VIRUS-L Digest Wednesday, 6 Jun 1990 Volume 3 : Issue 108 Today's Topics: Analysis of the KEYBGR / FACE problem (PC) Re: intentional viruses and happy face (general and Mac) Re: Mac Happy Face turns into a Devil... (Mac) Stoned (PC) Re: Removing Stoned from harddisks (PC) Re: How to reset CMOS configuration that prevents booting? (PC) Re: Mac Happy Face turns into a Devil... (Mac) Search strings for IBM VIRSCAN program (PC) How many Universities have a site-license for McAfee's programs (PC) Possible virus (PC) The Devil Made Me Do It WARNING: Potential Trojan Horse 'STEROID' (Mac) Gutowski Comments on Unix v. MVS et. al. F*** Clone of nVir B (Mac) Info wanted - European Computing Services Assoc. VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Tue, 05 Jun 90 16:14:39 -0500 From: Christoph Fischer Subject: Analysis of the KEYBGR / FACE problem (PC) Hi over the weekend I analysed the KEYBGR.COM it is a hacked version of the original KEYBGR.COM MSDOS V2.1. I asked Mr Joest to keep an eye on the replacements (original) maybe they change again, this could possibly be a hint that they have a trojan horse producing a trojan horse. (This is theory sofar and they ran tests that turned out negative, so lets hope it stays that way) Again as a result: it is *not* a virus! It is a trojan horse with transient damage. Christoph Fischer ***************************************************************** * Christoph Fischer * * Micro-BIT Virus Team / University of Karlsruhe / West-Germany * * D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-37 64 22 * * E-Mail: RY15 at DKAUNI11.BITNET * ***************************************************************** ------------------------------ Date: Tue, 05 Jun 90 11:43:33 -0400 From: Joe McMahon Subject: Re: intentional viruses and happy face (general and Mac) >I have had just the strangest thought about all of the commercial >products out there on the market that protect from viruses, for >example Symantec's Anti-Virus for the Macintosh -- a product that >"learns"... Two points: Deterction is the best solution to viruses. Find them and replace the programs if you want to be sure you're safe. Second, I know where SAM's author lives :-). Seriously, you've got to trust someone. Especially that if someone got caught doing that, I'm sure that there are plenty of existing laws they could be convicted under (extortion?). >Subject: Mac Happy Face turns into a Devil... (Mac) > >I just experimented with a public Mac which wasn't >working too well. When I watched it boot up, the usual >smiling Macintosh icon turned into a devil with horns, >fangs and a long tail. I checked it with Disinfectant 1.8 >and found nothing. Does the "Welcome to Macintosh" window appear afterward? If not, someone's probably put a startup screen in the System Folder. I just tried this - I got my Mac to stick out its tongue at me :-). --- Joe M. ------------------------------ Date: 05 Jun 90 16:19:10 +0000 From: nikhefk!keeshu@relay.EU.net (Kees Huyser) Subject: Re: Mac Happy Face turns into a Devil... (Mac) wayner@svax.cs.cornell.edu (Pete) writes: #I just experimented with a public Mac which wasn't #working too well. When I watched it boot up, the usual #smiling Macintosh icon turned into a devil with horns, #fangs and a long tail. I checked it with Disinfectant 1.8 #and found nothing. # #My questions are: # #1) Is this a virus or is it some legitimate program I've #never experienced before? # #Peter Wayner Department of Computer Science Cornell Univ. Ithaca, NY 14850 #EMail:wayner@cs.cornell.edu Office: 607-255-9202 or 255-1008 #Home: 116 Oak Ave, Ithaca, NY 14850 Phone: 607-277-6678 Take a look in the System Folder on this Mac. If you find a file called StartUpScreen, take a look at it with MacPaint. This will probably show you the devil in all its glory... If you don't find StartUpScreen, *or* if it doesn't contain a devil you might be in trouble..... - --kees /* -------------------------------------------------------------------- */ /* keeshu@nikhefk.uucp or {..!uunet.uu.net}!mcsun!hp4nl!nikhefk!keeshu */ /* The National Institute for Nuclear Physics and High-Energy Physics */ /* P.O.Box 4395, 1009 AJ Amsterdam, The Netherlands, phone:+31205920124 */ /* -------------------------------------------------------------------- */ ------------------------------ Date: Tue, 05 Jun 90 10:44:06 -0400 From: padgett%tccslr.dnet@UVS1.orl.mmc.com (A. Padgett Peterson) Subject: Stoned (PC) >During the last two months there were several asks how to remove >the STONED-virus from harddisks. The solution is quite easy : In previous issues, I have seen a number of postings on the STONED virus reguarding disinfecting disks. One thing that is often missed is that three separate methods seem necessary: a) floppy disks b) un-partitioned hard disks c) partitioned hard disks It is not well documented but on boot up with a partitioned disk there is executable code in the partition table that tells DOS where to find the boot record for the first partition and that the STONED is reported to be able to infect this (I have a copy but have not had the time to check it out). DEBUG cannot read/modify the partition table so some of the methods presented thusfar will not necessarily work on such a disk. I suspect that the STONED simply replaces the first physical sector (DEBUG uses logical sectors) and does not care whether it contains the boot sector or the partition table and stores the original sector in physical sector 7. Padgett Peterson ------------------------------ Date: Tue, 05 Jun 90 19:35:11 -0500 From: "Zoltan DAROCZI (8350893)" <8350893@AWIWUW11.BITNET> Subject: Re: Removing Stoned from harddisks (PC) Martin Zejma ( 8326442-awiwuw11.bitnet) writes: >4) write this sector over the infected boot sector of the harddisk. > ( that's Head 0 , Track 0 , Sector 0 , just to make it failsafe). the sectornumbers on harddisks are starting at 1, not at 0 || so the right position is Head 0 , Track 0 , Sector 0. at 3) the sectornumber is correct. ------------------------------ Date: 05 Jun 90 17:49:46 +0000 From: bwb@sei.cmu.edu (Bruce Benson) Subject: Re: How to reset CMOS configuration that prevents booting? (PC) CCBOBVER@uqvax.decnet.uq.oz.au writes: >> manner that the machine will no longer boot; when I reset it, it goes >> beep-beep-beep pause beep-beep-beep... > > The three beeps seem to indicate a memory error. You may have > done some unintentional mods to your memory configuration on the > motherboard. Any PC will not boot if it either finds an error in > the first 16KB of RAM or cannot locate it as this is usually where > it tries to load the startup BIOS. Just within the last 5 days my Zeos 386 w/AMI Bios has started this same pattern of three beeps. The AMI documentation says this means an error in the first 64K. A few other facts: - seems to happen when I first boot the machine after being off many hours - repeated cold boots eventually resulted in a successful boot - replacing all simms (4mb) had no affect on the problem (but I do now have a total of 8Mb of memory, good excuse to buy!) - using the hardware reset switch clears the problem immediately - the only system changes in this period was to add an internal MNP modem I am still playing with the problem, but anyone with more insight into the meaning of the 3 beeps, or why the reset switch would work differently than power on/off, please offer up your insights. * Bruce Benson + Internet - bwb@sei.cmu.edu + + * Software Engineering Institute + Compuserv - 76226,3407 + >--|> * Carnegie Mellon University + Voice - 412 268 8496 + + * Pittsburgh PA 15213-3890 + + US Air Force ------------------------------ Date: 05 Jun 90 17:54:38 +0000 From: rdclark@Apple.COM (Richard Clark) Subject: Re: Mac Happy Face turns into a Devil... (Mac) The "Fanged Happy Face" is a deliberate side effect of installing the Levco "Monster Mac" RAM upgrade (and an accelerator, I think.) - -----------------------------+----------------------------------------------- Richard Clark | "If you don't know where you're going, Instructor/Designer | don't go there" -- Sybalski's Law Apple Developer University +----------------------------------------------- AppleLink, GEnie, Delphi, MCI, Internet: rdclark CI$: 71401, 2071 ------------------------------ Date: Tue, 05 Jun 90 14:35:48 -0400 From: Ken Rosenberry Subject: Search strings for IBM VIRSCAN program (PC) The VIRSCAN.EXE program from IBM uses two signature files as input when performing a virus scan. These files are: SIGFILE.LST - a list of signature entries for EXE and COM files SIGBOOT.LST - a list of signature entries for boot sectors We have versions of these files dated Sept 11, 1989. Are there any persons who maintain updated versions of these files as new viruses are discovered? If so, could you please either E-mail me the new files or post info on where they could be obtained. Thank you Ken Rosenberry BITNET: hkr@psuvm Senior Systems Programmer Internet: hkr@psuvm.psu.edu Pennsylvania State University APPLELINK: u0485 ------------------------------ Date: Tue, 05 Jun 90 14:55:39 -0400 From: Ken Rosenberry Subject: How many Universities have a site-license for McAfee's programs (PC) Various organizations within our University are attempting to negotiate a site license for John McAfee's virus scan and clean programs. We are finding that the cost for the programs is VERY high ($18,000 per year). That is a significant portion of our computing center's software budget for new acquisitions. I'd like to know what other institutions are paying for the rights to use this software. Please E-mail your responses directly to me; I will keep the information confidential. Thank you. Ken Rosenberry BITNET: hkr@psuvm Senior Systems Programmer Internet: hkr@psuvm.psu.edu Pennsylvania State University APPLELINK: u0485 ------------------------------ Date: Tue, 05 Jun 90 16:24:00 -0500 From: SEAN KRULEWITCH Subject: Possible virus (PC) To Who it may concern: I am fairly new to the whole idea of viruses and the like. I recently purchased an IBM clone (AMI motherboard 386-20) and have experienced a few unusual things. Files seem to be vanishing off the disk, and other programs are acting weird. For example when I run Windows386 I get a KERNSTUB error during boot, and I am sent back to the dos prompt. When I try again, I get an incorrect Dos version error. If I then proceed to type ver it says Dos 3.41. However I am running Dos 4.01. If i type ver a few more times it continues to say dos 3.41. After the third or fourth time it goes back to saying Dos 4.01. Also Procomm locks up when I try to enter the setup mode (ALT-S) and I am forced to turn the machine off (Warm boot doesn't work). After a while the whole system seems to slow down considerably. One symptom that seems to be common is a small section of the lower left hand side of the screen seems to shift up, leaving a small "hole". This happens in various programs and at the dos prompt. I thought it may be a problem with my video card, but the card checks out ok. Certain programs that worked before no longer work. If anyone knows what this may be, please contact me. I can be reached at the following addresses: KRULEWIT@IUBACS.BITNET or IBNG300@INDYVAX.BITNET Sincerely, Sean V. Krulewitch ------------------------------ Date: Tue, 05 Jun 90 17:50:42 -0400 From: wayner@svax.cs.cornell.edu (Pete) Subject: The Devil Made Me Do It Thanks to the help of several people on the net, I've discovered that it is quite easy to make the Happy Mac Screen turn into anything you please. Just include a startupscreen file in the system folder. This is exactly what a clever person did. SuperPaint lets you create these automatically. I would think it was rather clever if I hadn't spent the day wringing my hands. The worst casualty of the virus epidemic may not be lost data, but our senses of humor. - -- Peter Wayner Department of Computer Science Cornell Univ. Ithaca, NY 14850 EMail:wayner@cs.cornell.edu Office: 607-255-9202 or 255-1008 Home: 116 Oak Ave, Ithaca, NY 14850 Phone: 607-277-6678 ------------------------------ Date: 05 Jun 90 21:55:00 +0000 From: chuq@Apple.COM (That's MR. Idiot to you) Subject: WARNING: Potential Trojan Horse 'STEROID' (Mac) I have just been warned by some people here at Apple that a new Trojan Horse has been discovered. The INIT 'STEROID', which supposedly speeds up QuickDraw on a 9" monitor, has a time bomb in it that will cause it to erase any mounted volumes when it is booted after June 6, 1990 (that's Wednesday). The program has been disassembled here at Apple and the actions have been confirmed. IF YOU HAVE STEROID ON YOUR SYSTEM, DISABLE IT IMMEDIATELY. The details: Type INIT, Creator qdac, Code size 1080, data size 267, File Name " Steroid", name "Quickdraw Accelerator" More data when I have it. chuq Chuq Von Rospach <+> chuq@apple.com <+> [This is myself speaking] It isn't easy being green. -- Kermit ------------------------------ Date: Wed, 06 Jun 90 07:45:00 -0400 From: WHMurray@DOCKMASTER.NCSC.MIL Subject: Gutowski Comments on Unix v. MVS et. al. >Again, it is just a matter of choice. Unix was intended to be a programmer's >system; as such it does a great job. With all systems, there is a tradeoff >between functionality and security, the trick is to find the right >balance. True. But it also makes the point of what happens when systems outgrow, or simply outlast, their intended application and environment. The Unix problem is complicated by the fact that it carries with it styles of use and management that were appropriate for stand-alone support of small homogenous user populations, but which are disastrous when employed in networked systems with large heterogenuous populations. (I will spare you a re-cap of "The Cuckoo's Egg.") William Hugh Murray, Executive Consultant, Information System Security 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL ------------------------------ Date: Wed, 06 Jun 90 08:04:00 -0400 From: "Gregory E. Gilbert" Subject: F*** Clone of nVir B (Mac) Can someone tell me about what date the "Fuck" clone appeared? Thanks. Greg. Postal address: Gregory E. Gilbert Computer Services Division University of South Carolina Columbia, South Carolina USA 29208 (803) 777-6015 ------------------------------ Date: Wed, 06 Jun 90 15:33:22 +0500 From: AHMET KOLTUKSUZ Subject: Info wanted - European Computing Services Assoc. Hello Folks; Does anyone know anything about the EUROPEAN COMPUTING SERVICES ASSOCIATION .. like its address or anyone there whom I could possibly get in contact with ? or anything.. All helps will be appreciated deeply.. Thank you I hear that those folks are interested in computer laws against computer abuse or something... Please acknowledge to: ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 108] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253