VIRUS-L Digest   Thursday, 15 Feb 1990    Volume 3 : Issue 43

Today's Topics:

Re: The ethics of virus eradication
Re: Many WDEF reports (Mac)
Strange Macintosh Beeps (Mac)
Algorithms
WDef hits Carleton
Undetectable Virus (Mac)
Re: The AIDS "Trojan" is a Copy Protection System
Re: Forwarded: Re: *UNCONFIRMED* PC virus
Dr. Popp
Universal Virus Detector
New virus in Canada??? (Mac)
UNIX discussions?
Re: Many WDEF reports (Mac)
Virus Buster (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list. Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.

   - Ken van Wyk

---------------------------------------------------------------------------

Date:    14 Feb 90 20:06:52 +0000
From:    jalden@eleazar.dartmouth.edu (Joshua M. Alden)
Subject: Re: The ethics of virus eradication

FEDERMAN@IPFWCVAX.BITNET writes:
>This week (Feb 5th-9th, 1990) marked the first occurrence of PC
>computer viruses on our campus. First our Library received the census
>disk, which we were warned of, and secondly a faculty member was
>infected by Jerusalem B. I was able to clean up this system with some
>effort in about an hour. This was the last thing I did on Thursday
>afternoon. On Friday, I posted mail to all campus mainframe account
>holders (most of our campus users since our PC network is just in the
>beginning phase) about the two incidents, and how to avoid virus
>infections. In this E-mail message, I was particularly careful not to
>mention the name or department of the faculty member involved.
>
>Well, that didn't work. The faculty member was extremely angry about
>the E-mail message. I did mention the type of program that was the
>supposed virus vector. He contended that anyone on campus would figure
>out his identity from the type of program (fractals), since he was
>teaching a continuing course on the subject. I won't go into the
>details of the venom that was directed my way.
>
>My questions are these - what should I have done? Kept the infection
>secret? Are computer viruses a Social Disease? Are we physicians who
>are supposed to swear some form of Computerized Hippocratic Oath of
>confidentiality? Or, do we paint a Scarlet-V on the heads (or
>terminals) of those unfortunate (careless enough) to become infected?
>I would like to hear of similar experiences and policies enacted to
>deal with virus infections.

Alan -

It sounds to me as though you did exactly the right thing. Taking
reasonable care not to reveal who was affected by the virus was a
responsible action. So was informing as many people as possible of the
incident in order to prevent any more damage. I don't know how you
phrased the e-mail message, but my guess is that you did not insult the
faculty member, nor imply awful things about his character. Why he was
upset I really can't imagine; most of us have been infected at one point
or another, whether through carelessness, lack of knowledge, or
whatever. Having been hit with a computer virus certainly shouldn't be
cause for ostracism or any other sort of punitive behavior.
Furthermore, unless that fractals program was a very specific one, I
doubt that it pointed to him any more specifically than any other
program that generates weird graphic output. In high school, a friend
of mine and I used to generate pretty color designs on his PC using a
Mandelbrot program.

I wouldn't worry about it too much, unless the professor continues to
give you trouble about it. Education is the key in the anti-viral
world, as it is in any situation involving an epidemic.
Trying to conceal outbreaks, especially when the worst result is
embarrassment, is foolish.

- -Josh.

/--------------------------------------------------+-------------------------\
|Josh Alden, Consultant, Kiewit Computation Center | HB 48, Dartmouth College|
| Private mail: Joshua.Alden@dartmouth.edu         | Hanover, NH 03755       |
| Virus mail: Virus.Info@dartmouth.edu             | (802) 295-9073          |

------------------------------

Date:    Wed, 14 Feb 90 12:16:31 -0600
From:    John Norstad
Subject: Re: Many WDEF reports (Mac)

CHESS@YKTVMV.BITNET (David.M..Chess) writes:

> Curious as to why we're seeing all these WDEF reports, and not similar
> numbers of reports of other widespread viruses. Has it just become a
> tradition to report WDEF on VIRUS-L, or is WDEF better at spreading?
> If the latter, does anyone have a good feeling for what about WDEF
> makes it so (um) virulent? DC

WDEF now appears to be the most widespread of all the Mac viruses - more
widespread than even nVIR A and B. I don't know why. I do know that by
the time it was discovered in early December of 1989, it had already
spread very widely. We clearly didn't catch it until it had been around
for quite some time.

One reason for not being detected earlier is almost certainly that WDEF
contained special code to get past all but one of the popular virus
protection INITs. All of these INITs have since been improved to catch
WDEF, but when it first began to spread only AntiToxin would catch it -
it got past Vaccine, GateKeeper, SAM Intercept, and the Virex INIT.

This is a problem with the general-purpose suspicious activity monitor
virus protection INITs on the Mac - with enough effort a new virus can
evade their protection measures. A properly used checksumming system is
clearly the most reliable way to catch new viruses. This topic has been
beaten to death on virus-l. The problem with such systems is convincing
users to make use of them.

WDEF is also clearly one of the most buggy Mac viruses. It doesn't
attempt to do any damage on purpose, but it does contain bugs which can
and do cause almost anything to go wrong with the proper functioning of
Macintoshes. We've seen everything from problems with the proper display
of font styles to trashed disks.

I don't think it's necessary for everybody to report every sighting of
WDEF here on VIRUS-L. I gave up trying to keep track of all the
sightings a long time ago - it's everywhere.

It's also interesting that WDEF appears to be much more widespread
outside the university environment than any of the previous Mac
viruses. The so-called "serious business community" (as if universities
somehow don't count in capitalist America) is getting hit hard. Perhaps
the silver lining in this very dark cloud will be an increased awareness
of the problem among the public, and perhaps people will even finally
start to take measures to protect their machines.

The Mac anti-viral community did an excellent job of combatting WDEF.
Within two days of the discovery of the virus we had disassembled and
analyzed the virus and informed the public with accurate, complete
information. Within a week there were tools available for detecting and
eliminating the virus. Within two weeks there were tools available that
actually worked properly :-). We have established a very effective group
on the Internet of anti-viral tool authors (commercial, shareware, and
freeware) and other experts which goes into high gear whenever a new
virus, Trojan, or other kind of destructive Mac software appears.

John Norstad (author of Disinfectant)
Northwestern University
jln@acns.nwu.edu

------------------------------

Date:    Wed, 14 Feb 90 16:07:15 -0500
From:    dmg@lid.mitre.org (David Gursky)
Subject: Strange Macintosh Beeps (Mac)

If you do not have Macintalk in your System Folder, the nVIR virus will
cause the Mac to beep (or make whatever sound is selected as the System
Beep) on a periodic basis. The period is well defined, but I do not know
it.
If Macintalk is installed, the Mac will speak "Don't worry". WDEF does
not make any noises.

------------------------------

Date:    Wed, 14 Feb 90 14:25:36 -0500
From:    David_Conrad%Wayne-MTS@um.cc.umich.edu
Subject: Algorithms

Could someone provide a bibliography on the subject of data verification
algorithms (CRC, MD4, ...)? Reply to me or the list. Assume access to
good public and university libraries.

Thank you,
David R. Conrad
BITNET: David_Conrad%Wayne-MTS@um.cc.umich.edu
"You cannot propel yourself forward by patting yourself on the back."

------------------------------

Date:    Wed, 14 Feb 90 15:37:00 -0600
From:    "Paul Duckenfield (Consultant, User Services)"
Subject: WDef hits Carleton

For the past four or five months, the Carleton College Micro Lab has
been plagued by inexplicable crashes. In the past month, the crashes
have escalated in volume to as many as four or five a day.

Here is our configuration-

Macintosh IIcx file server
   o 2 MB RAM
   o twin 40MB HD's (one internal, one external, both Apple)
   o AppleShare v2.0.1

22 Macintosh Pluses in a Lab (LocalTalk)
   o 2.5MB RAM
   o Running RAM disks

8 Macintosh Pluses in a remote lab (served by TOPS Repeater)
   o same as above

10 Staff Macs scattered throughout offices
   o various types (CX, Plus, SEHD)

All running System 6.0.3 (except CX's which run 6.0.4)

Sometimes we run the Apple Print Spooler, but sometimes we have trouble
with that.

Symptoms:
   o Print Spooler crashes 15 minutes before server (that is why we
     don't always use it)
   o Internal HD light on server turns on and stays on
   o Everyone gets the "watch" when they attempt to access the server
     and it never goes away
   o restarting the IIcx and the workstations temporarily solves the
     problem (until the next crash!)

What we did:

Reformatted the HD from scratch and reinstalled software. The server
still crashed. Then we ran Disinfectant v1.6. It told us that the
server was infected with WDef. We removed WDef. Problems began appearing
a few days later, same as before.
Again we checked for WDef, but it wasn't there. A few days later, it
reappeared (it is possible that it accidentally found its way in through
a server administration disk). Finally, we killed the DESKTOP file to
prevent WDEF from having a refuge of any sort. This appears to have
worked, for there haven't been any crashes in a while.

Conclusions-
   o WDef is never "really" eradicated, even when Disinfectant kills it.
     Like pneumonia, it goes away, but lasting damage remains.
   o WDef infections to file servers can be prevented by canning the
     DeskTop file which is unused.
   o WDef is extremely virulent and elusive.

Paul Duckenfield
Micro Consultant
Carleton College User Services
DUCKENFP@CARLETON.EDU

------------------------------

Date:    14 Feb 90 21:58:28 +0000
From:    harvey@nems.dt.navy.mil (Betty Harvey)
Subject: Undetectable Virus (Mac)

I have seen two Macintoshes that have a virus that I can't seem to
recognize. I have run Disinfectant 1.6 because I thought it was the WDEF
virus that I have been reading about, but Disinfectant didn't find
anything abnormal. I have also run several other virus eradicators and
they didn't recognize anything out of the ordinary.

Symptoms: The system file increases in size and the date changes each
time the system is rebooted. One system file was 2 meg long before all
application programs ceased to work. Applications unexpectedly stop. The
system hoses up occasionally when going to the printer.

Is anyone aware of any new viruses or what I might be dealing with? We
had a massive outbreak of Scores and nVir about 1 year ago, but have had
fairly healthy machines since then.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Betty Harvey                                      |
David Taylor Research Center                      |
Office Automation/Microcomputer Support Branch    |
Bethesda, Md. 20084-5000                          |
                                                  | (301)227-4901
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\\/\/

------------------------------

Date:    14 Feb 90 16:49:40 +0000
From:    attcan!ram@uunet.UU.NET (Richard Meesters)
Subject: Re: The AIDS "Trojan" is a Copy Protection System

Interestingly enough, much of the previous discussion that I read on
this topic (and posted on, as well) has little to do with the fact that
a demo version of the software can have a self-destruct mechanism (a
time bomb). However, what we are dealing with here is the fact that this
program does not destroy itself, but rather renders all your programs
and data unusable. In fact, you have no evidence to back up the fact
that even if I did send in the money for the purchase of the program, I
would get the fix back. The fact that the address was an unknown
post-office box in Panama seems to indicate that the whole thing was a
scam.

I agree that if the persons receiving this program had read the notice,
they probably wouldn't have installed the program, but don't confuse
that with justifying the actions taken by the program after
installation.

The issue here is, in my opinion, twofold. First, did the author of this
trojan commit a fraudulent act? And can someone who sends you an
unsolicited copy of a program make you pay for the use of the package?
This was NOT a demo version of the software, from all indications.

Regards,

- ------------------------------------------------------------------------------
Richard A Meesters               |
Technical Support Specialist     |    Insert std.logo here
AT&T Canada                      |
                                 |    "Waste is a terrible thing
ATTMAIL: ....attmail!rmeesters   |     to mind...clean up your act"
UUCP:    ...att!attcan!ram       |
- ------------------------------------------------------------------------------

------------------------------

Date:    15 Feb 90 00:31:53 +0000
From:    kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: Forwarded: Re: *UNCONFIRMED* PC virus

rogers@marlin.nosc.mil (Rollo D. Rogers) writes:
>hi, does anyone else have knowledge/experience with this alleged PC
>virus?
>
>[Ed. As with all such reports, I urge people to NOT BELIEVE this
>without some reliable third party confirmation. We've all seen that
>rumors can be just as time consuming as The Real Thing...]
>
>Forwarded mail follows:
>Date: Tue, 13 Feb 90 14:52:02 -0800
>From: Yong Kim
>Subject: Re: virus
>
>...
>this one lives in the setup-memory (CMOS) that was backed up by the
>computer battery.
>...

Well sorry this one isn't plausible... infectious code will not be using
CMOS to spread from (standalone...) just isn't enough memory in there on
standard AT architectures... on Micro-channel there is enough space...
however the data is simply read or written not executed... (n.b. I have
run into programs which through programming mistakes rendered CMOS data
unusable... but not a virus living in there... caused by poor coding
though, not a virus or trojan)

this one kind of reminds me of the hilarious (at least to myself and
chuck forsberg) MODEM virus SCARE of 1988 (NO IT wasn't and isn't
REAL)...

cheers
kelly

p.s. on microchannel architectures there is adequate unused space in
cmos adapter ram... but another cooperating process would be needed to
read the cmos for the code and place it into main memory as code cannot
be executed in CMOS RAM Buffers...

------------------------------

Date:    Wed, 14 Feb 90 19:26:00 -0500
From:    WHMurray@DOCKMASTER.NCSC.MIL
Subject: Dr. Popp

>Ed: ... did he break any U.S. laws? Will Dr. Popp be
>tried here or in Britain? Just a few thoughts...]

Dr. Popp was arrested in Willowick, OH on an extradition warrant. He is
not charged with any crime in the US. His defense against extradition is
technical, i.e., being treated for a mental problem, not substantive.

[It is a mere coincidence that Dr. Popp and RTM hold degrees from the
same elite institution. Few inferences would be justified.]

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date:    Wed, 14 Feb 90 18:49:00 -0500
From:    "Science:Controlled Paranoia"
Subject: Universal Virus Detector

I agree with Russell McFatter's [russ@alliant.Alliant.com] rules in that
they would work. However, I don't believe it would be successful with
some shareware products, or quick-fixes/patches. Not that any of us
INTENTIONALLY program that way, but at 3 in the morning when a quick
long jump will solve the problem over rewriting an entire 5000 line
module... And as (it would seem) more people contract viruses through
shareware than anything else, the problem is compounded.

I am curious as to why everyone seems to stick to a Universal Virus
Detector that 'detects on the fly.' Wouldn't it be more feasible for a
Universal Virus Detector to act as more of a high-security Operating
System, than a program? Let me elaborate...

Boot up a PC from a clean DOS, then implement this Virus Detection
Operating System (VDOS). VDOS now clamps down on every interrupt, AND
watches for every redirect interrupt command. Then you give it a program
to check. VDOS pseudo-executes the program, checking for every possible
outcome and attempts to write to disk. Any attempt to write to an area
locked out by you constitutes a virus. (Or at least something not
kosher...) Theoretically, so long as the VDOS isn't contaminated, and so
long as you don't add a program that hasn't been checked, you're clean.

The positives for this are
   1. Unhampered program execution.
   2. More control over Virus checking than 'check on the fly'
      detection. (algorithms can be more complex...)

The negatives are
   1. Time to detect. I'm figuring this may take awhile for long
      programs. It may not even be feasible with large menu driven
      programs...
      (DBase IV, and Lotus 1-2-3, for example) to check every possible
      outcome or result... (But if you're willing to wait an hour to
      backup your hard drive, maybe it's worth it?)
   2. Wouldn't defend against viruses that just replicate themselves,
      unless you looked for it specifically.
   3. Of course it's not 100% fool-proof.

Overall though, you could have more complex algorithms than a
virus-scanner, plus more control than a memory resident detector
(flu-shot). But then this was all just a thought, anyway. (Oh, once
you've finished with the program, you then reboot to Normal DOS, with
the knowledge of whether or not you have an infected disk...)

Charles Cafrelli
Bitnet: IAQR100@INDYVAX
Computer Consultant for the IUPUI English Department
Disclaimer: "I don't know what they're saying, and they don't know what
I'm saying."

------------------------------

Date:    Wed, 14 Feb 90 21:37:07 -0700
From:    Ben Goren
Subject: New virus in Canada??? (Mac)

I have heard rumors from people here at Arizona State University that
there is a new Macintosh virus on the loose. I am currently trying to
trace these rumors, and will let the list know when I hear anything. It
is supposed to be intentionally and maliciously destructive, has not yet
made it out of Canada, and "Disinfectant probably won't catch it." (the
person who said that was not an overly experienced Mac user). Let's keep
our fingers crossed that this is just a rumor.

........................................................................
Ben Goren                                              T T T /
Trumpet Performance Major                       )------+-+-+--====*0
Arizona State University                        (   --|-| |---)
Internet: AUBXG%ASUACAD@ASUVM.INRE.ASU.EDU            --+-+-+--
........................................................................

------------------------------

Date:    Thu, 15 Feb 90 04:24:18 +0000
From:    SMSgt Michael L. Shamel
Subject: UNIX discussions?

I have just started monitoring this group and am new to the unix
environment. Has there been any discussion on viruses, trojans, or other
nasty things that unix systems are vulnerable to? I am particularly
interested in how one guards against things sent through the internet
either by regular mail, or some of the UUCP processes. uux seems like a
particularly good candidate for mischief.

If this subject has come up before, please point me in the direction of
the proper archive.

Thanks
Mike Shamel....

------------------------------

Date:    15 Feb 90 01:48:18 +0000
From:    MINICH ROBERT JOHN
Subject: Re: Many WDEF reports (Mac)

CHESS@YKTVMV.BITNET (David.M..Chess) writes:

> Curious as to why we're seeing all these WDEF reports, and not similar
> numbers of reports of other widespread viruses. Has it just become a
> tradition to report WDEF on VIRUS-L, or is WDEF better at spreading?
> If the latter, does anyone have a good feeling for what about WDEF
> makes it so (um) virulent? DC

I don't know about the "tradition" part, but WDEF is easily the most
virulent entity on the Mac, and probably any computer. The only way to
make it spread faster would be to have all the Macs connected together
with zero protection of the desktop files. All it takes is one insertion
of an infected disk, and the unprotected machine gets it. Kind of like
what some weird people used to (still do, perhaps?) think about AIDS
(the human kind.) "Touch someone and you get it."

Robert Minich
minich@a.cs.okstate.edu
Oklahoma State University

------------------------------

Date:    Thu, 15 Feb 90 15:36:24 +0200
From:    Yuval Tal
Subject: Virus Buster (PC)

About a month or so ago, I posted a message about beta testers for the
next version of Virus Buster. Well, a few days after posting this
message, a big software house here in Israel asked Uzi, the second
author, and me whether we would agree to sell Virus Buster to them.
After thinking about it, we've decided to agree and sell Virus Buster to
them. Here I would like to thank all the beta-testers who agreed to test
Virus Buster.
Thank you guys! But now, of course, it would be improper to ask them to
test it. Another version with bug corrections will probably be released
soon, but I can't promise.

Thank you very much,
Yuval Tal

+--------------------------------------------------------------------------+
| BitNet: NYYUVL@WEIZMANN     Domain: NYYUVAL@WEIZMANN.WEIZMANN.AC.IL      |
| InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU                        |
+----------------------+---------------------------------------------------+
| Yuval Tal            | Voice: +972-8-474592 (In Israel: 08-474592)       |
| P.O Box 1462         | BBS: +972-8-421842 * 20:00-7:00 * 2400 * N81      |
| Rehovot, Israel      | FidoNet: 2:403/136 (CoSysop)                      |
+----------------------+---------------------------------------------------+
| "Always look on the bright side of life" *whistle* - Monty Python        |
+--------------------------------------------------------------------------+

------------------------------

End of VIRUS-L Digest
*********************
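The checksumming approach Norstad recommends in this issue (a stored baseline of every file, re-checked later) is what would have flagged the symptom Harvey reports, a System file that grows at each reboot; the script below is an added example, not code from the digest or from any of the tools it names. It is a generic Python baseline-and-verify routine over a directory tree; the file names and contents in `demo()` are constructed for the illustration.

```python
#!/usr/bin/env python3
"""Checksum-based integrity baseline (added example, not from the digest).

A suspicious-activity monitor has to know what a virus does; a baseline
of file digests only has to know what the files looked like when clean,
so any modification, by any mechanism, shows up on the next check.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each path under root (relative) to its size and digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = {"size": os.path.getsize(full),
                             "sha256": file_digest(full)}
    return baseline


def verify(root: str, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline."""
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small 'system folder', then let one
    file grow (like the System file in Harvey's report) and add another."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("System", b"clean system file"),
                           ("Finder", b"clean finder")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        saved = json.dumps(baseline)        # what you would keep on a locked disk
        with open(os.path.join(root, "System"), "ab") as f:
            f.write(b"\x00" * 512)          # simulated growth of the System file
        with open(os.path.join(root, "Desktop"), "wb") as f:
            f.write(b"new resource")        # simulated file that was not there before
        return verify(root, json.loads(saved))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the stored baseline and the checker itself, which is the "properly used" part of Norstad's remark: both belong on write-protected media, read from a clean boot.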