VIRUS-L Digest   Monday, 21 Oct 1991    Volume 4 : Issue 195

Today's Topics:

Administrivia
Re: is vshield working? (PC)
Miles 1986 (PC)
Re: Virus on Mac (Mac)
Format problem (PC)
Seeking Info on stoned virus (PC)
Disinfectant 2.x (Mac)
Re: Variations
Form virus (PC)
SF virus - "When Harlie Was One"
Help wanted (PC)
Re: SF Worms/Viruses (Re: HW not a solution)
Re: Computer "Anomalies" in books
Anti-Viral Techniques for Networks
Re: More hardware!
Re: Computer Anomalies in books
Stoned (Michelangelo) infection (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 21 Oct 91 11:02:03 -0400
From:    Kenneth R. van Wyk
Subject: Administrivia

I'm going to be traveling this week, but I should have some limited
e-mail access from time to time, so I will *try* to send a couple
VIRUS-Ls out.  Otherwise, see y'all next week.

Cheers,

Ken

Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
krvw@CERT.SEI.CMU.EDU
(412) 268-7090  (CERT 24 hour hotline)

------------------------------

Date:    Thu, 17 Oct 91 19:28:40 +0000
From:    phlux@athena.mit.edu (Peter H. Lemieux)
Subject: Re: is vshield working? (PC)

Hmm...
Did the student try to boot the machine from the floppy, or run a
program on the floppy?  If the floppy had only data and no programs,
how would vshield know that Stoned was there?  On a Macintosh,
Disinfectant knows to scan every diskette because of the motor drive,
but on a DOS machine I don't understand how VSHIELD would know to
examine the diskette.

Peter H. Lemieux
Dept of Political Science
MIT, Cambridge, MA 02139
phlux@athena.mit.edu

------------------------------

Date:    Thu, 17 Oct 91 16:21:01 -0400
From:    Libbie Counselman
Subject: Miles 1986 (PC)

Does anyone have any information about the Miles 1986 virus?  I have
received this question third-hand, and at this time I do not even know
what type of machine is infected.  However, my sources believe it is a
PC or PC-clone.

-Libbie Counselman
 Princeton University

------------------------------

Date:    Thu, 17 Oct 91 15:56:01 -1812
From:    dave@gergo.tamu.edu (Dave Martin)
Subject: Re: Virus on Mac (Mac)

zaremba@ux1.cso.uiuc.edu writes:

>[nVIR] (like most Mac viruses) are wimpy...

Hey, don't encourage anyone.  I happen to prefer the fact that Mac
viruses are far less destructive than most MS-DOS-based viruses,
whatever the reason.  I'd much rather have a "hefty" machine with wimpy
viruses than vice versa.

I have always wondered something about nVIR, though, which someone may
have an explanation for.  A few years back - when I first "acquired"
the responsibility for our Mac network here - we had a brief attack of
nVIR on one Mac (yes, only one, amazingly enough).  I booted from a
clean, locked System floppy and used ResEdit to clean out the nVIR
resources and correct the CODE resources.  I copied rather than cut or
cleared the nVIR resources so I could move them to a separate disk to
examine them later.  Immediately an alert popped up saying that it
couldn't write to the System file (disk locked).  It seems that simply
copying the nVIR resources was enough to activate it.
Anyone know if this is possible (copy enabling code execution)?  Now
remember this was a couple of years ago, so I can't recall everything
that occurred, but I'm still curious as to whether that was enough to
get nVIR to try and spread.

- Dave Martin - TAMU/GERG - DAVE@GERGO.TAMU.EDU - BROOKS@TAMVXOCN.BITNET -

------------------------------

Date:    Thu, 17 Oct 91 18:54:46 -0300
From:    bulger@ug.cs.dal.ca (Fred Bulger)
Subject: Format problem (PC)

I am having a problem formatting disks in my b: drive.  It is a 1.44 M
3.5 floppy, but I am not able to format it to 720K; that is, when I try
to format a double density disk as such:

    format b:/f:720

it says that the parameters are incompatible.  This worries me because
when I type format b: , the system says "Formatting disk at 1.2 M".
Obviously, in the case of a 1.44 M drive, when size is not specified it
should attempt to format to its maximum capacity.  Incidentally, I am
able to format a DD disk at 360K, which makes me think that the system
has my B drive confused with my A drive (1.2 M) - at least from a
command line viewpoint.  At first I thought I had forgotten how to
format (it's been a while) but I looked it up and I was doing it
properly according to DOS 4.01.

Then I had another problem at the same time - I booted up my computer
and it said "ERROR - Run CMOS Setup" - so I did, and noticed that
somehow my hard drive was listed as "not installed".  I fixed that up
no problem, but it made me think that I had become infected with a
virus.  From there I decided to do a virus scan, using scanv84.exe - no
viruses found.  So I resorted to reinstalling DOS, and the formatting
problem still persists.

Is there a virus which meets my description?  Or is there some other
possibility which I am overlooking?  Any suggestions are GREATLY
appreciated.

Thanks ....
-Fred.

------------------------------

Date:    Thu, 17 Oct 91 21:42:20 +0000
From:    casey!casey!casey!annes@uunet.uu.net (Anne L. Scism)
Subject: Seeking Info on stoned virus (PC)

If anyone has information on how the stoned virus works, where it
lives, how it finds its home on a PC, I would be grateful for any
information you could pass on to me.

Thanks for your help!

Anne
email casey!annes@uunet.uu.neti

------------------------------

Date:    Thu, 17 Oct 91 17:12:42 -0400
From:    RAY
Subject: Disinfectant 2.x (Mac)

I have Disinfectant 2.4.  I have not installed System 7 yet.  Is 2.4
compatible with System 7?  If not, can someone send me the latest
release of Disinfectant!

===============================================================
Ray Drake                          ACRAY@ECUVM1.BITNET
Microcomputer Consultant           (919)757-6401
East Carolina University
Greenville, NC 27858
===============================================================

------------------------------

Date:    Thu, 17 Oct 91 17:23:14 -0400
From:    davidsen@crdos1.crd.ge.com
Subject: Re: Variations

turtle@darkside.com (Fred Waller) writes:

| Yes, a single virus would be unwieldy.  But should we expect that?
| Shouldn't we rather expect the prompt appearance of many viruses,
| each one capable of attacking one of those systems?  The net result
| would be similar to having one virus capable of attacking all of them.
| Worse actually, since it would require many times the effort to guard
| against.

I think not.  The reason a PC virus can spread is that it attacks a
feature common to all machines.  By having a set of environments the
virus is less likely to come in contact with a viable host.  In disease
terms, if you vaccinate enough people so that an infected person is
unlikely to come in contact with a vulnerable person, the disease will
die.  You don't have to protect everyone.

--
bill davidsen (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen)
  GE Corp R&D Center, Information Systems Operation, tech support group
  Moderator comp.binaries.ibm.pc and 386-users digest.
"Stupidity, like virtue, is its own reward" -me ------------------------------ Date: Fri, 18 Oct 91 09:47:27 +0700 >From: "Espen Lyngaas (Dr. Outtasight)" Subject: Form virus (PC) I discovered something strange the other day when removing the "Form" virus from 60+ machines in our PC labs. I was using the McAffe SCAN/CLEAN V84 booting from a clean DOS diskette. I manage to remove the virus from all machines except two. I found out that these two machines had been booted from a infected diskette. I SCANned the diskette and found a Form virus. The two machines did not have a Form virus, but Stoned, Stoned II and Stoned Related virus (that's what SCAN told me) But the strange thing is that it was active in MEMORY even when I booted the machine from a clean dos diskette| Stranger than truth.. (Except that it's true..) So what I did was to infect a clean machine by booting it from a diskette with a Form virus. Usually, if you boot a machine from a dos disk, it blinks the hard drive led checking/reading something. This time I did not manage to boot it, and I removed the diskette (knowing that the virus had jumped over to the hard drive). I then CLEAN'ed the hard drive booting from a clean dos diskette, but this didn't work. CLEAN stopped with a fatal message, namely that three versions of the Stoned virus was present in memory. Phew. So what I was wondering was does the Form virus "unpack" itself to a Stoned look-a-like virus in some cases ? Espen Lyngaas Systems Consultant Norwegain School of Managment, Computer Center ------------------------------ Date: Fri, 18 Oct 91 08:36:57 -0400 >From: dab@moxie.Oswego.EDU (David Alan Bozak) Subject: SF virus - "When Harlie Was One" I don't recall where I found this information, but the book by David Gerrold, was based on combining and expanding his short stories. 
Only a subplot in the book dealt with a scheme where a program called
VIRUS was created which randomly dialed the phone till it found a
computer, then broke in and infected it with a copy of VIRUS, slowing
the computer down until it was unusable.  The inventor had plans to
market a program called VACCINE, to cure the virus.  The problem was
that VIRUS mutated during transmission due to phone line noise and
VACCINE was no longer effective.  Interestingly, only the 1st edition
(Ballantine Books, 1972) had this subplot.

-dab

         /\          David Alan Bozak, Computer Science Department
        /  \         SUNY Oswego, Oswego, NY 13126   (315) 341-2347
  _____/____\_____   Internet: dab@moxie.oswego.edu
      /  /  \  \         or dab%moxie.oswego.edu@nisc.nyser.net
     /____/  \____\  UUCP: {cornell!devvax,rutgers!sunybcs}!oswego!moxie!dab

------------------------------

Date:    Fri, 18 Oct 91 14:25:44 +0100
From:    cantera@dit.upm.es (Antonio Ruiz Cantera)
Subject: Help wanted (PC)

A friend of mine has got a virus, PROBABLY from garbo.uwasa.fi, inside
the program HYDK421.ZIP.  Please, may anybody from garbo check if this
program is infected?

Characteristics of this virus:

- It's not detected by McAfee's SCAN82 and CLEAN82.  It's only possible
  to detect it when a write-protection TSR program is active, like
  TSAFE from TNTVIRUS (Carmel).  This antivirus reports the Brain/Ashar
  virus.
- It infects the hard drive: boot, partition table and FAT.  The virus
  is installed in the FAT; it's impossible to edit the part of the FAT
  where the virus is stored.
- It intercepts the hard drive write interrupt.
- It infects EXE programs without changing their size.
- The virus is loaded into memory even though the computer is booted
  with a clean floppy.  This is the reason for supposing that it's in
  the partition table.
- After a low-level format of the hard drive (with FXPREP), the virus
  continues in the hard drive.

The computer is a 386/25 with two hard drives (40 and 120 Mb), and DOS 5.0.
(The two hard drives are infected.)

Suggestions will be welcome.  Thanks in advance.

Antonio Ruiz
Polytechnic University of Madrid (Spain)
e-mail: cantera@dit.upm.es

------------------------------

Date:    Fri, 18 Oct 91 09:41:36 -0500
From:    smith@SCTC.COM (Rick Smith)
Subject: Re: SF Worms/Viruses (Re: HW not a solution)

>I wrote:
>|.... There's "Adolescence of P1" (a Morris-like worm) which I
>|read in the mid-late 70s, but I don't remember the author.

and gary@sci34hub.sci.com (Gary Heston) writes:

>... I have it and "The Adolescence of
>P1" at home; I'll check on it.  I don't know if I would quite classify
>"P1" as a virus; more of a haywire AI project.

Pardon me while I clarify my use of terms.  I said "worm" instead of
"virus" assuming that a virus spreads infection via shared storage
media and a worm spreads via network connections.  Clearly, there are
cases that combine both (i.e. spreading via network-mounted media like
AppleShare or TOPS).

As I recall, P1 would enter a computer over a phone connection, infect
the operating system, and then propagate itself via phone connections
to other computers.  The author had some stuff about P1 "learning" how
to infect an operating system once it was inside, but infection clearly
spread in a worm-like manner.  I think the author added the stuff about
"AI" because he didn't know how feasible such an infection might
become.  This follows the popular fictional device of using the "AI"
label on things that are otherwise hard to explain technically.

Rick.
smith@sctc.com   Arden Hills, Minnesota.

------------------------------

Date:    Fri, 18 Oct 91 09:59:47 -0500
From:    smith@SCTC.COM (Rick Smith)
Subject: Re: Computer "Anomalies" in books

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:

>While "Shockwave Rider", "When Harlie was 1", and "The Adolescence of P1"
>were all works treating self aware computers and worms, the earliest
>reference I know of computers (programs) taking over other computers
>goes back to Heinlein's "The Moon is a Harsh Mistress" ...

I think Mycroft Holmes/Adam Selene represent a different situation.
There was no "taking over" involved, really.  Mike was installed as
"the computer in charge" of the local computer complex and there wasn't
any "infection" involved.  You could say the system just didn't operate
exactly as the designers intended (making jokes wasn't part of the
original spec, I suppose).  Mike's unusual behavior is more of an
intrinsic "bug" or "feature," sort of like the homicidal behavior of
HAL 9000.

One might be able to make a similar argument about HARLIE.  I don't
remember offhand whether he found his way into computers outside his
company.  He was clearly authorized to take control of stuff inside the
company and he exploited this to the limit.  I remember he surprised
people with the extent of his control, but I don't know whether he ever
really exceeded his authority.

Rick.
smith@sctc.com   Arden Hills, Minnesota

------------------------------

Date:    Fri, 18 Oct 91 12:14:27 -0400
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Anti-Viral Techniques for Networks

There is one major missing link to the anti-viral authentication method
with most of the current commercial products.  The problem has been
mentioned a few times as concerned users have asked "How do I know that
xxxx is working without trying to infect myself?"

The same question holds true for networks: "How does the server know
that xxxx is working on the client?"

The answer is simple, but it is going to be up to the vendors to
implement it (I have mentioned it to McAfee, Enigma-Logic, and
Leprechaun already simply because I happened to speak to them after
thinking of it).
What we need is a simple algorithmic method to verify that the
antiviral product is actually resident, its configuration, and the
version number.  This does not have to be complicated: a simple .COM
file stored on the server and invoked with the login script can
interrogate the system for residency, perform a checksum that will also
validate the version number (which can be returned as an errorlevel),
and set an environmental variable to reflect the installed
configuration (invoking command line switches would be adequate).

I use a rudimentary form of this to do similar checking of DiskSecure
from a server, so it can be done relatively easily; how would be up to
the vendors.  However, I would suggest that this matter be discussed at
the vendors' meeting in Washington next month (doubt that I will be
able to go).

The key here is to tame the network and make it start working for its
own defense rather than the traditional method of relying on the
clients.  Is it a perfect defense?  No, but a whole lot better than
what we have now.  It might even be *enough*.

Cooly (way down to the low sixties),
                                        Padgett

------------------------------

Date:    Fri, 18 Oct 91 17:31:31 +0000
From:    tee@bullet.ecf.toronto.edu (TEE LUNS)
Subject: Re: More hardware!

CHESS@YKTVMV.BITNET (David.M.Chess) writes:

>From: turtle@darkside.com (Fred Waller)

>is, there are both hardware and software solutions that can completely
>protect any given machine against the Stoned.  And they've both failed
>(in the global sense) for the same reason: not enough people are using
>them.

>P.S. The 1813 (Jerusalem) is still up there near the Stoned;
>     I think we'd have to stop both of them before we could
>     claim to have the great majority!  *8)

The catch with hardware is that it costs more money than some people
may be willing to pay.  An idea I've been toying with lately has been
to write a dummy partition table which Stoned will recognize as being
itself.  This would defer infection.
For $5 a shot, do you think anybody would go for it?

I just got my hands on a copy of Jerusalem strain B.  Perhaps a similar
fix would be possible for this.

------------------------------

Date:    Fri, 18 Oct 91 16:17:44 -0400
From:    "Darryl O. (Doc) Cottle"
Subject: Re: Computer Anomalies in books

As a long time SF fan (fiend) I've been following this discussion with
great interest!  When Shockwave Rider got mentioned re virus (and long
before I subscribed to this network) I went out, found it, and read it
with great interest.  When "When Harlie Was One" was mentioned,
same-o-same, and enjoyed them both.  Now I need to find The Adolescence
of P-1.  I'd been aware of The Moon is a Harsh Mistress since HS (class
of '64) so I enjoyed Padgett's little piece on it.

No one yet has mentioned what was probably the most terrifying set of
books about computers run amok that I've ever seen - D. F. Jones -
"Colossus", "The Fall of Colossus", and "Colossus and the Crab."  For
those who may've seen the movie based on the first one, it pales in
comparison to the book.

I've been watching my PCs like a hawk for anomalous behavior!  They
_do_ seem to develop a personality after a while.  I call both of them
"Harvey."  Any Jimmy Stewart fans will understand why!

Doc Cottle
U. of KY

ps  The only viral type infection this subscriber has experienced was
"stoned" so I now boot from a write protected floppy if I've read _any_
"strange" diskettes.

+- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -+
| Darryl O. (DOC) Cottle       | Looking for  |"I don't know what I'm doin'! |
| Ag. Econ./Univ of KY         | "Viri" and   | If I ever DO figure it out,  |
| Bitnet DOCOTTLE@UKCC.BITNET  | I hope I     | I'll prob'ly go hide!!"      |
| E-Mail DOCOTTLE@UKCC.UKY.EDU | don't find'm!|    "Brother" Dave Gardner    |
|- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -|
|    Greetings from Lexington, Kentucky, "in the heart of the Bluegrass"    |
+- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -+

------------------------------

Date:    Fri, 18 Oct 91 16:08:51 -0700
From:    a_rubin@dsg4.dse.beckman.com (arthur rubin)
Subject: Stoned (Michelangelo) infection (PC)

I have a problem here.  A newly installed hard disk was infected with a
Stoned variant.  _My_ machine is fine.  How do I convince the
administrators here that this is a __serious__ problem and that most of
the inhouse (and possibly some of the customer) machines should be
scanned and disinfected?

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 195]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
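A worked version of the server-side residency/version check that Padgett Peterson proposes in "Anti-Viral Techniques for Networks" above. This is an added example, not code from the digest or from any of the vendors it names. The resident module name (AVRES), its release images, the errorlevel convention (version number on success, 0 for not resident, 255 for an image that checksums to no known release) and the AVVER/AVCONF variables are all assumptions made for the example, and the "memory" the checker interrogates is a constructed dict standing in for the interrupt or memory probe a real .COM would make.

```python
import sys
import zlib

# Constructed reference copies of each release of the resident module
# ("AVRES" is a made-up name).  On a real server these would be the
# vendor's shipped binaries; the checksum table is derived from them.
RELEASE_IMAGES = {
    83: b"AVRES v83: int 13h/21h hooks, scan on open, boot sector check",
    84: b"AVRES v84: int 13h/21h hooks, scan on open+exec, boot sector check",
}
CHECKSUMS = {zlib.crc32(img) & 0xFFFFFFFF: ver for ver, img in RELEASE_IMAGES.items()}

# Errorlevel convention assumed for the example: the version number when
# the resident image checksums to a known release, otherwise one of these.
NOT_RESIDENT = 0
UNKNOWN_IMAGE = 255


def query_resident(memory):
    """Residency interrogation.  `memory` is a constructed dict standing in
    for the probe a real checker would make (e.g. a vendor-defined interrupt
    call).  Returns (image bytes, list of switches) or (None, None)."""
    entry = memory.get("AVRES")
    if entry is None:
        return None, None
    return entry["image"], list(entry["config"])


def verify_client(memory):
    """Return (errorlevel, config string).  One checksum lookup validates
    both that the image is intact and which version it is."""
    image, config = query_resident(memory)
    if image is None:
        return NOT_RESIDENT, ""
    version = CHECKSUMS.get(zlib.crc32(image) & 0xFFFFFFFF)
    if version is None:
        return UNKNOWN_IMAGE, ""
    return version, " ".join(sorted(config))


def login_script(errorlevel, config, minimum_version=84,
                 required_switches=("/boot", "/exec")):
    """Policy the login script applies to the checker's result.  Returns
    (decision, environment); `environment` is what the script would SET
    (AVVER, AVCONF) before mapping any drives."""
    env = {"AVVER": str(errorlevel), "AVCONF": config}
    if errorlevel == NOT_RESIDENT:
        return "deny: anti-viral module not resident", env
    if errorlevel == UNKNOWN_IMAGE:
        return "deny: resident image checksum matches no known release", env
    if errorlevel < minimum_version:
        return "deny: version %d older than required %d" % (errorlevel, minimum_version), env
    missing = [s for s in required_switches if s not in config.split()]
    if missing:
        return "deny: required switches not enabled: " + " ".join(missing), env
    return "allow", env


if __name__ == "__main__":
    # Constructed client states: clean v84, stale v83, patched image, nothing loaded.
    clients = {
        "lab-01": {"AVRES": {"image": RELEASE_IMAGES[84], "config": ["/exec", "/boot", "/net"]}},
        "lab-02": {"AVRES": {"image": RELEASE_IMAGES[83], "config": ["/exec", "/boot"]}},
        "lab-03": {"AVRES": {"image": RELEASE_IMAGES[84] + b"\x90", "config": ["/exec", "/boot"]}},
        "lab-04": {},
    }
    for name, memory in clients.items():
        rc, conf = verify_client(memory)
        decision, env = login_script(rc, conf)
        print("%-7s errorlevel=%3d AVCONF=%-18s -> %s" % (name, rc, env["AVCONF"], decision))
    # A real checker would end with the version as its exit status, which
    # is what the login script's IF ERRORLEVEL tests would read.
    sys.exit(verify_client(clients["lab-01"])[0])
```

The checksum does double duty, as the post suggests: it confirms the image is intact and identifies the version in one comparison, so the version needs no separate trust. What it cannot do is prove the hooks are actually installed; that is what the residency probe is for, and the probe is the part each vendor has to define.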
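The "dummy partition table" inoculation Tee Luns mentions in "Re: More hardware!" above, worked through as an added example (not code from the digest or from any tool it names). The idea is to put whatever bytes a virus checks to decide a sector is already infected into the master boot record's code area, leaving the partition table and boot signature intact so the disk still boots. Stoned's actual self-recognition check is not given in the digest, so MARKER and MARKER_OFFSET below are placeholders chosen for the example, and the 512-byte MBR is constructed in build_sample_mbr().

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries live here
PART_ENTRY_SIZE = 16
BOOT_SIG_OFFSET = 0x1FE     # 55 AA
BOOT_SIG = b"\x55\xAA"

# Placeholders (assumption): the bytes a virus checks for to decide the
# disk is "already infected", and the offset where it expects them.
MARKER = b"STND"
MARKER_OFFSET = 0x1A0


def parse_partition_table(sector):
    """Decode the four entries as status, type, start LBA and sector
    count (the CHS fields are skipped)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries


def is_bootable_mbr(sector):
    return len(sector) == SECTOR_SIZE and sector[BOOT_SIG_OFFSET:] == BOOT_SIG


def marker_fits(offset, length):
    """True if a marker of `length` bytes at `offset` stays inside the
    code area, i.e. cannot clobber the partition table or signature."""
    return 0 <= offset and offset + length <= PART_TABLE_OFFSET


def is_inoculated(sector, marker=MARKER, offset=MARKER_OFFSET):
    return sector[offset:offset + len(marker)] == marker


def inoculate(sector, marker=MARKER, offset=MARKER_OFFSET):
    """Return a copy of `sector` carrying `marker`, refusing anything that
    would damage the table or signature, and re-parsing the result to
    prove the table is exactly what it was."""
    if not is_bootable_mbr(sector):
        raise ValueError("not a valid MBR: 55AA signature missing")
    if not marker_fits(offset, len(marker)):
        raise ValueError("marker would overlap the partition table or signature")
    before = parse_partition_table(sector)
    patched = bytearray(sector)
    patched[offset:offset + len(marker)] = marker
    patched = bytes(patched)
    if parse_partition_table(patched) != before or not is_bootable_mbr(patched):
        raise RuntimeError("inoculation altered the partition table")
    return patched


def build_sample_mbr():
    """Constructed MBR: a stub loader prologue (cli / xor ax,ax /
    mov ss,ax / mov sp,7C00h, then NOPs), one active ~40 MB DOS
    partition starting at LBA 63, three empty entries, signature."""
    code = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"
    code += b"\x90" * (PART_TABLE_OFFSET - len(code))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xFE\x3F\x05", 63, 81858)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return code + table + BOOT_SIG


if __name__ == "__main__":
    mbr = build_sample_mbr()
    print("before:", is_inoculated(mbr), parse_partition_table(mbr)[0])
    inoc = inoculate(mbr)
    print("after: ", is_inoculated(inoc), parse_partition_table(inoc)[0])
    print("table unchanged:", parse_partition_table(mbr) == parse_partition_table(inoc))
```

Two cautions belong with the idea itself. The marker has to sit where the real loader does not execute, or the dummy sector has to be a complete working loader; and, as the post says, it only defers infection: a strain that checks different bytes, or none, walks straight past it. The real MARKER and MARKER_OFFSET for a given strain would have to come from disassembling it.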