VIRUS-L Digest   Friday, 20 Apr 1990    Volume 3 : Issue 78

Today's Topics:

Authoritative/Comprehensive List of Viruses (and Antidotes)?
Yankee doodle, code size =7026 (PC)
Code Size = 7026 (PC)
Virus outbreak in China! (PC)
Dirty Tricks B (PC)
Virus Outbreak in China Reported
Re: Death of a Virus
Re: Virus in Text Files
Why there are no mainframe virii
Re: PCs v. Mainframes
Re: Hardware protection and the spread of viruses (PC)
New viruses (PC)
Disinfecting a Macintosh
Detecting "smart" viruses
RE:virus protection from OS in ROM

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  Administrative mail (comments, suggestions, and so forth)
should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    17 Apr 90 17:23:14 +0000
From:    sppy00!sed@saqqara.cis.ohio-state.edu
Subject: Authoritative/Comprehensive List of Viruses (and Antidotes)?

I'm looking for a list of all(?) or at least the major viruses which
are circulating about.  If someone could direct me to a publication I'd
be most appreciative.  If you're unaware of this kind of comprehensive
list, send what you do know and I'll summarize.  I was thinking about
something like this:

Virus Name:
Symptoms:
How Distributed:

I'll summarize to the net (naturally!) on everything I get.
My address is --> sppy00!sed@saqqara.cis.ohio-state.edu

- --
Bringing information to people!

------------------------------

Date:    Wed, 18 Apr 90 12:36:00 -0400
From:    Wallace@DOCKMASTER.NCSC.MIL
Subject: Yankee doodle, code size =7026 (PC)

Can anyone provide information on the Yankee Doodle Virus?  Vesselin
(Last Name Forgotten, sorry) gave details on a version in Bulgaria, but
mentioned that there was a separate version in the Western World.  Can
anyone confirm or deny this, or provide details??

Thanks,
Mark C. Wallace breah Sullivan

------------------------------

Date:    Wed, 18 Apr 90 12:41:00 -0400
From:    Wallace@DOCKMASTER.NCSC.MIL
Subject: Code Size = 7026 (PC)

Jeff Shulman's Virus Detective can produce a report that a given
application has "code size = 7026".  Does anyone know what this means???
(I haven't seen the actual warning, so I can't answer for the
capitalization or spacing)

Thanks,
Mark C. Wallace breah Sullivan

------------------------------

Date:    Wed, 18 Apr 90 20:43:00 -0000
From:    MCGDRKG@CMS.MANCHESTER-COMPUTING-CENTRE.AC.UK
Subject: Virus outbreak in China! (PC)

I thought I would forward this to the group as a matter of interest.
It was taken from JBH Online (Wed. 18th Apr.)

- - - - - - - - - - - Start of forwarded note - - - - - - - - - -

China: Computer viruses reported

BBC

The China Daily newspaper reports that a large scale infection of the
country's computers began last Friday, 13 April, when several computer
viruses, including the Jerusalem virus, are believed to have been time
activated.  At least six separate computer viruses have been identified
in Beijing alone.  The BBC is introducing its report of the China Daily
story by referring to the large scale infection as "sabotage."
R.Gowans
- -----------------------------------------------------------------------------
                                JANET:       R.Gowans@uk.ac.MCC
                                Internet:    R.Gowans%MCC.ac.uk@cunyvm.cuny.edu
Dept Civil Eng,                 EARN/BITNET: R.Gowans%MCC.ac.uk@UKACRL
U.M.I.S.T,                      UUCP:        ...!ukc!umist!R.Gowans
Sackville Street, Manchester.   FAX:         [044 61 | 061] 200-4016
M60 1QD.

------------------------------

Date:    Wed, 18 Apr 90 16:24:24 -0900
From:    "Big MAC..."
Subject: Dirty Tricks B (PC)

I have found Dirty Tricks B on my computer in Various Files.  The only
program that recognizes it is AVS that I FTP'd from MIBSRV.  Can anyone
help me figure out what and HOW to do something about it?  SCAN v60
does not pick it up.  Has anyone else had this problem with AVS?

------------------------------

Date:    Thu, 19 Apr 90 08:58:00 -0500
From:    Sanford Sherizen <0003965782@mcimail.com>
Subject: Virus Outbreak in China Reported

The Wall Street Journal reported today (April 19, 1990) that a virus
outbreak destroyed or damaged data in thousands of computers throughout
China last week, according to the official New China News Agency.

I thought that Virus-L people might be interested in this news.

Sandy

------------------------------

Date:    Wed, 18 Apr 90 17:23:14 +0000
From:    Dave Ihnat
Subject: Re: Death of a Virus

CHESS@YKTVMV.BITNET (David.M..Chess) writes:

>I disagree with the second, though; unless you label any setting of
>access levels that allows some programs to write to others as
>an "error", viruses can spread even in systems that have reliable
>access controls which are being used properly and without error.
>How many installations can you think of where no program *ever*
>legitimately writes to another?

Yes, that's an error.  I can think of no case whatsoever that
*requires* any program to write to another *program* as a matter of
course in the day-to-day execution of that program.  In all cases,
alternative methods may be employed which permit the executables
themselves to remain inviolate.
Presumably, the software generation cycle (compile/assemble/link-edit)
can, and will, be performed in such a manner as to guarantee the
installation of clean executables before write permission to all is
revoked.  On a regular basis, one of the first things I do on a
security scan of systems is remove write permission from all
executables!

This may bring howls of "Not so!", but frankly, they don't belong in
this group.  I will answer any scenario anyone may contrive which seems
to require on-the-fly modification of executable files with
alternatives which, on various operating systems, make use of data
files, shared memory segments, global sections, message queues, etc.
In general, make programs data-driven, but don't change the code!  But
if you wish to indulge in this gedanken experiment to prove me wrong,
please do so with me via E-mail, and after a period, if necessary, we
can summarize to the net.

>I think the reasons that we have seen microcomputer viruses, but no
>large-system viruses are primarily "cultural" (writing viruses hasn't
>become "the thing to do" in the mainframe underground, there simply
>aren't as many mainframe programmers, large installations don't tend
>to exchange software yet, and so on).

Well, maybe.  Seems that the last I heard, there were well over 100,000
Xenix licenses out there; there are certainly at least tens of
thousands of Unix installations of all flavors, running in everything
from major research and industrial installations to my den.  Most
universities can tell you that such ploys as the "login trojan" are
common once people become familiar with Unix.  I think you're right in
that sharing of BINARIES isn't common; but look at the HUGE body of PD
and shareware source that proliferates on USENET, and is archived and
freely available to all and sundry via either ftp or anonymous uucp
from a large number of archive sites.
I have to believe that the same yahoos who think viruses are fun things
on single-user OS machines like PCs and Macs would love to infect Unix
and VMS systems, if they could.  I really do believe that these systems
are more difficult to circumvent, and this has, to some extent,
accounted for great disparity in the number of successful attacks on
these systems as compared to the single-user boxes.  (Of course, when
they succeed, they seem to be rather spectacular, viz. Robert Morris'
Internet worm...)

Dave Ihnat
ignatz@homebru.chi.il.us (preferred return address)
ignatz@chinet.chi.il.us

------------------------------

Date:    19 Apr 90 14:34:13 +0000
From:    nvuxr!ccw@bellcore.bellcore.com (christopher wood)
Subject: Re: Virus in Text Files

flaps@dgp.toronto.edu (Alan J Rosenthal) writes:

>cdss!culliton@uunet.UU.NET (Tom Culliton) writes:
>>How many times has this question been answered?  If you can't execute the
>>file or run it via an interpreter it can't carry a virus.

>A counterexample to this assertion is the wdef viruses on the macs.  They are
>carried in the Desktop file which is a data file describing the layout of the
>windows.

I don't think that WDEF is a counterexample; WDEF resources ARE
executed; the WDEF virus is tricky in that it hides an executable
resource in a place that isn't supposed to have executable resources.
You CAN, in rare circumstances, execute the WDEF resource in the
desktop file.

[comments on source-code viruses trimmed]

- --
Chris Wood
Bellcore
...!bellcore!nvuxr!ccw or nvuxr!ccw@bellcore.bellcore.com

------------------------------

Date:    19 Apr 90 18:48:13 +0000
From:    vronay%nunki.usc.edu@usc.edu (Iceman)
Subject: Why there are no mainframe virii

I think that the reason that there are "no" mainframe virii is social.
A person does not have to spend ten years learning all of the ins and
outs of a Macintosh to learn how to write a virus.
Any programmer can go into the nearest Walden's books and walk with
Inside Mac, and (in a few months) s/he can write a virus of the same
"quality" as any that exist today.  Mainframes, with their more
complicated operating systems, do not lend themselves to casual
hacking.  If you want to write a Unix virus, you have to devote some
SERIOUS time to learning UNIX.  This dissuades the casual user from
creating UNIX virii.

This is not to say that Mainframe virii do not exist.  I believe that
they do, and are in fact more widespread than people think.  I would
contend that the main use of viral code is to steal information from a
remote computer system, and all the "good" stuff to steal is on
mainframes.  People who write mainframe virii generally have a specific
target in mind, and they write code that gets in, gets the information,
and gets out again undetected.  They are not after notoriety in the way
that someone who writes an IBM-PC virus which formats hard disks is.

I tend to see that the PC virus problem, while annoying, is fairly
tame.  As long as people are writing virii which reveal themselves
(whether on purpose or through programming errors), I do not fear.  Of
much greater concern are the high-tech thieves who are not foolish
enough to leave traces.

- -ice

PS: And if you think data pirating is a cyberpunk fantasy, you are
mistaken.

- -==============================
reply to:   iceman@applelink.apple.com
Applelink:  ICEMAN
disclaimer: (apples-opinion-p (opinion 'ice)) => nil
- -==============================

------------------------------

Date:    19 Apr 90 21:00:13 +0000
From:    zben@umd5.umd.edu (Ben Cranston)
Subject: Re: PCs v. Mainframes

There have been virus-like objects in mainframe environments.  Some
years ago we got the binary program "animal" for our Unisys 1100.  It
played a game where it tried to guess the animal you were thinking of.
It basically asked the questions at the branches of a binary tree; when
it got to the end it asked "is your animal a "; if you said that it
wasn't, it then asked for the name of the animal, then asked for a
question that would distinguish the new animal from the animal, then
added a node at the leaf branching to the old leaf and the new animal.
Outside of a few "one eyed trouser snakes" it was pretty benign.

Little did we realize that it was ALSO looking for writeable
directories and copying itself into those directories.  :-)  We actually
saw it at the end of one of the Unisys distribution tapes, so we
assumed their distribution machine was well infected.  This must have
been in the late 1970s or early 1980s (hi Alan!)

- --
"It's all about Power, it's all about Control
 All the rest is lies for the credulous"
- -- Man-in-the-street interview in Romania one week after Ceaucescu execution.

------------------------------

Date:    19 Apr 90 20:59:42 +0000
From:    consp11@bingsuns.cc.binghamton.edu (Brett Kessler)
Subject: Re: Hardware protection and the spread of viruses (PC)

AGUTOWS@WAYNEST1.BITNET (Arthur Gutowski) writes:

|>With all the discussion of this going around lately, I had a thought.
|>Doesn't the Amiga use EPROMs for its operating system?  I'm told that
|>under this type of system, when you order and receive a new version of
|>the operating system, you flip the write-enable switch on for the
|>EPROM, install the new operating system into the EPROM, flip the
|>enable switch off, reboot, and you're off.

Actually, it's not that easy.  True, the OS (KickStart) is on a chip,
but upgrading requires the replacement of the chip set.  That's the
_computer's_ operating system.  The DOS, however, is not stored on a
chip, it is stored in the C directory of the bootup disk, plus the boot
sector of the bootup disk has a bit of code to allow the machine to do
its bootup.
Brett Kessler
consp11@bingvaxu.cc.binghamton.edu
consp11@bingvaxa.BITNET
(PeopleLink) B.KESSLER

------------------------------

Date:    Thu, 19 Apr 90 14:57:19 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: New viruses (PC)

Three new viruses

Anarkia, a YAJVV (Yet Another Jerusalem Virus Variant) appeared
recently.  It is very close to the original version - so close that
some anti-virus programs are not able to notice the difference.  The
description I received follows - perhaps some kind soul would translate
it into English.

    Anarkia virus.  It is a fairly deep modification of Friday the
    13th.  It acts the same as the earlier one, but slows down all
    operations from the one-hour mark, not from thirty minutes as
    Friday the 13th does.  In this variation of the virus the
    destructive effect is on 12 October.  The choice of this date is
    not clear, perhaps because the following day is a Friday the 13th
    and it is meant to give the scare one day early, or perhaps
    because the 12th is the Dia de la Hispanidad.  It can be located
    easily by searching for the string "ANARKIA".

I had to remove the accent marks to get this through the mail system.

Another new virus is the Kennedy - It is a simple 333 byte direct-action
.COM infector.  I believe the virus is only known in Denmark.  It
activates on three different dates:

    November 22nd  (John F.)
    June 6th       (Robert ? - I thought it was June 5th)
    November 18th  (don't know why - maybe the oldest brother died on this date ?)

On this date it will display a message (in Danish) that translates to:

    Kennedy is dead - long live 'The Dead Kennedys'

I have sent a copy of it to McAfee and others, but owners of F-PROT can
add the following line to SIGN.TXT to enable detection of 'Kennedy'.
Kennedy YEBm-MD52u6FcMV5kMqqmgIAWLuHljjmaYVruOT57v2uf8oL39

1971

This is a resident, .COM and .EXE infecting virus from Germany, 1971
bytes long.  A search string:

1971 jCJMK52mY2MjNM36gngj+kHO07M4tF48m4cjMT5mgRTMQjBy6v

For detection of some of the other viruses reported recently, the
following lines should be added (or you can just wait for version 1.09,
which will be sent out after next weekend, as soon as it is able to
detect and remove the 1720, 1210 and Amoeba viruses)

Durban fExnSmyMy2jM5j9rJB8XK60zQMH5Ynl6jXa2Mnj53qnh5CAy2C
Pretoria IVkMAjy5fPWVosyPdWciLq0FKH6j5m8oEyYkN57f76tt4aHv
XA1 g7TTy5-mUM8Hmm5MsY28fH8cR7jfAu1CYYO8Ui5588wvU+mj-C

- --
Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |

------------------------------

Date:    Thu, 19 Apr 90 12:25:24 -0400
From:    Peter Jones
Subject: Disinfecting a Macintosh

This is probably a dumb question for the veteran MAC users but here
goes.  A friend of mine tells me he needs to disinfect his MAC.  I can
get hold of the anti-virus programs with no problem.  But what bothers
me is how does one prevent the memory from being reinfected from the
hard disk, when the MAC is booted from a known good OS.  On the PC, one
boots from a clean DOS; the hard disk isn't accessed until an explicit
command is given.  Doesn't the MAC read its hard disk as soon as it
finds it?

I would appreciate very explicit instructions for my friend, as I may
be able to be present at my friend's machine when the disinfection is
done.

"Let your flippers do the walking" :-)

Peter Jones  (514)-987-3542
Internet: Peter Jones ?
UUCP: ...psuvax1!uqam.bitnet!maint

------------------------------

Date:    Thu, 19 Apr 90 14:16:08 -0400
From:    David_Conrad%Wayne-MTS@um.cc.umich.edu
Subject: Detecting "smart" viruses

sverrehu@ifi.uio.no (Sverre Holmsen Huseby) writes:

>About the viruses that desinfects [sic] (program-)files when
>they are opened, and reinfects [sic] them when they are closed:
>
>Would it be possible for a checksum-program to detect
>this by recording the time taken to check the file?
>
>I assume the des-[sic]/re-infection takes a couple of timer ticks!

The difficulty with this is two-fold: First, it may not actually take
any timer ticks to dis-/re-infect the file, and second, there are many
other events which could alter the total time to check the file.

How could it not take any time to dis-/re-infect the file?  Well, it
would take some time, but a timer tick is an awfully long time to a
computer, and for a fast processor to strip the last 4096 bytes off a
file would not take long at all.  For example, on an 80x86 all that is
required is a repeated store byte instruction (which executes very
quickly) to fill the tail of the last meaningful buffer with zeroes,
and then set the file length/buffer length to indicate the appropriate
number of meaningful bytes in the last buffer.  Hardly any time at all.
And no time to reinfect the file, since the disk image remains
unchanged.  (I chose 4096 bytes because the 4096 virus is one of these
"smart" ones.)

But more important is the second problem, that of other factors
affecting the time.  Disk fragmentation.  Interrupts occurring and
being handled.  Background processing (in MS-DOS there are TSR's, and
there are other, multitasking OS's too).  Imagine the case where the
check is of a file on a highly fragmented disk, which was not
fragmented when the checksum was generated.  The disk read takes much
longer than it did originally.  And during this time, the user is
busily typing the next command, causing a dozen or so keyboard
interrupts.
And the alarm clock program running in the background is awakened by
the timer tick, decides the alarm time has arrived, and takes over for
half a second to produce a beeping sound.  The total time for the check
is quite different, yet a delaying factor I have pointedly *not*
mentioned is the disinfecting of the file 'on the fly'!  This may or
may not have happened, and would be a minor factor in the overall time.

And there are many, many other possible factors.  The file could have
been copied to a different, slower medium.  There may be a file handle
cache (such as FASTOPEN) or a file data cache operating, or there may
have been one operating when the file was originally checked.  And so
on, and so on....

For this process to have even a chance of working, everything must be
exactly as it was when the file was originally checked.  According to
the conventional wisdom, we must boot from a secure, non-infected
source to perform the check.  It seems to me that the latter is an
easier constraint to satisfy than the former.

Regards,
David R. Conrad

David R. Conrad       (preferred) dconrad%wayne-mts@um.cc.umich.edu
/\/\oore Soft\/\/are              dave@thundercat.com
Disclaimer: No one necessarily shares my views, but anyone is free to.

------------------------------

Date:    20 Apr 90 13:08:00 +0700
From:    "Okay, S J"
Subject: RE:virus protection from OS in ROM

>Date: Tue, 17 Apr 90 16:39:52 -0400
>From: Arthur Gutowski
>Subject: Hardware protection and the spread of viruses (PC)
>
>With all the discussion of this going around lately, I had a thought.
>Doesn't the Amiga use EPROMs for its operating system?  I'm told that
>under this type of system, when you order and receive a new version of
>the operating system, you flip the write-enable switch on for the
>EPROM, install the new operating system into the EPROM, flip the
>enable switch off, reboot, and you're off.

Well, the entire OS is still on media as of AmigaDOS 1.3 (the latest
rev), but with 1.4 due out in a week or two, that may change.
Currently though, only Kickstart 1.3 is in ROM.  This is also a
regular, non-writeable ROM (I know, I put mine in my HD controller last
summer).  What Kickstart does is provide bootstrap code for the Amiga
to load AmigaDOS.  Previously, you had to power on with a Kickstart
diskette in the drive, then boot with AmigaDOS.  However, KS has been
in ROM since the A2000 was released in 1987.  While this may seem a
little silly, keep in mind that the Amiga can boot as either an Amiga,
Mac, DOS-compatible, or UNIX box (the Mac and DOS functions require
expansion cards), so you only want to boot to the lowest level needed
and then let whoever take it from there.

>expensive adventure, but couldn't something like this be applied to
>PCs?  Granted, it wouldn't eliminate viruses.  As has been discussed,
>as long as there is an application development area and software
>trading, the possibility for viruses exists.
>But wouldn't this
>eliminate an entire class of viruses (namely boot-sector and
>partition-table infectors)?

Actually, until recently, the only viruses we had to contend with were
boot infectors.  Then somebody went out and created XENO and BGS, so
now we also have to keep track of file infectors.  (Side note here,
wanna see a virus spread *REAL* fast??--try letting it infect your CRON
daemon and see how fast it propagates!!--XENO took out my hard disk
inside an hour.)  Fortunately, we do have a pretty good set of tools to
fight the beasties with.  (If you have an Amiga and don't have VIRUSX
4.0, get it!!)

>With the entire OS in ROM, there is no
>longer a need for executable code in the partition/boot record--it
>becomes merely a media/layout descriptor.  This of course all operates
>under the assumption that you never receive an infected OS.

True...true...but still a good idea in general.  What do you do for
minor bug updates or patches though?  --a chip swap would be
frightening to joe_user for every minor upgrade/bug fix though.  There
has been some talk in the past about moving the standard libraries and
handlers into ROM.  Maybe in 1.5 :)

>Just a thought,
>     Art

- -------------
Stephen Okay   OKAY@TAFS.MITRE.ORG
Technical Aide, The MITRE Corporation
Claimer: Yes, you're right, these are *MY* opinions

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
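The on-the-fly disinfection that David R. Conrad describes in "Detecting "smart" viruses" above, and his conclusion that the checksum must be taken from a clean boot rather than inferred from timing, modelled as an added example (not code from the digest or from any program it names). The program file, its 4096-byte tail and the end marker are constructed for the simulation, and a Python function stands in for the resident hook that strips the tail when the file is read:

```python
import hashlib
import os
import tempfile

TAIL_LEN = 4096                              # appended length Conrad cites for the 4096 virus
TAIL_MARK = b"<<constructed-stealth-tail>>"  # constructed marker so the simulated hook can find the tail


def baseline(data: bytes) -> tuple:
    """What a checksum program records for a clean file: its length and hash."""
    return len(data), hashlib.sha256(data).hexdigest()


def read_raw(path: str) -> bytes:
    """The true disk image, as seen when booted from a clean, non-infected source."""
    with open(path, "rb") as fh:
        return fh.read()


def read_through_hook(path: str) -> bytes:
    """Simulates the resident virus intercepting the open/read: the appended
    tail is dropped on the fly, so the caller sees the program exactly as it
    was before infection.  Nothing on disk is rewritten, which is why the
    time taken by the check carries no reliable signal."""
    data = read_raw(path)
    if data.endswith(TAIL_MARK):
        return data[:-TAIL_LEN]
    return data


def verify(path: str, recorded: tuple, reader) -> bool:
    """True when the file, read via 'reader', matches its recorded baseline."""
    return baseline(reader(path)) == recorded


def constructed_infection(data: bytes) -> bytes:
    """On-disk image of an 'infected' file for the simulation: the original
    program plus 4096 inert bytes ending in the marker (no real code)."""
    pad = b"\0" * (TAIL_LEN - len(TAIL_MARK))
    return data + pad + TAIL_MARK


def demo() -> tuple:
    """Run the same integrity check twice on one constructed file.
    Returns (passes_on_infected_system, passes_from_clean_boot)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "PROG.COM")
        original = b"constructed program image " * 40  # stands in for a clean .COM
        recorded = baseline(original)                   # checksum taken while clean
        with open(path, "wb") as fh:
            fh.write(constructed_infection(original))   # the file is infected later
        return (verify(path, recorded, read_through_hook),
                verify(path, recorded, read_raw))


if __name__ == "__main__":
    on_infected_os, from_clean_boot = demo()
    print("check through the infected OS:", "PASS, infection missed" if on_infected_os else "FAIL")
    print("check from a clean boot      :", "PASS" if from_clean_boot else "FAIL, mismatch found")
```

The check that goes through the hooked read passes even though the disk image has grown by 4096 bytes; only the raw read from a clean boot sees the mismatch.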