VIRUS-L Digest   Friday, 20 Dec 1991    Volume 4 : Issue 238

Today's Topics:

Voice Trojan (PC)
virus outbreak in central Virginia (PC)
New Virus Alert: Happy Halloween (PC)
Re: "Happy Halloween" (PC)
Virus writing contest
Re: Washburn and ethics; VIRUS-L Digest V4 #237
MICHELANGELO (PC)
Re: PC problem - possible virus? (PC)
Re: Booting from a clean floppy (PC)
Re: Mac virus?: system crash (HELP!) (Mac)
programs from New Zealand (PC)
Thunderbyte anti-virus updates on SIMTEL20 (PC)
McAfee 85 suite is on BEACH (PC)
Merry Christmas

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 17 Dec 91 16:07:32 -0500
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Voice Trojan (PC)

Must apologise for not posting this sooner but was sure someone else was going to...

The following describes a trojan (does not appear to be a virus) found on a BBS in Virginia, USA. At this time it is not known what the source was.

This is a dangerous trojan which will attempt to overwrite the Boot Record, both FATs and a portion of the root directory on all disks using Interrupt 26. At this time I do not know if this will occur on each activation or if there is a discriminator in use (disassembly is 54 pages long).

This was received as a .ZIP file containing the executable and a document file.
The following are excerpts from the documentation:

>VOICE MASTER v1.0, Written by Storm Shadow, Dec. 2nd 1990
>__________________________________________________________
>                  (Last update June 1990)
>   Voice Master is a program that uses the IBM internal
>speaker to record voices and playback the recorded voices. If
>you have an Adlib or Soundblaster card the sounds will be
>better.
>   You are encouraged to distribute this program. All I ask
>if you are using it is to leave a message to me on my board to
>let me know that you are using it. That way, if I write
>other versions of it, and if I can reach you somewhere, you
>will have the opportunity to receive a copy of it faster than
>if you wait for it to be uploaded to a bbs.

Since the IBM-PC speaker could make a very poor microphone but the system electronics is designed only for sound output, the program's claims are (IMHO) evidence of malicious purpose. The funny thing is that I seem to remember hearing of such a trojan several years ago (the absurd claim is what sticks in my mind) but cannot place it. Certainly the program's date (2-90) does not match the .DOC's (same date) "June" or "December" statement and is fairly old.

This just goes to reinforce the statement made by several other researchers (I haven't - yet) that malicious software never dies out so long as it is still on a disk somewhere - the recent destruction of a disk overseas by the DataCrime is certainly ample proof of that.

In any event, just remember the old chestnut "if it sounds too good to be true, it probably is."

Happy Holidays,
   Padgett

------------------------------

Date:    Thu, 19 Dec 91 06:12:00 -0500
From:    HAYES@urvax.urich.edu
Subject: virus outbreak in central Virginia (PC)

Hi.

Following are two messages reporting two virus outbreaks in the Richmond VA. area. They were posted on a local BBS (the Blue Ridge Express).
It is interesting to note that a military institution got hit; very seldom can one read/hear reports from these institutions.

----- begin forwarded messages --

Msg #: 3000 MAIN
From:  ROBERT LIAS            Sent: 12-18-91 21:55
To:    ALL                    Rcvd: 12-19-91 05:23
Re:    FORT LEE GOT "STONED"

I had the great honor to identify the "Stoned" virus on 4 of my unit's PC's today. This has not been a severe virus; however, I do have to check ALL of my disks for the virus as well. McAfee's VirusScan and Clean had no problem with the detection and elimination. If you work at Fort Lee you may want to notify someone and have them check out your systems too. I hope you find all is well.

***Rob***

=====

Msg #: 3005 MAIN
From:  TOM HUFFMAN            Sent: 12-18-91 22:23
To:    ALL                    Rcvd: 12-19-91 05:23
Re:    DIR-2 WARNING!!!

We have had a "slight" attack of the DIR-2 virus in the School of Business at VCU. We found the virus on almost 10-15 computers... two of them being the machines that are used by the lab monitors/consultants to scan students' diskettes as they come into the lab. With the monitors' machines being infected, this virus WILL be on all the diskettes which have been checked on these machines! We have McAfee's VSHIELD v84 on all the machines, but they never detected the infections! The virus was however found with version 85. This virus has already trashed several hard disks, which need to be formatted because they're beyond help!! Since this virus is incredibly infectious, I would advise EVERYONE who has used any of the machines at VCU to check their PC's and diskettes using SCAN v85 or F-Prot v2.01. Thanks!!
Tom Huffman

----- end forwarded messages --

Best, Claude

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA 23173

------------------------------

Date:    Thu, 19 Dec 91 09:44:57 -0700
From:    martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Subject: New Virus Alert: Happy Halloween (PC)

(from Padgett)
> Tim: You can have the honor of making the Virus-L alert. Just let
> me know by noon that it is happening. More details after I take
> it apart at home. - Padgett

Thanks, Padgett. I added a line or two to what follows. Tim.

--------------------------------------------

New Virus: Happy Halloween

First pass preliminary estimates (not yet disassembled)

Non-Resident

Requires minimum file size to infect (have not yet determined requirements).

Discovery: December 1991 in British Columbia, Canada

Characteristics:
File infects on execution - appears to seek out single file for infection of length greater than xxxx bytes.
Infected files grow by 10,000 (decimal) bytes.
Virus infects all files as if .EXE - Infected .COM files will not execute properly.
Virus may have at one time been compressed with LZEXE.
Embedded string ("All Gone") indicates file deletion or destruction may occur on unknown trigger.
COMMAND.COM infection will make floppy boot necessary.

Detection:
This virus is not found by the common scanners tested. Notably, the FPROT "analyse" option finds "no virus-like activity".

Copy the following line (including quotation marks) to a file "Hallowee.ext"

    "6c6c6f7765656e55" Happy Halloween

Utilize with McAfee's Scan as follows

    SCAN /EXT HALLOWEE.EXT

- may also be used with other scanners that accept external strings.

-------------------------------------------------------------
Tim Martin                 *  Soil Science   *  These opinions are my own:
University of Alberta      *  My employer has none!
martin@cs.ualberta.ca      *
-------------------------------------------------------------

------------------------------

Date:    Thu, 19 Dec 91 15:08:24 -0500
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Re: "Happy Halloween" (PC)

A couple of other things noticed since the Viralert went out thanks to efforts by Tim Martin, David Chess, Fridrik Skulason, & Vesselin Bontchev. (isn't the net wonderful)

1) Virus triggers on October 31 of any year after 1991 (at least 92 & 93 work). then: All executable files in current directory are truncated to 666 bytes and the message "ALL GONE Happy Halloween" appears. Message is found near the start of infected files in plain ASCII.

2) Virus only infects files of 10,000 bytes and larger. File size increases by exactly 10,000 bytes. Dates/times are changed to match infection or trigger date.

3) Virus does not use any "stealth" nor does it seem to go resident

4) Simple .COM files may still execute properly - more complex ones do not.

5) Appears to have been written in Turbo-Pascal (honest).

6) As number of infected files in directory increases, so does amount of "disk thrashing" - particularly noticeable on floppies.

IMHO - this virus will probably not become common without help. Will update if anything more of importance is learned.

(and I thought it was going to be a quiet week)
   - Padgett

------------------------------

Date:    Fri, 20 Dec 91 11:55:47 -0500
From:    ry15@rz.uni-karlsruhe.de
Subject: Virus writing contest

Hi everybody,

a German computer magazine called 64'er by Markt & Technik has just published an article on viruses. One part of the article is an announcement of a virus writing contest. Two quotes:

   The most sophisticated virus will be awarded generously!
   The virus will be published.
   Send in your killers to:
A paragraph below they tell about the German computer crime laws and also state that these laws are no threat because it's very hard to prove the intention.

WE ALL JUMPED ONTO THEM!!!

Siemens Nixdorf told Markt & Technik that they would cancel all advertisements in all of their magazines!!! One of the staff members said that they will withdraw the offer in the next issue.

Christoph Fischer
Micro-BIT Virus Center
University of Karlsruhe
Zirkel 2
W-7500 KARLSRUHE 1
Germany
+49 721 376422 Phone
+49 721 32550 FAX
email: ry15@rz.uni-karlsruhe.de

------------------------------

Date:    Wed, 18 Dec 91 06:49:43 -0800
From:    Eric_Florack.Wbst311@xerox.com
Subject: Re: Washburn and ethics; VIRUS-L Digest V4 #237

Frisk in #237:

> >tolerated. It stands to reason that anyone who knows enough about
> >computers to create a virus, does other 'above board' programming.
>
> Eh..I must disagree. Most viruses are probably not written by
> programming geniuses, or even by professional programmers - many
> known virus authors are just teenagers, doing this "for fun"...

OK, Granted that many are. However, I would ask how many of them also have somewhat more useful code in the PD and SHAREWARE pipes? (I guess the question should be, how much that we /know of/, since as has been pointed out, anyone in that position would be less than excited about admitting it.)

And even given that what you say is totally true, you further my last point: That a strong reaction to a Washburn would send a message to impressionable minds that such behavior isn't tolerated, thereby lowering the amount of virus code generated.

Consider, if you will; what happens when the kiddie crew wants to make use out of their computer skills to earn their daily stale bread. IF actions like what we were discussing against Washburn, for example, were taken, and made public, perhaps the kiddie crew out to have 'fun' (? The idea of fun is not universal, I guess) would think twice about their actions.

Happy Holiday all...
E

------------------------------

Date:    Wed, 18 Dec 91 15:36:20 -0700
From:    kev@inel.gov (Kevin Hemsley)
Subject: MICHELANGELO (PC)

I recently cleaned a machine infected with Michelangelo. Before I scanned the machine I ran CHKDSK. This is when I suspected a problem because there was over 3000 bytes missing from conventional memory. SCAN V85 reported Michelangelo. Using Diskedit I looked around and found a copy of the original MBR at cylinder 0, track 0, sector 7. After taking a sample and cleaning the MBR, I rebooted the machine and ran SCAN again, which reported everything was clean.

Out of habit, I ran CHKDSK again and found exactly 1K still missing from conventional memory. When the computer was booted from a clean disk, CHKDSK reported a full 640K. I did rename AUTOEXEC.BAT AND CONFIG.SYS to make sure it was not a driver or other TSR stealing memory. I was able to correct the problem with a SYS, but I'm not quite sure what was using the 1024 bytes. It was either the DOS boot record, or the two hidden system files or COMMAND.COM.

My question is did Michelangelo alter one of the above system areas, or was it another problem. I thought that Michelangelo only altered the Partition Table. Any Ideas?

-------------------------------------------------------------------------------
Kevin Hemsley                         |
Information & Technical Security      | If you think that you have someone
Idaho National Engineering Laboratory | eating out of your hand, it's a
(208) 526-9322                        | good idea to count your fingers!
kev@inel.gov                          |
-------------------------------------------------------------------------------

------------------------------

Date:    Wed, 18 Dec 91 16:44:47 -0500
From:    cci632!sjfc!od9425@ccicpg.irv.icl.com (Ogden Dumas)
Subject: Re: PC problem - possible virus? (PC)

Just a quick note. I have heard from a few close sources that what you have is a virus. I will contact them and forward your address. Now I have a question for you. Can you forward this message to the moderator of Comp. Virus. Thanx in advance

Question for all: Is there a virus that can infect BOTH PCs and Mainframes? The place where I am working is networking and I am trying to find out what possible threats can arise from this. Thanx.

************************************************************************
od9425@sjfc.uucp (Ogden Dumas)      The few, the proud,
(716)723-0991                       No job too small
The Nice Guy.                       MYopinionandNOoneelsePERIOD
Rape is Rape PERIOD. With or without Violence!
Apt. 812 1100 English Rd. Rochester, NY 14616
whatIhaveNOopinionIhaveJUSTmyMEAGERmind...aPOSTRONbrain
*************************************************************************

------------------------------

Date:    19 Dec 91 10:11:34 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Booting from a clean floppy (PC)

HILLIARD_N@csvax1.ucc.ie (Nick Hilliard) writes:

> Writing virus scanners which have to cope with the problem of
> already-resident viri is an unnecessary complication. It could be
> done, of course, but it just means more work for the programmers,
> *and* it would not be fail-safe. Remember just how many viri there
> actually _are_ out there [no comments about names and classification,
> please ;-)]. Writing the code to disable each one of them, restore all
> the interrupts they hook, reclaim memory, etc. is superfluous when all

I agree, in general, with your point, but just to add my two cents worth...

In my Lab in Sofia we began to develop a programmable memory disinfector. It takes a text file, which contains strings to scan for (wildcards accepted), offsets (from a paragraph boundary) at which they must be found, and (if the string is found) sequences of "look for" and "patch to" bytes. And a virus name, of course. If the string is found, an additional check is made for the "look for" bytes (at the appropriate offsets). If they are not present, the virus is assumed as already deactivated and nothing is done.
Otherwise, the virus name is reported and the bytes are patched to the "patch to" values. The virus is just patched in memory, in order to stop it from infecting/triggering; no attempt is made to restore the original interrupt vectors or to free the used memory, since this cannot always be done, and is too dangerous anyway.

There are almost no false positives, since the string must be at a fixed paragraph boundary; there are other restrictions as well - like looking only in the low memory (below the current PSP), or in the high memory (above the current PSP), or at a fixed address (say, in the interrupt vector table, in the video memory, etc.).

As a conclusion, I agree that it is unsafe to -rely- on such a program - it's much better to boot from a clean disk; but do you know how many dumb users of anti-virus software don't do this? So, it's better to have such (unreliable) protection, than none...

> All PC's with hard drives have floppy drives, and if they don't,
> they should.

Hm, I tend to disagree... If there were no floppies (say, a PC attached to a LAN), it would be much more difficult to infect the computers... Especially with boot sector infectors... :-)

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -246      Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Thu, 19 Dec 91 08:08:47 +0000
From:    phaedrus@milton.u.washington.edu (Phaedrus)
Subject: Re: Mac virus?: system crash (HELP!) (Mac)

SWVX@VAX5.CIT.CORNELL.EDU writes:

>Does anyone have any information about a Mac virus that causes
>programs to frequently "unexpectedly quit due to error type 1"
>
>It happens under both system 7 & system 6, on various machines.

If Disinfectant doesn't flag any viruses, then the odds of a virus being the cause of this are negligibly small. "System error 01" or "Unexpectedly quit (1)" simply mean that the program crashed; either the program is just buggy (Microsoft programs are good at this :) ), or it's not compatible with the version of the system software you're using, or there's a conflict between the program and an INIT ("Startup document") or cdev ("Control Panel document") that you have in your System Folder.

Try dragging all of these Startup documents and Control Panel documents out of the System Folder (or out of the Extensions and Control Panels subfolders of a System 7 System Folder), restarting the machine, and seeing if the crashes stop. If they don't, the program you're using probably just won't work with that system software version. If the crashes do stop, then try adding the startup and control panel documents back into the System Folder one at a time, restarting the Mac after each addition and testing again to see if the crashes start up again. If they do, then the last startup or control panel document you added is probably the culprit.

--
Internet: phaedrus@u.washington.edu   (University of Washington, Seattle)
"If you can keep your head while those about you are losing theirs,
 consider an exciting career as a guillotine operator!"
Hi! I'm an anti-virus utility! Install me in your .signature right away!

------------------------------

Date:    Tue, 17 Dec 91 18:05:00 -0500
From:    HAYES@urvax.urich.edu
Subject: programs from New Zealand (PC)

Hi.

After reading virus-l 4.236, I went to the site mentioned by "PHYS169@csc.canterbury.ac.nz" "Mark Aitchison, U of Canty; Physics", and fetched the two programs, BOOTID and CHECKOUT. The original files were in .ZOO archive format, and I repackaged them in .ZIP format for the sake of compatibility with users here.

So now are available for FTP processing:

BOOTID  .ZIP    Identify a diskette's boot sector type ("hashcode").
                Use BOOTID to check the boot sector of DOS diskettes, to produce a 12-byte hashed identifier string based on the contents of the diskette's first sector.
                Copyrighted Freeware from New Zealand

CHECKOUT.ZIP    Display or check a diskette or Hashcode.
                Use CHECKOUT to check the boot sector of DOS diskettes, to produce a 12-byte hashed identifier string based on the contents of the diskette's first sector, identical to the BOOTID program, but with better descriptions and more options. You can also use it to explain a hashcode created elsewhere. The program only works with diskettes.
                Copyrighted Freeware from New Zealand

Site address: urvax.urich.edu    IP# 141.166.1.6
system:       vax/vms 5.4-2, running Multinet for FTP processes
login:        anonymous
password:     your_email_address
directory:    When logged in the user is in the anonymous directory.
type:         cd msdos.antivirus
              to enter the directory where these two programs (and the rest of the "antivirus" collection) reside.

Happy holidays to all!

Claude

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA 23173

------------------------------

Date:    17 Dec 91 23:36:37 +0000
From:    jeroenp@rulfc1.leidenuniv.nl (Jeroen W. Pluimers)
Subject: Thunderbyte anti-virus updates on SIMTEL20 (PC)

I have uploaded to SIMTEL20:

pd1:
TBRESC15.ZIP    Thunderbyte Anti-Virus Rescue Boot Sector v1.5
TBSCAN30.ZIP    Thunderbyte Virus Scan 3.0; needs VSyymmdd.ZIP
VS911114.ZIP    Virus signatures for HTSCAN/TBSCAN date 911114

These files replace: TBRESC12.ZIP; TBSCAN28.ZIP, VS911009.ZIP

voice: +31-2522-11809 (19:00-22:00 UTC)
snail: P.S.O.
       attn. Jeroen W. Pluimers
       P.O. Box 266
       2170 AG Sassenheim
       The Netherlands
email: jeroenp@rulfc1.LeidenUniv.nl
       jeroen_pluimers@f521.n281.z2.fidonet.org

Please note: phone number will change to +31-2522-20908 at December 16th

------------------------------

Date:    Thu, 19 Dec 91 09:50:04 -0600
From:    PERRY@beach.gal.utexas.edu (John Perry KG5RG)
Subject: McAfee 85 suite is on BEACH (PC)

Hello Everyone!

I apologize for taking so long to post the new McAfee suite of anti-viral software on beach.gal.utexas.edu. The system manager changed the password to my maintenance account and then went on vacation! Anyway it is there now for anyone with FTP capabilities.

John Perry KG5RG                       | perry@beach.gal.utexas.edu - Internet
University of Texas Medical Branch     | PERRY@UTMBEACH - BITnet
Galveston, Texas 77550-2772

------------------------------

Date:    14 Dec 91 01:02:26 +0000
From:    gregm@sail.labs.tek.com (Greg Montgomery)
Subject: Merry Christmas

"The Worm Before Christmas"
by Clement C. Morris (a.k.a. David Bradley, Betty Cheng, Hal Render, Greg Rogers, and Dan LaLiberte)

Twas the night before finals, and all through the lab
Not a student was sleeping, not even McNabb.
Their projects were finished, completed with care
In hopes that the grades would be easy (and fair).

The students were wired with caffeine in their veins
While visions of quals nearly drove them insane.
With piles of books and a brand new highlighter,
I had just settled down for another all nighter ---

When out from our gateways arose such a clatter,
I sprang from my desk to see what was the matter;
Away to the console I flew like a flash,
And logged in as root to fend off a crash.

The windows displayed on my brand new Sun-3,
Gave oodles of info --- some in 3-D.
When, what to my burning red eyes should appear
But dozens of "nobody" jobs. Oh dear!

With a blitzkrieg invasion, so virulent and firm,
I knew in a moment, it was Morris's Worm!
More rapid than eagles his processes came,
And they forked and exec'ed and they copied by name:

"Now Dasher! Now Dancer!
Now, Prancer and Vixen!
On Comet! On Cupid! On Donner and Blitzen!
To the sites in .rhosts and host.equiv
Now, dash away! dash away! dash away all!"

And then in a twinkling, I heard on the phone,
The complaints of the users. (Thought I was alone!)
"The load is too high!" "I can't read my files!"
"I can't send my mail over miles and miles!"

I unplugged the net, and was turning around,
When the worm-ridden system went down with a bound.
I fretted. I frittered. I sweated. I wept.
Then finally I core dumped the worm in /tmp.

It was smart and pervasive, a right jolly old stealth,
And I laughed, when I saw it, in spite of myself.
A look at the dump of that invasive thread
Soon gave me to know we had nothing to dread.

The next day was slow with no network connections,
For we wanted no more of those pesky infections.
But in spite of the news and the noise and the clatter,
Soon all became normal, as if naught were the matter.

Then later that month while all were away,
A virus came calling and then went away.
The system then told us, when we logged in one night:
"Happy Christmas to all! (You guys aren't so bright.)"

[ Note: The machines dasher.cs.uiuc.edu, dancer.cs.uiuc.ed, prancer.cs.uiuc.edu, etc. have been renamed deer1, deer2, deer3, etc. so as not to confuse the already burdened students who use those machines. We regret that this poem reflects the older naming scheme and hope it does not confuse the network administrator at your site. -Ed.]

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 238]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
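Editor's added example, appended after the digest and not part of any contributor's message: a small external-string scanner in the style of the SCAN /EXT line that Tim Martin's Happy Halloween alert asks readers to paste into HALLOWEE.EXT, extended with the two corroborating facts from Padgett's follow-up (the plain-ASCII "ALL GONE Happy Halloween" text near the start of an infected file, and the 10,000-byte minimum host size plus 10,000-byte growth). The .EXT line is quoted verbatim from the alert; the 512-byte "near the start" window, the 20,000-byte floor (inferred from Padgett's two numbers), and every sample file are this example's own constructions, not real virus samples or McAfee code.

```python
"""External-string scanning in the style of SCAN /EXT, added as an example
for this digest.  Not McAfee's code and not anything posted by Tim Martin or
Padgett; the only grounded input is the .EXT line from the alert."""
import re

# Verbatim from the alert: the hex 6c6c6f7765656e55 is the ASCII bytes "lloweenU".
HALLOWEEN_EXT = '"6c6c6f7765656e55" Happy Halloween\n'

# One signature per line: a quoted hex string followed by the virus name.
EXT_LINE = re.compile(r'^\s*"([0-9A-Fa-f]+)"\s+(.+?)\s*$')


def parse_ext(text):
    """Parse .EXT lines into [(name, signature_bytes)]; other lines are ignored."""
    sigs = []
    for line in text.splitlines():
        m = EXT_LINE.match(line)
        if not m:
            continue
        hexstr, name = m.groups()
        if len(hexstr) % 2:
            raise ValueError(f"odd-length hex string for {name!r}")
        sigs.append((name, bytes.fromhex(hexstr)))
    return sigs


def scan_bytes(data, sigs):
    """Names of every signature found anywhere in data: a plain substring
    search, exactly as context-free as an external string is."""
    return [name for name, sig in sigs if sig in data]


def halloween_corroboration(data):
    """Rank a signature hit with the two facts in Padgett's follow-up.
    - Trigger text is 'near the start' in plain ASCII; the 512-byte window is
      this example's assumption, not a figure from the digest.
    - Hosts must be >= 10,000 bytes and grow by exactly 10,000, so an infected
      file is at least 20,000 bytes (inferred from those two numbers)."""
    return {
        "trigger_text_near_start": b"ALL GONE Happy Halloween" in data[:512],
        "size_consistent": len(data) >= 20000,
    }


def build_samples():
    """Constructed stand-in files; none is a real virus sample."""
    filler = bytes(range(256)) * 100          # 25,600 bytes; never contains "ll"
    infected = (b"MZ" + b"\x00" * 100
                + b"ALL GONE Happy Halloween" + b"\x00" * 400
                + filler + b"HalloweenU" + b"\x90" * 50)   # carries "lloweenU"
    clean_exe = b"MZ" + filler
    party = b"Happy Halloween party at the lab, bring candy.\n" * 10
    notes = b"MZ" + b"ThisHalloweenUpdate" + b"\x00" * 200  # 8-byte hit, nothing behind it
    return {"HOST.EXE": infected, "CLEAN.EXE": clean_exe,
            "PARTY.TXT": party, "NOTES.EXE": notes}


def scan_samples(ext_text=HALLOWEEN_EXT):
    """Scan the constructed files; for Happy Halloween hits, add corroboration."""
    sigs = parse_ext(ext_text)
    report = {}
    for fname, data in build_samples().items():
        entry = {"hits": scan_bytes(data, sigs)}
        if "Happy Halloween" in entry["hits"]:
            entry.update(halloween_corroboration(data))
        report[fname] = entry
    return report


if __name__ == "__main__":
    for fname, entry in scan_samples().items():
        print(f"{fname:10} {entry}")
```

The point of NOTES.EXE is the caveat: an eight-byte plain-text string such as "lloweenU" matches any file that happens to contain it, so a scanner hit from an external string is a lead to confirm with the size and trigger-text checks, not a verdict on its own.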
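Editor's added example, appended after the digest and not part of any contributor's message: a rule-driven memory disinfector of the kind Vesselin Bontchev describes in his reply (a wildcard string that must sit at a fixed offset from a paragraph boundary, a region restriction relative to the current PSP, and "look for" / "patch to" bytes that are only applied if the look-for bytes are still present). This is not the Sofia lab's program; the rule syntax, the region names, the PSP location and the sample "virus" bytes are all invented here, and a bytearray stands in for conventional memory so the code runs anywhere.

```python
"""Programmable in-memory patcher, added as an example for this digest.
Not Bontchev's code: the rule format and all sample data are assumptions."""

# Rule file in this example's own (assumed) syntax.  "offset" is measured
# from the start of a 16-byte paragraph; a "patch" line gives an offset from
# that same paragraph, the look-for bytes, and the bytes to write instead.
RULES_TEXT = """
virus  DemoResident
region high
offset 3
string FA B8 ?? 13 8E D8
patch  9  CD 21 -> 90 90
"""

# Constructed stand-in for a resident infector's entry code:
#   cli / mov ax,1300h / mov ds,ax / int 21h / sti
VIRUS_CODE = bytes.fromhex("FA B8 00 13 8E D8 CD 21 FB".replace(" ", ""))


def parse_pattern(text):
    """'FA B8 ?? 13' -> [0xFA, 0xB8, None, 0x13]; None is a wildcard byte."""
    return [None if t == "??" else int(t, 16) for t in text.split()]


def parse_rules(text):
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        rest = rest.strip()
        if key == "virus":
            cur = {"name": rest, "region": "any", "offset": 0,
                   "string": [], "patches": []}
            rules.append(cur)
        elif key == "region":
            cur["region"] = rest                 # low | high | any | 0xHEX base
        elif key == "offset":
            cur["offset"] = int(rest, 0)
        elif key == "string":
            cur["string"] = parse_pattern(rest)
        elif key == "patch":
            off, _, rest = rest.partition(" ")
            look, _, repl = rest.partition("->")
            look_b = bytes.fromhex(look.replace(" ", ""))
            repl_b = bytes.fromhex(repl.replace(" ", ""))
            if len(look_b) != len(repl_b):
                raise ValueError("look-for and patch-to must be the same length")
            cur["patches"].append((int(off, 0), look_b, repl_b))
    return rules


def matches_at(mem, addr, pattern):
    if addr + len(pattern) > len(mem):
        return False
    return all(b is None or mem[addr + i] == b for i, b in enumerate(pattern))


def paragraph_bases(mem, region, psp_seg):
    """Paragraph start addresses to examine, per the rule's region restriction."""
    psp = psp_seg * 16
    if region == "low":
        return range(0, psp, 16)                # below the current PSP
    if region == "high":
        return range(psp, len(mem), 16)         # above the current PSP
    if region.startswith("0x"):
        return [int(region, 16)]                # one fixed address (IVT, video RAM, ...)
    return range(0, len(mem), 16)


def disinfect(mem, rules, psp_seg):
    """Apply every rule; returns [(name, paragraph_base, action)].
    Only the bytes named in the rule are patched: no vectors restored, no
    memory freed, exactly as the reply says."""
    report = []
    for r in rules:
        for base in paragraph_bases(mem, r["region"], psp_seg):
            if not matches_at(mem, base + r["offset"], r["string"]):
                continue
            active = all(mem[base + o:base + o + len(lk)] == lk
                         for o, lk, _ in r["patches"])
            if active:
                for o, _, pt in r["patches"]:
                    mem[base + o:base + o + len(pt)] = pt
                report.append((r["name"], base, "patched"))
            else:
                report.append((r["name"], base, "already deactivated"))
    return report


def build_memory(size=0x2000):
    """Constructed 8 KiB image; the PSP is assumed at segment 0x100 (address 0x1000)."""
    mem = bytearray(size)
    mem[0x1803:0x1803 + len(VIRUS_CODE)] = VIRUS_CODE   # paragraph 0x1800, offset 3: real hit
    mem[0x1905:0x1905 + len(VIRUS_CODE)] = VIRUS_CODE   # same bytes, wrong offset (5): ignored
    mem[0x0403:0x0403 + len(VIRUS_CODE)] = VIRUS_CODE   # right offset, but below the PSP: out of region
    return mem


if __name__ == "__main__":
    mem = build_memory()
    rules = parse_rules(RULES_TEXT)
    print(disinfect(mem, rules, psp_seg=0x100))   # patched at 0x1800 only
    print(disinfect(mem, rules, psp_seg=0x100))   # same hit now "already deactivated"
```

Two things to notice when running it: the copy at 0x1905 is never reported because the string is required at offset 3 of a paragraph, which is the false-positive control the reply relies on; and the second pass still finds the string but reports "already deactivated" because the look-for bytes at offset 9 are gone, so the scan string and the patch site must not overlap when writing a rule.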