VIRUS-L Digest             Tuesday, 22 Aug 1989        Volume 2 : Issue 179

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list.  Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

Swap Virus (PC)
DEMO Software Disk Infected (Jerusalem, Version B) (PC)
Hygiene Questions
New German Virus (PC)

---------------------------------------------------------------------------

Date:    Mon, 21 Aug 89 09:47:00 -0500
From:    Craig Minton
Subject: Swap Virus (PC)

I just received my bitnet account about a month ago and just subscribed
to this list about a week ago.  In the past week, I have seen the Swap
Virus mentioned several times.  Since I'm sure that it has already been
discussed a lot on this list, I would appreciate any information on it
that I could get.  Please send this to me personally unless you feel it
hasn't been discussed enough or something new is going on with it.

Thanx,
Craig

------------------------------

Date:    Mon, 21 Aug 89 11:32:19 -0500
From:    SDSV@MELPAR-EMH1.ARMY.MIL
Subject: DEMO Software Disk Infected (Jerusalem, Version B) (PC)

A research and development lab located at Ft. Belvoir Virginia had their
PCs infected with the Jerusalem, Version B, Virus.  Further investigation
uncovered the virus entered the lab through a DEMO software disk from
ASYST Software Technologies supplied with an IEEE-488 board from
METROBYTE.  The infected program is RTDEMO2.EXE.  In a conversation with
Mr. Dave Philipson from ASYST, to the best of his knowledge, 50 to 100
copies of the infected software were released.
The infection entered their facility through software received from
their parent company in England.  Mr. Brent Davis of METROBYTE informed
me that the DEMO disk was supplied with three (3) of their products;
MBC-488, IE-488 and UCMBC-488.  METROBYTE is in the process of contacting
all purchasers of these products.

Many thanks to Mr. John McAfee for his assistance, SCAN34 which was used
to identify the type of virus, and M-JRUSLM which was used to eradicate
the virus.  Both ASYST and METROBYTE were extremely helpful and responded
expeditiously to the problem.  Many thanks to Mr. Brent Davis and
Mr. Dave Philipson for their action and assistance.

************** From the Desk of Mr. James M. Vavrina **************
*  Comm 202-355-0010/0011      AV 345-0010-0011                   *
*  DDN  SDSV@MELPAR-EMH1.ARMY.MIL                                 *
*******************************************************************

------------------------------

Date:    Mon, 21 Aug 89 13:36:00 -0400
From:    WHMurray@DOCKMASTER.ARPA
Subject: Hygiene Questions

>1) Is the possibility of virus infection limited to executable
>   programs (.com or .exe extensions)?  Or can an operating system be
>   infected from reading a document file or graphic image?

While a virus must succeed in getting itself executed, there are a number
of solutions to this problem besides infecting .exe and .com.  While it
will always be sufficient for a virus to dupe the user, the most
successful ones are relying upon bootstrap programs and loaders to get
control.

>2) Are there generic "symptoms" to watch for which would indicate a virus?

Any unusual behavior may signal the presence of a virus.  Of course most
such unusual behavior is simply an indication of user error.  Since there
is not much satisfaction to writing a virus if no one notices, most are
not very subtle.  However, the mandatory behavior for a successful virus
is to write to shared media, e.g., floppy, diskette, network, or server.
(While it may be useful to the virus or disruptive to the victim to write
to a dedicated hard disk, this is not sufficient for the success of the
virus.)

>3) Any suggestions on guidelines for handling system archiving
>   procedures so that an infected system can be "cleaned up"?

WRITE PROTECT all media.
Preserve vendor media indefinitely.
Never use the backup taken on one system on any other.
Be patient when recovering; be careful not to reinfect.  (Computer
viruses are persistent on media.)
Quarantine systems manifesting strange behavior.
Never try to reproduce symptoms on a second machine.
Never share media gratuitously.  (Note that most PC viruses are traveling
on shared MEDIA rather than on shared PROGRAMS.)

____________________________________________________________________
William Hugh Murray                     216-861-5000
Fellow,                                 203-966-4769
Information System Security             203-964-7348 (CELLULAR)
ARPA: WHMurray@DOCKMASTER               Ernst & Young
MCI-Mail: 315-8580                      2000 National City Center
TELEX: 6503158580                       Cleveland, Ohio 44114
FAX: 203-966-8612
Compu-Serve: 75126,1722                 INET: WH.MURRAY/EWINET.USA
21 Locust Avenue, Suite 2D              DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840           PRODIGY: DXBM57A
- --------------------------------------------------------------------

------------------------------

Date:    Mon, 21 Aug 89 14:49:57 -0700
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: New German Virus (PC)

This is a forward from John McAfee:
=============================================================================

The VIRUSCAN version V35 now identifies the virus reported by C. Fischer
in Germany.  As always, the trickiest problem is the name.  We can't very
well use the host program length increment as the nomenclature this time
because the length can change anywhere from 1206 to 1353 bytes (1206 min
for COM files; 1221 + 132 max for EXE files).
Using the bell sound as a name is questionable since the virus appears to
be a prototype version and it seems likely that the bell sound may be
removed and replaced in the final? version.  I don't like using Vacsina
as the name because it is a data string that can be trivially changed
without materially affecting the virus.  However, conversations with
Chris Fischer indicate that he wishes to call the virus Vacsina, so
that's what VIRUSCAN displays when the virus is present.

P.S.  We are still struggling over the name of the "Israeli Boot/
Swap/Fat 12/Whatever" virus reported by Yuval Tal.  Y. Radai is adamant
that it be called the Swap virus.  However, no-one that I am aware of has
been able to make the "Swap..." message reported by Yuval replicate onto
another diskette.  When the virus replicates, the area reported by Yuval
to contain the message insists on transferring itself as binary zeros.
It seems to me that someone merely placed the text message into the
virus thinking that it would replicate along with the virus.  Until I am
further enlightened, I think that the VIRUSCAN descriptor for this virus
should remain as is.

John McAfee

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
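Added example, not part of the digest and not code from any of its contributors: a small integrity-baseline checker that illustrates two points made above. McAfee notes that the host program length increment (1206 to 1353 bytes) and the "Vacsina" data string are both poor identifiers, because the increment varies and the string is trivially changed; Murray's advice to preserve clean vendor media gives the alternative, a recorded baseline of sizes and SHA-256 digests taken while the media is known good. The sample "files" are constructed byte strings, not real programs, and the marker and growth-range checks are hypothetical heuristics built only from the figures quoted in the digest.

```python
import hashlib

# Constructed sample programs (name -> bytes).  These are NOT real
# binaries; they only stand in for .COM/.EXE files on a diskette.
KNOWN_GOOD = {
    "DEMO.EXE": b"MZ" + b"\x00" * 4000,
    "TOOL.COM": b"\xe9\x00\x00" + b"\x90" * 500,
    "EDIT.COM": b"\xb8\x00\x4c\xcd\x21" + b"\x00" * 300,
}

# Length growth quoted in the digest for the German virus: 1206..1353 bytes.
LENGTH_GROWTH = range(1206, 1354)

# Data string the digest says can be changed without affecting the virus
# (hypothetical marker check, included only to show how weak it is).
MARKER = b"Vacsina"


def make_baseline(files):
    """Record size and SHA-256 of every file while the media is known clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def compare(baseline, files):
    """Diff current files against the baseline.

    Returns a sorted list of (name, status, size_delta); size_delta is
    None unless the file exists in both and its digest changed.
    """
    findings = []
    for name, (size, digest) in baseline.items():
        if name not in files:
            findings.append((name, "missing", None))
            continue
        data = files[name]
        if hashlib.sha256(data).hexdigest() != digest:
            findings.append((name, "modified", len(data) - size))
    for name in files:
        if name not in baseline:
            findings.append((name, "new", None))
    return sorted(findings)


def growth_suggests_infection(delta):
    """Weak heuristic: did the file grow by the increment the digest reports?"""
    return delta is not None and delta in LENGTH_GROWTH


def contains_marker(data, marker=MARKER):
    """Weaker still: look for the data string, which a variant can omit."""
    return marker in data


def triage(baseline, files):
    """Combine the checks so each finding shows which indicators fired."""
    report = {}
    for name, status, delta in compare(baseline, files):
        data = files.get(name, b"")
        report[name] = {
            "status": status,
            "size_delta": delta,
            "growth_match": growth_suggests_infection(delta),
            "marker": contains_marker(data),
        }
    return report


def demo_scenario():
    """Three constructed changes to the known-good set, returned as a report.

    TOOL.COM grows by 1206 bytes and carries the marker (both heuristics
    fire); EDIT.COM grows by 1300 bytes with the string removed (marker
    check misses it); DEMO.EXE is patched in place with no size change
    (only the digest comparison catches it).
    """
    base = make_baseline(KNOWN_GOOD)
    current = dict(KNOWN_GOOD)
    current["TOOL.COM"] = KNOWN_GOOD["TOOL.COM"] + MARKER + b"\x00" * (1206 - len(MARKER))
    current["EDIT.COM"] = KNOWN_GOOD["EDIT.COM"] + b"\x00" * 1300
    current["DEMO.EXE"] = KNOWN_GOOD["DEMO.EXE"][:-1] + b"\x01"
    return triage(base, current)


if __name__ == "__main__":
    for name, info in demo_scenario().items():
        print(name, info)
```

The digest comparison is the only check that flags all three changes; the growth range and the marker string each miss a case, which is the practical reason for keeping a baseline of vendor media rather than relying on any single indicator.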