VIRUS-L Digest   Tuesday, 16 Apr 1991    Volume 4 : Issue 61

Today's Topics:

April Fool?
Re: UNIX & Viruses (UNIX)
John Gantz' April 1 column in Infoworld
Stoned 2 query (PC)
Norton's Antiviral program Question (PC)
The National Computer Security Association
Checking the system.. (PC)
Troubles... (PC)
Version 76C of McAfee anti-virals for MS-DOS (PC)
"Empire" virus (PC)
AF/91 - John Gantz's "joke" in Infoworld
Virex-PC and PKlite ? (PC)
Scan v 76 (PC)
AF/91 and April Foolism in general
Gantz' Infoworld Column
Re: AF/91 - John Gantz joke in Infoworld
Yankee Doodle virus (PC)
Re: Is virus infection by inserting floppy disk possible? (PC) (Mac)
Re: HyperCard anti-virus script bad (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 11 Apr 91 10:48:11 -0700
From: wes@thor.srl.caltech.edu (Wes Boudville)
Subject: April Fool?

> From: sharp@mizar.usc.edu (Malcolm Sharp)
> In the April 1, 1991 issue of Infoworld, John Gantz in his column
> "Tech Street" warned of a virus called "AF/91" which he said was
> developed by the NSA to be used against Iraqi defense computers.
> After describing the virus and telling that it started spreading
> uncontrolled, he told that windowing technology was "doomed."
> In the April 8 issue, Mr. Gantz's column begins with a note from the
> Editors saying AF/91 was all an April Fools joke.
>
> I'm not laughing.
> I'm searching for the adjectives to describe this irresponsible
> act.
> Anyone else spend time investigating this virus from the 4/1 columns?
> I'm *seriously* considering a class action suit for compensatory
> (small $) and punitive (BIG $$$) damages.

I read that Infoworld article. Like many readers, I'm sure, I got a chuckle out of it. A lot of us are aware that media articles dated 1 April should be regarded with a grain of salt [like the story one year about Big Ben going digital]. Personally, I regard such articles as a refreshing and harmless sign of creativity.

As a non-American, I find your comment to be a classic glimpse into the litigious nature of US society. Go ahead with your lawsuit. I suspect it will be thrown out of court.

Wes Boudville
Physics Dept
Caltech

------------------------------

Date: Thu, 11 Apr 91 12:06:14 -0400
From: "Michael J. Chinni, SMCAR-CCS-W"
Subject: Re: UNIX & Viruses (UNIX)

ethan@thinc.COM (Ethan.Lish@THINC.COM) writes:
> The simplest form of a *NIX virus is :
>         cp $0 .
> Now *every* *NIX platform I know of will run this "virus"
> P.S. **NOTE DO NOT RUN THIS VIRUS, SO I DON'T HAVE TO SAY "I TOLD YOU SO"**

Given the usual definition of a virus (i.e. Cohen's formal definition of a virus as roughly stated by spaf@cs.purdue.edu (Gene Spafford)) as "code that makes a (possibly modified) copy of itself in another program", and assuming that Ethan was serious about "cp $0 ." being a virus: how is "cp $0 ." a virus? On my systems all that will do is copy your Current Shell Interpreter (CSI) to your current directory. In my case that was the same as doing "cp /bin/sh .". I see no way that could be considered a virus.

This is not even a security risk in and of itself. It WOULD be a security risk if:

1) your local superuser had "." before "/DIR" in their PATH/path (where "/DIR" is the path of the directory where the CSI is)

because if:

1) you do the "cp $0 ."
2) you change your copy of the CSI to add malicious code
3) you get your local superuser to go into your home directory as root and run your copy of the CSI

you could get full root privileges (assuming your malicious code did this) and this IS a security breach.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Michael J. Chinni
US Army ARDEC
- - - - - - - - - - - - - - - -
"To Do is To Be"     Socrates
"To Be is To Do"     Plato
"Do Be Do Be Do"     Sinatra
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date: Thu, 11 Apr 91 14:05:40 -0400
From: ELOISE@MAINE.BITNET (Eloise Kleban)
Subject: John Gantz' April 1 column in Infoworld

I can't believe that Malcolm Sharp is seriously considering a lawsuit over that column! I sincerely trust that any such action would be laughed out of court!

Long live John Gantz and April Fool's jokes...

Eloise Kleban
University of Maine

------------------------------

Date: Thu, 11 Apr 91 14:23:03 +0700
From: Jim Conroy
Subject: Stoned 2 query (PC)

Has anyone heard of Stoned 2? I have been off the list for quite a while but we are being pointed to as possible carriers. If you can point me to some info/detection/etc I would be greatly appreciative. We are currently using F-Prot 1.13.

Jim Conroy
SUNY Binghamton Computer Center

------------------------------

Date: Thu, 11 Apr 91 18:50:23 +0000
From: axtlp@acad2.alaska.edu (PIKEY TAM L)
Subject: Norton's Antiviral program Question (PC)

I have heard there was an article in a mag. comparing Norton's antiviral to McAfee's scan and that the Norton's program failed to identify the Stoned virus. Can anyone confirm or deny this?
Tam Pikey
axtlp@alaska.bitnet
axtlp@acad2.alaska.edu

------------------------------

Date: 11 Apr 91 15:25:00 -0500
From: kdante@nsf.gov
Subject: The National Computer Security Association

Does anyone know anything about this group? It is stationed in Washington, D.C., and "conducts research on computer security problems, evaluates computer security products, and presents its findings to the public." (Taken from its brochure.) It has a free BBS with 9300 files for downloading "certified virus-free."

Katherine J. Dante
National Science Foundation
kdante@nsf.gov

------------------------------

Date: 11 Apr 91 23:06:50 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Checking the system.. (PC)

Mark Aitchison (U of Canty; Physics) writes:

>(2) The mention of direct calls to BIOS by viruses... A friend of mine
>has a method (well, two really, one for diskettes and one for hard
>disks) that should prevent this, but we can't test it with many real
>viruses- any volunteers?

I had a method which used to work pretty well - it even stopped the 'TRYOUT' program in Dr. Solomon's package, which made a direct JMP to F000:xxxx, but some of the most recent viruses are able to bypass it. I guess they would be able to defeat your friend's method as well...but it would not hurt to try.

>(3) Does any virus take interrupts by not changing the vector but by
>changing the first few bytes of the present routine to be a far jump
>to the virus? If so, my comments in (1) need the addition of checking
>the first few bytes.

A few viruses do - very few, but they exist - yes.

>(5) I had hoped that the checksum in the header of .EXE files would
>help spot viruses, but few programs have a valid checksum. Can anyone
>tell me whether, if I go to the effort of correcting the checksum in
>all my programs, will any virus be smart enough to rewrite a corrected
>checksum?

I know of no virus which bothers with the checksum - but I would rather suggest you put an invalid checksum there - perhaps compute the "correct" checksum and XOR it with your initials (or something) - even if the virus computes a new checksum, it will be incorrect. If the virus ignores the checksum it will also be incorrect. However - this will not be of any use against "stealth" viruses.

>The answer is going to have to mean radical changes to BIOS, DOS and
>MSWINDOWS (which, for a new product, makes a lot of stupid mistakes,
>it seems). In the short term, a slight change to BIOS, and a not much
>more than DRDOS's password protection system, should suffice.

Try telling that to Microsoft. (sigh)

-frisk

------------------------------

Date: Thu, 11 Apr 91 17:07:26 -0600
From: J Picazzo
Subject: Troubles... (PC)

Hi,

This may be a little out of this list, but I'm having troubles on my PC. I believe it must be a virus.

When I swap an MS-DOS disk in drive A: (or in drive B:), and ask for a dir or for a file, it verifies the disk, but keeps giving me the dir and treats the disk as if it was the first one I had in the drive. This limits me to only two disks each time I turn the machine on, and if I swap a disk and write to it, DOS writes to it as if it was using the first disk, and crashing the info of the second disk.

Has anybody had a similar experience? I'm not using any kind of disk caching or something like that, and by using the vaccines I have (pro-scan, scan100, devirus and m-jrslem), they say there's nothing wrong with any of my disks.

Does anybody have a vaccine against this?

Since I'm not subscribed to the list, I'd appreciate a lot if you could mail me directly.

Thanks.
Version 76 of NETSCAN adds a critical error handler that allows NETSCAN to continue scanning if a file-open error occurs. For more information about the /UNATTEND option, see the COMMANDS section. NOTE: For Version 76 of the documents, the synopsis of new viruses that usually appears was removed for space reasons. I'd like to know if people would prefer to have a brief listing (1/2 page) of the viruses in the documentation or not. Please respond by email. CLEAN-UP The CLEAN-UP program V76 has a bug in it. Please continue to use V75. A fix for V76 will be out next week. If you have CLEAN76.ZIP please delete it. Aryeh Goretsky - -------------------------------------------------------------------------- Aryeh Goretsky,Tech Sup.|voice (408) 988-3832 |INTERNET McAfee Associates | fax (408) 970-9727 |aryehg@ozonebbs.uucp -OR- 4423 Cheeney Street | BBS (408) 988-4004 |aryehg@tacom-emh1.army.mil Santa Clara, CA 95054 | UUCP apple!netcom!nusjecs!ozonebbs!aryehg "Opinions expressed are my own and may not reflect those of my employer." ------------------------------ Date: Thu, 11 Apr 91 22:19:15 -0400 >From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: "Empire" virus (PC) Tim Martin at the University of Alberta was kind enough to forward to me this new virus. First reported as a STONED variant examination has produced a considerable number of variants from the traditional STONED. This alert is a result of a disassembly performed on the boot sector of an infected floppy. Since the sector containingthe disply message was not included this text is not available, however examination indicates that this second sector (trk 0 hd 1 sector 3 on floppy) contains only text. Listing follows: Virus Name: EMPIRE Aliases: V Status: New Discovery: April, 1991 Symptoms: Memory reduction, possible floppy failures, Messages Origin: Alberta Canada (?) Eff. 
Length: N/A Type Code: BPRtS (Boot and Partition table infector - Resident TOM - Stealth) Detection: CHKDSK, F-DISKINF, DISKSECURE (SCAN v76C does not pick this up) Removal: Cold boot from clean, write-protected floppy, replace MBR (FD) or Boot Record (Floppy) see text. General Comments: On first look, the virus appears similar to the STONED but There are notable differences: a "cute" at the start will throw a researcher off if a standard STONED opening is expected. The virus consists of two sectors - the first which replaces the MBR on a fixed disk and the BR on a floppy, contains the executable code. The second sector contains the display message- I have not seen this as yet but it is said to refer to the USA as the "evil empire" and makes reference to the war with Iraq. This sector has a trivial encryption scheme to defeat text examination. When active in a PC, total memory will be reduced by 2048 bytes (CHKDSK will return 653312 "total bytes memory" on a 640k machine) A "stealth" mechanism is employed by the virus so that an examination of the MBR will fail when the virus is active in memory since any request for the MBR will be intercepted by the virus and the real MBR will be returned. Similarly, any attempt to write to the MBR will be changed to a reset by the virus. No message is displayed at boot-up, rather display is a function of a trigger based on the real time clock during operation. On a floppy disk the original boot record is stored on track 0 head 1 sector 2 and the message is stored on the next sector. High density floppies may exhibit failures as a result of this. Low density floppies with over 80 directory entries may also have problems. These can occur even long after the floppy is disinfected if the directory is not restored. The original MBR on a fixed disk is stored on cyl 0 head 0 sector 6 with the message on the next sector. 
Normally, this should be in the "hidden sector" area but a disk without "hidden sectors" will probably experience FAT failures. Signature scanning should reveal the virus when booted from a clean floppy disk using the string "A3 08 7C A1 13 04 48". ------------------------------ Date: Thu, 11 Apr 91 22:09:00 -0400 >From: John Mildner Subject: AF/91 - John Gantz's "joke" in Infoworld John Gantz's Infoworld article on the bogus AF/91 virus resulted in overburdened but concerned Navy computer users calling our office for assistance. To some the article's closing statement, "The meaning of the AF/91 designation: 91 is the Julian Date for April Fool's Day.", was obvious. But, others enterpreted this as the trigger date for the supposed virus. Mr. Gantz was unavailable for comment when we contacted his office. However, the editorial staff at Infoworld indicated they had received a number of calls regarding this article and were reevaluating publishing similar articles in the future. ******************************************************************* Teamwork is important, it gives the enemy other people to shoot at. [Standard disclaimer of opinions and facts applies.] John Mildner, naval computer incident response team (NAVCIRT) ******************************************************************* ------------------------------ Date: Fri, 12 Apr 91 03:23:41 -0400 >From: jguo@cs.NYU.EDU (Jun Guo) Subject: Virex-PC and PKlite ? (PC) Hi, Will Virex-PC scan into PKlited files using 'extra compression method'? (which cannot be expanded using PKlite -x). And where can I get a demo version of Virex-PC? Thanks. Jun ------------------------------ Date: Fri, 12 Apr 91 10:57:40 -0100 >From: ***CURTIS*** Subject: Scan v 76 (PC) Be careful of scan Version 76 as it doesn't pick up on a certain virus. If I were you I would use scan Version 75 until scan Version 76c is tested! 
_______________________________________________________________________________ _ | Flesh : ***CURTIS*** E-mail : csg020%uk.ac.cov.cck@uk.ac.earn-relay | | Voice : (0203) 599500 Quote : What a great day, watch some bastard spoil it! | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------ Date: Fri, 12 Apr 91 09:46:16 +0100 >From: Anthony Appleyard Subject: AF/91 and April Foolism in general In Virus-L vol4 #059 sharp@mizar.usc.edu (Malcolm Sharp) wrote:- Subject: AF/91 - John Gantz "joke" in Infoworld In the April 1, 1991 issue of Infoworld, John Gantz in his column "Tech Street" warned of a virus called "AF/91" which he said was developed by the NSA to be used against Iraqi defense computers. After describing the virus and telling that it started spreading uncontrolled, he told that windowing technology was "doomed." In the same issue, columnist Robert Cringely discussed Windows 3.0 vulnerability to viruses saying it "has lots of holes for custom viruses to slip through." In the April 8 issue, Mr. Gantz's column begins with a note from the Editors saying AF/91 was all an April Fools joke. I'm not laughing. I'm searching for the adjectives to describe this irresponsible act. Anyone else spend time investigating this virus from the 4/1 columns? I'm *seriously* considering a class action suit for compensatory (small $) and punitive (BIG $$$) damages. Interested in hearing from others. ........................................ In Virus-L vol4 #606 johnboyd@logdis1.oc.aflc.af.mil (John Boyd;CRENP) Subject: Re: AF/91 - John Gantz joke in Infoworld wrote to say "can't you take a joke?". ........................................ In reply to these, I say this. Jokes can only be allowed to go so far. Too often people try to cap each other's jokes and go too far and cause much unfunny nuisance. 
Ref what someone in my scubadiving club said after a bout of trouble: "Practical jokes: they occur in the Army, and sooner or later [they lead to] violence.". April Foolism, in the computer virus field as elsewhere, like other hoaxes, waste time and attention; they cause annoyance; much time can be wasted; people miss things and drive miles and raise alerts. OK, if carefully read the hoax is clear. But busy people haven't always got the time and attention to spare to study everything in depth. Ref e.g. the amount of hoaxes that are believed despite including the giveaway supposed name "Lirpa Loof". And serious matter does arise on April 1st as on other days. On April 1st computer users have enough extra to cope with having to beware of the various viruses and logic bombs etc that silly other people set to 'go off' on April 1st. And serious messages published on April 1st are sometimes taken as hoaxes. Enough nuisance. (One common example is joke April 1st messages such as "Ring Mr.C.Lion" and "Ring Mr.L.E.Fant" and "Ring Mr.G.Raff" etc, and the phone number given is a zoo's. Not very funny for switchboard girls at zoos getting thousands of junk phone calls every April 1st on top of their usual work, and zoos' switchboards are blocked, unfunny nuisance unlimited.) Responsible editors should exclude hoaxes on April 1st as on other days, and take the usual action against the authors of any that get part them into reputable print. ........................................ PS. Was Robert Cringely's article about Windows 3.0 serious or a hoax? ........................................ {A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Fri, 12 Apr 91 09:02:12 BST ------------------------------ Date: Fri, 12 Apr 91 06:34:43 -0500 >From: ROsman%ASS%SwRI05@D26VS046A.CCF.SwRI.EDU Subject: Gantz' Infoworld Column I'm almost amazed that you were so taken in by Gantz' article. 
I will admit to reading the article with some interest initially, but it became clear that it was a farce towards the end. I have a lot of respect for the folks at NSA, but they play by the same laws of physics and math that the rest of us do, and I seem to remember some claims toward the end of the article that grossly violated both. The final "nail in the coffin" was the date of the issue (April 1,1991). I wish I had the issue in front of me so I could quote chapter and verse, but I don't. I'm sorry that you were so effectively taken in, but please don't yield to the litigous impulses you are feeling. There's too much of that in this country, and the lawyers are the only ones who win anyway. ------------------------------ Date: Fri, 12 Apr 91 13:34:21 +0000 >From: gribble@ogre.cica.indiana.edu () Subject: Re: AF/91 - John Gantz joke in Infoworld amen! it was pretty obvious that the article was a joke--IF you read the whole article... ************************************************************************** * Steve Gribble (812) 855-9172/7629 gribble@cica.cica.indiana.edu * Systems Manager, Inst. of Social Research swg@socmail.soc.indiana.edu * Dept. of Sociology, Indiana University gribble@iubacs ------------------------------ Date: Fri, 12 Apr 91 09:39:00 +0000 >From: Jim Schenk Subject: Yankee Doodle virus (PC) Hello, Does anyone out there have information on the Yankee Doodle virus? F-PROT 1.14 reports some files infected with "Yankee (TP-44)". I would like to know: 1. What does the TP-44 mean? 2. How does it spread? I know it is memory resident, but once in memory, does it attack .EXE and .COM files when they are executed, or search the disk and randomly attach itself to executable files? 3. What are the symptoms? (Note: this particular strain does NOT play Yankee Doodle on the speaker when I set the system clock to 5:00, nor when I reboot, as some Y.D. strains are reported to do.) 
F-PROT has been quite effective in getting rid of the virus, but I would like to know more about it. Thanks, Jim Schenk University Computer Services Florida International University Bitnet: jims@servax Internet: jims@servax.fiu.edu ------------------------------ Date: Fri, 12 Apr 91 14:38:26 +0000 >From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner) Subject: Re: Is virus infection by inserting floppy disk possible? (PC) (Mac) That's what WDEF viruses do on the Macintosh - they transfer from the "desktop" file of the infected floppy to the host. However, they are also extremely easy to kill, and don't do any real damage, so they are not (yet) seen as a big threat. Mikey. Mac Admin WSOM CSG CWRU mike@pyrite.som.cwru.edu ------------------------------ Date: Fri, 12 Apr 91 14:43:11 +0000 >From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner) Subject: Re: HyperCard anti-virus script bad (Mac) Unfortunately, Bruce, if the script is going to spread, it has to get past the scripts in the HOME card of HC. Passing the message directly to HC does not bypass the HOME scripts. Mike Mac Admin WSOM CSG CWRU mike@pyrite.som.cwru.edu ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 61] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253
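As an added example that is not part of the digest or of any poster's text, the indicators Padgett Peterson gives for the Empire virus above can be turned into offline checks: the 2048-byte drop in CHKDSK's "total bytes memory", a scan of a boot-sector image for the quoted signature bytes, and a CHS-to-LBA conversion for the sectors where the alert says the original boot record is parked. It assumes a 640K machine and standard geometries (a 1.44M floppy has 2 heads and 18 sectors per track); the 512-byte sector used is constructed test data, not the virus.

```python
"""Offline indicator checks built from the Empire alert in this digest.
Added example; not code from the digest or from any poster."""
from typing import Optional

# Signature bytes quoted in the alert, to be searched for in a boot sector
# read after a cold boot from a clean floppy (the alert says the resident
# virus hands the real MBR back to any reader, so live reads show nothing).
EMPIRE_SIGNATURE = bytes.fromhex("A3 08 7C A1 13 04 48")
# Memory the alert says the resident virus removes from the top of memory.
EMPIRE_RESIDENT_BYTES = 2048
KB = 1024

# Where the alert says the original boot record / MBR is parked
# (cylinder-or-track, head, 1-based sector); the message sector follows.
FLOPPY_ORIG_BOOT = (0, 1, 2)
FIXED_ORIG_MBR = (0, 0, 6)


def memory_deficit(reported_total: int, installed_kb: int = 640) -> int:
    """Bytes by which CHKDSK's 'total bytes memory' falls short of the
    installed conventional memory; 0 means nothing is missing."""
    return installed_kb * KB - reported_total


def looks_like_empire_memory(reported_total: int, installed_kb: int = 640) -> bool:
    """True when the shortfall is exactly the 2048 bytes the alert describes."""
    return memory_deficit(reported_total, installed_kb) == EMPIRE_RESIDENT_BYTES


def find_signature(sector: bytes, signature: bytes = EMPIRE_SIGNATURE) -> Optional[int]:
    """Offset of the signature inside a sector image, or None if absent."""
    pos = sector.find(signature)
    return None if pos < 0 else pos


def chs_to_lba(cyl: int, head: int, sector: int, heads: int, spt: int) -> int:
    """Convert a CHS address (1-based sector) to a 0-based LBA so the alert's
    coordinates can be read back with a raw sector tool for recovery."""
    if sector < 1 or sector > spt or head < 0 or head >= heads:
        raise ValueError("CHS address out of range for this geometry")
    return (cyl * heads + head) * spt + (sector - 1)


def assess(sector: bytes, reported_total: int, installed_kb: int = 640) -> dict:
    """Combine both indicators for one machine into a single verdict."""
    offset = find_signature(sector)
    deficit = memory_deficit(reported_total, installed_kb)
    return {
        "signature_offset": offset,
        "memory_deficit": deficit,
        "suspect": offset is not None or deficit == EMPIRE_RESIDENT_BYTES,
    }


def constructed_sector(with_signature: bool) -> bytes:
    """Constructed 512-byte stand-in for a boot sector: zero filler, the
    55 AA boot marker, and optionally the quoted signature at offset 0x40.
    Test data only; it is not the virus code."""
    body = bytearray(512)
    body[510:512] = b"\x55\xaa"
    if with_signature:
        body[0x40:0x40 + len(EMPIRE_SIGNATURE)] = EMPIRE_SIGNATURE
    return bytes(body)


if __name__ == "__main__":
    # 653312 is the CHKDSK figure the alert quotes for an infected 640K machine.
    print(assess(constructed_sector(True), 653312))
    print(assess(constructed_sector(False), 640 * KB))
    print("1.44M floppy: stored boot record at LBA",
          chs_to_lba(*FLOPPY_ORIG_BOOT, heads=2, spt=18))
```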