VIRUS-L Digest Tuesday, 24 Oct 1989 Volume 2 : Issue 220 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: The Power to Look Your Stupidest... (Mac) Not-equals VIR Resource (Mac) RE: IBM-PC virus scanning program from IBM (PC) Dark Avenger and scanners (PC) Re: 0 bytes in 1 hidden file, virus?? (PC) Viruses in archives (PC) init29: data->application?(Mac) Viral susceptivity of UNIX vrs MS-DOS Ohio Virus (no system given) Creating a virus free boot disk (PC) Re: /VIR ([not-equal-to-sign]VIR) App Signature (Mac) Re: The DataCrime viruses (PC) It can happen to anyone :-( (PC) --------------------------------------------------------------------------- Date: Mon, 23 Oct 89 11:17:31 -0400 From: Joe McMahon Subject: The Power to Look Your Stupidest... (Mac) Some significant facts: 1) Careful testing of SuperClock 3.5 (including dissection via ResEdit) turns up no - repeat, NO - viruses of any kind from any source I can get it from. 2) STR 801 in a MacWrite file is OK and is in fact normal. 3) No further developments have been heard. Can you please tell us more, if anything? 4) Has anyone actually gotten to see this supposed virus? If you have a copy, will you PLEASE send it to John Norstad, or your favorite author of anti-virals? I apologize abjectly to those who may have been misled by *my* contributions. Networking means having to say you're sorry to LOTS of people :-(. --- Joe M. ------------------------------ Date: Mon, 23 Oct 89 11:24:14 -0400 From: Joe McMahon Subject: Not-equals VIR Resource (Mac) A Not-equals-VIR resource on your disk or in your Desktop file just means that you ran the Interferon program at some point and haven't removed it or rebuilt your Desktop file lately. Nothing to worry about. --- Joe M. ------------------------------ Date: 23 Oct 89 00:00:00 +0000 From: CHESS@YKTVMV.BITNET Subject: RE: IBM-PC virus scanning program from IBM (PC) Thomas Lapp writes: > Since it reports the number of files searched and number of > disks checked, I suspect that this program would not be able to find > those viruses which reside on sectors which are then marked bad. All the viruses that I've heard of that live even partially in bad sectors are boot-sector viruses; the "initial hook" of the virus is written to the boot sector, and that hook then reads the rest of the virus off of some sector elsewhere on the disk (which was marked bad in the FAT at initial infection). The IBM virus scanner (and the McAfee one, and probably others) scans boot records to detect this type of virus. In general, a virus has to arrange to get executed; the viruses we've seen so far do this either by modifying executable files, or by modifying the boot record of a disk or diskette. So scanners for known viruses that scan executable files and boot records are looking in the right places! A "virus" that just marked a sector as bad and wrote itself there, without altering the boot sector or any other executable object, would never get executed... DC ------------------------------ Date: 23 Oct 89 00:00:00 +0000 From: CHESS@YKTVMV.BITNET Subject: Dark Avenger and scanners (PC) (This is in reply to Alan Roberts' warning about the Dark Avenger and scanners in VALERT-L.) The recommended procedure for using the IBM Virus Scanning Program includes, I'm pretty sure, cold-booting the machine from a trusted boot diskette before running the scanner. This will keep the "spreads to all files on the disk" from happening, since it will mean that the virus isn't in control when the scanner runs. It's also a bit of a pain, but it may be worth it. If another virus like the Dark Avenger appears, and you run a scanner that doesn't know about it, without cold-booting first, you could end up with an entire disk full of infected files, and not even know it! This isn't really a bug in the scanners that needs to be "fixed". Any program that opens many many files can have the same effect when an infect-on-open virus is active. This includes virus scanners, anti-virus programs that compute check-values for your executables to let you know what's changed, backup programs, GREP-like programs, and so on. It would certainly be a nice enhancement if the scanners also scanned RAM before going to the disk, but even that won't solve the general problem (since an infect-on-open virus not known to the scanner can still be spread to the entire disk, unless you cold-boot before scanning). DC ------------------------------ Date: Mon, 23 Oct 89 11:09:00 -0500 From: Subject: Re: 0 bytes in 1 hidden file, virus?? (PC) In reference to CHKDSK's message about 0 bytes in 1 hidden file, if I remember correctly, CHKDSK is probably registering the volume label, in which case PCTOOLS does show it (at the top of the screen, instead of in the file listing). Try installing the system onto the disk (i.e. SYS A:), and then run a CHKDSK. It should register xxxxxx bytes in 3 hidden files, where xxxxxx depends on the version of the system that you are using. Respectively, the hidden files should be: IBMBIO.COM -- Contains the BIOS routines IBMDOS.COM -- Contains the DOS routines (volume label) IBMBIO.COM and IBMDOS.COM will appear in the PCTOOLS window. They will probably have the HIDDEN, SYSTEM, and READ-ONLY bits on. It may also have the ARCHIVE bit on. Joel N. Fischoff Software Support/Technician DePaul University, Chicago, IL ------------------------------ Date: Mon, 23 Oct 89 14:25:00 -0600 From: CHRISTOPHER%GACVAX1.BITNET@VMA.CC.CMU.EDU Subject: Viruses in archives (PC) Are there any programs currently available that will check for viruses within an archive file? I am familiar with the SHEZ program and how it can be used with VIRUSCAN to scan archives, but SHEZ un-arcs the archive file before running VIRUSCAN. My question is, does a program exist or could one be developed that searched for signs of an archived and infected program? I can see two big problems with this immediately. First, each different archiving algorithm will archive a virus (call it X) differently. An ARCed X will be different from a ZIPed X will be different from a ZOOed X, etc. Secondly, say that virus X attaches itself to the end of COM files. Will the output (archived file) of an archiving algorithm translate virus X into the same byte sequence every time? For example, program A is infected and becomes AX. Is arc(AX) (archived AX) the same as arc(A) + arc(X) and is arc(BX) the same as arc(B) + arc(X)? I inquire because I have archived programs/software, and I would like to know if programs in archives are infected without de-archiving them (at last count I had over 100 .ARC files) and then SCANing them as SHEZ does. Christopher Kane ------------------------------ Date: Mon, 23 Oct 89 10:55:45 -0700 From: jim@insect.Berkeley.Edu Subject: init29: data->application?(Mac) INIT29 is a "popular" :-) new Macintosh virus that has the unusual property of being able to infect data files, as well as applications. QUESTION: If a diskette that CONTAINS ONLY DATA FILES, which are infected by INIT29, is accessed by an uninfected application residing on a clean diskette, can the virus spread to the clean disk? (Prior to INIT29, I had been advising my users that if they go to Kinko's they would be safe if they took only their data diskette. But if a data infection can spread to their application disks, this would not be good advice.) Anyone got the REAL answer? Jim Bradley, CNR Computer Facility, UC Berkeley ------------------------------ Date: Mon, 23 Oct 89 16:15:00 -0800 From: Steve Albrecht Subject: Viral susceptivity of UNIX vrs MS-DOS in: VIRUS-L Digest V2 #217 Subject: Operating System virus protection (DOS & UNIX) Re: UNIX virus proof?! (UNIX) jlg@lanl.gov (Jim Giles) writes: >>I wouldn't say UNIX is virus-proof (I posted a hoax article about a >>UNIX virus over a year ago, just before the Internet Worm incident), >>but it's sure a hell of a lot more virus-resistant than DOS. > >How do you know? The only machines DOS runs on are PCs and compatibles. >UNIX implemented on these machines would be just as vulnerable as DOS. >The most obvious weaknesses of DOS are unimportant compared to the fact >that the hardware itself has no protection mechanisms. Assuming everyone means "MS-DOS" when using the common acronym "DOS"... Every UNIX implementation on 80286/386 processors that I've seen uses the Intel Protected Mode. If used properly, this provides process isolation. This alone is a great security improvement over MS-DOS. File system security can be provided similarly by using memory-mapped rather than i/o mapped devices. Their are a few UNIX implementations which run on 8088-based PCs. It is true that hardware support for process isolation and file security are lacking in off-the shelf IBM PC and PC/XT-type machines. The rarity of such machines running UNIX is a wonderful defense against viruses, however. The fact remains that most users of PC/AT and 386-based machines use MS-DOS which, now in its 4th major version, is still incapable of using Intel Protected Mode. Thus, Peter's original statement is fully justified. MS-DOS is (also) an easier target than UNIX because of its simplicity and easy access to technical information. While UNIX internals are also widely available, they are written for more sophisticated readers. The multitudinous flavors of UNIX also inhibits low level attacks. MS-DOS is is a sitting duck (such being the price of standardization). As an aside, I abhor the idea of anyone promulating "virus hoaxes" or other forms of terrorism. As I lack complete understanding of Peter's claim to have "posted a hoax article about a UNIX virus over a year ago", I will resist further comment on this distasteful subject. (::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::) ) Steve Albrecht - IntelliCorp, Inc. - Knowledge Systems Product Development ( ( "Opinions expressed here are my own, if anyone's, and not my employer's." ) ) DDS albrecht@intellicorp.com : COMPUSERVE 73657,1342 ( ( UUCP ...!sun!intellicorp.com!albrecht : public bbs (415)969-5643 ) ) or ...!sun!icmv!albrecht : "c"omment to sysop ( (::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::) ------------------------------ Date: 23 Oct 89 14:13:01 +0000 From: wsinrn@urc.tue.nl (Rob J. Nauta) Subject: Ohio Virus (no system given) Hello everybody I'm back on a new usercode. If you still have my old one (RCSTRN@HEITUE51.BITNET) please replace it by this one, as my bitnet account expired sept. 1st. I have a question. I recently found the Ohio Virus on a disk. I've never heard of it, who knows more about it? Thanks in advance Rob J. Nauta wsinrn@eutrc3.UUCP wsinrn@urc.tue.nl ------------------------------ Date: Mon, 23 Oct 89 22:24:09 -0400 From: Dave Subject: Creating a virus free boot disk (PC) In regards to the already-resident-virus problem(disinfecting), I follow a fairly easy procedure... Do a low-level format of a new disk.. Take your original(Write-protected, of course) dos and sys the disk.. add command.com and your favorite virus scanner.. This is something that you should do BEFORE you are infected... You have to be sure that your scanner is clean.. Now write protect the disk and tuck it away somewhere.. If you think you're infected, shut down and boot from your floppy.. Now you have no resident virus's.. I don't trust mem-res scanners, myself.. Dave Hoelzer @sunyB.. CONSP12@bingvaxa ------------------------------ Date: Tue, 24 Oct 00 19:89:02 +0000 From: biar!trebor@uunet.UU.NET (Robert J Woodhead) Subject: Re: /VIR ([not-equal-to-sign]VIR) App Signature (Mac) In: VIRUS-L Digest Monday, 23 Oct 1989 Volume 2 : Issue 216 prieto@gem.mps.ohio-state.edu (Juan Pablo Prieto-Cox) writes: >I also found a resource of type =/VIR (for >typographical reasons by =/ I mean the symbol for not equal). Remember >that I had already ran Disinfectant. Does anyone have a clue? or a >similar problem? You may have a new nVIR strain (I would appreciate copies of infected files), but =/VIR is the application signature of my Interferon program. This is not the first time this has come up, and in retrospect it may have been a bad choice. Just FYI: =/VIR Interferon VIRx Virex (early versions) VIRy Virex (more recent versions) Robert J Woodhead, Biar Games, Inc. !uunet!biar!trebor | trebor@biar.UUCP Announcing TEMPORAL EXPRESS. For only $999,999.95 (per page), your message will be carefully stored, then sent back in time as soon as technologically possible. TEMEX - when it absolutely, postively has to be there yesterday! ------------------------------ Date: 24 Oct 89 09:13:11 +0000 From: jr@ncrsecp.Copenhagen.NCR.dk (Jakob Riis) Subject: Re: The DataCrime viruses (PC) In article <0002.8910062006.AA22699@ge.sei.cmu.edu> David.M..Chess.CHESS@YKTVMV writes: >> DC-2 does it on any day >> between Jan 1 and Oct 12, except on Sundays! >That's not true for the sample that I've seen. I suspect someone's >just misreading the code (it's easy to do; that area is rather >convoluted). It could be a new variant, of course, but if it really >*did* do its damage between Jan 1 and Oct 12, wouldn't it have >basically Gone Off by now? I think your source is just misinformed. You might both be right ! The de-assembled code I've seen shows that its fairly easy to trim DCII to go off anytime you would like it - in fact you can de-arm it yourself by setting the day check equal 8 ! (but I guess I would rather re-install the original programs). If I don't remember wrong the newly dreaded Columbus day Virus was such a re-programming of DCII. Just my 2 cents worth, _____________________________________________________________________________ Jakob Riis | Jakob.Riis@Copenhagen.NCR.dk NCR Corporation | or Systems Engineering Copenhagen | ..!uunet!mcvax!dkuug!ncrsecp!jakob.riis - --------------------------------------------------------------------------- ! A plucked goose doesn't lay golden eggs ! - --------------------------------------------------------------------------- ------------------------------ Date: Tue, 24 Oct 89 11:18:37 GMT From: frisk@rhi.hi.is (Fridrik Skulason) Subject: It can happen to anyone :-( (PC) Well - now I know of one victim of the Datacrime-II virus ..... myself. :-( Last Tuesday I was demonstrating how any known virus could be stopped with my anti-virus program. Unfortunately I had forgotten that it was not installed at the time :-( So, when I ran a program infected with DataCrime-II, I just got the message DATACRIME II Bye bye hard disk...... I turned the computer off, but when I turned it on again the computer would of course not boot from the hard disk, but instead jumped into BASIC. When I booted from a diskette, the computer would not even admit that drive C: existed. It sounds bad, but this took only a few minutes to fix, simply by... ... formatting track 0 with correct parameters ... running NDD and everything was back to normal again. phew ! -- frisk [Ed. NDD = Norton Disk Doctor, right?] ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253