VIRUS-L Digest   Monday, 29 Apr 1991    Volume 4 : Issue 71

Today's Topics:

Info wanted on Plastique (PC)
Viruses and Database Systems
Help! Casper/1260 virus (PC)
IBM Scanner Updates (was: TSR Virus Detector (PC))
AIRCOP alert (PC)
Stoned Again (PC)
Disabling the floppy-drives. (PC)
Re: PREVENTION of Drive A: boots - Suggestions Please (PC)
Version 1.15A of F-PROT (PC)
HyperCard virus --should I wait to script? (Mac)
F-PROT 1.15A anti-virus package uploaded to SIMTEL20 (PC)
Yankee Doodle virus (PC)
Malicious Program Definitions
Re: Virucide query (PC)
can we trust diskette write-protection? (PC)
F-FCHK 1.15 & Casper Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    26 Apr 91 10:20:29 +0000
From:    cctb@hippo.ru.ac.za (Tim Bouwer)
Subject: Info wanted on Plastique (PC)

Hi

We have been infected with the Plastique virus and the Jerusalem virus as reported by McAfee's SCAN program (Ver74). The virus infected files on our Novell 386 server and was inhibited in its spread by a program we use which prohibits users from running files that have been modified in any way. We have some people working on disassembling the code, but have become concerned that we are in for more trouble from it before this is complete.
Could any kind soul send us some more info on this - an anonymous FTP site, or some live info that you may have gathered.

Thanks
Tim

--
| Tim Bouwer          Computing Centre   Tel: 27 [0]461 22023 ext 288 |
| Rhodes University   Grahamstown        FAX: 27 [0]461 25049         |
| 6140 South Africa                      Internet: cctb@hippo.ru.ac.za|
-----------------------------------------------------------------------

------------------------------

Date:    26 Apr 91 16:15:07 +0000
From:    plains!haraty@uunet.UU.NET (Ramzi A. Haraty)
Subject: Viruses and Database Systems

Greetings,

Does anybody know how to handle viruses in a database system? In a database environment there would certainly be a lot of updates and I was wondering how one could limit the infection of viruses into data items. In other words, how do we guarantee that untrusted users or processes won't infect our database with viruses?

P.S. I am talking at the system level here.

Thanks in advance

Ramzi Haraty
email: haraty@plains.nodak.edu

------------------------------

Date:    26 Apr 91 16:33:31 +0000
From:    wdh2866@zeus.tamu.edu (HAWKINS, WILLIAM DARYL)
Subject: Help! Casper/1260 virus (PC)

I have just recently scanned my hard drive with F-PROT115. During the scan, it returned the message - possible virus found: casper/1260. The file which it says is infected is vaxlink.exe. As the name implies, I use it to upload and download files to and from the vax. When I tried to disinfect the file, F-FCHK still reported a possible infection, but would not... or could not disinfect the file. I have also scanned the same file with McAfee's SCANV76C, and it does not report an infection.

The question: Do I have an infection? (or is F-FCHK interpreting a piece of code in the vaxlink program as the signature of the casper/1260 virus...) If I do have an infection, why won't F-PROT disinfect the file?

Any help would be greatly appreciated...... Thanks in advance.
------------------------------

Date:    26 Apr 91 13:29:09 -0400
From:    "David.M.Chess"
Subject: IBM Scanner Updates (was: TSR Virus Detector (PC))

John Councill :
> it would be a GOOD THING if someone from IBM who reads this, and is
> affiliated with VIRSCAN, could announce new releases of this program
> on VIRUS-L.

Mea probably Culpa. I certainly agree it would be good if we (I) did this regularly. We did it informally for the first couple, and only after-the-fact for 2.00.01; my only excuse is that I (HICL's official Network Junkie) was out of town when it was released, and we don't have it down anywhere as an official Thing To Do. We'll correct that!

Dave Chess
High Integrity Computing Lab
IBM Watson Research

------------------------------

Date:    Fri, 26 Apr 91 15:23:33 -0400
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: AIRCOP alert (PC)

Recently, one of our users brought a laptop in for screening. The AIRCOP boot sector infector was found on two of the 3 1/2 utility disks furnished with the machine & we have reason to believe that the virus was on the disk prior to the utility files. The disks are professionally labeled MS-DOS V4.01 utility/diag printed by CAF Computer Corp. under license from Microsoft Corp.

The virus appears to conform to published reports and contains the "RED STATE" message in encrypted form. The virus also appears to expect 360k floppies since the location the original boot sector is stored in would be in the middle of any larger capacity disk.

Since the disk conforms to most Microsoft boot sector specifications, automatic routines may not pick it up; however, SCAN v66 and later will detect it, as should any routine looking for memory size information manipulation. The virus when active does not employ any stealth and will take 1k bytes from the top of memory.
Infected disks may be identified by the lack of the normal error messages in the boot sector except for the ASCII "NON-SYSTEM" found at the end of the boot sector just prior to the MS signature.

------------------------------

Date:    Fri, 26 Apr 91 15:23:33 -0400
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: Stoned Again (PC)

>From: "Chris Wagner"
>Subject: Initial Virus Protection (PC)
>Right now, cost is a real factor due to a limited budget.
>I get the impression that the only way to be sure we don't have a
>virus is to periodically scan our disks with the latest scanning
>software we can find.

>From: John Councill
>Subject: TSR Virus Detector (PC)
>Can anyone reading this recommend a reliable program that will sit in
>memory and warn against writes to .EXE and .COM files, as well as
>other suspicious virus-like activity without degrading performance of
>the machine too much?

On the PC, a virus must be executed to have any effect & there are three ways for this to occur: cold boot from floppy, warm boot from floppy, user request. The last two can be controlled by software (e.g. McAfee V-Shield), the first only with hardware (but can be detected immediately by software).

Full system scanning is only necessary if an infection is suspected and the extent is to be determined. Once malicious software is present on a system, it can hide in many ways; the key is to detect such activity before it becomes resident.

I am constantly surprised that, considering the simplicity of the PC architecture, more schools have not developed their own protection software rather than relying on outsiders; certainly it is more difficult to write a functional operating system, something most CS schools require. How about an annual intramural anti-virus competition - anyone interested?

------------------------------

Date:    Fri, 26 Apr 91 15:23:33 -0400
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: Disabling the floppy-drives. (PC)

>From: "Pete Lucas"
>A far easier way is what i have done; you can buy floppy-drive locks
>that simply fit into the drive slot and prevents anyone putting any
>diskettes in the slot.

If you can make the users use the keylock that is - most BSI infections occur from "accidental" floppy boots, not intruders. A more effective way is to simply unplug the floppy drive. A keylock just keeps unauthorized people out but someone must administrate it.

------------------------------

Date:    Fri, 26 Apr 91 15:23:33 -0400
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: Re: PREVENTION of Drive A: boots - Suggestions Please (PC)

>From: davidsen@crdos1.crd.ge.COM (Wm E Davidsen Jr)
> All you need is a switch the BIOS can read to disable trying the
>boot on A:.

First you need a BIOS that will read the switch (hardware again - best but most expensive answer). The programming is trivial but production is the hard part (ps a ROM extension is easy & uses the stock BIOS; for maintenance/resale, just remove it & you have a "normal" PC).

Warmly, Padgett

------------------------------

Date:    Fri, 26 Apr 91 19:21:04 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Version 1.15A of F-PROT (PC)

I have just finished version 1.15A of F-PROT, where some "bugs" in 1.15 are corrected. The bugs were:

Occasional false alarms reporting "10 past 3", "Kamikaze" and "1260/Casper" infections.

F-DRIVER would (incorrectly) report a "Yankee" infection in the anti-virus programs from Central Point.

F-DISINF was unable to detect and disinfect one common variant of "Stoned", and would only report..

"...this diskette is infected with an unknown virus."

The name of the new file is FP-115A.ZIP, and it should be available on SIMTEL-20 and beach.gal.utexas.edu shortly.

-frisk

------------------------------

Date:    26 Apr 91 14:07:19 -0500
From:    Pat Ralston
Subject: HyperCard virus --should I wait to script? (Mac)

I use HyperCard frequently and am not happy to see that there is a HyperCard virus on the loose. Since there have been several comments on the HyperCard anti-virus script recently which say in general ..."this won't/may not work", I am not confident that I want to enter this script in my Home Stack. In fact I have more than one Home Stack because I have customized several Home Stacks for the specific uses I make of my stacks.

I have found John Norstad to be very responsive in the past when new Mac viruses developed. John, are you working on this one too? Or does anyone else know if the Disinfectant virus checking software is being updated to include the HyperCard virus? If that is the case I'll wait rather than script something into my Home Stack that I may not really want there.

I do appreciate the work that Mike went to in trying to give us all a script to defend against the virus. And I am sure that many Mac users are grateful for the work that has been done to give us Disinfectant.

Pat Ralston
IUPUI
Indiana University - Purdue University at Indianapolis

------------------------------

Date:    Fri, 26 Apr 91 19:15:14 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: F-PROT 1.15A anti-virus package uploaded to SIMTEL20 (PC)

I uploaded version 1.15A of my F-PROT anti-virus package to SIMTEL20:

pd1:
FP-115A.ZIP     Virus detection/removal/prevention/information

-frisk

--
Fridrik Skulason    frisk@rhi.hi.is

------------------------------

Date:    27 Apr 91 10:59:00 -0600
From:    "William Walker C60223 x4570"
Subject: Yankee Doodle virus (PC)

Hello, people. Glad to be part of this discussion.

Jim Schank (JIMS@SERVAX.BITNET) writes:
> Does anyone out there have information on the Yankee Doodle virus?

A little bit: Yankee Doodle is a variant of a virus called Vacsina, both of which, along with Yankee Doodle-B, belong to the "TP" family of about 48 viruses (last time I checked).
The second to the last byte of an infected file is believed to be the "version number" of the virus. In the most common Yankee Doodle virus, this number is 2C hex, or 44 decimal, therefore the name "TP-44." The viruses from about 25 (19 hex) earlier are called Vacsina, while the later ones are called Yankee Doodle.

I'm not 100% sure when the infection takes place, but I believe that it occurs when a .COM or .EXE file is run.

As for playing "Yankee Doodle" on the speaker, TP-44 does indeed play it. I know because I've just removed that version from a machine here. However, when you test it, don't set the clock exactly at 5:00, set it for 4:59, because it starts a few seconds early. Also, be sure that the time is 4:59 PM (not AM), or 16:59.

For additional information, the best source (besides this forum) is the VIRUSSUM document by Patricia M. Hoffman, which is available on many BBSs and FTP servers which have anti-virus software.

Oh, by the way, some versions of Yankee Doodle hunt down some other viruses, such as Ping and Cascade. Who knows, with this kind of in-fighting, maybe they'll wipe each other out completely! ;-)

Bill Walker
OAO Corporation
Arnold Engineering Development Center
M.S. 100
Arnold Air Force Base, TN 37389-9998

------------------------------

Date:    27 Apr 91 18:44:00 -0600
From:    "William Walker C60223 x4570"
Subject: Malicious Program Definitions

There's enough confusion in the anti-virus community already, without the confusion resulting from the differences in terminology. I'm sure there's nothing new in that statement.

Eldar A. Musaev has a good start at eliminating the confusion in the terminology, and he's going about it in a good way: defining differences in function and classifying by function. However, his using "Christmas Tree" (I assume the BITNET CHRISTMAS EXEC) as an example of a Network Worm doesn't seem quite right to me.
Even if he didn't mean the CHRISTMAS EXEC, it still doesn't fit neatly into his classifications (see Virus-L V4 I60). The CHRISTMAS EXEC on BITNET would, in my opinion, be a Trojan Horse rather than a Worm. The definitions of a Trojan Horse that I have seen state that a Trojan Horse is a [standalone] program which purports to do one thing (and may in fact do it), but covertly does another, malicious thing. CHRISTMAS fits this description; however, CHRISTMAS also replicates. So, where's the distinction?

Perhaps the function of replication could be divided into independent and dependent. Independent replication would be that, once started, the replication process would continue without outside assistance. Dependent replication would be that the replication process would occur only while the parent/host/whatever program is running. In this way, CHRISTMAS EXEC could be separated from, say, the Internet worm: CHRISTMAS is a dependent replicator, while the Internet worm is an independent replicator.

However, with this addition, a new problem arises. How does one classify NON-resident malicious programs such as Amstrad, Vienna, or 405? They're dependent replicators as well. Would they be separated from resident malicious programs such as Stoned, Jerusalem, or Yankee Doodle?

Another distinction which should be made is the difference between a standalone program, an overwriting program, and a parasitic program. Eldar Musaev separates parasitic by saying it attaches itself to another file, but he lumps the other two under "non-parasitic." I believe that they should be kept separate. A standalone program is just that, and requires no other program to help it run and/or spread. An overwriting program, though it doesn't attach itself to a file and is itself a complete program, requires that a host/"victim" file be present for it to replace. Similarly, a "spawning" program requires that a host/victim file be present for it to spawn to.
A boot-sector virus could be classified similarly, depending on how it treats the original boot sector.

Using these further separations, the functional criteria could now become:

   I. Replication
      1. Non-replicator
      2. Dependent Replicator
      3. Independent Replicator

  II. Host Basis
      1. Standalone (non-host-based)
      2. Host-based
         a. Spawning
         b. Overwriting
         c. Parasitic

If the term "bacterium" (plural "bacteria") is used for host-based dependent replicators, and "virus" ("virii") is used for host-based independent replicators (for lack of better terms to separate the two), the resulting classifications could now become:

   I. Standalone Non-replicators           Trojan Horses          Example: ARC 5.13
  II. Spawning Non-replicators             Spawning Trojans
 III. Overwriting Non-replicators          Overwriting Trojans    Example: Twelve Tricks
  IV. Parasitic Non-Replicators            Parasitic Trojans
   V. Standalone Dependent Replicators     Replicating Trojans    Example: CHRISTMAS EXEC
  VI. Standalone Independent Replicators   Worms                  Example: Internet Worm
 VII. Spawning Dependent Replicators       Spawning Bacteria      Example: Aids II
VIII. Overwriting Dependent Replicators    Overwriting Bacteria   Example: 382 Recovery
  IX. Parasitic Dependent Replicators      Bacteria               Example: Vienna
   X. Spawning Independent Replicators     Spawning Virii
  XI. Overwriting Independent Replicators  Overwriting Virii
 XII. Parasitic Independent Replicators    Virii                  Example: Jerusalem

Some of the resulting combinations don't have examples at this time, and some of those (such as a parasitic non-replicator) are not likely. Also, some people may say that the Lehigh virus is an overwriting virus. I would call it parasitic, since it is not a complete program by itself, but attaches itself to COMMAND.COM, even though it overwrites the stack space.

Well, that's my two cents worth. I hope it can be of some help. The names given for the different combinations are just suggestions; they don't have to be used (For that matter, NONE of this HAS to be used :-) ).
In fact, I'm sure that someone could come up with better names for some of these.

Bill Walker                             |
OAO Corporation                         |
Arnold Engineering Development Center   | "I'd like to solve the puzzle, Pat"
M.S. 120                                |
Arnold Air Force Base, TN 37389-9998    |

------------------------------

Date:    Sun, 28 Apr 91 06:48:54 +0000
From:    sunset@leland.stanford.edu (Igor Grebert)
Subject: Re: Virucide query (PC)

AL380382@VMTECCHI.BITNET (Ramon Bartschat) writes:
>Hi there....
>
> I have the following question:
>
> A friend of mine was using the VIRUCIDE program, so I copied it
>to try it out, but when I got home and scanned it with SCAN V67 the
>program told me that VIRUCIDE was compressed with LZEXE and that it
>was infected internally with the Kennedy Virus and with the 12 Tricks
>Trojan Horse. I could never find out any unusual behaviour in
>VIRUCIDE. So what's wrong with VIRUCIDE ???? Right now I got a
>secured copy of VIRUCIDE, in case it's really infected with Kennedy &
>12 Tricks.

This problem only appears on the very first version of VIRUCIDE, when checked with SCAN. It was a false alarm generated by SCAN. The problem has been solved, and the version you have works perfectly, even though it is a little outdated: Parsons Technology upgrades VIRUCIDE quite often, every two to three months, I believe. The current version number is 2.10, and a next release is due soon.

Igor Grebert.

------------------------------

Date:    Sun, 28 Apr 91 19:20:07 +0000
From:    jim@cavebear.berkeley.edu (Jim Bradley)
Subject: can we trust diskette write-protection? (PC)

I am completely baffled by the following experience. Someone sent me eight (green) 360K 5.25-inch floppy diskettes containing pkzip archive files. I write-protected each with a silver sticker from another box of diskettes.
I subsequently discovered that I could *freely* write or erase files from any of these "write-protected" diskettes in the 1.2M half-height floppy drive of an AT-clone or in the retro-fit 360K half-height floppy drive of an IBM XT. Both machines are located in a computer lab I manage. (I have not tested other machines, since I am so spooked by this experience.)

When I performed the same test with the same silver stickers with the same floppy drives, but this time using diskettes from my own collection, the write-protection worked correctly.

Two issues:

1) My experience (whatever the cause) suggests that write-protecting cannot be assumed to provide protection against virus infection if you stick a Brand-Y diskette into a Brand-X machine.

2) What is going on here? How is it possible for a diskette drive to write on one brand of protected diskette, and not on another brand? The mind boggles.

Jim Bradley, CNR Computer Facility, UC Berkeley
jim@cavebear.berkeley.edu

------------------------------

Date:    29 Apr 91 05:16:22 +0000
From:    gbj@melb.bull.oz.au (Graham Jose)
Subject: F-FCHK 1.15 & Casper Virus (PC)

I have just started using the latest version (1.15) of F-FCHK and it has started reporting the possibility of infection by the Casper/1260 virus in a number of data files on my system, and others around the company, most notably the keyboard.sys file. The previous version of F-FCHK I have been using (1.13) did not report this warning.

Could someone (FRISK?) please explain whether I actually have an infection or whether the checking introduced with 1.15 is simply more sensitive.

Thanks,
Graham Jose

---------------------------------------------------------------------------
| Graham Jose, Snr Software Engineer (EFTPOS,Comms) | Phone: 61 3 4200450 |
| Melbourne Development Centre                      | Fax:   61 3 4200445 |
| Bull HN Information Systems Australia Pty Ltd     |---------------------|
| ACSnet  : gbj@bull.oz                             | Who wants my opinion|
| Internet: gbj@melb.bull.oz.au                     | anyway?             |
---------------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 71]
*****************************************
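The AIRCOP indicators Padgett Peterson gives in his alert above (a boot sector with none of the usual DOS error text except a bare "NON-SYSTEM" just before the 55AA signature, and 1K taken from the top of conventional memory) turned into a small triage script. This is an added example, not code from the digest or from any of its posters; the exact DOS message strings and the 64-byte tail window are assumptions, and both sector images are constructed.

```python
"""Boot-sector triage for the AIRCOP indicators reported in the digest (added example)."""

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # the "MS signature" at offset 510
TAIL_WINDOW = 64               # bytes inspected just before it (assumption)

# Text a normal MS-DOS boot sector carries (assumption: exact wording varies
# between DOS versions; these are the usual 3.x/4.x messages).
NORMAL_MESSAGES = (
    b"Non-System disk or disk error",
    b"Replace and press any key when ready",
)
# The only text the digest reports on an AIRCOP-infected sector.
BARE_MARKER = b"NON-SYSTEM"


def triage_boot_sector(sector: bytes) -> dict:
    """Flag a sector that has the boot signature and a bare NON-SYSTEM string
    in its tail but none of the normal DOS error messages."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector image" % SECTOR_SIZE)
    has_signature = sector[-2:] == BOOT_SIGNATURE
    normal_found = [m.decode() for m in NORMAL_MESSAGES if m in sector]
    tail = sector[SECTOR_SIZE - 2 - TAIL_WINDOW:SECTOR_SIZE - 2]
    bare_in_tail = BARE_MARKER in tail
    return {
        "has_signature": has_signature,
        "normal_messages": normal_found,
        "bare_marker_in_tail": bare_in_tail,
        "suspicious": has_signature and bare_in_tail and not normal_found,
    }


def memory_size_anomaly(bios_kb: int, installed_kb: int = 640) -> int:
    """Kilobytes missing from the BIOS memory-size word (0040:0013h) compared
    with the installed conventional RAM; a resident boot-sector infector that
    reserves memory at the top shows up here (the digest says AIRCOP takes 1K)."""
    return max(0, installed_kb - bios_kb)


def build_sector(strings, tail_marker: bytes = b"") -> bytes:
    """Construct a sample sector image (not a bootable sector): a jump stub,
    the given NUL-terminated strings, zero filler, the tail marker, then 55AA."""
    body = b"\xeb\x3c\x90" + b"".join(s + b"\x00" for s in strings)
    filler = SECTOR_SIZE - 2 - len(body) - len(tail_marker)
    if filler < 0:
        raise ValueError("strings do not fit in one sector")
    return body + b"\x00" * filler + tail_marker + BOOT_SIGNATURE


# Constructed samples: a normal-looking sector and one showing the AIRCOP pattern.
CLEAN_SECTOR = build_sector(NORMAL_MESSAGES)
SUSPECT_SECTOR = build_sector((), tail_marker=b"NON-SYSTEM\x00")

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_SECTOR), ("suspect", SUSPECT_SECTOR)):
        print(name, triage_boot_sector(image))
    print("KB taken from top of memory:", memory_size_anomaly(639))
```

A real sector read from a suspect diskette (512 bytes from track 0, head 0, sector 1) can be passed to triage_boot_sector in place of the constructed images.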