VIRUS-L Digest   Thursday, 9 May 1991    Volume 4 : Issue 78

Today's Topics:

The Shape of the World (PC)
Virii in Factory Software; Legal Stuff; "Eddie Lives"
Virii on Factory Software & Legal Issues
Far West is a BEACH mirror (PC)
The dangers of self-extraction (general)
F-PROT & FluShot+ problems 2 (PC)
SNEAK virus (Mac)
CLEAN77 for a network? (PC)
re: Viral or other problem? (Mac)
Re: F-PROT and FluShot problems (PC)
re: Original-Equipment Viruses
re: Diskette write protection.
RE: vanishing space on Mac hard disks (Mac)
re: help with mac "virus"? (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    08 May 91 10:30:15 -0400
From:    "David.M.Chess"
Subject: The Shape of the World (PC)

This is an open note to other folks in the anti-virus field, to see if some (potentially significant) things that we've noticed about (primarily PC-DOS) viruses look the same from other people's perspectives. Some informal questions to individuals suggest that these are reasonably common observations; is there anyone out there who would disagree with them? (Or have other comments, for that matter?)

1) Most viruses in the collections of anti-virus workers have, as far as anyone knows, never been found on an end-user system. (We, for instance, have a few hundred viruses, but know of only about 50 that have ever bothered an end user.)

2) When a virus shows up on an end-user system ("in the wild", as we say) that has never been seen on an end-user system before, it's usually a brand-new virus, rather than a virus that's previously been in collectors' collections. That is, it's very rare for a virus from the "collectors only" category to move into the "in the wild" category.

Do these two things match the experience of other anti-virus workers? Can anyone give some examples of viruses that were at one time thought to be "collector only", but later showed up in the wild? (Very isolated incidents, such as the rather obvious direct 'seeding' of an end-user machine with a stupid virus like the Whale, don't really count.)

As a sort of a spot-check, has anyone ever seen any of the "Anti-Pascal" viruses (AP-400, -440, -480, -529, -605, I think they are; something like that) infecting an end-user machine? (I ask about these just because they're sort of prototypical "collector-only" viruses; rather stupid, and seemingly unlikely to spread.)

DC

------------------------------

Date:    08 May 91 10:22:00 -0600
From:    "William Walker C60223 x4570"
Subject: Virii in Factory Software; Legal Stuff; "Eddie Lives"

I haven't yet read enough of the back issues of VIRUS-L, so please excuse what duplication I may make.

I have just run across (and cleaned up) the MusicBug virus from the factory-supplied SVGA disks for a Packard Bell computer. The virus was on both disks of the set. Also, the virus was NOT on any of the other disks which came with the computer. Fortunately, the user had not used the disks yet. These disks were labelled simply "SVGA." I have also checked the disks which came with another user's Packard Bell computer, but found no virii. These disks were labelled "16 Bit VGA Card" or "16 Bit VGA Board" (I forget which).

A. Padgett Peterson (padgett%tccslr.dnet@uvsl.orl.mmc.com) writes:

> Bring in the lawyers ! We need some civil actions to force manufacturers
> to take due care (I'm amazed it hasn't happened before).

[Ed. See follow-up in the next message.]

It HAS happened before. Aldus (I believe - someone correct me if I'm wrong) shipped a package which contained a virus, and when they discovered this fact, recalled the shipped pieces and replaced them with clean ones. Also, MSgt Chester Howes (of this base) discovered an occurrence of Jerusalem B being shipped on a copy of BitCom communications software included with an internal modem. The vendor of the modem then sent clean copies of the software and said to destroy the old copies. There are probably other examples.

In both of these instances, the manufacturers took full responsibility and made efforts to remedy the situation, once they were informed of the problem. No legal action was necessary. Should there be in this case? Granted, the Music Bug virus has been reported on the SVGA disks since December, and Azusa a couple of weeks ago, but has anyone informed the manufacturer or distributors?

Also, how do you know they're NOT checking the disks? Suppose they're using VIRUSCAN V74, which won't find Azusa. Or worse, suppose they're using Norton Antivirus. While it is a good package, the Symantec Virus Newsline recording, where one gets new virus descriptions, is pretty old (as of yesterday, 7 May, it was dated mid-February), and doesn't include the Azusa virus or (if memory serves correctly) the MusicBug virus. They may indeed be looking, but the virii are getting by.

While I don't have a number for Packard Bell or Trident Microsystems, I am calling Service Merchandise and Sam's Wholesale, distributors of Packard Bell computers in this area. It costs less than a civil suit, and will achieve the same results, probably in less time.

One unrelated comment: I had thought that the phrase, "Eddie lives... somewhere in time" referred to the film "Eddie and the Cruisers," in which the lead singer is thought to be dead, but no one is 100% sure. Sorta like Elvis, huh? ;-)

Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | "If you were locked in a room with
OAO Corporation                        | Saddam Hussein, the Ayatullah, and
Arnold Engineering Development Center  | a lawyer, but you had only two
M.S. 120                               | bullets, which would you shoot?"
Arnold Air Force Base, TN 37389-9998   | "I'd shoot the lawyer twice."

------------------------------

Date:    08 May 91 14:24:00 -0600
From:    "William Walker C60223 x4570"
Subject: Virii on Factory Software & Legal Issues

In an earlier message I had written:

> A. Padgett Peterson (padgett%tccslr.dnet@uvsl.orl.mmc.com) writes:
> > Bring in the lawyers ! We need some civil actions to force manufacturers
> > to take due care (I'm amazed it hasn't happened before).
> It HAS happened before.

In that message, I thought that Mr. Peterson was referring to infections on factory diskettes not happening before. However, on reading further back in the VIRUS-L archives, it would appear that he is referring to the civil actions not happening before. I apologize for the misunderstanding.

I still contend, though, that civil actions are not necessary right now. The reason that virii are being distributed on factory diskettes is most likely the same reason that virii spread in general: the lack of education or information about virii. Admittedly, software publishers should be more aware about the computing environment than Joe Novice Computer User, but let's face it, it's difficult even for virus experts to keep up with the new virii, much more for a non-virus-related hardware company.

On the other hand, once informed about a virus problem with their product, a vendor must be prompt to correct the problem, or it is indeed time to bring in the lawyers.

Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) |
OAO Corporation                        | "I think, therefore I am.
Arnold Engineering Development Center  |  Nah, I think not."
M.S. 120                               |  *POOF*
Arnold Air Force Base, TN 37389-9998   |

------------------------------

Date:    Wed, 08 May 91 06:02:38 -0500
From:    perry@farwest.FIDONET.ORG (John Perry)
Subject: Far West is a BEACH mirror (PC)

Hello Everyone!

This is just a reminder that the Far West BBS (713)337-3289 is a mirror for BEACH.GAL.UTEXAS.EDU concerning the PC anti-viral software. This service is set up for those that do not have FTP access.

John Perry KG5RG

You can send mail to me at any of the following addresses:

DECnet   : BEACH::PERRY
THEnet   : BEACH::PERRY
Internet : perry@beach.gal.utexas.edu
Internet : perry@farwest.fidonet.org
BITNET   : PERRY@UTMBEACH
SPAN     : UTSPAN::UTADNX::BEACH::PERRY
FIDOnet  : 1:106/365

--
John Perry - via FidoNet node 1:106/365
UUCP: uunet!nuchat!farwest!perry
INTERNET: perry@farwest.FIDONET.ORG

------------------------------

Date:    Wed, 08 May 91 17:15:49 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: The dangers of self-extraction (general)

The perils of using self-extracting programs may be more potential than real at the moment, but consider some of the following features:

LHARC (and now LHA) allow the inclusion of a batch file which allows newly de-archived programs to be run automatically. Of course, being a batch file, it doesn't have to be limited to that. What a wonderful place to put a trojan! Of course, you can just have it run an infected program, before anyone has a chance to use a nasty old virus scanner on the programs ...

ARJ has a nifty new feature that allows the archiver to state that all queries are to be answered "yes". (At least, I think that is what it means. The documentation isn't entirely clear.) This means that the archivee doesn't have to worry about whether or not they want the de-archiving to proceed, it just does.

"User-friendly" always seems to run counter to security. In this case, the features that make self-extraction appealing, are the very ones that you have to somehow circumvent in order to be safe.

=============
Vancouver          p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for      Robert_Slade@mtsg.sfu.ca | computer, don't
Research into      (SUZY) INtegrity         | turn it on."
User               Canada V7K 2G6           | Richards' 2nd Law
Security                                    | of Data Security

------------------------------

Date:    Thu, 09 May 91 04:49:47 +0000
From:    umbc3!umbc3.umbc.edu!cs106132@uunet.UU.NET (cs106132)
Subject: F-PROT & FluShot+ problems 2 (PC)

HI,

This is a follow-up on my previous posting regarding a problem with F-PROT & FluShot+ (1.81) packages and a variant of 4096 virus. I have received messages from the developers of these products requesting a sample of the mentioned virus so that they can update.

The previously described scenario happened on an isolated system that is used solely for testing. The mentioned variant of 4096 was modified for testing purposes. Neither developer needs to worry about updates since this strain will not exist outside the test machine. The point was, however, that such sophisticated viruses defeat the "hunt-for-pattern" approach. Both developers are invited to improve their techniques dealing with this variety of viruses instead of trying to add just another pattern to search for.

Regards,
Tarkan

------------------------------

Date:    Thu, 09 May 91 11:35:29 +0200
From:    shiekh%ITSICTP.BITNET@ICINECA.CINECA.IT
Subject: SNEAK virus (Mac)

Have just located a new virus for the Mac called SNEAK, in Italy, Trieste may 1991. Found with Interferon, having infected the system and TOPS. Can anyone suggest a cure or inform us of how much damage this little beast might do.

Thanks
Andy

[Ed. If memory serves me correctly, Sneak is a false alarm issued by Interferon. Try Disinfectant or some other program - I think that you'll find that there is indeed no virus present.]

------------------------------

Date:    Thu, 09 May 91 13:42:44 +0000
From:    boone@athena.cs.uga.edu (Roggie Boone)
Subject: CLEAN77 for a network? (PC)

I am installing a Local Area Network in our department that will be running Novell Netware 386. I am thinking about using the McAfee Netscan77 virus detection program. I am curious if there is a network version of CLEAN77, or can CLEAN77 remove viruses from a network such as described above? Any info would be appreciated. Thanks in advance.

Roggie Boone
boone@athena.cs.uga.edu

------------------------------

Date:    Wed, 08 May 91 10:48:11 -0400
From:    JK_APPLEREP@UNHH.UNH.EDU (Joe Kazura)
Subject: re: Viral or other problem? (Mac)

dennisp@AIC.NRL.Navy.Mil,

The problem you are encountering is not due to any problems with the CPU's and the version of the System software. The problem is with older versions of some software. I can tell you right now that SuperPaint 1.1 is a major problem and if that MacPaint is one of the original versions (not 2.0) then it's just too old! I use MacDraw II all the time on an SE/30 and a IIfx with 2 and 4mb respectively and I have no problems at all with 6.0.7

I would suggest (STRONGLY) moving all fonts & DAs from your current System version (esp. ones you don't have back-ups of) into a separate file on your HD. Re-Boot the system with an original System 6.0.7 Tools disk, open the system folder and remove the SYSTEM, FINDER & MULTIFINDER files, trash 'em! Now run the Installer program from the System Tools Disk (make sure that you have the other three disks handy ... Util. 1, Util. 2 and Printing Tools). Select the CUSTOMIZE button, now select the items you need while holding down the shift key. (i.e. for the IIfx: Sys soft. for IIfx, etc.)

As a general rule, when you get system bombs: check to see that you are using the current version of whatever software, check for Viruses, and re-install the system software as I have outlined above! This system works 99% of the time for me and the people I support here at UNH.

If anyone needs more help E-Mail me directly!

Joe Kazura
Apple Student Rep.
University of New Hampshire
[JK_APPLEREP@UNHH.UNH.EDU] or [ST0566@APPLELINK.APPLE.COM]

------------------------------

Date:    08 May 91 22:46:04 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: F-PROT and FluShot problems (PC)

umbc3!umbc3.umbc.edu!cs106132@uunet.UU.NET (cs106132) writes:

>It happened when a variant of 4096 was active. Since F-PROT did not know
>this strain, it could not detect it. This is expected as the documentation
>hints. However, when I ran F-OSCHK, the virus infected the system files
>.....This is not a bug type of thing, it is a design flaw!

This problem is of course not unique to F-PROT - every other scanner has this same problem. In fact, the DOS 'COPY' command can also cause a similar effect - infection of files when they are read. Is it a design flaw in DOS ?

The reason for the problem is as follows: If a file is opened for reading, with a virus active in memory, the file may become infected when it is read. A scanner may therefore infect the entire system, just by scanning the files. This is the major reason why one should generally only run a scanner after having booted the computer from a write-protected system disk.

The problem is harder in the case of a "stealth" virus, like 4096, as no change may be apparent after the files are infected. This can be avoided by either scanning the memory for viruses before scanning the files, or by running a resident virus-monitor which will prevent the virus from ever being activated.

However, in the case of a brand new "stealth" virus, as in this case, these methods are of no use. Memory scanning will not detect anything, and file scanning will just help spreading the virus, and will not pick up any infection.

So - with the current generation of scanners, this problem cannot be avoided.

-frisk

------------------------------

Date:    Wed, 08 May 91 21:15:13 -0400
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: re: Original-Equipment Viruses

>I would like to get more information on viruses originating from
>manufacturers, such as Packard Bell recently. Is this widespread with
>this particular company?

Reports concerning infected distribution disks (COMBASE, SVGA, & TVGA) are still coming in, six months after the first discovery.

>What has been the remedy to this situation?

Floppies: Replace the boot record

Hard Disk:

MusicBug: a) Format the disk - PB is said to be supplying a special version of DISK MANAGER to people with IDE drives. Lose all data
          or
          b) Replace the boot sector (boot cold from floppy, SYS the HD, correct the number of hidden sectors in the BPB)

Azusa:    a) Low level format the hard disk - see a) above
          or
          b) Boot cold from floppy then rebuild the partition table manually

Note that in every case I have seen, it has been possible to recover nearly all of the information on a disk and formatting has not been necessary.

>Should purchasers scan new software for viruses before using?

I do & now have quite a collection of "master" disks containing viruses, most came on distribution disks with hardware, not in software packages. These include the STONED, AIRCOP, AZUSA, & MUSICBUG (all so far have been boot sector and partition table infectors). Have yet to contact a vendor who has shown any concern about distributing viruses (subjective opinion) beyond offering to replace disks.

Warmly,
Padgett

------------------------------

Date:    Thu, 09 May 91 10:30:36 +0100
From:    "Pete Lucas"
Subject: re: Diskette write protection.

I have some 5.25 inch diskettes that do not have a 'write protect' notch in them, yet I can still write to them in certain drives. The jackets of these diskettes are a pale blue color, and partially transparent (if you hold them against a strong light source you can see the outline of the internal magnetic medium). If I put a sticky tab on the disk where the notch would be, this cuts down the light transmission enough to make the disk 'unwritable'. Most confusing!

Pete Lucas
PJML@UK.AC.NWL.IA
G6WBJ@GB7SDN.GBR.EU

------------------------------

Date:    Wed, 08 May 91 10:17:15 -0400
From:    BENEDICT@vax.cs.hscsyr.edu
Subject: RE: vanishing space on Mac hard disks (Mac)

When space on a Macintosh hard drive disappears, it is likely that some part of the directory structure has been corrupted. This happens frequently on software crashes. The "Disk First Aid" program which comes on the Utilities 1 disk with every Macintosh usually will do a good job of recovering the lost space, and appears to seldom, if ever, cause additional damage. You do need to remember to boot your Mac from the Utilities 1 disk before you can do this, however.

Paul DeBenedictis
Manager, Academic Computing

------------------------------

Date:    08 May 91 15:43:49 -0500
From:    maimer@kuhub.cc.ukans.edu
Subject: re: help with mac "virus"? (Mac)

CANDERSO@uga.cc.uga.edu (Christopher T. Anderson) writes:

>> recently, we've come across a problem with one of the macs in our lab.
>> we really don't know if it's a virus or not, but it does act something
>> like one. anyway, here are the symptoms:
>>
>> - the mac has a 40 meg hard disk
>> - there is only about 16 meg of software installed
>> - both the finder and mactools report 38 meg used, 2 meg free
>> - disinfectant can't find anything, and neither can virus detective
>> - there are no hidden files anywhere on the disk (if there are, neither
>>   mactools nor resedit can find them)
>> - the "virus" hasn't spread to any of our other macs
>>
>> what we really want to know is: is this some sort of new virus, or is
>> our mac just confused?"
>
> This problem is not necessarily indicative of a virus, but an
> otherwise corrupted Directory (or possibly Desktop). You could try
> rebuilding your Desktop, but probably should defrag/optimize the
> drive. This would rebuild your directory. For this I recommend Disk
> Express II, it has always worked wonders for me.

It could also be damaged extents tree or some arcane part of the disk like that. If rebuilding the desktop doesn't help, consider running Norton's Disk Doctor (part of Norton Utilities for the Mac). This has found problems with several of our drives which kept them from optimizing (the damaged area said part of the disk was in use when it wasn't really and so the optimizer couldn't find the file to pick up, got confused and said the h*ll with it and would quit).

Tony Maimer
maimer@kuhub.cc.ukans.edu

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 78]
*****************************************
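An added consistency check, not code from the digest or from any of its posters, for the second MusicBug remedy in Padgett Peterson's post above (SYS the hard disk, then correct the hidden-sector count in the BPB) and for the Azusa case where the partition table itself has to be rebuilt. It assumes a DOS 3.31-style FAT16 boot sector with the BPB at offset 0x0B and a one-partition MBR; the sector images it builds are constructed for the example, not dumps of a real infected disk.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE = 0x1BE          # four 16-byte partition entries start here in the MBR
SIGNATURE = b"\x55\xAA"     # expected at offset 510 of both MBR and boot sector
BPB_FMT = "<HBHBHHBHHHII"   # DOS 3.31+ BIOS Parameter Block, stored at offset 0x0B
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved", "fats",
              "root_entries", "total16", "media", "sectors_per_fat",
              "sectors_per_track", "heads", "hidden", "total32")

def parse_partitions(mbr):
    """Non-empty MBR partition entries as dicts (bootable, type, start LBA, length)."""
    parts = []
    for off in range(PART_TABLE, PART_TABLE + 64, 16):
        start_lba, length = struct.unpack_from("<II", mbr, off + 8)
        if mbr[off + 4]:  # partition type byte; 0 marks an unused slot
            parts.append({"bootable": mbr[off] == 0x80, "type": mbr[off + 4],
                          "start_lba": start_lba, "sectors": length})
    return parts

def parse_bpb(boot):
    """Parse the BPB of a FAT boot sector into a dict keyed by BPB_FIELDS."""
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, boot, 0x0B)))

def check_disk(mbr, boot):
    """Return findings (strings); an empty list means MBR and boot sector agree."""
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("MBR lacks 55AA signature")
    parts = parse_partitions(mbr)
    if not parts:  # nothing to boot from until the table is rebuilt (the Azusa case)
        return findings + ["partition table is empty: rebuild it first"]
    active = next((p for p in parts if p["bootable"]), parts[0])
    if boot[510:512] != SIGNATURE:
        findings.append("boot sector lacks 55AA signature")
    bpb = parse_bpb(boot)
    if bpb["hidden"] != active["start_lba"]:  # the field a hard-disk SYS can leave wrong
        findings.append("hidden sectors = %d but partition starts at LBA %d"
                        % (bpb["hidden"], active["start_lba"]))
    total = bpb["total16"] or bpb["total32"]
    if total != active["sectors"]:
        findings.append("BPB total sectors = %d but partition holds %d"
                        % (total, active["sectors"]))
    return findings

def make_mbr(start_lba=17, sectors=40000):
    """Constructed MBR with one bootable FAT16 (type 0x06) partition."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE, 0x80, 0x06, start_lba, sectors)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)

def make_boot(hidden=17, total=40000):
    """Constructed FAT16 boot sector; 'hidden' must equal the partition's start LBA."""
    boot = bytearray(SECTOR_SIZE)
    boot[0:11] = b"\xEB\x3C\x90MSDOS5.0"  # jump, NOP, OEM name
    struct.pack_into(BPB_FMT, boot, 0x0B, 512, 4, 1, 2, 512, total, 0xF8, 40, 17, 4, hidden, 0)
    boot[510:512] = SIGNATURE
    return bytes(boot)
```

`check_disk(make_mbr(), make_boot(hidden=0))` reports the hidden-sector mismatch that the SYS step can leave behind, while an all-zero MBR produces the rebuild-first finding.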