VIRUS-L Digest   Friday, 23 Mar 1990    Volume 3 : Issue 62

Today's Topics:

Re: Stoned disinfection information (PC)
Ping Pong Virus Question (PC)
McAfee anti-virals updated on SIMTEL20 (PC)
Virus Replication Rates
Harper's Article
Jerusalem B infection fixed (PC)
Viruses and Copyrights (Part 3)
Stoned Virus Removal (PC)
Re: Low level format
Re: Utilities?
New Mac Virus?

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  Administrative mail (comments, suggestions, and so forth)
should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: 21 Mar 90 00:00:00 -0500
From: "David.M..Chess"
Subject: Re: Stoned disinfection information (PC)

gm@cunixb.cc.columbia.edu (Gary Mathews) writes:

> You could remove the stoned virus with McAfee's clean program or more
> simply, by booting off a clean dos disk and use the sys command to
> transfer a new copy of the MS-DOS system onto the hard disk.
>
> 1) boot system on a clean disk
> 2) sys c:
> 3) "Stoned" virus is gone !

That's wrong, I'm afraid.  The Stoned virus infects the master boot
sector of the hard disk (the sector that contains the partition table).
The DOS command "SYS" doesn't touch that sector, it only restores the
DOS (or "system") boot sector.  Removing the Stoned requires a low-level
format, or the use of some program that fixes the master boot sector
(unlike SYS).
(SYS generally -will- remove the Stoned from -floppies-, because they
have only one boot sector, and SYS fixes it; but SYS doesn't remove the
Stoned from hard disks.)

DC

------------------------------

Date: Wed, 21 Mar 90 10:29:26 -0500
From: ag541@cleveland.Freenet.Edu (John Zola)
Subject: Ping Pong Virus Question (PC)

FACTS REGARDING THE PING PONG VIRUS INFECTION OF MARCH 1990

History
-------------------------------

The PC virus I received is known as the Ping Pong-B Virus.  It is also
known as the Bouncing Ball, the Bouncing Dot, the Italian, the Vera
Cruz, the Falling Letters, and the Boot Virus.  The original Ping Pong
Virus is a boot sector virus first reported in March 1988.  The original
virus could only infect floppy diskettes.  The virus found at my company
is a derivative of the original Ping Pong Virus called Ping Pong-B.  The
Ping Pong-B Virus has the ability to infect fixed disk drives as well as
floppy diskettes.  The virus is a resident boot sector infector, meaning
that the virus overwrites part of the disk boot sector with a copy of
itself and when RAM resident, occupies the high end of active RAM.  The
virus hasn't been reported to damage or corrupt stored files.

What it did
---------------------------

The virus becomes RAM resident when booted from an infected drive.  The
use of "CHKDSK.COM" shows that exactly 2048 bytes have been taken from
total memory available.  When the virus is booted from an infected
diskette, it immediately infects the other disk drives without the user
having to access them through DOS.  The virus will overwrite the boot
sector at sector 0, track 0, head 1, offset 37.  The virus will also
write to the first available cluster on the data portion of the disk and
mark it as bad.  This particular feature of the virus doesn't seem to be
documented.  I would like to find out whether this so-called bad sector
is a duplicate of the virus or possibly a data segment that the virus
uses.
Detection
-----------------------------

The active monitor program reported no virus activity because most of
the virus activity occurred during boot up, before the active monitor
program could be loaded and executed from DOS.  The virus cannot stay
memory resident when the computer is turned off and booted from a clean
system disk.  The virus is destroyed when the DOS "SYS.COM" is used to
overwrite the boot sector of the infected disk.  The disk sector the
virus marked "bad" was rewritten to be usable by DOS and the information
contained in it was zeroed out three times.

Equipment
-----------------------------

The virus was examined on a Panasonic FT-70 portable personal computer.
The FT-70 is an IBM XT compatible featuring 640K of RAM using an Intel
8086 microprocessor.  The FT-70 does not feature a fixed disk drive.
All disks used in the examination of this virus were magnetized after
use, to prevent further contamination.

John C. Zola
Technical Support Specialist
Information Management Section

------------------------------

Date: Wed, 21 Mar 90 11:09:00 -0700
From: Keith Petersen
Subject: McAfee anti-virals updated on SIMTEL20 (PC)

I have uploaded the latest McAfee anti-virals to SIMTEL20:

pd1:
CLEANP60.ZIP    Universal virus disinfector, heals/removes
NETSCN60.ZIP    Network compatible - scan for 77 viruses, v60
SCANRS60.ZIP    Resident virus infection prevention program
SCANV60.ZIP     VirusScan, scans disk files for 77 viruses

These files were obtained from McAfee's Homebase BBS.
Keith

- --
Keith Petersen
Maintainer of SIMTEL20's MSDOS, MISC & CP/M archives [IP address 26.2.0.74]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil, w8sdz@brl.mil
BITNET: w8sdz@NDSUVM1
Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz

------------------------------

Date: Mon, 05 Mar 90 12:04:00 -0500
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Virus Replication Rates

>Are these infections (with an old virus) an indication of what will
>happen when the large number of new viruses have had time to spread far
>enough?

I am previewing a paper by Peter Tippett, M.D., Ph.D., which deals with
this issue.  Dr. Tippett believes that the doubling time for Jerusalem
and Brain is about 2 months.  By his calculations, the population of
these viruses has not yet gotten "interesting."  He believes that the
growth curves exhibit marked knees in the 30-40 month time frame.  For
example, if a virus were to reach a million copies in month 36, it would
see two million by month 38.

>Or will the increasing availability of virus scanning tools and
>self-checking programs (like MS Works) intersect the "infected systems
>curve" soon?

Dr. Tippett believes that everything that we have done to date is
factored into that doubling time.  There is no auto-immune function in
computers.  An infected one will remain infected and keep infecting
others until intervention.  Computers do not die, they either remain in
or rejoin the population.  (John McAfee asserts that a once infected
computer runs a fifty-fifty chance of being re-infected in ninety
days.)  While viruses replicate only in computers, where they are not
persistent, they reside and move on floppies, where they are extremely
persistent.

If Dr. Tippett is correct, we will soon stop dealing with computer
viruses on a clinical (case-by-case, system-by-system) basis and begin
to deal with it on an epidemiologic one.
____________________________________________________________________
William Hugh Murray                     216-861-5000
Fellow,                                 203-966-4769
Information System Security             203-326-1833 (CELLULAR)
                                        ARPA: WHMurray@DOCKMASTER
Ernst & Young                           MCI-Mail: 315-8580
2000 National City Center               TELEX: 6503158580
Cleveland, Ohio 44114                   FAX: 203-966-8612
                                        Compu-Serve: 75126,1722
                                        Telemail: WH.MURRAY/EWINET.USA
21 Locust Avenue, Suite 2D              DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840           PRODIGY: DXBM57A

------------------------------

Date: Wed, 21 Mar 90 10:10:35 -0700
From: Don Pirot
Subject: Harper's Article

I haven't seen it mentioned on VIRUS-L so I'll mention it: In the March
issue of Harper's there is a forum on hacking entitled 'Is Computer
Hacking a Crime?'.  It is actually the transcript of an e-mail forum
that took place over an 11 day period.  Among the participants are Cliff
Stoll, John Perry Barlow, Jim Gasperini, and a few anonymous hackers.

------------------------------

Date: Wed, 21 Mar 90 12:16:26 +0700
From: Chuck Martin
Subject: Jerusalem B infection fixed (PC)

Our PC got hit by Jerusalem B yesterday (via a customer's disk).  With
the aid of SCAN and CLEAN, we were able to eradicate the infection in
both PCs with little effort.

Thank you, John McAfee!!  Thank God for shareware.  The registration fee
is well worth it.

- ------------------------------------------------------------------------------
Chuck Martin, Consultant
Computer Information Center, Washington State University
MARTINCH @ WSUVM1.BITNET    (509) 335-0411
- ------------------------------------------------------------------------------
To iterate is human, to recurse divine.  - Don Stokes
- ------------------------------------------------------------------------------

------------------------------

Date: Wed, 21 Mar 90 21:52:17 -0500
From: davidbrierley@lynx.northeastern.edu
Subject: Viruses and Copyrights (Part 3)

Sorry for the delay in posting - final exams, you know.
By copyrighting a work the author protects the following rights:

1) The exclusive right to make copies of the work.  This right is waived
   when viruses are involved since they self-replicate.

2) The exclusive right to prepare derivative works (works based on the
   original work).  This might also be waived for viruses since they
   attach themselves to other programs, thus making derivative works of
   the virus.  Of course the infected program is now a derivative work
   of the program before it was infected, violating the copyright of
   that program's author(s).  With this in mind I'd say that true
   viruses are also illegal since they infringe copyrights in addition
   to all the other laws regarding illegal use of a computer, etc.

3) The exclusive right to perform the work (as in plays, music, etc.)
   This right doesn't apply to computer viruses, unless someone writes a
   really weird one!  :-)

4) The exclusive right to display the work in a commercial setting.
   Applicable only if the virus author wants to advertise and sell his
   'product.'  This would, of course, serve as evidence against him/her.

5) The exclusive right to market or distribute the work.  This also
   doesn't apply to viruses since they replicate (distribute)
   themselves.

The above are the only 5 rights that are protected by copyright, at
least according to the book I have read.

Next time, which will be my last posting on viruses and copyrights, will
discuss what constitutes a proper copyright notice.  The information
could surprise you!

DISCLAIMER: As always, the above are my personal interpretations of _How
to Copyright Software_ (3rd edition) by attorney M.J. Salone.  Do not
take the above to be sound legal advice, if there is such a thing.  ;-)

------------------------------

Date: Wed, 21 Mar 90 23:04:24 -0800
From: Alan_J_Roberts@cup.portal.com
Subject: Stoned Virus Removal (PC)

McAfee's CLEAN program will remove the Stoned virus as mentioned in
yesterday's posting.  However the DOS SYS command will NOT remove the
virus.
The virus infects the master boot record of hard disks (Partition
Table), and the SYS command does not alter this area of the disk.  It
WILL work on floppies, of course, provided they are bootable floppies
and there is room for the system info.

Alan

------------------------------

Date: Thu, 22 Mar 90 09:57:53 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Low level format

LBA002@PRIME-A.TEES-POLY.AC.UK writes:

>Many of the articles I read on recovering from a virus infection
>recommend a "low level format" of the hard disk as part of the
>process.

You should not take this recommendation seriously.  Low level formatting
is almost never necessary.  Most viruses only corrupt .EXE or .COM
files, which can usually be restored by using a disinfection program.
The only viruses that cause problems are:

   Taiwan, which sometimes destroys the infected program instead of
   properly infecting it.

   Jerusalem, which occasionally corrupts a file while infecting, if the
   header contains incorrect information about the file length.  I have
   only seen this twice, however - but one of the programs is very
   common (WordPerfect).

   Vienna (and the Lisbon variant), which destroys one out of every
   eight files it infects.

   405 and other overwriting viruses.

In those (rare) cases you are forced to restore the files from a backup
copy, but in all other cases disinfectors are available that will
restore an infected program to its original state.

With boot sectors the story is similar - formatting is not required.  In
most cases the original boot sector (or partition record) can be easily
recovered, with the exception of the Swap (Fallboot) virus.

When cleaning up after the Dark Avenger virus, it is strongly advised to
format the disk (an ordinary DOS format is all that is needed) and
restore all programs and data files from backups.  The reason is that
the Dark Avenger may have garbled some sectors on the disk and possibly
destroyed data or program files.
No disinfection tool is able to recover from this.

There is one virus that might require a low level format, though.  When
the Disk Killer virus activates, it starts encrypting the hard disk,
including the partition table.  DOS format can not handle this, you
would need to run FDISK first and possibly a low level formatting tool.
On the other hand, it is possible to write a program to recover the
original data, as the encryption method is easily reversible.

- --
Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)     |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |

------------------------------

Date: 22 Mar 90 19:40:59 +0000
From: MARCELO@phoenix.princeton.edu (MARCELO)
Subject: Re: Utilities?

Just for everyone's information, SCAN and CLEAN are now at version 60.
The best way to ensure good copies is to DL them directly from McAfee
Associates BBS 408-988-4004.  He also has the PKZIP programs available
for DLing.

.. Marcelo ..
marcelo@pucc.princeton.edu
marcelo@phoenix.princeton.edu

------------------------------

Date: Fri, 23 Mar 90 01:35:10 -0500
From: Yary Richard Phillip Hluchan
Subject: New Mac Virus?

I have started having problems with my Mac that I didn't have two days
ago.  I run a number of memory-resident programs which could have
started interacting in a funny way, but the facts lead me to be wary -
in a chronological order

a) Infrequently, when I run MacMail 0.5, I cannot type in id or password
information without generating an app(1? 2? 3? 4?)event, which is now
reserved for MultiFinder.  MacMail traps this and doesn't let me
continue.  The ID & PW window is the first one that pops up, so I can't
do anything other than quit... other apps work fine, but rerunning
MacMail doesn't fix it.  Rebooting does.  I've had that problem long
before the others, and MacMail is still in the development stage, so it
may have nothing to do with the "virus."

b) I run TeachText and try editing a 1.5 page document.
I can't backspace over any line breaks without getting a System bomb
#10.  Can't clear or cut a selection containing a line break either,
though copy works.  I start up Appleshare, connect to my machine from a
remote computer, and start up TeachText remotely.  My system software
should now be out of the loop.  I try editing a different document.  Now
I can't even backspace over a single character.  I should point out
these errors only occur while editing in or near the last screenful.

c) Today I turn on the computer, bootup goes fine until the file window
gets drawn.  The rectangle comes up with the title, but instead of
drawing the icons with titles, I get another System error #10.  Booting
up with a second disc works, but running software off my HD makes the
Mac try to change systems, and I end up with a sys err #2.

This could be Appleshare writing where it shouldn't be, or a corrupted
sector map (which forced me to reformat my HD a scant month ago), or
both - who knows?  It could also be a virus.  Tomorrow I'd like to
binhex my system and teachtext, and mail them to an expert who can tell
me if there is any evidence of a virus.  I've sent mail to Werner Uhrig,
hope he can point me in the right direction.

yary

------------------------------

End of VIRUS-L Digest
*********************
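The two Stoned replies in this issue (David Chess's and Alan Roberts's) turn on one fact: on a hard disk, DOS SYS rewrites the DOS boot sector of the partition the partition table points at, and never sector 0, where the partition table and the master boot code live. The script below is an added example to make that concrete; it is not code from the digest or from any of its posters. It builds a toy disk image from constructed bytes (the 128-sector layout, the placeholder boot code, the `dos_sys()` model of SYS and the `overwrite_mbr_code()` stand-in for a damaged sector 0 are all assumptions made for illustration, not real DOS or real virus behaviour) and shows the check a defender would actually run: compare sector 0's boot-code area against a copy saved from the known-clean disk. The mismatch survives a SYS and clears only when the master boot sector itself is rewritten, which is exactly what the two posts say. The partition-entry layout and the 0x55AA signature are the standard MBR format.

```python
"""Toy disk-image model of the point made in the Stoned threads: DOS SYS
rewrites the DOS boot sector inside the active partition and never writes
sector 0, where the partition table and the master boot code live.

Added example, not code from the VIRUS-L digest or any of its posters.
The disk layout, the boot-code bytes and the dos_sys() model are all
constructed for illustration.
"""
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 0x1BE           # four 16-byte partition entries start here
SIGNATURE_OFF = 0x1FE            # 0x55 0xAA closes a valid boot sector
BOOT_CODE_LEN = PART_TABLE_OFF   # bytes 0..0x1BD of sector 0 hold the MBR code

# Constructed layout: a 128-sector disk whose only partition starts at LBA 17.
TOTAL_SECTORS = 128
PART_START_LBA = 17
PART_SECTORS = 100
GOOD_CODE = b"<constructed placeholder for known-good master boot code>"


def clean_dos_boot_sector():
    """A constructed stand-in for the DOS boot sector that SYS writes."""
    vbs = bytearray(SECTOR)
    vbs[:3] = b"\xEB\x3C\x90"      # JMP over the BPB, as DOS boot sectors start
    vbs[3:11] = b"MSDOS3.3"        # OEM name field (constructed value)
    vbs[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xAA"
    return bytes(vbs)


def build_disk(boot_code=GOOD_CODE):
    """Build the toy image: sector 0 is the MBR, LBA PART_START_LBA is the
    DOS boot sector of the single active FAT16 partition."""
    disk = bytearray(TOTAL_SECTORS * SECTOR)
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    # status 0x80 (active), CHS fields zeroed, type 0x06 (FAT16), start LBA, size
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x06, b"\0\0\0",
                        PART_START_LBA, PART_SECTORS)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xAA"
    disk[:SECTOR] = mbr
    disk[PART_START_LBA * SECTOR:(PART_START_LBA + 1) * SECTOR] = clean_dos_boot_sector()
    return disk


def parse_mbr(sector):
    """Read sector 0: signature check, hash of the boot-code area, and the
    non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs0, ptype, _chs1, start, size = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "start_lba": start, "sectors": size})
    return {
        "signature_ok": bytes(sector[SIGNATURE_OFF:SIGNATURE_OFF + 2]) == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def dos_sys(disk):
    """Model of what SYS does on a hard disk: find the active partition in the
    table and rewrite ITS boot sector.  Sector 0 is never written.  Returns
    the LBA that was written."""
    active = [p for p in parse_mbr(bytes(disk[:SECTOR]))["partitions"] if p["active"]]
    if not active:
        raise ValueError("no active partition to transfer the system to")
    lba = active[0]["start_lba"]
    disk[lba * SECTOR:(lba + 1) * SECTOR] = clean_dos_boot_sector()
    return lba


def overwrite_mbr_code(disk, filler):
    """Stand-in for the damage the threads describe: the master boot code is
    replaced while the partition table and signature stay intact.  The filler
    is arbitrary constructed bytes, nothing executable."""
    disk[:BOOT_CODE_LEN] = filler[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\0")


def mbr_code_matches(disk, baseline_mbr):
    """The defender's check: does sector 0's boot code still equal the copy
    saved from the known-clean disk?"""
    return bytes(disk[:BOOT_CODE_LEN]) == bytes(baseline_mbr[:BOOT_CODE_LEN])


def restore_mbr_code(disk, baseline_mbr):
    """What a master-boot-sector repair tool does and SYS does not: put the
    known-good boot code back into sector 0, keeping the current table."""
    disk[:BOOT_CODE_LEN] = bytes(baseline_mbr[:BOOT_CODE_LEN])


def walkthrough():
    """Returns (after_damage, after_sys, after_repair) from mbr_code_matches."""
    baseline_mbr = bytes(build_disk()[:SECTOR])   # saved while the disk was clean
    disk = build_disk()
    overwrite_mbr_code(disk, b"constructed filler standing in for foreign boot code")
    after_damage = mbr_code_matches(disk, baseline_mbr)    # False
    dos_sys(disk)                                          # rewrites LBA 17 only
    after_sys = mbr_code_matches(disk, baseline_mbr)       # still False
    restore_mbr_code(disk, baseline_mbr)
    after_repair = mbr_code_matches(disk, baseline_mbr)    # True
    return after_damage, after_sys, after_repair


if __name__ == "__main__":
    print(walkthrough())   # (False, False, True)
```

The floppy case Chess mentions falls out of the same model: a floppy has only the one boot sector, so the sector SYS rewrites is the sector that was damaged, and the baseline comparison clears after SYS alone. The baseline copy is the important operational detail: saving sector 0 from a known-clean machine (before anything goes wrong) is what makes both the check and the repair possible without a low-level format.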