VIRUS-L Digest   Friday, 23 Feb 1990    Volume 3 : Issue 48

Today's Topics:

Re: New Virus? (Mac)
re: UVD
Re: malicious viruses (Mac)
Re: AIDS Copy Prtection System
Re: Copyright restrictions
re: Upcoming Virus Conference?
Anti-virals on AppleTalk? (Mac)
The AIDS Copy Protection System
Re: PC Cyborg
IBM virus scanning program (PC)
Re: New Virus turns up at U. of Pa! (Mac)
New files uploaded (PC)
Re: The 1559 Virus (PC)
Re: WDEF details (Mac)
Re: WDEF details (Mac)
Copyrights on Disassembled Viruses
RE: Viruscan Trojan (?)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.

- Ken van Wyk

---------------------------------------------------------------------------

Date:    Thu, 22 Feb 90 09:25:03 -0500
From:    Joe McMahon
Subject: Re: New Virus? (Mac)

Michael Greve writes:

> I think a new MAC virus has turned up here at Penn...
> ...When I put the disk into my machine Gatekeeper Aid remove a
>WDEF A virus then I got a message saying "GateKeeper found an "Implied
>Loader 'INIT'" virus, it has been removed"...

It sounds as if you *might* have a case of INIT 29 running around. Gatekeeper and Vaccine both block INIT 29, and Disinfectant will remove it.

--- Joe M.

------------------------------

Date:    22 Feb 90 00:00:00 +0000
From:    "David.M..Chess"
Subject: re: UVD

David_Conrad%Wayne-MTS@um.cc.umich.edu writes, in response to my suggestion that a "pseudo-executor" would take lifetimes to run:

> A separate instance for every possible input? Nonsense.
> All that is required is a separate instance for every alternative
> in a conditional structure. Of course, that can still require a
> large number of instances, and some data will be undefined...

Mea Culpa, at least partly. I was assuming the simplest possible implementation of the proposed "VDOS". A more sophisticated system like the one Mr. Conrad describes might well be able to pseudo-execute a typical program much more quickly (finishing in perhaps only a few years, or even months/weeks/days). I'd guess that it'd still be too long to be practical, but I've been wrong before!

I also suspect that a sophisticated pseudo-executor would turn out to be (1) very hard to write, and (2) extremely useful for other purposes as well as virus-checking. I know various research groups (wish I had references handy!) have done considerable work on "symbolic execution" systems, which essentially take a program P as input, and (try to) produce as output a function that gives the output of P for given inputs to P. It's hard to do well, and I think still poses some unsolved problems. The virus-checking pseudo-executor has a somewhat easier job (it only has to answer "does the output of P include anything nefarious, for *any* value of the input?"), but I'm not sure if it can avoid the hardest problems. Interesting field for speculation!

DC

------------------------------

Date:    Thu, 22 Feb 90 09:28:54 -0500
From:    Joe McMahon
Subject: Re: malicious viruses (Mac)

steve@clmqt.marquette.Mi.US (Steve Lasich) asks:

>...Can somebody
>either confirm or deny the report I read in either MacUser or MacWorld
>(circa October 1988) that there is malicious code in the SCORES virus
>which is only activated by the presence on a disk volume of files
>containing certain creator IDs belonging to Electronic Data Systems
>(EDS), the company which Ross Perot sold to GM? ...

Sorry, Steve. My assertion was a bit too sweeping.
Applications of types 'ERIC' and 'VULT' (none of which actually seem to exist anywhere) will cause Scores to activate hidden time bombs. One causes a system error 25 minutes after either is used; a second (which activates later) causes any write-to-disk operation to bomb 15 minutes after using one of the target applications. It's never been made clear one way or the other whether these targets were owned or written by EDS or not. There was no denial, so I suppose we can draw our own conclusions...

So let me correct my statement. No currently-existing Mac virus causes damage to _any known commercial application._

--- Joe M.

------------------------------

Date:    22 Feb 90 14:37:31 +0000
From:    attcan!ram@uunet.UU.NET (Richard Meesters)
Subject: Re: AIDS Copy Prtection System

munnari!mqccsunc.mqcc.mq.oz.au!ifarqhar@uunet.UU.NET (Ian Farquhar) writes:

> 1) FREE MARKET
>
> Many writers pointed out that the program itself was garbage, and
> justified their position (that it was a Trojan) with the argument
> that the money for the program was far too much and thus the
> program was an extortion racket.
>
> Being an Australian, I am used to being charged extortionate
> prices for software by both amateurs and professional companies.
> The point that must be made, however, is that in a free market
> economy the supplier can charge what they like. The idea is that
> supply and demand will weed out the excessively priced garbage
> from the reasonably priced quality items.

While I agree with you that in a free market economy you can charge whatever you like for the purchase of a product, the issue here with the AIDS trojan is whether you can give someone a disk and then demand payment for it. It really doesn't matter if the cost was 10 dollars or 10 thousand.
I believe the argument being raised was not whether the AIDS information package was any good or not, but rather if the package indeed constituted a real software package, or simply a front to introduce a trojan into your system.

> 2) THE ABSENCE OF THE REGISTRATION DISKS
>
> It is presumed that PC Cyborg would have sent the defuser program
> on receipt of the registration fee. Many people have pointed out
> that this did not happen. I imagine that the US Military rolling
> into Panama may have had something to do with that.

The end really doesn't justify the means. If this was a case of a real company trying to copy protect their software (and I don't believe that for a second), this scheme has a major flaw. Consider what happens to the hapless user if the company goes out of business. He has now lost all data on his hard drive without any possibility of recovery through what you obviously consider legal channels. If a scheme like this is used to copy protect the software, the company producing it should have some level of responsibility (moral, if not legal) to protect your system from damage from a package you have rightly purchased.

> 3) THE DEFINITION OF COPY PROTECTION
>
> Copy protection, by my definition, is a device, system or
> technique whereby the copyright holder can guarantee that the
> terms of the license are followed.

True. But copy protection is NOT a mechanism by which the copyright holder can damage or hinder the operation of aspects of your system unrelated to the operation of said program.

> The AIDS CP System was simply an extension of this. It allowed
> copying of the distribution disk, and it allowed backing up of
> the hard disk. All it did was to ensure that people who were
> unregistered (and which were, I hasten to add, involved in a
> criminal activity) would have a lot of trouble.

> As for the concept of the user having legal control over what was
> deleted from his/her hard disk, I cannot see this as a problem.
> Multi-user systems have traditionally provided mechanisms for the
> superuser to control the user's files with far more privileges
> than the users themselves. This has never, to my knowledge,
> caused any legal problems.

The superuser on a multi-user system has responsibility to the users and owners of the system he administers. This is not the same as someone (i.e. a hacker) illegally logging into your system as root and deleting or damaging files. This has caused several legal problems worldwide, and is a more apt description of what the AIDS trojan is, in effect, accomplishing. It is true that the system administrator in this case has left the door open for the damage to be done, but that still doesn't excuse the actions. That would be like letting a burglar off from all charges because the homeowner left the front door unlocked.

> 5) PRESUMPTION OF INNOCENCE
>
> Under British law, there is a concept called the "presumption of
> innocence". Put basically, someone is innocent until they are
> proven guilty. It would be nice to know that this basic concept
> is still followed, though I really do have my doubts.
>
> If I were the defense lawyer with access to this newsgroup, the
> first thing that I would have done is to take all of the relevant
> articles that have appeared, and present them as evidence
> prejudicial to the fair conduct of the trial.

You are most certainly correct that a person is innocent until proven guilty, but what we are debating here is whether or not a crime has been committed, not by whom. The person or persons brought to justice for this problem should, IMHO, receive a fair and impartial trial.

> 6) CONCLUSION
>
> I am left wondering about the motives of many of the writers.
> There seems to be a fanatical, indeed almost religious zeal to
> see anyone concerned with the generation of viruses and Trojans
> convicted irregardless of the evidence (or its lack).
>
> There certainly seems to be a panic mentality at work here - the
> illusion that quick action is necessary regardless of the
> advisability of that action. There also is a strong reluctance
> to change an opinion in the light of new evidence, which is very
> worrying indeed.
>
> I have always maintained that computer security experts and
> employees of the intelligence services share many things in
> common, primarily the huge and quite unwarranted sense of
> paranoia. This whole discussion has only strengthened this view.

Sorry Ian, but I really don't see how you could have possibly drawn this conclusion from the previous discussions. We are not judge or jury in this case. If indeed the AIDS trojan was a copy protection scheme, then the answer to the problem is to prevent this type of CP scheme from being used in the future. However, the evidence and conjecture I have seen as a result of this discussion point to the fact that this is NOT a simple case of copy protection gone awry. You state that there is a reluctance to change opinion in the light of new evidence, yet you really haven't provided the group (or certainly me, anyway) with any strong evidence that would convince me to change my opinion.

By the way, I am neither a computer security expert nor a member of the intelligence services, as you put it. What I have seen from this discussion appears to be a case of fraud and extortion, but it is, after all, up to the courts to decide that.
Regards,

- ------------------------------------------------------------------------------
Richard A Meesters             |
Technical Support Specialist   |  Insert std.logo here
AT&T Canada                    |
                               |  "Waste is a terrible thing
ATTMAIL: ....attmail!rmeesters |   to mind...clean up your act"
UUCP:    ...att!attcan!ram     |
- ------------------------------------------------------------------------------

------------------------------

Date:    22 Feb 90 14:48:20 +0000
From:    attcan!ram@uunet.UU.NET (Richard Meesters)
Subject: Re: Copyright restrictions

IA88@PACE.BITNET (IA88000) writes:

- - 3) Does the fact that a program appears to be and may be capable
- - of damaging a disk give anyone the right to violate a
- - copyright?
- -
- - If you feel that statement three allows someone to violate a
- - copyright, consider this for a moment.
- -
- - One of the major copy protection companies uses a scheme which
- - encrypts one or more tracks of a hard disk drive when someone
- - installs a copy protected program.
- -
- - Until such time as the copy protected program is removed the
- - encrypted tracks are useless (in fact some people may even call
- - them damaged) to any program other than the copy protected
- - program which was installed.

You are correct in that the ability to use space on the disk allows the program the right to encrypt part of the data IT stores. They are useless as far as you and other programs are concerned, but accessible by the creating package itself. This is not, however, the same as encrypting ALL the data on your disk, as was the case with the AIDS trojan. This rendered the entire disk useless for all programs concerned.
- ------------------------------------------------------------------------------
Richard A Meesters             |
Technical Support Specialist   |  Insert std.logo here
AT&T Canada                    |
                               |  "Waste is a terrible thing
ATTMAIL: ....attmail!rmeesters |   to mind...clean up your act"
UUCP:    ...att!attcan!ram     |
- ------------------------------------------------------------------------------

------------------------------

Date:    22 Feb 90 00:00:00 +0000
From:    "David.M..Chess"
Subject: re: Upcoming Virus Conference?

> The 800 number should yield more current information
> (and, I presume, information on travel, lodging, etc.).

Unfortunately, the 800 number, although very friendly and sympathetic, knows no more than the name of the conference, the dates, and the registration fee ($375, I think it was). They don't have a speaker's list or an advance program to send, and they don't know where such information might be obtained. Does anyone else have further information on this?

DC

------------------------------

Date:    Thu, 22 Feb 90 09:38:18 -0700
From:    esunix!sim.dnet!tleaming@cs.utah.edu (Taylor Leaming x3836)
Subject: Anti-virals on AppleTalk? (Mac)

I've just finished cleaning up an outbreak of the WDEF A virus on my department's Macintoshes. I like to scan each machine with several of my favorite antiviral programs, such as Virex, Virus Rx and Disinfectant, just to be as thorough as possible. But since these programs are targeted at a single user/single machine, this becomes pretty tedious and time-consuming very quickly. Even a routine scan of all machines amounts to a fair amount of time.

My question is this: what is available (if anything) in terms of Macintosh anti-viral software that will run over a local AppleTalk network, preferably in the background (like InterPoll and the likes) or can at least be time-scheduled? (Our net is composed of MacPlus's, MacSE's, and Mac II's, each with their own hard disks and systems. We also have a VAX fileserver account for each user.)
Vaccine developers: How about it?

Taylor Leaming
esunix!sim.decnet!tleaming@cs.utah.edu
Evans & Sutherland Computer Corp.
SLC, UT
801/582-5847

------------------------------

Date:    Thu, 22 Feb 90 11:35:17 -0500
From:    Arthur Gutowski
Subject: The AIDS Copy Protection System

I've been monitoring this conversation for quite some time now, and I thought that it was time to indulge myself with my 2(cents) worth. In his second posting, Mr. Farquhar attempts to address some of the writers' concerns:

>1) FREE MARKET

True enough, anyone can charge anything they want for any product they put on the market, no matter how obscene the price may be. BUT, I must stress that it is inappropriate and unethical to threaten my intellectual property as a means to secure payment. THIS IS EXTORTION, plain and simple.

>2) THE ABSENCE OF REGISTRATION DISKS

BUNK. The Panama invasion had nothing to do with this in my mind. Dr. Popp was not living there at the time, he was merely operating out of a PO box. If he promised a cure with the registration fee, and I send in my registration fee, I damn well better get my antidote, or I'll sue and prosecute to the fullest extent of the law, regardless of what his reasons were for not sending the cure - I have not only just been extorted, but I've been lied to as well. At this point, I am *not* a happy camper.

>3) THE DEFINITION OF A COPY PROTECTION SYSTEM

This is a pretty liberal definition of a copy protection system. A friend of mine works for the IRS, and was recently doing some side work for Criminal Investigation - he gave me an example of a legal copy protection system. The package was a commercial accounting program. There was no attempt made to actually prevent the copying of the program (any decent hacker can get around pure copy-protection in a matter of a few minutes anyway), but instead it would wait.
After a fixed number of executions, it would ask you to insert the master distribution diskette into A: (presumably if it had detected itself as not being properly INSTALLed, but instead copied from a diskette). If you did not have the master, and you had not INSTALLed it, then you have pirated it (a reasonable conclusion), and the program would hang. Any subsequent attempts to use the program would result in the same failure. No other damage was done to the hard drive. The only kicker is, all the data you created using the program is now unreadable because of the unique format that the data was saved in. No intellectual property was damaged except that which shouldn't have been created in the first place. This is the farthest "extension" of any copy protection system that should *ever* be granted by law, in *any* country.

As for any analogy to the superuser, this is irrelevant. It applies to any multiuser system (VM, MVS, UNIX, etc.) - somebody in the system has to have the power to maintain things and make sure people don't inadvertently step on each other or themselves. And, as David Conrad pointed out, it is assumed (and checked on a regular basis through audits - at least in the case of VM and MVS) that the superuser has not abused his power.

>4) INAPPLICABILITY OF US LAWS

Yes, but did that prevent them from trying to import into the US anyway? Correct me if I'm wrong, but from my understanding, a couple of copies did make it over here? Besides, isn't it entirely possible that other countries (into which the Trojan came) have similar laws in this regard? Could someone versed in international and/or foreign laws clarify this?

>5) PRESUMPTION OF INNOCENCE

Yes, we have this one in the US too. Someone is presumed innocent until proven guilty. The burden of proof lies with the prosecution. But, I am certain that there is enough incriminating evidence not only to warrant extradition of Dr. Popp, but to convict him as well, in *any* country.
>6) CONCLUSION

Concerned, we are; panic-ridden, paranoid, fanatical, and zealots, we are far from. Is it unwarranted to pick apart viruses (which also happen to be copyrighted in a strict sense), and trojans (which are also destructive, illegitimate software) and provide remedies to people? I hardly think so. I myself am left wondering about your motives, that you would protect the "authors" of such code. Do you publish any software? Please warn me so I know enough not to take the risk of not living up to your licensing agreement for fear of having your "copy-protection" system invoked on me.

I can't speak for others, but I think this list has provided a wonderful service by warning people in advance of such atrocities as the AIDS Trojan, not to mention the information about viruses, operating systems, hardware, etc. that comes from technical people who know how to pick things apart and look at them. (BTW, I don't think disassembling the trojan was unjustified; if my computer were held hostage, I'd look to every source I could to find a way to recover it. It's a term called Self-Defense, I'm sure you're familiar with it). Our motives here are nothing more than to protect people from losing their valuable time and data as a result of someone else's destructive efforts.

Finally, I'd like to conclude with my own analogy, hopefully devoid of dependence on any country's particular laws. Let me submit to your evaluation the following situation: I write a novel, but do not yet have the funds to publish it (i.e., it is a Copyrighted Unpublished work). I send the novel to you, unsolicited. I send along with it a licensing agreement that demands you pay me $534 for the novel. Now consider the following two methods of enforcing my license agreement:

1) I coat the pages with an ink-dissolving reagent such that the book would be unreadable after, say, three readings. I think I'm within my right to do this as a method of protecting my intellectual rights, don't you?
2) I use a plastique for the binding material for the pages. It is sensitive to perspiration, so that after a number of readings (naturally, random), when you place the book back on your bookshelves, it explodes, thus destroying your entire collection of classics. Would you still think that I was within my rights to protect my work? I don't think so.

Granted the example is a bit outlandish, but no less trouble than Dr. Popp's extortion scheme. I can't help but wonder if your views on this matter would be the same if you had been on the receiving end of this monstrosity. It's a lot harder to be aloof when it happens to you.

'Nuff said.

Disclaimer: My employers don't pay me enough to express their views.
Comments, rebuttals, money, etc. - welcomed
Flames, threats, etc. - ===>/dev/null

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 /=====\   Arthur J. Gutowski,
 : o o :   Antiviral and MVS Groups / Tech Support / WSU Univ. Comp. Center
 :     :   5925 Woodward; Detroit, MI 48202; PH#: (313) 577-0718
 : ----- :  Bitnet: AGUTOWS@WAYNEST1   Internet: AGUTOWS@WAYNEST1.BITNET
 \=====/   Have a day.

------------------------------

Date:    Thu, 22 Feb 90 14:38:57 +0000
From:    Martin McCarthy
Subject: Re: PC Cyborg

21329KAD@MSU.BITNET writes

> I haven't seen any information yet on whether or not Australia and
> the European countries the AIDS disk showed up in have laws that
> protect consumers from unordered merchandise.

I don't know about any other countries, but certainly in Britain if you receive goods that you have not requested, they automatically become your property. No one has the right to send something through the post and expect to receive anything in return, whether or not the recipient makes use of it, whether or not there is a note attached saying "send me $xxx or I will scrap your hard disk". Someone in Sydney may have to pay you for your dog hair, but rest assured that no-one in Britain need do so.
And if you send me exploding dog hair, I'll fight for your extradition :-).

Martin McCarthy.

JANET:       mmc@uk.ac.dl.cxa                 | Sci. & Eng. Resrch. Cncl.
Internet:    mmc%cxa.dl.ac.uk                 | Daresbury Laboratory
EARN/BITNET: mmc%cxa.dl.ac.uk@UKACRL          | Daresbury
UUCP:        mmc%cxa.dl.ac.uk@ukc.uucp        | Warrington WA4 4AD
Ean:         mmc%cxa.dl.ac.uk@ean-relay.ac.uk | England

------------------------------

Date:    Thu, 22 Feb 90 14:58:00 -0500
From:    "Gerry Santoro - CAC/PSU 814-863-4356"
Subject: IBM virus scanning program (PC)

A number of months ago IBM distributed (inexpensively) a program that would scan for certain viruses. One nice feature of this program was that it had an easy way for the user to add search patterns as new viruses were discovered.

Has anyone taken upon themselves the job of updating the search string to cover new viruses? Any info would be appreciated.

- -------------------------------------------------------------------------------
|                                                                             |
|       gerry santoro, ph.d. -- center for academic computing                 |
| -(*)- penn state university -- gms@psuvm.psu.edu -- gms@psuvm.bitnet  -(*)- |
|                                                                             |
|       standard disclaimer --> "I yam what I yam"                            |
|                                                                             |
- -------------------------------------------------------------------------------

------------------------------

Date:    Thu, 22 Feb 90 13:30:14 -0800
From:    dplatt@coherent.com
Subject: Re: New Virus turns up at U. of Pa! (Mac)

> I think a new MAC virus has turned up here at Penn. A
> co-worker/student gave me a disk with some papers he wanted laser
> printed. When I put the disk into my machine Gatekeeper Aid remove a
> WDEF A virus then I got a message saying "GateKeeper found an "Implied
> Loader 'INIT'" virus, it has been removed". I'm glad Gatekeeper Aid
> caught it! I think mention was made of this virus a week ago. Is
> this a new virus?? What does it do?? Is it spread like WDEF A?? I'm
> using Gatekeeper Aid 1.0.1. Will/Can Disinfectant 1.6 catch this
> virus. All these questions....

1) This sounds as if you are infected with the "INIT 29" virus.
2) No, it's not new; it has been around since late 1988.

3) It spreads via system files and applications. It also infects documents, but the infected documents are not infectious. It tends to cause problems when printing, and may also cause system crashes. It will infect _any_ file which has a resource fork.

4) Disinfectant will detect it, remove it from infected files, and repair infected applications (subject to the usual warning that the repairs cannot be guaranteed to be 100% correct in all cases).

5) Gatekeeper and Vaccine will prevent it from spreading. If you use Vaccine, do NOT check the "Always compile MPW INITs" button... some viruses can sneak past Vaccine's protection if this feature is enabled (I don't remember whether INIT29 is one of those which can...)

You should use Disinfectant to scan and disinfect all of your disks, and then install Gatekeeper or Vaccine.

- --
Dave Platt                                            VOICE: (415) 493-8805
  UUCP: ...!{ames,apple,uunet}!coherent!dplatt      DOMAIN: dplatt@coherent.com
  INTERNET:   coherent!dplatt@ames.arpa,  ...@uunet.uu.net
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303

------------------------------

Date:    Thu, 22 Feb 90 08:58:48 -0600
From:    James Ford
Subject: New files uploaded (PC)

The following files have been placed on MIBSRV.MIB.ENG.UA.EDU (130.160.20.80) for anonymous FTP in the directory pub/ibm-antivirus.

SCANV58.ZIP  - Scan 1.4V58 (update)
SCANRS58.ZIP - Scan 1.4V58 TSR version (update)

These files were downloaded directly from Homebase BBS on 2/21/90 at 9:30pm.

- ----------
If there is a 50-50 chance that something can go wrong, then 9 times out of ten it will. (Paul Harvey News, 1979)
- ----------
James Ford - JFORD1@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU
University of Alabama in Tuscaloosa.

------------------------------

Date:    Thu, 22 Feb 00 19:90:34 +0000
From:    Gonzalo M. Rojas Costa
Subject: Re: The 1559 Virus (PC)

Hi

Vesselin Bontchev (T762102@DM0LRZ01.BITNET) writes:

> - The virus is memory resident.
> It installs itself in the
> memory at address 9800:0000. I couldn't find where (and if)
> it checks for the memory size.

This virus only copies itself to the address 9800h:0000. It doesn't install itself resident with INT 27 or function 31H. If I execute a big program (one that occupies the segment 9800h), this program erases the virus from memory and a crash will occur. Besides, the 1559 virus doesn't check the memory size. Then if I execute a program infected with this virus in a computer with less than 640K of RAM, the computer hangs. (This effect occurs too, for example, in an AT with 1024K of memory {512K from factory and 512K of Extended Memory}).

> - The virus is 1554 bytes long, but may add more bytes (up to
> 1569 I think) to the infected files.

Yes. If I infect a program with this virus, the program doesn't grow by a constant number of bytes. For that reason I don't find the name 1559 appropriate for this virus. Besides, the size of the virus is 1554 bytes. Then I don't find the reason for that name.

> - Only *.COM files greater than 1000 bytes will be infected. I
> couldn't find if there is a limit for the *.EXE ones.

EXE files greater than or equal to 3 512-byte pages (1536 bytes) are infected.

> - The first 32 bytes of the *.COM files are overwritten. The
> original 32 bytes can be found at offset (14,15)*16+1015
> from the beginning of the file.

The 32 bytes overwritten can be found at offset (14,15)*16+1271 on the infected program that I disassembled. (It seems that the offset where the overwritten bytes are located is (14,15)*16+number, and number depends on the size of the program being infected).

> - The virus intercepts the WRITE function call (AH == 40H) of
> INT 21h. If the month of the current date is 9 or greater,
> and if the write is on file handle > 4 (i.e., it is a "true"
> file, not stdin/out/err/aux/prn), then the address of the
> memory chunk which has to be written, is increased by 0Ah.
> This leads to garbage being written.
Then, if I type the command COPY myfile1 myfile2 in the months of September, October, November or December, myfile2 will lose the first ten bytes, and will add an equal quantity of garbage to the end. (But myfile1 and myfile2 remain of the same size).

An important characteristic of this virus is that it has subroutines that don't permit the use of debuggers (such as MSDOS' DEBUG or Turbo Debugger).

Disclaimer: The views expressed are my own! I do not speak for, nor do I represent any other person or company.

Gonzalo M. Rojas Costa
BITNET: LISTVIR@USACHVM1
ARPA:   LISTVIR%USACHVM1.BITNET@CUNYVM.CUNY.EDU
Owner of ASSMPC-L
Antiviral Research Group
Technical Support Unit
Universidad de Santiago de Chile

------------------------------

Date:    22 Feb 90 20:48:14 +0000
From:    zben@umd5.umd.edu (Ben Cranston)
Subject: Re: WDEF details (Mac)

DUCKENFP@carleton.edu (Paul Duckenfield (Consultant, User Services)) writes:

> WDef is a system resource which (basically) tells the Mac how
> to draw its windows. There are several programs in the FREE/SHAREware
> market which change how the window appear on your Macs screen. They
> make it look like a NeXT or MS Windows or some other form other than
> the "standard Apple"-look. They take advantage of the WDef resource in
> the SYSTEM file.

> Incidentally, I have heard reports that it is possible
> (although not easy) for someone to rename the WDef virus's resource to
> CDef. Potentially this will create another virus, exactly the same as
> the first except for the name, which can propagate quickly as well.
> Anyone know anything about this?

In the same way WDEF resources define the behaviour of windows, CDEF resources define the behaviour of "controls" (pushbuttons, scroll bars, etc). While it would not be possible to just retype the WDEF as a CDEF, it would certainly be possible to write a virus that would live in a CDEF resource (or for that matter any other executable resource type).
IMHO the real problem is that Finder opens these resource files and leaves them in the search chain, relying on them not to contain any resources that might mask the real resources in the Finder and System files. If Finder were to ensure that these files are in the search chain only when the Desktop resources are being fetched, these viruses would not be possible.

- --
Sig DS.L ('ZBen') ; Ben Cranston
* Network Infrastructures Group, Computer Science Center
* University of Maryland at College Park
* of Ulm

------------------------------

Date:    23 Feb 90 03:53:02 +0000
From:    vronay%castor.usc.edu@usc.edu (Iceman)
Subject: Re: WDEF details (Mac)

Understanding how WDEF works can tell you bunches about the current state of viruses on the Mac.

First, it is important to note that the mac is susceptible to computer viruses due to the large number of trap-dispatched routines built into the computer. These so-called "toolbox routines" provide the programmer with all of the code s/he needs to create the Macintosh look and feel. Now, since this code can change for different versions of the Mac, the routines are accessed through a trap-dispatch mechanism. Basically, each routine has a number, and you call that number instead of the actual routine. The built-in trap dispatcher will then look up the location in memory of the trap and start executing.

Some virus and most anti-virus programs work by rewriting these trap addresses, so that instead of calling the built-in ROM code, they call the virus/anti-virus code instead. This code will usually eventually call the ROM routine as well - perhaps after asking for permission to execute a suspicious instruction.

WDEF goes one step up in this. It first removes all of the patches on toolbox routines it wants to use. This effectively disables any anti-virus code that was there. Next, it figures out what machine you are running on and patches the traps back to what it thinks they should be for that machine.
(BTW, this is why WDEF initially crashed the new machines - it didn't know the proper patches for them). It then copies itself, and sets the traps back to what they were before it started, leaving the anti-viral software totally unaware that anything happened.

- -ice
================================
reply to: iceman@applelink.apple.com
AppleLink: ICEMAN
disclaimer: (not (apples-opinion-p (opinions 'ice))) => T
================================

------------------------------

Date: Thu, 22 Feb 90 20:33:00 -0800
From: jmolini@nasamail.nasa.gov (JAMES E. MOLINI)
Subject: Copyrights on Disassembled Viruses

I have a question for the group. Recently I was scanning a disassembled virus. It had been intercepted and documented by someone here in the US. I found it strange, however, that the person who disassembled and documented this virus actually copyrighted his disassembly.

My question rests on 2 levels. First, is it legal for someone to document another's work and subsequently make it different enough that it can be considered his property with the accompanying distribution restrictions (regardless of the originator's desire to be known)? Secondly, is it ethical in this community to copyright work that is supposedly for the public good?

I do not favor posting virus code on Virus-L, but would become very concerned if virus information became one more place for commercialism and private advantage to hobble general efforts at preventing catastrophe.

Please post your unabashed comments to the board, but leave me personally out of it. I only asked the question.

Jim Molini

------------------------------

Date: Thu, 22 Feb 90 20:36:00 -0800
From: jmolini@nasamail.nasa.gov (JAMES E. MOLINI)
Subject: RE: Viruscan Trojan (?)

IA88000 writes:

> Last night someone uploaded scanv58.zip to my bbs which contained a
> different version of validate by another author.
>...
> The only thing bogus about this whole matter is the fact that McAfee
> sent out a VALERT notice about it.
>...
> As I mentioned earlier SOURCER was used to disassemble the validate.exe
> and there is no evidence of any code which could damage a system.
>...
> It appears to be a shareware program and clearly states
> this when you run the program.

Then it should have been separately packaged as shareware. John McAfee has every right to disclaim any program not written by, or for him. Anyone finding the file ZIPed in with his programs would certainly be reasonable in believing that McAfee had sponsored it. But right now all we have is the word of an unidentified node on this worldwide network that this is a harmless file. (Next time, please sign all of your correspondence to Virus-L.)

> ...I also feel that Mr. McAfee was in my opinion wrong in using valert
> to knock another's product without justification. VALERT is ONLY
> supposed to be used (as I read the instructions) to notify the
> community of a trojan or a virus. Nothing, repeat nothing in the
> scanv58 archive file I received meets that criterion!

If this is true, I would absolutely agree. I think we should ask the moderator of V-ALERT to sponsor an objective investigation into this potential abuse of the system. There is more at stake here than the credibility of a shareware supplier.

Jim Molini

[Ed. My PERSONAL feelings on the matter: I'm of the "better safe than sorry" school; I believe that John McAfee found an altered version of *HIS* shareware package and did his best to notify the community of that. If the author of this VALIDATE.EXE program had truly honorable intentions, then s/he should have either released the package separately - into either the public domain or shareware - or worked with Mr. McAfee in officially incorporating the code into the next SCAN release. Regardless of whether the alteration to the SCAN package was good or not, it was an unauthorized alteration, and John had every right (perhaps even responsibility) to warn the community.
I also personally agree with Jim's request to sign VIRUS-L correspondence. As I said, these are my personal feelings. Ken van Wyk ]

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
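To make the trap-table mechanics in Iceman's "WDEF details" message concrete, here is an added toy model in C (not code from the digest, and not Apple's dispatcher; the trap numbers and routine names are hypothetical). It shows why a hook-based monitor that only watches calls made through the patched table is blind to calls made after the table is restored, why an after-the-fact comparison of the table reports nothing, and why a check that does not depend on the hook (the analogue of scanning the resource files themselves) is still needed.

```c
/* Added toy model (not code from the digest, not Apple's dispatcher) of the
 * trap-dispatch scheme in the WDEF message: callers name a trap number and
 * the dispatcher looks up its address. Trap numbers/names are hypothetical. */
#include <string.h>
enum { TRAP_ADD_RESOURCE = 0, TRAP_OTHER = 1, NUM_TRAPS = 2 };
typedef int (*trap_fn)(const char *arg);
static trap_fn trap_table[NUM_TRAPS]; /* live table the dispatcher consults */
static trap_fn rom_table[NUM_TRAPS];  /* original ROM addresses */
static trap_fn baseline[NUM_TRAPS];   /* table as the monitor last left it */
static int rom_adds;                  /* ground truth: ROM routine really ran */
static int monitor_hits;              /* calls the monitor's hook observed */
static int rom_add_resource(const char *f) { (void)f; return ++rom_adds; }
static int rom_other(const char *f) { (void)f; return 0; }
static int dispatch(int trap, const char *arg) { return trap_table[trap](arg); }
/* Anti-virus style patch: note the call, then fall through to the ROM. */
static int monitor_add_resource(const char *f) {
    monitor_hits++;
    return rom_table[TRAP_ADD_RESOURCE](f);
}
static void boot(void) {
    rom_table[TRAP_ADD_RESOURCE] = rom_add_resource;
    rom_table[TRAP_OTHER] = rom_other;
    memcpy(trap_table, rom_table, sizeof trap_table);
    rom_adds = monitor_hits = 0;
}
static void install_monitor(void) {
    trap_table[TRAP_ADD_RESOURCE] = monitor_add_resource;
    memcpy(baseline, trap_table, sizeof baseline);
}
/* After-the-fact integrity check: entries differing from what the monitor
 * installed. */
static int trap_table_drift(void) {
    int d = 0;
    for (int i = 0; i < NUM_TRAPS; i++) d += trap_table[i] != baseline[i];
    return d;
}
/* The sequence the message describes: strip the patches, use the ROM
 * addresses directly, then restore the patches. Returns the monitor's count. */
static int call_with_patches_removed(const char *f) {
    trap_fn saved[NUM_TRAPS];
    memcpy(saved, trap_table, sizeof saved);
    memcpy(trap_table, rom_table, sizeof trap_table);
    dispatch(TRAP_ADD_RESOURCE, f);
    memcpy(trap_table, saved, sizeof trap_table);
    return monitor_hits;
}
/* Audit independent of the hook (analogue of scanning the resource files
 * on disk): additions the hook never saw. */
static int unseen_additions(void) { return rom_adds - monitor_hits; }
```

After one ordinary call and one call made with the patches stripped, the monitor has counted one call, the table compares equal to its baseline, and only the hook-independent audit reports the second addition.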