VIRUS-L Digest Wednesday, 1 May 1991 Volume 4 : Issue 72 Today's Topics: Re: Viruses & System 7.0 (Mac) WDEF is benign? (Mac) HyperCard Virus and Disinfectant (Mac) First sighting of Dark Avenger (PC) Re: can we trust diskette write-protection? (PC) Re: Malicious Program Definitions Virucide query (PC) Version 77 of McAfee anti-virals for MS-DOS (PC) Re: HyperCard virus --should I wait to script? (Mac) Stoned Virus (PC) Bouncing Ball at British Telecom (= UK telephone system)(PC) Virus at Common Cold research Unit, Cardiff, Wales, UK Any bugs in McAfee's v76? (PC) Thank You (EMPIRE, PC virus help) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 29 Apr 91 06:34:42 +0000 >From: phaedrus@milton.u.washington.edu (Mark Phaedrus) Subject: Re: Viruses & System 7.0 (Mac) DAVE@GERGA.TAMU.EDU (Dave Martin) writes: >Of course, compatibility of old viruses aside, I get this gut feeling >that Sys7 will open the doors for more viruses, and make old ones >spread more easily. How will SAM react to an infected file run from a >FileShare folder? Or if someone puts a disk with WDEF into a drive >while a shared folder is open. Will SAM or any of the other active >detectors warn you when a virus tries to get in from the back door? >Does the AppleEvent manager have any built-in precautions to prevent >viri from sending events out to programs? Or from interfering with VM? I think all the hype over System 7 has caused a lot of people to have incorrect ideas about what System 7 is like. It does not magically change all the rules of Mac programming; in fact, based on my experience, it's more compatible with older software than System 6 was. It does add new features, but in almost all cases it adds them in a way that makes them very comparable to existing ones (just a heckuva lot easier to use). FileShare, for instance, is almost exactly equivalent to AppleShare, but without the dedicated server. A program in a FileShare folder (virus-infected or not) appears the same way as a program in an AppleShare server folder, and viruses and virus-detection utilities should react to it in roughly the same way. Any virus detector worth its weight in RAM will check every resource file that's opened, no matter where it comes from. So FileShare shouldn't create any new problems there (except for the problem of uneducated users networking for the first time who don't realize the potential for infection, and without any AppleShare administrator to troubleshoot). There's no "protection" code in AppleEvents, as far as I know, and the reason is simple; what good would it do? Sure, a virus could trigger spurious AppleEvents, but a virus under either System 6 or 7 can do things that are a heckuva lot worse; delete files, format disks, crashing the system, etc. Until code is added to make it impossible for a virus to do these things (which brings up the age-old problem: how to distinguish a virus from a legitimate request to delete a file, etc.?), it seems silly to try to throw in code to keep a virus from choosing Quit or whatever. Finally, virtual memory is exactly the same as physical memory, only slower. About the only VM-specific nasty a virus could pull off would be to mess up or delete the virtual-memory storage file on the hard disk; this would crash the system, but again, as crashing the system is trivial under either System (the tricky thing to do is *avoid* crashing it... :) ), no new security holes are added here. IMHO, System 7 will, if anything, make it a bit harder for viruses and Trojan horses to propagate, if only by cleaning up the System Folder a bit. How many of us would even notice if somebody slipped one more file into the morass of junk (whoops, vital System extensions) that all of us keep in there? By sorting things out into at least a few subgroups, the new System will make it easier to keep some sort of grasp of what's going on in there. Internet: phaedrus@u.washington.edu (University of Washington, Seattle) The views expressed here are not those of this station or its management. "If you can keep your head while those about you are losing theirs, consider an exciting career as a guillotine operator!" ------------------------------ Date: 29 Apr 91 09:04:16 -0500 >From: "William J. Hobson" Subject: WDEF is benign? (Mac) For those who comment that WDEF is benign -- try telling that to the user who has just lost an hour's work when Microsoft Word 4.0 "unexpectedely quits". We definately don't consider that trivial. William J. Hobson Phone: (409) 845-9999 O.E.T. Rm. 123 | Virus Buster "Have Software - Will Travel" | | All Opinions are mine - not my employer's | |______________________________________________________| ------------------------------ Date: Mon, 29 Apr 91 12:43:31 -0600 >From: j-norstad@nwu.edu (John Norstad) Subject: HyperCard Virus and Disinfectant (Mac) Pat Ralston (IPBR400&INDYCMS.BITNET) writes: >I have found John Norstad to be very responsive in the past when new >Mac viruses developed. John, are you working on this one too? Or >does anyone else know if the Disinfectant virus checking software is >being updated to include the HyperCard virus? Disinfectant does not attempt to deal with application-specific viruses which spread via application scripting languages. These are very different kinds of viruses from the "normal" kinds of viruses Disinfectant was designed to handle. Modifying Disinfectant to detect and repair these kinds of viruses would be a major project, and I do not have the time or energy to undertake such a new project right now. This recent "Three Tunes" virus is not the first HyperCard virus - there was a very similar HyperCard virus named "Dukakis" which appeared several years ago. Disinfectant doesn't recognize that virus either. Symantec's SAM 3.0 does detect HyperCard viruses. John Norstad Academic Computing and Network Services Northwestern University j-norstad@nwu.edu ------------------------------ Date: 29 Apr 91 11:26:03 -0500 >From: Pat Ralston Subject: First sighting of Dark Avenger (PC) This posting is just to let the virus trackers know.... We have had our first reported sighting of Dark Avenger here at IUPUI (Indiana University - Purdue University at Indianapolis) It showed up on a LAN server in one of our open computer clusters. It was eradicated but the software it damaged had to be reinstalled on the server. I have been, for some time, suggesting that our computer clusters have a dedicated viurs checking DOS computer and a dedicated Mac. And that our users be requested to submit their disks for checking before they enter the cluster to use the LAN. Of course, that would not absolutely insure a virus free LAN but it would help us help innocent and uninformed users. My suggestion is getting more attention now that we were hit on the server. Thanks again to all those people out there that made it possible for us to catch and destroy this virus -- both documentation and virus checking software were a big help to us. Pat Ralston IUPUI ------------------------------ Date: Tue, 30 Apr 91 12:11:00 +1200 >From: "Mark Aitchison, U of Canty; Physics" Subject: Re: can we trust diskette write-protection? (PC) jim@cavebear.berkeley.edu (Jim Bradley) writes: > I write-protected each with a silver sticker from another box of diskettes. > I subsequently discovered that I could *freely* write or erase files from > any of these "write-protected" diskettes in the 1.2M half-height floppy drive > of an AT-clone or in the retro-fit 360K half-height floppy drive of an IBM XT . > > Both machines are located in a computer lab I manage. I used to trust write-protect tabs until very recently. My main advice is: DON'T! Possibly, the reason why it sometimes fails, other than obvious loose wires, is because of light bouncing around the diskette drive. Remember, a tab over the notch should stop the light getting to the photo-detector on the other side; if it can bounce of a silvery tab, onto metalwork, and onto the detector, it is like having no tab on at all. I haven't tested my theory, but I suspect black tabs are better, and there should be little distance between the diskette and the photo-transistor or whatever. Someone may be able to answer the question as to whether the circuitry uses synchronised pulsed light, or plain light (the latter would mean daylight from outside the computer could nullify the protection system). Mark Aitchison. ------------------------------ Date: Mon, 29 Apr 91 17:07:15 -0600 >From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) Subject: Re: Malicious Program Definitions walker@AEDC-VAX.AF.MIL (William Walker C60223 x4570) writes: >If the term "bacterium" (plural "bacteria") is used for host-based >dependent replicators, and "virus" ("virii") is used for host-based >independent replicators ( for lack of better terms to separate the two The biologists amongst us would be much happier if you reversed these two names, since a virus is a much more dependent organism than is a bacterium. A virus uses the host biochemical mechanisms to replicate, while a bacterium has its own. So the dependent replicators should be called virii and the independent ones bacteria, assuming we want to be consistent with the analogy. Tim Martin Soil Science University of Alberta ------------------------------ Date: Mon, 29 Apr 91 18:43:51 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Virucide query (PC) AL380382@VMTECCHI.BITNET (Ramon Bartschat) writes: > A friend of mine was using the VIRUCIDE program, so I copied it > to try it out, but when I got home and scanned it with SCAN V67 the > program told me that VIRUCIDE was compressed with LZEXE and that it > was infected internally with the Kennedy Virus and with the 12 Tricks > Troyan Horse. I could never find out any unusual behaviour in > VIRUCIDE. So what's wrong with VIRUCIDE ???? Right now I got a > secured copy of VIRUCIDE, in case it's really infected with Kennedy & > 12 Tricks. Copied it, eh? Well, we'll let that pass for the moment ... You will have noticed that VIRUCIDE is, in fact, a McAfee Associates product, for all that it is marketted by Parsons Tech. Therefore, the signature strings used in VIRUCIDE will be very close to those used in SCAN, and that is likely to cause the program to give some false positives. There is nothing ~wrong with either program, at least not as indicated by waht you saw. Why it said VIRUCIDE was compressed is a new one on me. ============= Vancouver p1@arkham.wimsey.bc.ca | "Don't buy a Institute for Robert_Slade@mtsg.sfu.ca | computer." Research into (SUZY) INtegrity | Richards' First User Canada V7K 2G6 | Law of Data Security | Security ------------------------------ Date: Tue, 30 Apr 91 04:52:07 +0000 >From: Aryeh Goretsky Subject: Version 77 of McAfee anti-virals for MS-DOS (PC) Now available via anonymous ftp from SIMTEL20 [192.88.110.20]: pd1: CLEAN77.ZIP Universal virus disinfector, heals/removes NETSCN77.ZIP Network compatible - scan for 243 viruses, v77 SCANV77.ZIP VirusScan, scans disk files for 243 viruses VCOPY77.ZIP Copy utility checks for viruses as it copies VSHLD77.ZIP Resident virus infection prevention program VIRUSCAN, NETSCAN, VSHIELD, and VCOPY Version 77 of these programs adds four new viruses: The Empire virus is a floppy disk boot sector and hard disk partition table infecting virus. It is based on the Stoned virus and was first reported in Alberta, Canada. The Star Dot virus was received from Europe. The New Sunday virus is a variant of the Sunday virus. The Casino virus has also been added. For a listing of complete listing of viruses, refer to the VIRLIST.TXT file. Additionally, detection of three virus variants have been added: The Collor variant of the Stoned virus, which contains the messages "Collor, um tiro basta!" and "Call John McAFee?" was reported in Sao Leopoldo, Brazil by Mr. Raul F. Weber. Another variant of the Stoned, containing a message about Saddam Hussein has been added. The Rabid variant of the Dark Avenger virus has also been added. The scanning routine for Version 77 has also been sped up. It is now 5% faster than Version 76. CLEAN-UP Version 77 replaces Version 76 of CLEAN which had a bug in it that prevented it from removing the viruses added in that release. The viruses added in Version 76 were: the 555, 651, 3066, Air Cop, Beeper, Black Monday, Den Zuk, Fellowship, Filler, Ghost (Boot Sector Portion) Korea, Lazy, Lisbon, Mardi Brothers, Murphy, Print Screen-2, RPKS, Striker, and Typo Boot viruses. Aryeh Goretsky - ---------------------------------------------------------------------------- Aryeh Goretsky,Tech Sup.|voice (408) 988-3832 |INTERNET McAfee Associates | fax (408) 970-9727 |aryehg@ozonebbs.uucp -OR- 4423 Cheeney Street | BBS (408) 988-4004 |aryehg@tacom-emh1.army.mil Santa Clara, CA 95054 | UUCP apple!netcom!nusjecs!ozonebbs!aryehg "Opinions expressed are my own and may not reflect those of my employer." ------------------------------ Date: Tue, 30 Apr 91 15:08:06 +0000 >From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner) Subject: Re: HyperCard virus --should I wait to script? (Mac) O.K., Paul, much to my chagrin, the script has the _potential_ of not working since scriptors can simply change their code to get around it. I am currently working on a separate script that searches for possible viruses and trojans. So, if anyone has the code to the new German HC virus, would you please send it to me? This new script is essentially designed to work in HC 1.2.x because it appears from all the EMAIL that I'm getting that my script works (through some fluke, mind you) in 2.0v2. I am studying for finals right now and have been unable to confirm that it will still work with a virus implementing "Start using" in its script, or if I can simply intercept the message even though it may be sent directly to HC. The problem with my new script is that if there is a handler in the inheritence path that the user has set up, I won't ever see the necessary messages to do the job. This new script will search a stack when the stack opens. Options still to be worked out. Suggestions welcome. If anyone wants to run with this idea and beat me to the punch, feel free, 'cause the main thing is to get to the point where vandals get the picture that we can protect HC as well as VD, Disinfectant, and Virex can protect the rest of the Mac. Mikey. ------------------------------ Date: Tue, 30 Apr 91 11:48:00 -0400 >From: "Imagine..." Subject: Stoned Virus (PC) Just a notification of the STONED VIRUS here at Southeastern Mass. University. It appears we're getting from people using the computers at a neighboring college. I read teh list occasionally, is there some place we should report VIRUS sightings, and if so is it only for new viruses?? Jim Cusson ACSJEC@SEMASSU ------------------------------ Date: Tue, 30 Apr 91 08:19:00 +0100 >From: Anthony Appleyard Subject: Bouncing Ball at British Telecom (= UK telephone system)(PC) [from Daily Telegraph (UK newspaper), Fri 28 April 1991] <> British Telecom [= BT] has set up an investigation to tackle an outbreak of computer viruses. In one case, users found a ball bouncing across their screens instead of data after part-time students unwittingly introduced the "Italian bouncing ball" virus by bringing in disks from their local college. Reports of viruses in the extensive computer networks operated by BT are averaging one a fortnight[,] and half of them have been confirmed as infected disks. The company [= BT] has set up a "help desk" as well as the investigation team to try to control the problem. BT has 50,000 personal computers and admits the problem has become serious. So far the viruses have not disrupted sensitive systems or the telephone billing operation, but the company has tightened controls on the use of software in an effort to limit damage. An 18-point guide has been issued to staff to curb the spread of contaminated disks. Employees are told not to borrow or lkend software or programs between their own and BT computers and limit the use of software to reputable manufacturers". The special investigation team at- tempts to pinpoint the source of each virus and gather evidence in case of legal action. Mr.Charles Brookson, operations manager of BT's electronics systems security unit, says: "The objectives are to sanitise and restore the system as soon as possible, gather evidence to use in claims against third parties or as part of our own defence in litigation." {A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Tue, 30 Apr 91 08:04:16 BST ------------------------------ Date: Tue, 30 Apr 91 08:28:44 +0100 >From: Anthony Appleyard Subject: Virus at Common Cold research Unit, Cardiff, Wales, UK [from Daily Telegraph (UK newspaper), Fri 28 April 1991] Results of years of research into the common cold have been threatened by a computer virus, writes Michael Fleet. Computer screens at the Common Cold Unit at the University of Wales, Cardiff, went blank this week when the virus spread after being introduced innocently by a student. "We first noticed it when we could not call up information on the latest literatrure about colds," said Dr.Ronald Eccles, the centre's director. Experts identified the virus as one which was first discovered in Belgium in 1989 and used a "disinfectant program" to cure it. [A.Appleyard: Any idea from the description what virus it was?] {A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Tue, 30 Apr 91 08:22:08 BST ------------------------------ Date: Tue, 30 Apr 91 15:40:25 -0400 >From: Jeff Subject: Any bugs in McAfee's v76? (PC) Can someone tell me what bugs are in what versions of MacAffee's 76 programs. Thanks in advance. Jeff Johnson usgjej@gsuvm1.gsu.edu ------------------------------ Date: Tue, 30 Apr 91 18:36:50 -0600 >From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) Subject: Thank You (EMPIRE, PC virus help) A special Thank You to the comp.virus / VIRUS-L crowd for prompt and helpful responses to my query about a DOS virus that was plaguing our systems, and which turned out to be a new beast: EMPIRE. Thanks to Dave Chess, Nick Fitzgerald, Rob Slade, and especially Padgett Peterson. Without their help, we would not have been able to identify / understand / remove / defeat (?) this beast as quickly as we were able to. This Internet world never ceases to amaze me! Sincerely, Tim Martin University of Alberta ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 72] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253