VIRUS-L Digest   Friday, 8 Jun 1990    Volume 3 : Issue 110

Today's Topics:

Stone virus & Scan 3.1v59 (PC)
Re: removing Stoned from harddisks (PC)
Zipped packages, lzexe, and viruses
Possible virus or trojan (Mac)? Help!!!
Mainframe Viruses (Gutowski)
Creation of New Viruses to Sell Product
VIREX upgrade (Mac)
Re: VIRUS-L Digest V3 #109
New virus (PC)
Wanted - MDEF configuration for SAM (Mac)
Brain (PC)
Steroid trojan query (Mac)
First jailed UK computer hacker
1451COM / 1411EXE ? new virus (PC) ?
Samsung S800 diagnostics

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    Wed, 06 Jun 90 22:08:00 -0400
From:    LINDYK@Vax2.Concordia.CA
Subject: Stone virus & Scan 3.1v59 (PC)

Hello,

Two queries:

1. Could someone inform me of the symptoms of the STONE virus?

2. I intend to install McAfee's SCAN 3.1v59 on my computer. Will this do a good job of detecting possible virus infection or is there a more recent update of the program?

Any comments are welcome. You can answer me personally or through the list if you feel that the information can benefit other people.

Thanks in advance.

Bogdan KARASEK
lindyk@vax2.concordia.ca

------------------------------

Date:    07 Jun 90 07:16:23 +0000
From:    plains!person@uunet.UU.NET (Brett G. Person)
Subject: Re: removing Stoned from harddisks (PC)

I had a friend call me who told me that Stoned actually damaged the media on the hard drive. He said they lost a full ten Meg. He took the drive through a low-level + dos format, and only wound up with 20Meg on a 30 meg disk.

Now, I know that a piece of software isn't supposed to physically destroy media, but he said that the tech from the disk company claimed that Stoned actually does destroy the media permanently. I don't pretend to know everything about the pc, so I told him I'd ask here. My bet is that the drive was either mis-labeled as a 30 meg, or somehow partitioned wrong.

- --
Brett G. Person
North Dakota State University
uunet!plains!person | person@plains.bitnet | person@plains.nodak.edu

------------------------------

Date:    Thu, 07 Jun 90 10:33:47 +0000
From:    ts@uwasa.fi (Timo Salmi LASK)
Subject: Zipped packages, lzexe, and viruses

Thu 7-Jun-90: Lzexed files pose a problem for the present virus scanners. While waiting to see the announced scanv63 to appear with abilities to scan lzexe-compressed files, I wrote a batch to handle scanning .zip packages. This batch checks both ordinary and lzexed files within a .zip package. The following shareware and PD programs are needed: pkunzip.exe, scan.exe, islzexe.exe, unlzexe.exe. The packages containing these programs can be found from good BBSes and eg from chyde.uwasa.fi by anonymous ftp.

The new batch scanzip.bat is included in the updated /pc/ts/tsbat20.arc batch file collection. Available by anonymous ftp from chyde.uwasa.fi, Vaasa, Finland, in the usual manner.

...................................................................
Prof. Timo Salmi        (Moderating at anon. ftp site 128.214.12.3)
School of Business Studies, University of Vaasa, SF-65101, Finland
Internet: ts@chyde.uwasa.fi  Funet: gado::salmi  Bitnet: salmi@finfun

------------------------------

Date:    06 Jun 90 19:22:42 +0000
From:    mitchell@crcc.uh.edu
Subject: Possible virus or trojan (Mac)? Help!!!

I've got a strange Mac problem and need help. Monday night, one of my colleagues allowed a friend in to the office to steal Mac software (using his old Mac disks, of course). After the appropriate cussing-out and running-off, the machine in question (Mac SE, 20Mb hard disk, System 6.0.3) started acting funny.

Symptoms:

a. We can't find any virii on it with Disinfectant 1.6 or 1.8
b. Suddenly icons can't find their applications
c. Applications are increasingly unable to open data files or find them
d. The parameters of applications like Versaterm are unaccountably changing themselves, i.e. the baud rate changes itself or the Kermit parameters change for no known reason
e. The options of the System and Desktop are unaccountably changing themselves, i.e. the sound bar is turned up without anyone having done it.
f. There are more system bombs, and other disk and ram error messages than I've ever seen before in two years of working with Macs.

We're to the point now of chucking months worth of data and reformatting the hard disk and starting over.

Any suggestions? Any help? Anybody seen anything like this before?

Mike Mitchell
Institute of Molecular Design
Department of Chemistry
University of Houston
(713)-749-4229
mitchell@uhrcc2.crcc.uh.edu

------------------------------

Date:    Wed, 06 Jun 90 16:20:00 -0400
From:    WHMurray@DOCKMASTER.NCSC.MIL
Subject: Mainframe Viruses (Gutowski)

>I disagree with your premise about Unix vs. VM or MVS security, though.
>MVS has been in development far longer than Unix has been alive (even
>back beyond the days of MVT)....

I would not want to get into an argument about it, but the difference in age is not significant. Unix is much older than you might guess.

>.... and there are many shops that use MVS and VM
>(IBM ain't making
>it on PS/2s alone).

Total licenses for MVS and VM are measured in the low tens of thousands.

>Thus, these operating systems have
>had much more opportunity for people to poke around in them.

I doubt that this is true in terms of years or hours. It is likely true in terms of determination and other resources. Total reported integrity flaws in MVS have likely been in the high tens. Almost none were detected or exploited by hackers. Most were detected by people with special knowledge and training after the expenditure of significant resources.

>Not to say they are invincible, mind you, but I think they're less
>susceptible than Unix.

Your confidence is poorly placed. While MVS and VM are as secure as IBM knows how to make them collectively, individual installations or instances are likely no better than instances of Unix. People who do penetration studies of MVS and VM for a living report that eighty-five percent will yield privilege to a knowledgeable attacker in hours to days. Most will yield to a determined attacker in days, and less than one percent will stand up for weeks. This has little to do with design or implementation by IBM but with use and management by their customers. Most MVS and VM installations are guilty of exactly the same kinds of problems as are reported in the "Cuckoo's Egg." The book takes its name from the attack that exploits the gnu-emacs editor that runs privileged. MVS installations are rife with very general utilities that run privileged and have poor controls.

All of this has little to do with their vulnerability to viruses. As Dave Chess of IBM Research has tried to explain on this list several times, viruses exploit the privileges of users rather than flaws in the environment. Operating system integrity and access controls will only slow them. If users have the privilege to execute an arbitrary program of their own choice, can create or modify a procedure, and share data with a sufficiently large population of peers, then that is all that is required for the success of a virus. The trick to the success of a virus is not in its code, but in how you get it executed!

William Hugh Murray, Executive Consultant, Information System Security
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

Date:    Wed, 06 Jun 90 16:22:00 -0400
From:    WHMurray@DOCKMASTER.NCSC.MIL
Subject: Creation of New Viruses to Sell Product

>This leaves a greater potential for companies to profit from the
>creation of new viruses.

New viruses do not sell product. Old viruses sell product. There are not enough copies of a new virus to be noticed.

William Hugh Murray, Executive Consultant, Information System Security
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

Date:    Thu, 07 Jun 90 13:56:00 -0400
From:    "Melissa Jehnings"
Subject: VIREX upgrade (Mac)

Has anyone heard when the new upgrade of VIREX was shipped? I work at an academic computing center which is registered with the VIREX upgrade program and as of 07-June-1990, we have not yet received the newest version, which checks for MDEF. Any help would be greatly appreciated.

Melissa Jehnings
Wheaton College
Norton, MA 02766
BITNET: JEHNINGS@WHEATNMA

------------------------------

Date:    Thu, 07 Jun 90 15:04:39 -0400
From:    Valdis Kletnieks
Subject: Re: VIRUS-L Digest V3 #109

>GLWARNER@SAMFORD.BITNET (The.Gar) writes:
>
> It seems to me that this is also a new way to compromise the
>security of IBM equipment. A better, more secure method of dealing
>with the problem (ie. not a "trick") should be found and implemented.

I will overlook the fact that in order to reverse the speaker wires etc, it looks to me that you have to physically open the case. At this point, what's to stop the person from whatever he feels like? "Security" doesn't mean much when the guy has already opened the box up and is able to physically abuse the silicon. You got a hard disk? He can REPLACE it with a (almost identical, but infected) copy. You got a hardware security module? That can be ripped out. And so on...

What is making the guy wait 20 mins buying you security-wise? Do you have a security guard who walks by every 15 minutes? If so, you're probably a site that has heavy duty security - why is an unknown person walking around unescorted? And if there's NOT a security guard walking by every 15 minutes, then most likely if the guy has enough time to rip it open, he won't be bothered during a further 20 minute wait.

Valdis Kletnieks
Computer Systems Engineer
Virginia Tech

------------------------------

Date:    Mon, 04 Jun 90 23:20:23 +0300
From:    Yuval Tal
Subject: New virus (PC)

I've just received a copy of a virus called "Armagedon the GREEK". Has anyone ever seen this virus? SCAN 62 did not identify this virus so I consider this as a new virus. I've checked it a bit and from what I found out, at a certain time, the virus sends a special command to your ports which a Hayes compatible modem can understand!

Greek fellows: What does the phone number 081-141 mean?

I'll make a larger report after I finish disassembling this virus!

- -Yuval Tal

+--------------------------------------------------------------------------+
| BitNet: NYYUVAL@WEIZMANN   Domain: NYYUVAL@WEIZMANN.WEIZMANN.AC.IL       |
| InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU                        |
+----------------------+---------------------------------------------------+
| Yuval Tal            | Voice: +972-8-474592 (In Israel: 08-474592)       |
| P.O Box 1462         | BBS: +972-8-471026 * 20:00-7:00 * 1200 * N81      |
| Rehovot, Israel      | FidoNet: 2:403/143                                |
+----------------------+---------------------------------------------------+
| "Always look on the bright side of life" *whistle* - Monty Python        |
+--------------------------------------------------------------------------+

------------------------------

Date:    Thu, 07 Jun 90 18:03:00 -0400
From:    Software Release Engineering - LOTUS
Subject: Wanted - MDEF configuration for SAM (Mac)

!-> I survived Southeastern Mass Uuu., 7-JUN-1990

Does anyone have a copy of the proper way to configure SAM 2.0 to protect against MDEF/Garfield? I can't remember if Paul Cozza already sent it out and I missed it or if he just hasn't sent it out.

I am also interested in finding out if there are any Rival users out there who might already know how effective this init/cdev is against MDEF and Steroid.

thanks much

!-> - Alex Zavatone - Software Release Engineer PCSD Mac - Lotus
s10891hk@semassu - bitnet
alex@Smuhep - hepnet

------------------------------

Date:    Thu, 07 Jun 90 16:37:04 -0700
From:    em_pea@cc.sfu.ca
Subject: Brain (PC)

How does one outsmart the Pakistani Brain virus? I have found it on several of my disks, some of which I don't have working backups for. Stupid I know, but there it is.

Michael Peer
usereawm.sfu

------------------------------

Date:    Thu, 07 Jun 90 23:31:25 -0400
From:    Tom Young
Subject: Steroid trojan query (Mac)

Can anyone supply us all with info as to just where this Steroid trojan has been found, what the presumed route of communication has been, etc.?

Trojans, by their very nature, don't tend to spread as far as viruses. Unless, perhaps, posted to a number of bulletin boards. Or shrink-wrapped. (Hmm. I've certainly run across shrink-wrapped software that makes me feel like I'm up against a trojan horse. Operating systems, as well as application packages.)

Where a trojan has appeared, and in how many different places, will determine the nature of an organization's response. I don't like to push the panic button except when justified.

Thanks much.

Tom Young
Cornell Information Technologies
Workstation Systems Services

------------------------------

Date:    Fri, 08 Jun 90 09:10:12 +0100
From:    Anthony Appleyard
Subject: First jailed UK computer hacker

From a UK newspaper called 'The Daily Telegraph', Friday 8 June 1990:-

['Mad Hacker' jailed for computer war]

A computer operator who called himself "The Mad Hacker" became the first in Britain to be jailed for the offence yesterday. Nicholas Whiteley, 21, of Enfield, north London, was sentenced to 4 months with a further 8 months suspended for criminally damaging computer disks and wreaking havoc on university systems.

Whiteley, who, it was said, was driven by a desire to become Britain's top hacker, wept in the dock and held his hands to his face as he walked to the cells to begin his sentence. Judge Geoffrey Rivlin, QC, described him as "very malicious and arrogant", and told him: "Anyone minded to behave in this way must be deterred from doing so."

Whiteley declared war on computer experts, using a computer in his bedroom to swamp university computers with masses of useless material including threats and boasts about his brilliance. One said: "Don't mess with me because I am extremely nutty."

He was found guilty last month of 4 charges of causing damage to magnetic disks in mainframe computers at the universities of London, Bath, and Hull. The judge said some of the computers stored important and confidential data relating to medical and scientific research.

......................................................................
{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Fri, 08 Jun 90 08:58:20 BST

------------------------------

Date:    Fri, 08 Jun 90 10:11:00 +0700
From:    "Tom Erjavec" x
Subject: 1451COM / 1411EXE ? new virus (PC) ?

Here is some (of the rare) news from Yugoslavia:

We have had some 'classical' PC viruses for two years now: 1701, 1704, Brain, Bouncing Ball, Jerusalem (1813COM/1808EXE), Yankee Doodle like (2885COM/2880EXE), Yankee Doodle (2772COM/2772EXE) and Disk Killer. Now it seems we have another uninvited guest.

In early June I was given a sample of a virus, found in a small SW engineering company. They detected no strange behaviour but prolongation of COM and EXE files. I disassembled it and I'm posting a brief report:

VirusName       : ?, (1451COM/1411EXE)
Type            : indirect executable code infector
Infects         : COM and EXE files
VirusBodyLength : 1451 bytes (COM), 1411 bytes (EXE)
Expanding victim: YES, to paragraph boundary, both COM and EXE
Location in RAM : before end of memory
Steals interrupt: 21h
Intercepts func.: 40h (write to file), 4Bh (load & execute)
Attacks         : Sept., Oct., Nov., Dec., each year
Action          : When executing int 21h, func. 40h (write to file) intercepts the call. If triggered the action code increments register DX by 0Ah, changing the address of buffer to be written to disk.
Consequences    : wrong data (or garbage) written to disk

Program package RETROVIR (c) Proteus detects and removes the 1451COM/1411EXE from disk, along with all the other viruses mentioned above.

I will be glad to receive reports on this virus from elsewhere. Does anyone know its origin?

Tom.

------------------------------

Date:    08 Jun 90 09:38:39 +0000
From:    Elizabeth A Sandland
Subject: Samsung S800 diagnostics

Has anyone out there any experience of running the diagnostics disk supplied with the Samsung S800 (AT compatible)? Specifically, any problems when you BOOT from this disk on a system with a hard disk? (Please do not 'try it out' now to see what happens.)

Is there anyone out there who could examine the boot sector of said disk and let me know if it looks OK? I would like to pinpoint the source of a problem which occurred recently, when a machine crashed unexpectedly.

THERE IS ABSOLUTELY NO IMPLICATION OF ANY SORT IN THE ABOVE QUESTIONS!!

Thanks,
Liz

- -------------------------------------------------------------------------------
Liz Sandland                                  eas@doc.ic.ac.uk
Hardware Support Group
Department of Computing
Imperial College                              Tel: 071-589 5111 x5048
London SW7 2BZ                                Fax: 071-581 8024
- -------------------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 110]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
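Two of the posts above come down to the same defender's question, which executables in a package still need looking at: Timo Salmi's scanzip.bat exists because a signature scanner sees only the packed bytes of an lzexe'd file, and Tom Erjavec's 1451COM/1411EXE report says the only visible symptom was growth of COM and EXE files. The following Python inventory is an added example written for this edit; it is not code from the digest, from scanzip.bat, or from RETROVIR. It opens a .zip package, flags EXE members carrying an LZEXE marker (the check for "LZ09"/"LZ91" at MZ-header byte 0x1C is taken from what unlzexe looks for, an assumption not stated in the digest), and compares each COM/EXE against a recorded size/hash baseline, testing growth against a reading of the report in which the victim is padded to a 16-byte paragraph and then the 1451- or 1411-byte body is appended (an interpretation of "Expanding victim: YES, to paragraph boundary"). The sample zip, baseline and hashes are constructed inline.

```python
import hashlib
import io
import zipfile

# Offset of the LZEXE marker in the MZ header (word 0x0E, byte 0x1C).
# Assumption: this is what unlzexe checks; the digest itself does not say.
LZEXE_SIG_OFFSET = 0x1C
LZEXE_SIGS = (b"LZ09", b"LZ91")

# Body lengths given in the 1451COM/1411EXE report, per victim type.
VIRUS_BODY = {"COM": 1451, "EXE": 1411}


def is_lzexe(data: bytes) -> bool:
    """True if an MZ executable carries an LZEXE 0.90/0.91 marker."""
    return data[:2] == b"MZ" and data[LZEXE_SIG_OFFSET:LZEXE_SIG_OFFSET + 4] in LZEXE_SIGS


def expected_infected_size(old_size: int, ext: str) -> int:
    """Size a clean victim of old_size bytes would have after infection.

    Interpretation of the report: pad the victim up to a 16-byte paragraph
    boundary, then append the virus body for that file type.
    """
    padded = (old_size + 15) // 16 * 16
    return padded + VIRUS_BODY[ext]


def inventory(zip_bytes: bytes, baseline: dict) -> list:
    """Walk the COM/EXE members of a .zip and return (name, verdict) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.upper()
            ext = name.rsplit(".", 1)[-1]
            if ext not in VIRUS_BODY:
                continue  # only executables matter here, as in scanzip.bat
            data = zf.read(info)
            if is_lzexe(data):
                # A signature scanner must run on the unpacked file; the
                # packed bytes hide whatever the original carried.
                findings.append((name, "lzexe-packed: unpack before scanning"))
            base = baseline.get(name)
            if base is None:
                findings.append((name, "not in baseline: scan and record"))
            elif base["sha256"] == hashlib.sha256(data).hexdigest():
                findings.append((name, "matches baseline"))
            elif len(data) == expected_infected_size(base["size"], ext):
                findings.append((name, "grew by the 1451COM/1411EXE pattern: suspect infection"))
            else:
                findings.append((name, "changed vs baseline: investigate"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed test package: a clean COM, an LZEXE-marked EXE stub, a COM
    that has grown exactly as the report describes, and a text file."""
    clean_com = b"\x90" * 1000                      # 1000 NOPs; hash is in the baseline
    packed_exe = bytearray(b"MZ" + b"\x00" * 62)    # 64-byte MZ header stub
    packed_exe[LZEXE_SIG_OFFSET:LZEXE_SIG_OFFSET + 4] = b"LZ91"
    grown_com = b"\xcd\x20" + b"\x00" * (3611 - 2)  # 2149 -> 2160 + 1451 = 3611 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("HELLO.COM", clean_com)
        zf.writestr("TOOL.EXE", bytes(packed_exe))
        zf.writestr("EDIT.COM", grown_com)
        zf.writestr("README.TXT", b"not an executable\n")
    return buf.getvalue()


# Constructed baseline; the EDIT.COM hash is a placeholder for the clean original.
SAMPLE_BASELINE = {
    "HELLO.COM": {"size": 1000, "sha256": hashlib.sha256(b"\x90" * 1000).hexdigest()},
    "EDIT.COM": {"size": 2149, "sha256": "0" * 64},
}


def run_demo() -> list:
    """Inventory the constructed package against the constructed baseline."""
    return inventory(build_sample_zip(), SAMPLE_BASELINE)


if __name__ == "__main__":
    for name, verdict in run_demo():
        print(f"{name:12} {verdict}")
```

The size test is deliberately exact rather than "file got bigger": a packer, a relink or a legitimate update also changes size, and only a length that matches the infector's padding-plus-body arithmetic is worth the stronger verdict. Anything else that fails the hash check is still reported, just as a change to investigate.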