VIRUS-L Digest Friday, 10 Aug 1990 Volume 3 : Issue 140 Today's Topics: 4096 (PC) postscript trojan "Re: other ways for viral injection C" Disk Manager (PC) Re: 4096 Virus and Checksums (PC) Re: F-PROT experience (PC) CVIA Virus Alerts (PC) Bouncing ball? (PC) Re: Summary Of Laserwriter Viruses Re: 4096 Virus and Checksums (PC) Extremely virulent virus problem (PC) help!!! (Mac) Re: Antivirus-viruses Cost of Protection (Philosophy) Disk Killer bug (PC) SCAN, Zenith ZDS (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 08 Aug 90 15:43:04 -0400 From: "David.M.Chess" Subject: 4096 (PC) Padgett Peterson : > I have been surprised to the the excitement caused by this virus. > Admittedly, it uses some "stealth" techniques to hide itself, but > the "stealth" itself should be detectable in memory. Yep, the 4096 is easily detectable in memory. I think the main cause for worry has been the feeling that there are lots of people out there who don't use virus scanners, and whose main hope of noticing an infection is noticing file lengths (or contents) changing, or programs malfunctioning. A "stealth" style virus with few bugs will tend to be less noticeable by those means than a non-stealthy one. I definitely agree, though, that for users who have a good virus-scanning program, the 4096 is no more worrisome than a comparable non-stealthy virus would be. DC P.S. Detecting a virus in memory is a little more prone to false alarms than detecting one in files, because after an infected system has been cleaned up the virus signature may still make it into memory, because it is still in the "cluster gas" somewhere on the disk, and may get loaded into unused parts of disk buffers or whatever. ------------------------------ Date: 08 Aug 90 20:27:25 +0000 From: treeves@hpuxa.ircc.ohio-state.edu (Terry Reeves) Subject: postscript trojan A few days ago there was a series of messages about a laser writer trojan horse that set the password to some unknown value. A fix was also posted. (a program that could reset the password without knowing the old one.) Noone said what the name of the trojan horse was, or what it claimed to be good for. Does anyone know? The fix included the caveat that it would probably fail on postscript clones. Ok. We have a kyocera Q8010 that has apparently been hit. Or some bright reader of comp.virus suddenly realised printers have passwords and just sent down the commands to change it from 0 to whatever. Yes, the fix failed on this clone. I am in contact with Kyocera, but I am not sure they will be able to help. I fear they will say you can't reset passwords without knowing the old one. It occurs to me that maybe the fix program fails because the password is in a different spot in the eprom. Any ideas? Specifically woud the authors of the fix routines be interested in adapting them to this printer if I could get them technical info like the location of the password? Anyone agree with me that maybe the password should be in cmos so we could open the case and yank the battery? Not that agreeing with me will do much good - but I'd feel better. Terry Reeves The Ohio State University REEVES.2@OSU.EDU ------------------------------ Date: Thu, 09 Aug 90 11:55:07 +0700 From: Jan Christiaan van Winkel Subject: "Re: other ways for viral injection C" lath@geocub.greco-prog.fr (Laurent Lathieyre) writes: >I wonder if operating systems shouldn't >preferably be delivered in source form rather than in >compiled form... And even that does not guard you against the virus/trojan Ken Thompson described in his Turing award lecture. How can you guarantee that the compiler/assembler or linker does not insert some extra code, recognizing the fact that it is compiling/assembling/linking the new version of the compiler, operating system or whatever? Therefore I do not agree with mr. Lathieyre: It is better to have one source of your O/S. I'd rather boot off one of the suppliers disks than off on I built myself using God knows what utilities... JC ___ __ ____________________________________________________________________ |/ \ Jan Christiaan van Winkel Tel: +31 80 566880 jc@atcmp.nl | AT Computing P.O. Box 1428 6501 BK Nijmegen The Netherlands __/ \__/ ____________________________________________________________________ ------------------------------ Date: Thu, 09 Aug 90 15:01:00 +0300 From: Y. Radai Subject: Disk Manager (PC) Michael Greve wrote that his machines have become infected with the 4096 even though the hard disks are protected with Disk Manager. Several people reacted by saying that Disk Manager is disk partition- ing software, not anti-viral software. Well, I don't think Michael is that far off. True, Disk Manager is disk partitioning software. But it includes an option to make a par- tition READ-ONLY. In principle, this should prevent infection of any file on such a partition. Of course, since this is only software pro- tection, it can probably be circumvented. But I think that it should be effective against all current file viruses, including the 4096. So if this option has actually been used on one of the partitions, files *on that partition* should be protected against the 4096. Note that I said that it should be effective against *file* viruses. I don't recall if it's possible, under Disk Manager, to arrange for the boot sector to be in the read-only partition. If it is, then this should also work against ordinary boot-sector viruses. However, it won't work against partition-record viruses, like the Stoned (= Mari- juana) and EDV. Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET (Note new address) ------------------------------ Date: Thu, 09 Aug 90 15:21:00 +0300 From: Y. Radai Subject: Re: 4096 Virus and Checksums (PC) Steve Albrecht asks about the following statement by Dr. Highland on the 4096 virus: > "This recently published computer virus is particularly > disturbing in that...checksum techniques likewise appear to > be useless, the virus `disappears' during the checksum > process..." > >Can someone please elaborate on how the virus avoids the checksum >process, or perhaps direct me to more detailed information on this >virus? > >In particular, does it avoid all checksum algorithms, or only >certain ones? How does it avoid detection from the checksum >operation? The virus "disappears during the checksum process" only in the sense that files infected by this virus do not appear to have been altered *IF THE VIRUS IS IN MEMORY WHEN CHECKSUMMING IS PERFORMED*. Didn't Dr. Highland mention this in his article? The same is true of some other viruses, incl. EDV and Number of the Beast (V512). From this it is obvious that the answer to your question whether it avoids *all* checksum algorithms is affirmative. But this is only under the above circumstances. The remedy is obvious: Instead of performing checksumming from your hard disk, do it only after cold booting from your original (write- protected) DOS diskette, with the checksum program and database also on a diskette. This will ensure that RAM is uninfected when the check- sum program is run. (At least it's much surer than depending on checks such as those advocated by Jim Molini and Chris Ruhl on this forum several months ago.) Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET (Note new address) ------------------------------ Date: Thu, 09 Aug 90 15:32:00 +0300 From: Y. Radai Subject: Re: F-PROT experience (PC) Sigurd Andersen asks for opinions on F-PROT. In my opinion, this package of 21 utilities includes some excellent programs. I'll des- cribe only a few of them: F-DRIVER is a small device driver which (1) checks RAM for boot-sec- tor and partition-record viruses when it is initially activated and (2) checks each program which is about to be executed to see if it contains a known file virus. If so, it stops execution. F-LOCK is a RAM-resident program which monitors suspicious activi- ties. It is effective not only against known viruses but also against Trojans and unknown viruses. In this respect, it resembles FluShot+. However, it is designed to stop even viruses which write to the disk by jumping directly to an interrupt handler instead of diverting interrupt vectors in the normal way. In practice, this does not work on all such viruses (e.g. it does not seem to be effective against the 4096), but since the idea behind the prevention of such viruses seems to be sound, it's possible that this is just a bug which will soon be removed. F-DISINF scans boot sectors and partition records for known viruses and optionally removes them. F-FCHK scans files for known viruses and new mutations of them and can cure such files in almost all cases. F-SYSCHK scans memory for known viruses. F-MMAP displays a map of memory. It includes memory blocks which other such utilities do not show (e.g. those near the TOM, where most boot-sector viruses hide, and I think even those above the 640K mark). What I *don't* like in the package are the "self-checking" programs. I think there are better ways of achieving the same thing. But, of course, you don't have to use everything in the package. The prices for F-PROT are as follows: > Educational institutions: 1-14 computers $15 > 15-500 computers $1 per computer > over 500 computers $500 > > Everybody else: 1-7 computers $15 > 8-500 computers $2 per computer > over 500 computers $1000 F-DRIVER corresponds (approx.) to McAfee's VSHIELD, while F-DISINF and F-FCHK do the equivalent of McAfee's SCAN and CLEAN (on almost the same number of viruses). Prior to Ver. 1.11, F-FCHK was quite slow. But its speed has since been improved. It still takes about 50% more time than SCAN, but it can probably detect more mutations of known vi- ruses since it uses 2 or 3 identifying strings for almost every virus. Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET (Note new address) ------------------------------ Date: Wed, 08 Aug 90 17:23:07 -0700 From: Alan_J_Roberts@cup.portal.com Subject: CVIA Virus Alerts (PC) This is a forward from Aryeh Goretsky of the Computer Virus Industry Association: ================================================================ Note: Contact information from the following CVIA Membership Alert has been removed from the posting, but has been submitted separately to the Virus-L moderator. August 8, 1990 CVIA Membership Alert Originating Members: [Information Removed] Alert Type: Initial Infection Spread Library Entries: Joshi; 4096 Entry Types: "Stealth"; Boot infectors; File Infectors A widespread outbreak of the Joshi virus has been reported in the Detroit area. More than two dozen computer stores, small businesses and individual users have reported infections within the past three days. The virus is the "A" variety. The transmission vector into the Detroit area has not yet been determined, although some signs point to a national computer store chain. Many of the local retail outlets of this national chain have reported infections. This virus is spreading more rapidly than any previous virus that has been tracked by this organization. As a point of comparison, the Sunday virus (a relatively fast replicator) was in the public domain (U.S.) for more than eight months before it reached a point of consistent multiple daily reports. The Dark Avenger followed a similar course. The Joshi virus has been in the U.S. public domain for less than 45 days, and we are currently receiving more reports of this virus per day than for the Sunday and Dark Avenger combined. We cannot account for this anomaly. Perhaps it has something to do with being the first known "Stealth" partition table infector, or perhaps with an opportunistic event such as the high volume distribution of infected diskettes or hardware. In any case and alert is in order. An interim remover for the Joshi is available to liaison persons in the event an infection is detected. An August seventh report of the 4096 virus in Vermont marks the first CVIA reported occurrence of this virus in New England. We are continuing to receive multiple daily reports of this virus from geographic areas previously reported as affected. John McAfee 408 988 3832 ------------------------------ Date: 09 Aug 90 13:17:41 +0000 From: yacullo@remus.rutgers.edu (mike yacullo) Subject: Bouncing ball? (PC) Starting around the beginning of May, our office's IBM/PCs began showing a strange thing on their screens: A "bouncing ball" type of graphic which floats around the screen, bouncing off the boundaries. The ball appears when I'm in DOS, and disappears when an application is run. It's not there all the time, and I don't know what triggers its appearance. Anyway, what I'm getting at is: 1) Has anyone else come across this phenomenon? What is it? 2) Is it a symptom of a deeper problem? My boss is telling me to ignore it, but I'm nervous that it might be connected to a virus. Thanks for your help, Mike yacullo@remus.rutgers.edu ------------------------------ Date: Wed, 08 Aug 90 16:09:11 -0700 From: cos@lclark.BITNET Subject: Re: Summary Of Laserwriter Viruses Could someone please mail me a summary of the discussion on Laserwriter Viruses, specifically: Do they exist and how can they be detected? Thanks. john costello lewis and clark college ACS cos@lclark ------------------------------ Date: 09 Aug 90 20:11:15 +0000 From: vail@tegra.com (Johnathan Vail) Subject: Re: 4096 Virus and Checksums (PC) 70033.1271@CompuServe.COM (Steve Albrecht) writes: In browsing through the April 1990 issue of Computers and Security, Volume 9, No. 2, I read the following comments of Dr. Harold Highland on the 4096 virus: "This recently published computer virus is particularly disturbing in that...checksum techniques likewise appear to be useless, the virus `disappears' during the checksum process..." Can someone please elaborate on how the virus avoids the checksum process, or perhaps direct me to more detailed information on this virus? Back when it was fun to hack with viral code I thought it would be necessary to avoid the checksum built into the .EXE header. The first approach was to compute a new checksum based on the entire new file. A better and more efficient way is to simple force the checksum of the actual added virus code be zero. That way, any checker will take the CS of the original file data and add it to the CS of the added virus code. This being zero it will result in the same CS as the original. This method will easily spoof checksums but not CRCs or LRCs. And I still don't know how to spoof a combination of these. I think that there are programs that will wrap around an executable and detect any changes made to itself. These can't be beat by the method described above. Probably what happens here is the the virus code gets executed first after being loaded. It then relocates itself and hides its tracks. Then it can pass control back to whatever program it has infected. The resulting load image is the same as it would have been without a virus. Just some random musings... jv [Ed. Unless I'm mistaken, the 4096 doesn't use this sort of mechanism to hide from checksums; it traps the interrupts that read files and disinfects files on the fly so that a checksum/crc/whatever actually sees the non-infected files.] The inability of snakes to count is actually a refusal, on their part, to appreciate the Cardinal Number system. -- "Actual Facts" _____ | | Johnathan Vail | n1dxg@tegra.com |Tegra| (508) 663-7435 | N1DXG@448.625-(WorldNet) ----- jv@n1dxg.ampr.org {...sun!sunne ..uunet}!tegra!vail ------------------------------ Date: Thu, 09 Aug 90 11:47:54 -0700 From: Carol anne Clayson Subject: Extremely virulent virus problem (PC) We're having a problem with an extremely virulent virus. Aside from infecting programs, it seems to store itself in parameter ram as well, so soley reformatting the hard drive doesn't kill it. It seems to lock up Windows, Harvard Graphics, and several other graphics based programs. We've managed to get it off of our machine, but we're not sure what floppies have been infected and what ones have not. We're looking for a virus checking program that would recognize and remove this virus. Does one exist and if so, where can we get it? Please reply by email (clayson@gandalf.Colorado.EDU) as I do not read this newsgroup. Thank you very much. C. A. Clayson - ------- ------------------------------ Date: Thu, 09 Aug 90 21:27:38 -0400 From: cindy Subject: help!!! (Mac) I've got something I think could be a virus on my mac pc, but I'm not sure. I inserted a floppy and got a wierd flashing dialogue box flashing and saying "pl ease insert disc" in a different font than it should, and then the computer loc ked up irrevocably, forcing me to turn it off. I have a hard disc, and when I started up again, a game locked up when I played it. Same thing...turned off the computer. And after that, whenever I tried to insert a floppy (having restarted from the hard disc) I got that same wierd dialogue box, and lock-up. I have disinfectant 1.7, and gatekeeper that came out in may (I think), AND vaccine recent edition, and none of those came up with anything. ResEdit didn't show anything unusual, either. So I thought too many DA's, shut almost all down, no change. Finally I threw up my hands, replaced the finder, system, and general files, and it works (for now). What the heck? Is there a new virus out there that would cause all that? my disc isn't full! I'm afraid there's somthing lurking around on my hard disc I can't see. can anyone help? Please e-mail cindy (cxb135 at psuvm.psu.edu) ------------------------------ Date: 09 Aug 90 16:43:10 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Antivirus-viruses In addition to the viruses described in the original posting, some of the variants of Yankee Doodle are anti-virus viruses - they modify the Ping-Pong virus, so it will self-destruct. - -frisk - -- Fridrik Skulason University of Iceland | Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 | ------------------------------ Date: 9 August, 1990 From: Padgett Peterson Subject: Cost of Protection (Philosophy) I am astounded by the assertation that $5800 for 100 service copies of McAfee's SCAN is considered excessive. Considering the continuing effort, response time, and updates required, the cost seems minimal compared that of sending technicians out unarmed (yes, we have a service license). Just the savings in time alone in battling infections and the knowlege of what you are facing justifies the cost. More important, at a time when many manufacturers require individual copies for each CPU, the concept of the service and site license, both available from McAfee and very few others, are godsends to overworked staffs. Besides which, I can think of very few packages available for $58 each, much less ones that can be used on any machine. No-one thinks twice about the telephone company charging more for a business line than for a residential one. Similarly, the $25 "shareware" fee for home use cannot be equated to the unlimited use "service license" fee. If an alternative is desired, nothing is stopping anyone from writing their own software. For me, the price is cheap and the concept well worth supporting. Padgett Peterson Personal Opinions ------------------------------ Date: 09 Aug 90 14:54:08 -0400 From: "David.M.Chess" Subject: Disk Killer bug (PC) The Disk Killer virus has a bug (at least one) that causes it to sometime/often/usually mark the wrong sectors as bad in the FAT when it infects a diskette. If the diskette is later written to, this often results in the virus's on-disk code being overlayed, rendering the diskette non-bootable and non-infectious (although the boot sector is still there, so scanners will still see it as infected). Does anyone know in any detail under what circumstances the bug shows up? From some limited testing, it looks as though the wrong sectors are marked bad if a freshly- formatted diskette is used in a machine with the virus in memory, but the right sectors are marked bad if the diskette already has considerable stuff on it when it becomes infected. Does this sound right to others who have looked at it? DC ------------------------------ Date: 10 August, 1990 From: Padgett Peterson Subject: SCAN, Zenith ZDS (PC) After my last posting, Mr. McAfee called to tell me that it is not necessary to boot from a write-protected floppy for SCAN to detect a virus resident in memory & dangerous ones are checked for each time SCAN runs (to check for all memory resident viruses, the /m option should be used). Since some machines require special drivers for fixed disk access that would not be on the floppy, this is good to know. During our installation of Enigma-Logic's Virus-Safe on PCs we experienced problems on a limited but significant number of Zenith 158 & 159 (PC & XT) machines: Each time one booted up, a changed boot sector was reported. Use of DEBUG revealed that something in the OS was periodically placing a time stamp in the boot record (logical sector 0) and Virus-Safe was properly flagging the change. Hard drives formatted with the signatures ZDS3.1 and ZDS3.2 (Z-DOS ver 3.1 & 3.2) were the most prevalent. A call to Zenith revealed that they had had some reports of that type and would have to get back with me about exactly what was going on. They also stated that while some anti-virus routines had reported difficulty, others did not. When I have more information, it will be passed on. In the meantime, if you have a Zenith that reports constant changes to the boot sector, this may be the problem (then again, maybe you have a boot sector infector). ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 140] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253