VIRUS-L Digest   Thursday, 8 Mar 1990    Volume 3 : Issue 55

Today's Topics:

VIRUS-L/comp.virus delays
Disk Killer Virus (PC)
Re: Recover from *Virus* Infection (PC)
Re: Viruses and Copyrights (Part 2)
Re: Scanning MAC diskettes on a PC
Is the Joker a virus? (PC)
Re: Scanning MAC diskettes on a PC
Jerusalem B Virus (PC)
Jerusalem B
Copyrights of virus codes & international law
Re: RE: Viruses and Copyrights (Part 2)
The Twelve Tricks (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  Administrative mail (comments, suggestions, and so forth)
should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    Thu, 08 Mar 90 13:30:00 EST
From:    Kenneth R. van Wyk
Subject: VIRUS-L/comp.virus delays

Sorry about the delay in getting this digest out, folks.  We've been
re-organizing our internal network somewhat...  As a result, I have a
new email address: krvw@CERT.sei.cmu.edu.  The old address,
krvw@sei.cmu.edu, will continue to work, but the new one is preferred -
also, outgoing digests and news are now being sent from the new
address.  Sorry about any inconvenience.

Cheers,

Ken

Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
krvw@CERT.SEI.CMU.EDU
(412) 268-7090  (24 hour hotline)

------------------------------

Date:    Tue, 06 Mar 90 16:29:03 -0500
From:    Ed Brill
Subject: Disk Killer Virus (PC)

A user on campus reports the following message:

   "Disk Killer V1.0 by Computer Ogre 4/1/89"

along with

   "Do not turn off this machine or remove the disk from the drive
   during processing".

An older version of McAfee's program did not find any information.  As
far as the system owner can tell, no data has been damaged.  Has anyone
encountered this program before, and have any ideas on what to do about
it?

Ed Brill -- University Computing Services  | SysOp, The IU PC-Link Central BBS
Indiana University, Bloomington, IN 47405  | (812) 855-7252 -- 3/12/24/96/14.4
INTERNET: ebrill@subcomm.ucs.indiana.edu   | KA9TAW @ K9IU [ham radio packet]
"You mean BITNET isn't the only network we have to access the outside world?"

------------------------------

Date:    06 Mar 90 21:43:44 +0000
From:    kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: Recover from *Virus* Infection (PC)

gm@cunixa.cc.columbia.edu (Gary Mathews) writes:
>moncol!c2810@princeton.edu (SATYAJIT CHATTERJEE) writes:
>>We discovered the Stoned Virus in our PC's recently. Does anyone have
>>any suggestions on how to get rid of this. We have hundreds of users
>>who have their own floppies, most of them infected I suppose. It would
>>be difficult to call them all in. Is there some way of automating
>>this? Any suggestions will be appreciated.
>
> All the common virus problems can be cured by the public
>domain program cleanp written by John McAfee. It can cure up to
>about 65 or so known viruses. The latest version is 58, I think,

Just a small note here: the McAfee utilities ARE NOT PUBLIC DOMAIN.
They are in fact SHAREWARE or commercial licensing...
If you wish to utilize them on a day-to-day basis you should ethically
pay the requested fee...  (For the amount of protection you are
obtaining it's REAL CHEAP...!!)  No, this isn't a flame, just a reminder
that shareware will disappear or go completely commercial if WE don't
support it.....

cheers
kelly

------------------------------

Date:    06 Mar 90 21:53:31 +0000
From:    kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: Viruses and Copyrights (Part 2)

ZDEE699@ELM.CC.KCL.AC.UK (Olivier Crepin-Leblond) writes:
>In VIRUS-L V3.51 the moderator (K. Van Wyk) writes in an article
>by David Brierley :
>>Subject: Viruses and Copyrights (Part 2)
>>
>>[Ed. For what it's worth, I believe that some versions of the Brain
>>virus included a copyright notice in the ASCII header.]
>
>The Brain virus was written by Mohammed Farooq Alvi in Lahore

Just as an additional note: due to a peculiarity in Pakistani law ...
there is NO copyright law....  Mohammed wasn't selling copies of his
own software; he was selling illegally copied commercial software
packages...  Pakistani users' copies wouldn't be infected, but
Americans and westerners in general would receive infected copies...
Intrusive copy protection to protect illegally purloined software ISN'T
copy protection; it's simply one unethical act in addition to illegal
copying.......

>(Pakistan) and was used initially to protect their own software from
>being pirated. The Alvi brothers sold "bad" copies of their programs
>to Americans who then had to pay an additional amount of money to get
>the program they bought to work. That's probably why there was a
>copyright notice included in the header.
------------------------------

Date:    06 Mar 90 15:32:12 +0000
From:    MINICH ROBERT JOHN
Subject: Re: Scanning MAC diskettes on a PC

MAINT@UQAM.BITNET (Peter Jones) writes:
> After reading how the WDEF virus on the MAC propagates when an
> infected disk is inserted in the MAC, I would like to suggest the
> approach of using a PC with a 3 1/2 drive to scan the MAC diskettes
> and check for viruses. Assuming the PC hardware can read everything
> the MAC can, this would be safer, IMHO, than using a MAC for this
> task, for the chance of a virus being able to infect both a MAC and a
> PC seem remote.

There are some bad assumptions in the above.

1) PCs cannot read Macintosh formatted floppies, unless you have some
   sort of hardware specifically made for that purpose.

2) WDEF travels when an infected disk is inserted into an UNPROTECTED
   Mac.

3) There is a free, easy-to-use program called GateKeeper-Aid that,
   when placed in the System Folder of the startup disk, will kill WDEF
   on ANY disk "touched" by the Mac at startup time or any time before
   a reboot.  If you have an infected Mac and you put GateKeeper-Aid in
   your Sys Folder and reboot, you no longer have WDEF.  From that point
   on, just inserting an infected disk will activate GK-A, which will
   remove WDEF.  Real simple.  Expense: ~10K on the startup disk.

Aside from the facts that PCs don't read Mac disks and WDEF is the
easiest virus to prevent/stop/remove/be-rid-of, someone would have to
write the software for the PC that recognizes the resource fork of
files that Macs use.  This is not a minimal task, whereas a Mac program
that uses the Mac's OS is pretty trivial to write.  Other virii are a
bit more difficult to remove, but still not at all difficult.  (The
changes they make are known and the reversal of such changes is almost
always a simple remove XX and YY, copying this bit of data from XX
which was originally here in ZZ, part of the REAL program.  OK, take my
word for it -- this is NOT the programming challenge of the year by a
long shot.)  The removal is the easy part.  Reading a Mac disk without
the Mac's OS is a bit more of a trick.

> Using the MAC to scan DOS diskettes may also be possible, but
> something would have to be done to prevent the MAC from assuming the
> disk is legitimate when inserted.

I *think* you refer to the way that Macs respond to a disk being
inserted automatically whereas PCs don't care.  A Mac CAN read MS/DOS
1.4MB floppies (not all Mac models, though...) and the mounting problem
could be worked around, but overall, using a completely different
computer to scan a given disk is quite a programming challenge (at
least in one direction), not to mention, chances are that anything the
non-native virus checker found would certainly be detectable/treatable
at a much earlier date by a native virus checker.  And would you be
willing to lag behind a few months after a virus became widespread
before you could stop or deal with it?

> This approach would also avoid the casual approach taken by some lab
> supervisors, who simply put scan/disinfection tools on one of the lab
> machines, without making sure
> 1) The machine is booted from a "clean" operating system
> 2) The user is aware of how to use the tools properly.

I don't know enough of the PC world to comment about this, but for
Macs, the virus prevention combo of GateKeeper-Aid and Vaccine will
stop all the virii *I* know of from spreading.  GK-A will remove WDEF
infections and Vaccine will either flag suspicious modifications
attempted by virii, or crash, both of which give a pretty good
indication a virus is present.  If you dedicate a Mac to checking for
virii (an admittedly expensive proposition -- if one Mac has
Multifinder running, keeping Disinfectant going is an elegant sort of
solution) you could have Vaccine and GK-A in the Sys Folder and have
Disinfectant (a free, thorough detection/removal program) running in a
mode where it scans any floppy inserted into a drive and removes any
virii found, spitting the floppies out after it's done.  A dedicated
Mac could even have the mouse removed, effectively crippling it for any
other uses.

> With this [scan Mac disks on PCs] approach, virus victims would have to go
> to a special station to be disinfected.
> Peter Jones   MAINT@UQAM   (514)-987-3542

I think that's just about what I suggested, more or less.

In summary, using a PC to disinfect Mac disks is an interesting idea,
but more likely it is a lot more trouble than it's worth.  The Mac
virii are easy to catch with currently available software.  WDEF, the
most virulent virus I know of, is also the easiest to stop.  (If
someone happens to be using a Mac that has GK-A in the Sys Folder, just
pop in your disk for a sec, and if WDEF is there, you'll find out, and
then it will be gone!  No need to interrupt work to run a virus
scanning application!)  Vaccine will stop all other virii that I know
of from spreading, but you must 1) have it on the startup disks used so
that Vaccine is present when the virus tries to move, usually with the
starting of a program and 2) run a virus scanning program to find and
remove a stopped virus.  Disinfectant will find and remove all the
known Mac virii and is easy to use.  All the mentioned software is 100%
free and easily accessible on the net, most notably the info-mac
archives at Sumex-aim.stanford.edu.

If your Macs have hard disks, put GK-A and Vaccine in the Sys Folder,
and you'll stop all the virii I know of from spreading.  If you use a
floppy system (OSU does at the moment...), at least put GK-A and
Vaccine on any startup disks you provide and it will be pretty obvious
when a virus shows up, at which point Disinfectant can remove the virus
causing the problem.

Robert Minich
Oklahoma State University
(Just a concerned student, no *official* title)
minich@a.cs.okstate.edu

Disclaimer: I've re-read this a couple times for accuracy.  All the
above is to the best of my knowledge true, and is definitely true in
spirit.  (Any challenges?)  If there are any errors or questions, send
me mail and I'll try to help.

The virus problem on the Mac is not a difficult one to deal with, even
though in a public lab you will have more people than you can believe
bringing in infected disks.  The best we can do is "the BEST we CAN
do."  That includes letting users know what is going on and trying to
explain how to practice safe HEX, etc.  (A nice LARGE posting in a
prominent place could save a LOT of aggravating questions.  A flyer
would also be nice to give more detailed info for those who ask.  That
will cut the number of questions down dramatically...)

A LAST LITTLE NOTE ON SOMETHING BEING DONE TO HELP PUT THIS VIRUS STUFF
BEHIND ALL OF US

I have read somewhere here in the news that Apple put out a note
mentioning that copy protection schemes on the Mac were likely to fail
with some unspecified new hardware.  (I don't know of any time frame on
this...)  Basically, they said that it would not be possible to access
the hardware from software, I presume as a safety measure to prevent
virii and other similar ilk from doing damage by bypassing the OS.
This will be a welcome change.  If anyone from Apple is reading this,
THANKS IN ADVANCE!  Hopefully this is just ONE measure in defending our
computers against virii.  I would like to see EVERY manufacturer take
such measures.
(Note that you can always rest assured that a locked floppy [the write
protect tab set to lock] on a Mac is a READ ONLY disk, as the Mac drives
use a hardware interlock.)  Still, the above development is much much
much better.

------------------------------

Date:    Wed, 07 Mar 90 10:55:51 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Is the Joker a virus? (PC)

Some of you may have a copy of the Joker (or Jocker) program from
Poland, the one that arrived in the same package as the W13 and Vcomm
viruses.

The question is - is this program a virus?  I have not yet been able to
get it to replicate, but McAfee claims it is a virus.  So, those of you
with a copy of the program - please send me a note if you have been able
to make it behave like a virus.

While on the subject of the Polish viruses - we really need a different
name for the Vcomm virus.  The reason for the name is that the
disassembly was named VCOMM.ASM.  However, it had been created by the
program SOURCER, from "V communications" (an excellent product, by the
way), but because the virus is in no way connected to the company, the
name is hardly suitable.  Any suggestions?  "Polish virus"?  "Polish
EXE virus"?

- -frisk

------------------------------

Date:    Wed, 07 Mar 90 08:57:02 -0500
From:    Brian Piersel
Subject: Re: Scanning MAC diskettes on a PC

On Tue, 06 Mar 90 01:12:47 -0500 Howard Haruo Fukuda said:
>MAINT@UQAM.BITNET (Peter Jones) writes:
>>After reading how the WDEF virus on the MAC propagates when an
>>infected disk is inserted in the MAC, I would like to suggest the
>>approach of using a PC with a 3 1/2 drive to scan the MAC diskettes
>>and check for viruses. Assuming the PC hardware can read everything
>>the MAC can, this would be safer, IMHO, than using a MAC for this
>>task, for the chance of a virus being able to infect both a MAC and a
>>PC seem remote.
>
>I don't think a PC equipped with a 3.5" drive can read a Mac formatted
>disk.  A Mac formats the disk to 800K by using a variable speed
>controller which puts more data on the outer rings of the disk than on
>the inner ones.  I'm not sure if it's possible to override the ROM on a
>PC, but this would be pretty extreme measures.  IMHO it's not really
>necessary to do this.

I've tried to read an 800K CP/M disk (formatted on a C-128) on a PC,
and the hardware just isn't capable of doing that.  In this case, the
disks have 10 sectors/track, and PC drives can't read more than 9.  In
the case of the Mac, with variable speed drives, that sure wouldn't
work without hardware modifications.  No way to change drive speed
through software.

- - Brian Piersel
SPBK09@SDNET.BITNET

------------------------------

Date:    07 Mar 90 17:58:56 +0000
From:    gt0159a%prism@gatech.edu (LEVINSON,MARC LOUIS)
Subject: Jerusalem B Virus (PC)

We have just experienced a rash of Jerusalem B in our MS-DOS machines in
the Industrial Engineering complex.  I used McAfee's CLEANP utility, but
was unable to recover most of the files which were infected - all it did
was render the virus harmless (dead?).  The documentation makes special
note about Jerusalem B being the exception to the effectiveness of this
utility.

Has anybody got a better utility for killing the Jerusalem B virus?  It
seems to be constantly circling campus and I'm tired of having to
restore from backups.

Please E-mail suggestions or utilities to:

   marc@isye.gatech.edu (my IE account)
or to
   gt0159a@prism.gatech.edu (my GT account).

Thanks, Marc.

- --
LEVINSON,MARC LOUIS
Georgia Institute of Technology, Atlanta Georgia, 30332
uucp:     ...!{allegra,amd,hplabs,seismo,ut-ngp}!gatech!prism!gt0159a
ARPA:     gt0159a@prism.gatech.edu

------------------------------

Date:    07 Mar 90 17:50:27 +0000
From:    garth!dbarnes@unix.sri.com (Dave Barnes)
Subject: Jerusalem B

Could someone please e-mail me a description of the Jerusalem B virus
and explain, in layman's terms, how it works?
I'm not very technical, but a friend got a case of it and this has
caused me to be curious about it.

Thanks.

- ----------------------------------------------------------
David Barnes          UUCP: {pyramid,sri-unix,ingr}!apd!dbarnes
415/852-2365          USPS: Intergraph APD, 2400 Geng Road,
                            Palo Alto, CA 94303
- ----------------------------------------------------------

------------------------------

Date:    Wed, 07 Mar 00 15:46:55 -0500
From:    Stuart Milligan
Subject: Copyrights of virus codes & international law

> Copyright of virus code - remember that the copyright laws in many countries
> are largely non-existent. Do not assume that copyright law as operated in
> the USA/Europe/anywhere else actually applies to the country where the virus
> is written/copied/assembled/disassembled. How can you even think of trying
> to enforce copyright?
>                                                      Pete Lucas

This is simply not true.  Very few nations do not have some form of
protection for literary and artistic works.  The U.S. is a signatory of
two important international treaties governing copyright.  The oldest
international convention is the Berne Convention, signed at Berne,
Switzerland by 10 nations on September 9, 1886, with major revisions
taking place at Paris, France in 1971.  Many nations are signatories of
that treaty.  As of 1986, 76 countries are Berne members.  The U.S.
only very recently became an adherent of this convention.  (Refer to
the Berne Convention Implementation Act of 1988, which became effective
March 1, 1989.)  The Universal Copyright Convention, signed at Geneva,
Switzerland on September 6, 1952 is the other major international
treaty, to which the U.S. became a signatory on September 16, 1955.  As
of October 1, 1988, 78 nations adhere to this convention.  There are
also other international treaties (the Buenos Aires Convention is one
of them) and bilateral copyright relations existing between many
nations.

The fundamental principle of these international treaties is that
copyright protection is based upon "national treatment."  That is to
say that works entitled to the benefits of the conventions enjoy in
each member country the advantages given to the works of nationals of
the country where protection is sought.  This is to say that, depending
on the date of copyrighted works, there is a great deal of protection
available for your works that might have been let loose in another
country within that very country, by virtue of the international
copyright treaties currently in place.  Enforcing them is, of course,
the duty of copyright owners, but they do have a considerable judicial
forum in which to launch and protect the interests in their original
works of authorship.

If viruses/trojan horses are excluded as proper subject matter that
qualifies for copyright and can be registered in the Copyright Office
of the Library of Congress, then those who write disassembler programs
may be free to do so and claim copyright in those programs without
infringing the derivative work right of the author of the virus code.

> The whole question of copyrighting viruses is an irrelevant diversion to
> the task of identifying the sources and writing disinfectors.
>                                                      Pete Lucas

The copyright issue is not an "irrelevant diversion."  The standard of
eligibility for securing copyright in marginal works of authorship is
tied to the concept of "originality."  Apparently, pornographic works
meet the standard of originality and can be copyrighted - I'm not sure
if the Copyright Office refuses to register them.  If they do allow
registration, why not virus code, if an author is brazen or stupid
enough to formally register it?  I would hope that U.S. lawmakers would
disallow registration and exclude virus code from proper subject
matter.  This is probably wishful thinking.  Keep the copyright issues
flowing and on the burner.
______________________________________________________________________________
"You need only one paddle for answers; you need both for good questions"  -SM

Stuart Milligan
Drake Memorial Library
SUNY at Brockport
Brockport, NY 14420
(716) 395-2508

------------------------------

Date:    07 Mar 90 22:16:08 +0000
From:    len@csd4.csd.uwm.edu (Leonard P Levine)
Subject: Re: RE: Viruses and Copyrights (Part 2)

>> The Brain virus was written by Mohammed Farooq Alvi in Lahore
>> (Pakistan) and was used initially to protect their own software from
>> being pirated.
>
> This is a myth, I think.  I can't think of any feature of the virus
> that would help protect software from being pirated.  Viruses are
> basically irrelevant to copy-protection.  DC

My understanding of the problem of the Farooq brothers is that they
were distributing (legally in Pakistan) pirated copies of software.
They deliberately infected disks that they believed were going OUT of
Pakistan, as distribution of the pirated stuff outside of their country
was not lawful.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.cs.uwm.edu  |
| Professor, Computer Science        Office (414) 229-5170       |
| University of Wisconsin-Milwaukee  Home   (414) 962-4719       |
| Milwaukee, WI 53201 U.S.A.         FAX    (414) 229-6958       |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

------------------------------

Date:    08 Mar 90 08:43:33 +0000
From:    mtv@milton.u.washington.edu (David Schanen)
Subject: The Twelve Tricks (PC)

I haven't seen any mention of this virus (actually a trojan).  Has
anyone had any exposure?

-Dave

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
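Editor's worked example for Robert Minich's point in the "Scanning MAC diskettes on a PC" thread above: before a PC-side scanner could look for WDEF at all, it would have to understand the Macintosh resource fork, because the WDEF virus lived as a 'WDEF' resource inside a disk's Desktop file rather than as ordinary file data. The Python below is an added example, not code from the digest, from GateKeeper-Aid or from Disinfectant. It builds a small resource fork in memory and walks it the way a scanner would. The fork layout (16-byte header, length-prefixed resource data, a map holding a type list and per-type reference lists) follows the classic Resource Manager format; everything else is constructed for illustration: the sample resources, the fake WDEF payload, and the rule "any WDEF resource in a file named Desktop is suspicious" are this example's own simplifications, not the real virus's signature.

```python
"""Walk a classic Macintosh resource fork and flag WDEF resources.

Added example, not code from the digest or from GateKeeper-Aid/Disinfectant.
The fork bytes come from build_fork(); the resource IDs, payloads and the
"any WDEF in Desktop is suspicious" rule are constructed for illustration.
"""
import struct

DATA_START = 256   # data conventionally starts after the 16-byte header + 240 reserved bytes
MAP_FIXED = 28     # map: 16-byte header copy, 4 handle, 2 refnum, 2 attrs, 2 typelist, 2 namelist


def build_fork(resources):
    """Assemble a resource fork from [(type4, id, payload), ...] (constructed input)."""
    data, offsets = b"", []
    for _, _, payload in resources:
        offsets.append(len(data))
        data += struct.pack(">I", len(payload)) + payload      # each item is length-prefixed

    by_type = {}                                                # group references per type
    for (rtype, rid, _), off in zip(resources, offsets):
        by_type.setdefault(rtype, []).append((rid, off))

    type_list_len = 2 + 8 * len(by_type)
    type_list = struct.pack(">H", len(by_type) - 1)             # stored as count minus one
    ref_lists = b""
    for rtype, refs in by_type.items():
        ref_off = type_list_len + len(ref_lists)                # relative to start of type list
        type_list += rtype.encode("latin-1") + struct.pack(">HH", len(refs) - 1, ref_off)
        for rid, off in refs:
            # id, name offset (-1 = unnamed), 1 byte attrs + 24-bit data offset, 4-byte handle
            ref_lists += struct.pack(">hhI", rid, -1, (0 << 24) | off) + b"\0" * 4

    map_len = MAP_FIXED + len(type_list) + len(ref_lists)
    header = struct.pack(">IIII", DATA_START, DATA_START + len(data), len(data), map_len)
    res_map = header + b"\0" * 8 + struct.pack(">HH", MAP_FIXED, map_len) + type_list + ref_lists
    return header + b"\0" * (DATA_START - 16) + data + res_map


def parse_fork(fork):
    """Return [(type, id, payload)] from a resource fork, refusing out-of-range offsets.

    The fork comes off an untrusted disk, so every offset read from it is
    checked against the header lengths before it is dereferenced.
    """
    if len(fork) < 16:
        raise ValueError("too short for a resource header")
    data_off, map_off, data_len, map_len = struct.unpack_from(">IIII", fork, 0)
    if data_off + data_len > len(fork) or map_off + map_len > len(fork) or map_len < MAP_FIXED:
        raise ValueError("header points outside the fork")
    type_list_off, _name_list_off = struct.unpack_from(">HH", fork, map_off + 24)
    tl = map_off + type_list_off
    ntypes = struct.unpack_from(">H", fork, tl)[0] + 1
    if tl + 2 + 8 * ntypes > map_off + map_len:
        raise ValueError("type list runs past the map")
    found = []
    for i in range(ntypes):
        rtype, last, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
        for j in range(last + 1):
            rid, _name, attr_off = struct.unpack_from(">hhI", fork, tl + ref_off + 12 * j)
            doff = attr_off & 0xFFFFFF                          # low 24 bits = data offset
            if doff + 4 > data_len:
                raise ValueError("reference points outside resource data")
            plen = struct.unpack_from(">I", fork, data_off + doff)[0]
            if doff + 4 + plen > data_len:
                raise ValueError("truncated resource payload")
            start = data_off + doff + 4
            found.append((rtype.decode("latin-1"), rid, fork[start:start + plen]))
    return found


def suspicious_wdef(filename, resources):
    """Simplified rule (this example's assumption): report WDEF resources in a Desktop file."""
    if filename != "Desktop":
        return []
    return [(t, i) for t, i, _ in resources if t == "WDEF"]


# Constructed sample: two icons plus a fake WDEF; the payload bytes are invented.
SAMPLE = [
    ("ICN#", 128, b"\xff" * 8),
    ("WDEF", 0, b"\x60\x00\x00\x10" + b"WDEF-SAMPLE"),
    ("ICN#", 129, b"\x0f" * 8),
]

if __name__ == "__main__":
    fork = build_fork(SAMPLE)
    found = parse_fork(fork)
    for rtype, rid, payload in found:
        print(f"{rtype} id={rid:>5} {len(payload)} bytes")
    print("flagged:", suspicious_wdef("Desktop", found))
```

Two things worth noticing when running it: the parser returns resources grouped by type (both ICN# entries, then WDEF), because the map is organised by type rather than by the order the data was written, and the bounds checks matter more than the lookup itself, since a hostile disk image can point the map or a reference anywhere. A real scanner would also have to get these bytes off a GCR-formatted 800K floppy first, which is the hardware problem the other posters raise.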