Return-Path:
Received: from csmes.ncsl.nist.gov (MACBETH.NCSL.NIST.GOV) by csrc.ncsl.nist.gov (4.1/NIST) id AA06122; Fri, 25 Sep 92 15:48:30 EDT
Posted-Date: Fri, 25 Sep 1992 15:41:31 -0400
Received-Date: Fri, 25 Sep 92 15:48:30 EDT
Errors-To: krvw@cert.org
Received: from Fidoii.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm)) id AA02585; Fri, 25 Sep 92 15:43:11 EDT
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA23126 (5.65c/IDA-1.4.4); Fri, 25 Sep 1992 15:41:31 -0400
Date: Fri, 25 Sep 1992 15:41:31 -0400
Message-Id: <9209251819.AA08618@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #155
Status: R

VIRUS-L Digest    Friday, 25 Sep 1992    Volume 5 : Issue 155

Today's Topics:

    Re[2]: NAVSCAN (PC)
    Stoned and disk problems (PC)
    McAfee Scan (PC)
    Re: Help with Stoned A virus (PC)
    Re: virus dissection (PC)
    A new way to damage EXE files (PC)
    Re: Information on CPAV and McAfee (PC)
    A few questions (Stardot/V801/Michaelangelo) (PC)
    New virus !!! (PC)
    FLIP, TELECOM, SCREAMING FIST and MBR type Viruses using F-prot (PC)
    VIRSCAN detects Yankee-Doodle 2885 (PC)
    Infection question re COMMAND.COM viruses (PC)
    Is there a new virus (720K disks)? (PC)
    Boot sector infected ! Virus ? (PC)
    Re: Viruses and OS/2 (OS/2)
    Help! Strange Macintosh Happenings... (Mac)
    Internet Worm SUMMARY (UNIX)
    Re: "New trends and other stuff"
    Macmag virus - spread (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.)
Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 23 Sep 92 02:35:23 -0000
From: pd@nwavbbs.demon.co.uk (Peter Duffield)
Subject: Re[2]: NAVSCAN (PC)

cjkuo@ccmail.norton.com writes:

>Robert Slade reports:
>>> Where can I get NAVSCAN? Or when is it gonna be out?
>
>It is on Compuserve in the following locations: NORUTL, VIRUS, IBMSYS,
>and UKFORUM. It is available from the Symantec BBSs: 2400:
>408-973-9598, 9600: 408-973-9834.

You will also find it for anonymous ftp on wuarchive.wustl.edu in the directory /pub/MSDOS_UPLOADS

Peter

--
Peter Duffield   pd@nwavbbs.demon.co.uk (Internet)
Voice: +44 244 545669   BBS: +44 244 550332
North Wales Anti-Virus Support BBS, FidoNet: 2:250/201, VirNet: 9:441/110

------------------------------

Date: Wed, 23 Sep 92 04:31:22 +0000
From: msp2@midway.uchicago.edu (Michael S. Post)
Subject: Stoned and disk problems (PC)

I just got a new 486DX, and I partitioned the hard drive, putting DOS 5.0 into one partition and OS/2 2.0 into the other. Now I am having problems reading SOME of my high density 1.44" drives when I am in DOS. If I format a disk and then type 'a:' to switch to the drive, it tells me it can't read the disk. Also, some of my old disks can't be read. In OS/2, I can read these same disks and format. I discovered that when my disks are write protected, they will continue working if they already were. As soon as I remove write protection and the a: drive is used, even just doing a dir, suddenly something is damaged.
When I ran SCAN v.93, it said that it found [Stoned] in memory and Michaelangelo in the partition. Are these viruses causing the problem with the disk drive, or is it something else? Note: my 1.2Mb 5.25" drive, b:, is working just fine.

I renamed autoexec.bat and config.sys, and still booting off of the hard drive makes the Stoned virus appear in memory. Where is it coming from when I turn on the machine? The IO.SYS and MSDOS.SYS files? They went through the scanning program OK. Could my purchased install diskettes have a virus?

Thanks. PLEASE, if you are responding, send a duplicate back to me. Either reply to this address or send e-mail to mpost@math.ucla.edu. Thanks again.

-- Michael

------------------------------

Date: 23 Sep 92 05:49:19 +0000
From: rxa21@po.CWRU.Edu (Ranjit Annamalai)
Subject: McAfee Scan (PC)

I know I have a virus because Central Point Software's Vsafe TSR can detect it when it modifies my *.com and *.exe, but nothing I have run (Untouchable 1.1, McAfee Scan and numerous other scanners) has been able to find it. I wanted to get the latest version of McAfee Scan to see if it can find it. It is obviously a stealth virus because it changes the file but does not tell any other program that it is doing so. I have numerous other signs that it is active, and after a few weeks it changes the boot sector of my HD; luckily Untouchable can restore it and I have a few more weeks to live.

I gave this virus to my uncle in India and it totally TRASHED his computer, and it has scared the living hell out of me because I have detected the same signs of the virus on my computer as I did on his. He did not give it to me because I never copied anything from him. But I left $$$ of software with him because I assumed that they all had the virus.

I would like any and all virus scanners, good or bad. I do have FTP access and I would appreciate any help.
As of this moment I am sending the files that I believe are infected to Central Point Software and to Fifth Generation to see if they can find anything.

Ranjit

--
Ranjit Annamalai   rxa21@po.cwru.edu   ~!@#$%^&*()_

------------------------------

Date: 23 Sep 92 07:30:55 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help with Stoned A virus (PC)

MANKOFF@twu.edu writes:

> The machines will boot from the A drive and access everything on the C
> drive just fine from that point on. Now the real tricky part. I ran
> F-PROT on the machines and all three came up with Michelangelo
> viruses. It said that it removed them. Reboot and same problem. So
> I rebooted again from A and ran F-PROT and this time it says infected
> with Stoned-A and a variant of Stoned. But then it says removed. As
> soon as I run F-PROT again, it continues to say Stoned variant is in
> boot sector. No matter how many times I run the program, Stoned is
> always there. And it still gives the same problem on booting from the
> C drive.

It is well known that a disk infected by both Stoned and Michelangelo becomes unbootable. The reason is that the original MBR is lost. For the same reason, it is not possible to "disinfect" the MBR - there is just no original MBR to restore. The only solution is to put in a new, clean MBR. In short: boot from a write-protected, non-infected DOS 5.0 system diskette. It is important that the version number is 5.0. It doesn't matter what the DOS version on your hard disk is. Then run the program FDISK with the option /MBR. This will create a new MBR on your hard disk, without modifying the partition table data.

Don't forget that most of your floppy disks are probably infected too. You'll have to check every single one (yeah, including the data diskettes), or you risk the infection re-occurring.

> Now getting frustrated, I decided to just format the hard drive and be
> done with it.
> But lo and behold, after installing the system files,
> same problem on boot up and after running F-Prot, same Stoned variant
> in boot sector.

Formatting is not necessary at all, and if not done properly, it will remove everything but the virus. What do you mean by "format the hard drive"? Just run the FORMAT command? It doesn't touch the MBR and therefore leaves the virus. Or do you mean a low-level format? Then you have probably booted from an infected diskette and the virus has re-infected your disk (now you see why checking all diskettes is important).

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.: +49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: 23 Sep 92 08:26:00 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: virus dissection (PC)

seborg@csrc.ncsl.nist.gov (Brian Seborg) writes:

> Patricia Hoffman's VSUM lists the 1530 virus as CB-1530 (according to
> her July 1992 version). Your description seems to more closely
> resemble the 1963 virus. Both of these viruses are related to the
> Dark Avenger Virus so this may account for McAfee's seeming mis-

Two points: First, as Frisk mentioned, it was a completely new virus (Alexander), not even belonging to the Dark_Avenger family. Second, 1963 (Necropolis) and the Dark_Avenger viruses have nothing in common. They are completely different, belong to different families, infect in a different way, use different tricks, and are written by different people.

> to see if in fact you have the same beast. Patricia's VSUM should be
> helpful in determining if you are at least talking about a similar
> virus or not.

I disagree. VSUM is full of errors and not helpful at all in providing correct, technical virus information.
In fact, I challenge anyone to find an entry in VSUM which has no errors and/or omissions...

Some comments about the "virus research algorithm" that you described (I'll save the bandwidth and will not quote it here). Bear in mind that some viruses are very capricious and you literally have to feed them with a spoon in order to make them replicate. The Rythem virus infects only files that are not in the root directory. Dr_Watson infects only AUTOEXEC.BAT. Some of the Astra viruses infect only device drivers. Some viruses (Tequila and StarShip, I think) will not infect if you don't have a hard disk - because they don't go resident when you run an infected file, but only modify the MBR and wait until the user reboots... There are some other pitfalls.

We have a huge number of files here about which we cannot easily decide whether they are viruses, trojans, buggy programs, or just innocent tools. They all refuse to replicate on the systems on which we have tested them, but this does not imply that they will not replicate on some other systems. The only way to solve the problem is to disassemble each one of them and see what it does. And this is a LOT of work...

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.: +49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: 23 Sep 92 08:57:12 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: A new way to damage EXE files (PC)

Hello, everybody!

As you probably know, several viruses of the Jerusalem type are unable to infect EXE files correctly. They destroy those EXE files that have an internal overlay structure (e.g., WordPerfect).
The following paragraph describes in short why this happens; those of you that already know it, please skip to the next paragraph, where a new kind of incorrect EXE file infection is described.

A virus which appends itself to EXE files has three ways to determine the file length (i.e., the end of the file). The first is to look in the FAT and count the clusters that the file occupies. However, this is difficult and does not give the file length exactly - it gives it in clusters, not in bytes. The second method is to use the information in the directory. This is usually achieved by doing a seek to the end of the file. The third method is to use the information about the file size present in the EXE header. This is exactly what the Jerusalem-like viruses do. Unfortunately, the size listed in the header is not necessarily the true file size. It is the size of the portion of the file that has to be loaded at runtime (sometimes called the loadable part). If the size of the loadable part is greater than the true file size, DOS refuses to run the file and outputs an "Error in EXE file" error message. (The same happens if the size in the FAT is greater than the size in the directory.) However, the size of the loadable part can be shorter than the true file size. Such files are those with an internal overlay structure. The Jerusalem-like viruses append themselves after the loadable part (because they compute the file size from the information in the header) and therefore overwrite the first internal overlay. The program becomes damaged - it is not possible to recover it by removing the virus.

During our meeting at the 2nd Virus Bulletin conference in Scotland, Fridrik Skulason, Marek Sell (a Polish anti-virus researcher) and I discovered a new way to infect EXE files incorrectly, that some viruses are using. Those viruses correctly append themselves after the physical end of the file.
However, when correcting the information in the EXE header, the viruses just ADD the virus size to the size listed there. Therefore, at runtime, DOS will load more than the initial loadable part. It will load part of the first overlay - as much of it as the length of the virus. But it will not load the virus! However, the entry point in the EXE header still points to the virus. Therefore, it points to a place where nothing is loaded. Obviously, such files cannot be executed and will probably hang the machine.

However, unlike the previous case, such files can be recovered by a virus-removing program. The program just has to know about this property of the virus and SUBTRACT the virus size from the appropriate fields in the EXE header - instead of putting there the full file size minus the size of the virus.

Currently we have noticed at least two viruses which act in the way described above. Those two viruses are Amoeba and Boojum. Without any doubt, several other of the known viruses act in this way. Producers of virus-removing programs should take care to recover correctly the files infected with such viruses.

As a conclusion, it is a bad idea to rely on virus disinfectors. Just delete the infected programs and replace them with clean backup copies.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.: +49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 23 Sep 92 14:31:35 +0000
From: mgflax@phoenix.princeton.edu (Marshall G. Flax)
Subject: Re: Information on CPAV and McAfee (PC)

sengteik@iti.gov.sg (Chua Seng Teik (RC)) writes:

>I am doing an evaluation on some Anti-Virus packages and I have
>narrowed down to 2 products namely Central Point AntiVirus and
>McAfee's suite of products.

And not F-Prot?????
I'm very surprised.

marshall

--
=========== 5 Joyce Lane, Woodbury, NY 11797, 516-364-9331,9379 ===========
============ PGP 2.0 Public Key available by finger or request ============
===== c/o Jack Gelfand, Psych Dept, Princeton U., NJ 08544, 609-258-2930 ======
= Original material (c) 1992, Marshall Flax =

------------------------------

Date: 23 Sep 92 18:00:00 -0800
From: "NBECC::KENNEY"
Subject: A few questions (Stardot/V801/Michaelangelo) (PC)

The PC anti-viral programs at my location have been getting quite a workout lately, with 4 viruses appearing in the last 3 months (Joshi, Stoned, Stardot 789, and Michaelangelo). We use Virhunt as a scanner/cleaner, and use Norton as an interceptor.

Norton AntiVirus vs. Stardot was notable, though. Norton 2.0 (20all06.def) and 2.1 both identified this as V801 instead. (Both Stardot and V801 are non-destructive .COM and .EXE infectors, which come in varying lengths: boring stuff, really.) V2.0 said it couldn't clean it in an error-laden text box; V2.1 tried to clean it, leaving unusable files behind. Virhunt cleaned all the files neatly. Still, Norton did the intercepts.

All of this has led to a few questions:

- are StarDot and V801 related?
- how stealthy was Michaelangelo, and does it survive warm boots?
- can you tell where the start and end of an infected file are supposed to be algorithmically, so that one routine could trim off all length-variants of one or more virii?

Since Stoned + Michaelangelo = bye-bye FAT, this is getting very interesting. (I've sent the Stardot to Norton, so maybe on their next update...)

Good luck.
KpK

------------------------------

Date: Tue, 22 Sep 92 12:55:01 -0000
From: Victor_Smith@f2.n310.z9.virnet.bad.se (Victor Smith)
Subject: New virus !!! (PC)

Hi Folks!

A new virus has been discovered in The Netherlands! The first report was received from Andreas Reinicke of Hogeschool Eindhoven on September 20th, 1992.
ATTENTION: The virus is quite dangerous and will probably spread very fast due to several stealth tricks used in it.

Virus Name: Terminator-II (not to be confused with the Terminator described in VSUMX)
Detection: Gobbler-II v3.0
Disinfection: Gobbler-II v3.0+

Description:
Aliases:
Length of virus: 2294 bytes
Classification: Program (COM, EXE) infector; memory resident; stealth
Easy Identification: File allocation errors shown by CHKDSK. The amount of free memory is decreased by 2448 bytes.
Type of Infection: The virus appends itself to the end of an EXE or COM file and changes the CS:IP in the EXE header or places a JMP to the virus code in COM files. Only files bigger than 1388 bytes will be infected. Files with "SCAN" anywhere in the name will not be infected.
Infection Trigger: Open and Load/Execute DOS services.
Interrupts hooked: 21h (DOS services); functions: 0Fh (Open_FCB), 11h (Find1st_FCB), 12h (FindNxt_FCB), 3Dh (Open), 3Eh (Close), 3Fh (Read), 42h (Seek), 4Eh (Find1st), 4Fh (FindNxt), 4B00h (Load/Execute), 4B01h (Load), 6Ch (Extended_Open).
Memory location: Top of system memory but below the 640K boundary; usually the virus locates itself at 9F67:0000. The virus allocates memory by decreasing the size of the last "Z" Memory Control Block by 2448 bytes.
Self-Identification:
  1) On media: the last two bytes of the virus are equal to 1000h, and the seconds value of the file time is set to 56.
  2) In memory: function 4BFEh of the DOS services reconstructs and executes the program if the virus is in memory; otherwise the virus continues execution and installs itself in memory.
Damage (payload):
  First part: slows down the computer and mixes up output to the printer: the case of every 16th character will be reversed and 0 will be changed to 9.
  Second part: displays the string "TERMINATOR", overwrites CMOS, overwrites one side of all hard drives.
Damage Trigger: Two months after infection, if the second bit of the date is non-zero, the first part of the payload will be triggered; otherwise, if the date is more than two months plus ten days after the date of infection, the most dangerous part will be installed.
Comments: Due to some new techniques the virus is almost invisible when it is active in memory. It has protection against being "cured" by packing infected files; most stealth viruses can be disinfected by such a trick, because usually a stealth virus returns a clean file to the system, and the file becomes clean during packing.

================================>CUT HERE<================

Regards,
VS

------------------------------

Date: Thu, 24 Sep 92 13:31:30 +0000
From: swarupv@gov.on.ca (Vivek Swarup)
Subject: FLIP, TELECOM, SCREAMING FIST and MBR type Viruses using F-prot (PC)

Our PCs are scanned using Central Point Anti-Virus (CPAV) upon boot. On 1 of our PCs CPAV detected some virus but could not tell us which one. We obtained a copy of f-prot V2.02, which indicated this system had a FLIP virus. We obtained a new version of f-prot (v2.05), which indicated the PC has the TELECOM virus. Shortly thereafter we had difficulties booting the PC. After considerable work, we renamed the CONFIG.SYS and were able to boot the system. Meanwhile, similar difficulties occurred on another system on which f-prot indicated a Flip virus, then a Telecom virus and then a Screaming Fist virus existed before it became un-bootable. We have rectified these systems. F-prot is reporting the FLIP or Telecom virus on many other systems. Of course, we ensured CPAV was removed before re-running f-prot.

Any insight into either these viruses, stealth viruses or f-prot would be appreciated. If you are aware of magazines or articles we can subscribe to or any good books, especially on stealth viruses, please let me know.

In advance, thanks for your help.

Vivek
swarupv@moh.gov.on.ca

PS. I am a new user to Internet, News, and vi.
Having fun (at times) but am primarily on the learning curve.

------------------------------

Date: Thu, 24 Sep 92 19:09:53 +0000
From: mechalas@mentor.cc.purdue.edu (John Mechalas)
Subject: VIRSCAN detects Yankee-Doodle 2885 (PC)

The PC-compatibles in our labs are using the IBM anti-viral package VIRSCAN, version 2.1.9. Recently, we have been getting a handful of reports of the Yankee Doodle-2885 virus in some of our .EXE files. So far we have been able to eliminate the viruses by replacing the infected files. My questions are as follows:

1) Does VIRSCAN have a tendency to cause a false positive for Yankee Doodle? I think we really do have a virus, but I'd like to check this option anyway.

2) I checked F-Prot's virus base, but of course every virus is labeled differently between scanners. :) Which version of Yankee Doodle do we have, as in what does this strain do?

Thank you for your help.

--
John Mechalas                        [This space intentionally left blank]
mechalas@mentor.cc.purdue.edu
Purdue University Computing Center   Help put a ban on censorship
General Consulting                   #include disclaimer.h

------------------------------

Date: Thu, 17 Sep 92 07:56:00 -0000
From: Jeff_Claggett@f5030.n492.z9.virnet.bad.se (Jeff Claggett)
Subject: Infection question re COMMAND.COM viruses (PC)

Hello All!

I have a quick question on COMMAND.COM infecting viruses. Do the majority of these viruses go for the file COMMAND.COM, do they go for the COMSPEC= file, or do they go for the SHELL= file from the config.sys? I was wondering, because I no longer have COMMAND.COM, whether they would infect 4DOS.COM or not.

Bye now,
Jeff Claggett
Frankfurt, Germany
GlobalNet: 52:5200/111   FidoNet: 2:249/80.2   Fly-Net: 196:8010/5   C-Net: 20:100/6202   VirNet: 9:492/5030   CompuServe: 71155,2323

------------------------------

Date: 25 Sep 92 15:43:22 +1000
From: U8945535@csdvax.csd.unsw.EDU.AU
Subject: Is there a new virus (720K disks)? (PC)
Does anybody know of a virus that causes problems with 720K disks? I have heard a rumour that there is a virus that will prevent 720K disks from being read or formatted. This virus apparently does not affect 1.44K disks. I have tried several machines and several new disks and I can't work out what the problem is. It would be kind of reassuring if it was simply a virus (maybe not a simple cure though!)

------------------------------

Date: Fri, 25 Sep 92 08:14:35 +0000
From: cj@info.ucl.ac.be (Christine Jacqmot)
Subject: Boot sector infected ! Virus ? (PC)

I think I got a virus on my PC, but it is not detected by viruscan 8.5v91 from McAfee. The boot sector has been modified with the following byte sequence:

08 01 00 02 00 02 00 00 F8 A0 00 1A 00 0E 00 1A

The effect is the following: whenever we try to read or write a floppy, the displayed message tells us that there is "0 byte free, 0 byte allocated" on the floppy and then the contents of the diskette are lost. The problems began after having used CD-ROMs which contain demos of products available as shareware (but maybe this is pure coincidence!)

I'm afraid it will take some time before I get the latest version of McAfee's Viruscan. Does someone know which anti-virus available on which anti-viral archive site could help me ... if those problems are due to a virus, of course!

Thanks in advance

----
Christine JACQMOT   Research Assistant   Universite Catholique de Louvain
Unite d'Informatique - Computer Sc. Lab.   2, Place Sainte-Barbe   B-1348 Louvain-la-Neuve   BELGIQUE
Tel: ++32 10 47 23 87   Fax: ++32 10 45 03 45   E-mail: cj@info.ucl.ac.be

------------------------------

Date: 23 Sep 92 08:42:57 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses and OS/2 (OS/2)

btf57346@sumter.cso.uiuc.edu (Byron Thomas Faber) writes:

> I'm currently using os/2 with no virus protection because I know of

This is not very wise, IMHO...
> nothing that would work correctly with os/2 (for protection methods).

IBM's user-programmable scanner VIRSCAN works both under DOS and OS/2. S & S International has a version of Dr. Solomon's Anti-Virus ToolKit for OS/2. Unfortunately, both products are commercial.

> I don't believe that a lot of viruses (current) will run under os/2.

True, but some of them will. Recall that OS/2 2.0 claims to be able to run any DOS or Windows program. Therefore, it should be able to run at least some viruses. In general, MBR infectors can infect any IBM PC compatible computer, even if it runs OS/2. Indeed, they are unable to spread after OS/2 has booted, but if the virus is Michelangelo and the date is March 6, guess what happens... Furthermore, most file infectors that do not use dirty tricks will happily infect in the DOS sessions. The "nice" thing is that since all DOS sessions use one copy of the command interpreter, if a virus succeeds in infecting it, this means that it will infect all DOS sessions. So, you'd better get some protection...

> Does anybody know anything about os/2 and viruses who can
> tell me if I'm right or wrong?

Currently there are no OS/2-specific viruses (although they can be easily written). A computer which runs OS/2 is more virus-resistant than a DOS-only box. (The same holds for computers that run Windows, BTW.) Most viruses that infect EXE files will fail to infect the OS/2 executables correctly (they will damage the files). However, virus-resistant does not mean virus-proof. You should use some protection. Since OS/2 provides memory protection, writing a good protection program for it should be easier. Therefore, scanners definitely should not become the main line of defense under OS/2...

Does anybody know whether the ASP Integrity Toolkit has an OS/2 version?
Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.: +49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: Tue, 15 Sep 92 09:10:32 -0400
From:
Subject: Help! Strange Macintosh Happenings... (Mac)

I came into work this morning, turned on my Mac as usual, and after all the extensions had loaded a box appeared saying:

"Sorry, a system error occurred. address error
To temporarily turn off extensions, restart and hold down the shift key"

I did this, and got the exact same error. Then I got a 6.07 startup diskette out and booted no problem... so I thought. As soon as I launch ANY program on the HD, launching begins then halts saying "Bus error". I am able to launch programs that were on my startup diskette like TeachText, and I can delete files from my hard drive, but still I cannot launch any programs located on the HD. I have removed just about everything from the system folder that may be causing a conflict, but when I try to reboot without the 6.07 diskette, I get the same initial error! Help! Many projects depend on getting this working! All help will be greatly appreciated... Thanks.

Roderick Murchison, Jr.
Population Research Institute
Penn State University
murchiso@darwin.pop.psu.edu
rxm108@psuvm.psu.edu
office: (814) 863-8321

------------------------------

Date: 23 Sep 92 11:33:51 +0000
From: rgasch@nl.oracle.com (Robert Gasch)
Subject: Internet Worm SUMMARY (UNIX)

A while back I requested references regarding papers about the internet worm of November 89. Here is the promised summary of articles which I have collected. These seem to be the major reports covering the incident.
There are doubtless a million other newspaper clippings one could add to this list, but I doubt that most of those would be very informative, as the articles below cover the subject in depth. The number after the author's name indicates the source I obtained the particular article from. All of these articles are available from numerous sources, so don't be surprised when you stumble across these articles somewhere else. I'd like to apologize that it took me so long to compile this list, but I do not have direct FTP access and have to work via an FTP server, which slows things down. Lastly I'd want to thank all the people who responded to my query and all the kind souls that actually sent me articles. The archives which I obtained the articles from are a good place to nose around for other interesting things regarding security and viruses. I found some worthwhile reading there. If anybody has any other articles which I did not catch then please let me know, as I'd like to read them myself.

Here's the list:

Eugene Spafford:
  The Internet Worm Program: an Analysis (Purdue CS Technical Report TR-CSD-823) (1)
  The Internet Worm Incident (Purdue CS Technical Report TR-CSD-933) (1)
  The Internet Worm: Crisis and Aftermath (2)
    ACM, June 1986, vol 32, number 6

Donn Seeley:
  A Tour of the Worm (3)
    - needs some hacking around before it will print on a non-laserwriter

Mark Eichin and Jon Rochlins:
  With a Microscope and Tweezers: An Analysis of the Internet Virus of November 1988 (also known as the MIT paper) (4)

The Cornell Commission (Ted Eisenberg, David Gries and others):
  The Computer Worm (5)
    Available from Cornell (call 607-255-3324)

United States Court of Appeals (6)
  Document 928 F2D 504 - Court statement on Morris' appeal

Denning
  Computers Under Attack: Intruders, Worms and Viruses
  Addison Wesley Pub Co Inc. (ISBN: 0-201-53067-8)
  I've never seen this one so I can't judge if it's any decent, but I've included it for the sake of completeness.
Sources:
(1) - ftp.cs.purdue.edu (/pub/spaf/security)
(2) - any good technical library
(3) - cs.utah.edu (/pub)
(4) - cert.sei.cmu.edu (/pub/virus-l/docs)
(5) - call or write Cornell technical publications (607-255-3324)
(6) - ftp.eff.org (/pub/cud/papers)

PS: European users may want to check out the archives in ftp.informatik.uni-hamburg.de

Cheers
--> robert
rgasch@nl.oracle.com

------------------------------

Date: 23 Sep 92 07:59:15 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: "New trends and other stuff"

seborg@csrc.ncsl.nist.gov (Brian Seborg) writes:

> some dismay. Regarding the "new trend" to allow your computer to boot
> off of the C: drive rather than the a: drive, this is not new. Hasn't
> anyone heard of a Zenith 248? The military only has about 650,000 of
> them. This boot redirection has been re-definable in cmos for
> some-time. We're talking pre 1988 here.

The "new" in the trend is that nowadays more and more BIOS producers are providing this feature.

> Regarding Cohen's paper, I guess I am somewhat tired of hearing about
> a paper that I do not have a copy of and perhaps that is making me
> somewhat testy, but let's be serious about network security. I hope

The paper is in the proceedings of the 2nd Virus Bulletin conference. You can order the proceedings from Virus Bulletin.

> we are not going to have to find out that networks can be set up in an
> un-secure manner. What a surprise! I work in a Banyan environment

The point in Cohen's paper is that the "obvious" way to set up a Novell LAN is insecure, not that it is not possible to set it up in a secure way, or that it can be set up in an insecure manner. I have quoted the secure settings listed in his paper in one of my previous messages. Take a look at them, then take a look at the LANs you have seen. Are they set up in this (secure) way? Till now only Padgett has succeeded in figuring out himself what the secure settings are...
The average supervisor usually makes a mistake or two, exactly because the secure settings are not obvious. And the equations that I quoted concern only the effective file rights. If you try to take into account all inheritance masks, the task becomes even more difficult.

> to a nation-wide WAN, I have some experience here. I understand the
> need to quantify security policy, but taking common practices and
> reducing them to set notation for the sake of publishing a paper seems
> to do nothing to advance the field.

I disagree. The paper clearly lists what the secure settings are, mentioning why any other settings can be bypassed. It emphasizes that the ExecuteOnly attribute should not be trusted, because it can be easily bypassed - and do you know how many Novell LAN users rely on it for protection? There are many other interesting things in the paper. The only problem is that it concerns mainly version 3.x of NetWare (and the Unix NFS servers, but this is another story). In our tests at the VTC-Hamburg we have found that version 2.15 is -completely- different and the equations for the secure settings in it are also very different from the ones listed in Dr. Cohen's paper. I'll summarize the results of our tests in an article, which I hope to post here soon.

> 1) Set the access rights for applications drives (file-services) to
> read only for all users including administrators. Administrators can
> always change the permissions back temporarily when making updates or
> changes, but will be protected from inadvertently infecting the system
> in general.

Unfortunately, under Novell NetWare and Unix, the person with supervisor (root) privileges can bypass the protection, without having to modify the permissions...

> Some programs require users to have modification rights to
> applications directories.
> My experience suggests that most programs
> of this sort can be set up so that users are given modify rights to
> some files which are put in a separate directory, and the application
> itself can still be write-protected. This is true for Paradox for

It might be true for Paradox, but it isn't for dozens of other applications... But I agree with you that such applications have to be avoided.

> 2) If possible, do away with all file services where multiple users
> have write-access (except in small groups). "Bit Bucket" file
> services where everyone has write access are good places for Trojan
> Horse programs, companion, and path companion viruses (or standard
> trojans), and, in addition, are hard to manage since determining
> ownership is a problem. If you must have these type of file services,
> limit the number of users (i.e. fragment them into smaller chunks, by
> functional working group for example), don't allow any .bat, .com,
> .exe, files to reside in these directories. Any applications,
> including batch files, should reside in write-protected areas.

As I have described in my paper (available by anonymous ftp), there exists a form of virus attack, involving PATH-companions and at least one writable directory - be it the user's home directory on the server, or one of the local workstation's directories. The attack is not specific to Novell and allows a virus to bypass any protections and to make all protected applications look and behave as if they are infected. Fortunately, the infection does not spread between users.

> Also, make sure that users' path statements do not contain directories
> where multiple people have write-access. This is not only
> unnecessary, but dangerous as well.

Problem is, the PATH variable cannot be protected at all, due to the lack of memory protection in Messy-DOS...

The rest of your suggestions are very sound and should be carefully followed by all LAN users, regardless of the LAN type.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 23 Sep 92 20:03:48 -0700
From: rslade@sfu.ca
Subject: Macmag virus - spread (CVP)

HISVIRC.CVP 920903

MacMag virus - Spread

Brandow claims to have infected two computers in MacMag's offices in December of 1987 in order to "seed" the infection. It probably isn't beyond the bounds of possibility that a few deliberately infected disks were distributed as well.

A resource (named DREW in the HyperCard stack and DR in its viral form) was copied into the System folder on Mac systems. The System folder, as the name implies, is the "residence" of the operating system files. With the resource-based structure of the Mac OS, the operating system can be configured and customized by "dropping" resources into the System folder. (MS-DOS users, tired of fiddling with entries in CONFIG.SYS, conflicting TSRs and the like, might be warned that this does not always work as easily as it sounds.)

"Bootable" Mac disks contained a System folder, in the same way that "bootable" MS-DOS disks contain the "hidden" system files and COMMAND.COM. In those days, "system" disks were much more common than they are now. In addition, Mac users would often create "system" disks that would have specialized configurations. (I well remember, at the time, a number of Macintosh programs which would work with one specific version of the Finder only. This would put the user in the position of having to "downgrade" the computer each time it was desired to run these programs.)

The Mac OS "opens" each disk inserted into the machine.
Therefore, on an infected machine, any diskette which was inserted into the drive would have the MacMag virus copied into its System folder.

The MacMag viral resource was placed into the folder as an "INIT". This meant that it would be one of the "initial" programs automatically run on system startup. Many, if not most, INITs are background or resident programs which either monitor or support different functions on an ongoing basis. Therefore, this was a perfect position for a virus. On an ongoing basis it would be able to watch for opportunities to spread.

The MacMag virus was not a sophisticated piece of programming. As one of the earliest Mac viral programs (one of the (rarely used) names for it was the "Macinvirus"), it didn't have to be. (Some would say that Mac viri don't have to be sophisticated anyway. Although the Mac world has far fewer viral strains than does the MS-DOS world, infection rates of a given virus have tended to be far higher in Mac populations.) There is no particular secrecy to the MacMag virus. Anyone who looked could find it. Few, however, looked.

copyright Robert M. Slade, 1992   HISVIRC.CVP 920903

==============
Robert M. Slade
Vancouver Institute for Research into User Security, Canada V7K 2G6
ROBERTS@decus.ca | Robert_Slade@sfu.ca | rslade@cue.bc.ca | p1@CyberStore.ca
(ASCII-art logo swiped from Mike Church @sfu.ca)

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 155]
******************************************
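Editor's added example (not part of the digest, and not code posted by Seborg, Bontchev or Cohen): Bontchev's reply above turns on two of Seborg's recommendations, that no directory several users can write to should appear in a user's PATH, and that no .bat/.com/.exe should live in such a directory, and on the PATH-companion attack that exploits exactly that. The script below audits a DOS-style PATH for these conditions. It assumes the COMMAND.COM search order (current directory first, then PATH entries in order; within a directory NAME.COM before NAME.EXE before NAME.BAT) and uses the Unix group/world write bits as a stand-in for "multiple people have write access", since NetWare effective rights are not available here. The directory and file names (`shared`, `apps`, `word.exe`, `word.com`, ...) are constructed for the demonstration; the `writable` and `lister` parameters are injectable so the logic can be exercised on a model tree as well as on a real one. Bontchev's own paper is not on this page, so the script implements only the checks Seborg lists, not the specific attack Bontchev describes.

```python
import os
import stat
import tempfile

# COMMAND.COM tries the current directory first, then each PATH entry in order;
# inside one directory it tries NAME.COM, then NAME.EXE, then NAME.BAT.
EXEC_EXTS = (".com", ".exe", ".bat")


def is_shared_writable(path):
    """Stand-in for "several users can write here": group- or world-write bit set.
    (Assumption for this example; on NetWare you would read effective rights instead.)"""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def list_executables(path):
    """Lower-cased, sorted names in `path` that DOS would treat as executable."""
    try:
        names = os.listdir(path)
    except OSError:
        return []
    return sorted(n.lower() for n in names if n.lower().endswith(EXEC_EXTS))


def audit_path(path_value, cwd=None, writable=is_shared_writable, lister=list_executables):
    """Audit a DOS-style PATH and return a list of (kind, detail) findings:
         writable-dir      a PATH entry that several users can write to
         exec-in-writable  a .com/.exe/.bat sitting in such an entry
         shadowed          a command whose first match is in a writable directory while
                           a copy also lives in a later, protected one (PATH companion)
         companion-pair    NAME.COM next to NAME.EXE in the winning directory (.COM runs first)
    `writable` and `lister` are injectable so the logic can be run against a model tree."""
    dirs = [d for d in path_value.split(os.pathsep) if d]
    search = ([cwd] if cwd else []) + dirs
    findings = []

    for d in dirs:
        if writable(d):
            findings.append(("writable-dir", d))
            for name in lister(d):
                findings.append(("exec-in-writable", os.path.join(d, name)))

    # base name -> [(search position, extension rank, directory, file name)]; sorting
    # such a list yields exactly the order in which COMMAND.COM would try the candidates.
    candidates = {}
    for pos, d in enumerate(search):
        for name in lister(d):
            base, ext = os.path.splitext(name)
            candidates.setdefault(base, []).append((pos, EXEC_EXTS.index(ext), d, name))

    for base, hits in sorted(candidates.items()):
        hits.sort()
        win_pos, _, win_dir, win_name = hits[0]
        if writable(win_dir) and any(not writable(d) for _, _, d, _ in hits[1:]):
            findings.append(("shadowed", "%s: %s runs before a protected copy"
                             % (base, os.path.join(win_dir, win_name))))
        exts_in_winner = {rank for pos, rank, _, _ in hits if pos == win_pos}
        if {0, 1} <= exts_in_winner:
            findings.append(("companion-pair",
                             os.path.join(win_dir, base + ".com") + " shadows " + base + ".exe"))
    return findings


def build_demo_tree():
    """Constructed sample layout: a world-writable "bit bucket" ahead of a read-only
    application directory, with a companion word.com planted in the bucket.
    Returns (root, PATH value)."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    shared = os.path.join(root, "shared")
    apps = os.path.join(root, "apps")
    os.mkdir(shared)
    os.mkdir(apps)
    for d, names in ((apps, ("word.exe", "calc.exe")), (shared, ("word.com", "notes.bat"))):
        for n in names:
            open(os.path.join(d, n), "w").close()
    os.chmod(shared, 0o777)   # everyone may write: Seborg's "bit bucket"
    os.chmod(apps, 0o555)     # write-protected application directory
    return root, os.pathsep.join([shared, apps])


if __name__ == "__main__":
    root, path_value = build_demo_tree()
    for kind, detail in audit_path(path_value):
        print("%-17s %s" % (kind, detail))
```

Run against the demo tree, the audit reports the writable directory, the two executables inside it, and that `word.com` in the bucket is what a user typing `WORD` actually runs, ahead of the protected `word.exe`. Moving the bucket behind the application directory in the PATH only changes which finding appears, not the exposure: the `.COM` is still planted where users can write, which is why Seborg's advice is to keep such directories out of the PATH entirely.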