VIRUS-L Digest             Tuesday, 24 Jan 1989        Volume 2 : Issue 23

Today's Topics:
New Dirty Dozen listing!
FLU_SHOT PLUS 1.5 (PC)
What do we have here? (Mac)
Mac virus, part II
WordPerfect 4.2 and ping-pong virus (PC)
Known PC Viruses in the UK and their effects (longish)

---------------------------------------------------------------------------

Date:    Mon, 23 Jan 89 13:04:53 -0800
From:    Steve Clancy
Subject: New Dirty Dozen listing!

Some kind user just uploaded the latest issue (8D) of the Dirty Dozen listing! Eric Newhouse (current author of the list) moved from California, and appeared to have dropped out of sight for a time. This latest issue gives his new address and BBS # as follows:

The Dirty Dozen List
c/o Eric Newhouse
40 Whitney Tavern Rd.
Weston, MA 02193

The Crest BBS @7 617-498-8448 1200/2400/9600 [HST]

I have not yet had time to call the BBS, but plan to soon. I do have the most recent list however, and would be more than happy to post it via LISTSERV, if ANYONE can please tell me how to do this. I have been entirely unsuccessful at getting UUENCODE or UUDECODE sent to me via LISTSERV, or any other files for that matter. Can anyone give me a simple, thumbnail sketch on how to accomplish this??? The list is also available on my BBS (phone #'s below).

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Steve Clancy                     | WELLSPRING RBBS            |
| Biomedical Library               | 714-856-7996 24 HRS        |
| P.O. Box 19556                   | 300-9600 N,8,1             |
| University of California, Irvine | 714-856-5087 nites/wkends  |
| Irvine, CA 92713                 | 300-1200 N,8,1             |
|                                  |                            |
| SLCLANCY@UCI                     | "Are we having fun yet?"   |
| SLCLANCY@ORION.CF.UCI.EDU        |                            |
|                                  |                            |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date:    MON JAN 23, 1989 18.48.23 EST
From:    "David A. Bader"
Subject: FLU_SHOT PLUS 1.5 (PC)

I just received a copy of Ross Greenberg's FLU_SHOT PLUS now in release 1.5 (it was released on 1/15/89). A lot of bugs and options have been cleaned up.
Has anyone else out there had a chance to play with it yet?

-David Bader
DAB3@LEHIGH

P.S. Please don't write to me specifically for a copy of the file. I'll see what Ken has to say about putting on the LISTSERV at LEHIGH.

[Ed. David, bring a disk in, and we'll post it on the LISTSERV. Thanks!]

------------------------------

Date:    Mon, 23 Jan 89 23:34:18 ECT
From:    "Kenneth J. Hoover"
Subject: What do we have here? (Mac)

Tonight, one of the print-room operators here came to me with a hard drive that is exhibiting suspicious behavior. Here is what he gave me:

1) The system involved is a Macintosh with a hard disk.
2) All of the files on the drive (some 12-15 programs) which use the LaserWriter are incapable of printing. This has been verified on LaserWriter Plus and II/NTX models.
3) Error codes 28 and 02 are returned, when they are returned at all.
4) The volume is supposedly locked (although he did not lock it) and this is hindering the execution of Interferon 1.0 and Virus Detective.

The user has had contact with bulletin boards, and also transfers files to and from the Macintosh computers here.

And now, for my guess: This looks like something that is either interfering with the AppleTalk or printer ports; or a bug that looks for and messes up PostScript printer commands/code in programs.

Does anyone know what could be going on here?

Kenneth J. Hoover
UG Consultant, Public Terminal and Microcomputer Complex
SUNY-Binghamton
Binghamton, NY, USA

------------------------------

Date:    Mon, 23 Jan 89 23:56:38 ECT
From:    "Kenneth J. Hoover "
Subject: Mac virus, part II

The user in the previous message just came to me and informed me that after setting his system date back 20 days, the programs in question now work, and the hard drive is now unlocked. Interferon v1.0 reports back clean when used. It appears the date of activation was 1/22/89.
Ken Hoover (CONSP21@BINGVMA.BITNET)

------------------------------

Date:    Tue, 24 Jan 89 14:02:23 IST
From:    "Eldad Salzmann (+972)-3-494520"
Subject: WordPerfect 4.2 and ping-pong virus (PC)

Reply to Dirk Bode re my query.

Dirk: Thanks a lot. Your letter to this forum following my query about WP and viruses really described precisely the problem I was facing and substantiated my suspicion.

I shall start from the end: I reformatted the hard disk and re-installed WordPerfect from diskettes. Everything works now just fine. As you probably remember, I couldn't load it from the HD -- it kept looking for its main program on the diskette in drive A (well, occasionally it looked also in drive B). I *did* check the RAM with MEMMAP, and I *did* see some unidentified chunk of 1700 bytes which no program claimed to own. I did that long before you, Dirk, wrote I should check the memory, which really confirmed what I suspected.

At the moment my friend's disk seems to work fine, but there is a new problem: the hidden files turn out to be damaged somehow every couple of days. I cannot think of any plausible explanation for that. Do viruses damage the two hidden files of the disk, to the extent that the affected disk is brought to a standstill after just running the autoexec.bat file? The remedy we found for this problem is just performing SYS C: each time the case reappears.

Revenons a nos moutons (our "lamb" in this case is the ping pong virus :) - Since we saw on screen a bouncing little ball, I attributed the problems we had with WPerfect to the bouncing ping-pong virus. You, Dirk, presented it under totally new light: you say there's a special virus which only affects WP 4.2. Do you really think it's likely that anyone would write such a program, and that this program *just* happened to contaminate my friend's disk? That's what I would call "odd". But then, there *are* oddities, lots of them...
Eldad Salzmann

------------------------------

Subject: Known PC Viruses in the UK and their effects

The article below summarises the viruses which have been known to affect IBM PCs and compatibles in the United Kingdom. It is written by Dr. Alan Solomon (drsolly@ibmpcug.CO.UK), the chairman of the IBM PC User Group in the UK and appears in the February 1989 issue of Connectivity, the newsletter of the User Group.

This article is (C) Copyright 1989 The IBM PC User Group (UK). Permission is hereby granted to reproduce this article for non-profit purposes, provided this notice is retained.

The Information Centre - PC Security by Dr Alan Solomon
-------------------------------------------------------

PCs are intrinsically very insecure. For many PCs, this might not matter; who cares if someone finds out that the menu for tomorrow is scrambled eggs? But increasingly, PCs are being used for critical applications, and either there is extremely important data on them, or else it is very important that they continue to run. Scrambled eggs are fine - scrambled FAT is not.

Many people take backup for granted. Obviously, backups are done on a regular basis, but how do you know that you have something that is restorable? I'll be coming back to this in a subsequent article. For now, I want to update members on the virus front, because quite a lot has happened, and much of what you read in the press is distorted by the Chinese Whispers treatment.

Virus facts and fiction
-----------------------

First, I have to say that the problems are very real. You have probably read in Computing that IBM has been infected by 1704 virus. Secondly, I must emphasise that viruses are still very, very rare on PCs, and many problems reported as viruses are the same old problems we always had. But they are getting commoner, and I am getting busier and busier in dealing with outbreaks.

First, let me define some terms. A virus is a self-replicating program, that copies itself without the user realising that this is happening.
A virus does not necessarily intend malicious damage. The main damage is always, always done by people's reactions, not by the viruses themselves. There is one virus around that has code in it for deleting files, and other viruses have unfortunate side-effects. But the main damage is usually done by someone panicking, and doing something extremely silly, because they don't know what is the correct procedure.

Viruses - what's out there?
===========================

Next - a list of the viruses that I know of so far, plus how to recognise them, and the intentional and unintentional damage done. Please remember, though, that most of these viruses have more than one variant, and it would be possible to write a virus that mimicked the action of an existing virus. So you mustn't assume that just because your symptoms match those given below, that you have the exact same virus. Also, the information given below is only a summary of all the information available, so please don't treat it as a full manual.

Stoned. Every 32nd boot-up, you see ``Your computer is now stoned.'' The boot sectors of infected diskettes are obviously abnormal, and include that message. No intentional damage. Unintentional damage - trashes 1.2 Mb floppies if they have more than 32 files, trashes about 5% of hard disks.

Brain. You see (c) Brain as a volume label on diskettes, and diskettes have 3k of bad sectors (the normal numbers are none at all, or 5k, or sometimes more). No known intentional damage. Unintentional damage - it slows down diskette accesses and causes time-outs, which can make some diskette drives unusable.

Italian. Once every half hour, if you are accessing the disk, the bouncing dot is triggered. The dot bounces off the edges of the screen, and passes through any text, with replacement after it. Sometimes this doesn't work properly, and screen displays are messed up.
Infected diskettes have 1k in bad sectors, infected hard disks have 2k (and other numbers of bad sectors are possible). No known intentional damage. Unintentional damage - the two copies of the FAT are left different; DOS might not like this. Attempts to infect diskettes slow them down, and some computers won't read floppies, due to time-outs.

1813 virus. Files grow by 1813 bytes (sometimes 1808), without changing their date and time or read/write/hidden attributes. COMMAND.COM does not grow, to help it avoid detection. Many anti-virus products do little more than watch COMMAND.COM. Intentional damage - there is code in the virus for deleting each program that you run on every Friday 13th. Half an hour after the virus installs into memory, the computer slows down - a 4.77 MHz PC runs at about 1/5 normal speed. A small black window opens temporarily in the bottom left hand corner. Unintentional damage - .COM files grow once, taking up slightly more space. Also, .EXE files grow each time they are infected, and eventually will not load.

648 virus. .COM files grow by 648 bytes, without changing date/time or attributes. Intentional damage - one infected file in eight (at random) is changed in such a way that the program will not run. No known unintentional damage.

1701 virus. Files grow by 1701 bytes. This is a third generation virus - the code is encrypted, to fool programs that search for viruses automatically, looking for code that is characteristic of viruses. This also meant that disassembling it took a bit longer than usual, but I've now finished the disassembly. Occasionally, 1701 triggers a ``hailstorm''. The characters on the screen behave as if they were pinned to the screen, and someone is removing the pins one at a time - it looks a bit like a hailstorm, and has suitable sound effects. In fact, it is a purely audio-visual effect - nothing is happening to your data.
But most people seeing it would be so alarmed that they would reach for the off switch, and switching a computer off in the middle of processing a database can cause big problems.

IBM got infected recently by 1704 virus, which I believe is a slightly different version of 1701. They sent a letter to all customers that could conceivably have been infected - a very responsible thing to do.

As you can see, there are an increasing number of viruses, and an increasing number of people affected. If you see any of these symptoms, you should do three things.

1. DON'T PANIC. That does more damage than anything else. Don't just start deleting and formatting - at least keep a specimen so that I can disassemble it. The flame thrower approach tends to destroy the evidence of how it got in (which could help the unfortunate person that inadvertently gave it to you) and without even fixing the problem. Don't let anyone else panic, either.

2. Make sure that everyone who knows about it is told to keep their mouths shut. The press are desperately keen to find a big company that has been struck, and will have a field day. An immense amount of damage could be done to the company's name. If the company decides to tell the world, that's fine and noble, but the decision must be made at the highest possible level.

3. Seek expert advice. Do not attempt to deal with it yourself - unless you have already dealt with several cases before, a virus is outside your experience. In particular, the virus MUST be disassembled - otherwise it could have many surprises.

One of the biggest problems is in dealing with the diskettes. Every PC is accompanied by a vast cloud of diskettes, and at least some of these must be infected. Usually, less than 1% are infected (although in the case of a boot sector virus such as Brain, Italian or Stoned, anything up to 5% of diskettes could be infected before the virus is spotted), but the problem is to find them.
If you leave even one infected diskette - well, it was almost certainly just one diskette that brought the problem in. My approach is to use a hopper-fed machine that can check 700 floppy diskettes per hour; the main alternative is to train sufficient operators to do it manually.

How you treat infected disks and diskettes depends on the virus, and its modus operandi. I haven't yet seen a situation where it was necessary for anyone to lose any data, although the flame-thrower approach certainly can do damage.

As if this wasn't bad enough, there are now a few more problems that I'm trying to fight. The first is too late - one magazine has published about 55% of the Italian virus, together with a useful plethora of technical information about how it works. I won't tell you which magazine, as I don't want things to get any worse, but many members will have seen the article, and I would suggest that you write to the editor to express your own opinions on the subject.

The next problem is that a magazine has quoted someone as saying that he could write a virus that ``could put a software house out of business overnight''. I don't think that the magazine should have used that quote, and I hope that it doesn't give people ideas.

But the third problem is the worst. I have a firm rule about never giving copies of a virus ``for experimental and research purposes'' to anyone (except, of course, if a company already has the virus then it doesn't matter). One could argue that this is tantamount to suppression of useful information (and this has been suggested to me). But obviously one should only give a virus to a responsible, technically capable person, and I'm frankly not very good at assessing this over the phone - I get many calls asking for viruses. So, since I can't be sure that the person asking is a suitable candidate, I have so far always refused. If a bona fide government department were to approach me, I would probably feel different, but that hasn't happened.
One of the people who felt differently on this point has obtained copies of Brain and Italian. He has said that he will give copies to any responsible person who asks him, for research purposes. I don't know how he will decide, but I hope and pray that he is better at judging character than I believe possible, and able to detect a plausible liar. He says that he is acting from the highest, noblest motive - freedom of information. I used to believe in freedom of information myself, so I can almost understand him. But I profoundly disagree with what he's doing, as the easiest way to write a virus is to disassemble someone else's, and change it to do what you want.

How to learn more
-----------------

The best way to keep up to date with virus developments is on Connect (01-863 6646 - 1200, N, 8, 1). There are a number of conferences devoted to viruses. This article was posted to Connect in conference connect.virus on January 10th and I will be posting further updates to this list of known viruses with their symptoms and effects as soon as I have details.

One thing I have done is write a program for testing anti-virus products. This uses a few different methods for writing to the boot sector of floppy diskettes - TESTVACC is quite harmless, of course, but it is doing something that many viruses do. Many anti-virus products claim to be able to detect and/or prevent this sort of thing, so you install your anti-virus program, and then run TESTVACC. TESTVACC tries to write a simple message to the boot sector of the floppy disk, using four different methods, any of which could be used by a virus. I've tried several well-known anti-virus products, and although it detected the first two methods of writing to the boot sector, it didn't notice the third or fourth method. You can inspect the boot sector afterwards, using whatever disk sector editor you like, and draw your own conclusions. I'm making TESTVACC shareware, so it is available from the User Group Library.
Also we hope to run a special series of workshops on viruses in the near future. If you would like to take part then please write to me at the User Group. This workshop will look at ways of reducing the risk of infection, what to do if you think you are infected and, in the event of infection, how to disinfect your systems.

Submitted by: Alan Jay (alanj@ibmpcug.CO.UK), Editor, Connectivity, the newsletter of The IBM PC User Group, UK.

--
Alan Jay @ The IBM PC User Group, PO Box 360, Harrow HA1 4LQ ENGLAND
Phone: +44 -1- 863 1191                    Email: alanj@ibmpcug.CO.UK
Path:  ...!ukc!pyrltd!slxsys!ibmpcug!alanj   Fax: +44 -1- 863 6095
Disclaimer: All statements made in good faith for information only.

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
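Editorial example appended after the digest; it is not part of the digest and not code from Dr Solomon, the IBM PC User Group or any other contributor. The tell Solomon gives for the 1813, 648 and 1701 viruses (executables whose contents and size change while date/time and attributes are left untouched, with COMMAND.COM deliberately left alone) is exactly what an integrity baseline over every executable catches, and what a product that only watches COMMAND.COM misses. The Python below records size, modification time and SHA-256 for every .COM/.EXE under a directory, compares two snapshots, and flags a content change whose timestamp was preserved. All file names, sizes and the 1813-byte payload are constructed for the demo in a temporary directory; the "infection" is simulated by appending bytes and restoring the timestamp, and the helper names are my own.

```python
"""Integrity baseline for DOS-style executables.

Added example, not from the digest: flags the pattern Solomon describes
for the 1813, 648 and 1701 viruses (file contents and size change while
date/time stay the same), over every .COM/.EXE rather than COMMAND.COM alone.
All sample files and sizes below are constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

EXEC_SUFFIXES = (".com", ".exe")
ONE_SECOND_NS = 1_000_000_000


@dataclass(frozen=True)
class Record:
    size: int
    mtime_ns: int
    sha256: str


def snapshot(root):
    """Record size, modification time and SHA-256 of every .COM/.EXE under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(EXEC_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = Record(st.st_size, st.st_mtime_ns, digest)
    return baseline


def compare(before, after):
    """Return sorted (relpath, verdict, size delta) for every changed executable.

    The hash catches any content change; a content change with a preserved
    timestamp is the file-infector tell, since an ordinary save updates mtime.
    """
    findings = []
    for rel, old in before.items():
        new = after.get(rel)
        if new is None:
            findings.append((rel, "missing", -old.size))
        elif new.sha256 != old.sha256:
            preserved = new.mtime_ns == old.mtime_ns
            verdict = "modified, timestamp preserved" if preserved else "modified"
            findings.append((rel, verdict, new.size - old.size))
    for rel in after.keys() - before.keys():
        findings.append((rel, "new", after[rel].size))
    return sorted(findings)


def append_to_file(root, rel, payload, keep_mtime):
    """Append payload to a file. keep_mtime=True restores the original
    timestamps the way an appending infector does; False advances mtime by
    one second explicitly, standing in for an ordinary later save."""
    path = os.path.join(root, rel)
    st = os.stat(path)
    with open(path, "ab") as f:
        f.write(payload)
    new_mtime = st.st_mtime_ns if keep_mtime else st.st_mtime_ns + ONE_SECOND_NS
    os.utime(path, ns=(st.st_atime_ns, new_mtime))


def demo():
    """Constructed scenario: WP.EXE 'infected' with 1813 bytes and its timestamp
    restored, EDIT.COM legitimately updated, COMMAND.COM untouched, and a
    .TXT file that the scan ignores."""
    root = tempfile.mkdtemp()
    try:
        samples = {"COMMAND.COM": b"\xcd\x21" * 50, "EDIT.COM": b"\xcd\x21" * 25,
                   "WP.EXE": b"MZ" + b"\x00" * 200, "README.TXT": b"notes"}
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        before = snapshot(root)
        append_to_file(root, "WP.EXE", b"\x90" * 1813, keep_mtime=True)   # infector-like
        append_to_file(root, "EDIT.COM", b"\x90" * 10, keep_mtime=False)  # honest update
        return compare(before, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, verdict, delta in demo():
        print(f"{rel:12} {verdict:32} {delta:+d} bytes")
```

The hash alone is what makes the check honest: a size-only or timestamp-only watch is fooled by an infector that pads to the old size or restores the date, which is why the verdict keys on the content change first and reports the preserved timestamp as the suspicious detail rather than the trigger. In practice the baseline would be taken from known-clean media and kept off the machine being checked, since a resident virus that hooks file reads can feed the scanner a clean image of the file.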