VIRUS-L Digest   Monday, 25 Sep 1989    Volume 2 : Issue 201

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk

Today's Topics:

Re: Centel Corp. and ViruScan
New IBMPC anti-viral programs
should we fight fire with fire?
Re: Should we fight fire with fire? NO!
Macintosh Lock-up
Anti-virus virus
Re: Software company distributing viruses (PC)
The anti-virus virus
MIX1 (PC)
RFC: Guide to Fighting Macintosh Viruses:...
A bouncing diamond star (What is it???)
SCANV38 (PC)
Is this a virus ?

---------------------------------------------

Date:    Fri, 22 Sep 89 08:21:07 -0400
From:    dmg@lid.mitre.org (David Gursky)
Subject: Re: Centel Corp. and ViruScan

In (ewiles@iad-nxe.global-mis.dhl.com) writes...

> The creator of VirusX for the Amiga certainly feels this way, [that "I
> want you to get your information from me and no one else"], and for a
> very good reason: It's the only way to make certain that the program
> hasn't been tampered with to make it a virus spreader instead of a
> stopper. It just so happens that I agree with him. What better way for
> some sleazo to get a virus or trojan horse spread than to make it look
> like it's a common, otherwise trusted, shareware virus killer program?

- -----

I have no qualms with any of this per se. If the author of a package wants to limit the sources from which his or her work is available, fine! But by doing so you forfeit the right to label your work as shareware!
Shareware, by definition, is software that is shared with other users for the purpose of preliminary evaluation. If the user finds the application useful, the user is honor- and legally-bound to pay the requested fee for the software. Shareware works because the distribution system is the users themselves. The author has only a minimal say in the distribution. Certainly if the author wants to more strictly limit the dissemination of his or her work, he or she is welcome to do so. The proper manner is a commercial distributor; anything that tries to mix commercial and shareware "isn't kosher".

As far as Ed's other argument goes (about using trusted shareware virus killer programs as a carrier for a virus), I can't be the only one who has failed to notice that, despite this being a common fear, it has not happened recently or often (the last case I know of was a "version" of Ross Greenberg's original FluShot, that was a Trojan Horse that destroyed FATs or some-such; even then, this wasn't a virus but a trojan).

Let me take this one step further. Anti-virus applications (IMO) make a poor carrier for a virus. In order for a virus to succeed, it must go undetected. This means that prior to the activation of the virus' logic-bomb or time-bomb, it cannot interfere with the normal operation of the computer or the applications in use on the computer. To do so greatly improves the chances the virus will be discovered (to wit, the Jerusalem virus). If we work under the assumption that when a user acquires an anti-virus application, they actually use it (in fact we must work under this rule; otherwise the virus would not spread), the virus necessarily undergoes an increased chance of detection because an application is running that looks for viruses!

Standard disclaimers apply.
David Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation

------------------------------

Date:    Fri, 22 Sep 89 09:14:40 -0500
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: New IBMPC anti-viral programs

More programs for the IBMPC anti-viral archives.

columbus.arc
        Program to backup track zero of a hard drive and restore
        track zero. Meant for disaster recovery, such as that from
        "Columbus Day" virus. Includes source!
m-3066.arc
        Program to repair damage due to the new "3066" virus.
        Checks and repairs an entire drive. Use with caution.
scanres7.arc
        Memory resident program to check each program for viruses
        before it is executed. This replaces the previous release
        of scanres.
scanv37.arc
        Scans hard drives or floppies for viruses. This replaces
        the previous release of scanv.
virsimul.arc
        Program to simulate the non-destructive effects of various
        viruses. Very useful in figuring out what everyone else is
        talking about.

COLUMBUS.ARC    Save & restore track zero of hard drive.
M-3066.ARC      Recover from the 3066 virus.
SCANRES7.ARC    Resident program to detect viruses.
SCANV37.ARC     Scans drives and reports presence of viruses.
VIRSIMUL.ARC    Simulates non-destructive behavior of viruses.

Jim

------------------------------

Date:    Fri, 22 Sep 89 11:42:25 -0400
From:    "Ronald Johnson,"
Subject: should we fight fire with fire?

*** Reply to note of 09/22/89 00:11

The proposed "solution" is not acceptable.

1. It would be the beginning of a new "ARMS RACE" with each side trying to overpower the other with increasingly sophisticated viruses.

2. The possibility for abuse is frightening.

Regards,
Ronald Johnson, acting Data Security Manager
Security Services, LDB, Vancouver, 254-5711 ext. 353

------------------------------

Date:    Fri, 22 Sep 89 09:51:53 -0700
From:    well!odawa@apple.com (Michael Odawa)
Subject: Re: Should we fight fire with fire? NO!

Thank you for bringing this issue up with others before you acted.
We have had previous discussions about this issue, and here are some of the considerations:

a) Virus technology is still relatively primitive; there is much we do not know about the interaction of viruses with other software functions, such as real-time, cycle counting procedures. Hence even a well-intentioned virus writer can not anticipate all the effects his code may produce.

b) It is highly likely that bugs and unintended side effects will be present in any complex piece of software. Thus even an intended "beneficial" virus is likely to take action beyond what was designed by the author.

c) The existence of "good" viruses in the environment would create a massive identification problem for the anti-viral software routines which currently exist and which are being developed. How could a virus detector distinguish between a "good" virus and a "bad" virus that was masquerading as a "good" one?

d) One of the worst aspects of virus propagation is that it alters the contents of other people's computers and storage media without their consent. This is a very serious ethical principle which cannot be broached even in the name of public service. You simply do not have permission to muck with people's computing hardware without asking them first.

For these reasons and others, we ask you not to become seduced by the temptation to create a "good" virus. Indeed, we believe that,

        The only good virus is a dead one.

Michael Odawa
Software Development Council
odawa@well.uucp

------------------------------

Date:    Fri, 22 Sep 89 13:26:00 -0500
From:    "Chris_C.Conner" <13501CCC%MSU.BITNET@IBM1.CC.Lehigh.Edu>
Subject: Macintosh Lock-up

This is the first time I've written to the digest and I hope someone out there has some information on my topic. I work at the Graphics Lab in Michigan State University's Computer Center, so we get plenty of people coming through to use our MacII and scanner.
A fellow came in the other day and when he inserted his disk into the Mac, the machine locked up. We run VACCINE, and Disinfectant 1.2. After restarting the machine, I checked the hard-disk and found nothing, so I inserted his disk again (while Disinfectant was still running) and it locked up again.

I was wondering if anyone knew about this. If it is some kind of virus it could be a real nuisance. You couldn't use the disk, or reformat it, because you couldn't put it into a machine. The only thing I can think of doing is using a bulk eraser. If anyone has anything, help me out...

CCC

------------------------------

Date:    Fri, 22 Sep 89 16:02:39 -0500
From:    Joe Simpson
Subject: Anti-virus virus

Recently another proposal to create an anti-virus virus was made on valert-l. I posted a note that discussion belonged in virus-l and that I would be responding here. [Ed. Thank you!]

Concerning writing an anti-virus virus. Such an entity would make unauthorized use of equipment not owned or operated by this virus's creator. The creator would be acting in just as immoral a fashion as the creators of joke, political, or deliberately destructive viruses. In fact, I prefer not to make moral judgements based upon the intent of the virus creator. I would prefer that they simply refrain from this anti-social behavior no matter what the motivation.

------------------------------

Date:    22 Sep 89 12:57:23 +0000
From:    bnr-di!borynec@watmath.waterloo.edu (James Borynec)
Subject: Re: Software company distributing viruses (PC)

In article <0006.8909211142.AA16502@ge.sei.cmu.edu>, frisk@rhi.hi.is (Fridrik Skulason) writes:
> "We can't have a virus - there are no pirated games here"
> I guess this will happen elsewhere, but until now there have been very
> few occurrences of software companies distributing viruses (only 4
> that I know of).

Software companies may be the largest source of virus contamination around.
After all, they send disks everywhere and no one worries about 'shrink wrap' software being 'unclean'. I have only been hit by two viruses - both came from software companies - one of which was Texas Instruments. The guy in the office next door was hit by a copy of a virus on his (shrink wrap) copy of WordPerfect.

I think it is shocking that people are told just to watch out for viruses when engaged in software 'swapping'. Everyone should regard EVERY disk that enters their machine with suspicion.

J.b.
- --
UUCP : utzoo!bnr-vpa!bnr-di!borynec    James Borynec, Bell Northern Research
Bitnet: borynec@bnr.CA                 Box 3511, Stn C, Ottawa, Ontario K1Y 4H7

------------------------------

Date:    Sat, 23 Sep 89 11:49:00 -0500
From:
Subject: The anti-virus virus

(regarding a note of 9/22/89 on VALERT-L)

Using a virus to destroy other viruses is a good idea IN THEORY. It assumes two points:

1. the AVV (anti-virus virus) is assumed to work properly under all conditions;
2. the virus-writers are assumed to not create new anti-anti-virus-virus viruses, i.e. start a viral arms race.

Regarding point 1: Robert Morris Jr. seemed to want his worm to be "well behaved", with only one rather tame worm living on each system on Internet. However, one little bug (from what little I know) caused the worm to run out of control. Like the author of the Internet worm, the authors of the AVV would probably be crucified if anything went wrong. In fact, the virus hysteria would cause a major uproar even if it worked (would you like a virus to appear on your system without your permission even if it did no damage?)

Point 2: I assume one reason that viruses are written is because it "lives", i.e. it exists, multiplies, travels, and survives in a way resembling, say, a flea. The existence of a virus that "eats" viruses would be seen as a challenge that would become a "survival of the fittest" contest. A viral war would break out between the "bad" virus writers and the "good" virus writers.
The battlefield would be computers in general.

- -=- CTDONATH@SUNRISE -=-

------------------------------

Date:    Sat, 23 Sep 89 13:59:23 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: MIX1 (PC)

Actually I was not planning to write more about viruses from Israel for a while, but I just could not resist. You see, the latest virus reported there, the MIX1 virus, is in fact just a variant of the Icelandic virus. I would not be surprised, if this was in fact the variant mentioned some time ago, as "...a hacked variant of the Icelandic virus, that a group of hackers intends to distribute to various BBS..."

Fortunately, it is just a variant of the Icelandic-1 virus, like Saratoga. If the authors of MIX1 had instead based their variant on Icelandic-2, we might be seeing the start of a serious problem.

I have now almost finished disassembling MIX1, and here are a few details not mentioned by Yuval Tal in his report:

The virus has been modified in several places, in order to fool virus detection programs. The changes include replacing instructions with other equivalent ones. Examples:

        XOR AX,AX   --->  MOV AX,0000

        MOV ES,AX   --->  PUSH AX
                          POP ES

Also, NOP instructions have been inserted in several places, including inside the identification strings used by VIRUSCAN and most other similar programs. This seems to be a response by virus writers to anti-virus programs that look for infection by using identification strings. This method has so far only been used in two viruses that I know of, MIX1 and the '286 variant of the Ping-Pong virus.

Apart from these changes, two parts of the virus are almost identical to other variants of the Icelandic virus. In the installation part, the code to check INT 13 has been removed (as in Saratoga and Icelandic-2). The infection routine has been modified in the following ways:

        Infect every file (instead of every tenth program run).
        Do not infect a program, unless it is at least 16K long.
The Icelandic virus was first detected in June, disassembled a week later, and the disassembly was made available around the beginning of July. The MIX1 virus appeared in Israel in August - which is a very short time for a virus to spread around the globe.

Now - the question is: How did the authors of MIX1 obtain the Icelandic virus ?

It is almost certain that these viruses do not have the same author, because then the virus would surely have been based on Icelandic-2, which is a much more dangerous and effective variant. I see the following possibilities:

1) The author of MIX1 obtained a copy of Icelandic-1 from somebody who got infected with it, disassembled it and created a new virus. This sounds reasonable, but there is one major problem, which is that the Icelandic virus has (as far as I know) not been detected outside of Iceland.

2) The author obtained a disassembly, modified it and re-released it as MIX1. It is already known that at least one virus writer has access to virus disassemblies, that were only intended for virus specialists.

The problem is that obtaining well-commented virus disassemblies is not hard, and I would not be surprised if a number of new variants of viruses, based on them, would appear in the near future. MIX1 and Ping-Pong '286 may be just the first of this new generation.

---- frisk

------------------------------

Date:    23 Sep 89 20:36:15 +0000
From:    shull@scrolls.wharton.upenn.edu (Christopher E. Shull)
Subject: RFC: Guide to Fighting Macintosh Viruses:...

Macintosh Virus Experts:

I have just finished the second draft of a roughly two page guide to fighting Macintosh viruses. (The first draft was proofread only within my group, so don't feel left out if you didn't see it.) This set of instructions is fundamentally the advice I have been losing my voice repeating. To save my voice, I have written it down.

Please mail your comments, suggestions and constructive criticism to shull@wharton.upenn.edu, so I can enhance this document.
In the meantime, if you are tired of explaining how to defend against viruses and you like what I have written, please feel free to distribute my "Guide to Fighting Macintosh Viruses: Instructions for the Rest of Us", subject only to terms of the Copyright Notice.

Thanks in advance!

- -Chris

%--cut here-------------------------------------------------------

R E Q U E S T   F O R   C O M M E N T

Guide to Fighting Macintosh Viruses: Instructions for the Rest of Us

September 23, 1989

Christopher E. Shull
The Wharton School
University of Pennsylvania
Shull@wharton.upenn.edu

Disclaimer and Copyright Notice

This document may help you understand and cope with Macintosh viruses. It may however fail in this objective. Use it at your own risk. Neither the author, Christopher E. Shull, nor his employer, the University of Pennsylvania, make any warranty, either express or implied, with respect to the information contained herein.

Copyright 1989, University of Pennsylvania. Permission is granted to make and distribute copies of this document, provided this disclaimer and copyright notice are preserved on all copies. The document may not, however, be sold or distributed for profit.

Instructions

This file describes how to cope with Macintosh viruses.

1) Do Not Panic. As of this writing, all known Macintosh viruses are easily detected, destroyed and prevented.

2) Read these instructions from front to back, and then follow them step by step.

3) Using Disinfectant to Find and Kill Viruses.

   a) Obtain a bootable diskette containing the program Disinfectant from a trusted source. Disinfectant was written by John Norstad of Northwestern University. The current version is 1.2, dated August 4, 1989. (This is also a good time to get copies of Vaccine and GateKeeper, which are described in steps 5) and 6).)

   b) Write Lock this diskette by sliding the write protect tab to the open position (so you can peek through the little hole).

   c) Start or Restart your Mac from this diskette.
   d) Run Disinfectant by double clicking on its icon, and then following the simple on-screen instructions:

        Please read the instructions before running Disinfectant for
        the first time. Click on the About button.

        Special key summary. Hold down the key(s) while clicking on
        the Scan or Disinfect button. (See the instructions for
        details.)

        No keys                 = Scan or disinfect the selected disk.
        Option key              = Scan or disinfect a single folder or file.
        Command key             = Scan or disinfect a sequence of floppies.
        Option and Command keys = Scan or disinfect all drives.

      Note that Disinfectant suggests that you read its documentation first (by clicking the About button.) This is an excellent idea. However, if you are in a hurry and willing to risk using software you don't understand, just read the summary above and then click on the Disinfect button while holding down the appropriate key(s) (Scanning before Disinfecting has no benefit for normal folks).

   e) Disinfectant will report the details of its work in its center window.

   f) Examine the summary report to make sure all viruses were removed and no errors were encountered. If there were errors, try to fix the problems and disinfect the problem files or device again. If they do not go away, you need to read the instructions or get help from a Mac expert.

   g) When Disinfectant reports that no Viruses have been found, your main disk is clean. After disinfecting, be sure to restart your computer so memory resident viruses are destroyed! This is an excellent time to Disinfect all of your diskettes using the command key-Disinfect button combination. The next step is to make sure you don't get any more viruses in the future.

4) Using Disinfectant to Prevent Viruses.

   a) Disinfectant can be used to prevent the spread of viruses simply by scanning and disinfecting every new diskette that you ever use on your Mac, and every diskette that you use on someone else's Mac, and every program you buy or download.
   b) Because this requires a conscious, methodical and conscientious effort, an automatic method of preventing the spread of viruses is desirable.

5) Using Vaccine to Prevent Viruses.

   a) Vaccine, by Donald Brown of CE Software, Inc. is a Control Panel Document. The current and last version is 1.0. (The author declines in advance to fuel the escalating viruses and defenses game.)

   b) To use Vaccine, just copy it into your System Folder and restart your computer. You do not want to do this until your System Folder has been disinfected (see step 3), or your computer may not be able to start.

   c) Vaccine is now at work. No further configuration is required, although some is possible.

   d) To configure Vaccine, select Control Panel from the Apple menu, then select the Vaccine icon on the Control Panel, and follow the Instructions therein.

   e) As Vaccine's instructions explain, it may prevent some viruses. For more rigorous defense, you will need to use GateKeeper.

6) Using GateKeeper to Prevent Viruses.

   a) GateKeeper, by Chris Johnson, is also a Control Panel Document. The current version is 1.1.1, dated June 26, 1989, and is much easier to configure than version 1.1.

   b) Using GateKeeper requires more study on the part of the user, but should result in a more rigorously defended system.

   c) The first step in using GateKeeper is therefore to read, from front to back, the GateKeeper Introduction and the GateKeeper Release Notes documents, which come with GateKeeper in MacWrite format and are therefore readable in most Macintosh word processing programs.

   d) Following the instructions therein you can tighten your Mac's defenses against Viruses.

7) If Vaccine or GateKeeper Detects a Virus, return to Step 3) to remove it.

8) Join a Macintosh Users' Group so you can keep abreast of virus developments. This is important, because new viruses will appear that manage to circumvent the safeguards above, but we will simply develop new programs to combat them.
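Fridrik Skulason's MIX1 note earlier in this digest describes two changes aimed at scanners that look for identification strings: NOP instructions inserted inside the string, and instructions replaced by equivalent ones (MOV AX,0000 for XOR AX,AX; PUSH AX / POP ES for MOV ES,AX). The program below is an added illustration written for this digest, not code from VIRUS-L, from VIRUSCAN or from any real scanner, of why a literal identification string stops matching after such changes and how normalizing the bytes before matching restores the match. The instruction encodings are the standard 8086 ones; the "virus" fragment, the padding around it and the identification string are all constructed for the example and are not taken from MIX1 or the Icelandic virus.

```python
"""
Why NOP insertion and instruction substitution defeat a literal
identification string, and how normalizing before matching restores the
match. Added example; not from VIRUS-L, VIRUSCAN or any real scanner.
Every byte string here is constructed for the illustration.
"""

# Standard 8086 encodings of the instructions named in the MIX1 note.
XOR_AX_AX = bytes.fromhex("31c0")    # XOR AX,AX
MOV_AX_0  = bytes.fromhex("b80000")  # MOV AX,0000  (same effect as XOR AX,AX)
MOV_ES_AX = bytes.fromhex("8ec0")    # MOV ES,AX
PUSH_AX   = bytes.fromhex("50")      # PUSH AX
POP_ES    = bytes.fromhex("07")      # POP ES       (PUSH AX / POP ES == MOV ES,AX)
NOP       = bytes.fromhex("90")      # NOP
MOV_DI_0  = bytes.fromhex("bf0000")  # MOV DI,0000
INT_21    = bytes.fromhex("cd21")    # INT 21h

# Constructed "original" code fragment and the identification string a
# scanner would have taken from it (here simply the whole fragment).
ORIGINAL_FRAGMENT = XOR_AX_AX + MOV_ES_AX + MOV_DI_0 + INT_21
SIGNATURE = ORIGINAL_FRAGMENT

# Constructed variant built the way the note describes MIX1: equivalent
# instructions swapped in and NOPs inserted inside the signature region.
VARIANT_FRAGMENT = MOV_AX_0 + NOP + PUSH_AX + POP_ES + MOV_DI_0 + NOP + INT_21

# Constructed padding so each fragment sits inside a larger "file" image.
# The padding deliberately contains a 0x90 data byte (see the caveat below).
PADDING_BEFORE = bytes.fromhex("4d5a9000") + bytes(4)
PADDING_AFTER = bytes.fromhex("c3") + bytes(4)
ORIGINAL_IMAGE = PADDING_BEFORE + ORIGINAL_FRAGMENT + PADDING_AFTER
VARIANT_IMAGE = PADDING_BEFORE + VARIANT_FRAGMENT + PADDING_AFTER

# (variant byte sequence, canonical byte sequence), longest patterns first
# so multi-byte sequences are tried before single bytes.
EQUIVALENTS = [
    (MOV_AX_0, XOR_AX_AX),
    (PUSH_AX + POP_ES, MOV_ES_AX),
    (NOP, b""),
]


def exact_scan(image: bytes, signature: bytes) -> bool:
    """Literal string scan: the method the note says MIX1 was built to fool."""
    return signature in image


def normalize(image: bytes) -> bytes:
    """Rewrite known-equivalent sequences to one canonical form and drop NOPs."""
    out = bytearray()
    i = 0
    while i < len(image):
        for variant, canonical in EQUIVALENTS:
            if image.startswith(variant, i):
                out += canonical
                i += len(variant)
                break
        else:
            out.append(image[i])
            i += 1
    return bytes(out)


def tolerant_scan(image: bytes, signature: bytes) -> bool:
    """Scan after normalizing both the image and the identification string."""
    return normalize(signature) in normalize(image)


def scan_report(image: bytes, signature: bytes = SIGNATURE) -> dict:
    """Return both verdicts so the two methods can be compared side by side."""
    return {
        "exact": exact_scan(image, signature),
        "tolerant": tolerant_scan(image, signature),
    }


# Caveat: this rewrites raw bytes without decoding instructions, so a 0x90
# or 0xB8 that is really operand data (like the one in PADDING_BEFORE) is
# rewritten too. Real scanners normalize decoded instructions instead, and
# every new substitution trick needs another table entry, which is the
# escalation several contributors to this digest worry about.

if __name__ == "__main__":
    print("original image:", scan_report(ORIGINAL_IMAGE))  # both True
    print("variant image: ", scan_report(VARIANT_IMAGE))   # exact False, tolerant True
```

Run it as a script to see the two verdicts side by side: the literal scan finds the constructed original and misses the constructed variant, while the normalizing scan finds both. The normalization table has to hold one entry per equivalence the scanner author knows about, which is why the note's observation that identification strings can be defeated with a handful of instruction swaps matters for anyone maintaining a string-based scanner.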
------------------------------

Date:    Mon, 25 Sep 89 07:44:33 +0100
From:    sajn@loglule.se
Subject: A bouncing diamond star (What is it???)

A friend of mine has a PC that recently has been infected by some sort of a virus. The thing that happens is that a small diamond star is randomly bouncing like a ball on the screen.

My questions :
   . Does anyone know what damage this virus might do ?
   . Is there any virus removal software developed for it ?

------------------------------

Date:    Mon, 25 Sep 89 01:00:12 -0700
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: SCANV38 (PC)

ViruScan V38 is out and has been sent to Compuserve and the comp.binary sites. This version identifies the MIX1, the New Ping Pong, the Dark Avenger, Syslock (3551) and a new Vacsina string identifier. The MIX1, by the way, is identified by SCAN as an Icelandic variant, since it is 85% or more the original Icelandic virus. All earlier viruses are still identified by SCAN and the strings have not changed for this version. SCANRES has also been updated to prevent a system from being infected by any of the above viruses. Its version is SCANRES8.

Alan

------------------------------

Date:    25 Sep 89 18:54:15 +0000
From:    mcvax!kannel.lut.fi!huopio@uunet.UU.NET (Kauto Huopio)
Subject: Is this a virus ?

My Taiwanese-origin Comper AT (a 12 MHz machine with 1 meg of RAM) ran into trouble last night. My friend was playing Tetris (the original version), and after that I began to test WordPerfect 4.2. I looked at some directories and there were some *VERY* odd characters in the directory listings, blinking high intensity white. Quite often there was a "smiley face" character, also blinking high intensity white. Also, there were some ODD characters just at the beginning of the next line after the command prompt, when giving a DOS command. When I edited a small text with WP and tried to save it..the hard disk light just stayed on and.. I think you can guess the rest.
I booted my AT with a floppy disk and ran DIAGS. To my surprise, the hard disk came back! This morning I put up the system, and it worked for a couple of minutes, but died again (Sector not found error on drive C: ). I am running DOS 3.30.

Now, I have some questions:

1) What is the right size of DOS 3.30 COMMAND.COM ?
2) Should I do a low-level format with Ontrack Disk Manager 3.2 and try to do a clean system?
3) If this is caused by a virus, what is the bogus program ??

All help is welcome!!

- --Kauto

PS: Sorry about my poor English..

****************** Kauto Huopio (huopio@kannel.lut.fi) **********************
*US Mail: Kauto Huopio, Punkkerikatu 1 A 10, SF-53850 Lappeenranta, Finland *
*Project: Learn some GNU Emacs first.. :-)                                  *
*****************************************************************************

------------------------------

End of VIRUS-L Digest
*********************