VIRUS-L Digest Wednesday, 10 Apr 1991 Volume 4 : Issue 58 Today's Topics: Re: My final comments on the six-byte method (PC) VIRUSCAN v76 announcement (PC) Re: New Mac Hypercard Virus (Mac) Do any viruses affect Novell? (PC) Boot sector viruses on IDE hard disks (PC) Re: Am I subject to viruses? Gatekeeper 2.0 (Mac) HyperCard anti-virus script bad (Mac) Re: UNIX & Viruses (UNIX) Unix viruses (UNIX) new virus? ("evil empire" Stoned derivative) (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Wed, 10 Apr 91 13:04:00 +1200 >From: "Mark Aitchison, U of Canty; Physics" Subject: Re: My final comments on the six-byte method (PC) A few thoughts... (1) It would be best to check a few key interrupt vectors (via their low memory locations, not via DOS), as well as the memory size, since either a virus may be living in video RAM (and some key vector would point there), or in an used area of the vector table (etc), again the check would help spot a virus freshly resident. (2) The mention of direct calls to BIOS by viruses... A friend of mine has a method (well, two really, one for diskettes and one for hard disks) that should prevent this, but we can't test it with many real viruses- any volunteers? (3) Does any virus take interrupts by not changing the vector but by changing the first few bytes of the present routine to be a far jump to the virus? If so, my comments in (1) need the addition of checking the first few bytes. (4) I really prefer blocking viruses before they get a chance to run, but spotting them very soon after they load is at least better than scanning disk every few days or weeks. (5) I had hoped that the checksum in the header of .EXE files would help spot viruses, but few programs have a valid checksum. Can anyone tell me whether, if I go to the effort of correcting the checksum in all my programs, will any virus be smart enough to rewrite a corrected checksum? Personally, I think that ultimately boot sector viruses will disappear, since the odds are in the favour of the anti-virus people, assuming users do sensible things. That doesn't involve inconveniences to operations, or changes to DOS or BIOS (although the latter would be very nice). However, IMHO, non-boot sector viruses will probably eventually win over the best efforts of anti-virus software coupled with the present generation of BIOSes and DOS (even DRDOS), and that will hurt "serious" users of the PC, like businesses and universities. The answer is going to have to mean radical changes to BIOS, DOS and MSWINDOWS (which, for a new product, makes a lot of stupid mistakes, it seems). In the short term, a slight change to BIOS, and a not much more than DRDOS's password protection system, should suffice. By the way, I keep asking, has anyone found a virus that gets past DRDOS 5.0's password protection system yet? Has anyone else tried? (I haven't got a lot of viruses to test). Mark Aitchison, University of Canterbury, New Zealand. ------------------------------ Date: Tue, 09 Apr 91 10:07:58 -0700 >From: ozonebbs!aryehg@apple.com (Aryeh Goretsky) Subject: VIRUSCAN v76 announcement (PC) VIRUSCAN Version 76 of VIRUSCAN adds 18 new viruses, bringing the total number of known computer viruses to 239, for a total of 501 viruses including strains. The enclosed VIRLIST.TXT file outlines the characteristics of the new viruses. For a comprehensive discussion of each of the viruses, we recommend that you access the VSUM document copyrighted by Patricia Hoffman. It is available on most bulletin board systems. In addition, two new command line options have been added to improve batch mode operation of SCAN: The /NOPAUSE option turns off the screen pause that occurs when SCAN fills up a screen with messages. The /NOBREAK option will prevent SCAN from stopping when a Control-C or Control-Break is issued. CLEAN-UP Version 76 adds nineteen viruses to the list of computer viruses that can be safely removed. They are the 555, 651, 3066, Air Cop, Beeper, Black Monday, Den Zuk, Fellowship, Filler, Ghost Korea, Lazy, Lisbon, Mardi Brothers, Murphy, Print Screen-2, RPKS, Striker, and Typo Boot viruses. For more information about these viruses, please refer to the accompanying VIRLIST.TXT file. Additionally, a new command, /NOPAUSE, has been added. When CLEAN is run with the /NOPAUSE option it will not stop when it fills the screen with messages. VSHIELD Version 76 has been completely re-structured to provide a major increase in the execution speed. Version 76 will run twice as fast as previous versions. The amount of time added to program loads will now be cut in half. Version 76 of VSHIELD adds 18 new viruses, bring the number of discrete computer viruses detected to 239 and the number of variants to 501 viruses. Version 76 of VSHIELD adds two new options, /WINDOWS option and /CHKHI. When run with the /WINDOWS option, VSHIELD will intercept viruses in DOS processes under Microsoft Windows. The /CHKHI command allows the scanning of the high memory area present on 286 and 386 machines. NETSCAN NETSCAN Version 76 adds nineteen new viruses. For a listing of complete listing of viruses, refer to the VIRLIST.TXT file. Version 76 of NETSCAN adds a critical error handler that allows NETSCAN to continue scanning if a file-open error occurs. For more information about the /UNATTEND option, see the COMMANDS section. NOTE: For Version 76 of the documents, the synopsis of new viruses that usually appears was removed for space reasons. I'd like to know if people would prefer to have a brief listing (1/2 page) of the viruses in the documentation or not. Please respond by email. Aryeh Goretsky - -------------------------------------------------------------------------- Aryeh Goretsky,Tech Sup.|voice (408) 988-3832 |INTERNET McAfee Associates | fax (408) 970-9727 |aryehg@ozonebbs.uucp -OR- 4423 Cheeney Street | BBS (408) 988-4004 |aryehg@tacom-emh1.army.mil Santa Clara, CA 95054 | UUCP apple!netcom!nusjecs!ozonebbs!aryehg "Opinions expressed are my own and may not reflect those of my employer." ------------------------------ Date: 10 Apr 91 09:36:56 +0000 >From: linod!gaertner@uunet.uu.net (Margit Gaertner) Subject: Re: New Mac Hypercard Virus (Mac) D1660@AppleLink.Apple.COM (SoftPlus, Paul Cozza,PRT) writes: > For SAM 3.0 Users: > > [lines deleted] > > Note that SAM 2.0 had the capability to detect and repair Hypercard > viruses (such as Dukakis), but did NOT have a data definitions entry > dialog. This is new to SAM 3.0. Could someone give me the SAM 2.0 Virus Definition for the HC Virus? thanks in advance Margit Gaertner Ps: We are registered users of SAM 2.0, but SAM 3.0 isn't available from PRISMA, Germany. E-mail address UUCP: uunet!unido!linod!gaertner Linotype AG dept. S/CC Mergenthaler Allee 55-75 D-6236 Eschborn, West Germany ------------------------------ Date: 10 Apr 91 11:57:14 +0000 >From: dweissman@amarna.gsfc.nasa.gov (WiseGuy) Subject: Do any viruses affect Novell? (PC) What viruses (if any) affect Novell local area networks? Any DOS virus? Over a broadband/ethernet LAN? =============================================================================== = Dave Weissman - Broadband and FDDI LAN Operations Group Snail mail: NSI DECNET (SPAN) - 6153::DWEISSMAN Code 543.8 NSI TCP/IP - dweissman@128.183.112.2 Goddard Space Flight Center SPRINTnet's X.400 - Greenbelt, Maryland 20771 (C:USA,A:TELEMAIL,P:GSFC,FN:DAVID,SN:WEISSMAN ) *DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER* I don't speak for nor represent the views of NASA or my company although they would both be happy if I just shut up for once......... *DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER* ------------------------------ Date: Wed, 10 Apr 91 14:39:00 +0000 >From: LYNNE@vax.oxford.ac.uk Subject: Boot sector viruses on IDE hard disks (PC) Can anyone offer me preventative and curative measures for the new IDE hard disks if they become infected with a boot sector virus. If the virus is one that cannot be successfully removed by any of the current anti-viral software, I believe we will be reduced to doing a low-level format on the disk in order to rewrite the boot sector. This will, as far as I know, erase the information that on older drive types was stored in the CMOS, thereby making the disk unusable. As the manufacturers seem very reluctant to supply us with the information needed to correctly rewrite the boot sector we are looking at other means to avoid this eventuality. In the way of preventative measures we think that a solution would be to advise our users who are purchasing IDE drives to take several backup copies of the boot sector which they can then copy back to the disk if it becomes infected. We believe we can use Norton Utilities to rewrite the boot sector but are unsure about the procedure for writing the correct boot sector contents. Has anyone got information that would help us with this? Does anyone know of a simple (and optimally free) utility that provides a fool-proof mechanism for copying and writing the boot sector? As far as curative measures are concerned (where a copy has not been taken of the BS) we are stymied! Has anyone any suggestions? Again on the subject of boot sector viruses does anyone know of some anti-viral software that will remove the Spanish Telecom or Telefonica virus? Please mail me directly at LYNNE@UK.AC.VAX.OXFORD. Thanks in advance. Lynne Munro Oxford University Computing Service ------------------------------ Date: 10 Apr 91 16:57:47 >From: pandy@vipunen.hut.fi (Pandy Holmberg) Subject: Re: Am I subject to viruses? pcsbbs!fff@uunet.uu.net writes: I know that this is the kind of question that only a novice would ask. Well, I am a *rank* novice in Usenet, UUCP, and telecommunications in general. Please bear with me. The question is: If I connect to a site where I always initiate the call, only exchange email and receive netnews, am I subject to receiving a virus. My modem is never left on and the port is not enabled for a login. The answer is NO. As long as you just use your computer as a terminal. As soon as you start downloading files, the danger appears... And how to protect yourself against viruses, well, my friend, I wouldn't know, since I do not know what kind of computer you use... Tsaukki says Pandy -- "All things are possible except skiing through a revolving door." ******************************************************************************* /! ! Andreas "Pandy" Holmberg pandy@hut.fi /_!_! Helsinki University of Technology pandy@spiff.hut.fi / ! ! Faculty of Electrical Engineering pandy@otax.hut.fi / ! ! s37775d@taltta.hut.fi ******************************************************************************* ------------------------------ Date: Wed, 10 Apr 91 15:02:58 +0000 >From: bgrubb@hpuxa.ircc.ohio-state.edu Subject: Gatekeeper 2.0 (Mac) Does anyone on the net know when Gatekeeper 2.0 will come out? Please post any answers on comp.virus. ------------------------------ Date: Wed, 10 Apr 91 10:49:12 +0800 >From: bcarter@claven.idbsu.edu Subject: HyperCard anti-virus script bad (Mac) Greetings, The script posted by mike@pyrite.SOM.CWRU.Edu (Michael Kerner) to prevent HyperCard virus attacks has several problems. First of all, it doesn't pass any set messages that DON'T have script in the params, thereby disabling every other use of the set command. Secondly, it gives a false sense of security since any such handler anywhere can be bypassed by a simple statement of the form: send "set whatever to whatever" to HyperCard Using the send ... to HyperCard format bypasses all intermediate handlers. Bruce Carter, Courseware Development Coordinator Lab: (208) 385-1859 Faculty Development Lab - Room 213 Office: (208) 385-1250 Simplot/Micron Technology Center CompuServe ID: 76666,511 Boise State University CREN (BITNET): duscarte@idbsu 1910 University Drive Internet: duscarte@idbsu.idbsu.edu Boise, ID 83725 --> Preferred: bcarter@claven.idbsu.edu ------------------------------ Date: 10 Apr 91 12:25:22 +0000 >From: ethan@thinc.COM (Ethan.Lish@THINC.COM) Subject: Re: UNIX & Viruses (UNIX) padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) writes: Greetings - In continuation of the *NIX Virus Thread I would like a add a few points. First off I would like to direct you to 'Computer Systems' Volume 2 Spring 1989, Experiences with Viruses on *NIX Systems and Virology 101 > Basically, the sheer diversity of UNIX platforms provides the best > defense against malicious software. Mix in the user/kernel and > "rights" requirements and you have the basis for a good protection > scheme. This is correct if your virus model excludes the shell script world. I have not seen *any* published model to define a virus vs Trojan Horse in the group. Was one published and I missed it? The simplest form of a *NIX virus is : cp $0 . Now *every* *NIX platform I know of will run this "virus" Thanks, \Ethan\ P.S. **NOTE DO NOT RUN THIS VIRUS, SO I DON'T HAVE TO SAY "I TOLD YOU SO"** - -- "If everyone swept his own doorstep, the whole world would be clean" A Chinese proverb Ethan.Lish@THINC.COM _____ 1.301.652.0651 _____ {uunet,anagld}!thinc!ethan Tomorrow's Horizons, Inc. 4807 Bethesda Ave, #330, Bethesda, MD 20814-5299 ------------------------------ Date: 10 Apr 91 17:23:58 +0000 >From: spaf@cs.purdue.edu (Gene Spafford) Subject: Unix viruses (UNIX) First of all, Unix viruses are definitely possible, and they aren't all that difficult to write. See the articles in the Spring 1989 issue of "Computing Systems" (Usenix, 2(2)). Tom Duff describes his experience with writing a machine code version, and he and Doug McIlroy discuss shell viruses too. As I remember (my copy of the issue is out on loan right now), McIlroy has some comments on why Unix viruses aren't all that interesting. If you accept Cohen's formal definition of a virus (roughly stated as "code that makes a (possibly modified) copy of itself in another program") as most of us do, then Ken Thompson wrote perhaps the first Unix virus in his login/cc combination; see "Reflections on Trusting Trust" in the August 84 issue of Communications of the ACM, 27(8). \footnote{BTW, Cohen did not write the first virus; I see so many people claim this (incorrectly) in their writings. Cohen gets the credit for first describing them in a formal way. However, there is evidence of viruses as we know them appearing 2 years before Fred started his thesis work, and Thompson's work also predates Fred's. Furthermore, Fred did not coin the name "virus" -- his advisor Len Adelman suggested it. Even that is not the first use of the term -- see my ADAPSO book, or the excerpts in Hoffman's or Denning's books.} So, the answer to the question of, is it possible to write a Unix virus, is a definite "yes." It can easily be done as a shell script, which makes it portable to any form of Unix, or it can be done in machine language, which makes it a little less portable but easier to hide. The real question here is "How much should we worry about them?" The answer to that is, "Not much." Viruses under Unix are likely to serve only two purposes: enable an attacker to get root, or vandalize a system. If your system is configured reasonably to audit accesses, and privileged users are careful about booby-trapped files and PATH variables, it is unlikely a virus will give someone root access that they shouldn't have. Vandalizing a system is more likely. Imagine a virus that would delete all files in your $HOME directory after a certain date! If that spread to a number of executable files, it could be very damaging. Again, if the system is configured reasonably and the superuser is appropriately cautious, then none of the system programs would likely be affected, and thus the damage would be limited. Having good backups means this would be limited annoyance. The fear that people have is that a Unix virus could spread to many machines. Unix systems don't normally share removable media and programs in the same manner as PCs, so spreading a virus might be more difficult than PCs. However, Unix systems in the same administrative domain often get source code installed on all machines from a single point, and files are often shared via networked file systems, so spread is not inconceivable. This would require the virus writer defeating what should be common security practices in order to infect those sources. Prudent administration and regular auditing for integrity changes will prevent this kind of problem. Widespread infection of Unix machines is very unlikely except in cases where sys admins regularly install binaries or programs from outside sources without examining them. That could cause widespread virus propagation. (Before you say you don't do this, ask if you are running emacs or gcc -- when was the last time you read through all the code for the program and libraries before installing them?) However, in a a case like this, it is more likely that the same goals could be accomplied with less effort by just building in some form of logic bomb or Trojan Horse mechanism and be done with it. Again, some prudent administration and regular integrity auditing would spot changes before much damage would occur. Overall, I'm pretty certain that we have little reason to fear Unix viruses on properly configured systems where the sys admin is a little bit cautious and takes proper precautions. The structure of the system and the normal patterns of use indicate that anyone with a particular agenda that might be satisfied with a virus is more likely to use some other mechanism (worm, logic bomb, cracking) instead. Warning! Shameless plug follows....:-) If you want further information on how to protect against viruses, Trojan Horses, and more in the Unix environment, consider getting a copy of "Practical Unix Security" by Simson Garfinkel and me. It's published by O'Reilly & Associates (the Nutshell Handbook & X Windows reference people), and is due out in mid-May. It's about 500 pages, 19 chapters, and 5 appendices of information on Unix security, including programmed threats, network security, and much more. The book will be $29.95, and can be ordered at nuts@ora.com, 1-800-338-6887 (US & Canada) or 01-707-829-0515 (Europe). - -- Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004 Internet: spaf@cs.purdue.edu phone: (317) 494-7825 ------------------------------ Date: Wed, 10 Apr 91 18:29:37 +0000 >From: martin@cs.UAlberta.CA (Tim Martin; FSO; Soil Sciences) Subject: new virus? ("evil empire" Stoned derivative) (PC) Has anyone else seen the boot sector virus that is plaguing some of the DOS computers at U of A? It displays an eight line text about the USA being the "evil empire" in the "impending war with Iraq". Obviously it was written before Jan 15, 1991. It wreaks havoc in the partition table of hard disks, and doesn't know how to properly format 3.5" floppies. McAfee's SCAN calls it "Stoned / Swedish", and the F-DISINF program calls it "a new version of stoned", and doesn't offer to remove it. We are now trying to decide whether this is a local virus, and also whether it has spread elsewhere. Tim Martin Soil Science, University of Alberta tmartin@vm.ucs.ualberta.ca ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 58] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253