VIRUS-L Digest   Wednesday, 2 Jan 1991    Volume 4 : Issue 1

Today's Topics:

EXE file compression with LZEXE and PKLITE (PC)
Macvirus index? (Mac)
Disk Utilities (PC)
Re: Virus Protection (PC)
more about the conference in Hamburg
ZeroHunt Virus (PC)
Re: Viruses for the holidays & admin note
please stop the requests
Re: (1) GAO Report on Computer Security
Zmodem infected with Violator (PC)
UK Computer Crime Unit
MIBSRV downtime
WP viri and bugs (PC)
Unix and Mainframe Viruses
New virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    20 Dec 90 14:22:50 +0000
From:    Mark Scase
Subject: EXE file compression with LZEXE and PKLITE (PC)

There has been recent discussion about the use of the EXE compression program LZEXE and the possibility that viruses could hide within EXE files that are subsequently LZEXEed. Now some virus scanners can look within these compressed files to see if something nasty is hiding. I have recently discovered the shareware program PKLITE by PKWARE that appears to do much the same thing functionally as LZEXE. Does this mean now that virus scanners should include a feature to look inside PKLITEed files?
--
Mark Scase,                    | JANET:    coa44@uk.ac.keele
Dept of Communication,         | BITNET:   coa44%keele.ac.uk@ukacrl
University of Keele, Keele,    | Internet: coa44%keele.ac.uk@nsfnet-relay.ac.uk
Staffordshire, ST5 5BG, UK.    | Other:    coa44@keele.ac.uk
(Phone: +44 782 621111)        | UUCP:     ..!ukc!keele!coa44

------------------------------

Date:    Thu, 20 Dec 90 11:58:36 -0800
From:    rrk@planets.risc.com (Richard Killion)
Subject: Macvirus index? (Mac)

Does anyone know where I could download the macvirus index? I have heard it is in the form of a self-extracting archive and that it might be on an ftp site with ".fi" somewhere in its name.

Thank you.

------------------------------

Date:    Thu, 20 Dec 90 15:14:00 -0400
From:    Bill Thater
Subject: Disk Utilities (PC)

Can anybody recommend a PD/Shareware Disk Utility package (read "not too expensive 'cause I gotta buy it myself") that will allow me to read/modify the boot sectors, FATs, et al. on floppies and hard disks? I will need it to work on all types of disks. Please reply direct to me at the address below (note: Please try to use the Bitnet address, our mailer doesn't always let me get Internet mail :) ) and I'll summarize to the list if I get any answers.

Thank you all for your time and effort.

Bill

******************************************************************************
Bill Thater                                      Centro Parking Inc.
Voice: (315) 464-4539
E-mail: THATERW@SNYSRYV1.BITNET
        THATERW@VAX.CS.SUNYHSCSYR.EDU
        THATERW@139.127.2.1
******************************************************************************

------------------------------

Date:    Thu, 20 Dec 90 22:06:33 -0800
From:    sulistio@sutro.SFSU.EDU (Sulistio Muljadi)
Subject: Re: Virus Protection (PC)

Michael_Kessler.Hum@mailgate.sfsu.edu wrote in VIRUS-L volume 205:

> Subject: Virus protection (PC)
>
> [stuff deleted]...
> The one negative comment about F-Prot is that the updates appear to be less frequent than one might wish.
One other negative comment about F-Prot is: F-driver.sys does not check drive A for any possible boot sector virus when we warm boot the machine. The V-Shield does check drive A for any possible boot sector virus and will deny the warm boot if there is any boot sector virus in the floppy drive A. Hopefully frisk will implement this for his next version of F-PROT. It is a great program.

--
Merry Christmas and Happy New Year

sulistio@futon.sfsu.edu
sulistio@sutro.sfsu.edu
sulistio@sfsuvax1.sfsu.edu
UUCP mail : mul@wet.UUCP

------------------------------

Date:    Fri, 21 Dec 90 11:00:10 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: more about the conference in Hamburg

I was asked who organized the Hamburg conference, and the answer is

        perComp-Verlag Gmbh
        percomp@infohh.rmi.de
        Viren-Service Hamburg

I am posting the reply here, both because the address ozonebbs!aryehg@apple.com (Aryeh Goretsky) does not work and because more people might be interested...

-frisk

------------------------------

Date:    21 Dec 90 13:29:09 +0000
From:    patel@mwunix.mitre.org (Anup C. Patel)
Subject: ZeroHunt Virus (PC)

After recently downloading McAfee's VIRUSCAN files, I noticed a reference to the ZeroHunt virus. According to the DOC file, this virus was reported by someone in the Washington, D.C. area. Can anyone tell me exactly where it was reported, and by whom? Also, are there other ZeroHunt infections around the country?

Thanks for any information you can provide me.
Anup Patel
The MITRE Corporation
patel@mwunix.mitre.org

------------------------------

Date:    Fri, 21 Dec 90 06:58:26 -0800
From:    malloy@nprdc.navy.mil (Sean Malloy)
Subject: Re: Viruses for the holidays & admin note

writes:

>While shopping for holiday gifts for my nephews and niece, I found a
>toy called Virus Warriors (I could be wrong on the exact name, but
>that's the gist of it). I'm not making this up! The box said
>something to the extent of, "A top secret government lab has
>accidentally released evil computer viruses. Their goal is to take
>over all the world's computers...even YOURS!" The toy was this
>sinister looking doll with "computer circuitry" on its back. Again,
>I'M NOT MAKING THIS UP!

I saw them last weekend when I was out Christmas shopping. My first response was "Some people will sink to _any_ depth to make a buck"; my second response was "Why didn't _I_ think of that?"

 Sean Malloy                                   | I don't blame Congress. If I
 Navy Personnel Research & Development Center  | had $600 billion at my
 San Diego, CA 92152-6800                      | disposal, I'd be irresponsible,
 malloy@nprdc.navy.mil                         | too.

------------------------------

Date:    Fri, 21 Dec 90 10:53:34 -0500
From:    OU75000
Subject: please stop the requests

hello all:

when i sent that message to you guys asking for help i happened to mention that i collect strains of different virii for research. i was not making an advertisement. please stop sending me requests to give out samples. i have no intention of doing this because (no offense) i do not want to be a part of someone spreading any more mischief! i have no way of knowing who any of you are - not that i am pointing fingers - and it's unfair to be asking me for such sensitive things as virus code.

thank you and i hope i haven't offended you...

-chris

------------------------------

Date:    21 Dec 90 16:11:37 +0000
From:    dittrich@milton.u.washington.edu (Dave Dittrich)
Subject: Re: (1) GAO Report on Computer Security

Kenneth R.
van Wyk recently informed me that the GAO report to which I referred in <0008.9012141904.AA27940@ubu.cert.sei.cmu.edu> already exists on one of CERT's computers. The machine is cert.sei.cmu.edu (128.237.253.5) and the file name is pub/virus-l/docs/gao_rpt. Anyone interested in an electronic copy may get it from there by anonymous ftp.

The part about confirmation of receipt of the report is explained in the following excerpt from the above file:

************************************************************
* This is the first GAO report to be made available over   *
* the Internet. GAO wants to know how many people          *
* acquire the report this way. If you are reading this,    *
* please send mail to me and I'll keep                     *
* count for them. Your name will not be saved or used.     *
************************************************************

Would those of you who received the report from me via email (or who got a copy from someone who did) please email to swolff@nsf.gov. I want to encourage the government to do more of this kind of thing.

P.S. Thanks again Ken :-)

--
Dave Dittrich
Dept. of Chemistry BG-10, University of Washington, Seattle, WA 98195
dittrich@u.washington.edu
...!uw-beaver!u.washington.edu!dittrich

"Teachers are the only profession that teach our children." Dan Quayle

------------------------------

Date:    Sat, 22 Dec 90 00:25:51 -0800
From:    ozonebbs!aryehg@apple.com (Aryeh Goretsky)
Subject: Zmodem infected with Violator (PC)

1. Christmas Violator Virus (PC)
2. New BBS line

----------

CHRISTMAS VIOLATOR VIRUS

There has been a hacked version of Omen Technology's DSZ ZMODEM External File Protocol Module called DSZ1203.ZIP. The DSZ file inside is infected with a new variant of the Violator virus known as the Christmas Violator or Violator-B4 virus. The virus contains an ASCII message from a group called RABID and contains a Christmas Greeting. It is not known what else the virus does.
The following search string can be used by VIRUSCAN with the /EXT switch to check for the virus:

"51 ba ? ? fc 8b f2 81 c6 9b 11 bf 00 01 b9 03 00" Christmas Violator

If you find this virus on your system, run VIRUSCAN with the /D option to delete the infected files.

----------

NEW BBS LINE

A new bbs line has been added to Homebase BBS at (408) 988-5190. This line has a US Robotics Courier 9600 Dual Standard providing a 9600bps connection using v.32 and MNP-5. Hopefully, this will make getting the software easier for International Long Distance callers.

Regards,

Aryeh Goretsky
                                                           _____
+----------------------------------------------------------------+
| Aryeh Goretsky, Tech Support           vox (408) 988-3832      |
| McAfee Associates                      fax (408) 970-9727      |
| 4423 Cheeney Street                    bbs (408) 988-4004      |
| Santa Clara, California 95054-0253                       //    |
| Internet: aryehg_ozonebbs.uucp!apple.com                //     |
| UUCP: apple!netcom!nusjecs!ozonebbs!aryehg             \X/     |
| "Opinions expressed are my own and do not necessarily reflect  |
|  those of my employer."--universal disclaimer applied herein.  |
+----------------------------------------------------------------+

------------------------------

Date:    Wed, 19 Dec 90 09:57:24 +0000
From:    Anthony Appleyard
Subject: UK Computer Crime Unit

I received this message from 'pandy ':-

"The UK Computer Crime Unit hasn't got an email-address, nor do they read these UUCP-news.
Pandy

******************
pandy@spiff.hut.fi"

If they aren't in contact with the computing world, how can they operate effectively? If they can't email, and have to rely on GPO mail and the phone and personal visits, and can't get email circulars, they are going to be way behind developments. Can't they afford a microcomputer and a modem?

from {A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Wed, 19 Dec 90 09:46:20 GMT

------------------------------

Date:    Sat, 22 Dec 90 00:11:19 -0600
From:    James Ford
Subject: MIBSRV downtime

MIBSRV (130.160.20.80) has had a hard disk crash. Lucky for me, it was just the disk with the operating system and user home directories. :-(

I will post another message when the server gets restored.......(sigh)

----------
Each day the world turns over on someone who was just sitting on top of it.
----------
James Ford - JFORD@UA1VM.UA.EDU, JFORD@MIBSRV.MIB.ENG.UA.EDU
THE University of Alabama (in Tuscaloosa, Alabama USA)

------------------------------

Date:    Sat, 22 Dec 90 12:55:39 -0800
From:    p1@rlyeh.wimsey.bc.ca (Rob Slade)
Subject: WP viri and bugs (PC)

GOODWIN@SMCVAX.BITNET (Dave Goodwin) writes:

> I have seen several mentions of possible virii on WordPerfect. Let me
> add my two cents...

Oh, how true. I remember a submission some time back that asked about files which, regardless of document length, only stored a few bytes of garbage. I recently had that happen, and I'm sure it's just a bug.

The problem I encountered was that Word Perfect version 5.0, when saving to 4.2 format (one of the options under F5), will save an eight byte file *and erase the previous version, not just rename the file* if the "backup" options are turned on.

Let me say that, while Word Perfect is *still* currently my editor (and disk manager:) of choice, the discovery of this bug lost me four days' work on the reviews of FPROT and Anti-Virus Plus.
:(

------------------------------

Date:    23 Dec 90 11:03:55 -0500
From:    "Robert McClenon" <76476.337@CompuServe.COM>
Subject: Unix and Mainframe Viruses

A point seems to be being overlooked in the recent discussion of the vulnerability of Unix to viruses. It was overlooked in the past discussions of the vulnerability of mainframes to viruses. It isn't necessary for a virus to infect or subvert the operating system to cause damage. A Unix virus only needs to infect applications to which the user has the Write privilege. A VM virus only needs to infect applications on the user's read-write minidisks.

It is true that most MS-DOS and Macintosh viruses subvert the operating system or operating system software somehow: the System file, the boot sector, the Desktop, COMMAND.COM. But that is not an essential characteristic of viruses or the virus threat. The general threat is still present even if the threat to the operating system is absent. And if there are vulnerabilities in various versions of Unix to a gradual escalation of the privileges of the virus code, as one correspondent said, the threat is greater.

Robert McClenon
(Neither my employer nor anyone else paid me to write this.)

------------------------------

Date:    Fri, 21 Dec 90 22:33:35 +0200
From:    public@alva.tut.fi (Public Domain PC-software)
Subject: New virus (PC)

I found a new virus on a PC at the beginning of December, but it has been around here at least since the end of June. I've named it the 2480 virus, because its size is that.

2480 Virus spreads only (I think) if the year is set to 1988 or earlier. If it is later than 1988, infected files will occasionally display the logo of the European Crackin' Crew (Does anyone know anything about that group??) when the user executes an infected program.

2480 Virus adds 2480 bytes to the end of every .COM file it decides to infect. It doesn't infect files very quickly and it seems that infection happens only at a certain time.
It will also change the last modification time to the time when infection happened, but the files' dates remain unchanged. 2480 Virus is not memory resident and it can easily be noticed because the European Crackin' Crew's logo is at the end of every infected .COM file.

This virus is not detected by ViruScan V72, but I've sent a copy of it to Mr. John McAfee and Fridrik Skulason, so hopefully ViruScan V73 and F-Prot 1.14 will find this virus :-)

Tapio Keihanen
Mesiheinankatu 2 B 6
33340 Tampere
Finland

PS. I'm sorry for my POOR English...

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 1]
****************************************
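Added example, not part of the digest: a small scanner showing how a VIRUSCAN /EXT-style search string such as the Christmas Violator one posted by Aryeh Goretsky above can be applied to a file image. It is written for this page, not McAfee's code; the reading of `?` as a single-byte wildcard is an assumption about the /EXT syntax, and the two file images it scans are constructed filler bytes, not real DSZ contents.

```python
"""Wildcard hex-signature scan in the style of VIRUSCAN /EXT strings (added example)."""
import re

# Assumption about the /EXT syntax: quoted hex bytes, "?" standing for any single
# byte, followed by the name to report.  The string itself is the one posted to the list.
CHRISTMAS_VIOLATOR_EXT = '"51 ba ? ? fc 8b f2 81 c6 9b 11 bf 00 01 b9 03 00" Christmas Violator'


def parse_ext_signature(line):
    """Turn one /EXT-style line into (pattern, name); None in pattern = wildcard byte."""
    m = re.match(r'\s*"([^"]*)"\s*(\S.*)$', line)
    if not m:
        raise ValueError("malformed signature line: %r" % line)
    pattern = tuple(None if tok == "?" else int(tok, 16) for tok in m.group(1).split())
    if not pattern:
        raise ValueError("empty signature: %r" % line)
    return pattern, m.group(2).strip()


def find_signature(data, pattern):
    """Return every offset in data where pattern matches, honouring wildcards."""
    n = len(pattern)
    return [off for off in range(len(data) - n + 1)
            if all(p is None or data[off + i] == p for i, p in enumerate(pattern))]


def scan(data, signature_lines):
    """Scan one file image against several /EXT lines; report {name: [offsets]}."""
    hits = {}
    for line in signature_lines:
        pattern, name = parse_ext_signature(line)
        offsets = find_signature(data, pattern)
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample file images (not real DSZ contents): 16 filler bytes, then the
# 17-byte pattern with arbitrary bytes 0x34 0x12 under the two wildcards, then NOPs.
SAMPLE_INFECTED = (bytes(range(16))
                   + bytes.fromhex("51ba3412fc8bf281c69b11bf0001b90300")
                   + b"\x90" * 8)
# Same bytes except the final 0x00 is 0x01: a near miss that must not be reported.
SAMPLE_CLEAN = bytes(range(16)) + bytes.fromhex("51ba3412fc8bf281c69b11bf0001b90301")

if __name__ == "__main__":
    print(scan(SAMPLE_INFECTED, [CHRISTMAS_VIOLATOR_EXT]))  # {'Christmas Violator': [16]}
    print(scan(SAMPLE_CLEAN, [CHRISTMAS_VIOLATOR_EXT]))     # {}
```

Note that a byte-pattern scan like this only sees what is actually in the file image; as the LZEXE/PKLITE discussion at the top of the digest points out, a scanner must first unpack a compressed EXE before such a string can match.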