VIRUS-L Digest Thursday, 22 Feb 1990 Volume 3 : Issue 47 Today's Topics: Re: WDEF details (Mac) Re: AIDS Copy Prtection System New Virus turns up at U. of Pa! (Mac) 1813 Virus sighting (PC) Bogus Version of SCANV58 (PC) UVD PC Cybrog Re: Disinfectant 1.6 (Mac) Re: Idea for WDEF Innoculation (Mac) AIDS Trojan (PC) Safety of Boot Disk (PC) Israeli virus strains vs. Novell? (PC) US H.R. 55 VALIDATE.EXE (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk --------------------------------------------------------------------------- Date: Wed, 21 Feb 90 12:35:38 -0500 From: Joe McMahon Subject: Re: WDEF details (Mac) Paul Duckenfield writes: > ... Another problem which we have had to deal with is recurring >system crashes on our AppleShare servers even after the eradication of >WDef. Although WDef if "officially" gone thanks to Disinfectant v1.6, >the servers still seem to crash regularly. It appears that WDef, like >polio can be cured, but it leaves lasting damage. The only solution I >have found is to delete the unused DESKTOP file on all server volumes... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By all means do that. The virus will still write to this file (if you've allowed your client machines access to it) and will be lurking there, waiting for you to boot the server from a floppy. When you do that, the AppleShare Desktop Manager INIT is bypassed and you have a new source of infection. Also, be warned that rebooting from a floppy will cause the Desktop file to be *rebuilt* on the server! You will have to remove it again. Paul also notes/asks: > Incidentily, I have heard reports that it is possible >(although not easy) for someone to rename the WDef virus's resource to >CDef. Potentially this will create another virus, exactly the same as >the first except for the name, which can propogate quickly as well. >Anyone know anything about this? Doubtful. I don't have my handy copy of Inside Mac right here at the moment, but as I recall, the calling sequences are quite different. I believe that there would be trouble (i.e., crash/hang) if you tried it. However, if the viral WDEF does its infections directly, it might be able to spread itself before the crash occurs. I don't think that it would spread as fast as WDEF, because the behavior of the Mac would take such a sudden turn for the worse that almost anyone would become suspicious. Also, if you're running GK Aid or Eradicate'em, you're already protected against anything which looks even remotely executable in the Desktop file. --- Joe M. ------------------------------ Date: Wed, 21 Feb 90 19:27:03 +0000 From: davies@sp20.csrd.uiuc.edu (James R. B. Davies) Subject: Re: AIDS Copy Prtection System Ian Farquhar (munnari!mqccsunc.mqcc.mq.oz.au!ifarqhar@uunet.UU.NET) has posted two notes here recently claiming that the AIDS trojan was a copy protection scheme. This has not been a popular idea among respondents, but they have mostly been addressing themselves to the immorality of trashing someone's hard disk and the lack of the promised remedy after "registration". I think that a more damning feature of the AIDS program is that it would give the victim some "free" reboots if he would carry it to another computer and infect it. While this could be construed by some (like Mr. Farquhar, no doubt) as being analogous to the incentives offered by book clubs for enrolling new members (sign up a friend, get a free book), this to me seems clear evidence that the intent was malign (as if more evidence is really necessary). In particular, the new victims were not necessarily given the benefit of reading the "license agreement" as the original recipient was. In any case, Mr. Farquhar is either being intentionally dense to provoke arguments, or he has some bone to pick with commercial software vendors that use copy protection and hopes to cast them in a negative light by associating them with this scam. I personally don't see any reason why someone who is clearly responsible for this trojan wouldn't get convicted, as the overwhelming evidence is that this was extortion. jrbd ------------------------------ Date: Wed, 21 Feb 90 14:00:00 -0400 From: Michael Greve Subject: New Virus turns up at U. of Pa! (Mac) I think a new MAC virus has turned up here at Penn. A co-worker/student gave me a disk with some papers he wanted laser printed. When I put the disk into my machine Gatekeeper Aid remove a WDEF A virus then I got a message saying "GateKeeper found an "Implied Loader 'INIT'" virus, it has been removed". I'm glad Gatekeeper Aid caught it! I think mention was made of this virus a week ago. Is this a new virus?? What does it do?? Is it spread like WDEF A?? I'm using Gatekeeper Aid 1.0.1. Will/Can Disinfectant 1.6 catch this virus. All these questions.... Michael Greve Univ. of Pa. Wharton Computing greve@wharton.upenn.edu ------------------------------ Date: 21 Feb 90 13:26:56 -0600 From: "Tom Kirke (312) 413-5539" Subject: 1813 Virus sighting (PC) This little fellow has shown up at the University of Illinois at Chicago. Scanres found it on a machine in the public labs in the computer center. Tom Kirke | All standard and non-standard U33515@UICVM.BITNET | disclaimers, declaimers, and claimers U33515@UICVM.CC.UIC.EDU | apply. U33515@UICVM.CC.UIC.EDU@DASNET# We have discovered a *therapy* (NOT a cure) for the common cold, play tuba for an hour. ------------------------------ Date: Wed, 21 Feb 90 13:12:36 -0800 From: Alan_J_Roberts@cup.portal.com Subject: Bogus Version of SCANV58 (PC) This is a forward from John McAfee: ============================================================================ We have received reports of a SCANV58.ZIP file that contains a bogus VALIDATE program. The program is an EXE file (the real validate is a COM file) and is 46,167 bytes long versus 6,485 for the original VALIDATE. There have been reports of system damage from the use of this program and under no circumstances should it be used. The authorized version 58 of scan is 42,977 bytes long, has a creation date of 2-15-90 and the validation checks should be: Method 1: 2F16 and Method 2: 1C57. If you come accross the bogus version and have information about where it came from, then please contact me at 408 988 3832. The bogus validate program appears to be identical to a program uploaded to HomeBase on 2-19-90 by a person usinmg the name Richard Levey. The documentation for the program contained a copyright by Richard Levy, but there was no phone number or any other contact information provided. As you can imagine, we are very anxious to find this person and if anyone has any information then please call. John McAfee 408 988 3832 (voice) 408 970 9727 (FAX) 408 988 4004 (BBS) ------------------------------ Date: Tue, 20 Feb 90 21:17:38 -0500 From: David_Conrad%Wayne-MTS@um.cc.umich.edu Subject: UVD "David.M..Chess" writes: >> VDOS pseudo-executes the program, checking for >> every possible outcome and attempts to write to disk. > >Unlikely to be practical, I'm afraid? For instance, if the program >waits for user input, or looks at the time or date, or reads from a >file (I can't think of -any- program offhand that doesn't sometimes do >at least one of these), the pseudo-executor would have to >pseudo-execute a separate instance of the program for every possible >input/time/data-item. Not likely to finish within the life-expectancy >of the user! A seperate instance for every possible input? Nonsense. All that is required is a seperate instance for every alternative in a conditional structure. Of course, that can still require a large number of instances, and some data will be undefined, so it would be necessary to rule out entire classes of operations where it is unacceptable for some parameters to be unknown (such as direct writes to the disk where the location to be written to is unknown). But many such activities would be 'suspicious' anyway. Another method of verification in which the values of data are unknown and which requires no seperate instances of a program is to examine the code as if all alternatives of a conditional structure are taken. Once again, it is necessary to rule out certain actions when data values are unknown. Remember, however, most instructions are not suspicious even when all parameters are unknown. Also, in conditionals in machine languages there are only two alternatives in a conditional branch (branch or don't!). Still, if one tried to simulate every possible path through any decently large program the number of instance doublings (every time there is a conditional jump you get two possible paths) would quickly eat up memory and it would take a *long* time. But since it isn't necessary to simulate every possible input, I think the simulation would terminate within the average user's lifetime. _________________________________________________________________ David Conrad BITNET: David_Conrad%Wayne-MTS@um.cc.umich.edu "He hates the sight of liquor. That's why he drinks so much. To get it out of sight quickly." ------------------------------ Date: Wed, 21 Feb 90 20:25:09 -0500 From: Kim Dyer <21329KAD@MSU.BITNET> Subject: PC Cybrog I sincerely hope that Ian Farguhar is playing devils advocate. It's scary to think someone is actually DEFENDING acts of electronic terrorism. (Extortion sort of implies you CAN deliver ... you pays your fee and your club doesn't burn down. I've seen no evidence that PC Cyborg could cure/prevent the damage caused by the AIDS disk.) I haven't seen any information yet on whether or not Australia and the European countries the AIDS disk showed up in have laws that protect consumers from unordered merchandise. I know that US laws do not apply ... and I know that no one has said they do. If, however, similar laws do NOT exist elsewhere, I'd sure be getting on my legislators case to enact them quickly. SOMEONE please enlighten us. Perhaps my economic woes are over. If there are no laws protecting Australian citizens from this sort of scam, maybe I can pack up tons of dog hair and mail it to random addresses in Sydney for use as packing materials. Bill at rate of $100 an ounce included ;-). ------------------------------ Date: Wed, 21 Feb 90 16:51:39 -0600 From: John Norstad Subject: Re: Disinfectant 1.6 (Mac) CA6726@SIUCVMB.BITNET writes: > I realize that Mr. John Norstad just released Disinfectant 1.6 > and has again announced that Disinfectant 2.0 is forthcoming, but has > he or his colleagues announced WHEN we can anticipate its release? I wish I knew. It will be at least a few months, probably longer. The big problem is that I keep getting ideas for new features faster than I can implement them. John Norstad Northwestern University jln@acns.nwu.edu ------------------------------ Date: 21 Feb 90 17:51:43 +0000 From: steve@clmqt.marquette.Mi.US (Steve Lasich) Subject: Re: Idea for WDEF Innoculation (Mac) CXT105@PSUVM.PSU.EDU (Christopher Tate) writes: >The big problem with this is that since the WDEF-removal code is itself >a virus, it stands a big chance of causing the same problems as any other >virus -- crashes due to poorly written code. >There have been no viruses written to date for the Macintosh which ^^^^^^^^^^^^^^^^^^^^^^^^^^ >deliberately cause damage to the system (*). All of the problems caused ^^^^^^^^^^^^^^^^^^^ >by existing viruses are in fact the result of bugs in the viruses, which >causes interference with other programs under certain circumstances. >Since the above-mentioned inoculation program would be a virus itself, >it might well cause problems itself. I have seen this assertion made a half dozen times. Can somebody either confirm or deny the report I read in either MacUser or MacWorld (circa October 1988) that there is malicious code in the SCORES virus which is only activated by the presence on a disk volume of files containing certain creator IDs belonging to Electronic Data Systems (EDS), the company which Ross Perot sold to GM? I apologize if this is an old question that has been answered a hundred times already. >(*) Mosaic and Font Finder are not viruses (they do not replicate), but > are instead "trojan horses" -- destructive code hidden within an > innocuous-seeming program. >Christopher Tate | - ---------- Steve Lasich Micro Lab Coordinator steve@clmqt.marquette.mi.us ..rutgers!mailrus!sharkey!clmqt!steve ------------------------------ Date: Wed, 21 Feb 90 16:56:14 -0500 From: David_Conrad%Wayne-MTS@um.cc.umich.edu Subject: AIDS Trojan (PC) munnari!mqccsunc.mqcc.mq.oz.au!ifarqhar@uunet.UU.NET (Ian Farquhar) writes: >...As for the concept of the user having legal control over what was >deleted from his/her hard disk, I cannot see this as a problem. >Multi-user systems have traditionally provided mechanisms for the >superuser to control the user's files with far more privileges >than the users themselves.... So intellectual property may be destroyed by anyone at any time and the owner has no recourse whatsoever? If current laws say this, then it is another failure by those who created our laws to provide adequate protection of intellectual property. The parallel with multi-user systems is flawed, in that in a multi-user system a user *knowingly* grants the superuser certain privileges in exchange for the system being efficiently organized, and *with the understanding that the superuser will *not* abuse those privileges*! What the AIDS program did was most likely illegal, but what's even more important, it was entirely unethical. As to the response here, all I've seen are warnings not to run the program (in light of what it does), and perhaps there was some advice on how to recover files that the program took hostage. Telling people how to recover their legal property is hardly wrong. What I haven't seen are instructions on how to run the AIDS program despite its "copy protection", which would violate the rights of the author. Creating disassembled listings of the program would, unfortunately, violate the author's right to create derivative works, but I see this as a necessary evil in the highly ethical process of attempting to restore the legal property of victims of this program. Ian also writes: >...If I were the defense lawyer with access to this newsgroup, the >first thing that I would have done is to take all of the relevant >articles that have appeared, and present them as evidence >prejudicial to the fair conduct of the trial.... Fine, but you'd have to show that the jury members had read the articles. Ian also writes: >...There also is a strong reluctance to change an opinion in the light >of new evidence, which is very worrying indeed.... Just remember, Ian, you said it! ___________________________________________________________________________ David R. Conrad BITNET: dconrad%wayne-mts@um.cc.umich.edu "Monday is an awful way to spend one seventh of your life." ------------------------------ Date: Wed, 21 Feb 90 17:09:10 -0500 From: David_Conrad%Wayne-MTS@um.cc.umich.edu Subject: Safety of Boot Disk (PC) frisk@rhi.hi.is (Fridrik Skulason) writes: >...the computer is first booted from a non-infected diskette, but >how can one be sure that...the diskette was not infected? At present, of course, the only way is to keep a backup of the operating system release diskettes, and to pray that the makers of the OS are not infected. I hope the major (and minor, for that matter) OS publishers use the very newest and best virus protection softward available. If they don't, then God help us! Perhaps the virus protection people will eventually come out with a bootable (no DOS required) virus checker! _________________________________________________________________________ David R. Conrad BITNET: dconrad%wayne-mts@um.cc.umich.edu Disclaimer: Hey, wait a minute! These aren't my opinions! "If anything can go wrong, then it probably already has." ------------------------------ Date: Thu, 22 Feb 90 10:15:43 -0500 From: RZOTTO%DKNKURZ1.BITNET@CUNYVM.CUNY.EDU Subject: Israeli virus strains vs. Novell? (PC) Good evening, recently, a user of a Novell Network consulted me about my (ancient, even obnsolete, yet popular) VIRCHECK program, which had rendered his network hanging. He declared, that Novell uses Int 21, Function E0, for its internal gearings -- the very same function the "Friday 13th" virus uses for its signalling. My VIRCHECK will check for the presence of TSR "Friday 13th" by invoking this function and looking at the answer. Now I conjecture, that ** the "Friday 13th" will cause Novell Networks to hang every time an infected program is invoked; ** so will probably other Israeli strains do (Y.R. forgive me: I don't know any other, widely recognized, term for them :-) ; ** IMMUNE and similar virus-watchers will probably suspect Novell of being a virus, and alert the user about it; ** VIRCHECK and similar virus-checkers will cause Novell to hang, as well. Has anybody any experiences to share with us, in this respect? (I, for my part, have no Novell running to test my conjectures.) Best wishes Otto Stolz ------------------------------ Date: 21 Feb 90 21:09:37 +0000 From: pyrdc!inco!newman@uunet.UU.NET (Bo Newman) Subject: US H.R. 55 This may be a rehash of an old topic and if it is, I apologize at the start. The FOLLOWING VIEWS ARE IN NO WAY ATTRIBUTABLE TO ANYONE OTHER THAN ME. - ---------- Does anyone know what the status of US H.R. 55 is? H.R. 55 introduced in July of 89, is a follow-up to the 1986 Computer Fraud and Abuse Act. It addresses, in part, computer virus designed with "authorized " assess to computers, or viruses that are not designed to delete files. According to Rep Wally Herger (R-Calif) this bill was supported by a number of computer lobbying groups. What concerns me most was that it was reported that H.R. 55 establishes tough penalties(up to 20 years in prison) for; "knowingly" planing a virus that causes "loss, expense, or risk to the health or welfare" of an individual or a company. This would seem to open the provider/installer of any software at risk of libel. Software has bugs, like it or not. (Also remember that in layman's vernacular the common cold is caused by a bug/virus without much distinction) If the presence of a "bug" results in a "potential" risk to the health or welfare(?) of an (individual or) company you as the provider/installer could find yourself facing 20 years in jail. If this is the case, the liability insurance problem faced by the medical profession will be nothing compared to what the software industry will face. With the way the federal Racketeer Influenced and Corrupt Organizations Act (RICO) has been used in civil court, it is very hard to bank on "intention of congress" when it comes to the way a law will be applied. RICO was designed as a weapon to protect legitimate business from organized crime. But civil claims have been filed under it in cases of bank fore-closures on real estate, between doctors and hospitals over staff privileges, to cases between warring spouses in divorce cases and child custody battles. The parallels for misuse of the provisions of H.R. 55 seem too obvious. You have just converted your companies market information system to a new Relational Database product that contains a bug. Because of that bug you are unable to retrieve key marketing information and as a result the "well being" (market position) of your company is now "at risk." Will this be grounds for prosecution or a civil suit? Before you answer, consider the RICO situation. When RICO was enacted it was mostly ignored, as was the 1986 Computer Fraud and Abuse Act until the Morris case). But around 1980, plaintiffs' lawyer started seeing the potential for applying RICO to individuals other than typical racketeers. The number of civil RICO cases increased eightfold for the early 1970s to the mid sixties. The increased cost for defending against litigation brought under RICO and the costs of higher insurance premiums end up coming out of the consumers pocket. If the same situation develops as a result of law based on H.R. 55 the impacts could be felt in almost every sector of the economy. But then for those brave soles who are still willing to face the risks of the lawyers, writing software may become a vveerryy well paying profession. =================================================================== :Bo Newman newman@inco.uu.net uunet!inco!newman : - ------------------------------------------------------------------- : ALL STANDARD DISCLAIMERS APPLY AND THEN SOME : =================================================================== ------------------------------ Date: Wed, 21 Feb 90 19:29:00 -0500 From: IA88000 Subject: VALIDATE.EXE (PC) Last night someone upload scanv58.zip to my bbs which contained a different version of validate by another author. The program clearly states the author's name and the documentation clearly indicates it was not written by McAfee and Associates. I carefully unzipped the files and checked them all for virus and/or trojan infections. THERE WERE NO VIRUS REPORTED! Just to be safe, I used SOURCER to check VALIDATE and there were NO suspicious or dangerous routines in the program. It does exactly what it claims to do, that is it opens a file, reads the file a block at a time, and generates four CRC's for the file. I ran it and it runs fine. Absolutely no problem whatsoever!In fact it seems to be slightly faster than McAfee's validate.com and it generates four CRC's instead of two.In the documentation the author claims to use proprietary forumlas for generating the CRC's. Today, I get a message in VALERT about this program. According to Mr. McAfee, it is bogus and supposedly damaging systems. Nothing could be further from the truth! The VALIDATE.EXE does one thing which it is obvious Mr. McAfee does not like. That is (in my opinion) that it leaves his version of validate in the dust. Mr. McAfee negelected to mention that in the documentation it appears there is a question as to who owns the rights to the name VALIDATE. I called HOMEBASE and downloaded the real scanv58 and with the exception of the different validate.doc and validate.com found the other files to be exactly IDENTICAL. This being the case it seems to me that Mr. McAfee is complaining over nothing. The version of SCAN is correct and is not damaged or changed in any way. It seems to me that the author just deleted Mr. McAfee's version of validate and included his own in the archive file. It appears no changes were made to SCAN and as such I don't see what McAfee is complaining about, unless he is attempting to claim a copyright on the contents and/or makeup of the scanv58 archive file? The only thing bogus about this whole matter is the fact that McAfee sent out a VALERT notice about it. Especially since he claims that validate was uploaded to HOMEBASE several days ago and he had plenty of time (so it appears) to make comments before this. In my opinion the author of validate has done the community a favor by replacing the program in the archive file with one that appears to do a better job. As far as the program names are concerned, so what? I checked over five different copies of McAfees validate and none of them mention that he has a trademark on the name validate. The validate.exe does have a trademark notice, and as such that should be the one and only program to use the name validate. If mcafee can provide absolute proof that validate.exe damages systems as he claimed in valert, let him do so by producing the source code to prove his claim. As I mentioned earlier SOURCER was used to disassemble the validate.exe and there is no evidence of any code which could damage a system. In fact the only code which accesses the disk opens the file for READ and then closes it at the end of the program. The only memory accesses appear to be a large numeric array set up to read the file into and the code which reads the array and generates the CRC's. There is nothing dangerous in this program whatsoever (in my opinion). I also read the documentation and the alleged author's name is clearly there, as well as complete information on the validate.exe program. It appears to be a shareware program and clearly states this when you run the program. Due to the differences in the disassembly between the two versions of validate, they are obviously written in two different languages. IN other words VALIDATE.EXE appears to be a totally different program from validate.com. It does not appear to be a hack of mcafee's version it appears to be a totally different program. As such I for one will continue to use the new version of validate, and thank the author for supplying it in a rather unorthodox manner. I also feel that Mr. McAfee was in my opinion wrong in using valert to knock a another's product without justification. VALERT is ONLY supposed to be used (as I read the instructions) to notify the community of a trojan or a virus. Nothing, repeat nothing in the scanv58 archive file I received meets that criteria! His scan program was not modified or changed in any way, shape or form! If every author launched a valert notice every time an archive file had files added or deleted all we would ever read would be valert notices. ************************** DISCLAIMER *************************** The opinions expressed herein are my own. I speak for myself and I do not represent any other person, company or educational institution. ************************** DISCLAIMER *************************** ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253