VIRUS-L Digest   Monday, 26 Mar 1990    Volume 3 : Issue 63

Today's Topics:

Viruses and Copyrights (Part 4 - Final)
Virus-L index of V3 #1 to #60
FAX Address for Tacoma Software.
re: Ping Pong Virus Question (PC)
re: Virus Replication Rates
Re: viri using Hamming
Re: New Mac Virus?
False Alarm (was Re: New Mac Virus?)
VirusX 4.4 (Amiga)
False version of antivirus program
Re: Possible virus alert (PC)
VIRUS SCANNING UTILITIES (pc)
Virus Alert - NEW VIRUS IN GERMANY (PC)
Prosecute Virus Authors?
viruses or viri, a philological question
VirusX 4.4
Mac file infected with Scores and nVIR -- Usable? (Mac)
F-PROT.ZIP update (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: Thu, 22 Mar 90 15:07:00 -0500
From: davidbrierley@lynx.northeastern.edu
Subject: Viruses and Copyrights (Part 4 - Final)

Although no longer required by law, it is important to include an appropriate copyright notice in a work to insure full legal protection in the event of an infringement suit. The _ONLY_ internationally recognized copyright symbol, as of the publication of my source, is the 'c' in a circle. A 'c' in parentheses (c) is _NOT_ an internationally recognized symbol (but this could change). In the United States "copyright" and "copr." are valid substitutes, but they may not hold up in other countries.

For computer use the author (M.J. Salone) recommends these possible notices for various situations (these are for use if the circled c is not available):

Copyright 1990 John Doe
Copr. 1990 John Doe
(C) Copyright 1990 John Doe
(C) Copr. 1990 John Doe

Copyright John Doe (This work is unpublished)
Copr. John Doe (This work is unpublished)
(C) Copyright John Doe (This work is unpublished)
(C) Copr. John Doe (This work is unpublished)

Copyright John Doe (Work in Progress)
Copr. John Doe (Work in Progress)
(C) Copyright John Doe (Work in Progress)
(C) Copr. John Doe (Work in Progress)

The phrase "All rights reserved." is required under some international treaties.

I've used a lot of software in my time and I have noticed that a lot of publishers use "defective" copyright notices in their programs, like:

(C) 1990 John Doe

DISCLAIMER: I am not a lawyer. This information was taken from _How to Copyright Software_ by attorney M.J. Salone (3rd edition).

------------------------------

Date: Wed, 21 Mar 90 09:43:32 +0000
From: Anthony Appleyard
Subject: Virus-L index of V3 #1 to #60

SUBJECT                                                                    ISSUE
after trying JCremote & MacII Diagnostic Sound, got damaged resource fork     11
Grammatik may contain WDEF A                                                  19
New NVIR-like virus, VIREX can detect, can't identify or fix; Disinfectant can't find [New virus?]  23
[Trojan Alert (MAC)] Mosaic and Fontfinder, they damage disks                 30
New Trojan Warning! (Mac)                                                     52
Prog "Totally Safe Sex" on Genie is [possible new trojan on Genie (Mac)]      60
This is not the trojan [There is more than 1 virus called AIDS!]              21
AIDS Virus (Mac) and AIDS Trojan (Non-Mac)                                    34
How to get Mac Anti-viral programs                                             4
Another place to get them [RE: Anti-virus programs]                            4
Is this Anti-viral site available to Usenet as well as Bitnet?                 6
Is there alternate virus protection besides Vaccine & Gatekeeper?              6
answer to alt. virus prot: try RWATCHER [RE: Alt. virus prot.]                 7
1st Aid Software, Publisher of Anti-virus Kit, will do no further updates to software [An unfortunate victim]  11

[Ed. Remainder of index package (for Mac, PC, and miscellaneous) is available by anonymous FTP on cert.sei.cmu.edu (IP number 128.237.253.5). Filenames are:

pub/virus-l/archives/index.v3i1-60.appleyard.pc
pub/virus-l/archives/index.v3i1-60.appleyard.mac
pub/virus-l/archives/index.v3i1-60.appleyard.misc ]

------------------------------

Date: Fri, 23 Mar 90 12:54:57 +0000
From: Dave Tillett
Subject: FAX Address for Tacoma Software.

Does anyone have the fax address of Tacoma Software Systems, the suppliers of VIRSTOP? I have just had a fax from them which does not give their number and I need to send a reply.

Thanks
Dave

Dave Tillett   CPI001@UK.AC.SOUTHMAPTON.IBM
Southampton University Computing Services
phone 0703 592161   fax 0703 593939

------------------------------

Date: 23 Mar 90 00:00:00 -0500
From: "David.M..Chess"
Subject: re: Ping Pong Virus Question (PC)

ag541@cleveland.Freenet.Edu (John Zola):

> It is also known as the Bouncing Ball, the Bouncing Dot, the
> Italian, the Vera Cruz, the Falling Letters, and the Boot Virus.

"Falling Letters" is a different virus. "Boot Virus" isn't really the name of any particular virus...

> The original Ping Pong Virus is a boot sector virus first
> reported in March 1988. The original virus could only infect
> floppy diskettes.

Although people are constantly saying this, I've never encountered anyone who had a copy of the floppy-only version. The Bouncing Ball (or whatever) virus that's out there actively spreading in the world infects both floppies and hard disks.

> would like to find out whether this so-called bad sector is a
> duplicate of the virus or possibly a data segment that the virus
> uses.
The virus is too large to fit into the small boot sector; the place on the disk(ette) that it reserves for itself is used to store the rest of the virus, and of course the original valid DOS boot sector that it has overlaid.

DC

------------------------------

Date: 23 Mar 90 00:00:00 -0500
From: "David.M..Chess"
Subject: re: Virus Replication Rates

Fascinating stuff! What sort of data does he base his rate estimates on? I would be (pleasantly) surprised if anyone had managed to gather reliable enough data to make a credible estimate. Will the paper appear in some journal at some point? Do you know if preprints are available?

DC

------------------------------

Date: 23 Mar 90 13:17:03 +0000
From: woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal)
Subject: Re: viri using Hamming

jg3o+@andrew.cmu.edu (Jason Ari Goldstein) writes:

> Excuse me for my apparent cluelessness but could someone please tell me what
> people mean by Hamming? From context I think I know what everyone is talking

It is an error correcting scheme that lets you detect and correct errors. It is used in various serial transmission schemes and in file integrity verification. Apparently some viruses (please not viri) have Hamming error correcting code included that attempts to correct errors or changes made to the virus.

Cheers
woody

------------------------------

Date: Fri, 23 Mar 90 15:07:02 -0500
From: "Norman William Franke, III"
Subject: Re: New Mac Virus?

Make sure you are using the most current version of TeachText, which is 1.2 I believe. TeachText isn't really meant to be used as a word processor, hence the name; it's meant to read readme files, and the like. You can also check the modification dates on TeachText to determine if it has been modified lately.

Viruses are generally the last thing I look for. This may not be a good idea, but I usually find on the Mac it's something else. For example, have you added any new INITs or CDEVs? Try removing them all. Next you could try to replace your System and Finder. I've had my System get corrupted a few times, while under MultiFinder usually.

However, the easiest thing to do would be to use one of the virus checkers publicly available. One of the better non-commercial ones is Disinfectant 1.6, which you can get from most clusters on campus, AppleShare servers, or via FTP from sumex (36.44.0.6, /info-mac/virus/disinfectant-16.hqx). To be super-safe you can do this on a friend's system. Put Disinfectant and a System/Finder on a disk, lock it, and boot from this disk on your machine. Then run Disinfectant from that disk. If you have a known virus, it should be able to remove it.

Norman Franke
nf0i+@andrew.cmu.edu

------------------------------

Date: Fri, 23 Mar 90 16:18:10 -0500
From: Yary Richard Phillip Hluchan
Subject: False Alarm (was Re: New Mac Virus?)

OK, sorry for crying wolf! First, there were some things I forgot to mention in my original post: I run a known clean copy of Disinfectant 1.6 on my entire hard drive every two days, in addition to running SAM Intercept and Virex in the background. Hence the title "new mac virus?" Also, I have not changed any inits in my System folder since I reformatted my hard drive a couple months ago.

The occasional MacMail bomb could be anything, as it is still in its test version. The TeachText bomb is most probably from my inadvertently copying over my version 1.2 with an older 1.1. As for the sys err #10 when I boot up, who knows? I booted up my machine, and other than the old version of TeachText everything seems fine. If anything odd happens again, I'll let everyone know.

I would like to thank everyone who promptly sent mail pointing me in the right direction. Now I can enjoy my vacation!

- -Yary

------------------------------

Date: 23 Mar 90 21:09:55 +0000
From: consp11@bingvaxu.cc.binghamton.edu (Brett L. Kessler)
Subject: VirusX 4.4 (Amiga)

This article was originally posted to American People/Link's AmigaZone club by Steve Tibbett, the author of VirusX. As long as this article is kept in its entirety, it can be re-posted anywhere. (I copied it from comp.sys.amiga.)

- -----
Club : AMIGA ZONE   Sec: 2   Date : 3/22/90 19:59   Num: 63,234
Theme: VIRUSX 4.4
To   : ALL          By : STEVEX
Title: WHAT IT IS
- -----

A bogus version of VirusX has appeared recently, and has begun circulating under the name "VirusX 4.4". VirusX 4.4 is not by me, but it's not something to worry about if you have run it.

VirusX 4.4 is a VirusX 4.0 archive that has been slightly modified by somebody who obviously doesn't know anything about C, nor programming the Amiga (based on some of the things he says). The 4.4 archive contains a VirusX.Docs that has a new "Virus" appended to the docs, has a longer description of this virus appended to the source file, had some punctuation moved around in the source file, and had the 4.00 version number patched to 4.40. That's it.

If you have it, don't use it because you'll just confuse yourself. Please don't pass it on. The only places that I normally personally upload VirusX to are my own BBS (OMX, at 613-731-3419), and People/Link.

I will have a new version of VirusX with a few new features, and knowledge of a number of new viruses, to release within the next few days.

On another VirusX-related topic, some people have noticed that XOPER reports that VirusX uses an incredible amount of CPU time (between 40% and 60% of the available CPU time) for a program that's supposed to run in the background. Well, VirusX is pretty nice to the Amiga system, so I checked it out with Commodore's PerfMon (PM) from the 1.3 Extras disk, and it reports that VirusX takes almost no processor time. I trust PM.
...Steve

+------///-+------------------| BRETT KESSLER |------------------+-\\\------+
|   ///    | consp11@bingvaxu.cc.binghamton.edu                  |   \\\    |
| \\\///   | consp11@bingvaxa.BITNET                             |  \\\///  |
|  \XX/    | (PeopleLink) B.KESSLER                              |   \XX/   |
+----------+-----------------------------------------------------+----------+

------------------------------

Date: Fri, 23 Mar 90 17:30:00 -0500
From:
Subject: False version of antivirus program

I think an interesting question is raised by the (intentional) rumor of a new version. Presuming that an evildoer wants people to accept the phony version, with whatever virus it might contain, how can we trust what is said anywhere about shareware? I have a friend who knows something about computers, and he told me it's relatively easy to send messages under false names. How can we tell whether a person whose opinion we trust is really "speaking"?

Andre Teschner

------------------------------

Date: Fri, 23 Mar 90 16:21:23 -0600
From: Gary Heston
Subject: Re: Possible virus alert (PC)

Sounds more like your hard drive or power supply is about to go bad. There is no hardware whatsoever that can alter the speed of a hard disc in a PC or AT style system. Failure of either the power supply's +12V output or the drive's motor control circuitry is indicated, unless the power connection into the drive is loose. The increasing number of bad sectors points to the drive.

Keep those backups safe.....

- ---
Gary Heston   { uunet!sci34hub!gary }   System Mismanager
SCI Technology, Inc.   OEM Products Department   (i.e., computers)
"I think, therefore, !PANIC! illegal protected mode access attempt
Memory fault: core dumped

------------------------------

Date: Fri, 23 Mar 90 18:36:00 -0800
From: jmolini@nasamail.nasa.gov (JAMES E. MOLINI)
Subject: VIRUS SCANNING UTILITIES (pc)

Arthur Gutowski writes:

> In Virus-L, v3.i59, Jim Molini gives an alternative to having to register
> many copies of shareware programs for virus detection. He suggests using
> a PD CRC checker (eg, FILETEST by Len Levine) to monitor program changes,
> and use your one registered copy of a scanner/disinfector if any changes
> are detected.
>...
> We (at Wayne State) have a similar problem to the one he's addressing.
> We are starting an IBM token-ring LAN, with Ethernet, and will be running
> Novell. There will be several workstations hooked up to a server. Some
> will be used for a special program involving teaching kids (high school
> age) how to use PCs and word processors, database programs, spreadsheets,
> etc. Development on these machines will not be an issue. However, our
> Engineering department also intends to use some of the workstations as
> well, and they may very well do a fair amount of program development.
>
> Jim, would you suggest the same approach for a network where there may be
> heavy programming? I'd like to see some more discussion of this topic.

Arthur, you have identified the primary problem associated with CRC type virus detectors. They work against a baseline that always tends to change when working with program development. Nevertheless, this is not an insurmountable problem, because you can usually isolate your program development environment into a separate directory, or partition.

What I would recommend is for you to continue with something like FILETEST after you have relocated the destination directory for your program development environment into another area (preferably onto another partition of your disk). In this way, you are once again ensuring that your primary partition is stable enough to use a CRC type program.

It is kind of like the problem of locating smoke detectors in a commercial kitchen. Most people don't. They usually have fire extinguishers in hazardous areas and locate smoke detectors outside the kitchen area because smoke naturally occurs in a kitchen area and would then generate too many false alarms. In certain cases they will use sprinklers, which are not activated by smoke (only heat) and figure that if the smoke is bad enough to activate a detector outside the kitchen, it must be bad enough at that point to generate an alarm.

In your environment, if you located program development code in a non-bootable partition under C: (like D:, or E:) and scanned C:, you should have a very good chance of detecting viruses before they became a problem, as long as you are not running your network software from a drive that is not being scanned. Then, if you are really worried about your production software (and you should be if you anticipate exporting it from your machines) then you can use one of the other scanners for detecting viruses on those files.

Now that I've stuck my foot in it, let me hedge by saying that the existing CRC detectors you described will not detect the more advanced viruses, like 4096, without extensive modifications. But that is an issue for a future edition of Virus-L.

Jim Molini.

------------------------------

Date: Sat, 24 Mar 90 10:22:54 -0500
From: Christoph Fischer
Subject: Virus Alert - NEW VIRUS IN GERMANY (PC)

We received a sample of a new virus. This is very URGENT since this virus will activate part of its payload on ** APRIL 1st **

Overview:

It will only infect .COM files since it searches for *.COM during the infection process (much like the Vienna, 648, UNESCO family, but it does multiple infections upon execution of an infected .COM file). It does *NOT* create a TSR.

It is a prepending virus, thus it will overwrite the first part of an uninfected file, saving the data being overwritten behind the host code. The file will grow 1539 bytes.

The infection process is not very sophisticated and will cause noticeable delays and harddisk action upon each invocation of an infected file.

The virus is self-encrypting (very simple mechanism). The decryption mechanism is slightly modified on each infection.
With another simple trick it prevents the debugger from tracing correctly (just takes seconds for an experienced user to circumvent).

The virus carries *TWO* payloads:

1. From 24th of December till the end of each year it will write an X-mas tree and the following German message on the screen:

   Und er lebt doch noch : Der Tannenbaum !
   Frohe Weihnachten ...

   Translation:
   And still it is alive : The Christmas Tree !
   Merry Christmas ...

   Note: The tree is done with '*' and IBM PC special characters. It might be an allusion to the famous BITNET worm CHRISTMA EXEC! No further damage is done.

2. On April 1st it will drop a sabotage code into the partition table of harddisk 0 (note this is on the physical level) and into the bootsector of floppydrives 0 and 1 (using INT 13, so some protection sw will prohibit this action). This code will write the following string: 'April, April ...' and a beep to the screen and hang the system upon next boot up. (Translation: April fool)

The virus will identify itself by looking for the following 7 bytes in the very beginning of each .COM file:

   EB 07 56 0A 03 59 00

We got our first sample from a small town in northern Germany named Altena. A high school student found it while he was trying out a program that plays a Christmas tune on Dec. 24th (he set his clock and got the tree on his screen while running several other programs).

I am not fully done with the disassembly since I had a virus myself: bad case of FLU :-)

I think we will name it the XA1 virus for X-mas and April 1st.

Sincerely
Christoph Fischer

*****************************************************************
* Christoph Fischer and Torsten Boerstler and Rainer Stober     *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067   *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET    *
*****************************************************************

------------------------------

Date: 23 Mar 90 19:03:49 +0000
From: garth!dbarnes@unix.sri.com (Dave Barnes)
Subject: Prosecute Virus Authors?

I was wondering... I read a comment somewhere that said "[such-and-such] virus was written by [so-and-so]". Do we know who any of the authors of virii are, and if so, can anybody prosecute them? I know you can for single incidents like the big network virus that was written by the student back east, but what about PC viruses?

- ----------------------------------------------------------
David Barnes   UUCP: {pyramid,sri-unix,ingr}!apd!dbarnes   415/852-2365
USPS: Intergraph APD, 2400 Geng Road, Palo Alto, CA 94303
- ----------------------------------------------------------

------------------------------

Date: Sat, 24 Mar 90 12:06:00 -0500
From: Christoph Fischer
Subject: viruses or viri, a philological question

Virus, originally meaning slime, poison, is of Latin origin. It was a collective noun of neuter gender such as vulgus, meaning common people, and occurred in the singular only. The plural form viri belongs to the Latin noun vir, meaning man, and has nothing to do with virus. So viruses is the only acceptable plural form of virus and moreover a good example of British pragmatism in using loan words.
Sincerely
Christoph Fischer

*****************************************************************
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067   *
* E-Mail: RY15 at DKAUNI11.BITNET                               *
*****************************************************************

------------------------------

Date: Sun, 25 Mar 90 13:03:00 -0500
From: High on Bick's
Subject: VirusX 4.4

Has anyone figured out what this program does yet? I realize it's only been a short time since its release, but was just curious.

Dave

------------------------------

Date: Mon, 26 Mar 90 06:42:07 +0000
From: drz@po.cwru.edu (David Zinkin)
Subject: Mac file infected with Scores and nVIR -- Usable? (Mac)

(Sorry if I'm doing something wrong. I've never posted here before.)

My copy of SideKick for the Mac has been infected with TWO viruses at the same time -- Scores and nVIR A. Is it possible to make SideKick usable again? The only tool I've tried using is SAM 1.5, which will only let me delete the file, not repair it. I don't want to try anything else until I know the file won't be damaged.

Thanks in advance for helping.

- --
Dave Zinkin -- Disclaimer: The opinions and ideas expressed here are solely my own.
- ------------------------------------------
I see, and I forget. I hear, and I remember. I do, and I understand.
(Ancient Chinese Fortune Cookie)
- ------------------------------------------
Dave Zinkin - drz@po.cwru.edu

------------------------------

Date: Fri, 23 Mar 90 13:54:03 -0600
From: James Ford
Subject: F-PROT.ZIP update (PC)

Fridrik (Frisk) Skulason's F-PROT.ARC program has been placed on the server at MIBSRV.MIB.ENG.UA.EDU (130.160.20.80) for anonymous FTP in the directory pub/ibm-antivirus. Thanks to Leonard Levine for uploading it (it was you, wasn't it)? (The file was converted from ARC to ZIP)

F-PROT.ZIP had been uploaded incorrectly earlier (thanks to Carol Conti-Entin for spotting this). This has been corrected. If you note any other errors, please drop me a line so I can correct it.

For virus-trackers: Jerusalem Virus-B was found in our IE student lab.

- ----------
Discover all unpredictable errors before they occur.
- ----------
James Ford - JFORD1@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU
THE University of Alabama (in Tuscaloosa)

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
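Added example, not part of the digest and not code from any of its contributors: the Hamming code that woody's "Re: viri using Hamming" reply describes, worked through as a Hamming(7,4) encoder and decoder. The block shows the property the reply refers to, that a single flipped bit is both detected (non-zero syndrome) and corrected, and also shows the limit of the scheme, since two flipped bits in one codeword are silently miscorrected. The byte payload and the bit flips are constructed for the demonstration.

```python
# Hamming(7,4): codeword bit positions 1..7, parity bits at positions 1, 2
# and 4, data bits d1..d4 at positions 3, 5, 6 and 7. Each parity bit covers
# the positions whose binary index has the corresponding bit set, so the
# syndrome of a one-bit error equals the position of the flipped bit.

def hamming74_encode(nibble):
    """Encode a 4-bit value (0..15) into a 7-bit codeword, returned as a list of bits."""
    d1, d2, d3, d4 = ((nibble >> s) & 1 for s in (3, 2, 1, 0))
    p1 = d1 ^ d2 ^ d4  # covers positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4  # covers positions 2, 3, 6, 7
    p3 = d2 ^ d3 ^ d4  # covers positions 4, 5, 6, 7
    return [p1, p2, d1, p3, d2, d3, d4]

def hamming74_decode(codeword):
    """Return (nibble, error_position). error_position is 0 when the syndrome is
    clean, otherwise the 1-based position that was flipped back before decoding."""
    b = [None] + list(codeword)  # 1-indexed copy; b[0] is unused
    s1 = b[1] ^ b[3] ^ b[5] ^ b[7]
    s2 = b[2] ^ b[3] ^ b[6] ^ b[7]
    s3 = b[4] ^ b[5] ^ b[6] ^ b[7]
    error_position = s1 + 2 * s2 + 4 * s3
    if error_position:
        b[error_position] ^= 1  # single-bit correction
    nibble = (b[3] << 3) | (b[5] << 2) | (b[6] << 1) | b[7]
    return nibble, error_position

def encode_bytes(data):
    """Encode each byte as two codewords, high nibble first."""
    out = []
    for byte in data:
        out.append(hamming74_encode(byte >> 4))
        out.append(hamming74_encode(byte & 0x0F))
    return out

def decode_bytes(codewords):
    """Decode codeword pairs back to bytes and count how many corrections were made."""
    nibbles, corrections = [], 0
    for cw in codewords:
        n, pos = hamming74_decode(cw)
        nibbles.append(n)
        if pos:
            corrections += 1
    data = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))
    return data, corrections

def flip_bit(codeword, position):
    """Copy of codeword with the 1-based bit position inverted (simulated corruption)."""
    cw = list(codeword)
    cw[position - 1] ^= 1
    return cw

def demo():
    """Constructed payload: one bit of every codeword is flipped, cycling through
    all seven positions, and the decoder restores the original bytes."""
    original = b"VIRUS-L"
    damaged = [flip_bit(cw, 1 + (i % 7)) for i, cw in enumerate(encode_bytes(original))]
    recovered, corrections = decode_bytes(damaged)
    return original, recovered, corrections
```

With the seven-byte payload the decoder makes fourteen corrections and returns the original bytes unchanged. A double flip in one codeword, however, produces a syndrome that points at a third, innocent position, so the decoder "corrects" the wrong bit; SECDED variants add an overall parity bit precisely to tell that case apart.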
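Added example, not part of the digest and not FILETEST or any other program the list mentions: a CRC32 baseline checker of the kind Jim Molini discusses in "VIRUS SCANNING UTILITIES (pc)", with the development tree pruned out of the baseline so that ordinary build churn does not raise alarms while a change to a production program still does. The directory layout, file names and contents are constructed for the demonstration; `zlib.crc32` stands in for the CRC a 1990 tool would compute.

```python
import os
import tempfile
import zlib

# File types a baseline checker of this kind would track (constructed list).
PROGRAM_EXTENSIONS = {".com", ".exe", ".sys", ".ovl"}

def crc32_of_file(path):
    """CRC32 of a file's contents, computed in chunks so large files are fine."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF

def build_baseline(root, exclude_dirs=()):
    """Map relative path -> (size, crc32) for every program file under root,
    pruning the excluded subtrees (the separate development area)."""
    excluded = {os.path.normpath(os.path.join(root, d)) for d in exclude_dirs}
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(dirpath, d)) not in excluded]
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in PROGRAM_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), crc32_of_file(full))
    return baseline

def compare_baseline(root, baseline, exclude_dirs=()):
    """Rescan and report which program files changed, appeared or vanished."""
    current = build_baseline(root, exclude_dirs)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: EDIT.COM is a production program, dev/NEW.COM is a
    program under development. After both change, the report is built once with
    the dev tree in the baseline and once with it excluded."""
    root = tempfile.mkdtemp()
    _write(os.path.join(root, "EDIT.COM"), b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 64)  # mov ax,4C00h / int 21h, padding
    _write(os.path.join(root, "dev", "NEW.COM"), b"\xC3" * 16)
    baseline_all = build_baseline(root)
    baseline_prod = build_baseline(root, exclude_dirs=["dev"])
    # The developer rebuilds NEW.COM (expected); EDIT.COM changes behind the user's back (not expected).
    _write(os.path.join(root, "dev", "NEW.COM"), b"\xC3" * 32)
    _write(os.path.join(root, "EDIT.COM"), b"\xEB\x10" + b"\x90" * 80)
    return (compare_baseline(root, baseline_all),
            compare_baseline(root, baseline_prod, exclude_dirs=["dev"]))
```

The first report lists both files as changed, which is the false-alarm problem Arthur raises; the second lists only EDIT.COM, which is Molini's smoke-detector-outside-the-kitchen arrangement. A CRC is a checksum, not a cryptographic hash, so this catches accidental and unsophisticated modification only; anything that can forge the CRC, or a stealth virus that presents the original file contents to the checker (Molini's "4096" caveat), defeats it.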
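Added example, not part of the digest and not the Micro-BIT team's code: a minimal scanner for the 7-byte self-recognition marker that Christoph Fischer's "Virus Alert - NEW VIRUS IN GERMANY (PC)" quotes at the start of infected .COM files, combined with a size check against the 1539-byte growth the alert reports. The test directory is constructed; the file carrying the marker contains only those seven bytes plus padding, no virus code, in the same spirit as a test signature file.

```python
import os
import tempfile

# Marker quoted in the alert: the virus looks for it at the start of each .COM
# file to recognise hosts it has already infected.
XA1_MARKER = bytes.fromhex("EB07560A035900")
XA1_GROWTH = 1539  # size increase of an infected host, as reported in the alert

def has_xa1_marker(path):
    """True if the file begins with the quoted 7-byte marker."""
    with open(path, "rb") as fh:
        return fh.read(len(XA1_MARKER)) == XA1_MARKER

def scan_com_tree(root, known_sizes=None):
    """Return sorted (relative path, reason) pairs for suspicious .COM files.
    known_sizes optionally maps relative path -> previously recorded size; a file
    that grew by exactly XA1_GROWTH is reported even if the marker is absent."""
    known_sizes = known_sizes or {}
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".com"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if has_xa1_marker(full):
                findings.append((rel, "marker"))
            elif rel in known_sizes and os.path.getsize(full) - known_sizes[rel] == XA1_GROWTH:
                findings.append((rel, "grew by 1539 bytes"))
    return sorted(findings)

def demo():
    """Constructed tree: a clean program, a file carrying only the marker bytes,
    a file that merely grew by the reported amount, and a non-.COM file that is
    never scanned."""
    root = tempfile.mkdtemp()
    files = {
        "CLEAN.COM": b"\xB8\x00\x4C\xCD\x21",      # mov ax,4C00h / int 21h
        "MARKED.COM": XA1_MARKER + b"\x90" * 16,    # marker only, constructed
        "GROWN.COM": b"\x90" * (100 + XA1_GROWTH),
        "README.TXT": XA1_MARKER,                   # wrong extension, ignored
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return scan_com_tree(root, known_sizes={"GROWN.COM": 100, "CLEAN.COM": 5})
```

A fixed-prefix signature like this identifies only the strain described in the alert, and a variant that changes the marker would pass; the size check is a weak corroborating signal, not a detection on its own. The generic complement is the CRC baseline that Molini's message recommends, which flags any change to a tracked program regardless of which virus made it.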