VIRUS-L Digest   Monday, 5 Mar 1990    Volume 3 : Issue 52

Today's Topics:

Virus catalog updated
Copyright on viruses?
request for info.
Re: Virus signatures & IBM virus scanner (PC)
Printer Related Virus? (Mac)
Memory scans vs. file scans
MIBSRV files updated (PC)
Unknown virus ??? (PC)
Scanning MAC diskettes on a PC
Re: Recover from *Virus* Infection (PC)
Re: Stoned Virus (PC)
DPMA Virus Workshop in NYC
New Trojan Warning! (Mac)
RE: Viruses and Copyrights (Part 2)
Re: Re: New variant of Cascade/1704 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  Administrative mail (comments, suggestions, and so forth)
should be sent to me at: krvw@SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    Thu, 01 Mar 90 10:59:41 -0600
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Virus catalog updated

I have just received and forwarded to the IBMPC anti-viral archive
sites an update to Dr. Brunnstein's virus catalog.  This gives a
detailed description of a number of viruses.  This release is an
addendum to previous releases; it does NOT replace them.

INDEX.290       Guide to Dr. Brunnstein's virus catalogs
MSDOSVIR.290    Feb 90 update to Dr. Brunnstein's MSDOS virus catalog

Jim

------------------------------

Date:    Thu, 01 Mar 90 17:14:57 +0000
From:    "Pete Lucas"
Subject: Copyright on viruses?

Copyright of virus code - remember that the copyright laws in many
countries are largely non-existent.
Do not assume that copyright law as operated in the USA/Europe/anywhere
else actually applies to the country where the virus is
written/copied/assembled/disassembled.

How can you even think of trying to enforce copyright?  If I
disassemble the virus with my disassembler, and someone else uses the
same disassembler on the same virus, so what?  You get the same
disassembly - that's what!

The whole question of copyrighting viruses is an irrelevant diversion
to the task of identifying the sources and writing disinfectors.

///Pete

------------------------------

Date:    Thu, 01 Mar 90 12:48:44 -0800
From:    matt@cs.uoregon.edu
Subject: request for info.

I am in the process of composing a paper for my Operating Systems
class, on the topic of worms, viruses, and trojan horses on
distributed systems.  Can anyone suggest (or better yet send) a good
article/book that they have read to fill me in on the basics.

____________________________________________________
Matthew Haramoto                 matt@cs.uoregon.edu
Computer Science Dept.           University of Oregon
____________________________________________________

------------------------------

Date:    26 Feb 90 21:02:03 +0000
From:    G.Moretti@massey.ac.nz
Subject: Re: Virus signatures & IBM virus scanner (PC)

> Re danger of publishing signature strings.

How about publishing the signatures that have been processed by a
one-way algorithm such as Xerox's SNEFRU?  Knowing the processed
signature would let you detect the original sequence without knowing
exactly which bytes were used to form the original sequence.

Possible?
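[Editor's added example, not part of the post above nor code from any list member.] The scheme just proposed can be tried out directly: the vendor publishes only a one-way digest of the signature together with its length, and the scanner hashes every window of that length in a file and compares digests. Python's standard library has no Snefru, so SHA-256 stands in for it here, and a 16-bit additive checksum is published alongside the digest as a cheap rolling pre-filter; the signature bytes and host file are constructed placeholders, not real virus code.

```python
"""Scan for a virus signature that was published only as a one-way hash.

Added example for the VIRUS-L thread on hashed signatures; not code from
the list.  SHA-256 stands in for Snefru.  All byte strings below are
constructed for illustration and are not real virus code.
"""
import hashlib
from typing import Optional


def publish_signature(signature: bytes) -> dict:
    """What a vendor would publish instead of the raw bytes.

    The length must be disclosed so a scanner knows how wide a window to
    hash.  The 16-bit additive checksum is a pre-filter: it leaks 16 bits
    about the signature but lets the scanner skip the SHA-256 of nearly
    every window.
    """
    return {
        "length": len(signature),
        "checksum": sum(signature) & 0xFFFF,
        "digest": hashlib.sha256(signature).hexdigest(),
    }


def scan_for_hashed_signature(data: bytes, published: dict) -> Optional[int]:
    """Return the offset of the first window whose digest matches, else None.

    The additive checksum is updated in O(1) per byte (subtract the byte
    leaving the window, add the byte entering it); the full hash is only
    computed on windows that pass the checksum.
    """
    n = published["length"]
    if n == 0 or len(data) < n:
        return None
    running = sum(data[:n]) & 0xFFFF
    for offset in range(len(data) - n + 1):
        if offset:
            running = (running - data[offset - 1] + data[offset + n - 1]) & 0xFFFF
        if running == published["checksum"]:
            window = data[offset:offset + n]
            if hashlib.sha256(window).hexdigest() == published["digest"]:
                return offset
    return None


# Constructed sample data: a made-up 20-byte "signature" inserted into a
# made-up host file at offset 100.  Nothing here is a real virus pattern.
SAMPLE_SIGNATURE = b"\xeb\x1c\x90\x90CONSTRUCTED-SIG\x00"
PUBLISHED = publish_signature(SAMPLE_SIGNATURE)

CLEAN_FILE = b"MZ" + bytes(range(256)) * 2
INFECTED_FILE = CLEAN_FILE[:100] + SAMPLE_SIGNATURE + CLEAN_FILE[100:]

if __name__ == "__main__":
    print("published:", PUBLISHED)
    print("clean    :", scan_for_hashed_signature(CLEAN_FILE, PUBLISHED))
    print("infected :", scan_for_hashed_signature(INFECTED_FILE, PUBLISHED))
```

Two properties of the scheme are visible in the code: the digest keeps the signature bytes out of the published list, but not out of reach of anyone who already holds a sample, because a hit tells the scanner exactly which window matched; and without the pre-filter the scan costs one hash per byte of every file, which is why a plain byte-string search stays far cheaper.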
- ----------------------------------------------------------------------------
| GIOVANNI MORETTI, Consultant       | EMail: G.Moretti@massey.ac.nz          |
| Computer Centre, Massey University | Ph 64 63 69099 x8398, FAX 64 63 505607 |
| Palmerston North, New Zealand      | QUITTERS NEVER WIN, WINNERS NEVER QUIT |
- ----------------------------------------------------------------------------

------------------------------

Date:    Fri, 02 Mar 90 03:45:08 -0500
From:    Peter Edward Popovich
Subject: Printer Related Virus? (Mac)

I have now seen at least 3 notices regarding what people originally
thought was WDEF.  ALL noted problems while printing.  ALL noted that
the virus was NOT detected by virus-detecting programs that are fully
capable of detecting WDEF.

I am left with one real thought: a new virus?

I know nothing about Macintoshes.  Our local power-users are
infinitely more familiar than I.  However, it occurs to me that a
resourceful person could possibly create a PDEF virus (Assuming there
is a PDEF to infect.)  Could a TECHNICALLY-ORIENTED PROGRAMMER please
check for me to see if PDEF exists?  If so, I suggest the probability
that someone has converted the WDEF idea into a PDEF.

Either way, could the people who reported the virus infections PLEASE
call one of the authors of the utilities they checked their computers
with?  They can't write a checker for a virus they don't have.  (Then
again, it's possible that the posters just didn't use the
virus-checkers correctly.)

Disclaimers apply, as always/No offense intended/Please read all
replies to this message that have been sent before replying.

Peter E. Popovich

------------------------------

Date:    Fri, 02 Mar 90 11:53:00 +0000
From:    RMAP222@EUCLID.UCL.AC.UK (on GEC 4190 Rim-E at UCL)
Subject: Memory scans vs. file scans

Since my earlier posting to this list (about a problem with SCAN
reporting a virus in the memory, and not in the file) a number of
things happened.
First, we did some hacking of cleaned programs, and found out that the
problem was indeed at the cluster boundary when DOS writes a file to
disk, which was subsequently confirmed by John McAfee, and when the
file is scanned, SCAN can't find anything in the file.

Now, I have a further question for the list.  Correct me if I am
wrong, but I believe that it shouldn't be too hard to calculate the
cluster boundary, and write zeroes to the end of the last cluster
which is occupied by the file, or, alternatively, write zeroes over
the full length of the file, and then update the directory entry.
That, I believe, should cure such problems and confusion.

Nino Margetic

*******************************************************************************
*JANET: N.Margetic@uk.ac.ucl.euclid                    | Mr. Nino Margetic    *
*EARN/BITNET: N.Margetic%euclid.ucl.ac.uk@ukacrl       | University College   *
*INTERNET: N.Margetic%euclid.ucl.ac.uk@cunyvm.cuny.edu | Dept. of Med. Physics*
*Phone: [+ 044-1 | 01] 380-9846                        | 11-20 Capper Street  *
*FAX:   [+ 044-1 | 01] 380-9577                        | London WC1E 6AJ      *
*******************************************************************************

------------------------------

Date:    Fri, 02 Mar 90 10:08:14 -0600
From:    James Ford
Subject: MIBSRV files updated (PC)

The following files have been added to MIBSRV.MIB.ENG.UA.EDU
(130.160.20.80) in the directory pub/ibm-antivirus for anonymous
FTPing:

SHEZ53.ZIP   - ZIP, ARC, PAK shell which can be configured to use SCAN
               on archive files.  (update)
VSUM9003.ZIP - Virus listing, March 3 1990 (update)

These files were downloaded directly from Homebase BBS on 3/1/90 at
11:30pm.  The files they replace (SHEZ51.ZIP and VSUM9002.ZIP) will
remain until 3/5ish/90 in case requests for them are pending at
BITFTP.

- ----------
We should go metric every inch of the way.
- ----------
James Ford - JFORD1@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU
University of Alabama in Tuscaloosa.

------------------------------

Date:    Fri, 02 Mar 90 12:47:56 +0000
From:    Mr. Andy Packham
Subject: Unknown virus ??? (PC)

I may have a problem with a virus but can't identify it.  The affected
file is a compression utility - when I run it the computer just hangs
and beeps at me; when I run the file after loading SCANRES the
computer just hangs.  I have another copy; both are the same size but
DOS COMP gives 10+ differences.  I've scanned the memory and the file
with SCAN 3.0V58 and F-SYSCHK 1.7 but neither shows anything.  Does
this sound like a virus?  The file has been moved to a floppy and
overwritten on the hard disk.  It's probably not a virus but the fact
that the sizes are the same has made me a bit wary.

Thanks in advance,

Andy Packham.

JANET      : A.Packham@uk.ac.umist
Internet   : A.Packham%umist.ac.uk@cunyvm.cuny.edu
EARN/BITNET: A.Packham%umist.ac.uk@UKACRL
UUCP       : A.Packham%umist.ac.uk@ukc.uucp
Post       : DIAS, UMIST, Manchester, M60 1QD, U.K.

------------------------------

Date:    Fri, 02 Mar 90 15:00:34 -0500
From:    Peter Jones
Subject: Scanning MAC diskettes on a PC

After reading how the WDEF virus on the MAC propagates when an
infected disk is inserted in the MAC, I would like to suggest the
approach of using a PC with a 3 1/2 drive to scan the MAC diskettes
and check for viruses.  Assuming the PC hardware can read everything
the MAC can, this would be safer, IMHO, than using a MAC for this
task, for the chance of a virus being able to infect both a MAC and a
PC seems remote.

Using the MAC to scan DOS diskettes may also be possible, but
something would have to be done to prevent the MAC from assuming the
disk is legitimate when inserted.

This approach would also avoid the casual approach taken by some lab
supervisors, who simply put scan/disinfection tools on one of the lab
machines, without making sure

1) The machine is booted from a "clean" operating system
2) The user is aware of how to use the tools properly.

With this approach, virus victims would have to go to a special
station to be disinfected.
Peter Jones  MAINT@UQAM  (514)-987-3542
"Life's too short to try and fill up every minute of it" :-)

------------------------------

Date:    Sat, 03 Mar 90 19:27:21 +0000
From:    gm@cunixa.cc.columbia.edu (Gary Mathews)
Subject: Re: Recover from *Virus* Infection (PC)

moncol!c2810@princeton.edu (SATYAJIT CHATTERJEE) writes:

>We discovered the Stoned Virus in our PC's recently.  Does anyone have
>any suggestions on how to get rid of this.  We have hundreds of users
>who have their own floppies, most of them infected I suppose.  It would
>be difficult to call them all in.  Is there some way of automating
>this?  Any suggestions will be appreciated.

All the common virus problems can be cured by the public domain
program cleanp written by John McAfee.  It can cure up to about 65 or
so known viruses.  The latest version is 58, I think, which can be
reached from SIMTEL via ftp.  Just "ftp 26.2.0.74" and download
"cleanp57.zip" for the clean program and also "scanv58.zip" for the
virus scanner.  If you don't have pkzip to uncompress these archives
then you need to download "pkz102.exe" also.  You will need to scan
the disks to know what virus to disinfect.

I have removed the "Stoned", "Ping-Pong" and "Jerusalem" viruses from
various computers at work and in the lab.  The "stoned" virus is
really stupid because it infects the boot sector of all disks, even
non-bootable disks which cannot spread the virus and end up as
carriers.  Luckily it doesn't infect files.

This program has helped many people with the problem of computer
viruses.  I don't know what else we can do with these stupid virus
programs besides delete them when we're infected.  It will be a good
idea to use McAfee's scan program on all disks you come in contact
with before using them.  Never trust a strange disk !

If there are any more problems or questions - just send them out to
the net ...  Viruses are a common problem and we all need to know how
to deal with them.  Even John McAfee, himself, is listening.

Gary Mathews

P.S.  To all you people creating the viruses --- I think you're scum !!!!!!!

- ---------------------------------------------------------------------------
Gary Jason Mathews        | gm@cunixd.cc.columbia.edu
Columbia University       | Death is life's way of telling you you've been fired.
- ------------------------+ CPU time flies when you have a lot of bugs

------------------------------

Date:    Sat, 03 Mar 90 20:07:45 +0000
From:    gm@cunixa.cc.columbia.edu (Gary Mathews)
Subject: Re: Stoned Virus (PC)

moncol!c2810@princeton.edu (SATYAJIT CHATTERJEE) writes:

>We discovered the Stoned Virus in our PC's recently.  Does anyone have
>any suggestions on how to get rid of this.  We have hundreds of users
>who have their own floppies, most of them infected I suppose.  It would
>be difficult to call them all in.  Is there some way of automating
>this?  Any suggestions will be appreciated.

I told you how to clean a disk, but I didn't really answer your
question.  After you get the clean program, you can run it in a simple
batch file as follows:

- -------------------------- cut here ----------------------------------------
@echo off
:retry
echo Insert disk to clean in drive A:
echo (Press any key to continue or Ctrl-C to quit)
pause > nul
rem CLEAN takes the drive to disinfect, then the virus name in brackets
clean a: [stoned]
rem loop back so the next floppy can be inserted
goto retry
- -----------------------------------------------------------------------------

You should have each user run this with all their disks.  I hope this
solves your virus problem !

- ---------------------------------------------------------------------------
Gary Jason Mathews        | gm@cunixd.cc.columbia.edu
Columbia University       | Death is life's way of telling you you've been fired.
- ------------------------+ CPU time flies when you have a lot of bugs

------------------------------

Date:    03 Mar 90 23:03:40 +0000
From:    spaf@cs.purdue.edu (Gene Spafford)
Subject: DPMA Virus Workshop in NYC

What:          3rd Annual Computer Virus Clinic
Sponsored by:  DPMA, Financial Industries Chapter
Dates:         March 14 & 15, 9-5 both days
Place:         New York World Trade Center

The Clinic (workshop) will have two tracks, one for managers and one
for security technicians.  All attendees receive a copy of the clinic
proceedings.  The second day will feature presentations on current
virus protection products including demonstrations and ratings.

Scheduled speakers:

March 14
   Stephen Purdy, U.S. Secret Service
   Sally Meglethery, NY Stock Exchange
   Dennis Steinauer, NIST (NBS)
   Eugene Spafford, Purdue University
   Thomas Duff, Bell Labs
   Jon R. David, Systems R&D
   Ken van Wyk, Computer Emergency Response Team (CERT)
   Sanford Sherizan, Data Security Systems

March 15
   Dick Lefkon, Citicorp
   Gail Thackeray, Arizona Asst Attorney General
   Fred Cohen, A. S. P.
   Pamela Kane, Panda Systems
   Mark Rasch, U.S. Attorney's Office
   Marc Rotenberg, CPSR
   Donn Parker, SRI International
   Harold Highland, SUNY

Cost:  $275 for 1 day
       $375 for both days
       $100 discount for full time students & academic faculty from
            accredited institutions
       Fourth attendee from a group is provided with complimentary
            registration.

To register, call 800 835-2246, operator 190.

- --
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf

------------------------------

Date:    28 Feb 90 17:18:00 -0800
From:    harvard!applelink.apple.com!D1660@GARP.MIT.EDU
Subject: New Trojan Warning! (Mac)

A new Trojan horse on the Macintosh has been discovered.  This one
poses as a program designed to give out Virus information.  The copy I
saw was called 'Virus Info'.
It starts by displaying a terse warning about being more careful about
what you run on your Macintosh.  Then it does the following damage.
It first attempts to delete the Finder on the current system disk.  If
the delete succeeds, the Trojan continues by attempting to zero the
first 50 sectors of the system disk (thus destroying the volume info,
bitmap, directory, etc.).  If the Finder delete fails (this will fail
if you are running MultiFinder), the Trojan puts up an error alert and
exits.  SO, the Trojan seems to do NO damage if you are using
MultiFinder (I don't guarantee this, but it never seemed to damage
anything when I was using MultiFinder).

I did not do a complete examination of the program, so it's possible
the Trojan is also doing something else which I didn't notice.  I also
did not check to see whether the Trojan attempted to damage volumes
other than the current system volume.

For SAM users:  If you are using SAM in advanced mode, then you will
be alerted to this Trojan's attempts to overwrite the volume info and
directories.  Denying these attempts prevents damage to the volume and
directory info.  (Note: If you have a very small system disk, such as
a floppy, then it is possible that the desktop file or some other file
might be damaged by this Trojan.)

Paul Cozza

------------------------------

Date:    Fri, 02 Mar 90 14:13:00 +0000
From:    "Olivier Crepin-Leblond"
Subject: RE: Viruses and Copyrights (Part 2)

In VIRUS-L V3.51 the moderator (K. Van Wyk) writes in an article by
David Brierley :

>Subject: Viruses and Copyrights (Part 2)
>
>[Ed. For what it's worth, I believe that some versions of the Brain
>virus included a copyright notice in the ASCII header.]

The Brain virus was written by Mohammed Farooq Alvi in Lahore
(Pakistan) and was used initially to protect their own software from
being pirated.  The Alvi brothers sold "bad" copies of their programs
to Americans who then had to pay an additional amount of money to get
the program they bought to work.
That's probably why there was a copyright notice included in the header.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|Olivier M.J. Crepin-Leblond, Comp. Sys. & Elec. Eng    | On this computer,    |
|Electrical & Electronic Eng, King's College London, UK | a flame-proof        |
|BITNET  :                                              | shield, is an        |
|INTERNET:                                              | expensive gadget...  |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

------------------------------

Date:    Fri, 02 Mar 90 17:17:00 +0100
From:    swimmer@fbihh.informatik.uni-hamburg.de (Morton Swimmer)
Subject: Re: Re: New variant of Cascade/1704 (PC)

>I now have a copy of the virus in question, and it appears that this
>has nothing to do with Novell networks - it is just a new variant of
>the virus.

>It is possible that this virus was created by a random mutation, which
>seems to have changed one JA instruction into JNE, but it is not
>certain.

I hate to disappoint you, but there are literally dozens of variations
of the Cascade/1704 virus.  Most of them reside mainly in Vienna, and
most seem to have stayed there.  This goes also for the Vienna virus.
Although it may be useful to have looked at all of them, at the moment
I have enough to do.  Perhaps one should say that Vienna can be
dangerous to your computer's health, but soon we can say that of
nearly everywhere, so what's the point.

>Because the author of 1704 did not include self-correcting Hamming
>code in the virus :-), the mutation spread - and spread faster than

Now that would indeed be funny.  As I am sure some virus programmers
read virus-l, perhaps we'll see one soon.

>All programs which are able to detect and remove the "standard" 1704
>virus should also be able to handle this variant.

But should they?  Say a new variant of 1704 comes along where the
original code is not saved at the same location, what then?

Cheers, Morton
Virus Test Center, University of Hamburg

Morton Swimmer, Virus Test Center, University of Hamburg,
Schlueterstr. 70, 2000 Hamburg 20, FRG.
dnet: swimmer@fbihh.informatik.uni-hamburg.de

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253