VIRUS-L Digest   Wednesday, 17 Jan 1990    Volume 3 : Issue 13

Today's Topics:

Re: Shrink wrap...still safe?
XENO virus infection---help!!(Amiga)
Another WDEF infection (Mac)
WDEF at Arizona State University (Mac)
Vienna Virus (PC)
Re: Shrink Wrap...still safe?
Re: Biological references requested
Re: Morris stands trial (Internet)
Bulgarian viruses (PC)
Re: virus scanning

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.

- Ken van Wyk

---------------------------------------------------------------------------

Date: Tue, 16 Jan 90 15:04:31 -0500
From: dmg@retina.mitre.org (David Gursky)
Subject: Re: Shrink wrap...still safe?

Several people in Virus-L V3 #12 suggested that were vendors to distribute applications on write-locked media, the potential for vandalism by buying an application, infecting it, and returning it, would be reduced. While that statement is broad enough to be true, I would suggest that the suggestion is far too easy for a vandal (and not even a very determined one at that) to get around, where 3.5" media is concerned.

With 3.5" disks, a small hole can be covered by a moving tab, to indicate to the disk drive whether the disk is locked or not. Open is locked, closed is writable. If vendors disseminate applications on write-locked 3.5" media, all a vandal needs to do is cover the hole with a small piece of electrical tape.

5.25" media is more difficult to pull this stunt with.
The presence of a small notch in the side of the flexible case means the disk is writable. In order for a vandal to infect an application shipped on 5.25" media, the vandal would have to physically mar the case, which is a surer sign of tampering.

------------------------------

Date: 16 Jan 90 23:44:00 +0700
From: "Okay, S J"
Subject: XENO virus infection---help!!(Amiga)

Arrrrggghhhh...After years of vigilance and checking everything I put in the machines I use, I've finally been hit and hit bad. My A2000 has contracted a bad case of XENO in just about all the directories on my HD, so I am seriously considering a low-level format of my HD (fortunately I have been wise enough to do continual backups and offloading). So, questions for those Amiga users out there who have had Xeno, or for those who know more technical details about it:

1. How did you deal with it??? I've been running KV on all of the infected files, but it appears that KV only disables, and doesn't remove, the XENO virus. If this is true, how dangerous is an immobilized XENO, compared to a live one??? This is the main reason I am considering calling in an airstrike to blast my filesystem, since I'm assuming it could come back again in the same files if I ever catch a live copy again....

2. What exactly are the general symptoms? All I know is that I found it in my CRONTAB file (which makes it a pretty stupid virus in my book...I basically have a disassembly of the little bugger tacked onto my CRONTAB entries), and somehow it got into my Cron daemon and it spread from there....

3. Any other helpful hints/comments/ideas you might have to offer....

Comments: I know who I got it from and he checked his system and it was crawling all over there too, so the source has been isolated. The way I found it was through my Startup-Sequence failing numerous times because "echo", "date" and "read" had had their filetypes changed from executables to scripts and had to be replaced.
I'd also been getting an inordinate amount of Guru meditation #'s, specifically #000000003 (CPU trap). It wouldn't have spread so fast, I don't think, if it hadn't gotten into Cron, which I make heavy use of....

It's easy for this one to sneak by, because until now, we Amigoids haven't had to worry about anything except for boot-infectors. Hence, there was nothing readily available to detect file-infectors until recently. If what I've seen is any indication, I'd say it's a pretty stupid virus in terms of propagation...like I said, I found it in my CronTab as well as a few other script and non-executable files....

I figure if I don't hear back in a few days with contrary recommendations, I'll just have my system "duck and cover" and drop a 20 megaton low-level format bomb on the whole thing and be done with it.

- ----Steve
- -------------------
Stephen Okay                       OKAY@TAFS.MITRE.ORG
Technical Aide, The MITRE Corporation

------------------------------

Date: Tue, 16 Jan 90 22:05:00 -0500
From: "Scott P Leslie"
Subject: Another WDEF infection (Mac)

Hello,

The University of North Carolina at Chapel Hill has seen WDEF. We now have Disinfectant 1.5 and GateKeeper Aid 1.??.

- -spl

------------------------------

Date: Tue, 16 Jan 90 21:31:51 -0700
From: Ben Goren
Subject: WDEF at Arizona State University (Mac)

For those of you trying to track WDEF (although I'm sure it's spread everywhere by now), I just yesterday discovered WDEF A on an SE/30 in the School of Music at Arizona State University. I successfully removed it with VirusDetective (after remembering that you can't do this from the Finder) and immediately prepared a disk with clean copies of the latest versions (as of 1/15/90) of GateKeeper, GateKeeper Aid, VirusDetective, and Disinfectant (FTP'd from Info-Mac at Stanford), along with a TeachText file describing each briefly and urging the usual "lock disks, backup files, and don't pirate software" philosophy.
I am sure that the student use sites are infected, although I haven't had a chance to check them personally--I haven't heard or seen anything on campus about it, so I plan to call the various system administrators to make sure they know about it.

My thanks and compliments to the three authors. All four programs are comprehensive, fill their function thoroughly, and are easy to use.

All opinions, etc., are my own.

........................................................................
Ben Goren                                T T T
Trumpet Performance Major        )------+-+-+--====*0
Arizona State University         (   --|-| |---)
Bitnet: AUBXG@ASUACAD                --+-+-+--
........................................................................

------------------------------

Date: 17 Jan 90 06:16:56 +0000
From: slezakm@nyssa.cs.orst.edu (Mark R. Slezak)
Subject: Vienna Virus (PC)

Just so others know about it; the Oregon State University Kerr Library Microcomputer Lab got hit with the Vienna virus. Once I figured out what it was, it was easy enough to get rid of (using M-Vienna...). Just thought those who track the viruses might like to know...

+-----------------------------------------------------------------------------+
Mark R. Slezak          {tektronix,hp-pcd}!orstcs!nyssa.CS.ORST.EDU!slezakm

------------------------------

Date: 16 Jan 90 15:42:54 +0000
From: bnr-vpa!bnr-fos!bmers58!mlord@watmath.waterloo.edu (Mark Lord)
Subject: Re: Shrink Wrap...still safe?

fac2@dayton.saic.com (Earle Ake) writes:
> If you have a virus on your system that reproduced your master
> diskette, that virus could infect the copy. If the store that
> re-sells your software takes off the shrink-wrap, tests the program
> and re-shrink-wraps it, there is a chance of a virus infecting it
> there. If someone buys a package, takes it home and discovers it will
> not work on his system and returns the software, the store
> re-shrink-wraps it and sells it for new. Yet another way to infect a
> disk even though it was sold 'shrink-wrapped'.
> Do we have to put all
> software in tamper-resistant packaging like Tylenol? If a store tries
> a package out so they can be able to tell customers how good it is,
> can they sell that diskette as new software still? Do we have to
> demand a no-returns policy on software? Hey, the customer might have
> a shrink-wrap machine available to them and would be able to
> shrink-wrap and return as new. Where do we draw the line?

Hmm.. the simple solution to most of these problems is to distribute software on diskettes without write-enable slots (ie. built-in write protection tabs). There is simply NO way, short of modifying hardware, for such diskettes to become virus infected on the customer's premises.

I'm actually quite surprised that 99% of the software I purchase comes *without* write protection tabs installed on the diskettes (5.25" floppies). I really have to force myself to install that critical tab *before* inserting the disk in *any* drive. This guarantees that I don't infect the masters.

This whole deal with shrink-wrap and Tylenol-packaging for software is really a big scam in a lot of ways (IMHO). I mean, think about this.. the customer is expected to plop out (here in Canada, at least) between $60 and $200 for the most trivial of store-bought software, WITHOUT any guarantee of system compatibility (most people DO NOT have IBM/COMPAQ/TANDY machines.. face it!). In addition, if the program does not work, or demonstrates bugs, TOUGH NUGGIES.. no source code to fix and no replacements available. Would you buy anything else *new* under such outrageous conditions??? [other than software, of course]

Where is Ralph Nader when we need him? Ooops. Wrong country.

'cuse me while I take a long dandelion break...

- --
+----------------------------------------+----------------------------+
| Mark S. Lord                           | Hey, It's only MY opinion. |
| ..!utgpu!bnr-vpa!bnr-fos!mlord%bmers58 | Feel free to have your own.|
+----------------------------------------+----------------------------+

------------------------------

Date: Wed, 17 Jan 90 10:29:36 +0700
From: A6014JN@HASARA11.BITNET
Subject: Re: Biological references requested

A good reference about viruses in general as well as the analogy between them and their biological cousins is:

J.C. Van Winkel, "The phenomenon computerviruses reviewed", 1989, NGI, Amsterdam. ISBN: 90-70621-29-0.

Since there is an ISBN, I think you can order it in any bookstore. You can also order direct from: NGI, 184 Van Diemenstraat, NL-1013 CP Amsterdam, The Netherlands. It costs about $15.00.

------------------------------

Date: 17 Jan 90 13:36:11 +0000
From: Irving Chidsey
Subject: Re: Morris stands trial (Internet)

damon@umbc2.umbc.edu (Damon Kelley; (RJE)) writes:

------------------------------

Date: 17 Jan 90 15:05:00 +0700
From: T762102@DM0LRZ01.BITNET
Subject: Bulgarian viruses (PC)

Hello, everybody!

I am a computer virus expert from the Eastern bloc. My name is Vesselin Vladimirov Bontchev and I live in Bulgaria. I have some problems with the English language, so *please* excuse my mistakes. Currently I am in Munich privately for two months, and for the first time in my life I have access to an e-mail system. It is really wonderful!

The computer virus situation in our country is completely different. We do not have too many kinds of viruses -- about 10-12 for IBM PC/XT/AT and compatibles only -- but they are *very* widely spread. One can find them just everywhere -- not only in high schools and computer clubs. The main reason is that literally no one takes particular care to prevent infection and to exterminate the viruses. Another main reason is that the level of software piracy in our country is very high -- there is no copyright law there.
I wrote some antivirus programs which I am distributing freely and they are widely used -- but of course, one cannot defeat the virus threat alone.

If someone is interested, I am able to supply detailed information about the viruses "made in Bulgaria":

- Dark Avenger
- VACSINA
- Yankee Doodle

(In fact, the last two are different versions of a single virus -- and I know very well the person who created them.) As far as I know, these viruses have already spread in the Western countries.

There are also other "Bulgarian" viruses:

- V651
- V512
- V2000

I can also supply information about them. If they have already spread outside Bulgaria, please let me know.

The other viruses which are spread in our country are:

- VHP-648 (Vienna)
- Bouncing Ball (Italian, Turin)
- V1813 (Israeli, Jerusalem, Friday 13th)
- V1701/V1704 (Cascade, Autumn, Falling letters)

but they are too well known, so I do not think that someone will need information about them.

Sincerely,
Vesselin

------------------------------

Date: 17 Jan 90 15:07:00 +0700
From: T762102@DM0LRZ01.BITNET
Subject: Re: virus scanning

> I am told that in the November '89 issue of the American Mathematical
> Monthly, to the effect that no completely safe computer virus test is
> possible. The proof is supposed to be short, and along the lines of
> the various proofs of the Halting problem.

Yes, the problem whether a program is a virus or not is in general undecidable. The (informal) proof follows:

Let's define a virus as a program which can infect other programs. (For a more complete definition, see [1].) Let A(P) be an algorithm which, applied to the program P, returns a boolean value (true when P is a virus and false if it isn't). Now we can construct the program P1 in the following way:

    program P1;
    begin
      if A(P1) then
        (* do nothing *)
      else
        infect_other_programs;
    end.

In other words, if A reports that P1 is a virus, then P1 does not infect programs, i.e. is not a virus.
Otherwise (if A reports that P1 is not a virus), P1 infects programs, i.e. it is a virus. Therefore, A cannot decide whether P1 is a virus or not. Q.E.D.

Vesselin

[1] Cohen F., "Computer Viruses. Theory and Experiments", COMPUTER SECURITY: A Global Challenge, J.H. Finch and E.G. Dougall (eds.), Elsevier Science Publishers B.V. (North-Holland), 1984.

------------------------------

End of VIRUS-L Digest
*********************
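Bontchev's diagonal argument in the "Re: virus scanning" message above, run as code. This is an added example; it is not part of the digest and not anything Bontchev posted or published. A "program" is a Python function acting on a dict that stands in for a disk, a "detector" A is any function from program to bool, and P1 is built from A exactly as in the pseudocode: ask A about P1, then do the opposite. The toy file system, the infection marker, and every function name (`make_p1`, `detector_is_wrong_on_p1`, `source_scanner`, and so on) are this example's own. It goes a little beyond the proof by also showing that the same scanner is right about ordinary programs: the construction beats every detector, but only on the program built against that detector.

```python
"""Executable version of the P1 diagonal construction (added example).

Nothing here is from the digest: the 'disk', the marker and all names
are constructed for illustration.
"""
from typing import Callable, Dict

FileSystem = Dict[str, str]
Program = Callable[[FileSystem], None]
Detector = Callable[[Program], bool]

INFECTION_MARKER = "<<infected>>"


def clean_file_system() -> FileSystem:
    """Constructed sample disk: two uninfected host programs."""
    return {"echo": "echo-binary", "date": "date-binary"}


def infect_other_programs(fs: FileSystem) -> None:
    """The 'infect' primitive from the proof: tag every host on the disk."""
    for name in fs:
        if not fs[name].endswith(INFECTION_MARKER):
            fs[name] += INFECTION_MARKER


def behaves_as_virus(program: Program) -> bool:
    """Ground truth by observation: run the program on a clean disk and
    report whether any host file was modified."""
    fs = clean_file_system()
    program(fs)
    return any(v.endswith(INFECTION_MARKER) for v in fs.values())


def make_p1(a: Detector) -> Program:
    """Build P1 for a given detector A, mirroring the pseudocode:
    if A(P1) then do nothing else infect_other_programs."""
    def p1(fs: FileSystem) -> None:
        if a(p1):
            pass                        # A says "virus": P1 stays harmless
        else:
            infect_other_programs(fs)   # A says "clean": P1 infects
    return p1


def detector_is_wrong_on_p1(a: Detector) -> bool:
    """True when A's verdict on its own P1 contradicts P1's behaviour."""
    p1 = make_p1(a)
    return a(p1) != behaves_as_virus(p1)


# --- Three candidate detectors. None survives the diagonal. ---

def always_virus(program: Program) -> bool:
    return True


def never_virus(program: Program) -> bool:
    return False


def source_scanner(program: Program) -> bool:
    """A 'signature' scanner: flags any program whose bytecode references
    the infect primitive. It flags P1, so P1 does nothing, so it is wrong."""
    return "infect_other_programs" in program.__code__.co_names


# --- Ordinary programs, on which the scanner is perfectly accurate. ---

def plain_virus(fs: FileSystem) -> None:
    infect_other_programs(fs)


def plain_benign(fs: FileSystem) -> None:
    pass


if __name__ == "__main__":
    for det in (always_virus, never_virus, source_scanner):
        print(f"{det.__name__:15s} wrong on its own P1: "
              f"{detector_is_wrong_on_p1(det)}")
    print("scanner on plain_virus :", source_scanner(plain_virus))
    print("scanner on plain_benign:", source_scanner(plain_benign))
```

The three detectors here decide without executing the program, which is why the script terminates. A detector that answered by running the program to watch what it does would, on P1, call P1, which calls the detector, which runs P1 again, and so on without end; that non-termination is the Halting-problem flavour the quoted question alludes to. The practical reading is the one Bontchev gives: a scanner can be exactly right on every program it has seen, and still be wrong on the one written against it.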