VIRUS-L Digest             Tuesday,  3 Oct 1989        Volume 2 : Issue 210

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list.  Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk

Today's Topics:

re: Why not change OS?
re: Future AV software (PC)
List of PC viruses
VGA2CGA.ARC (or .ZIP) infected with virus (PC)
Re: Future AV software (PC)
Re: Posting to VALERT-L re: M-1704 (PC)
nVIR B (Mac)
Re: Viruses in Commercial Software
New PC Virus (AIDS Virus)

---------------------------------------------------------------------------

Date:    02 Oct 89 00:00:00 +0000
From:    David.M..Chess.CHESS@YKTVMV
Subject: re: Why not change OS?

Hm.  You seem to be assuming, among other things, that:

- If a virus can't talk directly to the hardware or to files belonging
  to other folks, it can't do any serious harm, and
- UNIX programs are exchanged only as source, not as binaries.

I'd disagree with both of those claims; the Jerusalem virus, one of the
most widespread and troublesome in the PC world, doesn't talk directly
to the hardware, and doesn't rely on being able to write out of the
user's own space.  I imagine everyone on the list can think of a number
of nasty/destructive/confusing things that a virus could do even if it
only had access to the user's own data files, and couldn't write direct
to hardware (I won't list any here, hehe!).
As UNIX and UNIX-derived systems continue to spread beyond the
programmer community, program exchange among groups using the same
hardware will tend, I would expect, to include more exchange of
binaries.  I wouldn't expect to see a virus that could infect more than
one or two hardware platforms in the near future (cross fingers), but a
virus that could spread to any machine in one of the more popular UNIX
hardware categories would be quite enough to cause problems for lots of
folks!

While I don't know of any UNIX viruses at the moment, I would disagree
with the suggestion that UNIX is inherently virus-resistant enough to
make it worthwhile switching OS's in hopes of being able to forget about
virus protection!  The same applies to any other general-purpose OS
around; viruses *don't* need insecure systems to spread and do Bad
Things.  That's the whole point...

DC
IBM T. J. Watson Research Center

UNIX is a trademark of AT&T (or Bellcore, or someone like that)

------------------------------

Date:    02 Oct 89 00:00:00 +0000
From:    David.M..Chess.CHESS@YKTVMV
Subject: re: Future AV software (PC)

Unfortunately, it's just about impossible to scan for new viruses by
examining the on-disk image of programs, and looking for things like
INTs.  Three (at least) of the families of PC viruses out in the world
today store themselves on disk in "garbled" form, with only a little
"degarbler" stored in clear.  That degarbler doesn't contain any INTs or
other suspicious instructions, and the garbled part of the virus appears
to be random data.  The nasty instructions don't appear until the virus
executes, and the degarbler converts the garbled stuff to code.  So it's
really only possible to catch these things at runtime (as Flushot+ and
similar programs try to do), not on disk...

DC

------------------------------

Date:    Mon, 02 Oct 89 17:54:26 +0200
From:    Y. Radai
Subject: List of PC viruses

On May 16 I submitted a list of 20 PC viruses to VIRUS-L.
Since then, the Terrible Twenty have become the Threatening Thirty (Plus
Two).  Here's the list updated to the present (well, actually, only to
yesterday; at the current rate there'll probably be at least five more
today :-) ).

                            PC-DOS/MS-DOS Viruses
                            =====================

                                        No. of                              First
No.  Names                              Strains  Type                       Appearance
---  ---------------------------------  -------  -------------------------  ----------
 1.  Brain, Pakistani, Ashar               8     Boot sector 7K F           Jan? 86
 2.  Merritt, Alameda, Yale                8     Boot sector 1K F           Apr? 87
 3.  South African, Friday 13th            2     COM D                      ? 87
 4.  Lehigh                                2     COMMAND.COM RO 0           Nov 87
 5.  Vienna, Austrian, Dos-62, Unesco      3     COM D 648                  Dec? 87
 6.  Israeli, Friday-13, Jerusalem        12     COM/EXE R 1813/1808        Dec 87
 7.  April-1-Com, Suriv-1                  1     COM R 897                  Jan 88
 8.  April-1-Exe, Suriv-2                  1     EXE R 1488                 Jan 88
 9.  Ping-Pong, Bouncing-Ball, Italian     3     Boot sector 2K             Mar 88
10.  Marijuana, Stoned, New Zealand,       2     Boot sector 1K;            Early 88
     Australian                                  partition record on
                                                 hard disk
11.  Nichols                               1     Boot sector                Apr 88
12.  Missouri                              1     Boot sector                May 88 (89?)
13.  Agiplan                               1     COM R 1536                 Jul 88
14.  Cascade, Autumn, Blackjack            6     COM R 1701/1704            Sep 88 (87?)
15.  Oropax, Music                         1     COM RD 2756 to 2806        Feb 89
16.  DenZuk, Venezuelan, Search            6     Boot sector 7K F           Early 89?
17.  Dbase                                 1     COM/EXE R                  Mar? 89
18.  DataCrime                             2     COM D 1168/1280            Mar 89
19.  405                                   1     COM DO 405                 Apr? 89
20.  Screen                                1     COM R                      May? 89
21.  FuManchu                              1     COM/EXE R 2086/2080        May? 89
22.  Ohio                                  1     Boot sector                May 89
23.  Icelandic, Saratoga                   3     EXE R 656/642/632          Jun? 89
24.  Typo                                  1     Boot sector 2K             Jun 89
25.  Traceback                             1     COM/EXE RD 3066            Jun 89
26.  Disk Killer                           1     Boot sector                Jun? 89
27.  Swap                                  1     Boot sector 2K             Jul 89
28.  DataCrime II                          1     COM/EXE D 1514             Jul 89
29.  Vacsina                               1     COM/EXE R 1206             Aug 89
30.  Mix1                                  1     EXE R 1618                 Aug 89
31.  Syslock, 3555                         1     COM D 3555                 Sep 89
32.  Dark Avenger                          1     COM/EXE 1800               Sep 89
                                          --
                   Total no. of strains   77

Summary by type: Boot = 11, COM = 10, EXE = 3, COM/EXE = 7,
COMMAND.COM = 1.  Among file viruses, Resident = 12, Direct = 6,
Resident-Direct = 2.

Notes:

1. In the "Type" column, "COM" or "EXE" indicates the type of files
   infected.  "R" stands for "resident", meaning that when an infected
   program is run the virus makes itself RAM-resident (hooking one or
   more interrupts); usually such a virus infects subsequently executed
   programs of the appropriate type, e.g. COM files.  "D" stands for
   "direct", meaning that it searches the disk for an uninfected file
   and infects it; normally such a virus does not stay resident.
   (However, it is possible for a virus to be both resident and direct
   in this sense.)  "O" indicates that the virus overwrites the
   beginning of the file instead of appending or prepending itself to
   it.  The number(s) after the "R" or "D" indicate the number of bytes
   by which the virus extends files which it infects (however, in the
   case of EXE files, the total size of the file after infection will
   get rounded up to the next multiple of 16 if it is not already such
   a multiple).  The number after the "O" is the number of bytes
   overwritten.  In the case of a boot-sector virus, the number of the
   form "nK" indicates the amount of RAM which the virus occupies.  "F"
   means that the virus infects only diskettes.

2. I include only those viruses which have spread publicly, as opposed
   to localized test viruses (of which there may be hundreds).  (The
   "Pentagon virus" is deliberately excluded since as far as I know it
   has not spread publicly; in fact, in the form it was received in the
   UK, it cannot spread at all.)

3. By definition of "virus", this list does not include
   non-replicating software.

4. Questionable cases:

   (a) I suspect that the "Lotus 123 virus" and the "Cookie virus"
       reported recently in VIRUS-L may not be true viruses, and I have
       therefore decided not to include them, at least for the time
       being.

   (b) Although I have included the Dbase and Screen viruses reported
       by Ross Greenberg, no one else currently on VIRUS-L seems to
       have encountered them.
       Jim Goodwin claimed that Dbase does not replicate and hence is
       not a virus, though it's possible that Jim and Ross were talking
       about two different things.

   (c) In May 88 I read about a "retro-virus" which infects 3 specific
       programs and is capable of reinfecting files after apparently
       being eradicated.  Does anyone have any further info on this
       virus?

   (d) I have heard of spreadsheet viruses which occasionally change a
       value by a small amount, but I have not included them in the
       table.  Further info would be appreciated.

We frequently find new viruses which have evidently been created by
using an existing virus as a starting point and then modifying it.
When should the new creature be considered a new virus and when should
it be considered as merely a new strain of the same virus?  The
criterion I have tried to follow (though I probably haven't been
entirely consistent) is as follows: If the "damage" part of the virus
has been qualitatively altered, or if a virus has been altered to
infect additional files (e.g. EXE files where the original infected
only COM files), then I classify it as a separate virus.  (E.g.
although FuManchu, Typo, DataCrime-2, and Mix1 are based on
Israeli-Friday13, Ping-Pong, DataCrime-1 and Icelandic-1, resp., I
consider these as separate viruses.)  If code has been altered, but
only by something minor, such as changing a target date or the number
of infections required to trigger the damage, or if the alteration
seems to be merely an attempt on the author's part to *improve* the
code of an existing virus without adding new features, then I regard
it as a different strain of the same virus.  If the only difference is
that only strings (e.g. messages or volume labels) have been modified,
then I do not consider it as even a separate strain.

Corrections and additions to this list are welcome.  (I'm particularly
curious about those questionable dates.)
Please send your corrections directly to me; I'll post an updated
version of this table from time to time.

I have received suggestions to include additional info in the table,
such as the symptoms and damage caused by each virus, what types of
disks it infects, etc.  While I agree that such information would be
very useful, it is beyond the intended scope of this table, both
because of the difficulty of describing this information in such a
short space and because the answers often depend on the particular
strain of the virus.  This would make the table much more complicated
than it was intended to be.  Those interested in further information
on the viruses listed here will eventually find it in various catalogs
under preparation, e.g. one by David Ferbrache and another by the Virus
Test Center at the Univ. of Hamburg (these include non-PC viruses as
well).

Acknowledgments: I have drawn on information provided by many people.
Postings in VIRUS-L are too numerous to mention individual names, but
among those who have corresponded with me personally, I would like to
thank Dave Ferbrache, Dr. Alan Solomon, Joe Hirst, Prof. Klaus
Brunnstein, Fridrik Skulason, John McAfee, Bernd Fix, Otto Stolz, and
David Chess.

                                          Y. Radai
                                          Hebrew Univ. of Jerusalem

------------------------------

Date:    Mon, 02 Oct 89 11:08:00 -0600
From:    Keith Petersen
Subject: VGA2CGA.ARC (or .ZIP) infected with virus (PC)

A BBS operator in the Detroit area received an MSDOS program infected
with a virus.  The file, VGA2CGA.ARC (or .ZIP) - a program which claims
it can display VGA graphics on a CGA display - has not been distributed
in Detroit and no systems were affected as far as we know.  The
date/time stamps of the member files in this archive are April 1, 1989
(April fools day).

The BBS in California where this file was obtained has been notified
to remove the file.

Please let me stress that SIMTEL20 does NOT have this program in its
archives.
I am just acting as a go-between to pass the warning to this newsgroup.

[Ed. See followup, on "AIDS" virus, from Alan Roberts in this digest.]

- --Keith Petersen
Maintainer of SIMTEL20's CP/M, MSDOS, and MISC archives
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil  [26.2.0.74]
Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz

------------------------------

Date:    02 Oct 89 21:32:49 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Re: Future AV software (PC)

In article <0014.8910021145.AA27888@ge.sei.cmu.edu>
carroll1!tkopp@uunet.UU.NET (Tom Kopp) writes:
| A version/variant of ViruScan would run, searching not for
| viral-identifying code, but rather for the interrupt calls that write
| to a disk (a la Flu_Shot techniques).  When it finds one, it looks in
| a table to see if that code is allowed.

There is a program to do this already.  CHK4BOMB will scan a program
and report on anything "suspicious" it finds.  This was originally
meant to find Trojan Horses, but could work against some viruses as
well if used in conjunction with other programs.  One thing it cannot
find is code which is self-modifying, thus hiding the actual low-level
access to the disk controller.

- --
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date:    Mon, 02 Oct 89 18:18:56 -0500
From:    James Ford
Subject: Re: Posting to VALERT-L re: M-1704 (PC)

I recently posted a question on VALERT-L about the file M-1704.EXE.
SCAN V36 stated that it was infected.  I now know, from McAfee and
others, that the 1704 virus is encrypted.  Since it is, M-1704 must
have a specific hex search string in it....one that will indeed cause
SCAN to flag it.  This is *normal* (that's as technical as I can
get....I don't know more, and what I just said is probably technically
wrong).

I hope that my posting of the VALERT-L message does not reflect
negatively on the Wellspring BBS.
The Wellspring BBS is a top-notch BBS, and its anti-viral file
collection is among the best in the country.  If I gave you a wrong
impression of Wellspring, I apologize.  I would post this statement
about the Wellspring BBS on VALERT-L, but have been informed that
VALERT-L is not supposed to be carrying such postings.

JF

------------------------------

Date:    Mon, 02 Oct 89 19:46:00 -0500
From:
Subject: nVIR B (Mac)

I recently came across the nVIR B virus on a cluster of Macs.  I
removed it using Disinfectant 1.5 and it appears to be gone.  What
problems does nVIR B cause?  Does it delete files, do annoying things,
or simply spread?  Being a semi-public cluster, how much of a concern
is its presence?

------------------------------

Date:    03 Oct 89 02:23:01 +0000
From:    bnr-di!borynec@watmath.waterloo.edu (James Borynec)
Subject: Re: Viruses in Commercial Software

In article <0008.8909281133.AA14331@ge.sei.cmu.edu>,
TMPLee@DOCKMASTER.ARPA writes:
> In commenting on viruses being distributed (accidentally, of course)
> through commercial software someone recently mentioned that someone
> near him had been hit by a virus that was in a shrink-wrapped copy of
> WordPerfect.  I'm skeptical...

It happened.  A co-worker bought a copy of WordPerfect for his Amiga.
When it came to him, it was infected.  Those are the facts as he told
them to me.  If anyone wants more details I am willing to supply them.
It probably won't do any good because the problem has been fixed.  If
anyone is collecting historical information and wants more details
send E-mail.  (BTW. to the person who sent me E-mail on this topic,
did my reply get through to you?)

The story behind this goes something like: WP sold the distribution
and support rights for the Amiga version of WP for Canada to a company
in Ontario.  That company had some problems.  That company no longer
has the redistribution rights.

I personally have been hit TWICE by viruses in commercial software.
From different vendors.
Once when I was examining a popular speech synthesis package for my
Mac, and once when we got our TI micro-explorer.  Just the thing,
factory loaded viruses.

To summarize: It happens.  Treat ALL software entering your system
with caution.

James Borynec
- --
UUCP : utzoo!bnr-vpa!bnr-di!borynec    James Borynec, Bell Northern Research
Bitnet: borynec@bnr.CA                 Box 3511, Stn C, Ottawa, Ontario K1Y 4H7

------------------------------

Date:    Mon, 02 Oct 89 21:45:03 -0700
From:    portal!cup.portal.com!Alan_J_Roberts@SUN.COM
Subject: New PC Virus (AIDS Virus)

A new PC virus was submitted to the CVIA from Keith Petersen (who
maintains the SIMTEL20 MSDOS archives).  This virus replicates in COM
files and has the unusual capability of infecting generic COM files
internally - without changing the real size of the file (unlike the
zero-bug virus which maintains an "apparent" constant infected file
size).  Small COM files are infected externally, and the file sizes,
for all files under 10K, change to 13952 bytes - another unusual
characteristic.  The virus displays a full screen graphic with the
word "AIDS" occupying the bottom half of the screen.  The top half
contains a long rambling message from the author informing the user of
how stupid he has been for using public domain software.  SCANV40 has
been updated to identify the virus.  It is not yet known how
destructive the virus may be (all tests have been done with a disabled
hard disk).  More info forthcoming.  ViruScan identifies the virus as
the AIDS Virus.

Thanks to Keith Petersen for his quick identification of the virus and
for his timely response.

Alan

------------------------------

End of VIRUS-L Digest
*********************
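Editor's added example, appended after the digest and not part of it.  It ties together three technical points made above: Chess's observation (re: Future AV software) that a "garbled" virus keeps only a small clear-text degarbler on disk, so an on-disk scan for INT instructions sees nothing; the CHK4BOMB-style scan for disk-writing interrupt calls that Kopp and Wright discuss; and Ford's experience that SCAN still flags the encrypted 1704 virus by a hex search string.  The code is the editor's illustration, not code from the digest, from any poster, or from any real virus: the 8086 opcode encodings are real, but the degarbler stub, the body, the key and every name here (LOAD_ADDR, KEY, BODY, build_image, scan_for_ints, suspicious, emulate_degarbler, DEGARBLER_SIG, find_signature) are constructed for this demonstration.

```python
"""Constructed demo: a 'garbled' virus body behind a clear-text degarbler.

Editor's added example, not code from the digest or from any real virus.
The 8086 encodings are real; the stub, body and key are toys built here.
"""
from typing import List, Optional, Tuple

LOAD_ADDR = 0x100   # COM files load at CS:0100h
KEY = 0x55          # garbling key (constructed)

# Plaintext body: the part an INT scanner wants to see.
BODY = bytes([
    0xB4, 0x40,     # MOV AH,40h   DOS: write to file/device
    0xCD, 0x21,     # INT 21h
    0xB4, 0x03,     # MOV AH,03h   BIOS: write sectors
    0xCD, 0x13,     # INT 13h
    0xC3,           # RET
])


def build_image(body: bytes, key: int) -> bytes:
    """Degarbler stub in clear, followed by the XOR-garbled body."""
    body_off = LOAD_ADDR + 12            # the stub below is 12 bytes long
    stub = bytes([
        0xBE, body_off & 0xFF, body_off >> 8,     # MOV SI, body_off
        0xB9, len(body) & 0xFF, len(body) >> 8,   # MOV CX, len(body)
        0x80, 0x34, key,                          # XOR BYTE PTR [SI], key  (loop top)
        0x46,                                     # INC SI
        0xE2, 0xFA,                               # LOOP -6 -> back to the XOR
    ])
    return stub + bytes(b ^ key for b in body)


# Disk-writing calls a CHK4BOMB-style scanner would flag; the function
# number is recovered only when MOV AH,imm8 (B4 xx) directly precedes INT.
SUSPECT = {(0x21, 0x40): "DOS write file", (0x13, 0x03): "BIOS write sectors"}


def scan_for_ints(image: bytes) -> List[Tuple[int, int, Optional[int]]]:
    """Every CD xx in the image as (offset, int_no, ah_or_None)."""
    hits = []
    for i in range(len(image) - 1):
        if image[i] == 0xCD:
            ah = image[i - 1] if i >= 2 and image[i - 2] == 0xB4 else None
            hits.append((i, image[i + 1], ah))
    return hits


def suspicious(image: bytes) -> List[str]:
    """Names of the flagged disk-writing calls, in image order."""
    return [SUSPECT[(n, ah)] for _, n, ah in scan_for_ints(image) if (n, ah) in SUSPECT]


def emulate_degarbler(image: bytes, max_steps: int = 10_000) -> bytes:
    """Execute only the instructions a degarbler needs; stop at anything else.

    Memory is the image at LOAD_ADDR.  Returns memory as it stands once the
    loop has run, i.e. what a runtime monitor (or a later scan) would see.
    """
    mem = bytearray(image)

    def rd(addr: int) -> int:
        off = addr - LOAD_ADDR
        return mem[off] if 0 <= off < len(mem) else 0

    ip, si, cx = LOAD_ADDR, 0, 0
    for _ in range(max_steps):
        op = rd(ip)
        if op == 0xBE:                                  # MOV SI, imm16
            si, ip = rd(ip + 1) | rd(ip + 2) << 8, ip + 3
        elif op == 0xB9:                                # MOV CX, imm16
            cx, ip = rd(ip + 1) | rd(ip + 2) << 8, ip + 3
        elif op == 0x80 and rd(ip + 1) == 0x34:         # XOR BYTE PTR [SI], imm8
            if not 0 <= si - LOAD_ADDR < len(mem):
                break
            mem[si - LOAD_ADDR] ^= rd(ip + 2)
            ip += 3
        elif op == 0x46:                                # INC SI
            si, ip = (si + 1) & 0xFFFF, ip + 1
        elif op == 0xE2:                                # LOOP rel8
            cx = (cx - 1) & 0xFFFF
            rel = rd(ip + 1) - (0x100 if rd(ip + 1) >= 0x80 else 0)
            ip = ip + 2 + rel if cx else ip + 2
        else:
            break                                       # degarbled code begins here
    return bytes(mem)


# Wildcard search string for the degarbler: the immediates (address, length,
# key) vary per infection, so they are wildcards; the opcodes do not.
DEGARBLER_SIG: List[Optional[int]] = [0xBE, None, None, 0xB9, None, None,
                                      0x80, 0x34, None, 0x46, 0xE2, 0xFA]


def find_signature(image: bytes, sig: List[Optional[int]]) -> int:
    """Offset of the first match of a wildcard signature, or -1."""
    for i in range(len(image) - len(sig) + 1):
        if all(s is None or image[i + j] == s for j, s in enumerate(sig)):
            return i
    return -1


if __name__ == "__main__":
    disk = build_image(BODY, KEY)
    print("on-disk INT scan      :", suspicious(disk))                    # []
    print("degarbler signature at:", find_signature(disk, DEGARBLER_SIG))  # 0
    print("after degarbler runs  :", suspicious(emulate_degarbler(disk)))
```

Run as written, the on-disk scan reports nothing although the body holds both disk-writing calls, the degarbler search string matches at offset 0 whatever key was used, and both calls appear once the loop has been emulated.  Two caveats a practitioner would add: the byte scan matches any CD xx, including immediates and data, so a CHK4BOMB-style tool produces false positives and needs the allow-table Kopp describes; and this emulator understands the five instructions a toy degarbler needs, whereas a real one must bound a hostile loop and cope with stubs that modify themselves, which is exactly the gap Wright points out.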