VIRUS-L Digest   Friday, 26 Apr 1991    Volume 4 : Issue 70

Today's Topics:

Initial Virus Protection (PC)
Re: HC virus (Mac)
Re: mac virus question from amateur radio packet (PC)
TSR Virus Detector (PC)
Disabling the floppy-drives. (PC)
what might "SERUM" be for? (PC)
Viruses & System 7.0 (Mac)
What's so bad about self-extracting archives?
Re: Zenith Dos Writes (PC)
F-PROT on any trickle servers? (PC)
Re: PREVENTION of Drive A: boots - Suggestions Please (PC)
FPROT115 and Kamikaze virus (PC)
Warning: BITNET worm on the loose... (IBM VM/CMS)
New VM/CMS intruder. (IBM VM/CMS)
Telefonica virus at Oxford (PC)
Virus Software Query (UNIX)
Re: AF/91 and April Foolism in general

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 24 Apr 91 16:57:48 -0500
From:    "Chris Wagner"
Subject: Initial Virus Protection (PC)

We've just identified the Stoned virus on our campus.  We would like to
get some virus protection out to the PCs asap.  We are looking at FPROT
and McAfee's SCAN & CLEAN.  There are about 1000 PCs on campus, almost
all stand-alone PCs.  Currently, no protection software is in use on the
PCs at this time.  Right now, cost is a real factor due to a limited
budget.
Since the virus was found on several write protected floppies used on
drives with good write protection circuitry, we suspect the virus might
have been planted intentionally.  With that in mind and the thought that
a nastier virus might be waiting on a disk somewhere, does anyone have
recommendations as to how to initiate some sort of protection and what
software to use?

I get the impression that the only way to be sure we don't have a virus
is to periodically scan our disks with the latest scanning software we
can find.  Is this true?  Is there some software that can "guard the
front door" to stop a virus from getting on a disk rather than
"constantly checking the house" to see if a disk is already infected?

Thanks in Advance.

Chris Wagner
Computer Technician
Microcomputer Maintenance Dept.
Northern Michigan University
Marquette, MI 49855
PHONE: 906-227-1961
BITNET: STCW@NMUMUS

------------------------------

Date:    Thu, 25 Apr 91 00:44:27 +0000
From:    mike@pyrite.SOM.CWRU.Edu (Michael Kerner)
Subject: Re: HC virus (Mac)

This bugger is essentially harmless - it just plays some German folk
tunes.

Mikey.

------------------------------

Date:    Wed, 24 Apr 91 21:08:00 -0500
From:    Big fish man on hippocampus
Subject: Re: mac virus question from amateur radio packet (PC)

Brian Riley writes:

>>------------------------------msg------------------------------------
>>From: ka2bqe@ka2bqe.#nwvt.vt.usa.na (Brian Riley)
>>
>>  That WDEF A is 'mostly benign' is questionable.  I recently had a query
>>made to the network about an infestation of nVIR B.  Upon recommendation, I
>>obtained Disinfectant 2.4 and went to work cleaning house in the corporate
>>tower at the Village of Smuggler's Notch Resort where I do some part time
>>computer work.  Of some 14 machines I scanned and cleaned, every one was
>>infected with a nVIR B that came to us attached to a copy of Stuffit 1.5.1.
>>Moreover every single HD desktop was infected with WDEF A.  85% of the
>>floppies were infected.
>>Most machines were SE's or Plus's and a few
>>Classics, no II's.  All systems were complaining of 'minor annoyances';
>>premature program terminations, a number of the Plus's had Europa 20
>>external HD's and all of them were 50-50 whether or not they would boot
>>from HD.  There were a number of other complaints that are hard to
>>categorize.  ALL complaints stopped upon removal of WDEF A!  I installed the
>>Protection INIT and everything has run smooth for several days with 0
>>complaints.
>>
>>  I am sort of new to Macs (I have 8 years on PCs!) and its brand of virii,
>>but this experience would have to make me think that, while not maliciously
>>catastrophic, WDEF A is far from 'mostly benign!'

It seems to me that the effects can't be attributed to WDEF since nVIR
was also on the infected drives.  It has been my experience that
although WDEF gets around quickly, it is not much of a problem with the
older machines.  On the other hand, nVIR (which has made its rounds
here) is more of a pain and interferes with proper operation much more
often than WDEF.

Also, benign doesn't necessarily mean that it doesn't cause any
problems; it just means that it doesn't go out looking for trouble.
Think of a benign brain tumor; it doesn't eat up brain tissue, but it
does start putting pressure on the brain when it grows, eventually
destroying the tissue.  Pretty yummy analogy, huh?  =-)

Tony Maimer
maimer@kuhub.cc.ukans.edu

------------------------------

Date:    Wed, 24 Apr 91 21:09:45 -0500
From:    John Councill
Subject: TSR Virus Detector (PC)

Hi.
I'm sure that this question has been asked here before, but I'll ask it
again: Can anyone reading this recommend a reliable program that will
sit in memory and warn against writes to .EXE and .COM files, as well as
other suspicious virus-like activity without degrading performance of
the machine too much?  Are there products like this that you've had bad
experiences with?

And while I'm posting this, I'll comment that it would be a GOOD THING
if someone from IBM who reads this, and is affiliated with VIRSCAN,
could announce new releases of this program on VIRUS-L.  Such
notification would help me out a lot, as our IBM rep is usually ignorant
about it.  AND it would help avoid the kind of rumor flurrying that
surrounded the last release.

Thanks,

John A. Councill                  Bitnet: JXA5@MARISTB
Technical Assistant               Voice:  914-758-7494
Henderson Computer Resources Center of Bard College
in Idyllic Annandale-on-Hudson NY

------------------------------

Date:    Thu, 25 Apr 91 10:19:44 +0100
From:    "Pete Lucas"
Subject: Disabling the floppy-drives. (PC)

Andrew Turner () asks:-

>To minimise and manage virusses at our institution I wish to prevent
>PC's being booted off Drive A: and only permit booting off the Hard
>Disk.  This of course immediately presents a management problem of
>what to do if the Hard Disk goes bad and I need to boot off a floppy.
>So ideally any solution needs to address this situation.  Two
>possibilities spring to mind:
>
>a. Use of a ROM.  This would sit in the appropriate address space and be
>   detected during the BIOS boot.  The code would need to at least
>   prevent floppy boots and desirably check for a floppy with a particular
>   label and if detected permit the floppy boot.  This would overcome the
>   problem of a clobbered hard disk.
>
>b. Use of hardware modifications connected to a key switch mounted on
>   the case which would be used to enable/disable floppy boots.  On our
>   machines the keyboard lock could be used for this purpose.
Both these options require modification to the PC.  This may mean
problems when it comes to getting your machines serviced, or when you
want to sell them.  Try explaining to the repair-shop or maintenance
engineer the modifications you have made, then see him go pale as he
wonders if these modifications are the reason for the fault.....

A far easier way is what I have done; you can buy floppy-drive locks
that simply fit into the drive slot and prevent anyone putting any
diskettes in the slot.  All you need to remove the thing (when you
*need* to boot from or read a floppy) is a twist of the key.  You could
give 'trusted' users a copy of the key to their PC.  These things are
also far cheaper than any hardware/BIOS mods are likely to be.

Question is, what are your users going to be better at?  Hardware
hacking, or lock-picking......?

Pete Lucas   PJML@UK.AC.NWL.IA   G6WBJ@GB7SDN.GBR.EU

------------------------------

Date:    Thu, 25 Apr 91 13:02:24 +0000
From:    David Hansen
Subject: what might "SERUM" be for? (PC)

A bunch of students came to Memorial University from Indonesia and they
claim that they have inadvertently brought an Indonesian virus with
them.  They brought a cure called SERUM, which is an executable file
which only works on drive A.  Can anyone help us?  One colleague of mine
claimed to be getting flashing funny faces.  What might this virus
actually BE?  Is there really an Indonesian virus??  How are we going to
clean up our hard disks since SERUM only works on drive A?

PLEASE HELP.

davidh@garfield.cs.mun.ca

------------------------------

Date:    Thu, 25 Apr 91 09:23:40 -0400
From:    Dave Martin
Subject: Viruses & System 7.0 (Mac)

The report on GateKeeper 1.2 made me start wondering about how viruses
would behave under System 7.0 (one of the feature points said that GK1.2
had better compatibility with Sys7, adding that users & viruses
shouldn't notice any differences).
Has anyone experienced a virus under System 7.0 (beta, FC, etc.), and if
so, did they behave any differently?  Are any of them completely
incompatible in that they simply crash the machine when they try to do
their dirty work, or do they work just as they always have?  Anyone
looked at the code enough even to tell what they'd do?

Of course, compatibility of old viruses aside, I get this gut feeling
that Sys7 will open the doors for more viruses, and make old ones spread
more easily.  How will SAM react to an infected file run from a
FileShare folder?  Or if someone puts a disk with WDEF into a drive
while a shared folder is open.  Will SAM or any of the other active
detectors warn you when a virus tries to get in from the back door?
Does the AppleEvent manager have any built-in precautions to prevent
viri from sending events out to programs?  Or from interfering with VM?

I know, lots of questions.  Maybe they've been discussed before, I don't
know -- just signed on a week or so ago.  As semi-official manager of a
small (~20) network, and someone who has had to clean Scores, nVir, &
WDEF from most of them many times, I'm curious how much more trouble to
expect from System 7.0.

Thanks.

Dave Martin, Geochemical & Environmental Research Group, Texas A&M University
DAVE@GERGA.TAMU.EDU   DAVE@DBM-GERG.TAMU.EDU   BROOKS@TAMVXOCN.BITNET   AOL: DBM

------------------------------

Date:    Thu, 25 Apr 91 13:49:10 +0000
From:    magnus%thep.lu.se@Urd.lth.se (Magnus Olsson)
Subject: What's so bad about self-extracting archives?

I'm sorry if this question seems a bit naive, but why are people so
concerned about the risk of virus-infected self-extracting archive
files?  Can't you just first run the archive file through your favourite
virus checker, and if it passes the test extract it, and then test the
individual files that were inside it?  Or have I missed something?

Magnus Olsson                    | \e+     /_
Dept. of Theoretical Physics     |  \  Z  / q
University of Lund, Sweden       |   >----<
Internet: magnus@thep.lu.se      |  /     \===== g
Bitnet: THEPMO@SELDC52           | /e-     \q

------------------------------

Date:    25 Apr 91 13:38:32 +0000
From:    sharp@mizar.usc.edu (Malcolm Sharp)
Subject: Re: Zenith Dos Writes (PC)

Add Zenith models 150/151 to that list.  SCANs of diskettes that are
known to be infected with Stoned have not been detected on these
machines.  However, F-PROT picks them up.  We have a 151 that recently
had its hard drive trashed due to Stoned.  Had been using VSHIELD and
SCAN (first ver64, then 76, 76C).  ???

------------------------------

Date:    Thu, 25 Apr 91 17:22:19 -0500
From:    Juan Jose Perez
Subject: F-PROT on any trickle servers? (PC)

Hi,

How and where can I get F-PROT 1.15?  Can I get it from any trickle?

Thanks.....

Juan Jose Perez Bueno
Servicio de Informatica
Universidad Autonoma de Madrid
Ctra de Colmenar Km. 15
28049 Madrid (SPAIN)
Phone: +34 1 397 51 44
E-Mail:

------------------------------

Date:    25 Apr 91 17:40:12 +0000
From:    davidsen@crdos1.crd.ge.COM (Wm E Davidsen Jr)
Subject: Re: PREVENTION of Drive A: boots - Suggestions Please (PC)

| >b. Use of hardware modifications connected to a key switch mounted on
| >   the case which would be used to enable/disable floppy boots.
|
| Don't think this would work since all that is required to boot is for the
| disk to be read.  I do not think a switch could prevent selective reads without
| disabling any read.  (unless you have a use for a write-only floppy).

All you need is a switch the BIOS can read to disable trying the boot on
A:.  I mailed this to the original poster, but here's my idea.  I
suggested it to a vendor, but they haven't used it, or at least not yet.
Have in the CMOS a "boot path" which works like the PATH variable, and
specifies which devices are to be tried, in what order.  This allows
disable of floppy boot, as well as boot from B: if A: fails or if you
have one 5-1/4 and one 3-1/2, etc.  Use a password to allow access to
change the configuration.  If the password takes too much room, save
three bytes of CRC20 plus a value for length range 1-15 characters.
Length zero could mean "no password."

--
bill davidsen (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen)
"Most of the VAX instructions are in microcode, but halt and no-op are
in hardware for efficiency"

------------------------------

Date:    Thu, 25 Apr 91 19:28:10 -0400
From:    Ernest Crvich
Subject: FPROT115 and Kamikaze virus (PC)

I apparently have run across the Kamikaze virus...  I downloaded a file
called UUEXE.ZIP at FTP location MSDOS.ARCHIVE.UMICH.EDU in the
directory /archive/msdos/unix.  When I ran F-FCHK on the two .EXE files
that were in the archive, the file UUDECODE.EXE caused the message 'This
file is infected with Kamikaze' to appear.  I could find no desc. of
this virus in any of the three virus description files included with
F-PROT.  Does this FTP location *NOT* check its files for viruses?  Any
info on this virus would be appreciated (was it a fluke?)...

Ernest Crvich
Bitnet   : GENERAL@VTVM1
Internet : GENERAL@VTVM1.CC.VT.EDU

------------------------------

Date:    Thu, 25 Apr 91 22:25:19 -0400
From:    Valdis Kletnieks
Subject: Warning: BITNET worm on the loose... (IBM VM/CMS)

Sorry for the cross-posting, but...

There is a worm loose on bitnet.  I've gotten hit by 3 copies so far,
all coming out of PSUVM.  I have not determined the origin node yet.

The important characteristics:

Name:     ZT EXEC
Language: Rexx
Size:     68 lines.

It sends a copy of itself to everybody in your NAMES file, using rather
poor parsing, and the PUNCH command rather than SENDFILE.
The inducement to run it is that it claims to be a 'zebra tell', sending
multi-color messages (actually does 3270 extended attribute chars for
bright/normal).

I suggest that the core nodes put it in their filters.

Valdis Kletnieks
Computer Systems Engineer
Virginia Polytechnic Institute

------------------------------

Date:    25 Apr 91 22:37:27 -0500
From:    "Tim Eisler (312) 996-7143"
Subject: New VM/CMS intruder. (IBM VM/CMS)

ZT EXEC has appeared at UICVM, the University of Illinois at Chicago.
It reads the names file and sends itself to everyone.  It does issue the
'TELL' before sending itself.  It has been added to the list of
intruders filtered out by the RSCS selective file filter.  Below are the
comments from the beginning of the exec:

Tim Eisler
Research Programmer
University of Illinois at Chicago

/*********************************************************************
  ZT : The Zebra-Tell
  Another product by HackerSoft, the masters of REXX Language

  Purpose:
    o Send a message in different colors
    o Amaze your friends!
    o Enhace your messages, with a later version of this program

  Syntaxis:  ZT UserId Message

  Zebra Tell will use alternating colors in your message, it
  - won't work on systems running CHAT subsystem. This is due
  -- the use of Special Characters unavailable for CHAT.

 ***********************************************************************
 **                                                                   **
 **    ZebraTell (C) 1991 HackerSoft, the masters of REXX Language    **
 **                                                                   **
 ***********************************************************************/

------------------------------

Date:    Fri, 26 Apr 91 10:49:00 +0000
From:    LYNNE@vax.oxford.ac.uk
Subject: Telefonica virus at Oxford (PC)

Just to let you know that the virus plaguing Oxford turned out to be
Telefonica.  We've had nine departments infected.  I wanted to thank
everyone who mailed me with help on my query.  Andy Holt at City,
Brighton, provided the fix we so desperately needed.  Thanks everyone
for being so helpful.
Lynne

------------------------------

Date:    Fri, 26 Apr 91 11:49:07 -0700
From:    BOB STRINGFIELD
Subject: Virus Software Query (UNIX)

Does anyone know of any virus software compatible with Sperry
5000/80/95, Unix operating system?

Thanks

***********************************************************************
Robert (Bob) L. Stringfield, Computer Systems Analyst
Mainz Army Depot
Directorate, Management Information Systems (D/MIS)
ATTN: SDSMZ-I
APO NY 09185
COML (No ETS or Autovon available): 06131-696328 (Germany)
FAX: 06131-696467
Electronic Mail: bstring@mainz-emh2.army.mil
Alternative: bstring%mainz-emh2.army.mil@wsmr-simtel20.army.mil
Slogan: IGNORANCE hates knowledge....

------------------------------

Date:    24 Apr 91 21:06:52 +0000
From:    Era.Eriksson@f59.n220.z2.FIDONET.ORG (Era Eriksson)
Subject: Re: AF/91 and April Foolism in general

 * Quoting dank@stealth.usc.edu (Dan King) to jkp@cs.HUT.FI (Jyrki Kuoppala):

> Come on, don't pick on the users.  Attack, instead, the virus authors.
> If these people would write useful code instead of malignant code,
> then life would be grand.

I've been following this thread from the beginning, and I actually don't
have anything to add.  Just wish to point out that REAL programmers,
APPLICATION programmers, have a huge responsibility for system security.
Somebody mentioned MS Word as an example of a program which overwrites
its own code occasionally.  Your mistake, I say.  Don't buy a word
processor from the company which produced the insecure operating system
we're talking about if you're concerned about viruses and security in
general.  ;-)

LAN operators should be particularly picky about the programs they
choose to offer the users.  If a program can't behave, scratch it!
There are going to be virus attacks on any LAN at one time or another,
so be prepared.

/* era */

era@f59.n220.z2.fidonet.org
If you want to see a disclaimer, that can be arranged.
--
Era Eriksson - via FidoNet node 2:220/801
UUCP: ...!fuug!casino!59!Era.Eriksson
INTERNET: Era.Eriksson@f59.n220.z2.FIDONET.ORG

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 70]
*****************************************