VIRUS-L Digest Monday, 9 Apr 1990 Volume 3 : Issue 72 Today's Topics: Viruses in Data Files FTP from SIMTEL20 to VM/CMS (Internet) Viruses in Data ChessMaster 2100 & WDEF A (Mac) Re: Virus in Text Files Re: Virus in Text Files Re: =VIR? (Mac) Re: Virus in Text Files Re: Death of a Virus April 1 virus ??? (Unix) New files on MIBSRV Re: Virus in Text Files Virus? (Mac) AIDS Virus Suspect Re: Validating Virus Software Re: Universal Virus Detector VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Fri, 06 Apr 90 09:46:00 -0400 From: WHMurray@DOCKMASTER.NCSC.MIL Subject: Viruses in Data Files >There is NO evidence that anything other than an .exe, .com, .ovl, or >.sys file can infect. There has been talk about .pgm files (for >dBase) and lotus spreadsheets being carriers but I have no evidence of >any known. "Not so, Mr. Schuyler!" That is a very large NO, and I do not wish to get into a shouting match with my learned colleague. Neither do I wish for the rest of you to be mislead. First, I think that my colleague speaks in the very narrow sense of MS-DOS. While this is the important territory for the moment, it is not all there is. Ken Thompson, in his Turing Award acceptance, describes a very credible scenario of a virus in source code. He makes the relevant point. "One man's data is another man's program." There is very credible evidence that a 1-2-3 .wks file, which looks for all the world like a data file, can contain a macro which will create a copy of itself in all .wks files such that use of those will cause further copies. That sounds like a virus to me. It is not clear that such a .wks file could achieve the feat of infecting .exe or .com files. And it is clear that it can only execute in a 1-2-3 environment. It cannot operate in a DOS, UNIX, or primitive hardware environment. But that was a BIG no, we do not wish to mislead, One man's data is another's program, and not everyone operates in a DOS only environment. My point is that anyone can tell a lie a in any language. Whenever you accept ANY data from another, you run some risk of being duped. While it is true that the virus writer must solve the problem of getting his program in control, and that that problem is more easily solved in some environments than in others, do not under-estimate the ingenuity of the malicious. While the current battle is being waged on the PC battlefield, and while the war may even be won or lost here, the phenomenon should be known in the broadest and most general light. William Hugh Murray 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ------------------------------ Date: Fri, 06 Apr 90 10:19:00 -0400 From: Subject: FTP from SIMTEL20 to VM/CMS (Internet) Michael, It sounds like I've had the same problems you've had when trying to FTP Disinfectant. I can successfully FTP Disinfectant to my VM/XA SP2 CMS minidisk, but when it comes time to download it to a Mac, the file is all garbled. In spite of several months of trying, I have still never successfully obtained Disinfectant over the Internet. I believe the problem has something to do with 7 databit vs. 8 databit binary. However, I just FTP'd the following help file from SIMTEL20. Although it's not Mac-specific and I haven't tested it yet, I think the FTP command TYPE L 8 is the missing link. Hope this helps.... [Ed. SIMTEL20 is a TOPS-20 system, which is 36 (!) bit based - this confuses many systems, but most FTP implementations can handle it. On UNIX systems, issue the "tenex" command at the "ftp>" prompt to set the data type appropriately.] --------------------------------------- This file is presented for those who wish to transfer BINARY(8) files from SIMTEL20.ARPA to IBM/CMS hosts. Date: Monday, 4 July 1988 06:15-MDT From: Robert E. Zaret To: Info-IBMPC@WALKER-EMH.ARPA Re: SIMTEL20->CMS->DOS Success I recently requested help transferring files from SIMTEL20 to my micro via an IBM mainframe. After reading several replies (thanks :-) and experimenting a bit, I have succeeded. The trick is to issue the FTP command TYPE I followed by TYPE 8 before transferring a file (actually, TYPE 8, TYPE 32, and QUOTE TYPE seem to have the same effect). A few details: I am using MS-Kermit 2.30 and a modem to connect my micro to an IBM 4381 via a Series/1 protocol converter. The 4381 is running CMS. I use FTP on the 4381 to connect to SIMTEL20. The following "recipe" successfully transferred the file from FTP to my micro: 1) start up FTP on the 4381 and connect to SIMTEL20 2) issue the FTP command TYPE I 3) issue the FTP command TYPE L 8 (or TYPE L 32 or QUOTE TYPE L 8) 4) use the FTP command CWD to get to the right SIMTEL20 directory 5) use the FTP command GET to transfer the file to the 4381 6) use the FTP command QUIT to log off SIMTEL20 and shut down FTP 7) start up CMS-Kermit on the 4381 8) issue the CMS-Kermit command SET FILE-TYPE BINARY (MS-Kermit doesn't need to be "told" that the file type is binary, but other communications packages, such as ProComm, do need to be "told") 9) use the two Kermits to transfer the file from the 4381 to my micro 10) "unarc" the file if it is an ARC file (I use ARCE30F). The FTP commands TYPE L 8, TYPE L 32, and QUOTE TYPE L 32 seemed to have identical effects. The copies of the file were the same length according to both CMS and DOS, and ARCE30F was able to "unarc" all three. The FTP command TYPE L 8 was inadequate unless preceded by TYPE I The FTP command TYPE I was inadequate unless followed by TYPE L 8, TYPE L 32, or QUOTE TYPE L 8. The version of FTP I use does not recognize the TENEX command. ------------------------------ Date: Fri, 06 Apr 90 10:12:00 -0400 From: WHMurray@DOCKMASTER.NCSC.MIL Subject: Viruses in Data Fred Cohen uses the term "transitivity" to describe the potential of data to flow between compartments within a system. However, the term is also used to describe the propensity for data to become a program. That is, how likely is the data to influence the behavior of the system. Let us take for example an ATM. I can put data in it. The data that I put in influences the behavior of the system in a limited way. It would not be fair to say that it has no influence at all. On the other hand, it cannot cause any change to the program library of the ATM or of the host system. I would have great difficulty entering a virus through such a portal. I would have difficulty entering any data that could cause an unintended copy of itself, executable or otherwise, through such portal. It is possible to think of restricting the generality of a port, or even of a whole computer, such that its programs cannot be modified in any way. An arcade game is an example; a user can hardly enter data that will persist longer than the privilege afforded by one twenty-five cent token. The program may be stored in read-only storage. Yet, somehow I persist in believing that the originator of that program reserved to himself to make late modifications to the program. Does not this reserved privilege contain the potential to enter malicious changes? Cohen asserts that one way to deal with the virus problem would be to move to application-only machines. Others who have posted to this list insist that the virus problem is caused, not by the size of the population of PCs, but by the generality of its architecture and the ease with which programs can be changed. Are there useful lines, between these two extreme, that we can draw? William Hugh Murray 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ------------------------------ Date: Fri, 06 Apr 90 07:53:59 -0700 From: Brian Bechtel Subject: ChessMaster 2100 & WDEF A (Mac) The following message was posted to Apple's Applelink developer services board. I know nothing more than what is listed below. I did not originate the message. ********** ChessMaster 2100 & WDEF A At ComputerWare, we found out that the game ChessMaster 2100 (by Software Toolworks) is recognized by SAM, GateKeeper, and other anti-viral programs as containing RWDEF A.S We found that GateKeeper found RWDEF AS on a number of UNOPENED boxes of the game that we pulled off the shelf in our warehouse. At first, Software Toolworks denied that they were distributing a virus-infected product, but they are looking into the matter. Can anyone confirm or deny this? Hope to hear some feedback on this one... - -Peter Corless. ComputerWare Tech Support. (415) 496-1014. ******* end posted message ******* - --Brian Bechtel blob@apple.com "My opinion, not Apple's" ------------------------------ Date: 06 Apr 90 16:55:36 +0000 From: cdss!culliton@uunet.UU.NET (Tom Culliton) Subject: Re: Virus in Text Files RKARRAS@PENNSAS.UPENN.EDU (Dr. Ruth Mazo Karras) writes: > I have heard of a concern that text files (consisting of plain ASCII text) > may contain viruses. I had thought that only executable files such as > *.com or *.exe files were subject to viruses. Which view is right? Is there > risk in moving a text file from a mainframe to a PC? How many times has this question been answered? If you can't execute the file or run it via an interpreter it can't carry a virus. If its source code for a compiler or interpreter the danger is present that it contains malicious instructions but visual inspection can quickly settle that. Most viruses are on PC class machines and are specific to one architecture. Moving a text file from a mainframe to a PC is about as safe as you can get without typing with c*****ms on your fingers. The rest is all chicken little syndrome from people who don't know what they're talking about. (Sorry if that sounded a bit hot, I've been fighting a running battle with the chicken little types about it.) BTW, Modem viruses and setup memory viruses are also fictional for the same reason, its simply not possible to execute them. ------------------------------ Date: 06 Apr 90 19:12:21 +0000 From: djb@wjh12.harvard.edu (David J. Birnbaum) Subject: Re: Virus in Text Files It is possible for a text file to contain ansi instructions to remap your keyboard, e.g., mapping a format or a global delete command (with the appropriate response to any y/n query) to a single key. This is not a virus, but it can be considered a trojan horse. The ansi command will only take effect if the file is typed to the screen; merely having it around does no harm, nor does looking at it with other types of file viewers. Ansi commands will only work if you are running an ansi driver of some sort. Keyboard remapping only works if you have configured your ansi driver to allow it. I use PC Magazine's ansi.com version 1.3 and configure it to disallow keyboard remapping. - -David ============================================================ David J. Birnbaum djb@wjh12.harvard.edu [Internet] djb@harvunxw.bitnet [Bitnet] ============================================================ ------------------------------ Date: 04 Apr 90 03:38:26 +0000 From: trebor@biar.UUCP (Robert J Woodhead) Subject: Re: =VIR? (Mac) paul@tenset.UUCP (Paul Andrews) writes: >Whilst trying to sort out a corrupted desktop file recently I noticed a >resource of the type '=VIR' (or maybe it was 'not equals'VIR). Anybody know >what this is? I'm running gatekeeper and use disinfectant and neither seem >bothered by its presence... VIR is the application signature of Interferon. VIRx is the app sig of early versions of VIREX, VIRy is the app sig of the current VIREX, and for all I know, VIRz will be the app sig of some future version of the program. - -- Robert J Woodhead, Biar Games, Inc. !uunet!biar!trebor | trebor@biar.UUCP Announcing TEMPORAL EXPRESS. For only $999,999.95 (per page), your message will be carefully stored, then sent back in time as soon as technologically possible. TEMEX - when it absolutely, postively has to be there yesterday! ------------------------------ Date: Fri, 06 Apr 90 17:15:24 +0000 From: peter@ficc.uu.net (Peter da Silva) Subject: Re: Virus in Text Files There's one class of text files that can easily carry viruses: program source files. See my "usenet virus" article (first posted shortly before the Internet Worm incident, reposted periodically whenever assertions that text files or source code files are safe come up) for more on this subject... or just consider the Obfuscated C Contest. - -- _--_|\ `-_-' Peter da Silva. +1 713 274 5180. . / \ 'U` \_.--._/ v ------------------------------ Date: 07 Apr 90 01:21:30 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: Death of a Virus CHESS@YKTVMV.BITNET (David.M.Chess) writes: >Dave Ihnat writes: > >> elimination of the conditions that lead to viruses basically means >> redesigning the computers that are attacked to eliminate the >> simplistic hardware model that allows full access to the single user. > >Unfortunately, viruses do not depend on this hardware model; viruses >can spread in any system that allows both programming and information >sharing, regardless of whether or not programs have direct access to >the hardware, whether or not the system is assumed to be single-user, >and so on. See various papers by Fred Cohen on the subject. As long >as (roughly) some programs sometimes have write-access to some other >programs, viruses can spread. > >Dave Chess >IBM T. J. Watson Research Center Yes dave but under environments which use say the VM8086 model on the 386 (such as VPIX) file writability and/or hardware acces is TOTALLY under the control of unix... weak unix security weak dos security good unix security = good dos security in this case.... cheers kelly ------------------------------ Date: 06 Apr 90 15:44:17 +0000 From: rruxg!jpage@bellcore.bellcore.com (J Page) Subject: April 1 virus ??? (Unix) Any reports of an April Fools Day virus ... We are running Ultrix 3.1 on a VAX 8650 and since 4/1 it has been "hanging" about once and hour. Since it hangs there is no crash dump to analyze.... Nothing unusual from uerf's either. We have had the hardware folks in and they have been replacing boards left and right, without any success. Please excuse the crosspost. Any help would be appreciated. Jim Page Bellcore INTERNET: jpage@rruxe.cc.bellcore.com UUCP: ihnp4!bellcore!rruxe!jpage ------------------------------ Date: Sat, 07 Apr 90 13:54:56 -0500 From: James Ford Subject: New files on MIBSRV The following files are now available for anonymous FTP from MIBSRV.MIB.ENG.UA.EDU (130.160.20.80) in the directory pub/ibm-antivirus: xxencode.c C source for xxENcode xxdecode.c C source for xxDEcode uxencode.pas VM/CMS pascal source for XX/UU encoding/decoding files. I have taken PKZ110.EXE off the server. I was unaware of any export control laws concerning its data encrypting. I will try to replace it as soon as possible. Thanks to Keith Petersen, Grant Deason and other who wrote me on this. - ---------- Be kind. Remember everyone you meet is fighting a hard battle. - ---------- James Ford - JFORD1@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU THE University of Alabama (in Tuscaloosa) ------------------------------ Date: 07 Apr 90 22:14:42 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: Virus in Text Files Agreed no NON executable file can be used to infect however another technique without providing examples would be the case of a bat file being used to feed debug along with infectious code(SMALL) being kept beyond the EOF marker in the last allocated cluster... note all DOS routines(I/O) read the Entire cluster(not just up to EOF...) this can be quite a bit of spare space on present drives... more ambitious schemes would be a triply/redundant encrypted shadow file system using either Hamming or other ER schemes such as Reed Solomon...this could be used to store quite sophisticated system penetration/Interdiction/ICE-Breakers... with out visibility to normal virus scanners(most use the FAT and/or Directory Structures to analyze the disk...) this vunerability does in certain cases extend to other OS's besides **-DOS.... Something indeed to think about....still another reason to upgrade completely to MMU managed architectures(386/486 etc) using the VM8086 model ... cheers kelly ------------------------------ Date: 07 Apr 90 23:30:21 +0000 From: wb69@tygra.UUCP (Alan Beck) Subject: Virus? (Mac) We've got a problem with a bunch of Mac SE, and SE 30. We have gotten a virus into them somehow. I have no idea how this could have happened, since they are not networked together (other than Appletalk), and we know 99.99995 of our software is store boughten, right off the shelves. I'm not that familiar with Mac viruses, but here are the symptoms: - --It just eats up space, and makes everythink larger. It sort of became evident when our 20 meg hd was 27 megs... - --It may or may not copy itself onto floppy disks that are put into the system. - --It seems to have been gotten rid of, and then it comes back. - --When we find the virus on the SE (These d - --When we find the virus on the SE (These don't have hds) we seem to get rid of it. - --The SE/30 (with hd) seems to always have it. - --The plain SE gets it from when a disk was carried from the SE/30 to the reg. SE. So, I know where it's coming from. - --It hasn't done anything drastic, YET!!! Can you please tell me what this Virus is, and how to stop it??? We try to use the SE/30 as least as possible, so it's down 75% of the time, so I think the virus can be left alone untill we get some antidotes here. We have tried one (a store one, can't remember the name), that doesn't seem to help it. I really need some suggestions... Here comes the screwy .sig file (I have no controll over it)..... = CAT-TALK Conferencing Network, Prototype Computer Conferencing System = - - 1-800-825-3069, 300/1200/2400/9600 baud, 8/N/1. New users use 'new' - = as a login id. <>> = E-MAIL Address: wb69@ThunderCat.COM ------------------------------ Date: Sun, 08 Apr 90 01:57:11 -0500 From: Mark Parr Subject: AIDS Virus Suspect What ever became of Dr. Joseph Popp, Jr., who was arrested in Cleveland on charges stemming from the PC Cyborg AIDS Virus/Trojan Horse. Has anyone heard anything? Mark Parr ------------------------------ Date: Sun, 08 Apr 90 23:44:14 +0000 From: gm@cunixa.cc.columbia.edu (Gary Mathews) Subject: Re: Validating Virus Software WARD@SENECA.BITNET (David Ward -- Computer Support/Special Needs) writes: >Periodically we hear concerns about the validity of SCANVxx and other >antiviral programs. I think these concerns are valid since a >virmentor creating a virus would likely take great joy in attaching >the virus software to a product designed to fight viruses. > >I do not have complete confidence in our local sources of SCANVxx > >A simple solution to this problem is that when new versions of scan >are announced on this digest, the announcement should include the >validation strings given by McAfee. Then we can download from any >local source and compare the strings published in Virus-L to >those we generate with the validate program. Dave, I agree with you fully and I think that the Virus Discussion List and/or John McAfee himself should post the validate strings to the *NET* In fact, a list of must commonly used programs should be included on such a list, but for now the validated strings of the lastest versions for the scan and clean programs should be publically accessible. Many people will hesitate from getting an updated version because it may be a virus in disguise. After people can be assured that the program is valid, then they could get the new copy and register it. Gary Mathews - ------------------------------------------------------------------------------- Gary Jason Mathews | gm@cunixd.cc.columbia.edu Columbia University | Death is life's way of telling you you've been fired. - ------------------------+ CPU time flies when you have a lot of bugs ------------------------------ Date: 09 Apr 90 03:00:22 +0000 From: woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) Subject: Re: Universal Virus Detector Don't forget to check for RAM shadowed BIOS and modifications to the bios. Cheers Woody ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253