VIRUS-L Digest             Monday, 24 Jul 1989        Volume 2 : Issue 158

Today's Topics:

virus sociology
Computer security report available
the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS)
resource fork viruses (Apple II)
Re: What kind of virus is this ? (PC)
Virus Encyclopedia (Was Re: INIT29 and data files (Mac))
Ping Pong Virus (PC)
Re: Request for boot sector information (PC)
safeware (PC)
Still on viruscan (PC)
Re: query re: VIRUSCAN program availability (PC)
Re: new network-virus group?
Re: VIRUSCAN tested (PC)

---------------------------------------------------------------------------

Date: 21 Jul 89 20:10:28 +0000
From: mrc@Tomobiki-Cho.CAC.Washington.EDU (Mark Crispin)
Subject: virus sociology

I've been reading this newsgroup for a while now, and have come to speculate about whether or not the situation is going to become self-perpetuating. That is, I'm sure that the human scum who write viri are doing so for the same reasons that any act of vandalism is committed. The motivations of attention getting and of maliciously hurting innocent (and often unknown) people are common to all vandals.

The question is: can we speculate that many, if not most, of this scum read (and perhaps participate in) this newsgroup? Isn't the effort of cataloging all the viri egging the scum on to greater efforts?

The next question is: how much effort should we be putting into getting the vendors of various machines and operating systems to design their software to be virus-proof as opposed to writing new virus detectors/fixers? Let's face it, the current generation of personal computers has non-existent security not only from viri but also from user screwups.

Mark Crispin / 6158 Lariat Loop NE / Bainbridge Island, WA 98110-2020
mrc@CAC.Washington.EDU / MRC@WSMR-SIMTEL20.Army.Mil / (206) 842-2385
Atheist & Proud / 450cc Rebel pilot -- a step up from 250cc's!!!

------------------------------

Date: Fri, 21 Jul 89 16:27:04 -0400
From: Stephen Wolff
Subject: Computer security report available

COMPUTER SECURITY: Virus Highlights Need for Improved Internet Management (GAO/IMTEC-89-57) is the first U.S. General Accounting Office report that has been made available on a wide-area computer network. The report is particularly relevant to Internet users -- it examines Internet security and vulnerability, and issues and factors relating to the prosecution of virus crimes.

**************************************************************
* This is the first GAO report to be made available over     *
* the Internet.  GAO wants to know how many people           *
* acquire the report this way.  If you do, please send       *
* mail to me and I'll keep count for                         *
* them.  Your name will not be saved or used.                *
**************************************************************

The report is available by anonymous ftp from the NSF Network Service Center on host nnsc.nsf.gov <128.89.1.178> in directory pub, from the NSF Information Services host nis.nsf.net <35.1.1.48> in directory nsfnet, and on host umd5.umd.edu <128.8.10.5> in directory pub. In all cases, log in as user anonymous, with password guest. The file is about 104 kilobytes.

If you would prefer a printed copy, send me your mailing address and GAO will post one to you directly.

------------------------------

Date: 21 Jul 89 13:46:11 -0500
From:
Subject: the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS)

At the time of the CHRISTMA EXEC I was a student mainframe consultant, and I don't recall BITNET being crippled by this program. 2 copies of the program were sent to my reader and I just ignored them. Later, when I had the time to look at them, I went to my reader and Voila, they were gone! I asked my boss what happened to the files. He ran a program that went thru the system and removed all copies of the program from everyone's reader and minidisk.

He took this a bit further by having RSCS (VM's communication server) purge all files going through our node named CHRISTMA EXEC.

I've heard that VNET was crippled by the CHRISTMA EXEC. I've heard that IBM actually had to shut down their RSCS servers and then purge the files from each machine. They have since done 2 things (that I know of) to prevent future instances. First off, when one receives an EXEC from their reader the filetype is changed from EXEC to CEXE to prevent execution of the program. Secondly, it is now very hard to get files/mail into VNET. I've been trying for some time to find a route for BITNET<->VNET and haven't been successful. ((any help with this would be greatly appreciated!!))

As a sidebar, the reason I think the 2 nets were affected differently is because these nets are used differently. On BITNET most nodes are primarily used for 'things' other than E-Mail. So when the RSCS servers started using too much CPU time, systems people got curious and found out what was happening. IBM, on the other hand, uses VNET primarily for E-Mail, and with 300,000+ people (my guess) using E-Mail one would expect RSCS to suck a lot of the system's resources. This made it less obvious, and the longer the CHRISTMA EXEC went unchecked the harder it was going to be to eradicate.

Include standard disclaimers here:
A) These opinions are mine; MINE, ALL MINE!!
B) I've been wrong before

Bob Johnson << u27745@uicvm.uic.edu >>

------------------------------

Date: Fri, 21 Jul 89 21:18:00 -0400
From: TMPLee@DOCKMASTER.ARPA
Subject: resource fork viruses (Apple II)

The Apple II GS OS is about to incorporate resource forks, something I understand has been in the MAC OS forever. I also note from all the traffic that almost all the MAC viruses seem to have something to do with resource forks. (Sounds to me like the virus writers aren't very inventive; any bad guy worth his salt would bypass ALL the vendor's software and play with the bare metal -- but since the IBM crowd ain't much smarter I guess we just don't have the hackers like we used to.) Anyway, could someone summarize for me what the MAC resource forks are used for (since I know essentially nothing about MAC-land) and how they are or are not more vulnerable to virus/trojan horse penetration than "conventional" file structures as found in IBM-land or the earlier Apple II DOS and ProDOS-land?

TMPLee@dockmaster.ncsc.mil

------------------------------

Date: Sat, 22 Jul 89 12:49:10 +0700
From: CCEYEOYT@NUSVM.BITNET
Subject: Re: What kind of virus is this ? (PC)

If I am not wrong, it is the Ping-pong virus (also known as the Bouncing ball virus). I remove the virus by first copying the original boot record (it is stored in one of the bad sectors marked by the virus) back to the boot sector and then erasing the content of the two bad sectors.

Yeo Y.T.

Plus: I always boot up the system with a 'clean' DOS before I make any changes. Otherwise the virus will remain active in RAM if you boot up with an infected disk. You will not be able to remove the virus even if you format your disk.

------------------------------

Date: 21 Jul 89 18:57:33 +0000
From: chinet!henry@att.att.com
Subject: Virus Encyclopedia (Was Re: INIT29 and data files (Mac))

In article <0010.y8907131623.AA04591@ge.sei.cmu.edu> IHLS400@INDYCMS.BITNET (Holly Lee Stowe) writes:
>Also, for anyone using Macs and trying to teach others about what things
>to be aware, may I recommend highly a Hypercard stack called the Virus
>Encyclopedia which is available on GEnie and probably other places.
>(The author's name is Henry C. Schmitt, and he's from the Northwest of
>Us, a user group in Arlington Heights, IL.)  Also the informational
>screens from John Norstad's Disinfectant are very helpful.

Thanx for your praise Holly! I didn't think I'd become famous when I wrote the stack. The latest version (dated 6/8/89 on the disclaimer card) is available on GEnie. I haven't uploaded it to CompuServe yet, so the latest version there is only 3/31/89. I also upload it to The Rest of Us BBS here in Chicago (when it's up!). Since it gets downloaded quite a lot, people put it elsewhere too. I've seen it on HomeBase BBS in CA, someone sent me mail that they got it off a BBS in Denver, I've even seen it on an archive list from the U.K.!!

If you want to be sure you have the latest version: check the Date Modified on the Disclaimer card. First Version: 1/22/89, second: 3/31/89, third and latest: 6/8/89. Of course I'm continually working on it so I'll probably release another version soon. Please send me any comments or suggestions. My mail addresses are:

GEnie: H.Schmitt
CompuServe: 72275,1456
UUCP: henry@chinet.chi.il.us

--
H3nry C. Schmitt     | CompuServe: 72275,1456 (Rarely)
                     | GEnie: H.Schmitt (Occasionally)
Royal Inn of Yoruba  | UUCP: Henry@chinet.chi.il.us (Best Bet)

------------------------------

Date: Fri, 21 Jul 89 22:52:34 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Ping Pong Virus (PC)

Hans Varkevisser described what appears to be the Ping Pong virus and asks if there is any way to deal with it short of a low level format. The Ping Pong (Italian) is a boot infector and can be removed with McAfee's MDISK programs. The CVIA is distributing these programs free of charge (with proof of infection) to anyone infected with a boot or partition table virus. They've been tested against all the viruses we know about and work flawlessly against all boot and partition table viruses. Contact the CVIA at 408 727 4559 or page SysOp on HomeBase at 408 988 4004 to get these programs.

Alan Roberts.

------------------------------

Date: Sat, 22 Jul 89 11:58:28 -0400
From: allbery@NCoast.ORG (Brandon S. Allbery)
Subject: Re: Request for boot sector information (PC)

In your article <0009.y8907171856.AA19378@ge.sei.cmu.edu> ["Request for boot sector information"], you wrote:
+---------------
| I need an answer to the following question:
|
| In the boot sector of every diskette and hard disk there is a short
| string starting at the fourth byte. This string contains information
| about the version of DOS used to format the disk/diskette.
| Typically it is something like "IBM 3.0" or "MSDOS2.0".
| What I need to know is: What other possibilities are there ?
+---------------

Out of three versions of DOS available to me, two don't follow this rule:

ITT XTra, ITT DOS 2.11:   "ITT 2.0 "
Wyse PC DOS 3.2:          "PC & AT^@"
Altos 500 MS-DOS 3.3:     "MSDOS3.3"

++Brandon
--
Brandon S. Allbery, moderator of comp.sources.misc
allbery@NCoast.ORG   uunet!hal.cwru.edu!ncoast!allbery   ncoast!allbery@hal.cwru.edu
NCoast Public Access UN*X - (216) 781-6201, 300/1200/2400 baud, login: makeuser
(Send inquiries to rhg@NCoast.ORG, *not* to me! I'm just the resident guru.)
* "ncoast" regenerates again! The 5th "ncoast", coming August 1 (stay tuned) *

------------------------------

Date: Sat, 22 Jul 89 13:23:00 -0400
From: IA96000
Subject: safeware (PC)

perhaps you remember my mentioning safeware several weeks ago. we have been doing some testing and thought you might like to know the results.

we tested safeinfo and several other safeware products on what has now been identified as the jerusalem virus and several other viral strains. in each case, safeware detected that some change had been made in the file since it had been compiled and notified me.

safeware runs a proprietary selftest (tm) module as soon as the program is loaded. execution is immediately halted if a change is detected in file length, crc or both.

safeinfo.arc can be downloaded from (201) 473-1991 if you would like to check it out. also viruscan can be downloaded from (201) 249-1898. the first number is a 10 line tbbs so there is almost never a busy signal.

i spoke to the author of safeware and he assures me neither safeware nor the selftest module will ever be sold or allowed to be used by a commercial software house. he seems to be quite proud of the fact that safeware was written and released by a shareware author. in fact, when you think about it, it is quite amazing that commercial houses have not yet released such a product, and it took a shareware author to do it first!

he also assures me that the code can be changed and programs recompiled in less than 5 minutes if the need arises. it seems there are several versions of the selftest module and only one has been released in shareware so far.

in any event, the built-in protection safeware offers works, and there are now more than 25 programs released under the safeware label.

almost forgot, we are working on getting copies of all the safeware products. if we can get them, does anyone know where we can post them for requests? we do not have a listserv here, so it would be kind of hard. any suggestions would be appreciated.

------------------------------

Date: Sun, 23 Jul 89 22:33:06 -0000
From: A.SIGFUSSON@ABERDEEN.AC.UK
Subject: Still on viruscan (PC)

Mr. Alan Robertson sent me a message and pointed out to me that the problem I had with VIRUSCAN and multiple scans was due to the hardware and not a software problem. He thinks that about 1% of IBM clones suffer from this, and it so happened that both the machines I have used (COMMODORE PC20 & AMSTRAD 1640) fall into that 1%. I have now tried a copy of the new version of SCAN and find that the problem does not occur any more.

Best regards,
Arnor Sigfusson (A.SIGFUSSON@UK.AC.ABERDEEN)

------------------------------

Date: Sun, 23 Jul 89 17:01:00 -0700
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: query re: VIRUSCAN program availability (PC)

In article <0005.x8906301409.AA00605@ge.sei.cmu.edu> you write:
>in VIRUS-L of Jun 28, 1989 Alan J.Roberts mentioned a program called
>VIRUSCAN for the IBM PC. I would like to get this program, but I don't know
>how. Could someone, if possible, mail me a uuencoded ARC-file ?
>                 Thank you,
>                 Rainer Kleinrensing (RAINER at DBNUAMA1 in BITNET)

I have been doing beta testing for john and at his request I am going to be submitting the results and the virus scan program... here in just a few hours to the mailing list... if anyone knows a uucp reachable archive site address to be a recipient of this code please email me this address as I don't want to have to mail out continuous copies...

cheers
kelly

p.s. it's even more inclusive now!!

------------------------------

Date: Sun, 23 Jul 89 17:10:00 -0700
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: new network-virus group?

> A little while ago, there was some hashing about the overly
> pc-oriented direction of this list or something like that. (Forgive me,
> I had 4+ weeks' worth of mail to catch up on in the past 1-1/2 wks,
> and it's been a while since I read the virus-l notebook - which was
> sizeable. So...)
[...]
> My thought here is that the group has kind of shifted directions
> towards the PC environment. But the networking environment and the issues
> surrounding it are very different. There are of course no major network
> virus dangers right now, but network security and finding loopholes is
> always a major concern. Is there a place for another list concerning
> viruses in the network and PC-NFS/LAN environment?

Actually, given RPCs (Remote Procedure Calls) and other given holes in present LAN systems, they are as vulnerable as any non-protected system nowadays!!

My vote would have to be yes, let's cover these issues also. I just hope the vendors are listening!!

cheers
kelly

------------------------------

Date: 24 Jul 89 08:04:25 +0000
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: VIRUSCAN tested (PC)

Last week someone asked for inputs about the VIRUSCAN program and whether or not it had actually identified any viruses. The following log is an actual log by VIRUSCAN against viruses I have collected for taxonomy purposes. VIRUSCAN correctly identified the virus and strain involved. At present in the log are the strains of EXE and COM infectors I have gathered; I will be testing the boot and partition infectors sometime this week. I would be interested in inputs from anyone else who might have samples of strains that I have not yet tested.

EXE AND COM INFECTORS:

Scanning for 27 viruses.
Scanning boot sectorFECTED\1704.COM  Found 1701/1704 Virus - Version B
Scanning D:\VIRUS\INFECTED\SARATOGA.EXE  Found Saratoga/Icelandic Virus
Scanning D:\VIRUS\INFECTED\ICELANDI.EXE  Found Saratoga/Icelandic Virus
Scanning D:\VIRUS\INFECTED\1168.COM  Found 1168 Virus
Scanning D:\VIRUS\INFECTED\1280.COM  Found 1280 Virus
Scanning D:\VIRUS\INFECTED\1701.COM  Found 1701/1704 Virus - Version B
Scanning D:\VIRUS\INFECTED\1704-B.COM  Found 1701/1704 Virus - Version B
Scanning D:\VIRUS\INFECTED\1704-C.COM  Found 1701/1704 Virus - Version C
Scanning D:\VIRUS\INFECTED\ATTRIB.EXE  Found Jerusalem Virus - Version B
Scanning D:\VIRUS\INFECTED\JRVIR-C.COM  Found Jerusalem Virus - Version B
Scanning D:\VIRUS\INFECTED\JRVIRUS.COM  Found Jerusalem Virus - Version A
More? ( H = Help )NFECTED\NUMOFF.COM  Found Jerusalem Virus - Version A
Scanning D:\VIRUS\INFECTED\DOS62.COM  Found Vienna (DOS 62) Virus - Version A
Scanning D:\VIRUS\INFECTED\FUMANCHU.COM  Found Fu Manchu Virus - Version A
Scanning D:\VIRUS\INFECTED\SURIV01.COM  Found April First Virus - Version C !
Scanning D:\VIRUS\INFECTED\SURIV02.EXE  Found Jerusalem Virus - Version D
Scanning D:\VIRUS\INFECTED\SURIV03.COM  Found Jerusalem Virus - Version E
Scanning D:\VIRUS\INFECTED\INFECTED\1280.COM  Found 1280 Virus
Scanning D:\VIRUS\INFECTED\I2\1168.COM  Found 1168 Virus
Scanning D:\VIRUS\INFECTED\I2\1280.COM  Found 1280 Virus
Scanning D:\VIRUS\INFECTED\I2\1701.COM  Found 1701/1704 Virus - Version B
Scanning D:\VIRUS\INFECTED\I2\1704-B.COM  Found 1701/1704 Virus - Version B
Scanning D:\VIRUS\INFECTED\I2\1704-C.COM  Found 1701/1704 Virus - Version C
More? ( H = Help )NFECTED\I2\1704.COM  Found 1701/1704 Virus - Version B
Scanning D:\VIRUS\INFECTED\I2\1704FRMT.COM  Found 1701/1704 Virus - Version C
Scanning D:\VIRUS\INFECTED\I2\DOS62.COM  Found Vienna (DOS 62) Virus - Version A
Scanning D:\VIRUS\INFECTED\I2\FUMANCHU.COM  Found Fu Manchu Virus - Version A
Scanning D:\VIRUS\INFECTED\I2\ICELANDI.EXE  Found Saratoga/Icelandic Virus
Scanning D:\VIRUS\INFECTED\I2\JRVIR-C.COM  Found Jerusalem Virus - Version B
Scanning D:\VIRUS\INFECTED\I2\JRVIRUS.COM  Found Jerusalem Virus - Version A
Scanning D:\VIRUS\INFECTED\I2\SARATOGA.EXE  Found Saratoga/Icelandic Virus
Scanning D:\VIRUS\INFECTED\I2\SURIV01.COM  Found April First Virus - Version C
Scanning D:\VIRUS\INFECTED\I2\SURIV02.EXE  Found Jerusalem Virus - Version D
Scanning D:\VIRUS\INFECTED\I2\SURIV03.COM  Found Jerusalem Virus - Version E
Scanning D:\VIRUS\INFECTED\I2\TRACEBCK.COM  Found 3066 (Traceback) Virus
More? ( H = Help )RUS.LIB\V3.COM  Found Jerusalem Virus - Version A
Disk D: contains 81 directories and 1466 files. 36 files contain viruses.

This list was edited to eliminate a lot of intermediate output... information proprietary to my system... The test system is a NEC PROSPEED 386 Laptop at MS-DOS Level 3.3, with Quarterdeck's 2.25/386 multitasking system. The disk size was a 32 meg partition running on a 100mb disk.

I will be running the series of tests for boot sector infectors and partition table infectors later this week and will post those results then.

cheers
kelly

p.s. I think this should settle any doubts

DISCLAIMER: The views expressed above are not those of AMDAHL Corp., who has generously provided e-mail facilities, or those of ONSITE CONSULTING... they do represent the views of Cybernetic Systems Specialists Inc., a CVIA Member... No warranty is expressed, implied or granted in any fashion whatsoever... However, the VIRUSCAN program was tested against LIVE viral programs and it did correctly identify what I have in my archives to this date..

------------------------------

End of VIRUS-L Digest
*********************
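Added after the digest as an illustration of Brandon Allbery's boot sector reply above (example code, not from the digest or any of its posters): a small parser for the 8-byte OEM name field that starts at the fourth byte of a DOS boot sector, with the jump-opcode and 0x55AA signature checks and a whole-sector digest compared against a saved clean copy, since the reply shows the OEM string is vendor-defined and not a reliable DOS-version indicator. The build_sector helper, the function names and the sample sectors (built around the three OEM strings quoted in the reply) are constructed for this example.

```python
import hashlib

SECTOR_SIZE = 512
OEM_OFFSET, OEM_LEN = 3, 8          # OEM name: 8 bytes starting at the fourth byte

def build_sector(oem, jump=b"\xEB\x3C\x90"):
    """Constructed sample sector for this example: jump, OEM name, zero body, 55AA."""
    head = jump + oem[:OEM_LEN].ljust(OEM_LEN, b" ")
    return head + b"\x00" * (SECTOR_SIZE - 2 - len(head)) + b"\x55\xAA"

def parse_boot_sector(sector):
    """Return the fields a checker would look at; never trusts the OEM string alone."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte boot sector")
    jmp = sector[:3]
    # A DOS boot sector starts with a short jump (EB xx 90) or a near jump (E9 xx xx).
    jump_ok = (jmp[0] == 0xEB and jmp[2] == 0x90) or jmp[0] == 0xE9
    raw = sector[OEM_OFFSET:OEM_OFFSET + OEM_LEN]
    # Decode as ASCII and drop trailing NUL/space padding ("PC & AT^@" -> "PC & AT").
    oem = raw.decode("ascii", errors="replace").rstrip("\x00 ")
    return {
        "jump_ok": jump_ok,
        "oem_raw": raw,
        "oem_name": oem,
        "signature_ok": sector[510:] == b"\x55\xAA",
        "sha256": hashlib.sha256(sector).hexdigest(),
    }

def matches_clean_copy(sector, clean_digest):
    """Boot infectors replace the whole sector, so compare a digest of all 512 bytes."""
    return parse_boot_sector(sector)["sha256"] == clean_digest

# OEM strings reported in the reply; the first two are the ones that break the "rule".
SAMPLE_SECTORS = {
    "ITT DOS 2.11": build_sector(b"ITT 2.0 "),
    "Wyse PC DOS 3.2": build_sector(b"PC & AT\x00"),
    "Altos MS-DOS 3.3": build_sector(b"MSDOS3.3"),
}

if __name__ == "__main__":
    for name, sec in SAMPLE_SECTORS.items():
        print(f"{name:18} OEM={parse_boot_sector(sec)['oem_name']!r}")
```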
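Added after the digest as an illustration of the load-time selftest described in the safeware post above (example code, not Safeware's own module, whose layout the digest does not give): a build-time seal records the program's length and CRC-32 in a trailer, and the check before execution halts on a changed length, a changed CRC, or both, exercised against a constructed appending modification and an in-place patch. The trailer layout, the seal/self_test names and the program image are assumptions constructed for this example.

```python
import struct
import zlib

# Assumed trailer layout (constructed for this example): <protected length><CRC-32>
TRAILER = struct.Struct("<II")

def seal(program):
    """Append the self-test trailer to a program image at build time."""
    return program + TRAILER.pack(len(program), zlib.crc32(program))

def self_test(image):
    """Load-time check: halt before execution if length, CRC, or both have changed."""
    if len(image) < TRAILER.size:
        return False, "image too short to carry a trailer"
    expected_len, expected_crc = TRAILER.unpack(image[-TRAILER.size:])
    body = image[:-TRAILER.size]
    if len(body) != expected_len:
        # Bytes appended after the file shift the trailer, so the recorded length is off.
        return False, f"length changed (recorded {expected_len}, now {len(body)})"
    actual_crc = zlib.crc32(body)
    if actual_crc != expected_crc:
        # Same length, different bytes: an in-place patch.
        return False, f"crc changed (recorded {expected_crc:08x}, now {actual_crc:08x})"
    return True, "ok"

# Constructed program image standing in for a compiled .COM/.EXE file.
CLEAN = seal(b"MZ" + bytes(range(256)) * 4 + b"constructed program body")

def demo_cases():
    """Return the verdict for the clean image and two constructed tamperings."""
    appended = CLEAN + b"\x90" * 64          # bytes glued onto the end of the file
    patched = bytearray(CLEAN)
    patched[100] ^= 0xFF                     # one byte changed in place
    return {
        "clean": self_test(CLEAN),
        "appended": self_test(appended),
        "patched": self_test(bytes(patched)),
    }

if __name__ == "__main__":
    for case, (ok, why) in demo_cases().items():
        print(f"{case:9} {'PASS' if ok else 'HALT'}: {why}")
```

A check that trusts a trailer stored inside the file cannot notice a modification that also recomputes that trailer; pairing it with a baseline kept outside the file closes that gap.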