VIRUS-L Digest   Wednesday, 30 Jan 1991    Volume 4 : Issue 17

******************************************************************************

Today's Topics:

Re: Text in MLTI Virus (PC)
Query - Disinfectant vs. Virex (Mac)
Problems installing F-PROT 1.14 (PC)
Anti-Viral Utilities (PC)
Virus Guidelines
Update on GAME2 (IBM VM/CMS)
SimWare 3.1 (Mac)
Re: Review of SCAN (PC)
Hungarian text in virus (PC)
Nimbus machines and viruses ? (PC)
Re: Processor-specific viruses and other subjects (PC)
Re: Need OTS Virus package (UNIX)
Re: RSCS Protection (IBM VM/CMS)
Word Perfect and change checkers (PC?)
Updating Disinfectant (Mac)
Re: Problem with F-Prot 1.14 (PC)
Possible bug in FPROT 1.14? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    Mon, 28 Jan 91 09:02:18 -0700
From:    DGB@BNOS.BLDRDOC.GOV
Subject: Re: Text in MLTI Virus (PC)

Regarding the discussion about "Eddie," I have always associated the
phrase "Eddie die somewhere in time", along with the action of randomly
picking a location to kill, with the book Slaughterhouse 5 by Kurt
Vonnegut Jr, where the hero has become unstuck in time.  Am I alone?

Regards,
Dave Beausang

Bell: (303)497-5174
BITNet: DGB@NISTCS2.BITNet
Internet: DGB@BNOS.BLDRDOC.GOV

The opinions expressed herein are not necessarily those of my employer;
and upon further reflection they may no longer be mine.

------------------------------

Date:    Mon, 28 Jan 91 15:42:40 +0000
From:    Mr Gordon S Byron
Subject: Query - Disinfectant vs. Virex (Mac)

How do you rate SAM 6 in relation to the two under discussion?  Curious,
as we've recently got a site license for it.  Want to know if we've been
silly.

*******************************************************************************
Snailmail: Gordon Byron, Arts Computing Advisor, Pathfoot Building,
           University of Stirling, FK9 4LA Stirling, Scotland, UK.
Voice:     Phone: 0786 73171: Ext 7266   FAX +78651335
*******************************************************************************

------------------------------

Date:    Mon, 28 Jan 91 15:52:19 +0700
From:    "J.C. Kohler"
Subject: Problems installing F-PROT 1.14 (PC)

I encountered a small problem while I was installing f-prot 1.14.  When
I tried f-flock *.* in my wordperfect directory, it couldn't lock a
number of files, one of them was wp.exe.  Since this is the most used
file of wordperfect, it is important that it is kept locked.  The error
message from f-flock looks something like 'unable to lock wp.exe,
invalid header'.  I'm using Wordperfect 5.1 dutch version.

Does anybody have an idea how to solve this problem?

Thanks in advance

Christian

- --
[J.] Christian Kohler
Keele university, United Kingdom
JANET    : csw76@uk.ac.keele.seq1
INTERNET : csw76%keele.ac.uk@nsfnet-relay.ac.uk
BITNET   : csw76%keele.ac.uk@ukacrl
UUCP     : ..!ukc!keele!csw76

------------------------------

Date:    28 January, 1991
From:    Padgett Peterson
Subject: Anti-Viral Utilities (PC)

For some time I have been debating whether or not to mention a
possibility concerning the spread of Partition Table/Boot Sector
infections lest anyone get ideas.  Watching the postings lately leads me
to think that possibly it has already happened.

In short, it would be trivial to write a trojan or virus that would
place a P-Table or BSI on a machine.  At the moment, I suspect that in
the interest of speed, signature scanning routines only look for these
infections in memory and in the partition table and boot sector and not
inside executables.  For this reason, I would suggest that people
experiencing multiple unexplainable infections utilize Mr. McAfee's new
extension to SCAN and check all executables for a random code sequence
taken from such an infection.

As some of you know, I have been experimenting with anti-viral routines
implanted in the partition table of the fixed disk and have become
convinced that effective protection against malicious software MUST
include such programs.  So far the technique has proven equally
effective against both "stealth" and non-"stealth" software.

Used in conjunction with any number of authentication programs specific
to the operating system (is effective with MS-DOS, and should be equally
effective on an OS/2 or unix platform with an IBM-type BIOS) it can
detect (only hardware can block) infections carried on the boot sector
of a floppy immediately (before DOS loads), can block any later attempt
at infection of the partition table or boot sector, and can provide an
authenticatable path to the disk for other routines loaded later.

Interestingly, the technique started out as a password protection scheme
to protect fixed disks from intrusion.  The full capability just fell
out in testing.

Padgett

------------------------------

Date:    Mon, 28 Jan 91 11:51:57 -0700
From:    rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Subject: Virus Guidelines

Below are some draft virus guidelines we're chewing over at our site
(the University of Wyoming).  So far we've been real lucky and not had a
real problem with viruses; lately tho things have been picking up.  As
this list is very specific to our site, I'll stick explanatory notes
after some items.  I'm posting this for the benefit of those in similar
circumstances or to elicit comment from those who've already been around
the track a few times, as it were.

(I use "should be" and "will be" below to distinguish between things
that WILL be done no matter what and things that should be done [but
might not, matter is still open to debate here].)

1. Viral Software

   a. Viral scanning/cleaning software will not be used unless the
      accompanying documentation has been read by the support person
      doing the scan/cleanup.
   b. Viral scanning/cleaning software should be kept reasonably up to
      date.  [As stated, we've had fairly low virus activity, so being
      up to date with the latest is not real important - yet.]
   c. More than one software product should be used for cross checking
      purposes.
   d. After removal of a virus, the machine/disk should be re-scanned
      to verify removal.

2. Maintenance

   [We maintain machines owned by the University as well as those in
   the student labs.]

   a. All incoming machines should be checked for infection.
   b. All returning spares will be checked for infection.  [We supply
      spares when possible so that the user is able to continue
      working.]
   c. All diagnostic disks will have write protect tabs.
   d. If software is being restored to someone's machine (like a
      backup, format, and then a restore) the disks should be checked
      for infection.

3. Installs

   [We install software - like PC SAS - on users' machines.]

   a. When possible, install disks will have write protect tabs.
   b. When write protect tabs can not be used, the install disks will
      be checked for infection upon return.  [Some software, like dBase
      4 we found, writes to the install floppy during installation.]
   c. User's machine should be checked for infection.  [This would take
      care of b.]

4. Rentals, Loaners

   [We provide rentals and loaners upon occasion.]

   All rentals and loaned machines/software (for example, Lap Link)
   will be checked for infection upon return.

5. Public access IT machines (Labs, OWA) with hard disks

   Machines such as these should be checked periodically for infection.
   Ideally, some resident software (preferably a TSR) should be in
   place to help detect and prevent infection.  The question of
   requiring users to check their disks before insertion should be left
   open for the time being.

6. User Support

   a. User Support staff should periodically check their machines for
      infection.
   b. Users bringing in disks for aid should have said disks checked;
      barring that the machine used to help them should be checked when
      done.  [People often bring in disks that are hammered or the
      software is not working right for some reason (bad Word Perfect
      printer files, for example.)]

Richard Travsky                         Bitnet:   RTRAVSKY @ UWYO
Division of Information Technology      Internet: RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                   (307) 766 - 3663 / 3668

------------------------------

Date:    Mon, 28 Jan 91 11:21:00 -0800
From:    "R N Hathhorn, VM Systems Support"
Subject: Update on GAME2 (IBM VM/CMS)

Activity on this worm has slowed down, but a report from TREARN
indicates that it is still alive, at least on that node and probably
others.  I have updated the file GAME2 COMMENTS on LISTSERV@PCCVM with
the latest information available.

I am still in need of a 'dis-assembler' program for further
investigation of this and other viri/worms.  Your assistance is
requested.

+---------------------------------------------+-------------------------------+
|                                             |                               |
| Russell N. Hathhorn, VM Systems Support     | BITNET: SYSMAINT@PCCVM        |
| Portland Community College                  |                               |
| Computer Services Department, CC B27c       | COMPU$ERVE: 76636,1036        |
| P. O. Box 19000                             |                               |
| 12000 S. W. 49th. Avenue                    | Voice: (503) 244-6111 x 4705  |
| Portland, Oregon 97219-0990                 | FAX: (503) 452-4947           |
|                                             |                               |
+-----------------------------------------------------------------------------+

------------------------------

Date:    Mon, 28 Jan 91 16:52:31 -0600
From:    THE GAR
Subject: SimWare 3.1 (Mac)

I just ran SAM on my Mac, because someone was using it over the weekend,
and I don't know what they did.  I was told that my desktop was infected
with WDEF.  This bothered me, so I contacted the person who had been
using it.  They said that they had only used my hard drive to type a
memo in MS WORD and print it, and they had then deleted the file.

So I started checking all the disks that I have received from "unknown"
sources this month (a SAM scan on Jan 5 had been clean).  I of course
suspected disks first where someone had said "Hey, here's some cool
game/sound/graphic".  All of them were clean.  I then began to check
"legitimate" software.  White Knight's new ScreenShare, and MacKeymeleon
II, both of which I received un-solicited, were clean, BUT . . .

SIMWARE's "SimMac 3.1 Application Disk" (Master Program), which I
received on or about Jan 11 was infected!  SAM reports that it was last
altered on 12/21/90 at 12:55 PM.

This INFURIATES me, as I had up until today always trusted the programs
that come straight from the manufacturer sealed in the "Read Carefully
BEFORE Opening" license envelope!

Just thought someone out there might want to know.

/++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
!  Later                   +  Systems Programmer                      !
!  Gary Warner             +  Samford University Computer Services    !
!                          +  II TIMOTHY 2:15                         !
\++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/

------------------------------

Date:    28 Jan 91 23:38:30 +0000
From:    gt1546c@prism.gatech.edu (Gatliff, William A.)
Subject: Re: Review of SCAN (PC)

Pardon my input into something I know very little about, but I have a
question/comment:

I have observed that, according to a lot of the posts in this newsgroup,
many of these viri infect the boot sector of a disk.  To help combat
this, what would be the possibility of 'deliberately' infecting one's
boot-sector with a piece of code that would display some kind of 'ok'
message if it hadn't been tampered with?

For example, as the computer goes to boot, it loads the boot sector and
prints something like 'All is ok as of ...' as instructed by the program
that lies there (the one I *put* there.)  Ok.  Now, if the user doesn't
see that message when he boots, he can suspect that all is not ok.
Maybe this piece of code would run some kind of check on itself to be
sure it hadn't been relocated or something...

This is just a brief flash of insight I had, I'm *not* a programmer or
anything.  Would this be a helpful tool in the war against viruses?

I would like to add that even within the very short amount of time I
have spent reading this newsgroup I have been impressed with the amount
that you guys seem to know about these animals.  It makes me feel good
that there are a number of obviously very capable dudes/dude-etts
working on the side of those who need protection from these creatures.

b.g.

------------------------------

Date:    Tue, 29 Jan 91 12:43:04 +0000
From:    Anthony Appleyard
Subject: Hungarian text in virus (PC)

This text in the POLIMER PC virus: "A le'jobb kazetta a POLIMER kaz!" is
Hungarian for "The best case/casette is the POLIMER case/casette!  This
is mixed/chemical!".

{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Tue, 29 Jan 91 12:38:20 GMT

------------------------------

Date:    Tue, 29 Jan 91 12:42:09 +0000
From:    Aidan Saunders
Subject: Nimbus machines and viruses ? (PC)

Hi there!

A friend of mine is responsible for a network of RM Nimbus machines.  So
far they have not had any problems with viruses (at least, not that they
know about!)  These machines behave largely as PCs (so I'm told) but for
some applications need to use an IBM-emulator.

So, a couple of questions:

1) Are Nimbus machines susceptible to 'normal' PC viruses?
2) Are there any viruses specific to Nimbuses?

If anyone has any experience of viruses and Nimbuses (or should that be
virii and Nimbii :-) ), I would be most interested to hear from you.

Thanks,
Aidan

- ----------------------------------------------
ARPA :: a.c.g.saunders@newcastle.ac.uk
UUCP :: ...!ukc!newcastle.ac.uk!a.c.g.saunders
- ----------------------------------------------

------------------------------

Date:    29 Jan 91 17:10:51 +0000
From:    tbeke@phoenix.princeton.edu (Tibor Beke)
Subject: Re: Processor-specific viruses and other subjects (PC)

KLUB@MARISTB (Richard Budd) writes:

>frisk@rhi.hi.is (Fridrik Skulason) writes in VIRUS-L V4 #13:
>>From the POLIMER comes this text - is this Polish ? And what does it
>>mean ?
>
>> A le'jobb kazetta a POLIMER kazetta ! Vegye ezt !
>
>The last sentence looks like Magyar (Hungarian).  I've had some

It is Hungarian, indeed, and reads:

    POLIMER brand cassettes are simply the best!  Go for them!

Incidentally, this brand is by far the worst anybody, even in the East
Bloc, could have conjured up.

Tibor Beke (Beke Tibor, for you Hungarians)
a Hungarian citizen who miraculously got full undergraduate scholarship
-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:
There is something fascinating about science.  One gets such wholesome
returns of conjecture out of such a trifling investment of fact.
                                                       Mark Twain
Disclaimer: one thing i can trust is my absentmindedne

------------------------------

Date:    29 Jan 91 19:59:12 +0000
From:    bryden@chopin.udel.edu (Chris Bryden)
Subject: Re: Need OTS Virus package (UNIX)

limes@Eng.Sun.COM (Greg Limes) writes:

}ssdc!jbasara@uunet.UU.NET (jim basara) writes:
}|> I would like to request recommendations for off-the-shelf packages
}|> which will prevent/isolate/monitor/etc. viruses on a Sun workstation
}|> under unix.
}
}Occasionally, I see people asking about such things on this list and
}elsewhere, and I am underwhelmed by the amount of information that
}therefore appears on the net.
}
}Has anyone ever actually SEEN a "virus" on a UNIX box?  And, don't tell
}me about worms, that's a different matter ... I am specifically looking
}for information about programs that propagate by modifying other
}programs.

You bet.  _Abacus_ had a fairly lengthy series of articles on unix style
viruses.  The author of the article wrote a fairly simple virus and
advertised the existence of desirable programs he had sitting around.
Within a week, the virus had spread to the farthest reaches of the disk
on an experimental machine.

}My background as an operating systems programmer at Sun leads me to
}believe that such virii would be more difficult and less rewarding for
}Joe Virus-Writer to create, and easier to protect against using
}mechanisms available in the system, but it might be nice if I could
}have some backing information that I could give when people ask me
}about such things ...

I'm surprised.  Does the word "crt0" mean anything to you?  Break a
fairly mundane security hole, learn some assembly, and wait for the next
big rebuild.  Complicated by the fact that most sites with a source
license get their updates in the form of source code, we're talking
about a major hole in Unix.  In fact, if you don't know when the bug was
introduced, you may have to go back several operating system revisions
to get back to "normal".  And, hey, I'm not even going to start talking
about packet scanners on a network that has NFS traffic.

At some point, the distinction between virus, worm and trojan horse
breaks down.  Has anybody seen a formal specification that delineates
the difference between each?  Ever wonder why?

I saw a Unix virus long before I ever saw a PC virus.

Chris

- --
{gateway}!udel!brahms!bryden   | I am a direct result of the policies and actions
bryden@udel.edu 302-451-6339   | that are endorsed by the University of Delaware.

------------------------------

Date:    Tue, 29 Jan 91 16:06:31 -0600
From:    Jon Eidson
Subject: Re: RSCS Protection (IBM VM/CMS)

I wrote such an exec just the other day when the CMS worm was announced.
It lists out all rdr files with a file type of "EXEC" or "MODULE" and I
run it periodically.  Fortunately, the only occurrence of the "GAME2"
worm came to one of our VAX/VMS users ... of course it couldn't go any
further.  I'll be happy to post the REXX programs if anyone desires.

Jon Eidson
Senior Systems Programmer
Texas Christian University

------------------------------

Date:    Tue, 29 Jan 91 12:11:36 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Word Perfect and change checkers (PC?)

csw76@seq1.keele.ac.uk (J.C. Kohler) writes:

> I'm using a Dutch version of WP 5.1, does anybody have an idea why
> F-XLOCK can't lock them, it displays an error message, which contains
> something about an illegal header.

All versions of Word Perfect (at least since 4.2) have had a self
testing module on them.  Neither F-XLOCK nor SCAN /AV nor any other self
checker that adds code to the program can be used on it, since the added
code invalidates the internal self test.

------------------------------

Date:    Wed, 30 Jan 91 01:54:41 -0500
From:    Eric Weisberg
Subject: Updating Disinfectant (Mac)

To Whom It May Concern,

I was given this address by someone at Syracuse University.  I am
interested in getting information about the Virus Package Update Server.
I guess that's what it's called?  Anyways, I am in charge of keeping
quite a few Macintoshes virus free, and I would like to always have the
latest version of Disinfectant.  The SU Computing Services is still
passing out version 2.0 and when I last got a copy from a friend it was
2.4. -- That's why I have gone in search of a better source.

If you could tell me where I can always download the latest version or
pay to get it in the mail I would be most thankful.  If this is not the
place to get this information could you please help direct me to the
person or people who can give it to me.

Thanx,
Eric Weisberg

------------------------------

Date:    30 Jan 91 11:55:51 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Problem with F-Prot 1.14 (PC)

csw76@seq1.keele.ac.uk (J.C. Kohler) writes:

>I installed the new version of F-PROT (1.14) today and I encountered a
>small problem.  When I tried to do a F-XLOCK *.* in my WordPerfect
>directory, there were many files which it couldn't protect.

This problem is a side-effect of the correction of another problem.
Here is what happened:

The "length" of EXE files can be defined in two ways - the actual
(physical) length of the file, and the length according to the header.
Case in point: Turbo C++ is an 800K file, but according to the header it
is only 165K long.  When it is executed, only 165K are loaded into
memory, but the program may later load parts of itself as necessary.

Using F-XLOCK (to add automatic detection of infection of unknown
viruses) involves adding a small module to the end of the file.  If
Turbo C++ was F-XLOCKed in this way, it would not run, as the resulting
length of the file was 800K (according to the header), and the file just
could not be loaded into memory.

For this reason, I decided to prevent F-XLOCK from adding the module to
EXE files if the actual length was different from the length according
to the header.  But, in many cases the difference between the two
"lengths" is small, and adding the module has no undesirable effect - I
plan to change F-XLOCK a bit in the next version, and will try to
improve this.

- -frisk

------------------------------

Date:    Wed, 30 Jan 91 09:31:38 -0500
From:    Paul D. Shan
Subject: Possible bug in FPROT 1.14? (PC)

I recently obtained a copy of F-PROT 1.14.  As timing would have it, we
also had a staff member from another department come in with a virus on
his disk.  By checking the file with Norton Utilities and the
VIRUSSUM.DOC file, I knew that it was the Sunday virus.  So I ran F-FCHK
against that disk, and sure enough it found the Sunday virus.  I
answered YES when it asked if I wanted to disinfect the file, but it
said that it could not disinfect the virus because it looked like a new
strain.  Not liking that answer, I ran McAfee's CLEAN 72 just to see if
it would work.  Indeed it did work and the virus was removed.

Has anyone else discovered any problems like this one?

Thank you!

Paul D. Shan
Microcomputer and Personal Workstation Support
Center for Academic Computing
12 Willard Building
University Park, PA 16802
(814) 863-4356
PDS2@PSUVM.psu.edu

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 17]
*****************************************
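Fridrik Skulason's explanation of the two EXE "lengths" in his F-Prot 1.14 reply above, worked through in Python as an added example (this is not F-PROT's code): it reads the two MZ header fields that define the header-declared length, compares that with the physical length, applies the 1.14 refusal rule, and shows why updating the header after appending a self-check module would turn the Turbo C++ case into an 800K load. The 165K/800K figures are the ones quoted in the message; the sample files built by build_exe, the 64-byte module, and the max_overlay tolerance (modelling the relaxation he says he plans) are my assumptions.

```python
import struct

# Layout of the first six bytes of a DOS MZ executable header:
#   offset 0: signature "MZ" (or "ZM")
#   offset 2: e_cblp, bytes used in the last 512-byte page (0 = full page)
#   offset 4: e_cp,   number of 512-byte pages, header included
# The DOS loader reads only the bytes these two fields describe; anything
# beyond that on disk (an overlay, as in the Turbo C++ case) stays there
# until the program fetches it itself.


def mz_header_length(data: bytes) -> int:
    """Length of the executable as declared by the MZ header."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    return e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)


def build_exe(declared_len: int, physical_len: int) -> bytes:
    """Constructed sample EXE (assumption): header declares declared_len,
    the file on disk is physical_len bytes; the body is filler."""
    e_cp, e_cblp = divmod(declared_len, 512)
    if e_cblp:
        e_cp += 1
    header = bytearray(28)
    header[:2] = b"MZ"
    struct.pack_into("<HH", header, 2, e_cblp, e_cp)
    return bytes(header) + b"\x90" * (physical_len - 28)


def overlay_size(data: bytes) -> int:
    """Bytes on disk beyond what the header tells the loader to read."""
    return len(data) - mz_header_length(data)


def may_append_module(data: bytes, max_overlay: int = 0) -> bool:
    """With max_overlay=0 this is the 1.14 rule: refuse unless the physical
    and header lengths agree.  A positive max_overlay models the planned
    relaxation for files where the difference is small (assumption)."""
    return 0 <= overlay_size(data) <= max_overlay


def append_module(data: bytes, module: bytes) -> bytes:
    """Append a self-check module and update e_cp/e_cblp so the loader reads
    it.  That header update is what makes a large overlay part of the load
    image, which is the failure the refusal rule prevents."""
    new = bytearray(data) + module
    e_cp, e_cblp = divmod(len(new), 512)
    if e_cblp:
        e_cp += 1
    struct.pack_into("<HH", new, 2, e_cblp, e_cp)
    return bytes(new)


if __name__ == "__main__":
    module = b"\x00" * 64  # stand-in for the appended check module
    for name, exe in (("plain EXE", build_exe(612, 612)),
                      ("Turbo C++ case", build_exe(165 * 1024, 800 * 1024))):
        print(f"{name}: header={mz_header_length(exe)} physical={len(exe)}"
              f" overlay={overlay_size(exe)} lockable={may_append_module(exe)}")
        print(f"  header length if locked anyway:"
              f" {mz_header_length(append_module(exe, module))}")
```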