VIRUS-L Digest Friday, 18 Jan 1991 Volume 4 : Issue 12 Today's Topics: Re: Stone-2 (PC) Comments on GAME2 (IBM VM/CMS) Virus X?? (Mac) Need OTS Virus package (UNIX) Stoned (and other boot viruses) & non-bootable floppies(PC) Re: Stoned (PC) Plans regarding F-PROT (PC) Eaters of Language: (WAS: (No) Viruses in Irak's EXOCET?) Need help w/ CMOS problem in PS/2 Model 70 (PC) SITELOCK Query - Disinfectant vs. Virex (Mac) Re: Stonned reoccurence of reformatted hard drive (PC) Re: possible macintosh virus (Mac) Possible Mac virus? Problems need an answer. (Mac) AU Virus Alert (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Wed, 16 Jan 91 13:07:43 -0800 >From: Tim Trimble Subject: Re: Stone-2 (PC) We have had the stone virus pop up here with one or two incidents but was able to catch it with the McAfee software. So the suggestion of the stone virus not being in the states yet can be considered false. - -- ============================================================= Timothy Trimble (Ashton-Tate 213-538-7625) timt@ashtate.a-t.com Unix 76306,1115 Compuserve ------------------------------ Date: Wed, 16 Jan 91 13:50:30 -0800 >From: "R N Hathhorn, VM Systems Support" Subject: Comments on GAME2 (IBM VM/CMS) I have made a preliminary analysis on GAME2 MODULE and have stored my comments on LISTSERV@PCCVM under the file GAME2 COMMENTS. Included in this file are several notes from other contributors from other lists. I will be adding to the COMMENTS file as more information is forwarded and/or found. The copy of the virus that I was given is 'broken' and my testing was therefore limited. A better (un-received) copy is needed to continue. Please remember that I am not an 'expert', 'authority', or 'guru' in these matters, I am still learning. All mailings to this list will automatically forwarded to VIRUS-L, hopefully this will not cause too much duplication. Any assistance and/or 'viral cracking' programs that you could give me would be greatly appreciated. R N Hathhorn, VM Systems Support | Portland Community College Computer Services Department | P. O. Box 19000 Sylvania Campus: CCB27c | 12000 S. W. 49th Ave. (503) 244-6111 ext. 4705 | Portland Oregon 97219 ------------------------------ Date: 17 Jan 91 01:41:32 +0000 >From: rxcjm@minyos.xx.rmit.OZ.AU (John Mazzocchi) Subject: Virus X?? (Mac) In a recent issue of the Australian Macintosh magazine "MacNews", it was announced that there was a new Mac virus called "Virus X". Apparently, every time you restart your mac, it deletes a file, going in backwards numerical order. Recommended procedure for finding out if you have the virus is to create a file called, say, "z", then reboot your mac. If the file's gone, you've got the virus. I haven't seen any similar symptoms mentioned before, so could this be a first for Australia? - -- + John Mazzocchi + "The mind is not a vessel to be filled, + + Melbourne, Victoria + but a fire to be lighted" - Plutarch + + Australia + + rxcjm@minyos.xx.rmit.oz.au + ------------------------------ Date: 16 Jan 91 21:46:37 +0000 >From: ssdc!jbasara@uunet.UU.NET (jim basara) Subject: Need OTS Virus package (UNIX) I would like to request recommendations for off-the-shelf packages which will prevent/isolate/monitor/etc. viruses on a Sun workstation under unix. thank you jim basara uunet!ssdc!jbasara ------------------------------ Date: Thu, 17 Jan 91 09:10:28 +0000 >From: Anthony Appleyard Subject: Stoned (and other boot viruses) & non-bootable floppies(PC) In reply to this message in Virus-L vol 4 #11:- ...................................................................... "Date: Tue, 15 Jan 91 10:48:25 -0600 >From: ROsman%ASS%SwRI05@D15VS178A.SPACE.SwRI.EDU Subject: STONED and NON-bootable floppies (PC) I learned something new about the STONED virus today. One of our users' PCs was infected by the STONED virus by attempting to boot from a NON-bootable diskette that was infected! All MS/DOS diskettes (bootable and non-bootable) have a sector reserved for the boot code (the boot sector). I was under the impression that the DOS boot code had to be present (bootable) in order for the STONED virus to move itself to the hard disk. This was an incorrect assumption." I understand from several Virus-L recent messages that PC 'non-bootable' floppies are actually bootable, and their boot sectors contain only a little program that merely prints out "This disk is not bootable". Thus Stoned etc can infect them same as any other PC floppy. {A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Thu, 17 Jan 91 09:03:52 GMT ------------------------------ Date: 17 Jan 91 10:09:35 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Stoned (PC) dave@tygra.ddmi.com (David Conrad) writes: >Many recent postings have made the point that the Stoned virus >overlays a sector in the FAT, thus causing damage to the file system. The original "Stoned" virus came in two variants. Both infect the Partition Boot Record - the first physical sector on the hard disk. The original PBR is stored on head 0, track 0 and either on sector 2 or sector 7. Those sectors are normally unused, but not always. In particular, if the hard disk is small, and formatted under DOS 2.x (even though it may now contain DOS 3.x), the first track will be in use. In some cases the DOS boot sector is located in sector 2, and will be overwritten, but the other variant of the virus may overwrite a part of the FAT - located at sector 7, which could, indeed, be restored from the other copy - provided you do the repair right after infection. On large hard disk, or disks formatted under DOS 3.x this is not a problem. - -frisk Fridrik Skulason University of Iceland | Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 | ------------------------------ Date: Thu, 17 Jan 91 11:20:31 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Plans regarding F-PROT (PC) I just wanted to inform readers of VIRUS-L/comp.virus of my plans for F-PROT. Version 1.14 will be distributed on Monday, Jan 21st. It is able to detect and remove over 70 new viruses (most of them recent viruses from Eastern Europe), which 1.13 could not handle. I will send out copies to the people on my mailing list, in the form of an xxencoded .ZIP file as I usually do. I will also send a copy to the moderator of comp.binaries.ibm.pc - hoping the program will appear there soon. >From now on a new version of the program may be expected once per month - I am leaving my job here at the University of Iceland and plan to work full-time on the viruses. At the same time I am cancelling some other plans, and announcing that I will continue to support and update the program for the next 24 months - but continued support after that will depend on the success of the product. Version 2.0, with a totally rewritten user-interface will be ready for beta-testing in the first week of February - are there any volunteers who would like to assist in the testing ? I have now decided to distribute it as previous versions, that is "freeware" for individual use, but "shareware" for companies/institutions, but I am not ruling out the possibility of an expanded, commercial version, though. - -frisk - -- Fridrik Skulason University of Iceland | Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 | ------------------------------ Date: 17 Jan 91 16:52:36 +0000 >From: vail@tegra.com (Johnathan Vail) Subject: Eaters of Language: (WAS: (No) Viruses in Irak's EXOCET?) > reports about "viruses in Hussein's rockets". According to dpa, > (unnamed) French computer scientists said: > > - manufacturers of war material usually implant, "for mere > commercial reasons", viruses in exported war electronics to > provoke, after some time, faults and "profitable repair > work"; Without specific comments about the cyberpunk musings of Iraqi weapons, is anyone else concerned about the usage of these terms? Specifically the tendancy of mostly non technical people to classify any intentional or unintentional bug and computer "nasty" as a virus? I see the terms defined more or less thus: Virus - A self replicating piece of code that is atached to another program or OS and that depends on that program running in order for it to be executed. This is what most of us reading here are familiar with. Worm - A self replicating program that is complete in itself. Usually replicating over a network. Morris's creation was the "Internet Worm". Trojan (Horse) - Code that included in a program that is intended to do something other than what the original program is supposed to do. Usually something bad. Magic Cookie - Code or feature put into a program intentionally by the programmer that is not part of the design. It is usually something harmless. Many instances of this in commercial software and the kind of thing that is alluded to in the post about military weapons. Another example is the 'xyzzy' command in DG's AOS operating system. "Discussion invited, flames discarded" ... jv "Frisbeetarianism is the belief that when you die, your soul goes up on the roof and gets stuck." -- button _____ | | Johnathan Vail | n1dxg@tegra.com |Tegra| (508) 663-7435 | N1DXG@448.625-(WorldNet) ----- jv@n1dxg.ampr.org {...sun!sunne ..uunet}!tegra!vail ------------------------------ Date: Thu, 17 Jan 91 17:17:32 +0000 >From: wright@cs.uiuc.edu (David Wright) Subject: Need help w/ CMOS problem in PS/2 Model 70 (PC) My apologies if this group is not appropriate, but I would like to solicit advice on a problem that may be a malicious attack: I am looking at a friend's PS/2 Model 70 that he reports has had problems including problems reading diskettes that appear to be fine in another machine (a laptop that I am keeping carefully isolated). Since the PS/2 has been exposed to physical, unmonitored access by outsiders, I suspect that the machine may have been tampered with. The SCAN program reports no viruses in the system, but the INFOPLUS program (on the CMOS page) reports that the CMOS checksum is incorrect; other anomalies on this page include a ridiculous system date and no hard disk reported. However, the system does boot off of the hard disk, and the DOS date command reports the correct date. My friend reports some unusual behavior reading and writing the hard disk, but I have been reluctant to test the system further. I seem to remember hearing of the possibility of altering the CMOS as a form of computer attack. Could someone enlighten me on this subject briefly, or alternately, point me to a reference? I have general technical background in PCs, but will need specific info on how to approach this problem. Any help would be greatly appreciated. - -David Wright wright@cs.uiuc.edu ------------------------------ Date: Thu, 17 Jan 91 16:06:53 -0500 >From: martha rapp Subject: SITELOCK Has anyone heard of SiteLock by Brightwork Development Inc.? It advertises itself as the following.. "Others can only fight yesterday's virus but Brightwork can protect you from yesterday's, today's and tomorrow's. " Any and all comments appreciated. Thanks Martha Rapp, BITNET: IMER400@INDYCMS; INTERNET: IMER400@INDYCMS.IUPUI.EDU ------------------------------ Date: Thu, 17 Jan 91 16:34:17 -0500 >From: Lee Ratzan Subject: Query - Disinfectant vs. Virex (Mac) There is some discussion here about the relative merits of Disinfectant 2.4 versus Virex 1.3 . Apart from issues of personal taste which supplies a greater range of protection? For example, is Virex effective against WDEF? Are there viri (a/k/a viruses) which are detected by one but not the other? (For the record D 2.4 is circa Fall 1990, V 1.3 is circa 1989). Any information would be most helpful! Lee Ratzan Univ of Medicine/Dentistry of NJ Rm S-B11/ Dpt IST 675 Hoes Lane Piscataway, NJ 08854 ------------------------------ Date: Thu, 17 Jan 91 17:55:42 -0600 >From: C09615SJ@WUVMD.BITNET Subject: Re: Stonned reoccurence of reformatted hard drive (PC) >From: "David.M.Chess" >Hm, interesting. The Stoned infects the master boot record >(synonymous with "partition table") on the first physical hard drive >(BIOS drive id "80" hex). In your case, that's the master boot record >on the 80Mb hard disk. The master boot record (and therefore the >partition table) are stored at the very bottom of the disk, lower than >any of the partitions (E F G and H). Ooops. Yes I found all this out after I sent the message. I am, unfortunately, BIOS illiterate. But the poliferation of viruses here at Washington University in St. Louis is forcing me to learn more every day. It was a "shoot from the hip" answer to very real effect which I outlined. >Did you test whether or not, after booting from a clean floppy and >then switching to E: and back to A:, the virus was actually *active* >(infecting new diskettes), as well as being in memory? My guess would No we did not. Oops again. [stuff deleted] >active virus from a "ghost" of the virus that just happens to be >sitting in a buffer somewhere, never running). The only way the usual >Stoned virus can get control is if it's present on the boot record or >the disk or diskette that the system is booted from. Ummmm... I'm not sure I understand what a "ghost" virus implies, we were never able to actually clean it off so I don't know how it could have become a "ghost". Also there was at least enough of it to set of McAfee's SCAN program. Jon Jon Spinner Washington University C09615SJ@WUVMD ------------------------------ Date: Fri, 18 Jan 91 06:40:25 +0000 >From: milton@ccu.umanitoba.ca (David A. Milton) Subject: Re: possible macintosh virus (Mac) >jade!brenda@jade.cpsc.ucalgary.ca (Brenda Barabash) writes: >>We are also experiencing problems with floppy disks appearing to be >>locked when they aren't. This is happening on both new disks and old >>disks. It's definitely got to be a virus. If anyone knows which one >>please let us know. It definately does NOT have to be a virus! Are you using Virus Blockade II? This nifty little utility automatically locks ALL disks, even after they have been formatted. It is also possible it to configure it to leave the hard disk unlocked. David A. Milton, University of Manitoba. ------------------------------ Date: Thu, 17 Jan 91 22:08:01 -0800 >From: asmith@questor.wimsey.bc.ca (Adam Smith) Subject: Possible Mac virus? Problems need an answer. (Mac) The directory of my hard disk keeps changing the information regarding how much space is allocated and how much is free. Symptoms include: copying a file to Hd from floppy, Hd indicates file is 1,700 k when original file is only 12k. My removable drive (45 meg) said 42,050 in disk, 69,750 free! We've been having problems with disk space disappearing as well. One drive looked full but when all files added up it should have had 25 meg free. I ran various utilities including Norton, Disinfectant 2.4., checked for invisible files (none). Can anyone shed some light on this phenomenon? Apple tech support does't admit a problem. These problems have occured on or llci, ll cx, and Fx. Also folders that won't delete. Only whenname is changed using resedit or similar utility. Don't know if the problmsare related or not. Runnig system 6.0.7 recommended by the great mother Apple. Follow-ups to comp.virus or mail to "asmith@questor.wimsey.bc.ca" please. And excuse the sig. ======================================================================== Adam Smith Genius - Graphic Artist - Bad Mood Guy The Chameleon Papers Vancouver, BC CANADA "I'd give my eyeteeth to have a Macintosh--unfortunately, due to Apple's pricing policies, that's not enough" ======================================================================== ------------------------------ Date: 17 Jan 91 18:55:36 +0000 >From: ron@augeas.cs.athabascau.ca (Ron Haukenfrers) Subject: AU Virus Alert (PC) The Joshi virus has been discovered on a PC at Athabasca University. So far it appears to have been contained to the local machine. Anyone who has had contact with the 386 in Lewis Varga's office, please check your system. A copy of virus scan software is available for this purpose. One of the known symptoms is the floppy drives will no longer read disks reporting that the disk has bad sectors. - -- Ron Haukenfrers ron@cs.athabascau.ca Academic Programmer/Analyst {alberta,cbmvax,mips}!atha!ron Athabasca University (403)675-6332 ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 12] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253