VIRUS-L Digest   Friday, 15 Nov 1991    Volume 4 : Issue 220

Today's Topics:

1701 and DATALOCK in the same hit (PC)
Re: Format problem (PC)
Re: UNIX anti-virus program (UNIX)
Re: Subjects
Disinfectant (Mac)
Windows & viruses (PC)
Re: First SPARC Virus? (Character Replacement Within Files) (UNIX)
Re: First SPARC Virus? (Character Replacement Within Files) (UNIX)
followup on hardware-destructive virus found in Canada -- from Fido (PC)
AirCop virus in boot sector (PC)
virus scanner on UNIX? (PC) (UNIX)
IBM-PC Virus Protection Software (PC)
File checking - 1

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 13 Nov 91 08:18:53 -0800
From:    Eric_Florack.Wbst311@xerox.com
Subject: 1701 and DATALOCK in the same hit (PC)

A report from our domain, in El Segundo, that I've obtained permission to echo out:

"
-=-=

The symptoms we experienced with the virus were: The desired software would run correctly immediately after installation, but never again. The failures included system lock-ups, or simply dropping back into DOS with no messages. Some programs would display the message "overlay not found" prior to dropping back to DOS. The programs included Windows 3.0, and the Genoa CET package. At least one program (an .EXE) grew by 920 bytes during its first execution after re-installation.
I viewed the .EXE file with the debugger out of curiosity, and noticed a string "DataLock version 1.0", but it meant nothing to me at the time. I assumed it was part of a copy protection mechanism. However, after we ran SCAN we discovered that there is a virus called DataLock, and we had it. In addition, one of our machines had both the DataLock virus, and another called 1701. After running CLEAN, everything is back to normal.

What a frustrating experience this has been. I never suspected a virus, and assumed I had a problem in my machine/DOS configuration.

Finally, we haven't determined the source of these viruses. We believe they were imported by authorized users running unauthorized (read "games") software. We are running SCAN over all our installation floppies.

"Eternal vigilance is the price of freedom"
--Ian
=-=-=-=

..... including viruses, seemingly.

ENF

------------------------------

Date:    Wed, 13 Nov 91 18:49:07 +0100
From:    bunisys!bunisys!erikN@relay.EU.net
Subject: Re: Format problem (PC)

This is not so difficult. Your main problem is that the configuration of your BIOS is wrong. So you should use a setup program to change these settings to the ones they should be. Instead of a floppy of 1.44Mb you'll have a 1.2Mb in the BIOS.

Erik.

------------------------------

Date:    Wed, 13 Nov 91 18:18:07 +0000
From:    bdh@gsbsun.uchicago.edu (Brian D. Howard (CS))
Subject: Re: UNIX anti-virus program (UNIX)

tommyp@ida.liu.se (Tommy Pedersen) writes:
>I wrote:
>>schieb@dingo.gsfc.nasa.gov (Brian Schieber) writes:
>>>I'm looking for sources for virus checking for UNIX boxes. What's available?
>>TCell is a commercial UNIX virus checking program that the company I
>>work for has developed. It uses cryptographic checksums to check for
>>unexpected changes in the file system. Contact me and I'll tell you
>>more about it.
>peter@ficc.ferranti.com (Peter da Silva) writes:
>>Are there any viruses on UNIX to actually *check* for?
>bdh@gsbsun.uchicago.edu (Brian D.
>Howard (CS)) writes:
>>No. But that never stopped nobody from selling.
>No, there are no viruses to check for on UNIX systems around today ...

Not to be snide (means I am so being) but it's fair to say then that you are selling something that would detect something *If* in fact that something actually existed, when in fact it does not?

I have a program that will test and determine if your UNIX machine has been possessed by the Devil himself. I will sell it to anyone that wants it. The WEEKLY WORLD NEWS contains a report of an *actual* daemonic possession at a bank in Chile so you can read about the dangers thereof.

--
Dallas, TX "Where we shoot Presidents and shoot people who shoot Presidents."

------------------------------

Date:    Wed, 13 Nov 91 18:24:14 +0000
From:    bdh@gsbsun.uchicago.edu (Brian D. Howard (CS))
Subject: Re: Subjects

turtle@darkside.com (Fred Waller) writes:
>Complains Dr. Chess:
> > I notice you always seem to change the Subject: line
> > when replying to a posting. Is that intentional?
> Mostly, yes - but not ill-intentioned. By the time I start
> composing a reply, some part of its theme is already clear in
> my mind, and I tend to use that as the subject.
> ...
> I'll try to do better, though. :-)

Many of us may use the subject line as the means of placing the text in a database, hence if changed the relevant text goes more than one place. Not difficult to handle, merely irritating.

--
Dallas, TX "Where we shoot Presidents and shoot people who shoot Presidents."

------------------------------

Date:    Wed, 13 Nov 91 12:43:00 -0600
From:    AB5891A@ACAD.DRAKE.EDU
Subject: Disinfectant (Mac)

In response to the people... I did use Disinfectant v1.something. It took it out, but I had to track down a new version of System 6. All I had was 6.0.2 and HyperCard 1.6.5 wouldn't run under it, so I needed to find something else so that it would work.

I have NEVER seen a virus for the Commodore (Many people remark "Who'd waste the time?") 64/128.
I am running System 6 without MultiFinder because I know of the difficulties under many applications I have of it running. I only have 2.5 Megs in this SE.

I thank everyone who suggested keeping the Disinfectant INIT. I did, but it was erased. And unfortunately my roommate (and his non-ethical ways) got it infected the next time he used it...

I am just curious as to how many Macintosh viruses are currently roaming around. And also, I have just recently acquired a COMPAQ and I am interested in how many and if there are any IBM Public Domain Anti-Virus utilities...

ParaPsykotically Yours,
Tony
AB5891A@Acad.Drake.Edu

------------------------------

Date:    Wed, 13 Nov 91 16:35:00 -0400
From:    SJMADSEN@MIAVX1.ACS.MUOHIO.EDU
Subject: Windows & viruses (PC)

Is there a virus scanner available which is written specifically for Windows? The reason I ask is because VIRUSCAN appears to skip right over any Windows .EXEs (either that or it only checks the short DOS headers). Last, have there been any reports of viruses written only for Windows?

--
Steve Madsen       ! Internet: sjmadsen@miavx1.acs.muohio.edu (preferred)
Miami University   !           sm9esanw@miamiu.acs.muohio.edu
Oxford, Ohio       ! And now for something completely different.

------------------------------

Date:    Wed, 13 Nov 91 19:21:00 -0500
From:    Russell Billings
Subject: Re: First SPARC Virus? (Character Replacement Within Files) (UNIX)

Looking at the characters that are getting replaced in your system, and the replacement characters, it looks like you have a hardware failure somewhere on your data bus. The characters that are being changed are starting out as ASCII values 0x5B, 0x5C, and 0x5D and are ending up as the values 0x7B, 0x7C, and 0x7D. If the 0x20 data bus line went high when it should not have, you would get this kind of change in your data. Assuming that the ^?
characters in your .h files were NUL characters (ASCII 0x00), then if the 0x20 data line dropped low during the transmission of blank spaces (ASCII 0x20), those characters would turn into NULs.

Hope this helps!

Russell E. Billings
University of Louisville, Louisville, Ky
--
BITNET: rebill02@ulkyvx.bitnet
UUCP: ...psuvax1!ulkyvx.bitnet!rebill02

------------------------------

Date:    Thu, 14 Nov 91 10:11:23 +0000
From:    janet@cs.uwa.oz.au (Janet Jackson)
Subject: Re: First SPARC Virus? (Character Replacement Within Files) (UNIX)

cmcl2!tester@uunet.uu.net (L Testerville) describes { being replaced by [, } by ] and \ by | in various Unix files.

[, \ and ] are consecutive in ASCII, and {, | and } are all 32 (decimal) above the characters they're replacing. Sounds like misguided upper to lower case conversion.

The only thing I can think of (other than a virus) that might randomly do this to various files throughout the system is a bug in the backup/restore software. Unfortunately the poster doesn't say what he or she is using.

Janet Jackson (janet@cs.uwa.oz.au)
Department of Computer Science
The University of Western Australia

------------------------------

Date:    Thu, 14 Nov 91 08:05:00 -0500
From:    HAYES@urvax.urich.edu
Subject: followup on hardware-destructive virus found in Canada -- from Fido (PC)

Hi. Following is a follow-up about the hardware-destructive virus found in Canada. This is a forwarded excerpt from the FIDO VIRUS echomail conference.

--- begin forwarded message --

To: Antony Purvis              Message #: 3426 1123
From: Todd Burgess             Submitted: 12 Nov 91 16:36:00
Subject: Destruction!          Status: Public
Received: No                   Group: VIRUS (30)

> Anyone got any comments? Newsbytes isn't exactly the
> most reliable of agencies, it must be said. (No disrespect to them)

I live in Canada and Queens University isn't all that far from where I live... If it was a variant of the 1575 I wouldn't be surprised because the 1575 can be found all over Southern Ontario.
I should know because I get hit by the 1575. Now who wrote it is speculation. I know we have a group called Rabid but they release their viruses through the BBSes. It could be a rebel student who modified the code.

-Todd-

--- FD 1.99c
 * Origin: Virus Awareness Group - Whitby Ont. (1:229/420.16)

----- end forwarded message --

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes      HAYES @ URVAX              (Vanilla BITNET)
University of Richmond    hayes@urvax.urich.edu  (Bitnet or Internet)
Richmond, VA  23173

------------------------------

Date:    14 Nov 91 16:30:38 +0000
From:    Tom Killalea
Subject: AirCop virus in boot sector (PC)

We have a number of hard-diskless (to avoid virus infection) PC labs which students use floppies to boot. Previous viruses such as stoned, cascade, form, 170x etc. have caused considerable inconvenience, but we're currently besieged by AirCop and I'm reaching for the valium.

It causes FPROT 2.01 to hang, while FPROT 1.15 (f-disinf) occasionally says it's cured (only it never is) or else returns "error reading boot sector". CLEAN 7.9v84 says "Virus cannot be safely removed from boot sector". DOS\SYS says "Not able to SYS to .3L File System" (That's a superscripted L, and is the same for all floppies.)

Needless to say, any help would be appreciated. If you think this is a new strain then I can archive or mail samples to the appropriate bodies.

Thanks, Tom.

--
Tom Killalea | 011 353 1 702 2165 | Trinity College | killalea@unix2.tcd.ie |

------------------------------

Date:    Thu, 14 Nov 91 13:26:50 -0500
From:    clarke@csri.toronto.edu (Jim Clarke)
Subject: virus scanner on UNIX? (PC) (UNIX)

The subject of this note is not "UNIX virus scanner" but "virus scanner on UNIX"--and with a question mark.
In the November issue of the IEEE "Computer" magazine, page 87, a review of IBM's AIX 3.1.5, a version of UNIX, mentions that the system comes with "a 'virscan' command [that] can scan files and detect bit patterns that match known (DOS-based) viruses." I take it that this is IBM's standard DOS "VIRSCAN", and that it is not intended to detect UNIX viruses, of which we've been hearing there aren't any.

Is this worth doing?--that is, do DOS users frequently have DOS programs in scannable form on UNIX machines? As a Mac user, I often have Mac programs stored as UNIX files, but in binhexed form and consequently unscannable. Or does IBM distribute "virscan" with AIX just because it's there?

(While you're looking at the magazine, check the bottom of the next page, where a reviewer of an alternative version of DOS has an "oops! dear, dear" reaction to finding the Stoned virus on his machine. It's frightening that a user competent enough to be asked to write a review would be so unaware his machine was infected.)

--
Jim Clarke -- Dept. of Computer Science, Univ. of Toronto, Canada M5S 1A4
clarke@csri.toronto.edu or clarke@csri.utoronto.ca // (416) 978-4058

------------------------------

Date:    Thu, 14 Nov 91 20:36:52 +0000
From:    chaneyb@cssmtf.ccs.csus.edu (bryan chaney)
Subject: IBM-PC Virus Protection Software (PC)

I am looking for virus protection software. McAfee looks like the top of the line. Does anyone know of anything comparable in service but cheaper?

Bryan

------------------------------

Date:    Wed, 13 Nov 91 21:59:29 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: File checking - 1

FUNGEN7.CVP   911113

                          File checking

Most file infecting viral programs can be checked for quite simply, and without any special programs or equipment. Provided, that is, that the computer user will pay the most minimal attention to the system, and take the most basic precautions.
The simplest form of antivirus detection "equipment" is a list of all the programs to be run on the computer, with the size and "last changed date" for each. (The list for "resource" based systems such as the Macintosh will, of necessity, be somewhat larger, and must include all "code" resources on the disk.) With some few (albeit important) exceptions, programs should never change their size or file date. Any changes that are made should be at the request of the user, and thus easy enough to spot as exceptions.

While "stealth" technology of various types has been applied to viral programs, the most common (and successful) viri, to the date of this writing, have not used it. Most change the size of the file, and generally do it in such a standardized fashion that the "infective length" of the virus is often used as an identification of the specific viral program. The file date is changed less often, but is sometimes deliberately "used" by the virus as an indicator to prevent reinfection. (One used the value of "31" in the seconds field, which is presumably why the later 1.xx versions of F-PROT all had dates ending in 31. Another used the "impossible" value of 62.)

Even when stealth techniques are used, they generally require that the virus itself be running for the measures to be effective. We thus come to the second piece of antiviral equipment; the often cited "known clean boot disk". This is a bootable system (floppy) disk, created under "sterile" conditions and known to be free of any viral program infection, and write protected so as to be free from possible future contamination. When the computer is "booted" from this disk, the hard disk boot sector and system areas can be bypassed so as to prevent "stealth" programs from passing "false data" about the state of the system.

Viral protection can thus start with these simple, and non-technical provisions. Starting with a known-clean system, the list can be checked regularly for any discrepancies.
The "clean disk" can be used to "cold boot" the system before these checks for added security. Checks should be performed before and after any changes made to software, such as upgrades or new programs.

Security does not, of course, end here. This is only a very simple first line of defence.

copyright Robert M. Slade, 1991   FUNGEN7.CVP   911113

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "Power users think
Institute for  Robert_Slade@mtsg.sfu.ca | 'Your PC is now
Research into  CyberStore               | Stoned' is part of
User           (Datapac 3020 8530 1030) | the DOS copyright
Security       Canada V7K 2G6           | line." R. Murnane

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 220]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
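Two threads in this digest lend themselves to one worked example: Rob Slade's column on keeping a list of program sizes and "last changed dates" and checking it from a known-clean boot, and the two replies to the SPARC "character replacement" report (Russell Billings and Janet Jackson), which reason that brackets turning into braces means every corrupted byte gained the 0x20 bit, the signature of a stuck data-bus line rather than a virus. The Python script below is an added example, not part of the digest and not written by any of its contributors. It records size, modification time and a SHA-256 hash for each file (the hash is an assumption beyond the column's size-and-date list), reports discrepancies against that baseline, and, where a known-clean copy of a changed file exists (an installation floppy, in the column's terms), classifies the change: a length change of N bytes (the "infective length" pattern) versus a same-length file whose differing bytes all disagree in a single bit position. The sample files, the 920-byte growth and the 0x20 bit pattern in `demo()` are constructed for illustration; the two numbers come from reports in this digest, the file contents do not.

```python
"""Baseline file checking with change classification (added example, not from VIRUS-L)."""
import hashlib
import os
import tempfile


def file_record(path):
    """Size, last-modified second and SHA-256 of one file.

    Size and date are what the column recommends; the hash is an addition
    so that a same-size, same-date change is still caught."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}


def build_baseline(root):
    """Record every regular file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_record(path)
    return baseline


def check_against_baseline(root, baseline):
    """Return {relpath: [discrepancies]} for every file that no longer matches."""
    findings = {}
    current = build_baseline(root)
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings[rel] = ["missing"]
            continue
        diffs = [k for k in ("size", "mtime", "sha256") if old[k] != new[k]]
        if diffs:
            findings[rel] = diffs
    for rel in current.keys() - baseline.keys():
        findings[rel] = ["new file"]
    return findings


def classify_difference(clean, suspect):
    """Describe how a suspect copy differs from a known-clean copy (both bytes)."""
    if len(clean) != len(suspect):
        # Growth by a fixed number of bytes is the "infective length" pattern.
        return {"kind": "size_change", "delta": len(suspect) - len(clean)}
    masks = {a ^ b for a, b in zip(clean, suspect) if a != b}
    if not masks:
        return {"kind": "identical"}
    if len(masks) == 1:
        bit = next(iter(masks))
        if bit & (bit - 1) == 0:  # one bit position differs in every changed byte
            count = sum(a != b for a, b in zip(clean, suspect))
            return {"kind": "single_bit", "bit": bit, "count": count}
    return {"kind": "content_change", "bits": sorted(masks)}


def demo():
    """Constructed sample: one program grows by 920 bytes, one header has every
    [ \\ ] (0x5B-0x5D) turned into { | } (0x7B-0x7D), i.e. bit 0x20 set."""
    with tempfile.TemporaryDirectory() as root:
        clean = {
            "PROG.EXE": b"MZ" + bytes(range(256)) * 4,
            "defs.h": b"#define ARR(x) a[x] \\\n int v[3];\n",
            "README.TXT": b"unchanged text\n",
        }
        for rel, data in clean.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Simulate the two kinds of change discussed in the digest.
        with open(os.path.join(root, "PROG.EXE"), "ab") as f:
            f.write(b"\x90" * 920)
        with open(os.path.join(root, "defs.h"), "rb+") as f:
            hdr = f.read()
            f.seek(0)
            f.write(bytes(b | 0x20 if b in (0x5B, 0x5C, 0x5D) else b for b in hdr))

        findings = check_against_baseline(root, baseline)
        classes = {}
        for rel in findings:
            with open(os.path.join(root, rel), "rb") as f:
                classes[rel] = classify_difference(clean[rel], f.read())
        return findings, classes


if __name__ == "__main__":
    found, kinds = demo()
    for rel in found:
        print(rel, found[rel], kinds[rel])
```

Run as a script it prints one line per changed file: PROG.EXE reports a size and hash discrepancy classified as a 920-byte growth, defs.h reports a hash discrepancy with the same size, classified as a single-bit (0x20) change across five bytes. The single-bit test is deliberately strict: if the differing bytes disagree in more than one bit pattern the result is a generic content change, so the hardware explanation is only offered when the data actually fits it.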