VIRUS-L Digest Tuesday, 20 Feb 1990 Volume 3 : Issue 45 Today's Topics: Upcoming Virus Conference BRAIN, OHIO, SCANV57 (PC) The 1559 virus (PC) Disinfectant 1.6 (Mac) Re: Many WDEF reports (Mac) Mosaic and FontFinder Trojans (MAC) -- Update #2 Re: UNIX discussions? McAfee's SCAN makes National News in Canada Re: The AIDS "Trojan" is a Copy Protection System Re: Identification strings Re: There is no Ultimate Anti-Viral Solution! Government Newsletter Re: CMOS viruses? Nonsense! (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk --------------------------------------------------------------------------- Date: Fri, 16 Feb 90 12:34:00 -0500 From: David@DOCKMASTER.NCSC.MIL Subject: Upcoming Virus Conference The 3rd Annual Computer Virus Clinic will be held on March 14-15 (Wednesday-Thursday) at the World Trade Center in New York City. VIRUS-L followers may be interested to note that V-L moderator, Ken van Wyk, will be one of speakers, along with such other virological luminaries as Drs. Harold J. Highland and Fred Cohen. The sponsor is the DPMA Financial Industries Chapter. Information is available via (800)835-2246 (voice!), or by mail to Box 894 Wall Street Station New York, NY 10268 I understand 8 or so products will be shown, for those who like to see the way things work, and there will be a reception at Windows on the World after the sessions the first day. There will be two session "tracks," nominally Management and Technical (from what I've heard, these names are misleading), and while the sessions will be more PC than MAC oriented (when such a distinction applies; for example, the "How Do You Test an Anti-Virus Product?" talk will cite DOS features and program tools), MAC areas will be receiving adequate treatment. In spite of one speaker known for his views that viruses are a fad, and some speaker/topic pairs that seem to be at every virus conference (and who will therefore sound very familiar to those who regularly go to these things), it seems to be a potentially interesting meeting, more so because of the potential of an open panel discussion (panelists as yet unspecified) scheduled for the second day. All "facts" above I have only heard from the man setting up the conference; I've seen nothing in writing. The 800 number should yield yield more current information (and, I presume, information on travel, lodging, etc.). ------------------------------ Date: Fri, 16 Feb 90 10:35:39 -0500 From: Mike Kapfer TSG Subject: BRAIN, OHIO, SCANV57 (PC) Last night we discovered the Brain virus in one of our student labs. As a precautionary measure, we now require that all students get their diskettes certified by Computer Services before using them in our labs. While scanning these disks, we have also discovered the OHIO virus. Now, for the clincher. If the virus is active (The Brain virus), SCANV57 will NOT discover it when it does it's memory check. Nor will it discover it in the BOOT sector of the infected diskette. When the machine is booted from a "clean" floppy, SCANV57 identifies the virus. My question is: what is the point in scanning memory for a virus if it will not pick up an active virus? Michael Kapfer: Old Dominion University: Norfolk, VA: USA: (804) 683-3189 ------------------------------ Date: 16 Feb 90 19:51:00 +0700 From: T762102@DM0LRZ01.BITNET Subject: The 1559 virus (PC) Hi! Recently, the subscribers of VALERT-L received an uuencoded file which (as the sender said) was infected with a new virus. Of course, sending an infected file to a public (and non-moderated) forum is a big mistake, but I won't emphasize this here. [Ed. Absolutely agreed, and the sender has been told of his error. Unfortunately, most of the copies had already been sent out by then...] Personally, I received at least 3 more messages, which warned me that I *have* to delete this file and not to uudecode it. However, since I'm an antivirus researcher, I couldn't resist to the temptation and "test" the virus --- of course in a "safe" environment. It turned out that the environment was too safe... I worked on a computer with physically disabled hard disk. I booted from a floppy, containing only the operating system (PC-DOS 3.30), the infected file, MAPMEM (a public-domain utility) and ANTI4US --- an interrupt monitoring program --- much like FluShot+ but with much worse interface. I started the interrupt monitor and executed the infected file. Then I executed MAPMEM. I wanted to (1) see if the virus can be "seen" in memory with this utility and (2) confirm that the infected file is "infective" i.e., contains really a virus. Of course, MAPMEM didn't saw the beast. Then I cold-rebooted from a new clear and write-protected diskette and inspected the MAPMEM.COM file. Well, it wasn't infected at all! I decided that I have received a damaged file and sent a message to the author to send me a new file, consisting only of NOPs, infected with the virus. He did so. Further investigations showed that: - If I load ANTI4US and then run an infected program, the damn thing does not spread --- it ever does not try to infect files. - However, if I first run an infected program and then ANTI4US, the beast tries to spread (which is detected by ANTI4US) --- and of course infects ANTI4US. At that point I was convinced that it is really a virus. Now I'm trying to disassemble it and to write an antidote. Here is what I know for the moment (without any warrant!): - The virus is memory resident. It installs itself in the memory at address 9800:0000. I couldn't find where (and if) it checks for the memory size. - The virus is 1554 bytes long, but may add more bytes (up to 1569 I think) to the infected files. - Files are infected when they are executed (*not* when copied). - Both *.COM and *.EXE files can be infected. - COMMAND.COM can be infected --- if it is executed. - Files are infected only once. - The ReadOnly attribute won't help (you already guessed this :-) ). - The virus has its own critical error handler. Therefore an attempt to infect a file on a write-protected diskette won't display the usual "Abort, Retry, Ignore? " message. - The size of the infected files is such that always (SIZE mod 16 == 2). - Only *.COM files greater than 1000 bytes will be infected. I couldn't find if there is a limit for the *.EXE ones. - The first 32 bytes of the *.COM files are overwritten. The original 32 bytes can be found at offset [14,15]*16+1015 from the beginning of the file. Here [14,15] means the contents of the word at offset 14 (decimal) from the beginning of the file. I'm still trying to find how the virus infects *.EXE files. DAMAGE: - The virus intercepts the WRITE function call (AH == 40h) of INT 21h. If the month of the current date is 9 or greater, and if the write is on file handle > 4 (i.e., it is a "true" file, not stdin/out/err/aux/prn), then the address of the memory chunk which has to be written, is increased by 0Ah. This leads to garbage being written. I haven't finished my work with this virus, but it's getting late and I have to leave. Therefore, I decided to post what I know. Please, if anyone knows more about this virus, send info to the forum too. [Ed. As already noted, SCAN v 58 has been modified to detect this virus.] Vesselin Bontchev (a Bulgarian antivirus researcher) ------------------------------ Date: Fri, 16 Feb 90 14:52:38 -0500 From: (Eric Rowan) Subject: Disinfectant 1.6 (Mac) I realize that Mr. John Norstad just released Disinfectant 1.6 and has again announced that Disinfectant 2.0 is forthcoming, but has he or his colleagues announced WHEN we can anticipate its release? I'msure everybody is working hard on releasing it quickly, but I'm just wondering what the timetable is. I also wanted to publically thank Mr. Norstad and his associates for creating Disinfectant, for making it free, and for keeping it up-to-date. For all of that and more...THANKS! Eric Rowan Southern Illinois University at Carbondale Computer Learning Center 1 Faner 1027 Carbondale, IL 62901 *USA* ------------------------------ Date: 16 Feb 90 19:57:20 +0000 From: "David N. Schlesinger" Subject: Re: Many WDEF reports (Mac) CHESS@YKTVMV.BITNET (David.M..Chess) writes: > Curious as to why we're seeing all these WDEF reports, and not similar > numbers of reports of other widespread viruses. Has it just become a > tradition to report WDEF on VIRUS-L, or is WDEF better at spreading? > If the latter, does anyone have a good feeling for what about WDEF > makes it so (um) virulent? DC I believe that one of the reasons for the swift spread of WDEF is that it doesn't require the Launch of a program to infect a target system. WDEF spreads simply by inserting an infected disk into an uninfected machine (clever bit of design work there, actually...) Also, WDEF is not recognized by much of the current generation of "Virus Protection" software, e.g. SAM (versions prior to 1.4), Virex (versions prior to 2.3), etc. Many people seem to have the impression that once they've installed any version of a virus catcher, they're protected for life... =========================================================================== David N. Schlesinger || "There's a word for it: words don't The Wollongong Group || mean a thing. There's a name for it; Internet: Lefty@twg.com || names make all the difference in the POTS: 415/962-7219 || world..." -- David Byrne =========================================================================== ------------------------------ Date: Fri, 16 Feb 90 17:11:42 -0700 From: Peter Johnston Subject: Mosaic and FontFinder Trojans (MAC) -- Update #2 10 Feb 1990, the trigger date for these trojans, has come and gone. I have heard no reports of further attacks by either of these trojans. These nasties would appear to be fairly localized based on the lack of additional attacks. But the speed with which the warning was spread and the general lack of panic suggests that we have a very effective tool with which to combat these electronic vandals. I think that everyone who helped relay the warnings (and from the comments and queries I received, the warning was truly spread worldwide) deserves a hearty "Well Done". My thanks to all those who assisted and "passed the word". If you hear of any future sightings or attacks from either of these trojans, I would appreciate it if you would contact me directly... - - - - - - - - - - - - - - - - - - - - - - - - - - Peter Johnston, Senior Analyst, University Computing Systems, 352 - GenSvcBldg, The University of Alberta, Edmonton, Alberta, CANADA T6G 2H1 Voice: 403/492-2462 EMAIL: USERGOLD@UALTAMTS.BITNET FAX: 403/492-7219 - - - - - - - - - - - - - - - - - - - - - - - - - - ------------------------------ Date: Fri, 16 Feb 90 20:20:15 +0000 From: peter@ficc.uu.net (Peter da Silva) Subject: Re: UNIX discussions? There is a UNIX security list that discusses the subject of security holes in UNIX. Mail to security-request@uninet.cpd.com for more information. [Ed. I also invite more UNIX discussions here on VIRUS-L/comp.virus.] _--_|\ Peter da Silva. +1 713 274 5180. . / \ \_.--._/ Xenix Support -- it's not just a job, it's an adventure! v "Have you hugged your wolf today?" `-_-' ------------------------------ Date: Fri, 16 Feb 90 23:38:42 -0500 From: Peter Jaspers-Fayer Subject: McAfee's SCAN makes National News in Canada Seems Parliament hill was hit by the Stoned virus today. News clip showed someone at a PC, voice over "All computers are now being regularly scanned", and what should pop up on the screen but the "No viruses found ...etc" that McAfee's SCAN program displays when done. Sadly, no credit was given in the broadcast. /PJ SofPJF@VM.UoGuelph.Ca ------------------------------- Computers are not intelligent. They only think they are. ------------------------------ Date: Fri, 16 Feb 90 06:38:05 +0000 From: wolves.uucp!ggw@duke.cs.duke.edu (Gregory G. Woodbury) Subject: Re: The AIDS "Trojan" is a Copy Protection System munnari!mqccsunc.mqcc.mq.oz.au!ifarqhar@uunet.UU.NET (Ian Farquhar) writes: > [much tedious commentary from the "license" deleted] >This is not a trojan: it is a COPY PROTECTION SYSTEM. The >consequences of using the program without paying are quite adequately >laid out in the license, which apparently has not been read. It warns >quite clearly that: >a) You should not install this program unless you are going to > pay for it. With *NO VALID ADDRESS* to send the "license fee" to? And with no way of having the program be informed that the fee has been paid? >b) The program contains mechanisms that will ensure that the > terms of this license agreement will be followed. At a *random* interval, without providing any means of checking to see if a validation (obtained by paying the "license fee") exists? >c) That these mechanisms will affect other programs on the hard > disk. Yeah, by blowing away the whole system! >I am led to make the following conclusions: >1. That all of the users who were adversely affected by this > supposed trojan either (a) did not read the license > agreement for the program which they were installing, or (b) > they read it and ignored it. Either way, they must accept > the consequences. The installation instructions first step > tells you to read the agreement on the reverse of the sheet. Several companies sent off the license fee *AS DIRECTED*, They waited several weeks for a response, and getting none, decided to use the programs - 'cause they *DID* pay the "license fee" --- it still blew away their computers! >2. That the people who have been harping on at length about > this trojan did not bother to read the license agreement > either. I am left wondering if the "excitement" of this > horrible "trojan" prevented them using some elementary logic > to ask if the program may be something else. Incorrect - several did read the "license" and abide by its terms -- the creator of the program did not abide by his (implied) end of the deal by insuring that the program *ONCE PAID FOR* would not harm the users system.... >3. PC Cyborg laid out the consequences quite plainly in the > license agreement. It is a debatable point whether PC > Cyborg would have sent the "defusing" program for the time > bomb that this program installs, though the US invasion > would have defeated any attempt to do this (the invasion was > doubtless more illegal than this program). Also Incorrect! The US Intervention in Panama did not disrupt the mail system nearly as much as it did other aspects of life in that place (btw - political commentary should be sent to talk.politics.misc ;-). There is no evidence that there was ANY ATTEMPT to collect the fees sent to that address, nor is there any evidence that there is/was an authorizor program to provide validation of the payment of the "license fee" >4. That the people hurriedly disassembling the program actually > committed a breach of the license agreement, and are liable > for legal action from PC Cyborg. Equally, copying of this > program is as illegal and is as much piracy as copying any > commercial program. In as much as there is *NO LEGAL ENTITY* as PC Cyborg, there is NO LICENSE. A license is a contract. There must be two legally valid parties to a valid contract. There is no "PC Cyborg" in a legal sense, therefore, there is no binding license. >I am stunned at the sheer volume of pointless garbage that this >program has generated, and it makes me seriously doubt any other >information received from these "experts". I would also point out >that self-destructing programs are not new, but one has never caused >such an outcry before. I fail to comprehend your characterization of the posting on this issue as "garbage". Given the points that I made above in relation to your particular thesis, I would be interested in knowing if you have changed your opinion given the new information. >If the author of this program is convicted, it will be the first >conviction ever for the hidious crime of writing a copy protection >system, and will be one of the biggest farces of justice ever >witnessed. Copy protection scheme? Please be realistic here, to me it is obvious that this is a blatant case of electronic/software terrorism. - -- Gregory G. Woodbury Sysop/owner Wolves Den UNIX BBS (919 493 7111), Durham NC (also) System Programmer/Manager Center for Demographic Studies, Duke University UUCP: ...dukcds!wolves!ggw ...dukeac!wolves!ggw [use the maps!] Domain: ggw@cds.duke.edu ggw@ac.duke.edu ggw%wolves@ac.duke.edu [The line eater is a boojum snark! ] ------------------------------ Date: 18 Feb 90 15:36:19 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Identification strings T762102@DM0LRZ01.BITNET writes: >And what if virus-scanning programs are written in such way that they >search the identification string only in the place it has to be --- >not in the whole file? Well, some anti-virus programs do this. In general they are faster than other programs, but when a new variant of a virus appears, they are unable to detect it. But you are right - at least they would not report other anti-virus programs as infected. - -- Fridrik Skulason - University of Iceland, Computing Services. frisk@rhi.hi.is Technical Editor, Virus Bulletin (UK). ------------------------------ Date: 18 Feb 90 15:32:21 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: There is no Ultimate Anti-Viral Solution! eachus@aries.mitre.org (Robert I. Eachus) writes: >infeasible. The third group is problems which have been proven >insoluble using any type of solution, imaginable or otherwise. This >group includes problems like the Post Correspondence Problem, the >Halting problem, and universal virus detectors. Here we go again.... The Halting Problem and UVD problem are indeed unsolvable on a Turing machine, but they are theoretically (but not in practice) solvable on a "real-vorld" computer. There are some limitations, however - the machine needed to solve the problem must be many orders of magnitude larger than the machine the program is running on. - -- Fridrik Skulason - University of Iceland, Computing Services. frisk@rhi.hi.is Technical Editor, Virus Bulletin (UK). ------------------------------ Date: Sun, 18 Feb 90 20:54:28 -0500 From: woodb!scsmo1!don@cs.UMD.EDU Subject: Government Newsletter Call for Government Employees for a Government On-line Newsletter. I am currently making a list of government employees who are interested in contributing and to receiving an on-line newsletter. This will be an informal unofficial newsletter to discuss problems and solutions within government computing. Some of the issues I wish to include as topics are: FTS2000 Computer Security GSA FOCUS contract.. AFCAC contract... Other Government contracts... Where to find computer 'deals' Virus breakouts and how to stop them. Chat from vendors... Hardware/software problems - solutions. TCP/IP logins and where to find needed files. Also for those who do not have TCP/IP maybe we can setup a re-distributor system. Interviews with AT&T and other computer experts. etc.. This is open to all Government employees of any and all systems and OSs. Because this is on-line there will be no 'paper' mailings due to cost. If interested contact me at: Don Ingli USDA/SCS FTS 276-5344 314 875-5344 Remember that this is unofficial and is done on my own time.... Also, no sensitive material will be published or accepted. - -- DON INGLI-United States Department of Agriculture - Soil Conservation Service INTERNET: scsmo1!don@uunet.uu.net PHONEnet: 314!875!5344 UUCP(short): uunet!scsmo1!don UUCP(long): uunet!mimsy!woodb!scsmo1!don These are my opinions. I represent myself. Who do you think you are, Bjorn Nitmo? David Letterman '90 Catch Phrase ------------------------------ Date: 19 Feb 90 02:04:46 +0000 From: rpp386.cactus.org!woody@cs.utexas.edu (Woodrow Baker) Subject: Re: CMOS viruses? Nonsense! (PC) T762102@DM0LRZ01.BITNET writes: > >this one lives in the setup-memory (CMOS) that was backed up by the > >computer battery. All the infected diskette can be reformatted and can > >plausible and that's why I decided to hear from experts' opinion on > >the net. Since today's AT usually uses CMOS memory, this looks a > >serious problem. > > Nonsense! There are only 64 bytes there and only the half of them are > not used (these at offsets 11h, 13h, 1Bh-2Dh, 34h-3Fh). And even if > someone is smart enough to write such a small virus (which I claim to > be also impossible on 80x86 based computer), these bytes are not > directly addressable. This means that you cannot *execute* the code > which resides in them. You have prior to extract it (using some IN and > OUT instructions). But the code, which will be able to do this *ought* > to reside somewhere else. True and false. You would have to extract them with in/out instructions BUT, you could store some code there, enough to do damage, say a jump to format a track....It is small enough, or perhaps a decryption routine, like the 8 code wonder in the 4096 virus, or.... BTW, did you know that you can download code from the KEYBOARD? IBM uses it apparently to generate some test code, and squirt it into memory. Now, granted, one would have to burn the nasty into rom in the keyboard, but some one could convievably do that at the factory. I think that the POS queries the keyboard, I'd have to go back and look at the tech ref manual. It might even be possible, to dissasemble the keyboard roms and find some backdoor that you could use to store code. Not much use, but has at least the potential of the cmos chip... Cheers Woody ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253