VIRUS-L Digest Monday, 25 Sep 1989 Volume 2 : Issue 200 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: More on the CUPLVX Virus (VAX/VMS) Virus humour RE: McAfee Posting Viruscan (PC) re: datacrime & fdisk (PC) Re: October 12/13 (PC) correction to NOCRIME.DOC (PC) Is this a virus? (PC) should we fight fire with fire? safety protocols Write-protecting Disinfectant (Mac) (Was Re: disinfecting nVIR... Latest V-Alert on a "good virus" --------------------------------------------------------------------------- Date: Thu, 21 Sep 89 09:27:00 -0400 From: John McMahon - NASA GSFC ADFTO - 301-286-2045 Subject: More on the CUPLVX Virus (VAX/VMS) The following mail messages were posted to the INFO-VAX mailing list in response to the message "Virus or Coincidence" posted by Tom Ivers at the Columbia U. Plasma Physics Lab (IVERS@CUPLVX.APNE.COLUMBIA.EDU). The message was posted to VIRUS-L in a previous isse. Tom Ivers original mail message indicated that the VAX that had the problem was running VMS 4.5. VMS 4.4 through 4.7 had a fairly nasty security hole in it that DEC has subsequently patched. Perhaps this system wasn't patched ? Assuming the security hole wasn't patched, and LOGINOUT.EXE was replaced then this type of attack has occurred before. The last major outbreak was when the Chaos Computer Club broke into machines on the "World DECnet" (SPAN/HEPnet/Etc...) during the Summer of 1987. ***> From: "FIDLER::LEVINE" ***> ***> I got your message from info-vax, and passed it on to other ***> system managers at NWC. One of them just called and said he had part of ***> your problem once. The user limit message is a micro VMS message only, ***> and he told me that the login problem was due to a bad floating point ***> unit on his 750. Apparently the password hashing suborutine (HPWD) uses ***> some Floating point instructions. He will be sending me a full ***> desription of the problem next week which I will pass on to you. ***> As for the VIRUS stuff, he had no trace of that. ***> Michael N. LeVine Naval Weapons Center, China Lake, Ca 93555, USA ***> From: "Richard B. Gilbert" ***> ***> I think you've been well and truly screwed. The safest thing to do is ***> to scrub your disk and restore from a backup that you are certain is ***> clean. ***> ***> I have this horrible feeling that SYS$SYSTEM:LOGINOUT.EXE has been ***> patched or replaced. Only extensive checking would reveal what else has ***> been tampered with. You had better assume that any sensitive ***> information on your system has been compromised and that _anything_ may ***> have been tampered with! ***> ***> Even after you restore your system, you will still be vulnerable to a ***> repetion of the same attack! You will need to read and heed the "Guide ***> to VMS Security". You should probably have security alarm ACLs on ***> SYS$SYSTEM:SYSUAF.DAT, SYS$MANAGER:SYSTARTUP.COM or SYSTARTUP_V5.COM, ***> SY$MANAGER:SYLOGIN.COM and perhaps a couple of other things. This will ***> not prevent a breakin but it will make it tougher to do it tracelessly. ***> Check your modem lines if any. Are they all set /MODEM /HANGUP /DIALUP? ***> If not, they provide a potential entry point for a cracker. ***> ***> Priveleged accounts such as FIELD, and SYSTEST should be kept turned off ***> with /FLAGS=DISUSER and enabled only when needed. ***> ***> The default DECnet account also provides a potential point of entry. ***> ***> I'm real glad I'm not in your shoes. ***> From: "Kevin V. Carosso" ***> ***> The fact that you are running VMS V4.5 and getting the "USERS EXCEEDED" ***> message is an important clue. User limits for MicroVMS were enforced by ***> code in LOGINOUT.EXE. When you upgraded your license on your MicroVAX, ***> say from 2 users to 8, DEC sent you a VMSINTAL kit which patched ***> LOGINOUT. ***> ***> The fact that your 750 suddenly has a user limit of 2 (indeed any limit ***> at all) and is not running VMS V5 means that you may be running with a ***> LOGINOUT.EXE copied from a MicroVMS system. One distinct possibility is ***> that someone took the LOGINOUT.EXE from a MicroVMS system, possibly ***> patched in their own trapdoor, and copied it to your 750 replacing the ***> standard SYS$SYSTEM:LOGINOUT.EXE. ***> ***> A couple of years ago there were a rash of breakins to VMS machines ***> characterized, in part, by patched LOGINOUT.EXE's being left behind. ***> ***> You should consider restoring LOGINOUT.EXE from tape. You also might ***> want to save the suspicious one and check it out with ANALYZE/IMAGE ***> (which will report PATCH information unless the image was patched ***> without using the standard VMS PATCH utility). ***> ***> /Kevin Carosso kvc@friday.a-t.com ***> Innosoft kvc@ymir.bitnet /------------------------------------+---------------------------------------\ |John "Fast Eddie" McMahon | Span: SDCDCL::FASTEDDY (Node 6.9) | |Advanced Data Flow Technology Office| Arpa: FASTEDDY@DFTNIC.GSFC.NASA.GOV| |Code 630.4 - Building 28/W255 | Bitnet: FASTEDDY@DFTBIT | |NASA Goddard Space Flight Center |GSFCmail: JMCMAHON | |Greenbelt, Maryland 20771 | Phone: 301-286-2045 (FTS: 888-2045) | +------------------------------------+---------------------------------------+ |Invest heavily in SPAM futures... | \----------------------------------------------------------------------------/ ------------------------------ Date: Thu, 21 Sep 89 08:08:10 -0700 From: Robert Slade Subject: Virus humour Bit of trivia here. I recently received a copy of issue 6 of the now (unfortunately) defunct humour digest 'NutWorks'. It contains an article on a computer virus - a real organic virus that (supposedly) attacked the latest development in computer memory, BRAM, Bacterial Reproducible Active Memory. The article was written in 1984. ------------------------------ Date: Thu, 21 Sep 89 11:57:45 -0400 From: dmg@cornea.mitre.org (David Gursky) Subject: RE: McAfee Posting [Caveat Emptor: My copy of Virus-L V2 #198 seems to have been eaten by the net, so I do not have my original message in front of me as a source.] I believe both Chris McDonald and Kelly Goen missed the point of my message about John's message, (which message? who? what? ;-) I agree wholeheartedly with Chris' characterization of Centel. If they are indeed purporting to be selling Viruscan for $25, they are in flagrant violation of the law. I deliberately tempered my remarks about Centel as the only source of information I have about their "offer" comes from a Washington Post article, and is consequently at least third-hand (whereas my comments about John's posting were based directly on his message). For example, we know Viruscan is on the disk, but how do any of us know that other utilities that Centel may have developed are on the disk?? I could carry on these arguments for awhile, but I suspect I've made my point here. Relating this back to my message about John McAfee's posting, I found his language confrontational in the extreme, with no explanation as to why such a tone needed to be adopted. Kelly is levelling a rather serious charge at Centel. If indeed Centel was suggesting to purchasers of the disk with Viruscan that they were buying the application, rather than covering distribution costs, he is absolutely right, but as I suggest above, we do not have enough information present to make this judgement. Again, John's message had no information backing this up. The question has also been raised about charging for the distribution of software. I'm no lawyer, but I have the strong suspicion this is perfectly legal (although as I stated about, a $25 distribution charge "smells", to quote Chris). Consider that several companies in the United States sell disks full of public-domain, freeware, and shareware applications. When shareware is involved, these companies (at least the better ones) explicitly state that a seperate payment is needed. Also remember that this is how many user groups generate revenue (through the charge of a nominal distribution fee for a disk of pd/fw/sw software. Another question was raised about what say the author has in the distribution of his or her work, when done under the auspices of the "Shareware" label. There is no question that when a piece of shareware code is included in a commercial application or disk, the author is fully within their right to demand payment, or place restrictions on dissemination, or a host of other things. I am not aware of a precedent that allows a shareware offer to say in the general case that a piece of shareware can be available from source A, but not source B. Furthermore, such an example (you can get the software from source A, but not B) appears contrary to the philosophy behind shareware. ------------------------------ Date: Thu, 21 Sep 89 12:10:40 -0400 From: dmg@cornea.mitre.org (David Gursky) Subject: Viruscan (PC) The recent discussions of Viruscan have reminded me of something. The Computer Center folks recently asked me about Anti-virus packages for PCs. I wanted to pass on to them information about Ross Greenberg's "FluShot Plus" and John McAffee's "Viruscan". Anyone out there care to synopsize these two (please include information about finding out about site licensing... Thanks! David Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Thu, 21 Sep 89 13:18:42 -0500 From: "Rich Winkel UMC Math Department" Subject: re: datacrime & fdisk (PC) >From: IA96000 >if you use fdisk to create a dummy partition of lets says 2 >cylinders and then create a second normal active dos partition >will this prevent the virus from destroying track zero? It depends on how it accesses the disk. If it uses bios calls (INT 13H), it will still attack physical cyl 0 on the disk. If it uses the dos absolute disk write call (INT 26H) it will wipe out whatever the starting track of the dos partition is. Even if it uses the bios call though, and you've partitioned the disk so it doesn't touch dos's FAT and directory, it will still wipe out the master boot sector where the partition table is stored. That wouldn't be so bad if you could make FDISK simply put a new master boot sector on the disk, but unfortunately FDISK insists on doing some general housecleaning which may finish the job that datacrime started. I'm not sure of the extent of the housecleaning, so I can't say for sure. Rich ------------------------------ Date: 20 Sep 89 19:29:03 +0000 From: ttidca.TTI.COM!hollombe%sdcsvax@ucsd.edu (The Polymath) Subject: Re: October 12/13 (PC) In article <0003.8909191146.AA07427@ge.sei.cmu.edu> ACS1W@uhvax1.uh.edu (Meesh) writes: }I'm the editor of our university's computing newletter. I need to }know how users can detect the October 12/13 virus ahead of time. Is }there a way at all? ... How about backing up the hard disk, then setting the system date ahead to October 13 and re-booting? [Ed. Sounds (to me) kind of like testing to see if the mines in an inert minefield are "ert" by having someone walk through it. :-)] - -- The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com) Illegitimis non Citicorp(+)TTI Carborundum 3100 Ocean Park Blvd. (213) 452-9191, x2483 Santa Monica, CA 90405 {csun|philabs|psivax}!ttidca!hollombe ------------------------------ Date: Thu, 21 Sep 89 18:29:38 -0700 From: fu@unix.sri.com (Christina Fu) Subject: correction to NOCRIME.DOC (PC) I have to thank Jim Wright for pointing out to me the mistake I have made in the NOCRIME documentation. I referred to "NOCRIME.DOC" as "DATACRM.DOC." Correction has been made, but I do not intend to make it a new version. I apologize for the confusion. Those who receive copies directly from me starting Sep. 20 will have the corrected copy. Sincerely, Christina H. Fu p.s. Please try to obtain copies from archive sites. I have trouble keeping up with my mail lately. Thank you very much. ------------------------------ Date: 22 Sep 89 00:00:00 +0000 From: Christoph.Fischer.RY15@DKAUNI11 Subject: Is this a virus? (PC) Hi, we just had an inquiery about 4 strange files that appeared on a Microsoft WORD installation. All 4 files are hidden system and readonly. The filenames are: MWA. MW.COD MW.COM MW.DAT 256 47296 27902 24442 bytes file length The file MWA is text and contains: Copyright 1984 by Microsoft Word Freedom Fighters: Richard Brodie Jabe Blumenthal Jeff Harbers Doug Klunder Bruce Leak Frank Liang Carl McConnell David Palmer Chris Peters Jeff Raikes Tom Reeve Ken Shapiro Charles Simonyi Greg Cox Pat Th.... File dates showed a 1985 creation date Has anyone seen this before?????? These guys there have a bunch of problems, but we couldn't find a virus yet| Chris and Torsten ***************************************************************** * Torsten Boerstler and Christoph Fischer and Rainer Stober * * Micro-BIT Virus Team / University of Karlsruhe / West-Germany * * D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 * * E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET * ***************************************************************** ------------------------------ Date: Fri, 22 Sep 89 02:57:00 -0400 From: CZMUREK%DREW.BITNET@VMA.CC.CMU.EDU Subject: should we fight fire with fire? [Ed. The following message was sent to VALERT-L, not VIRUS-L/comp.virus (where it should have gone). Please send any follow-ups here to VIRUS-L/comp.virus. Also, there are already a number of responses to this message in this (and the next) digest. I've included most of them since they present different reasons for vetoing Chris's idea of creating a virus fighting virus. I will try to keep the number of redundant messages on this to a minimum.] It would seem to me, as probably to most of you, that the creation of yet one more virus would be the last straw. But the other day I had an idea that might have occured to the rest of you, or maybe not. I began to design a virus algorythm that would eventually serve as the platform for the destruction of other viruses. It's purpose would be to infect single programs, single disks, or multiple disks in the first, second and third versions respectively. Before any alarm sets in here about my intentions, I would like to say that the purpose here is to aid in the effort to combat these little nasties. I am posting this info in the hopes that some of you will respond with your thoughts on the moral, ethical, and legal aspects of such an act as producing and spawning a virus that is intended to find and/or kill off other viruses that it comes into contact with without causing harm to any other software. I have thought of many ways to detect and defeat viruses in this manner. I have not as of yet done any coding beyond the replication stages. The two methods that I am using are by the boot sector and by piggy-backing com and exec files. There are others, but for obvious reasons I am not posting the source code or other more elaborate techniques. Please send me your insightful comments on this subject. I would also like to know what you think about designing the software to infect only the original user's system (this can be done) assuming it was to be sold commercially. Thank you in advance for your help in this ethical dilema... Chris (poet) ------------------------------ Date: Fri, 22 Sep 89 03:08:00 -0400 From: Subject: safety protocols In a recent digest, Jim Blakely requested some help in developing a protocol for the prevention of contamination from outside viruses. I would suggest to him and to any of you the following: When confronted by the problem of constant disk swapping and usage of disks from the outside, you should set up a machine that is not connected in any way to any other. Then in the event that a new disk is to be used (one from the outside), this disk should be tested on the new machine by one or more of the most trusted anti-virus programs on the market. This will insure that its introduciton into the working environment of the facility will not cause any harmful results. If a disk were to be found infected, the user can then be almost certain that his/her home machine was also infected. By implementing this policy it would help to insure a safer environment for all. ------------------------------ Date: 22 Sep 89 12:29:31 +0000 From: HUUSKONEN@hylka.Helsinki.FI (TANELI HUUSKONEN, DEPT MATH, HELSINKI, FI NLAND) Subject: Write-protecting Disinfectant (Mac) (Was Re: disinfecting nVIR... In article <0008.8909211142.AA16502@ge.sei.cmu.edu>, chinet!henry@att.att.com w rites: >> When you finally get Disinfectant, and de-Binhex it and >> de-Stuffit, make sure the diskette you keep it on is >> write-protected!!! This is very important; a virus cannot infect >> an application on a write-protected diskette! > > This is a good idea, but not entirely necessary with Disinfectant. > Disinfectant is resistant to all currently known viruses and will > refuse to run if it has been changed in any way. ... Two objections: 1) You need to get a new copy of Disinfectant if a virus attacks it and makes it refuse to run. 2) Someone _may_ write a Disinfectant-specific virus that prevents it from checking itself and from noticing the virus. ------------------------------ Date: Fri, 22 Sep 89 00:00:00 +0000 From: "David A. Bader" Subject: Latest V-Alert on a "good virus" I don't care who you are - good, bad.. it doesn't matter, I don't want *ANY* viruses! This is *MY* computer system. I prefer knowing what's going on in here. In order for you to create something that will detect and erradicate all viruses but not harm any software or applications - that is just a contradiction... I don't want to see my files grow in size for any reasons. Viruses are sometimes modified by hackers and new strains appear, so what is stopping someone from modifying your virus into a *bad* virus that looks JUST LIKE the "good" one with the capability of replacing the "good" one and wreaking havoc?? If you started programming... stop. That's my suggestion. -David Bader ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253