VIRUS-L Digest   Tuesday, 3 Apr 1990    Volume 3 : Issue 67

Today's Topics:

re: Updated signature files for IBM VIRSCAN (PC)
Confirmed virus infection (PC)
More viruses from Taiwan (PC)
Disinfectant 1.7/New ZUC Virus (Mac)
Small-pox
=VIR? (Mac)
SCAN60 Trojan Reports (PC)
Re: New ZUC virus (Mac)
Re: Death of a Virus
New viruses from South Africa (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  Administrative mail (comments, suggestions, and so forth)
should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    02 Apr 90 00:00:00 -0500
From:    "David.M.Chess"
Subject: re: Updated signature files for IBM VIRSCAN (PC)

Version 1.1 of the program (including new & larger signature files) was
recently released.  Should be available through your IBM Marketing
Representative, and perhaps some dealers.  Not sure if there's an 800
number this time...

DC

------------------------------

Date:    Tue, 27 Mar 90 14:37:34 -0000
From:    Bob Kilgore
Subject: Confirmed virus infection (PC)

FOR INFORMATION ONLY:

An outbreak of Jerusalem virus (1813) was detected here at Oceonics FDS
on 26 Mar. 1990.  There were 26 .COM and .EXE files infected.  The
infection probably occurred on the week of 19 Mar.  It was detected
quickly because the operator was keeping track of file size on backup
listings and 2 very large programs were infected.  The system is a CAD
system and is running a popular CAD program.
There is very little else in the system other than DOS, the CAD system,
and the obligatory Norton Utilities.  The files infected were DOS files:
mouse.co, xt.exe, chkdsk, diskcopy, etc.  There were a number of the
Norton programs contaminated; he thought he had a disk problem.  Four
very large CAD programs, 204K to 387K load modules, were infected and
did not perform correctly.

The CAD system is under a maintenance contract with the vendor and
within the last two weeks has undergone some major updates.  This
involved the installation of new software modules supplied by the
vendor.  This task was begun on the week of 12 Mar. and the software
became 'flaky'.  The vendor told us they had found a bug in the new
release disks and sent us another set that would correct the problem.
The second set was installed the week of 19 Mar.  We have reached the
conclusion that the virus was probably attached to the second set of
disks.  We could not check all of the new disks since four were
forwarded to our Gloucester facility to upgrade their system.  It is a
bit unfortunate that the Gloucester people rang us up during my
evaluation of the problem to inform me that they had a suspected virus.

I have no hard evidence that the disk came from the vendor, you won't
find their name here, but it seems highly likely.

I want to thank Dr. Solomon for the virus tool-kit.  It did a superb
job of identification and made life easy in the recovery of the system.
There was never any 'real' danger since the operator is a very firm
believer in regular backups, and the retention of the backup
documentation.

BOB

Forgot to mention the original update disks came from the U.S. of A.

------------------------------

Date:    Mon, 02 Apr 90 18:49:51 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: More viruses from Taiwan (PC)

A few days ago I reported a number of computers arriving infected from
Taiwan.  This does not seem to be limited to one manufacturer (Nothern
International).
A computer from a company named "Jafuco" arrived infected with not one,
not two, but three different viruses: "Stoned", "Brain" and "Jerusalem".

This is the first reported occurrence of "Stoned" here in Iceland, and
both "Brain" and "Jerusalem" have been very rare here.

Is there a major virus epidemic in Taiwan or what?

- -- 
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |

------------------------------

Date:    Mon, 02 Apr 90 20:24:52 -0400
From:    jln@acns.nwu.edu
Subject: Disinfectant 1.7/New ZUC Virus (Mac)

Disinfectant 1.7
================

April 2, 1990

Disinfectant 1.7 is a new release of our free Macintosh virus detection
and repair utility.  Version 1.7 recognizes the new ZUC virus.  Thanks to
Don Zucchini and Francesco Giagnorio for discovering and reporting this
new virus.

The ZUC Virus
=============

The ZUC virus was first discovered in Italy in March, 1990.  It is named
after the discoverer, Don Zucchini.

ZUC only infects applications.  It does not infect system files or data
files.  Applications do not have to be run to become infected.

ZUC was timed to activate on March 2, 1990.  Before that date it only
spread from application to application.  After that date, approximately
90 seconds after an infected application is run, the cursor begins to
behave unusually whenever the mouse button is held down.  The cursor
moves diagonally across the screen, changing direction and bouncing like
a billiard ball whenever it reaches any of the four sides of the screen.
The cursor stops moving when the mouse button is released.

The behavior of the ZUC virus is similar to that of a desk accessory
named Bouncy.  The virus and the desk accessory are different, and they
should not be confused.  The desk accessory does not spread, and it is
not a virus.  ZUC does spread, and it is a virus.

ZUC has two noticeable side effects.
On some Macintoshes it causes the desktop pattern to change.  It also
often causes long delays and an unusually large amount of disk activity
when infected applications are opened.

ZUC can spread over a network from individual Macintoshes to servers and
from servers to individual Macintoshes.

Except for the unusual cursor behavior, ZUC does not attempt to do any
damage.

Vaccine is not effective against ZUC.  GateKeeper 1.1.1, however, is
effective against ZUC.

ZUC does not change the last modification date when it infects a file,
so you cannot use the last modification dates in the Disinfectant report
to trace the source of a ZUC infection.

Other Changes in Version 1.7
============================

Some people have used ResEdit to add a copy of the standard system WDEF 0
resource to Desktop files in an attempt to inoculate their disks against
the WDEF virus, even though we do not recommend this practice.  Version
1.6 incorrectly reported that such Desktop files were infected by an
unknown strain of WDEF.  This problem has been fixed in version 1.7.

Some of the nVIR clones have offensive names.  These names appeared in
plain text in various resources in Disinfectant version 1.6, and caused
concern for some people who discovered them using ResEdit or a file
editor.  Version 1.7 encodes the resources so that the names do not
appear in plain text.

Version 1.6 contained an error which could cause crashes, hangs,
unexpected error messages, or other unusual behavior in some
circumstances.  The error is corrected in version 1.7.

How to Get a Copy of Version 1.7
================================

Disinfectant 1.7 is available now via anonymous FTP from site
acns.nwu.edu [129.105.49.1].  It will also be available soon on
sumex-aim, rascal, comp.binaries.mac, CompuServe, Genie, Delphi, BIX,
MacNet, America Online, Calvacom, AppleLink, and other popular sources
for free and shareware software.
Macintosh users who do not have access to bulletin boards, networks, user
groups, or online services may obtain a copy of Disinfectant by sending a
self-addressed stamped envelope and an 800K floppy disk to the author at
the address below.

John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208

Bitnet:     jln@nuacc
Internet:   jln@acns.nwu.edu
CompuServe: 76666,573
AppleLink:  A0173

------------------------------

Date:    Mon, 02 Apr 90 13:25:00 -0400
From:    WHMurray@DOCKMASTER.NCSC.MIL
Subject: Small-pox

WHM:

>To return to the biological analogy, it clearly demonstrates that YOU CANNOT
>STOP THE SPREAD BY TREATING THE SYMPTOMS OF THE INFECTED.

Then H. Treftz:

> I think when a discussion of a virus and how to deal with a virus
>is talked about it is a good idea to take a look at the first disease
>that man has been able to eliminate totally.  That is the Small Pox
>virus.  How small pox was eliminated is fairly simple.  First the
>conditions that led to small pox were eliminated the individual cases
>were dealt with and treated so they could not spread.

While I am sure that neither the author nor the editor intended it, this
appears to be a rebuttal.  The description of the elimination of
small-pox is so incomplete as to suggest that hygiene, treatment, and
quarantine alone, or in combination, might have been effective.  This is
certainly not true in the case of small-pox and appears to be untrue in
the case of computer viruses.

While it is true that residual cases and instances of small-pox were
tracked down, one at a time, and while it is true that quarantine was
useful, the major weapon in the elimination of Small Pox was an
effective, specific, low-risk, low-cost vaccine massively and
pervasively applied.

I encourage the use of prophylaxis.  It is extremely effective against
infection by computer viruses.  If you are interested in protecting your
system, you may rely upon it.
However, while it can protect specific systems, it cannot be applied
consistently and broadly enough to contain the growth and spread.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date:    02 Apr 90 10:45:59 +0000
From:    paul@tenset.UUCP (Paul Andrews)
Subject: =VIR? (Mac)

Whilst trying to sort out a corrupted desktop file recently I noticed a
resource of the type '=VIR' (or maybe it was 'not equals'VIR).  Anybody
know what this is?  I'm running gatekeeper and use disinfectant and
neither seem bothered by its presence...

- ------------------------------------------------------------
| Paul Andrews          | Post: Tenset Technologies Limited, |
| paul@tenset.uucp      |       Norfolk House,               |
| Phone: +44 223 328886 |       301 Histon Road,             |
| Fax: +44 223 460929   |       Cambridge CB4 3NF, UK.       |
- ------------------------------------------------------------

------------------------------

Date:    Sun, 01 Apr 90 11:58:12 -0700
From:    Alan_J_Roberts@cup.portal.com
Subject: SCAN60 Trojan Reports (PC)

This is a forward from John McAfee:
==========================================================================

A number of reports of a trojan in SCANV60 have been floating around for
the past two weeks, but so far I have not talked to anyone who has a
copy of this allegedly hacked version.  SCAN60 has indeed been released
and the original ZIP file size is 44482.  However, if your ZIP file size
is different than this, it does not mean that the file has been hacked.
Many people pass on the programs in a re-Zipped file that has been
archived using a different version of ZIP, or some people forget to pass
the registration document (or other element that they deem unessential
to the utility of the package) along with the newly Zipped file.  The
critical elements are the executable files.
These files have all been validated prior to distribution and the
validation information (and VALIDATE program) are included in the
distribution file.  If the validation information is suspect, or you
believe it may also have been tampered with, you may call HomeBase 24
hours a day to access the on-line validation data base.  This data base
cannot be tampered with so the information is secure.  The same
validation program has been shipped with each version of SCAN since
version 46, so if you have a version that you trust, then you need not
replace it when new versions of SCAN are released.  If you are still
unsure, then download the validate program directly from HomeBase -
408 988 3832.

The validation information for Version 60 should be:

        SCAN.EXE program size - 43,277;
        Creation Date - 03-18-90;
        Validation method 1 - A8F6;
        Validation Method 2 - 1C09.

Remember that creation dates for the ZIP file will change each time the
ZIP file is downloaded to a system.  The EXE dates inside the ZIP file
should not change.  If anyone does have what they believe is a bogus
copy of SCANV60 then please call us at 408 988 3832.  Thank you.

John McAfee

------------------------------

Date:    03 Apr 90 06:25:50 +0000
From:    rcoahk@koel.co.rmit.OZ.AU (Alvaro Hui Kau)
Subject: Re: New ZUC virus (Mac)

AUBXG@ASUACAD.BITNET (Ben Goren):
> Does anyone know if Gatekeeper/Gatekeeper Aid will block this?  It
> sounds like it will, but has anyone checked?

How about SAM or virex????

------------------------------

Date:    Tue, 03 Apr 90 06:15:13 +0000
From:    Dave Ihnat
Subject: Re: Death of a Virus

a10hat8@cs.niu.edu (Henry Treftz) writes:

> I think when a discussion of a virus and how to deal with a virus
>is talked about it is a good idea to take a look at the first disease
>that man has been able to eliminate totally.  That is the Small Pox
>virus.  How small pox was eliminated is fairly simple.
>First the
>conditions that led to small pox were eliminated then individual cases
>were dealt with and treated so they could not spread.
> So I think a similar method should be used in dealing with a
>computer virus.  I would recommend an issue of National Geographic that
>talked about Small Pox.  I believe the issue is from 1978 some time
>but. . . .

Nice idea.  The problem here is that the root cause of the virus
explosion is the underlying hardware itself; unlike with humankind,
elimination of the conditions that lead to viruses basically means
redesigning the computers that are attacked to eliminate the simplistic
hardware model that allows full access to the single user.  In many
instances, this is happening in a rather interesting way; as such DOS
emulators as Simultask and VP/IX mature, we're seeing people run DOS
applications on these virtual machines.  But the elimination of the
susceptibility--while, I assure you, necessary and almost a certainty in
the long run--is a significant economic undertaking that will probably
not be deemed necessary (risk vs. cost) for some time by most vendors or
corporations.

------------------------------

Date:    Tue, 03 Apr 90 09:53:55 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: New viruses from South Africa (PC)

The following viruses have recently been reported in South Africa.

Pretoria (alias June 16th)

Infects .COM files only, enlarging them by 879 bytes.  When an infected
file is run, all .COM files on the current drive will be infected.  This
makes the virus rather easily detectable - the time it takes to start a
program may grow enormously, as the virus does a recursive scan on the
directory tree.  On June 16th, all entries in the root directory are
changed to 'ZAPPED'.  The virus is reported to be encrypted.

Durban (alias Saturday the 14th)

This virus infects both .COM and .EXE files, adding 669-684 bytes to
their length.
It is resident, and will activate on Saturday the 14th, overwriting the
first 100 sectors on drive C: (followed by B: and A:).

I do not have any more information available, as I have not yet received
a copy of the viruses.

- -- 
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
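Added example, not part of the digest above.  Two of the reports in this
issue turn on file sizes: Bob Kilgore's Jerusalem outbreak was noticed
because the operator compared executable sizes against backup listings,
and Fridrik Skulason's South Africa report gives the per-file growth of
Pretoria (879 bytes, .COM) and Durban (669-684 bytes).  The script below
implements that check as a practitioner would: parse two directory
listings (a known-good baseline and a current one), report every .COM or
.EXE that is new or changed size, and label growth that matches an
increment quoted in this issue (Jerusalem's 1813 is the only figure the
digest gives for it).  It also compares a listed size against a published
one, in the spirit of the SCAN.EXE figure in John McAfee's message.  The
"NAME SIZE" listing format and every sample file name and size are
constructed for the example; the functions and constants are mine.

```python
"""Flag executables whose size changed between two directory listings.

Added example for this page, not code from the digest.  The listing format
("NAME SIZE" per line) and all sample names and sizes below are constructed.
"""

# Size increments quoted in the digest for specific viruses.  Jerusalem's
# figure is the one given in Bob Kilgore's report; the digest gives no
# separate .EXE figure for it.
KNOWN_GROWTH = {
    1813: "Jerusalem (1813)",
    879: "Pretoria / June 16th",
}
KNOWN_GROWTH_RANGES = [((669, 684), "Durban / Saturday the 14th")]

EXECUTABLE_EXTENSIONS = (".COM", ".EXE")

# Constructed listings: a baseline copied from a known-good backup log and
# a current listing of the same directory.  Three programs have grown by
# exactly 1813 bytes, one data file changed, and a new .COM has appeared.
BASELINE_LISTING = """
# name         size
CHKDSK.COM     9850
DISKCOPY.COM   10428
MOUSE.COM      14500
XT.EXE         25000
CAD.EXE        204800
README.TXT     2048
"""

CURRENT_LISTING = """
CHKDSK.COM     11663
DISKCOPY.COM   12241
MOUSE.COM      14500
XT.EXE         25000
CAD.EXE        206613
README.TXT     3000
NEWTOOL.COM    1234
"""


def parse_listing(text):
    """Turn 'NAME SIZE' lines into {NAME: size}; names upper-cased as DOS is case-insensitive."""
    sizes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, size = line.rsplit(None, 1)
        sizes[name.upper()] = int(size.replace(",", ""))
    return sizes


def label_growth(delta):
    """Name the virus whose quoted increment matches a positive size delta, else 'unknown'."""
    if delta in KNOWN_GROWTH:
        return KNOWN_GROWTH[delta]
    for (low, high), name in KNOWN_GROWTH_RANGES:
        if low <= delta <= high:
            return name
    return "unknown"


def compare_listings(baseline, current):
    """Return (name, old_size, new_size, note) for each executable that is new or changed size.

    Every size change on an executable is reported, not only those that match a
    known increment: a legitimate update also changes sizes, and a virus not in
    the table will simply be labelled 'unknown'.
    """
    findings = []
    for name in sorted(current):
        if not name.endswith(EXECUTABLE_EXTENSIONS):
            continue  # the viruses in this issue infect .COM/.EXE; data files change normally
        new_size = current[name]
        old_size = baseline.get(name)
        if old_size is None:
            findings.append((name, None, new_size, "new executable, not in baseline"))
        elif new_size > old_size:
            delta = new_size - old_size
            findings.append((name, old_size, new_size,
                             "grew by %d bytes: %s" % (delta, label_growth(delta))))
        elif new_size < old_size:
            findings.append((name, old_size, new_size,
                             "shrank by %d bytes" % (old_size - new_size)))
    return findings


def check_published_sizes(current, published):
    """Compare listed sizes with sizes the vendor published (e.g. SCAN.EXE 43,277 here).

    Returns {NAME: (listed_or_None, expected)} for every mismatch.  A matching
    size is only weak evidence; the VALIDATE checksums in the digest are the
    real check, and this function does not reproduce them.
    """
    mismatches = {}
    for name, expected in published.items():
        listed = current.get(name.upper())
        if listed != expected:
            mismatches[name.upper()] = (listed, expected)
    return mismatches


if __name__ == "__main__":
    base = parse_listing(BASELINE_LISTING)
    now = parse_listing(CURRENT_LISTING)
    for name, old, new, note in compare_listings(base, now):
        print("%-14s %8s -> %8d  %s" % (name, old, new, note))
    # Constructed: a SCAN.EXE listed at the wrong size against the published 43,277.
    print(check_published_sizes({"SCAN.EXE": 43000}, {"SCAN.EXE": 43277}))
```

The check only sees parasitic file infectors.  Stoned and Brain, also in
this issue, live in boot sectors and change no file sizes, so a size
comparison says nothing about them; and as John McAfee's message points
out, an unchanged size is not proof of an unchanged file, which is what
the validation checksums are for.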