer@rz.informatik.uni-hamburg.dbp.de

------------------------------

Date:    18 Jun 90 16:22:00 +0100
From:    Norbert Hanke
Subject: FORM-Virus (PC)

One of our users just encountered a new boot sector virus which calls itself FORM-Virus.  It is not detected by SCANV63.  These are the symptoms:

- the boot sector is replaced by virus code
- 1k of bad block(s) is allocated

The first of those bad sectors contains near its end the text "The FORM-Virus sends greetings to everyone who's reading this text.FORM doesn't destroy data! Don't panic! Fuckings go to Corinne."  The second bad sector looks like the original boot sector.

Before we start further investigations: Did anyone of you see this virus before?
Norbert Hanke
ETH Zurich

------------------------------

Date:    Mon, 18 Jun 90 11:55:53 -0400
From:    wcs@erebus.att.com (William Clare Stewart)
Subject: Re: Password Standards Checking

TS0258@OHSTVMA.BITNET (Chuck Sechler) writes:
]Basically, we want to know if there has been any work on MVS and CMS platforms ,
]to keep users from picking obvious passwords, like their name, password same
]as userid, password is a word, etc. On MVS we are working on Top Secret
]package, and it has some interesting capabilities for restriction, including
]generating random passwords, when a user is forced to change their password,
]but it is not ready yet. Some UNIX platforms check passwords against very
]large lists of restricted words (like 50000 or more). Any thoughts? Should this
]be on a different list?

A good place to start would be misc.security, which is a moderated newsgroup so I'm not crossposting this.  I don't know about MVS, since I'm mainly a UNIX junkie, but a lot of the problems are common.

UNIX System V enforces a couple of checks: the password has to be at least 6 characters long, including at least two non-alpha characters, and can't contain the login name (or variants of it, including cyclical permutations and maybe spelled-backwards.)  Other systems (?BSD?) also check the password in /usr/dict/words (the standard spelling dictionary on BSD).  If you want to implement one of these, be careful that the password doesn't show up during the run of the checking program (e.g. ps -ef shows "grep secretword /usr/dict/words", or whatever equivalents MVS has.)

Newer systems designed for the government market, such as AT&T UNIX System V/MLS (which is B1-rated), implement the government guidelines for machine-generated passwords, but there are mixed opinions about how useful this is - assuming a good generation algorithm which produces a large search space (>2**24), it's hard to generate passwords that people won't write down on yellow-sticky-notes.  Smaller search spaces (e.g.
2**16, which is all too easy to get on UNIX) are easily susceptible to brute-force search.

- --
Thanks; Bill
# Bill Stewart AT&T Bell Labs 4M312 Holmdel NJ 201-949-0705 erebus.att.com!wcs
# Actually, it's *two* drummers, and we're not marching, we're *dancing*.
# But that's the general idea.

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 115]
******************************************
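The password-standards checks discussed in this issue, implemented as an added example that is not code from the digest, from System V, BSD or VMSECURE: the System V rules Bill Stewart lists (minimum length, two non-alphabetic characters, no login name or cyclic/reversed variant of it), the BSD-style dictionary lookup, and the keep-the-last-n-passwords reuse rule Henry Troup describes. The dictionary is loaded into memory and searched in-process, so the candidate never appears on a command line the way Bill's "grep secretword /usr/dict/words" would; the word list, the PBKDF2 hash scheme for the history and all function names are this example's own assumptions.

```python
"""Password-standards checker modelled on the rules discussed in this digest.
Added example; not code from System V, BSD, VMSECURE or any poster."""
import hashlib
import hmac
import os

# Constructed stand-in for /usr/dict/words.  A real deployment would load the
# system dictionary with dictionary_from_file() instead.
SAMPLE_WORDS = frozenset(
    ["secret", "password", "welcome", "calgary", "toronto", "orange", "doodle"]
)
MIN_LENGTH = 6        # System V: at least 6 characters ...
MIN_NON_ALPHA = 2     # ... including at least two non-alphabetic ones
PBKDF2_ROUNDS = 100_000


def dictionary_from_file(path):
    """Read a word list into memory.  The lookup then happens inside this
    process, so the candidate password is never passed to grep and never
    shows up in `ps -ef` output (the leak Bill warns about)."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return frozenset(line.strip().lower() for line in fh if line.strip())


def login_variants(login):
    """The login name, every cyclic rotation of it, and each of those reversed."""
    name = login.lower()
    rotations = {name[i:] + name[:i] for i in range(len(name))}
    return rotations | {r[::-1] for r in rotations}


def make_hash(password, salt=None):
    """Salted PBKDF2 record for the password history (the plaintext is never kept)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify(password, stored):
    """True if password matches a make_hash() record (constant-time compare)."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def check_password(candidate, login, words=SAMPLE_WORDS, history=()):
    """Return the names of every rule the candidate breaks; [] means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too-short")
    if sum(1 for c in candidate if not c.isalpha()) < MIN_NON_ALPHA:
        problems.append("needs-two-non-alpha")
    lowered = candidate.lower()
    if any(variant in lowered for variant in login_variants(login)):
        problems.append("contains-login")
    # Check the raw string and its letters only, so that tacking digits onto
    # a dictionary word ("secret99") does not slip past the word-list rule.
    letters = "".join(c for c in lowered if c.isalpha())
    if lowered in words or letters in words:
        problems.append("dictionary-word")
    # History holds hashes of the last n passwords; reuse is rejected.
    if any(verify(candidate, record) for record in history):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    previous = [make_hash("Tq7#mz9L")]
    for pw in ["abc", "secret99", "llib42!", "Tq7#mz9L", "Rv4!kq8P"]:
        print(f"{pw!r:12} -> {check_password(pw, 'bill', history=previous) or 'ok'}")
```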