VIRUS-L Digest Thursday, 18 Apr 1991 Volume 4 : Issue 64 Today's Topics: Re: AF/91 and April Foolism in general AF/91 and April Foolism in general Re: HyperCard anti-virus script bad (Mac) Norton's Antiviral program Question (PC) Self-extracting files (PC, mostly, I guess) Amiga Virus Listing (Amiga) Stoned Problems (PC) New virus at Oxford? (PC) Re: Unix viruses (UNIX) Norton Anti-Virus (PC) Re: April Fool? Re: Gantz' Infoworld Column the MDEF series of viruses (Mac) Documented mainframe viral attacks (mainframe) Re: Is virus infection by inserting floppy disk possible? (PC) (Mac) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 17 Apr 91 04:46:37 +0000 >From: viki@crash.cts.com (Victoria Harkey) Subject: Re: AF/91 and April Foolism in general The problem with the joke is that I did run across a trojan horse that did activate on 4/1. If the system clock was reset to a date prior to 4/1, no music played when the infected files were accessed... however, any date =>4/1 caused numerous songs. It was not benign.. In trying to trap and eradicate the virus, it hit the File Allocation Table and wiped out all access to the drive. They were using DOS 4.01, and my software tools couldn't salvage the disk. I've devirused a number of systems and networks; this little sucker was not a joking matter. Victoria Harkey Certified NetWare Engineer ------------------------------ Date: Wed, 17 Apr 91 14:48:59 -0500 >From: pjc@sirius.melb.bull.oz.au (Paul Carapetis) Subject: AF/91 and April Foolism in general > Date: Fri, 12 Apr 91 09:46:16 +0100 > From: Anthony Appleyard > > In reply to these, I say this. Jokes can only be allowed to go so far. Too > often people try to cap each other's jokes and go too far and cause much > unfunny nuisance. Ref what someone in my scubadiving club said after a bout I agree that there should be a limit to "jokes" but it seems to me that such articles are easily spotted if read in full and have their own merit in the form of some relief from the serious and morbid atmospheres in this industry with a small light-hearted beam of joviality! I don't know about you, but I don't belive anything written in journals, magazines, newspapers etc. without confirmation from a reliable source (none of the previous fit into this category, IMHO). To go off in a big flap over an obvious april fools joke is a sign that a holiday/vacation should be the next course of action. Have a laugh - you'd be surprised how good it can make you feel! Yours with a smile :-) Paul | Paul Carapetis, Software Advisor (Unix, DOS) | Phone: 61 3 4200944 | | Melbourne Development Centre | Fax: 61 3 4200445 | | Bull HN Information Systems Australia Pty Ltd |-------------------------| | Internet: pjc@melb.bull.oz.au | What's said here is my | | ACSnet : pjc@bull.oz | opinion (so I am told!) | ------------------------------ Date: Tue, 16 Apr 91 22:50:00 -0500 >From: F8DY@VAX5.CIT.CORNELL.EDU Subject: Re: HyperCard anti-virus script bad (Mac) mike@pyrite.SOM.CWRU.Edu (Michael Kerner) writes: > Unfortunately, Bruce, if the script is going to spread, it has to get > past the scripts in the HOME card of HC. Passing the message directly > to HC does not bypass the HOME scripts. A direct quote from Hypertalk Reference stack (2.0): "If you send a message directly to Hypercard, you ensure that no other objects will handle the message." This includes the Home stack script, no matter what kind of HyperGatekeeper you've installed in your Home stack. Not only could the virus spread to your home stack, it could then spread to any other stack w/o warning from your "on set" script. _____________________________________________ | / \ / \ | | / You can't fight | | Mark Pilgrim \ | | | in here -- this |\_______/| | | \_____| is the WAR ROOM! |// \\| f8dy@cornella. |_____/ | (from Doctor /// \\\ cit.cornell.edu | | Strangelove) /// \\\ | \_______________/// \\\_______________/ My thoughts may not be my own, but they're certainly not my employer's. ------------------------------ Date: Tue, 16 Apr 91 22:24:54 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Norton's Antiviral program Question (PC) axtlp@acad2.alaska.edu (PIKEY TAM L) writes: > I have heard there was an article in a mag. comparing Norton's > antiviral to McAfee's scan and that the Norton's program failed to > identify the Stoned virus. Can anyone confirm or deny this? In my testing of the Norton Antivirus program (see the reviews in the cert and MIBSRV archives) it identified 3 versions of the Stoned virus. I do not have copies of the "Stoned II/Donald Duck" versions, so I can't vouch for that. ============= Vancouver p1@arkham.wimsey.bc.ca | "Don't buy a Institute for Robert_Slade@mtsg.sfu.ca | computer." Research into (SUZY) INtegrity | Richards' First User Canada V7K 2G6 | Law of Data Security | Security ------------------------------ Date: Tue, 16 Apr 91 22:54:46 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Self-extracting files (PC, mostly, I guess) Since this got chopped up good, the first time ... We've had various discussions on the merits of "archived" and "self- extracting" files for virus protection. The following is from a local bulletin board: Original message from: Rene Blais, to: All -- RB> simple way to detect viruses without scan or any similar RB> program, as long as the virus infects EXE files no RB> self-extracting compressed files will work as the virus RB> scrambles the code. just a friendly hint from your friendly RB> neighborhood virus-hater I'm afraid it isn't that simple, Rene. If the virus is an "overwriting" type, then yes this procedure should work. However, if the virus is a "prepender" then it will execute *before* the code that decompresses the program. The self extraction module then may or may not fail to successfully run the program, depending upon how it deals with the additional code at the beginning of the file. In any case, if the viral program is one that "goes resident", then the machine's memory is infected. If the virus is an "appender", most of the same applies. It will have a "jump" placed at the beginning of the file to the virus code at the end, and then a "jump" instruction to the beginning of the file and, again, executes the virus before the self-extraction module starts to work. As with the prepender, the extraction of the program may or may not be affected by the presence of header and trailer information. However, in the case of the newer "spawning" viral programs, this procedure does nothing at all for detection, because "spawning" viri never touch the original file, relying on MS-DOS's "execution order preference" for .COM files, and creating a separate virus file. The separate file may be hidden from detection in various ways, and still be "infectious." ============= Vancouver p1@arkham.wimsey.bc.ca | "Don't buy a Institute for Robert_Slade@mtsg.sfu.ca | computer." Research into (SUZY) INtegrity | Richards' First User Canada V7K 2G6 | Law of Data Security | Security ------------------------------ Date: Tue, 16 Apr 91 22:48:57 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Amiga Virus Listing (Amiga) BOXALL@qut.edu.au writes: > Does anybody have a list of AMIGA viruses and their actions? There is > an excellent list available for the IBM PC. Any info would be > appreciated. Klaus Brunnstein's excellent Computer Virus Catalog covers all the bases: MS-DOS, Mac, Atari and Amiga. I do recall some difficulties they have had obtaining samples for Amiga viri, since Amiga users tend to want to "swap", and CARO won't do that. ============= Vancouver p1@arkham.wimsey.bc.ca | "Don't buy a Institute for Robert_Slade@mtsg.sfu.ca | computer." Research into (SUZY) INtegrity | Richards' First User Canada V7K 2G6 | Law of Data Security | Security ------------------------------ Date: Wed, 17 Apr 91 11:13:33 +0100 >From: LBA002@PRIME-A.TEES-POLY.AC.UK Subject: Stoned Problems (PC) We are having problems with STONED here at Teesside Polytechnic. We can detect it on our hard disks using SCAN and then get rid of it using CLEAN, although we can detect it on floppies CLEAN hangs when we try to get rid of it and the floppy is subsequently unusable. The weird thing is that the floppies don't have any programs on them, the particular case I dealt with just had 3 disks of wordstar files. Does STONED scramble the FAT? Can it "hang around" in memory so that SCAN reports the A drive as being infected although it is not on the floppy in the A drive? Can STONED scramble the FAT of a floppy in the A drive from the C drive or from memory? Any help gratefully received. Rgds, Iain Noble - ----------------------------------------------------------------------------- Iain Noble | LBA002@pa.tp.ac.uk | Post: Main Site Library, JANET: LBA002@uk.ac.tp.pa | Teesside Polytechnic, EARN/BITNET: LBA002%pa.tp.ac.uk@UKACRL | Middlesbrough, INTERNET: LBA002%pa.tp.ac.uk@cunyvm.cuny.edu | Cleveland, UK, TS1 3BA UUCP: LBA002%tp-pa.ac.uk@ukc.uucp | Phone: +44 642 342121 - ----------------------------------------------------------------------------- ------------------------------ Date: Wed, 17 Apr 91 11:32:00 +0000 >From: LYNNE@vax.oxford.ac.uk Subject: New virus at Oxford? (PC) Can anyone help us please. We are seeing a lot of corrupt PC files recently from various departments in the university. They all have the same file header which includes a small capital e with an accent acute followed by the characters MSDOS3.3 then a load of garbage. The software that created the files is unable to read them. We've scanned some of the machines that produced these file with McAfee's SCAN v76. SCAN doesn't detect anything. Has anyone any ideas. I'm stuck except to suggest to the people affected to do a low-level format and restore their software from known clean copies. Could you please pass on my thanks to A. Padgett for his reply to my last query about IDE drives. I've tried to mail him personally but keep getting unhelpful messages at my end about "site unknown". Thanks in advance. Lynne Munro ------------------------------ Date: Wed, 17 Apr 91 03:23:00 -0700 >From: mrs@netcom.com (Morgan Schweers) Subject: Re: Unix viruses (UNIX) Some time ago padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) happily mumbled: >In the VAX world, use of version numbers in file calls (does anyone >else ?) would make such script spoofs more difficult. > >Key here is that "good" multi-user systems (e.g. unix) already have >good defense mechanisms built in but rarely used. Greetings, Beg to differ, but... [Wherein I deleted, a description of a very successful VMS worm, based on version numbers] There really *ARE* some things a person shouldn't post. Suffice it to say that a person I knew used the version number facility of VMS to make 'script spoofs' easy. (As well as using MBX's as a 'trapdoor' facility which trapped the System manager even. Scary. Took less than a few days.) The 'version numbering' of VMS makes it susceptible to worms and such. DCL worms, also, have been around a while. All these things require that people run things out of other's accounts. However, in an educational environment this can be considered to hold true. In many other environments as well. The problem here is that *WORMS* are easy on almost any system, but Viruses seem to be only 'easy' on PC's. (I consider a worm a program of which there is an entirely *SEPERATE* program, and a virus a program which incorporates itself into the main program.) If you are running a Un*x system, work on the intricacies of protections. Proper passwording, proper protection, make sure your users are 'security aware'. Run COPS on your system occasionally. For the most part, you won't need to worry about worms or viruses. As Padgett says, you've got great protections available. Now *USE* them! Of course if you *DO* run into one, comp.virus/VIRUS-L would probably be very interested in it. -- Morgan Schweers +---- I'm out of my company's field here, so they probably don't care what I'm saying now. -- mrs@netcom.com - ----+ ------------------------------ Date: Wed, 17 Apr 91 11:50:00 -0400 >From: Garb@DOCKMASTER.NCSC.MIL Subject: Norton Anti-Virus (PC) In testing the Norton Anti-Virus product against a file with multiple infections of the Jerusalem B virus, I found that it will remove only one instance of the virus at a time. It reports that the virus has been "successfully removed" even though the remaining copies of the virus remain attached to the file. Other products I've tested will remove all instances of a multiple infection automatically, without user intervention. I consider this aspect of the Norton product to be a serious defect and I would hope to see it corrected in a subsequent release. Gary Garb Unisys Corp. Blue Bell, PA (215) 986-4038 ------------------------------ Date: Wed, 17 Apr 91 16:53:18 +0000 >From: twong@civil.ubc.ca (Thomas Wong) Subject: Re: April Fool? wes@thor.srl.caltech.edu (Wes Boudville) writes: > I read that Infoworld article. Like many readers, I'm sure, >I got a chuckle out of it. A lot of us are aware that media >articles dated 1 April should be regarded with a grain of salt >[like the story one year about Big Ben going digital]. Personally, I >regard such articles as a refreshing and harmless sign of creativity. > As a non-American, I find your comment to be a classic >glimpse into the litigious nature of US society. I have to agree with you there. It seems that as the days goes by, there are stranger and stranger cases in the Amermican courts. People are being sued from anything to everything. There was a joke about this I read somewhere (can't recall where). The relevant part of the story goes something like this. A lady trips over a branch on the sidewalk in front of a building. She sues the gardener of the building for malpractice, sues the owner of the building for negligence, sues the city for pollution, sues the county for lack of control over its cities, sues the State for not increasing the city spending for the purchase of one more street cleaner, and sues President Bush for not buying that Nintendo Danny wants so that he can actually be doing something. >Go ahead with your lawsuit. I suspect it will be thrown out >of court. I'm not so sure about that. I have seen some strange decisions before. You know what they say in the US, if you have enough money to pay for a good lawyer, you can get away with murder (or seek refuge in Canada). :) But come now. A joke is a joke. We all know what April fools mean. I thought Americans are supposed to be funloving, free spirited group of fellows. Not to mention freedom of speech and all that jazz. Thomas. ------------------------------ Date: 17 Apr 91 17:02:49 +0000 >From: kevinc@cs.athabascau.ca (Kevin Crocker) Subject: Re: Gantz' Infoworld Column ROsman%ASS%SwRI05@D26VS046A.CCF.SwRI.EDU writes: >I'm almost amazed that you were so taken in by Gantz' article. I will >admit to reading the article with some interest initially, but it >became clear that it was a farce towards the end. I have a lot of >respect for the folks at NSA, but they play by the same laws of >physics and math that the rest of us do, and I seem to remember some >claims toward the end of the article that grossly violated both. The >final "nail in the coffin" was the date of the issue (April 1,1991). >I wish I had the issue in front of me so I could quote chapter and >verse, but I don't. I've keep quite about this because I enjoy a good yuck as much as the next person. However, there are a lot of people that read a variety of magazines just for info and pleasure that do not have the math/physics/computer background to understand the sillyness of what was written. There are a lot of neophytes running around making all kinds of decisions about computers that affect entire companies. Articles like this one do an incredible disservice and create more uneasiness about computers and viruses. Computer viruses are NOT something to joke about. Several years ago I lost an entire 40Mb hard disk to something (probably a trojan but I could never find it) Even though I had backups I lost quite a bit of work that cost me several months to recreate. Viruses and trojans are not something that should be joked about, especially if there is the slightest chance that the "joke" could fall into a novices lap. Kevin - -- Kevin "auric" Crocker Athabasca University UUCP: ...!{alberta,ncc}!atha!kevinc Inet: kevinc@cs.AthabascaU.CA ------------------------------ Date: 17 Apr 91 17:48:29 +0000 >From: v134q2mg@ubvmsb.cc.buffalo.edu (Robert A Carlin) Subject: the MDEF series of viruses (Mac) Hi. I was wondering if someone could help me with a slight problem I seem to be having. I'm a graduate student here at UB (SUNY Buffalo), and I work in a laboratory that has 4 Macs (3 SE/30s and a IIsi). Recently, we found that two of the SE/30s were infected with a virus called MDEF C. We tried to use SAM on it, but the best we could do was detect the infected files - SAM couldn't repair them. Only applications and the desktop were infected by this virus. Our solution was to simply delete the infected files, rebuild the desktop, and reinstall new versions of the System, Finder, and other infected applications. However, some of the other students aren't sure whether SAM is going to be effective in detecting this again, as it didn't notify any of us about the infected floppy disk in the first place. Are there any free- or shareware virus protection/disinfection programs available? I had copies of Binhex and Stuffit which I was fiddling around with, and they got infected, so I can't readily go the archives to get programs... Also, how long has the MDEF series of viruses been circulating? I would assume that MDEF 'C' is the third version detected...? What does it do? And finally, if the desktop of a floppy has been infected with this virus, can that desktop be repaired/rebuilt and the floppy put back into service? Thanks in advance for your time. Please reply by email - this topic has (most likely) been brought up before, and I don't want to waste space. Thanks! Rob Carlin - ------------------------------------------------------------------------------- Robert Carlin, State University of New York at Buffalo INTERNET: v134q2mg@ubvms.cc.buffalo.edu OR carlin@autarch.acsu.buffalo.edu It's is not, it isn't ain't, and it's it's, not its, if you mean it is. If you don't, it's its. Then too, it's hers. It isn't her's. It isn't our's either. It's ours, and likewise yours and theirs. - Oxford University Press, Edpress News ------------------------------ Date: Wed, 17 Apr 91 17:05:32 -0400 >From: Arthur Gutowski Subject: Documented mainframe viral attacks (mainframe) In Virus-L V4 #63: >Date: 16 Apr 91 22:38:13 +0000 >From: braunste@sal-sun12.usc.edu (Gil Braunstein) >I was wondering whether there are documented cases of viruses >infecting mainframes or minis (basically not PCs). ... > my instructor claims that there have not been any >documented cases of viruses infecting mainframes that he knows of. On >the other hand, another instructor claims to know about some cases but >one of the few sources that he pointed out was Fred Cohen's paper. To my knowledge, there are no known mainframe viruses (documented). Unless you count the VM Xmas EXEC (and others like it) viruses. I think these have been classified by most as worms rather than viruses, because they are stand-alone programs and not parasitic. Some time ago (late last year) there was extensive discussion as to the possibility and feasibility of mainframe viruses. As a starting point, you may want to check the Virus-L archives on cert.sei.cmu.edu for these mainframe discussions. As for the Cohen paper, that may too be on the cert archives (if it's available in electronic form-- Ken??). I think the general consensus then was that viruses were definitely possible, but not a huge concern given the complexity of mainframe environments and the different culture associated with mainframes. For what it's worth, [Ed. Sorry,the Cohen papers are not available on our archives; if they are publicly available electronically, I would be happy to place them there, though. If anyone has info on this, please drop me a note.] Arthur Gutowski MVS System Programmer Wayne State University AGUTOWS@WAYNEST1 (BitNet) 1+1=10 AGUTOWS@cms.cc.wayne.edu (InterNet) -Murphy's Base Law of Addition ------------------------------ Date: 17 Apr 91 18:23:51 +0000 >From: ingoldsb%ctycal@fsa.cpsc.ucalgary.ca (Terry Ingoldsby) Subject: Re: Is virus infection by inserting floppy disk possible? (PC) (Mac) p1@arkham.wimsey.bc.ca (Rob Slade) writes: ... > On a PC: no. Or at least, not with standard machines. (I use an old NEC > laptop for my comm sessions, and it growls at every disk insertion so it > must be doing *something*. But most PC's don't.) I recently installed a floppy disk drive on a non-PC computer (actually a Radio Shack Color Computer). I bought the drive without power supply or cabinet and assembled the unit myself. I discovered that the drive would cycle the power on for about 5 seconds every time a disk was inserted, even when the drive was not connected to a computer. It appears to be a feature that makes certain the disk has seated itself properly before any data operations take place. As far as I could tell the computer is not advised of the insertion. Perhaps this is what you are experiencing? - -- Terry Ingoldsby ingoldsb%ctycal@cpsc.ucalgary.ca Land Information Services or The City of Calgary ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 64] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253