VIRUS-L Digest   Monday, 25 Jun 1990    Volume 3 : Issue 116

Today's Topics:

re: FORM-Virus (PC)
VSHIELD and WIN 3.0 (PC)
New files on MIBSRV (PC)
Re: Help requested with a purported Yankee Doodle infection (PC)
Warning - Flipper virus (Mac)
Re: UnVirus (PC); Public Domain
Re: Mainframe attacks (MVS)
Re: Mainframe attacks (MVS)
Re: Discussion: definitions of common computer beasts (ie. viruses..)
New files on MIBSRV (PC)
On Tippett's "Kinetics..."
Re: GateKeeper Aid 'ADBS' Query (Mac)
1704-virus (PC)
Anti-viral philosophies
Re: FORM virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    18 Jun 90 15:00:50 -0400
From:    "David.M.Chess"
Subject: re: FORM-Virus (PC)

Norbert Hanke:
> One of our users just encountered a new boot sector virus which calls
> itself FORM-Virus. It is not detected by SCANV63.

We recently got a sample of that from Switzerland as well. It infects both floppy diskettes and the bootable partition of hard disks. The only side-effect I've found is that it will cause the speaker to click while typing under some circumstances. Usual disclaimers, of course; what you've seen may not be the same virus that I've seen!

DC

------------------------------

Date:    Mon, 18 Jun 90 17:02:00 -0400
From:    LINDYK@Vax2.Concordia.CA
Subject: VSHIELD and WIN 3.0 (PC)

I have not encountered any difficulty in running the two together. VSHIELD is loaded at the beginning of my autoexec.bat and subsequently I load WIN 3.0 from a menu. If anybody does have problems with this or a different configuration, I'd also like to hear about it.

Bogdan KARASEK
lindyk@vax2.concordia.ca

------------------------------

Date:    Mon, 18 Jun 90 11:51:04 -0500
From:    James Ford
Subject: New files on MIBSRV (PC)

The following files have been placed on MIBSRV.MIB.ENG.UA.EDU (130.160.20.80) for anonymous FTPing in the directory pub/ibm-antivirus:

chkup39.zip  - CheckUp V3.9
netsc63b.zip - McAfee's NetScan program V63B. (taken from Homebase)
vcopy63.zip  - McAfee's VCOPY program V63. (taken from Homebase)
secur109.zip - SECURE V1.09, tsr that prevents all known and unknown viruses. (*NOTE: Description taken from SECURE.DOC. I have no knowledge of the program myself....JF)
vtac42.zip   - PC environment security program.

If you do not have FTP ability at your BITNET site, send a one line mail message HELP to BITFTP@PUCC.

- ----------
He who never sticks out neck, never wins by nose.
- ----------
James Ford - JFORD@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU
THE University of Alabama (in Tuscaloosa, Alabama USA)

------------------------------

Date:    19 Jun 90 08:58:54 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Help requested with a purported Yankee Doodle infection (PC)

DLV@CUNYVMS1.BITNET (Dimitri Vulis) writes:

>1. Can someone refer me to a document, or a previous discussion on this
>newsgroup, where this virus is discussed? What does it do?

There are actually two different virus groups called "Yankee Doodle". Both are from Bulgaria, but they are different in several ways.

Group 1: "Old Yankee" infects only .EXE files.
When an infected program is run, the virus does a full-depth recursive search on the current directory, until a non-infected file is found, which will then be infected. The virus then plays the Yankee Doodle tune and transfers control to the original program. It does not remain resident in memory. Infected files are marked by placing the word "motherfucker" at the end. Two variants are known: one 1961 bytes and another, shorter one, only 1621 bytes, which does not play the tune - it does nothing but replicate. More variants are expected in the future, as the author has distributed the source to the virus.

Group 2: TP's "Yankee Doodle". Versions 26-44+ of the TP series of viruses (which includes the "Vacsina" viruses as well) also play Yankee Doodle. Versions 26-32 play it when Ctrl-Alt-Del is pressed, 33-43 play it at 5pm, but versions 44- have only a 1-in-8 chance of playing it at that time. Those viruses are resident, and quite a bit longer than the other ones, 2-3.5K.

Compared to many other viruses, the "Yankee-Doodle" viruses are fairly harmless, but nevertheless a problem.

>2. Can someone please recommend a PD or shareware program for *scanning*
>existing executable files for this species of virus (and others, if possible).

Three programs that can (I think) find all the known variants:

VIRSCAN from IBM
SCAN from McAfee
F-PROT - my own - which can remove them all as well :-)

- -frisk
- --
Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      | Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |

------------------------------

Date:    19 Jun 90 10:51:23 +0000
From:    mumhongh@vax1.tcd.ie
Subject: Warning - Flipper virus (Mac)

A virus known as "FLIPPER" has 'woken up' on the Apple Mac in the Arts. It was removed by Disinfectant in early June, but it is possible it is still on some user disks. Please check yours using Disinfectant!

------------------------------

Date:    Wed, 20 Jun 90 15:07:52 +0300
From:    Y. Radai
Subject: Re: UnVirus (PC); Public Domain

David Chess asks:
>If you don't consider it proprietary, I'd be curious to know what
>the scanning algorithm is that it doesn't slow down as the number
>of viruses increases.

A word to the wise is sufficient, isn't it? Well, the word in this case is "hashing" .... BTW, the implementation of the new UnVirus has since been speeded up so that it's now almost 4 times as fast as SCAN.

I was also asked in a personal letter what I meant when I wrote in the same posting:
> *freeware* (often erroneously called "public domain" software).

Since "public domain" is a legal term, some of what I'm about to write may not be entirely accurate, but I think my conclusion will still be valid. As I understand it, "public domain" means (at least approximately) *not copyrighted*. Previous postings here on copyrighting have indicated that a program written after 1 Mar 89 (the date the U.S. became a signatory to the Berne Convention) is automatically copyrighted at the moment of creation, without need for a copyright notice. It therefore seems to me that a program written after this date (in the U.S.) can be PD only if its author explicitly states that he releases it to the public domain or that he waives all his rights. And such cases constitute only a very small portion of the programs available on most so-called "PD" servers, even if we restrict ourselves to freeware.

True, a program written before 1 Mar 89 is not copyrighted unless it bears a copyright notice of the form "Copyright year name", and many authors thought they could write "(C)" instead of "Copyright", which is incorrect. So maybe such programs would be considered PD if such a matter ever came to court. In any case, the *concept* or *definition* of "public domain" is very different from that of "freeware", and that's all I was claiming.

Disclaimer: I have no legal background; if anyone with such a background finds an error in what I've written, I shall repent.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI1@HBUNOS.BITNET
RADAI@HUJIVMS.BITNET

------------------------------

Date:    20 Jun 90 19:42:55 +0000
From:    CAH0@gte.com (Chuck Hoffman)
Subject: Re: Mainframe attacks (MVS)

TONY@MCGILL1.BITNET (Tony Harminc) writes:
> I think mainframe hacking was much more popular in those days simply
> because mainframes were all there were.

That also was about two years before the time that the Security group at SHARE formed, which developed the specifications for the product which became ACF2 in 1978. Simultaneously, IBM was secretly developing RACF. By the early 80's, ACF2 was beginning to dominate the MVS system security market, and it became much more difficult for hackers who were not in the systems programming groups to make significant intrusions into MVS systems. RACF was slow to develop because, in many people's opinions, it was conceptually a poor design. These days, though, many MVS sites do use it.

It is true that some of the architectural features of the original MVS still exist in MVS/XA, making it possible to obtain system privileges. Those who have been involved with MVS systems programming over the years know the features well. But on systems which are routinely managed by ACF2, TopSecret, or RACF, it is very difficult for a person outside the systems programming group to exploit those features. There also are extensive auditing tools and methods for monitoring systems, and, unlike micros, MVS systems generally do not update or upgrade themselves while they are running. It is still possible, but unlikely. With 15 years on MVS systems in many companies, 10 on ACF2 and RACF protected systems, I personally have never heard of a case of an unauthorized system update caused by someone outside the systems programming group.
I'm sure they're there, but if they were common, I guess I would have heard about a few through one of my employers, or through my consulting business, or through the ACF2 conventions, through SHARE, or through the regional ACF2 user's group I was heavily involved with. I didn't.

Things are about to become tighter, too. Computer Associates is in the process of raising the rating of ACF2 and Top Secret from C2 to B1. On Digital VAXs, the VMS system technically is C2, but in my opinion the architecture is so cumbersome that systems managers have some justification when they say that you need system privileges all the time just to do a job. Yes, it's C2, but so many people end up with privileges that it hardly matters.

- -Chuck
- -
Chuck Hoffman, GTE Laboratories, Inc.
cah0@bunny.gte.com
Telephone (U.S.A.) 617-466-2131
GTE VoiceNet: 679-2131
GTE Telemail: C.HOFFMAN

------------------------------

Date:    21 Jun 90 03:49:45 +0000
From:    woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal)
Subject: Re: Mainframe attacks (MVS)

While we are talking mainframe attacks, way back in 1976 or so, some of my crowd of hackers discovered that if you ran a program that upped your privilege level temporarily in order to run (there were several), then hit CTRL and BREAK back and forth several times rapidly, the OS would get confused. Then when you exited your session, your account table was dumped back to disk with the result that when you logged on again, you had A0 (system administrator) privilege, and could do anything you jolly well pleased. The hole was plugged within a couple of days, but I understand that certain other accounts were created in the meantime that allowed unfettered access to the machine.

I once had a psychology prof, who imparted a real jewel to the class: "Things take more time than they do." A paraphrase of that: "Operating systems are as secure as they are."

Cheers
Woody

The above attack was made on CP-V on a Xerox Sigma 6 or 7.

------------------------------

Date:    Thu, 21 Jun 90 11:27:56 +0000
From:    jerry@matt.ksu.ksu.edu (Jerry Anderson)
Subject: Re: Discussion: definitions of common computer beasts (ie. viruses..)

Here are my definitions of virus, worm and Trojan horse:

virus - a dependent self-replicating program.
worm - an independent self-replicating program.
Trojan horse - a program with a hidden agenda.

By dependent, I mean that a virus "lives" within another program. I do not believe that the definition of a worm has anything to do with networks. I think that association has arisen due to the infamy of the Internet worm. I took the definition for a Trojan horse directly from Maarten Van Swaay. I also think that a Trojan horse is the program that carries the "payload," not the payload itself. (Remember, the Trojan horse of literature *contained* the surprise.)

When describing virii, worms, etc, many people end up by saying something like "... and does something bad, like erase your files." Granted, the people who create these things and set them loose quite often put in something nasty, but that isn't really part of what they are. It is simply how they are used. If someone writes a program with a beneficial hidden agenda, the program is still a Trojan horse.

- --
I like girls - German girls.
Jerry J. Anderson                 Computing Activities
BITNET: jerry@ksuvm               Kansas State University
Internet: jerry@ksuvm.ksu.edu     Manhattan, KS 66506

------------------------------

Date:    Thu, 21 Jun 90 08:26:31 -0500
From:    James Ford
Subject: New files on MIBSRV (PC)

The following files have been placed on MIBSRV.MIB.ENG.UA.EDU (130.160.20.80) in the directory pub/ibm-antivirus for anonymous FTPing.

fprot110.zip - FProtect
vsum9006.zip - Virus Summary Listing (current as of June 1990)

(Thanks to Jim Wright for sending FPROT110 to me......)
- ----------
James Ford - JFORD1@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU

------------------------------

Date:    21 Jun 90 15:42:17 -0400
From:    "David.M.Chess"
Subject: On Tippett's "Kinetics..."

Various people have mentioned Dr. Peter Tippett's paper "The Kinetics of Computer Virus Replication" here recently. We wrote a brief reply to the paper a while back, and I thought it might be reasonable to post it. This isn't an Official IBM Statement or anything like that, just the reaction of the researchers here at the High Integrity Computing lab. (I don't know how people in general can get a copy of the paper itself, I'm afraid. I don't know whether it's been formally published anywhere; the copy we have was apparently handed out at a press conference.)

The conclusions in Dr. Tippett's paper are based on a very simple model of uncontrolled, exponential growth. We are not convinced that the assumptions or conclusions of the paper are correct, and they do not seem to be supported by the actual data available to us. The model neglects several effects that we think are crucial to understanding virus spread. We think substantially more work in modelling virus spread will be required before it's possible to make valid quantitative predictions.

Tippett's analogy with runaway biological growth neglects the paths along which programs are shared (the "sharing topology"), and incorrectly models the effects of widespread scanning on virus growth. Our own preliminary studies of very crude models which incorporate program sharing and scanning indicate that, under certain conditions, the fraction of infected machines can stabilize at a much lower value than Tippett suggests ( < 1% in some cases). Furthermore, if the scanning rate for a known virus were sufficiently high, the exponential growth of the virus population predicted by Tippett would reverse, and the virus would eventually become extinct. This is in contradiction to Tippett's conclusion that scanning is ineffectual.

(To anyone interested in looking into some good work on modelling the spread of biological viruses, we'd suggest consulting recent issues of the journal "Mathematical Biosciences".)

Our own data on virus incidents do not show any trend towards explosive growth, neither for viruses in general nor for the 1813 and Brain viruses which Tippett discusses. We would be very interested in seeing other reliable data on virus populations as a function of time.

We are rather confused at Tippett's assertion that "systems management software" can contribute to real improvement in the problem, whereas other methods cannot. No evidence is presented for this in the paper, and it would appear that the same analysis that is used to claim that scanning is ineffective could be applied to virtually any other method of reducing the virus population, including the use of systems management software.

We believe that, in order to make reasonable predictions about the population dynamics of computer viruses, we need to formulate more realistic models which incorporate some aspects of the virtual and physical connectedness of the world's computers and at least a minimal understanding of human habits. The analysis and interpretation of such a model will not be easy, but the success that mathematical epidemiologists have achieved in understanding the spread of some infectious diseases encourages us to think that we will be able to do it.

DC

------------------------------

Date:    Thu, 21 Jun 90 17:47:00 +0700
From:    h+@diab.se (Jon Wätte - SoftWare konsult)
Subject: Re: GateKeeper Aid 'ADBS' Query (Mac)

Maybe the ADBS wasn't where it belonged, or was patched to load another resource. (An ADBS is a driver routine for the Apple Desktop Bus, if memory serves me right.) Just a guess...

------------------------------

Date:    Fri, 22 Jun 90 10:05:12 -0400
From:    9991@db0tuz01
Subject: 1704-virus (PC)

We have a virus problem at our site (FU-Berlin, Neurobiology): several of our AT's got a virus infection.
It's very likely that we have the old 1704 virus or one of its children with the same head. Does anybody know a way to get rid of this virus (without erasing all infected *.COM files)? It seems the virus knows the old start address of the program, but where the hell does it hide it? Any advice or recommendations are welcome.

Thanks in advance
E. Lieke.

------------------------------

Date:    22 Jun 90 13:32:33 -0400
From:    Bob Bosen <71435.1777@CompuServe.COM>
Subject: Anti-viral philosophies

>> Like to get some opinions on this one. If you could only get
>> one program for your pc/pc-xt/pc-at or clone, what would it be?

> This is a question that keeps coming up and while I agree that
> McAfee's products are the best for someone who knows what they
> are doing, they are not products that are suitable for environments
> with vast numbers of PCs and semi-educated users...
>
> 1- Can you imagine trying to install monthly updates on 5000 PCs...
> ....
> What I prefer is a package that resides in the background of the
> user's PC and reports any change to the environment with no
> appreciable hit to performance

My thanks to Padgett for so clearly expressing what I have been unable to say on this forum. As a vendor, it's hard for me to come here and initiate discussions about my own products. Be warned: I am speaking about my own commercial product here. Our "SafeWord VIRUS-Safe" performs exactly as Padgett describes above. It was designed with EXACTLY this kind of situation in mind. It also maintains a detailed log of changes to files so a virus researcher can figure out what kind of virus may have been polluting things. The log reveals the date and time of detected changes, before-and-after signatures using any industry-standard signature algorithms, length changes, etc. If that's what you are looking for, please give me a message.

Bob Bosen
Enigma Logic
USA tel: (415) 827-5707

------------------------------

Date:    Sat, 23 Jun 90 20:01:14 +0200
From:    swimmer@fbihh.informatik.uni-hamburg.de (Morton Swimmer)
Subject: Re: FORM virus (PC)

I'm sorry I didn't post this before, but the way things are at the moment, I rarely get to eat.

The Form virus is a Swiss product. It has apparently infected most of the schools in canton Zug so I'm not surprised that you have got it at ETH Zuerich.

To make it short: it is indeed a boot sector virus. It will infect floppies as well as hard disks. It has a damage routine: on every 24th of any month it will make the keys click, but it doesn't seem to work on my machine. Otherwise it is not destructive. It is well programmed, and doesn't seem to have been derived directly from any other virus. Normally it should not bother you. I had promised an antivirus for it, but time didn't allow it. Like most boot sector viruses, it can be removed (or at least deactivated) by booting from a _clean_ disk and using the SYS command to overwrite the virus boot sector.

Cheers, Morton
Virus Test Center

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 116]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
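Two of the postings in this issue touch the same scanner-design question from different sides: Y. Radai's one-word answer, "hashing", to why UnVirus does not slow down as the number of viruses grows, and Morton Swimmer's note that FORM is a boot sector virus, i.e. a 512-byte object a scanner has to check against every boot-sector signature it knows. The following is an added example, written for this edition of the digest; it is not code from UnVirus, SCAN, VIRSCAN, F-PROT or any other product named above. It indexes signatures by their first four bytes so that each offset costs one dictionary lookup plus a full compare against only the signatures sharing that prefix, and it runs the scanner over a constructed DOS-style boot sector and a constructed .EXE image. Every signature and every sample byte string in it is a made-up placeholder, not the real pattern of FORM, 1704, Yankee Doodle or anything else.

```python
"""Hash-keyed signature scanner (added example; not UnVirus, SCAN, VIRSCAN or
F-PROT code).  Signatures are indexed by their first PREFIX_LEN bytes, so each
file offset costs one dict lookup plus a full compare against only the few
signatures sharing that prefix: loading more signatures does not slow the scan.
All signatures and sample data below are CONSTRUCTED placeholders."""
from collections import defaultdict

PREFIX_LEN = 4

# Constructed placeholder signatures (name -> bytes).  "A" and "C" share a
# 4-byte prefix on purpose, to exercise the collision path.  None of these
# are the real byte patterns of FORM, 1704 or Yankee Doodle.
SIGNATURES = {
    "placeholder-boot-A": bytes.fromhex("fa33c08ed0bc007c"),
    "placeholder-file-B": bytes.fromhex("b8004ccd21"),
    "placeholder-boot-C": bytes.fromhex("fa33c08e1122"),
}


class HashedScanner:
    """Prefix-indexed scanner: per-offset cost independent of signature count."""

    def __init__(self, signatures):
        self._index = defaultdict(list)          # prefix -> [(name, full sig)]
        for name, sig in signatures.items():
            if len(sig) < PREFIX_LEN:
                raise ValueError(f"signature {name!r} shorter than PREFIX_LEN")
            self._index[sig[:PREFIX_LEN]].append((name, sig))

    def scan(self, data):
        """Return [(name, offset), ...] for every signature found in data."""
        hits = []
        for off in range(len(data) - PREFIX_LEN + 1):
            candidates = self._index.get(data[off:off + PREFIX_LEN])
            if not candidates:
                continue                  # one lookup, no signature compared
            for name, sig in candidates:  # only prefix-sharing signatures
                if data.startswith(sig, off):
                    hits.append((name, off))
        return hits


def naive_scan(data, signatures):
    """Reference scanner that tests every signature at every offset; its cost
    grows linearly with the number of signatures.  Used to cross-check results."""
    hits = []
    for off in range(len(data)):
        for name, sig in signatures.items():
            if data.startswith(sig, off):
                hits.append((name, off))
    return hits


def looks_like_dos_boot_sector(sector):
    """Cheap structural check before scanning a sector image: 512 bytes,
    opens with a short (EB) or near (E9) jump, ends with the 55 AA mark."""
    return (len(sector) == 512
            and sector[0] in (0xEB, 0xE9)
            and sector[510:512] == b"\x55\xaa")


def make_sample_sector(infected):
    """Constructed 512-byte DOS-style boot sector with code at offset 0x3E.
    The 'clean' variant shares a 4-byte prefix with signature A but differs
    later, so the hash lookup finds candidates but the full compare rejects."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x3c\x90"
    sector[3:11] = b"MSDOS4.0"
    code = (SIGNATURES["placeholder-boot-A"] if infected
            else bytes.fromhex("fa33c08ed0bc0000"))
    sector[0x3E:0x3E + len(code)] = code
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def make_sample_exe(infected):
    """Constructed MZ-headed file image with signature B planted at offset 100."""
    body = bytearray(b"MZ" + bytes(200))
    if infected:
        body[100:105] = SIGNATURES["placeholder-file-B"]
    return bytes(body)


def scan_sample_sector(infected):
    """Structural check first, then hashed scan; None means 'not a boot sector'."""
    sector = make_sample_sector(infected)
    if not looks_like_dos_boot_sector(sector):
        return None
    return HashedScanner(SIGNATURES).scan(sector)


if __name__ == "__main__":
    scanner = HashedScanner(SIGNATURES)
    for label, data in (("infected sector", make_sample_sector(True)),
                        ("clean sector", make_sample_sector(False)),
                        ("infected exe", make_sample_exe(True))):
        print(label, scanner.scan(data))
```

`naive_scan` is there only to show what the index replaces: its inner loop runs once per signature at every offset, which is the slowdown Chess asked Radai about. The deliberate prefix collision between signatures A and C, and the "clean" sector that shares A's first four bytes, show why the dictionary hit is only a filter and the full compare is still required. A real scanner would also choose the indexed bytes from a position inside the signature that is unlikely to be shared (not a common prologue like `cli; xor ax,ax`) so that candidate lists stay short.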