VIRUS-L Digest Friday, 5 Apr 1991 Volume 4 : Issue 53 Today's Topics: Bug in DISKSECURE (PC) Re: Mutation of Stoned/Implications for self check boot sectors(PC) Unix viruses and damaging programs (UNIX) A personal announcement WANTED: Virus Detectors for Suns running UNIX (UNIX) 1813 Virus on a PC (PC) MDC questions F-DRIVER.SYS (v 1.14) problems & questions (PC) April Fool's Day virus (PC) Re: New Mac Hypercard Virus (Mac) Joshi Virus in part. table (PC) Virus (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Wed, 03 Apr 91 10:02:43 -0500 >From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: Bug in DISKSECURE (PC) For those who have received the distribution of DISKSECURE (v.93) containing the batch file lines for checking if DS is present (contained in DS.B supplied with distribution) the lines containing "if not errorlevel 0" is a null statement. The lines (2) should start "if not errorlevel 1" otherwise the failure message and pause will not occur. Since this should be seen if someone removes DISKSECURE or it is somehow bypassed, the check from DOS is an important element. Oh well, that's what beta versions are for, but I apologise for any inconvenience. Warmly, Padgett ------------------------------ Date: 03 Apr 91 21:22:01 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Mutation of Stoned/Implications for self check boot sectors(PC) CHESS@YKTVMV.BITNET (David.M.Chess) writes: "Nick FitzGerald" : > David - are you thinking about the (I think) Zenith machines that > write the boot time and date in the MBR each boot up, or do you mean > something different? Huh ? I have never heard of any machine which would modify the MBR on each bootup. If this is true I would very much like to see it confirmed. I think somebody may be confusing this with the practice of Zenith DOS (or at least some versions of it) to write to the DOS boot record - that is it updates an area containing information on where to start looking for "free" space on the disk. I discovered this when people started complaining that my F-OSCHK (which among other things does a checksum test of the boot sector) reported constant changes on some Zenith machines. - -frisk ------------------------------ Date: Wed, 03 Apr 91 21:10:57 +0000 >From: vancleef@iastate.edu (Van Cleef Henry H) Subject: Unix viruses and damaging programs (UNIX) I have been asked to consider the possibility of virus, trojan horse, etc. attacks on a distributed Unix fileserver system. My role with Iowa State is as a consultant--Unix is new here, and the system we are building, known as "Vincent," while not new in concept, is new in many details of its implementation. My credentials may be verified with Dr. George Strawn, director, and George Covert, associate director, of the Iowa State Computation Center. My study begins with some assumptions, which I should state here. a. That MS-Dos viruses (is this an all-encompassing term for things that tamper with and destroy the OS and programs?) have conceptual parallels in the Unix o/s. i.e. the kernel is equivalent to COMMAND.COM, the file system superblock is equivalent to the FAT, etc. b. That all "security" to read and write as a superuser has already been breached and that this breach has gone undetected. c. That one workstation with a bootable hard disk is accessible to the individual planning to damage the system. d. That the individual is sufficiently sophisticated to avoid leaving obvious clues (file sizes, dates, etc.). e. We should consider that the individual may have access to the o/s source code. I am particularly interested in comments about: a. Known attacks on Unix o/s involving tampering with the o/s kernel and commands. b. Methodes for checking integrity of these. c. Methods for damage control to prevent propogation throughout the net. The purpose in making this post is to establish contact with others working with similar issues. Iowa State is not presently prepared to quarantine or work with actual "virus" code. Our concern is to plan for dealing with attacks of this nature when, as, and if they appear. (Since they are not in my signature file) Henry van Cleef 219 Durham Center, Iowa State Univ. 515-294-2903 (voice) ------------------------------ Date: Wed, 03 Apr 91 21:53:25 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: A personal announcement As of today, I am no longer working at the University of Iceland. The reason is simply the increased number of viruses - I just do not have the time. Instead I will work full-time on virus-analysis and the development of anti-virus products. My phone number (+354-1-694749), fax number (+354-1-28801) and E-mail address (frisk@rhi.hi.is) will not change, as I simply move from one office to another. If you have sent me E-mail the past week, please be patient - I have been busy moving and just have not had any time to reply to my mail. And yes, version 1.15 of F-PROT was delayed because of this, but will be distributed within the next week. - -frisk ------------------------------ Date: Thu, 04 Apr 91 13:45:44 +0000 >From: ejd@slate.mitre.org (eRic Donaldson) Subject: WANTED: Virus Detectors for Suns running UNIX (UNIX) I was wondering if anyone out there knew of any Virus Detection packages for Suns running UNIX (just like the Subject says). Of course, Public Domain software is preferable, but the new for a package may lead to actually purchasing one. Any reviews of any such products would also be greatly appreciated. Thanks kindly, eRic (ejd@hoppi.mitre.org) [Ed. While not a virus detection program per se, COPS is a good tool (IMHO) for pointing out system configuration problems in UNIX systems. It's available by anonymous FTP on cert.sei.cmu.edu.] ------------------------------ Date: Thu, 04 Apr 91 13:02:45 -0500 >From: jogle@floyd.att.com (Joseph M Geigel) Subject: 1813 Virus on a PC (PC) Hello.. A friend of mine's PC just got infected with an "1813 Virus". I was wondering if anyone had any specifics about this virus: what it is, what it does, and how to get rid of it. Any help would be greately appreciated. Thanks in advance, -- jogle att!floyd!jogle jogle@floyd.att.com ------------------------------ Date: Thu, 04 Apr 91 13:14:51 -0700 >From: jimkirk@CORRAL.UWyo.Edu (James Kirkpatrick) Subject: MDC questions I've been looking into Manipulation Detection Codes (MDCs), partly by reading Virus-L archives, and have a few questions: - Robert Jueneman published a paper describing his own QCMDCV4 algorithm, but Don Coppersmith published a review in which he states: ... "the described scheme is insecure (a fact apparently not noted elsewhere); its simple construction allows a direct attack. The reader is hereby warned against its implementation." My question is, has Coppersmith ever published or described the attack? I have not been able to find anything other than the above claim. Also, has anybody implemented it, or obtained Jueneman's implementation? - SNEFRU was discussed on this list, but I was dismayed to find it had been broken, and that Merkle's response was to increase the number of passes. This worries me because of the experience of knapsack cryptosystems, where a single-iteration system was first broken, followed by the introduction of multiple-iteration systems, which were in turn broken (at least, that is my recollection; I may have some details wrong). Questions: does anybody have a better feel for the probable security of the multi-pass SNEFRU, knowing that the earlier version was broken? Does the multi-pass version slow down the whole process (or is it still acceptably quick)? - MD4 was also discussed, and I have obtained the paper from CERT.SEI.CMU.EDU in pub/virus-l/docs md4.rsa.paper. However, the paper appears to be incomplete, in that it claims to contain an example implementation, but only contains a few declarations and seems to be missing actual code. Questions: How does one get MD4? Has anybody broken it yet or even proposed a method? General question (last one!): Jueneman carefully points out weaknesses in other MDCs, such as the inability to distinguish between a last block that has been padded with (say) zeros, as opposed to a last block that is "short." He points out that, for example, ANSI/ISO standards (X9.9? I don't have the paper handy, sorry) have this flaw. Do MD4 and/or SNEFRU suffer from this? (MD4 appears to be free of this problem, but it is not explicitly stated as far as I can tell.) Thanks in advance! Jim Kirkpatrick JIMKIRK@CORRAL.UWYO.EDU ------------------------------ Date: Thu, 04 Apr 91 22:30:20 +0000 >From: nelson@bolyard.wpd.sgi.com (Nelson Bolyard) Subject: F-DRIVER.SYS (v 1.14) problems & questions (PC) With F-DRIVER.SYS installed, there is a 24 second delay when I run a TSR called PSFX. NO error message is displayed, and no warning sounds are emitted from the speaker during this inexplicable 24 second delay. At the end of this delay, the PSFX program displays its successful-installation banner, and terminates. The TSR seems to work correctly, once the 24 second delay is past. With F-DRIVER.SYS removed from CONFIG.SYS, PSFX takes much less than one second to run and install. To solve this problem, I've removed F-DRIVER.SYS from my configuration. I surely wish I could run F-DRIVER.SYS *and* PSFX, but a 24 second delay in AUTOEXEC.BAT is simply unacceptable. Can enyone help me solve this? For some time now, I've had the F-DRIVER.SYS driver from the FPROT114 package installed on my 386 PC system at home, along with QEMM 5.11 and HyperDisk, without any apparent problems. Recently, I purchased PSFX, an EPSON FX-85 printer emulator that converts FX-85 output sent to LPT1 into PostScript, which it then sends to a PostScript printer on the real LPT1. This PSFX TSR should install in a flash, and does, *except* when F-DRIVER.SYS is installed. In truth, I don't know exactly what protection F-DRIVER.SYS supposedly gives me, what types of problems it supposedly prevents, nor what I should expect to experience (i.e. what F-DRIVER will do) if and when I actually encounter a virus. I hope the answer is *not* a 24 second delay 8-(. I have read a posting that suggested that F-DRIVER gets involved in the execution of programs by DOS, and then every time a new program is executed, F-DRIVER checks the program for viruses first, and doesn't allow the program to be executed if it finds a virus. Is this true? Is this 24 second delay its clever 8-( way of telling me that it thinks PSFX is infected? I have also read that it's only function is to check for and detect boot-sector viruses, immediately after boot-up, and that if/when it detects boot sector viruses, it hangs the system hard, to prevent the boot sector virus from doing any more damage, without displaying any kind of explanation message. Is this true? I would appreciate it very much if someone would post a message to this newsgroup (comp.virus) that says exactly what F-DRIVER does, what kind of viruses it looks for, when it looks for them, and what it does when it finds them. A suggested set of remedial steps to be taken when F-DRIVER reports a virus (or whatever it does) would also be appreciated. Thanks in advance. - ----------------------------------------------------------------------------- Nelson Bolyard nelson@sgi.COM {decwrl,sun}!sgi!whizzer!nelson Disclaimer: Views expressed herein do not represent the views of my employer. - ----------------------------------------------------------------------------- ------------------------------ Date: 05 Apr 91 02:27:41 +0000 >From: viki@crash.cts.com (Victoria Harkey) Subject: April Fool's Day virus (PC) There was a posting on April 2 regarding a trojan horse that had activated on April 1, and was now a full force virus. Has this virus been identified? Has anyone been able to get rid of it? I need this info fast. Please help. E-mail or news group comp.virus is fine with me. Viki Crash!viki@nosc.mil viki@jadpc.cts.com Victoria Harkey Certified NetWare Engineer ------------------------------ Date: Fri, 05 Apr 91 03:06:49 +0000 >From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner) Subject: Re: New Mac Hypercard Virus (Mac) D1660@AppleLink.Apple.COM (SoftPlus, Paul Cozza,PRT) writes: >For SAM 3.0 Users: > >A new Macintosh HyperCard virus has been found and has been named the >HC Virus. The virus infects only HyperCard stacks, and is mostly >annoying. With SAM 3.0 you can download the latest Virus Definitions >file from the Symantec bulletin board which includes both detection >and repair of stacks infected with this virus. You can also enter a >virus definition via SAM Virus Clinic 3.0 if you only require >detection capabilities for this virus. The proper virus definition for >SAM 3.0 is included here. > > ... > >Paul Cozza >SAM Author Yo folks, it's me again. The question of the day is, "Is this virus a virus or a Trojan Horse (Like Dukakis was)". If this "virus" attacks stacks from a script, what does the script look like? The easiest way to kill Dukakis (not to slam SAM, but it's overkill), is to (in your HOME stack), intercept the SET command and check if the params includes "Script", and then do further checks to see if it's Dukakis (I don't remember the entire script, if anyone wants it EMAIL me, go for it). Anyway, the script can also be easily changed to intercept ALL SET THE SCRIPT's and stop them, if the user wants. So, is this virus caused by a script, and thus a Trojan Horse that I can counter with a script of my own, or is it a real virus, caused by a binary operation in one of the CODE resources of a stack? Mikey Mac Admin WSOM CSG CWRU mike@pyrite.som.cwru.edu ------------------------------ Date: 05 Apr 91 05:48:18 +0000 >From: awl@extro.ucc.su.oz.au (Tony Locke) Subject: Joshi Virus in part. table (PC) We have a machine with Joshi on it and can't find something to kill it. Anyone have any ideas (have tried SCAN 74B) Tony Locke Sydney University Computing Service Australia ------------------------------ Date: 05 Apr 91 07:27:45 +0000 >From: viki@crash.cts.com (Victoria Harkey) Subject: Virus (PC) Has anyone been able to de-virus the trojan horse that became an active virus on 4/1/91 yet? Is it a stealth virus? Do any of the scanners work on finding and removing it? Need help fast! crash!viki@nosc.mil viki@jadpc.cts.com I read the group as well as e-mail. If you have any info, please advise as soon as possible. Thanks in advance. Viki - -- Victoria Harkey Certified NetWare Engineer ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 53] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253