VIRUS-L Digest Friday, 27 Apr 1990 Volume 3 : Issue 82 Today's Topics: Re: WDEF-A on Current-Contents-on-Diskette (Mac) Write-access to Executables New Virus? (PC) Re: Exposure in Formatter (was IBM VM/CMS, now UNIX) *really* fail-safe virus protection Anti-virus cleaning programs that are shareware (PC) Kennedy Virus Writable Executables Writable Executables Possible virus? (Mac) CMOS attackers (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 25 Apr 90 13:25:56 +0000 From: phillips Subject: Re: WDEF-A on Current-Contents-on-Diskette (Mac) TYO@MITWCCF.BITNET writes: > I just installed Life Sciences Issue 16 of Volume 33 (April 16, > 1990) of Current-Contents on Diskette for Apple Macintosh Plus, SE and > II. Upon installation, Gatekeeper Aid popped up and informed me that > it had discovered and removed WDEF-A virus. > > The diskette had just been removed from the (intact) mailing > envelope from the Institute for Scientific Information. Unfortunately, > I had forgotten to move the write-protect tab, so the evidence of > infection is gone. Naturally, I cannot conclude that the disk was > actually infected (as opposed to a glitch in my Gatekeeper Aid), but > if you subscribe to this information service, please use Issue 16 with > caution. > [stuff deleted] > > - --Mike Tyo, TYO@MITWCCF (BITNET) ISI just re-sent Issue 16 with Issue 17 this week, and threw in Disinfectant 1.6. They enclosed a letter warning users not to "load" the infected issue 16, explaining generally what WDEF is, and expressing their regrets. In the letter, ISI claims that they are 'making every effort to detect and prevent the spread of computer viruses.' Over the phone, tech support at ISI claimed that they availed themselves of the 'latest virus detection software.' Obviously, neither of those claims are true, and the fact that they are using an older version of Disinfectant makes it clear that they are not aggressively searching out tools to fight viruses. Further, the letter makes the mistake of warning users not to 'load' the issue (a process which involves decompressing the files and placing them in a folder) instead of warning users not to place the diskette in the drive at all, and leaves the impression that if you didn't go through the issue loading process, you would not be infected. So either they don't really know what they are talking about, or they don't care to make it clear to the people they have sent this virus to. Subscribers to the Current Contents on Diskette [Mac] service should use extreme caution when using their software. - --Mark Phillips (phillips@jhunix.UUCP) ------------------------------ Date: Wed, 25 Apr 90 14:38:13 -0000 From: "Pete Lucas" Subject: Write-access to Executables I followed the discussion about writable executables with interest: Am i missing something? It seems to me that *no* executables should be 'writable' by *any* program under normal circumstances.!.! Consider a simple program development cycle: Program source (readable and writable by its owner...) ! ! Compiler (a program with no write permission on itself) ! ! Object file (with no write permission...) ! Libraries ! (Libraries have no write-access either...) ! ! ! ! -------Linker (a program with no write permission on itself) ! ! Executable (an executable with no write access). Now when you make a change to the source, you recompile and re-link, and if you know what you are doing, *ERASE AND RECREATE* the executable module. It will probably be a different length in any case, so the file-system may have to do this to fit it in. If the resultant executable has no write access (but, for your sake i hope it has execute permission!) then you can be reasonably sure that if the source code is kosher, and the object/libraries are clean, then the resultant executable can be OK too. (There is always the danger that someone could, of course, write a bootleg, trojan-library or compiler that generated executables 'not quite' like what the source code intended.....) The risks arise when people have 'write-enabled' executables (so they can use SUPERZAP or some similar patching tool to hack the executable, and they leave the thing 'write enabled' afterwards. Viruses can then patch their way in later... OK i admit that such tools that patch the executable (and also things like UPDATE/MAKE mechanisms for source maintenance) can be damned useful at times, but as in all these things, a powerful tool can make a big mess very quickly! I hope that those of you involved in SOURCE CODE maintenance realise the risks! I could easily forsee a trojan 'make' file that added an extra few routines for its own nefarious purposes, and patched in wormholes for future subsequent malicious usages. Likewise for text-formatter input. (the .sy command also exists in IBM's SCRIPT, and, yes, it works!) Pete Lucas PJML@UK.AC.NERC-WALLINGFORD.IBMA 0793-411613 ------------------------------ Date: Wed, 25 Apr 90 11:40:00 -0400 From: Don Kazem Subject: New Virus? (PC) I received a call today from one of the local chain food stores about what could be a new virus. Since they have no connection to the network, I offered to post this. A user was running Lotus (by invoking 123.exe), and after a file retrieve, the virus was triggered. The following message was displayed: (The spelling errors are the same as they appeared). IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; : : : CONGRADULATIONS -- YOU HAVE JUST WON THE RAMDOM SELECTION : : : : AS A SPECIAL PRIZE YOU WILL RECEIVE ONE : : IMMMMMMM; : : : HARD : : : : : : : : DISK : : : : : : : : FORMAT: : : HMMMMMMM< : : STARTING NOW : : : : BREAK WILL NIT HELP! : HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM< Formatting drive: C Cylinder: 733 Head: 6 Sector: 25 Status: 0 WARNING: TURNING OFF COMPUTER MAY DAMAGE HEADS! After a while, the words "JUST KIDDING" appeared, and everything went back to normal. Although, it appeared as though there was no damage, they ran Wipedisk, and installed everything from the original disks. They ran SCAN61 both before and after reinstalling the software, and SCAN did not find anything. The have a backup of the hard disk, before they ran Wipedisk, and are willing to forward copies of their executables to researchers (lawyers permitting). Has anyone heard of this? Don Kazem National Academy of Sciences DKAZEM@NAS.BITNET DISCLAIMER: I am merely acting as a messenger, I have not seen the virus, nor have any connection with the infected party. ------------------------------ Date: 25 Apr 90 17:11:52 +0000 From: ras@sgfb.ssd.ray.com (Ralph A. Shaw) Subject: Re: Exposure in Formatter (was IBM VM/CMS, now UNIX) WHMurray@DOCKMASTER.NCSC.MIL writes: >>Viruses certainly ought to be possible under VM, using the Waterloo >>Script text formatter. This formatter has a .sy command that lets you >>execute VM/CMS commands while your text file is being formatted. It >>is handy for running EXECs to allocate files your document has to >>include text from, but it could easily be put to more sinister uses. Now that you mention it, there is a similar function in the UNIX text formatter nroff, whereby programs may be specified to be executed via the ".pi" request. This has existed back as far as '78, although I have never seen any uses of it, malicious or otherwise. It would be a totally unexpected source of mischief, but quite functional. ------------------------------ Date: Wed, 25 Apr 90 15:59:00 -0400 From: hobbit@pyrite.rutgers.edu (*Hobbit*) Subject: *really* fail-safe virus protection Finally someone else comes up with the *correct* solution! Stephan Joest and friends ... changed the keyboard key lock in that way that it now controls the writing electricity cables of one hard disk so that no writing operation can be done on this (bootable) hard disk. I.e. the write gate. This is an active-low line from the controller to the hard drive which when disabled "floats" high. Simply opening this line prevents any writes to the hard drive. I believe it's pin 6 of the larger ST506 interface; your disk may vary. If you install a switch, the extra wiring should probably be made as short as possible to avoid timing problems. This is the first thing I did when I bought my PC clone. The neat thing about this is that due to disk buffering you can write a file to the hard drive and MS-Dos thinks the file is really there until the next time you do a directory, a side effect of which is that the disk buffers get flushed. Note that since it's possible to confuse MS-Dos thusly, it is HIGHLY RECOMMENDED that before you do anything like "chkdsk" you reboot the machine and come up with clean buffers. So you can hand me the nastiest virus-ridden kracked-by-kaptain-k00l game disk and I can run it with impunity, because I have a write-protect switch *and* a hard-reset button. And you can bet that I use both when checking out any unknown software. Comments upon how this scheme could fail for any *one-time* run of infected software are solicited. _H* ------------------------------ Date: Wed, 25 Apr 90 16:30:43 -0400 From: Elizabeth Caruso Subject: Anti-virus cleaning programs that are shareware (PC) Can you inform me of good shareware products that clean IBM pc viruses? McAfee's Clean-up is too expensive for a university site license. Thank you! ------------------------------ Date: Wed, 25 Apr 90 00:00:00 -0500 From: "Richard Budd" Subject: Kennedy Virus A note to F. Skulason's 4/19/90 description of the Kennedy virus. There was a punk rock group out of San Francisco called the Dead Kennedys. Though their peak came around 1980, they still enjoy a cult following today. This may explain the type of person who dreamed up this virus but may also indicate it will probably show up in other countries as well. Richard Budd Marist College Poughkeepsie, NY KLUB@MARISTB ------------------------------ Date: Thu, 26 Apr 90 10:43:00 -0400 From: WHMurray@DOCKMASTER.NCSC.MIL Subject: Writable Executables Of course Aiken was at Harvard, not MIT. My apologies to fair Harvard (and those from MIT perverse enough to take offense). To the little boy from Louisiana who still resides in me, all those big Yankee schools look alike. William Hugh Murray, Executive Consultant, Information System Security 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL ------------------------------ Date: Thu, 26 Apr 90 11:33:00 -0400 From: WHMurray@DOCKMASTER.NCSC.MIL Subject: Writable Executables >What's an executable? > >Oh, something that the computer executes. You don't want programs to be able >to write into executable files. Sorry, it'll never happen. Agreed. >I'm sure, in fact, that given a little time I could infect your AS400 >(or whatever), at least with a REXX script (or equivalent). I concede. Nonetheless, it is interesting to note that a command language script on an AS/400 is a typed object. (I do not believe that the REXX interpreter for the AS/400 has been shipped yet.) >Yep. Command scripts. A fertile breeding ground for viruses. And how about >Postscript files? You want to turn off write permission on all your >fonts? All too true. William Hugh Murray, Executive Consultant, Information System Security 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL ------------------------------ Date: 26 Apr 90 17:00:31 +0000 From: cchui%pollux.usc.edu@usc.edu (Chung Chui) Subject: Possible virus? (Mac) This is for all you mac gurus (guri) out there. We havea mac se that is doing some strange things. When we are at the desktop opening a folder the name would be wipe out and if we are lucky enough to get to an application, such as MS-word it would not respond to the typing. Instead it would type repeated characters that it first acknowledges. I've tried using Virex 2.5 and other anti-viral applications on the harddisk but onthing showed up. Could someone please tell me what's going on. Thank you in advance. ------------------------------ Date: Thu, 26 Apr 90 22:48:00 -0400 From: <90_PENNYPAB@UNION.BITNET> Subject: CMOS attackers (PC) I just had a chat with the SYSOP of a local BBS here and he told me about a file that was recently uploaded to his system. All this information was provided to me from the SYSOP, so I haven't had the chance to verify it yet. This is what the SYSOP discovered: The file was archived with PKPAK or PKARC, and the resulting ARC file was modified in some way. This modification was designed to somehow attack a PC's CMOS memory when PKUNPAK was run on it. Of courese this would only happen on PC's with CMOS memory. The SYSOP discovered this by using a number of programs, including CHK4BOMB, on the archived file. He has already sent a copy of the program to a company (I forget the name) for analysis. Personally, I am a little skeptical about these claims. I admit that I don't know much about Phil Katz's archiving programs, but I would think that modifications to ARC files wouldn't make PKUNPAK suddenly start going after CMOS memory... I'll be getting a copy of this file in a few days however, and will be taking a look at it myself. If any of the "experts" (David Chess, John McAfee, etc.) would like to take a look at this thing I'll be more than glad to send out copies when I get it. Just e-mail me at one of the addresses below. Bruce Pennypacker 90_PENNY@UNION.BITNET 90_PENNYPAB@GAR.UNION.EDU ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253