VIRUS-L Digest Friday, 20 Sep 1991 Volume 4 : Issue 167 Today's Topics: WARNING: Compuserve Virus Forum (PC) Re: Disinfectant and students (Mac) Re: Scanning LZEXE and PKLITE'd files (PC) Re: Mutant viruses (PC) Need Info on Integrity Shells Re: Possible Autocad virus (PC) Re: FAT Infection (PC) Re: Disinfectant and students (Mac) Omicron virus knowns the TOKEN? (PC) Re: Viruses and students SIMTEL20 task terminated FORM virus found (PC) Boot sequence (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Thu, 19 Sep 91 17:00:32 -0700 >From: karyn@cheetah.llnl.gov (Karyn Pichnarczyk) Subject: WARNING: Compuserve Virus Forum (PC) The following is a note found on the Compuserve Virus Forum. IMPORTANT NOTE - PLEASE READ On September 18, it was discovered that a file uploaded to the suspect file area of the Compuserve Virus Forum had been accidently unlocked and made available for downloading from the suspected file area. The file, MOUSE.COM, was uploaded by user 73750,2417 for analysis as a suspected infected file. It contained the Taiwan 4 virus and it clearly identified itself as containing a suspected virus during a download. Our records indicate that nine people downloaded the infected file before the oversight was noticed and corrected. While the library area containing this file clearly indicated that the enclosed files were suspect and that the library should be used for uploads only, we must assume that one or more of the downloaders may have downloaded in error and are unaware of the potential danger. Accordingly, we are urging all 9 people who downloaded this file to contact McAfee Associates for instructions or assistance. As a result of this error, we have decided to close down Library #0, the Suspect Virus upload library. Forum users may continue to submit suspected viruses for review through Compuserve Mail to Aryeh Goretsky (76702,1714) or Spencer Clark (76702,1713). This change will prevent this error from recurring. We regret any inconvenience caused by closing Library 0, and we further regret that anyone may have downloaded the infected file in error. For assistance or further questions, please contact McAfee Associates at (408) 988-3832 during office hours, or send email to the SysOps. end of Compuserve message - --------- I believe this virus is a fairly new virus, as only some virus detectors currently can locate it, and identify it as "Anticad" or as a Jerusalem variant. I'm still in the research mode on this. If anyone has any information, post it or send me mail. Karyn Pichnarczyk CIAC karyn@cheetah.llnl.gov 510-422-1779 (area code has changed from 415) *** Insert Standard Disclaimer Here *** ------------------------------ Date: Thu, 19 Sep 91 14:52:15 +0000 >From: geoffb@coos.dartmouth.edu (Geoff Bronner) Subject: Re: Disinfectant and students (Mac) LISSA@WHEATNMA.BITNET writes: >It has been my experience that, for as long as I have worked here, >that administrations of colleges try to keep the subject of viruses >low-key. They don't want to worry the students, and they don't want to >admit they have a problem. martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) writes: >Are there any Administrators reading this group, who can explain to me >the logic behind such administrative head-in-the-sandedness? Well, I'm not an administrator but I have been helping to implement anti-viral policy at Dartmouth and its related schools (Engines, Medicine, Business) for 4 years. Dartmouth has tried very hard to keep viruses in the public eye so that preventative measures do not fall by the way side. Disks distributed by the College always have Disinfectant INIT on them if they have a System Folder and the latest versions of PD/Shareware anti-viral packages are placed on all the fileservers on campus within hours of their release. Numerous clusters have dedicated scanning stations for user's disks... etc etc. But there is a difference between making an effort to educate users and simply scaring the hell out of them. Much of the hesitation involved in anti-viral efforts is intended to prevent misinformation and needless worry. Yes, we want the community here to be aware of computer viruses and take measures to eliminate them but it is too easy to cause major problems by letting people's imaginations run wild. (This is especially easy with Mac users who tend to be less computer-literate. Since we have about 8000 mac users here we have to tread carefully) I don't know what's up at your school but much of the hesitation I've seen here could be misinterpreted as an attempt at denial but in the end it is an attempt at responsible dissemination of information. Your mileage may vary... - -Geoff - -- geoffb@coos.Dartmouth.EDU Computing Support Technician, Amos Tuck School of Business Administration Cerebus For Dictator. "Vote For Me... OR ELSE!!!" ------------------------------ Date: Thu, 19 Sep 91 11:04:00 -0400 >From: Bob Babcock Subject: Re: Scanning LZEXE and PKLITE'd files (PC) >The dilemma really is that, for example, all PKLITE'd executables >cannot be expanded. Perhaps it wasn't such a hot idea to sell the >unexpandable compression version by PkWare. The "unexpandable" PKLite compression is actually quite easy to expand on a '386. Load the program into td386 (Turbo debugger), single step one instruction, set a hardware instruction fetch breakpoint at the entry address (cs:100), and run the program. The built-in decompressing code will expand the program, and you'll get a hardware breakpoint when the decompressor jumps to the actual program. (The entry address may vary; I've only seen a couple of examples of nonminally unexpandable files.) A scanner could use the same technique without the memory overhead of the debugger; the td386 technique is for examining a file which you have reason to suspect may be infected. I would think that a scanner could also extract the decompressing code from the executable, remove the jump to the expanded program, and use that to expand without executing. ------------------------------ Date: Thu, 19 Sep 91 19:11:02 +0300 >From: Tapio Keih{nen Subject: Re: Mutant viruses (PC) >>grdo@botik.yaroslavl.su writes: >> >>> At least two viruses wich can NOT be detected by scanning programs >>> (SCAN etc.) have been reported in USSR. These are mutant viruses. >> >One mutant virus is STARSHIP - it contains encrypted string >">STARSHIP_1<". It is both MBR and file infector. Uses 4th text video >page - so it doesn't work on PCs with monochrome. When an infected >program is being executed the virus just infects BOOT and doesn't >remain resident. It stays resident when an infected disk is booted. >Infects .EXE and .COM files being copied to floppy. This way of infecting sounds quite similar as infection mechanism in Tequila virus - maybe it is a modified variant of it? >Another one is TEQUILA. Also MBR/file infector. Contains encrypted >strings "Welcome to T.TEQUILA's latest production", "Contact >T.TEQUILA/P.o.Box 543/6312 St'hausen/Switzerland", "Loving thoughts to >L.I.N.D.A.", "BEER and TEQUILA forever!", "Execute: mov ax, FE03 / int >21. Key to go on!". Infects .COM and .EXE when executed. This one is known amongst the virus researchers. At least Scanv80+ and F-Prot 2.00 detects it. If you have those scanners and they don't pick this virus up, you probably have a new variant of it. If this is the case, I suggest you send it to some well-known virus researchers. BTW, the authors of Tequila are known to Swiss police and most likely they've written the Flip virus too. - -- Tapio Keih{nen | tapio@nic.funet.fi | DIO COMES - ARE YOU READY TO ROCK? Disclaimer: This posting has nothing to do with nic.funet.fi archive server. ------------------------------ Date: 19 Sep 91 12:22:46 -0400 >From: Steve Albrecht <70033.1271@CompuServe.COM> Subject: Need Info on Integrity Shells In his article "A Cost Analysis of Typical Computer Viruses and Defenses", Dr. Fred Cohen speaks of "integrity shells...command interpreters that look for changes in interpreted information before interpreting it". What commercial products, shareware, or public domain software falls into this category? I know of plenty of products which fall into Dr. Cohen's other three categories (scanners, monitors, and cryptographic checksums), but cannot locate an "integrity shell". Any help to my email address would be appreciated. I will be happy to post a summary of responses back to the group. Steve Albrecht 70033,1271@compuserve.com ------------------------------ Date: Thu, 19 Sep 91 16:11:37 +0300 >From: grdo@botik.yaroslavl.su (Gryaznov Dmitry O.) Subject: Re: Possible Autocad virus (PC) Bob Brown wrote: >Date: Tue, 10 Sep 91 12:50:05 -0600 >Subject: Possible Autocad virus (PC) > >Has anyone heard of a virus that infects Autocad and pops up an alien >who moves his mouth for appr. 1 second and then dissappears? We tried >using scanv80 and IBM's virscan, but neither could find an infection. >Has anyone else seen this or have ideas? And then: >Date: Wed, 18 Sep 91 12:28:54 -0600 >Subject: autocad non-virus (PC) > >We have since discovered that we did not have a virus. There was a >program in the root directory that was called by the autoexec.bat. >The program is a TSR that pops up the alien every 5 minutes or so. >This was clearly an act of vandalism, but was not a virus. I >apologize for the scare and appreciate your help and interest. Thank >you Glad for you! There is a virus named JOKER-01 with a visual effect similar to what you wrote about. The virus intercepts hardware keyboard interrupt (INT 09) and triggers each 500 keys pressed/depressed. A funny human-like face appears, swings its tongue several times and then disappears, restoring previous screen. This virus infects .COM and .EXE files but it doesn't touch files larger than 6795 bytes since it converts .EXE to .COM and his own length is 29233 (!!!). As far as I know, AUTOCAD is a little bit longer... There are also several anti-Autocad viruses (TAIWAN, INVADER, PLASTIQUE) from so-called TAIWAN family - a futher development of well-known JERUSALEM virus. The author of these viruses seems to hate Autocad. If one tries to run a file named ACAD.EXE a virus triggers and tries to overwrite all the info on all floppy and hard disks. Some versions also destroy the CMOS contents. I didn't reply at once since I was confused you mentioned both Autocad and "moving mouth". Maybe somebody placed a demo of the JOKER virus at your PC. - -- Sincerely, Dmitry O. Gryaznov E-mail: grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su Phones: office: (08535)-2-1731, (08535)-2-0715 home:(08535)-2-1465 ------------------------------ Date: Thu, 19 Sep 91 16:58:53 +0300 >From: grdo@botik.yaroslavl.su (Gryaznov Dmitry O.) Subject: Re: FAT Infection (PC) moore@iastate.edu (Brian J Moore) writes: >bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > >>HTORRES@HELENA.HQ.NASA.GOV writes: >>> ..... >>> known but I have not heard about a FAT virus. If this is true, will it >>> infect the two FATs what a re thepossibilities of losing the index. > >>If it overwrites only the first FAT copy, you won't lose anything... >>and you probably won't even notice that something nasty has happened. > >Running CHKDSK will tell you if the FATs don't match... > ... if a virus doesn't use stealth technique. And it must or it'll be overwritten due to file creation/modifying/deleting. "Nick FitzGerald" writes: >In VIRUS-L Digest V4 #162, bontchev@fbihh.informatik.uni-hamburg.de >(Vesselin Bontchev) wrote: >> >> ..... >> >>Note however, that it won't help if a virus has been especially >>designed to hide in the first FAT copy - you'll need probably a >>specific disinfector. > > ... > >Aha - light bulb flashes in the minds eye ... > >Yes of course, because it would have to use some good (as in "well- >implemented") stealth techniques (but wouldn't it then be slightly >simpler to implement using FAT2 as the hiding place instaed of FAT1?). No, it wouldn't. FAT2 is also a subject to be modified by DOS. So, a virus using any of FATs for its own purposes, MUST be stealth. Such a virus shouldn't just save a copy of occupied FAT somewhere else - - where? - this will cause the original problem of saving an original BOOT. We decided virus would save it in FAT - and where to save the FAT? So a virus must show another, not occupied by it, copy of FAT each time its FAT is required. (I hope our discussion will not serve as a guide for virus-writers... Once again, let us consider founding a special teleconference with a restricted access for discussing such things.) - -- Sincerely, Dmitry O. Gryaznov E-mail: grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su Phones: office: (08535)-2-1731, (08535)-2-0715 home:(08535)-2-1465 ------------------------------ Date: Thu, 19 Sep 91 13:08:58 -0400 >From: Christopher Tate Subject: Re: Disinfectant and students (Mac) Not ALL universities are turning a blind eye to the virus problem. Here at Penn State, we've been virus-checking every startup disk used in the labs every time it is used. We've been doing this for over a year now. We also run the Disinfectant INIT on all startup disks. We haven't had a real virus problem since WDEF first appeared, and none of the virus tools of the day could deal with it. Sure, it takes a few seconds to run each startup floppy through Disinfectant, but what else are the lab attendants going to do all day? :-) - ------- Christopher Tate | "Go directly -- see what she's doing, and | tell her she mustn't." cxt105@psuvm.psu.edu | cxt105@psuvm.bitnet | -- "Punch," 1872 ------------------------------ Date: Thu, 19 Sep 91 15:32:00 -0500 >From: RONNIE@ECUAFUN.BITNET Subject: Omicron virus knowns the TOKEN? (PC) A few days ago, an experimental network at our projects department was infected by the Omicron virus, the attack was detected, controlled an terminated using CPAV (Central Point Anti-Virus, an excellent product), the network is a Token-R ing LAN based on OS/2 v1.3 and stations running DOS v5.0. The CPAV claims that the virus uses stealth techniques, self-encription, and self-modifiying code, I want to Known if anybody out there has an answer for the following questions: 1)-Does the Omicron virus knowns the Token?, can he capture a token, put a dest ination address, insert himself on the token, an travel trough the network? 2)-What it means "Self-modifiying code", a MUTANT virus?, a mutation engine? 3)-Can the Omicron PT virus affect a network drive created by LAN Manager? During the attack, some applications were destroyed, it seems that the virus ca n affect data an .OVL files, but some stations that were not infected (we check it), and did not perform a "net logon" operation, were infected after, those s tations were running DLR (DOS LAN Requester), and de NET.COM program, was found infected in all the stations. If anybody has ideas, please reply ASAP. Thanks in advance ------------------------------ Date: Thu, 19 Sep 91 14:39:48 -0400 >From: "Sue Hay (tm)" Subject: Re: Viruses and students I just want to reassure people that this head-in-the-sand approach is not everywhere. Here at Brown we actively disseminate virus information and Disinfectant (thanks, John!) any route we can. We periodically print art- icles in our newsletter, we distribute Disinfectant in various ways (in- cluding making it available electronically on our mainframe and public file servers, delivering it to departments, and handing it out in our student labs), we run a Disinfecting station where students can simply insert disks to be checked, we post Disinfectant update announcements on our electronic bulletin board, we refer to Disinfectant in our Mac classes, etc... I think we're doing our best to educate our users and protect them. Susan Hay User Services Consultant/Analyst Computing & Information Services Brown University bitnet: suehay@brownvm internet: Susan_Hay@brown.edu ------------------------------ Date: 17 Sep 91 21:24:41 +0000 >From: w8sdz@rigel.acs.oakland.edu (Keith Petersen) Subject: SIMTEL20 task terminated My task of maintaining the WSMR-SIMTEL20.ARMY.MIL archives will be terminated effective September 30, 1991 because there is no funding for it in the fiscal year 1992 budget which begins on October 1st. There will be no one to catalog the MS-DOS, CP/M and MISC repositories or to accept and review new files. My last work day was yesterday because I am on vacation until the end of the month. I am now actively seeking new permanent employment. Questions about the SIMTEL20 archives should be directed to Action@WSMR-SIMTEL20.ARMY.MIL. [Ed. It was with great sadness that I read this note. Keith's services in maintaining various SIMTEL20 repositories have been enormously valuable over the years.] Keith - -- Keith Petersen Maintainer of the MSDOS, MISC and CP/M archives at SIMTEL20 [192.88.110.20] Internet: w8sdz@WSMR-SIMTEL20.Army.Mil or w8sdz@vela.acs.oakland.edu Uucp: uunet!umich!vela!w8sdz BITNET: w8sdz@OAKLAND ------------------------------ Date: Fri, 20 Sep 91 14:43:00 +0100 >From: "Olivier M.J. Crepin-Leblond" Subject: FORM virus found (PC) Someone here has managed to get his 3 1/2 floppy infected with a virus detected as being the FORM virus by McAfee's SCAN. It infects the boot sector. The effect of the virus was particularly "exotic": "when the virus is in memory, execution of a DIR command will turn the screen letters to bright white, and flash the background grey/black at a rate of 1/2 Hz." The virus was killed by saving the files on another disk and reformatting the infected floppy. What I'd like to know is if there's a tidier way of killing it. McAfee's CLEAN reported that the virus could not be removed safely. Any suggestions appreciated. On another note, I'd like to get an up-to-date copy of Patricia Hoffman's VSUM paper. Mine dates from Sept. 1990 ! Could someone indicate a source for me, or email it (after prior agreement - I don't want 10 copies of the same paper !) ? Thanks - Olivier M.J. Crepin-Leblond, Electrical and Electronic Engineering Dept. Imperial College of Science, Technology and Medicine, London, UK. ------------------------------ Date: Wed, 18 Sep 91 13:44:11 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Boot sequence (PC) FUNBOT2.CVP 910918 Boot sequence In order to point out the areas of possible viral program attack, it is helpful to outline the sequence of operations in the boot process. When the machine is first powered up, there is a certain amount of programming contained in boot ROM. The amount of this varies greatly between different types of machines, but basically describes the most central devices, such as the screen and keyboard, and "points" to the disk drives. A very basic location on the disk is addressed for further information. This is the generic "boot sector"; as mentioned in the last column, on MS-DOS hard disks it is the partition boot record that is accessed first. The boot record or sector contains further information about the structure of the disk. It, or a subsequent linked sector, also describes the location of further operating system files. This description is in the form of a program, rather than simply data. Because this outline is in the form of a program, and because this sector is "writable", in order to allow for different structures, the boot record or sector is vulnerable to attack or change. Boot sector infecting programs may overwrite either the boot record or the boot sector, and may or may not move the original boot sector or record to another location on disk. The repositioning of the original sector's program allows the viral program to "pretend" that everything is as it was. This pretence is not absolute. A computer with an active viral program resident will, of necessity, be different in some way from the normal environment. The original sector position will, of course, have different information in it. The viral program will need to "hook" certain vectors for its own use in order to monitor activity within the computer and in order to function. The viral program will have to occupy a certain portion of memory, and may be identified by a memory map, or, in the case of the Stoned virus, may try to hide by "telling" the computer that it has less memory than is actually the case. These tell-tale indicators are not absolute. There may be various reasons why the "top of memory" marker is set to less than 640K. Each different type of disk drive, and each drive of the same type which is partitioned differently, will have a different boot record. As operating systems or versions change, so will the boot sector. Therefore, the environment of newly booted machines cannot, in isolation, be examined and said to be infected or free from infection. It is possible, however, to compare any machine with itself in a "known clean" state. By saving information on the environment after a minimal clean boot, and comparing this with subsequent boots, changes can be detected, and the user alerted to a potential problem. Since a boot sector infector can only infect a machine if the machine is booted from an infected disk, it is also possible to replace the boot record with a non-standard one, in order to prevent access to the hard disk unless booted from the hard disk. copyright Robert M. Slade, 1991 FUNBOT2.CVP 910918 ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into CyberStore | turn it on." User (Datapac 3020 8530 1030)| Richards' 2d Law Security Canada V7K 2G6 | of Data Security ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 167] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253