VIRUS-L Digest   Tuesday, 27 Feb 1990    Volume 3 : Issue 50

Today's Topics:

CoTRA virus sig meeting
re: Virus signatures & IBM virus scanner (PC)
Stoned Virus (PC)
Re: NYT Bestseller
Tried 800 number for Virus Conference
Virus Disinfections (PC)
1701/1704 Ver. B virus and SCAN/CLEAN Ver. 2.7 V57 (PC)
Posting scan signatures.
Ping Pong Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  Administrative mail (comments, suggestions, and so forth)
should be sent to me at: krvw@SEI.CMU.EDU.

   Ken van Wyk
   Moderator, VIRUS-L/comp.virus
   Technical Coordinator, Computer Emergency Response Team
   Software Engineering Institute
   Carnegie Mellon University
   cert@CERT.SEI.CMU.EDU (monitored during business hours)
   (412) 268-7090 (answers 24 hour a day)

---------------------------------------------------------------------------

Date:    Mon, 26 Feb 90 11:23:47 -0000
From:    David.J.Ferbrache
Subject: CoTRA virus sig meeting

A number of British readers may be aware that the Computer Threat
Research Association was formed recently to address a wide range of
computer security and integrity issues, including the establishment of a
central library of viral materials and an active research group for
work on viruses.

As virus SIG co-ordinator I would like to arrange a meeting of the SIG
in the last week of March. Issues I hope to discuss are establishment of:

1. A central UK library of viral materials available to all bona-fide
   virus researchers (fortunately the definition of bona-fide is being
   tackled by another committee)

2. A number of sites with a test bed set of viruses for evaluation of
   commercial and public domain anti-viral products

3. A network of formal or informal connections to deal with future
   occurrences of bulk mailed trojan horses, major new viral strains or
   network worms

The AIDS trojan horse clearly indicated the lack of a well organised
network of virus/trojan workers in the field. The response, while
enthusiastic, did duplicate much effort across a number of separate
sites. While I realise that commercial considerations often temper the
distribution of information between workers in the field, I feel that
issues such as the AIDS trojan must circumvent industrial confidentiality
to allow a sharing of information, and division of workload. With complex
disassemblies it is likely that details of protection mechanisms
(particularly self-modifying code) may be missed by one researcher and
detected by another. The cross-checking of disassemblies is vital to the
accuracy of the final product.

The Internet worm caused formalisation of the "old-boy" network,
resulting in the creation of an excellent rapid response system (CERT)
with formal links with established experts in the field. I hope that such
a structure will evolve in the UK, preferably with government recognition
of the important role that such an organisation will play in the security
and integrity of personal and mainframe computer systems.

I would be interested in any feedback on the above comments (preferably
constructive criticism). Hopefully such a reporting network will not be
restricted to members of CoTRA but will include all workers in the field
(academic, commercial and governmental).

- -----------------------------------------------------------------------------
Dave Ferbrache                            Internet
Dept of computer science                  Janet
Heriot-Watt University                    UUCP      ..!mcvax!hwcs!davidf
79 Grassmarket                            Telephone +44 31-225-6465 ext 553
Edinburgh, United Kingdom                 Facsimile +44 31-220-4277
EH1 2HJ                                   BIX/CIX   dferbrache
- -----------------------------------------------------------------------------

------------------------------

Date: 26 Feb 90 00:00:00 +0000
From: "David.M..Chess"
Subject: re: Virus signatures & IBM virus scanner (PC)

Kevin_Haney@NIHDCRT.BITNET writes:

> With regard to Gerry Santoro's question about the IBM virus scanning
> program, the author, Bill Arnold, is constantly updating the program,
> improving its performance and including new viral signatures.  The
> current version is 1.37 which scans for 58 different signatures and I
> assume that if you have an older one you can get an update from IBM.

IBM has made only one version of The IBM Virus Scanning Program
available to the public; this is version 1.0, that was released in
September of 1989.  Any other versions of the IBM program are marked IBM
Internal Use Only, and are not available to the public at this time.  We
definitely urge people *not* to use any program marked IBM Internal Use
Only (except for IBM internal use, of course, or if you have a specific
agreement signed with IBM allowing you to use it).

Dave Chess
IBM T. J. Watson Research Center

------------------------------

Date: 26 Feb 90 20:47:26 +0000
From: moncol!c2810@princeton.edu (SATYAJIT CHATTERJEE)
Subject: Stoned Virus (PC)

We discovered the Stoned Virus in our PC's recently.  Does anyone have
any suggestions on how to get rid of this.  We have hundreds of users who
have their own floppies, most of them infected I suppose.  It would be
difficult to call them all in.  Is there some way of automating this?
Any suggestions will be appreciated.
------------------------------

Date: 26 Feb 90 14:56:00 -0500
From: "zmudzinski, thomas"
Subject: Re: NYT Bestseller

Cliff, I read your note in VIRUS-L Digest; Volume 3 : Issue 49

>> The Cuckoo's Egg has made it onto the NY Times bestseller list.
>> I'm amazed that so many people would be interested
>> in our computer networks, viruses, and nasty animals in our systems.

Bad news, Cliff -- Yesterday I visited a discount book outlet,
BOOKS-A-MILLION, and there, big as life, was a pile of
_The_Cuckoo's_Egg_'s, $13.95.  (Why couldn't I have gotten that price
when I bought four copies?)  :{D

Tom Zmudzinski      | Sic Transit Gloria Mundi,
DCS Data Systems    |   which Murphy translates as
McLean, VA          |     "Tuesday will be worse".

------------------------------

Date: Mon, 26 Feb 90 16:29:29 -0500
From: Peter Jones
Subject: Tried 800 number for Virus Conference

I just tried calling the number (800)-835-2246 about the upcoming virus
conference.  The lady who answered asked me who I was calling *for*, not
from.  I repeated the number verbally; she said she couldn't tell what
company I was trying to reach because their computers were down, and she
had tried and failed to find the information another way.  (Yes, I'm
going to submit this item to RISKS.)

I had intended to suggest that detailed conference information be posted
on the VIRUS-L.

Peter Jones  MAINT@UQAM  (514)-987-3542
"Life's too short to try and fill up every minute of it" :-)

------------------------------

Date: Mon, 26 Feb 90 15:07:18 -0800
From: Alan_J_Roberts@cup.portal.com
Subject: Virus Disinfections (PC)

This is a forward from John McAfee:
=================================================================

A number of Virus-L entries over the past couple of months have
discussed virus disinfection issues and the problems with disinfecting
certain viruses.  Vesselin Bontchev yesterday wrote:

> I spoke with David Chess (at IBM) and he prefers the "delete the
> infected file and restore them from backups" method.  But have in
> mind, that the guy from Taiwan is in trouble --- and may not have
> appropriate backups.

I understand Vesselin's point, but in general I favor Dave's approach.
In spite of the fact that I produce and distribute a number of
disinfector programs, including CLEAN-UP, I always suggest deleting as a
first choice.  There are many reasons for this, but the primary one is
that the process of disinfecting a file always leaves an element of
uncertainty in the system.

For example, the Jerusalem virus uses information in the EXE header
record to determine how to infect.  Often this header record is
inaccurate, causing the virus to overlay part of the EXE file, and also
causing the virus to update the header record incorrectly.  The virus
has, in effect, destroyed part of the EXE file, and this destruction is
often not noticed immediately by the user.  The corrupted area might be
seldom referenced, or in a program function area that is bypassed in
normal processing.  If this is the case, removal will leave a program
that will at some point cause inconsistencies, data corruption, or
system crashes when the erased area is referenced.  There is simply no
way to recover the file because there is no way (short of using the
original uninfected program) to determine what was in the file before it
was overwritten.

The Jerusalem is not alone in causing these problems.  There are
numerous EXE infectors and some COM infectors (405, Vienna) that cannot
be successfully recovered in all cases.  What complicates the matter is
that it cannot be determined in advance (in all cases) which files will
disinfect correctly and which will not.  We are left then with a system
that will have no more viruses, but we may have applications that are
subtly corrupted.  This is not good.  A program that seems to work, but
may have brain damage in a seldom used subroutine, can be as troublesome
as a virus.

In addition to the above problems, many viruses are continually being
modified so that identification may still work, but disinfection will
cause complete destruction of the file due to changed offsets and other
programming issues.

To get back to my point, I would strongly suggest that infected files be
overwritten in their entirety and then deleted if at all possible.  Only
as a last resort, where backups or original diskettes are unavailable,
should disinfection be used.

John McAfee

------------------------------

Date: Mon, 26 Feb 90 17:23:00 +0000
From: RMAP222@EUCLID.UCL.AC.UK (on GEC 4190 Rim-E at UCL)
Subject: 1701/1704 Ver. B virus and SCAN/CLEAN Ver. 2.7 V57 (PC)

I had the following problem: when I requested a directory of my floppy
disk, the machine (Toshiba 3100, DOS 3.2) read the floppy directory just
once, ie, every successive request for the floppy directory displayed
the data from the RAM, WITHOUT re-reading the actual data from the
floppy.  Even when changing the floppy, the same thing occurred, ie the
directory of the previous floppy was displayed.

I decided to check for the virus and downloaded McAfee's SCAN/CLEAN
package (Ver. 2.7 V57) from our public domain archive (Lancaster
University).  I ran the SCAN and it reported 1701/1704 Version B virus,
with id code [170X] in about 10 *.com files (command.com was one of
them).  I replaced the infected command.com (booted from a clean floppy,
ran SCAN, and replaced command.com), and then, since my backups are at
home, ran CLEAN, which claimed that it had repaired those remaining com
files.  Two of the infected files (CED.COM and DOSEDIT.COM) were OK, ie
following the CLEAN, I ran the CED (DOSEDIT - not at the same time), and
re-ran the SCAN, and everything was OK.
A number of other files (MODE.COM, MORE.COM, MOUSE.COM, LIST.COM,
GREP.CO) were apparently clean (CLEAN reported that it had successfully
recovered them) BUT after running them (they behaved as they should),
SCAN again reported that 1701/1704 was IN THE MEMORY, but couldn't find
them IN THE FILES.

Can anyone (maybe John McAfee) comment on that?

Best regards,

Nino

*******************************************************************************
*JANET: N.Margetic@uk.ac.ucl.euclid                   | Mr. Nino Margetic     *
*EARN/BITNET: N.Margetic%euclid.ucl.ac.uk@ukacrl      | University College    *
*INTERNET: N.Margetic%euclid.ucl.ac.uk@cunyvm.cuny.edu| Dept. of Med. Physics *
*Phone: [+ 044-1 | 01] 380-9846                       | 11-20 Capper Street   *
*FAX: [+ 044-1 | 01] 380-9577                         | London WC1E 6AJ       *
*******************************************************************************

------------------------------

Date: Tue, 27 Feb 90 01:13:00 -0500
From: JHSangster@DOCKMASTER.NCSC.MIL
Subject: Posting scan signatures.

Possibly a useful approach to posting virus scan patterns would be for
virologists to extract one or more segments of the virus code of, say,
1K bytes (that's a fairly reasonable 12 lines at 80 bytes per line).
From that posted segment or segments, the user community could
arbitrarily select a substring or substrings to use for recognition of
the virus.  Presumably no two users would select the same substrings, so
virus writers would have to alter the entire posted segment to escape
detection.  Yet the segment would not be executable (with luck!) so
posting it would not run the risk of spreading a "live" virus.

This leaves the question of how many bytes the user should include in
the scan pattern to avoid false alarms.  Possibly the person posting the
segment could provide guidance on this, or a general guideline could be
used based on the size of the storage device to be scanned.  (Anybody
know offhand the entropy per byte of virus code?)

Of course, viruses can be constructed which alter themselves at each
replication, making any search with a fixed string futile, or at best,
"challenging" to design.

- -John Sangster / JHSangster at dockmaster.ncsc.mil / (617) 235-8800
- SPHINX Technologies, Inc. / Post Office Box 81287, Wellesley Hills, MA 02181

------------------------------

Date: 27 Feb 90 16:48:56 +0000
From: bgsuvax!mckeeby@cis.ohio-state.edu (Jon Mckeeby)
Subject: Ping Pong Virus (PC)

An IBM PC with a hard disk in a lab of ours was infected with the Ping
Pong Virus.  I know that the Ping Pong Virus is a boot infector virus so
we removed it by using the DOS SYS command.  However, I have other
questions about the virus.  If you have an answer please reply via the
newsgroup or my mailing address: mckeeby@andy.bgsu.edu.

1. How does the virus spread?

2. Are there available detection/protection programs to safeguard
   against new infections.  What are they?

3. How is the virus activated?

4. What does the virus do besides infect the boot sector?

5. Is the DOS SYS command the best way to remove the infection?

6. Are there public domain programs to remove an infection of the
   ping-pong / bouncing ball virus?  What are they?

7. Is the ping-pong and the bouncing ball virus the same virus?

8. An infected user said they had the Brain virus on their disk and
   before using the infected ping-ponged hard disk it was clean.  Is
   there any correlation between these two viruses?  I don't think so,
   but I want to make sure.

Thank you very much for your time,

Jon McKeeby
Graduate Assistant
Microcomputer / Microcomputer Virus Support
Bowling Green State University

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
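Added example for John McAfee's "Virus Disinfections" note above (not code from the digest, from McAfee Associates or from any scanner): a Python check that compares an MZ executable's header-declared image size with its real length, plus a deliberately simplified model of an appending infector that trusts the header. It shows the failure mode McAfee describes: when the header understates the file size, the virus body lands on top of original bytes, and no disinfector can bring those bytes back. The MZ field layout is the standard DOS header; the sample EXE files, the overlay and the payload are constructed here, and the infector model is an illustration of the mechanism, not a description of Jerusalem's actual code.

```python
"""Compare an MZ (DOS EXE) header's declared size with the file's real size.

Added example, not code from the digest.  An appending EXE infector has to
decide where the original image ends; if it trusts the header and the header
understates the size (trailing overlay data, debug info, a sloppy linker),
the virus body lands on top of original bytes that no disinfector can bring
back.  The infector below is a simplified model of that behaviour, not a
description of Jerusalem's actual code.
"""
import struct

# The first 28 bytes of every MZ header: e_magic, then 13 little-endian words
# (e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss, e_sp,
#  e_csum, e_ip, e_cs, e_lfarlc, e_ovno).
MZ_HEADER = struct.Struct("<2s" + "H" * 13)
PAGE = 512


def header_declared_size(data: bytes) -> int:
    """Size of the load image in bytes, as claimed by e_cp and e_cblp."""
    if len(data) < MZ_HEADER.size or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    fields = MZ_HEADER.unpack_from(data)
    e_cblp, e_cp = fields[1], fields[2]
    # e_cp counts 512-byte pages; e_cblp is the number of bytes actually used
    # in the last page, with 0 meaning the last page is full.
    return (e_cp - 1) * PAGE + e_cblp if e_cblp else e_cp * PAGE


def header_consistency(data: bytes) -> dict:
    """Report whether the header accounts for every byte in the file."""
    declared, actual = header_declared_size(data), len(data)
    return {"declared": declared, "actual": actual,
            "trailing_bytes": actual - declared,
            "consistent": declared == actual}


def build_exe(code: bytes, overlay: bytes = b"", declare_overlay: bool = True) -> bytes:
    """Construct a minimal MZ file: a 32-byte header (2 paragraphs) followed by
    code and an optional overlay.  With declare_overlay=False the header stops
    counting at the end of the code: the 'inaccurate header' case."""
    header_len = 32
    counted = header_len + len(code) + (len(overlay) if declare_overlay else 0)
    e_cp, e_cblp = (counted + PAGE - 1) // PAGE, counted % PAGE
    hdr = MZ_HEADER.pack(b"MZ", e_cblp, e_cp, 0, header_len // 16, 0, 0xFFFF,
                         0, 0, 0, 0, 0, MZ_HEADER.size, 0)
    return hdr.ljust(header_len, b"\0") + code + overlay


def naive_append_infect(data: bytes, payload: bytes) -> bytes:
    """Model of an appending infector that trusts the header: it writes its
    body at the header-declared end of the image.  When the header is
    accurate this appends; when it understates the size, the payload
    overwrites whatever the header failed to count."""
    end = header_declared_size(data)
    return data[:end] + payload + data[end + len(payload):]


def infection_damage(original: bytes, payload: bytes) -> int:
    """Number of original bytes destroyed by naive_append_infect.  Anything
    non-zero here is unrecoverable by disinfection: the bytes are gone."""
    infected = naive_append_infect(original, payload)
    return sum(1 for a, b in zip(original, infected) if a != b)


# Constructed sample files (not real programs): 4 bytes of code that exits
# to DOS, 12 bytes of 'overlay' the program might read later, 8 bytes of
# pretend virus body.
CODE = b"\xB4\x4C\xCD\x21"        # mov ah,4Ch ; int 21h
OVERLAY = b"OVERLAY DATA"
PAYLOAD = b"\x90" * 8

if __name__ == "__main__":
    good = build_exe(CODE, OVERLAY)                         # header counts overlay
    bad = build_exe(CODE, OVERLAY, declare_overlay=False)   # header stops at code
    for name, exe in (("accurate header", good), ("understated header", bad)):
        print(name, header_consistency(exe),
              "bytes destroyed on infection:", infection_damage(exe, PAYLOAD))
```

Run against a real file, `header_consistency` is the pre-check a researcher would want before trusting any disinfector: a non-zero `trailing_bytes` value means the file is exactly the kind McAfee warns about, and the only safe recovery is the original distribution copy.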
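Added example for John Sangster's "Posting scan signatures" note above (not code from the digest or from Sangster): Python that works through his open question of how long a user-chosen substring must be. It measures the Shannon entropy of a posted code segment, turns a disk size and a target false-alarm rate into a minimum pattern length under the first-order assumption that unrelated bytes on the disk are independent draws at that entropy, and scans constructed sample files with a privately chosen substring. The segment and the files are constructed stand-ins; real executable code is far more regular than independent random bytes, so the computed length is a floor, not a guarantee.

```python
"""Choose and use a virus scan pattern from a posted code segment.

Added example, not code from the digest.  Works through John Sangster's
question: how long a substring of a posted segment must be before chance
matches on a disk of a given size become unlikely, using a first-order model
in which unrelated bytes are independent draws with the measured entropy.
Real executable code is far more regular than that, so treat the result as
a minimum, not a promise.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 for a single repeated value,
    8.0 when all 256 byte values are equally frequent)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def expected_false_alarms(device_bytes: int, bits_per_byte: float, pattern_len: int) -> float:
    """Expected number of chance matches of an n-byte pattern on a device
    whose bytes are modelled as independent with the given entropy."""
    return device_bytes * 2.0 ** (-bits_per_byte * pattern_len)


def min_pattern_length(device_bytes: int, bits_per_byte: float, max_false_alarms: float = 0.01) -> int:
    """Smallest n with expected_false_alarms(...) <= max_false_alarms."""
    return math.ceil(math.log2(device_bytes / max_false_alarms) / bits_per_byte)


def choose_pattern(segment: bytes, offset: int, length: int) -> bytes:
    """A user's private pick from the posted segment; different users pick
    different offsets, so a virus author cannot dodge them all by changing
    one spot."""
    return segment[offset:offset + length]


def scan(data: bytes, pattern: bytes) -> list:
    """Offsets of every occurrence of pattern in data (overlaps allowed)."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


# Constructed stand-in for a posted segment: 256 distinct byte values, so
# the entropy is exactly 8 bits/byte (real code would score lower).
SEGMENT = bytes(range(256))
ZEROS = b"\x00" * 2048
INFECTED = ZEROS + SEGMENT + ZEROS[:512]   # constructed: segment at offset 2048
CLEAN = ZEROS + bytes(reversed(SEGMENT))   # constructed: same bytes, other order

if __name__ == "__main__":
    disk = 40 * 1024 * 1024
    h = shannon_entropy(SEGMENT)
    n = min_pattern_length(disk, h)
    pattern = choose_pattern(SEGMENT, 16, n)
    print(f"entropy {h:.2f} bits/byte -> {n}-byte pattern for a {disk >> 20} MB disk,"
          f" ~{expected_false_alarms(disk, h, n):.4f} expected chance hits")
    print("infected:", scan(INFECTED, pattern), "clean:", scan(CLEAN, pattern))
```

The entropy figure is what drives the answer: at 8 bits/byte a 40 MB disk needs only a 4-byte pattern for under one chance hit in a hundred scans, but at 1 bit/byte (long runs of two values, as in padding or tables) the same budget needs 32 bytes. Measuring the posted segment's own entropy before picking a substring, and avoiding low-entropy stretches of it, is the practical guideline Sangster asks for.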