VIRUS-L Digest   Wednesday, 7 Feb 1990    Volume 3 : Issue 33

Today's Topics:

WDEF in Toronto (MAC)
GateKeeper Aid on AppleShare Server (Mac)
Idea for WDEF Inoculation (Mac)
Disinfectant 1.6 (Mac)
Advice for cluster managers
The V-847 virus (PC)
WDEF A (Mac)
"Mosaic" and "FontFinder" Trojan (MAC)
Viruses 4096 and 1260 on BBS (PC)
RE: Trojan Alert (MAC)
More about WDEF
WDEF Virus (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.

- Ken van Wyk

---------------------------------------------------------------------------

Date: Tue, 06 Feb 90 09:05:42 -0500
From: "Kevin Adams"
Subject: WDEF in Toronto (MAC)

Humber College in Toronto has been hit by the WDEF virus. We first detected it when machines began crashing (the mouse still moved the cursor around the screen, but there was no other response). It had managed to infect the desktop of our server by the time we caught up with it. We had resident virus protection in place, but it was too old to snag WDEF. We brought it under control with Disinfect 1.5 and Eradicate'Em. We tried Gatekeeper Aid prior to Eradicate'Em, but it seemed not to work on our IIcx's and SE30's. We've also survived NVIR A and NVIR B.

From the reports I've read, NVIR and WDEF both have no malicious intent, and any damage they cause is a 'side effect'. Is this accurate? It seems very strange to me that virus writers would launch their missiles with no payload...
Kevin Adams
User Services Group
Humber College of Applied Arts and Technology

------------------------------

Date: Tue, 06 Feb 90 11:23:00 -0500
From: Roberta Russell
Subject: GateKeeper Aid on AppleShare Server (Mac)

I installed Gatekeeper Aid on our AppleShare File and Print Server today. When I rebooted the server, I got the message "GateKeeper Aid encountered FCB expansion." Can someone tell me what this means?

Thanks,
Roberta Russell
Academic Computing, Oberlin College
prussell@oberlin.bitnet
prussell@ocvaxc.oberlin.edu

------------------------------

Date: Tue, 06 Feb 90 12:23:51 -0500
From: Jason Ari Goldstein
Subject: Idea for WDEF Inoculation (Mac)

Just like everywhere else, WDEF is thriving here at Carnegie-Mellon Univ. I recently removed WDEF A & B off of 15 disks of a friend of mine. When I commented to someone here about the virus, they said there was nothing they could do to stop it, except remove it once a machine got infected.

I don't know much about Macs (being a PC person), but if I understand correctly, every time the disk is inserted the virus is spread to the disk. Well, why doesn't someone write an inoculation directly based on the virus itself? Every time a disk is inserted in the drive it would be checked for infection; if so, it would remove WDEF; if not, it would then 'inoculate the disk' with itself. Eventually, WDEF would be wiped out the same way it was spread initially. The only problem with this is that it is a virus also, but with the proper prompts (allowing the user the choice of being inoculated) I don't think this would be a problem. I know I would mind not ever being infected by a virus that kills other viruses.

In the meantime, about 75% of the time I'm in a cluster I remove WDEF A or B from either a hard disk or someone else's floppies.

Later...
me

-------------------
Jason Goldstein
Internet: jg3o+@andrew.cmu.edu
Disclaimer: I represent me and only me, not CMU, not my folks, not anyone.
"Thank the lord my PC came in the mail yesterday" - me
Over, Finished, Gone, Done, Out.

------------------------------

Date: Tue, 06 Feb 90 12:58:46 -0600
From: Fung P Lau
Subject: Disinfectant 1.6 (Mac)

I have recently read something about Disinfectant 1.6 from this newsgroup. Its author said that there was no Disinfectant 1.6 and it might cause potential problems on virus detection. Someone in our lab downloaded it and has been using it without any obvious trouble. I would appreciate any further comments on this application. So, again, is there any upgraded version of Disinfectant after version 1.5? If not, is there any more information about this "fake" Disinfectant?

------------------------------

Date: Tue, 06 Feb 90 14:36:30 -0600
From: Meesh
Subject: Advice for cluster managers

I'm preparing a guide to microcomputer cluster security for the microcluster managers here at the Univ. of Houston. What kind of information would you want to see in such a publication? What kind of advice would you offer to someone who's just setting up a cluster?

Send replies to me:
acs1w@elroy.uh.edu
acs1w@uhvax.bitnet

Michelle M. Gardner
Coordinator, Computing Information Services
Information Technology Division

------------------------------

Date: 06 Feb 90 16:57:00 +0700
From: T762102@DM0LRZ01.BITNET
Subject: The V-847 virus (PC)

The V-847 Viruses
-----------------

This virus was imported into Bulgaria by a foreign student from Greece. He claimed that the virus code was created and published by the PIXEL magazine. The virus is supplied as a program in BASIC, which when run creates a .COM file which in fact contains the real virus.

The virus is extremely stupid. It infects only .COM files in the current directory of the current drive. However, it infects *all* these files at once. The only way to spread the virus is to run an infected file when one of the directories listed in the PATH variable is current.
Then each time a file from this directory is run, all files in the current directory will get infected.

The virus is not memory resident. It becomes active only when an infected file is run. The virus *prepends* itself in front of the infected files. Their size increases by 847 bytes, most of which contain garbage. Each infected file contains the generation number of the virus. There are no effects before the 5th generation. After the 5th generation, however, when you attempt to execute an infected file, you will succeed with probability of only 1/2 (the lowest bit of the system timer is used as a random number generator). If the chances are against you, you will receive the message:

"Program sick error:Call doctor or buy PIXEL for cure description"

and the program will terminate.

This virus was also hacked a bit. There are two known mutations in Bulgaria; however, they are not widely spread. In fact, they are very rare. The first is optimized and is 345 bytes long. The second is even more optimized. Its length is only 299 bytes.

------------------------------

Date: Tue, 06 Feb 90 16:46:51 -0600
From: "James N. Bradley"
Subject: WDEF A (Mac)

Today, while I was disinfecting a Macintosh IIx with Disinfectant 1.6, I got a report saying that the desktop was infected at 3:36 p.m. on 2/6. Now, it just happened that it WAS 3:36 p.m. while I was doing the disinfecting. I was using a locked disk which checked clean both with Disinfectant 1.6 and Gatekeeper Aid. Since the locked disk was clean, it couldn't have infected the HD, right? The person involved swears that no other disks had been in his drives today. Any ideas?

Jim Bradley

------------------------------

Date: Tue, 06 Feb 90 15:01:22 -0700
From: Peter Johnston
Subject: "Mosaic" and "FontFinder" Trojan (MAC)

Since my first posting of the two trojans we have detected here at the University of Alberta, a few things have occurred.
This update is an attempt to share what we have learned so far:

On a suggestion from Paul Cozza, we determined that both the trojans we detected are stopped by SAM (Symantec Anti-viral for the Macintosh) Intercept. The version tested was quite an old one, but Paul suggests that all commercially released versions should also stop the trojan from doing its nastiness. When we tested SAM, the Mac was invariably left hung when we "Denied" the permission SAM was requesting, but upon re-booting, the disks were found to be undamaged.

Several of the anti-viral software developers have contacted us for further information on this trojan, and we have assisted them wherever possible. I would expect versions of many of their packages able to detect this trojan to start appearing in the near future.

I have received as of this date no reports of infection from any other sites. Remember, though, the trigger date of 10 Feb 90. I'll feel a little more relaxed after that date.

University Computing Systems has prepared a client hand-out that describes in relatively non-technical terms what both of these trojans do and what users can do to combat them. Unfortunately, a lot of the information is specific to the University of Alberta, but if anyone is interested, we would be pleased to provide copies of both for your use, or upload them to VIRUS-L, depending on the demand. Please contact me if this would be of assistance to you.

We are continuing our investigations, and will report additional information as we uncover it. You will also likely start receiving informational reports from some of the anti-viral software developers as to the internal characteristics and structure of these trojans.

The one gratifying aspect of this whole episode is the speed with which the warning was spread, and the prompt and professional response we here in the far north received from the anti-virus community as a whole. This trojan is dangerous, no question about it.
But not nearly as dangerous as a full-fledged viral version having the same type of destructive tendencies. Having a mechanism in place to react to these attacks is a pretty powerful deterrent force.

In the meantime, please continue to recommend that your Mac users make regular backups and practice "safe computing". I still feel that user education is one of the most powerful weapons we have to combat malicious code attacks...

Peter Johnston, P. Eng.
Senior Analyst, University Computing Systems,
352 - GenSvcBldg, The University of Alberta
Edmonton, Alberta CANADA T6G 2H1
Phone: 403/492-2462   FAX: 403/492-7219
EMAIL: usergold@ualtamts.bitnet

------------------------------

Date: Tue, 06 Feb 90 22:57:40 -0400
From: GEORGE SVETLICHNY
Subject: Viruses 4096 and 1260 on BBS (PC)

In Virus-L v3 issue 31, ddb@ns.network.com (David Dyer-Bennet) writes concerning the 4096 and 1260 viruses:

>John McAfee writes:
>: The strangest part of the virus is that it is also able to
>:trap all other disk reads and writes, and whenever an infected file is
>:accessed by any program, the virus performs a disinfection of the
>:program on the fly.
> infected file?
>
>As a BBS sysop, I find this a particularly amusing feature: it assures
>my users that anything downloaded from my BBS is not infected with
>this class of virus! The concept of BBS's as *the safest* source of
>software (at least in this one regard) is rather amusing.

What David forgets to mention is that the BBS is the safest source of virus-free files *as long as the BBS is infected* with these viruses. Will Sysops now start deliberately infecting their boards with these viruses so as to assure the users clean files? Is your BBS infected, Dave? ;-)

----------------------------------------------------------------------
George Svetlichny                   |
Department of Mathematics           |
Pontificia Universidade Catolica    |    So it goes.....
Rio de Janeiro, Brasil              |        Kurt Vonnegut Jr.
usergsve@lncc.bitnet  Fido 4:4/998  |
----------------------------------------------------------------------

------------------------------

Date: Tue, 06 Feb 90 22:21:23 +0000
From: <2wsa067@GC.BITNET>
Subject: RE: Trojan Alert (MAC)

One real quick question about this new Mac virus. Do any other programs detect it (i.e. Virus Rx, Interferon, etc.)? And what versions, if any, are you using to detect it?

Thanks,
Ed Vasko

------------------------------

Date: 07 Feb 90 06:03:18 +0000
From: wcpl_ltd@uhura.cc.rochester.edu (Wing Leung)
Subject: More about WDEF

Can someone tell me: is WDEF an illegal string in the resource code? How about the program called WDEF uploaded in comp.binaries.mac? In fact, I've found some WDEF resource code in system version 6.0.3. Please tell me more about this resource code.

Peter
--
 _   _  ____  ____   _       * Internet: wcpl_ltd@uhura.cc.rochester.edu
(/  / // /  // ) (/          * BITNET  : WCPL_LTD@UORDBV
/ / / // //___/ _/           * DecNet  : UORHEP::PETER
/_/_/ //__/ //  _/\___/      * UUCP    : ...rochester!uhura!wcpl_ltd

------------------------------

Date: Wed, 07 Feb 90 08:59:00 -0500
From: MOSES@urvax.urich.edu
Subject: WDEF Virus (Mac)

I have been away from my office and my Macintosh network for three months, and when I come back and read my BITNET messages I see there is a new virus called WDEF. Can I get some info on this? What virus detectors can I use to check out my network? How can it be eradicated? What are its characteristics? Please send your response directly to me. Thanks a bunch.

Salonge Crenshaw
University of Richmond
Richmond, VA 23173
Bitnet: Moses@URvax
Phone : 804-289-8861

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
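The V-847 post in this digest describes a prepending .COM infector: 847 bytes added in front of every victim, a generation counter kept in that head, and a fixed "Program sick error" message. The Python below is an added example (not from the digest or any of its posters) of how a cluster manager could triage a directory from that description alone: .COM files whose first 847 bytes are near-identical to another file's (a few bytes are allowed to differ, since the generation counter's offset is not given) or contain the quoted message are flagged, and a flagged file is restored by dropping the head. The sample files, the fake head (filler plus the marker string, not virus code) and the MAX_DIFF tolerance are constructed assumptions.

```python
import os
import tempfile
from itertools import combinations

V847_LEN = 847                   # size increase reported in the digest
MARKER = b"Program sick error"   # start of the message quoted in the digest
MAX_DIFF = 4                     # assumed tolerance: bytes that may differ (generation counter) between two infected heads

def _read_head(path):
    with open(path, "rb") as f:
        return f.read(V847_LEN)

def _near_identical(a, b):
    # Full-length heads differing in at most MAX_DIFF bytes came from the same prepended stub.
    if len(a) != V847_LEN or len(b) != V847_LEN:
        return False
    return sum(x != y for x, y in zip(a, b)) <= MAX_DIFF

def scan_dir(directory):
    """Flag .COM files whose head carries the marker or matches another file's head."""
    heads = {n: _read_head(os.path.join(directory, n))
             for n in sorted(os.listdir(directory)) if n.lower().endswith(".com")}
    shared = dict.fromkeys(heads, False)
    for a, b in combinations(heads, 2):
        if _near_identical(heads[a], heads[b]):
            shared[a] = shared[b] = True
    return {n: {"marker": MARKER in h, "shared_head": shared[n],
                "suspect": MARKER in h or shared[n]} for n, h in heads.items()}

def disinfect_file(path):
    """A prepending infector leaves the original intact behind its head: drop the head."""
    with open(path, "rb") as f:
        return f.read()[V847_LEN:]

def build_sample_dir():
    """Constructed fixture: two files behind a fake 847-byte head, one clean. Returns (dir, originals)."""
    originals = {"EDIT.COM": b"\xb4\x4c\xcd\x21" * 30,   # constructed byte strings, not real programs
                 "HELLO.COM": b"\xb4\x09" + b"x" * 50,
                 "CLEAN.COM": b"\xb4\x4c\xcd\x21"}
    def fake_head(generation):
        # filler + marker + generation byte, padded to 847 bytes; NOT the virus
        return (b"\x90" * 800 + MARKER + bytes([generation])).ljust(V847_LEN, b"\x00")
    heads = {"EDIT.COM": fake_head(5), "HELLO.COM": fake_head(6), "CLEAN.COM": b""}
    d = tempfile.mkdtemp()
    for name, body in originals.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(heads[name] + body)
    return d, originals
```

Only write back a disinfected file after comparing the surviving sizes against a known-clean copy; the digest notes the mutations are 345 and 299 bytes long, so a fixed 847-byte cut is wrong for them.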