VIRUS-L Digest Wednesday, 8 Aug 1990 Volume 3 : Issue 139 Today's Topics: SAM Loophole (Mac) 4096 (PC) 453 Virus (PC) Re: other ways for viral injection ? Gatekeeper Aid 1.0.2 (Mac) Joshi Remover (PC) CVIA Alert (PC) Viruscan Site Licensing VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Fri, 03 Aug 90 12:27:30 -0400 From: Subject: SAM Loophole (Mac) Another Loophole in SAM Intercept Folks: We have discovered another loophole that can allow a person to bypass the floppy scan in SAM intercept. If you are in an application and want to open a file on a floppy, SAM will scan the floppy you insert. If, however, while in the File Open dialog box, you click on EJECT and insert another floppy, this floppy (and any other subsequent floppies you insert) are not scanned by SAM. This "loophole" in SAM would allow you to infect your unit if there is a virus on the second or later floppies. Since most viruses go on to infect the system files, SAM would pick up the infection the next time you reboot your machine (provided you have configured your copy to scan the system folder at startup) We have notified Symantec of this loophole and would appreciate further confirmation. ------------------------------ Date: 3 Aug. 1990 From: Padgett Peterson Subject: 4096 (PC) I have been surprised to the the excitement caused by this virus. Admittedly, it uses some "stealth" techniques to hide itself, but the "stealth" itself should be detectable in memory. Certainly a thorough virus checking routine will not rely on DOS to provide accurate information. Next, despite roumors of CMOS and Modem viruses, to be able to become resident in an XT class machine, some memory MUST be used somewhere and this is detectable. Thus there are (at the moment) three checkpoints: either available memory has been reduced, interrupts are being vectored into never-never land (virus hiding in unassigned memory - note: this may not be obvious from the interrupt table), or crashes will occur often as the virus is overwritten. While I have not yet seen the 4096 (a copy is coming but not yet arrived), I feel certain that it is detectable reasonably easily in memory - if not directly then by its process of hiding. As soon as I determine an easy way to detect it, the answer will be posted. In the meantime, booting from a write- protected floppy and running a clean SCAN of version 53 or later is known to be effective. ------------------------------ Date: 3 August, 1990 From: Padgett Peterson Subject: 453 Virus (PC) Otto Stolz was kind enough to forward to me a hex dump of the 453 virus and the following information is now available: 1) Appender class, does not become resident. 2) Signature: The virus looks for 9090h as the last two bytes in a file, virus assumes infected if found & skips file. 3) Replication: Virus looks only for uninfected .COM files in current default directory 4) Trigger: None 5) Bomb: None 6) Evasion: None 7) Comments: Very crude structure with much unnecessary PUSHing & POPing. several places are noticed where more complex instructions could be used more efficiently. All calls are functions of Interrupt 21h. No trigger or bomb is present though numerous NOPs and extraneous JMPs provide plenty of space for addition. 8) Note: The apparent string "TUQ.RPVS" is simply a sequence of PUSH instructions rendered as ASCII. ------------------------------ Date: 04 Aug 90 17:58:51 +0000 From: rick@pavlov.ssctr.bcm.tmc.edu (Richard H. Miller) Subject: Re: other ways for viral injection ? lath@geocub.greco-prog.fr (Laurent Lathieyre) writes: > Alike, did some Trojan horses be discovered in some >operating systems ? I wonder if operating systems shouldn't >preferably be delivered in source form rather than in >compiled form... A nice thought, but very impratical for the following reasons: 1) Many users of PC level products just want to load their systems and go. To require them to compile and build their O/S would effectively eleminate their ability to install the systems themselve. Thus a PC "expert" would come in and do it. This could also lead to even more problems since this person COULD insert whatever was desired and the user would probable not know the difference. 2) The amount of time and effort to build an O/S cna be very long, especially when one moves into the mini and mainframe arena. It takes almost 24 hours of wall time to build OS-1100 for Unisys machines. I don't even want to think how long it would take to compile and build MVS from source. 3) When you release source and the tools to build the O/S, local code WILL creep into the O/S. Maintenance and upgrades become a royal pain, especially when no one documents what they did. ["I know I will remember what I did two years from now and why when we have to upgrade"]. 4) O/S source is a trade secret for many vendors. (As one vendor found out going against IBM) - -- Richard H. Miller Email: rick@bcm.tmc.edu Asst. Dir. for Technical Support Voice: (713)798-3532 Baylor College of Medicine US Mail: One Baylor Plaza, 302H Houston, Texas 77030 ------------------------------ Date: 06 Aug 90 07:50:15 +0000 From: ut-emx!chrisj@emx.utexas.edu (Chris Johnson) Subject: Gatekeeper Aid 1.0.2 (Mac) Gatekeeper Aid 1.0.2 has finally been released. A short descrip- tion of it and details of where it can be found are included below. Gatekeeper Aid is a Startup document (INIT) designed to auto- matically hunt and kill all known strains of the WDEF virus, as well as possible future strains and related viruses. It should be used to augment the Gatekeeper anti-virus system and may also be used to augment other anti-virus tools. Version 1.0.2 of Gatekeeper Aid is designed to correct a number of problems that surfaced in version 1.0.1. A complete list of these problems is included in the documentation. In addition, version 1.0.2 improves Gatekeeper Aid's protections and adds some new features including the ability to retroactively correct a bug in existing versions of Gatekeeper that is responsible for about 90% of all the Internal Errors reported. Users of Gatekeeper Aid are strongly encouraged to upgrade to this latest version. Users of anti-virus systems that don't automatically detect AND REMOVE the WDEF virus are strongly encouraged to use Gatekeeper Aid to augment their current systems. Also included with Gatekeeper Aid 1.0.2 is a document which pro- vides a quick preview of Gatekeeper 2.0. Gatekeeper Aid 1.0.2 has been posted to comp.binaries.mac and should appear there relatively soon. It will also be sent to the info-mac archives at sumex.stanford.edu and to the simtel archives. It is immediately available in the microlib/mac/virus directory on ix1.cc.utexas.edu and ix2.cc.utexas.edu (take your pick). - ----Chris (Johnson) - ----chrisj@emx.utexas.edu DISCLAIMER: My employer is neither involved with, nor responsible for, Gatekeeper and Gatekeeper Aid. ------------------------------ Date: Tue, 07 Aug 90 01:48:41 -0400 From: Subject: Joshi Remover (PC) Here is a program to remove the Joshi virus from hard disks. It can be assembled by using DEBUG (Like this). DEBUG A MOV DX,0080 MOV CX,0001 MOV BX,0200 MOV AX,0201 INT 13 CMP AH,0 JNE 13C MOV CX,0008 MOV AX,0301 INT 13 CMP AH,0 JNE 150 MOV CX,0009 MOV AX,0201 INT 13 CMP AH,0 JNE 13C MOV CX,0001 MOV AX,0301 INT 13 CMP AH,0 JNE 150 INT 20 MOV AH,9 MOV CX,145 INT 21 INT 20 DB 'Read Error$' MOV AH,9 MOV DX,159 INT 21 INT 20 DB 'Write Error$' N RMJOSHI.COM RCX :80 W Q To restore the disk to its origonal condition (like using it on and uninfected hard disk), use this program. DEBUG A MOV DX,0080 MOV CX,0008 MOV BX,0200 MOV AX,0201 INT 13 CMP AH,0 JNE 122 MOV CX,0001 MOV AX,0301 INT 13 CMP AH,0 JNE 136 INT 20 MOV AH,9 MOV DX,12B INT 21 INT 20 DB 'Read Error$' MOV AH,9 MOV DX,13F INT 21 INT 20 DB 'Write Error$' N RETURN.COM RCX :50 W Q This will return the hard disk to it's origonal state (before RMJOSHI was executed). Be sure to boot off an unifected diskette before using these programs. Since Joshi Virus redirects attempts to read or write to the virus, these programs will not work if the virus is active in memory. These programs may be used by anybody, as long as they are not modified or used in another program.... ------------------------------ Date: Mon, 06 Aug 90 17:38:05 -0700 From: Alan_J_Roberts@cup.portal.com Subject: CVIA Alert (PC) This is a forward from Aryeh Goretsky of the Computer Virus Industry Association: ================================================================ Note: Contact information from the following CVIA Membership Alert has been removed from the posting, but has been submitted separately to the Virus-L moderator. August 6, 1990 CVIA Membership Alert Originating Members: [Information Removed] Alert Type: Initial Infection Spread Library Entries: AirCop; 1253; Leprosy Entry Types: Boot Sector; Multipartite; COM Infector The second U.S. occurence of the AirCop virus was reported from Fremont, California on August 3. The virus had infected a retail software distributor on multiple machines. The virus appears identical to the original AirCop reported by Microsoft. The virus was traced back to a software duplicator in Taiwan. An unusual virus, called the 1253 virus, has been reported in Austria and submitted to the CVIA library. The virus infects COM files, floppy diskette boot sectors, and hard disk partition tables. Either of the three forms of the virus are sufficient to transfer an infection to the other. In its COM infector form, it increases the size of infected files by 1253 bytes. The virus activates on December 24th and corrupts all data on the hard disk and on any inserted floppies. An interim detector for the virus is available now to liaison persons. The Leprosy virus has been reported at 11 separate sites in Northern California within the past five days. The outbreak appears to stem from a file uploaded to bulletin boards within the Bay Area called 486COMP.ZIP, which promises to compare the user's system to a 80486-based PC. The Leprosy virus is a slow replicator and there is little chance of contracting this virus ouside of the BBS channels or from an intentional infection. A detector is available, however, for liaison persons if requested. John McAfee ------------------------------ Date: Wed, 08 Aug 90 09:28:26 -0700 From: Alan_J_Roberts@cup.portal.com Subject: Viruscan Site Licensing This is a forward from John McAfee: ================================================================== Brian Aslakson posted a Virus-L message concerning the cost of service licenses for VIRUSCAN. Just so there is no misunderstanding, I'd like to point out the differences between our service licenses and our site licenses. Site licenses, for large volume organizations, bottom out at $1.90 per machine. They allow the use on any machine in the licensed organization. Service licenses, on the other hand, are used by organizations that want to license only a few copies, but want to carry those copies to other organizations, or sites, and scan any and all machines at the site. A service organization may license, say, one copy, but use the copy on hundreds of machines a day. As a result, each service copy of SCAN may generate multiple support calls to our office each week, as viruses are detected and removal or containment assitance is requested. Support costs us time and money, but it is provided at no charge to our clients. Accordingly, our service licenses cost more, per copy, than our site licenses. Brian suggests that $5,800 for 100 service copies is unreasonable. I can't say. The folks on our support lines (and not a few of the users of SCAN), however, seem to feel otherwise. John McAfee ... ...-.... ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 139] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253