VIRUS-L Digest Friday, 8 Feb 1991 Volume 4 : Issue 24 ****************************************************************************** Today's Topics: Yet another virus! (PC) Re: Boot Sector/Partition Table Protection (PC) Re: Hardware damage? Apologies to Sim (Mac) Re: Hardware damage? (PC) Re: Write-protecting 3.5 inch disks Virus Protection and Universities VAX/VMS and Viruses Re: Compressors Using UUENCODE to send samples. Re: Boot sector self-check (PC) 4th Annual Ides-of-March Virus & Security Conference VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Wed, 06 Feb 91 16:34:07 -0400 From: "Michael J. MacDonald I.S.P." Subject: Yet another virus! (PC) I recieved a call on Jan 29, 91 from a local pc retailer. They seemed to have a virus. This is what I was told: 1) it ``appeared'' about a week ago. 2) any access of an uninfected disk infects it. 3) infects any version of dos, he said that ``4.01 was worse'' 4) infects a 386 5) warm boot infects. 6) infects all disks 1.2M, 5 1/4, 3.5, and hard disks. 7) formating a 1.2M disk on an infected machine will format the full disk 100% complete, and then returns a Invalid Media or Track 0 bad. Formating the exact same disk with an uninfected system the format completes successfully with no errors. 8) McAfee's(sp) scan V72 does not detect it 9) f-disinf version 1.12 July 90 says: ``This boot sector is infected with a new version of the virus.'' (no name). What I have done and ``know to be true'' 1) A fresh copy of Scan V72 and AVSearch 2.21 from the wuarchive does not detect it. 2) I watched them do 7, 8 and 9 and I duplicated 8 on my own equipment. 3) If I try to boot an IBM PC Portable (lugable) (8086) 2 floppy) no hard disk. The drive light comes on to do the boot and it never goes off. A ctrl-alt-del does not do anything. 4) If I try to boot an IBM PC (original) (8086 ) 2 floppy) no hard disk. The drive light comes on to do the boot and it goes off, no boot, no error message. If I then stick in an clean bootable floppy and ctrl-alt-del it will boot and not infect the clean floppy. 5) The person said that the disk I had could boot a clone, but it would not boot a true blue IBM 8086, it might boot a 386 didn't try. 6) f-disinf version 1.13 says: ``This boot sector is infected with a new version of the Stoned virus.'' 7) f-disinf version 1.14 says: (not a quote) This is not a typical boot sector and could be a virus. I contacted Kenneth van Wyk and after exchanging a few notes etc I recieved a confirmation that it was a new virus. Fortunately the mdisk suite of utilities appears to clean up this virus. Anyway to make a long story short. We appear to have a brand new boot sector virus. As far as a name, I suggest 910129 as the date of first appearence. There is no ascii text in the boot sector. An ugly name and if anyone has a better suggestion thats ok. I do not have a machine that I can get an active virus to run on such that I can test it. I just recieved the following note from Ken > Mike, > > Our technical contacts said that you should feel free to give the virus a > name and send a write-up to VIRUS-L about it. They also added that, > it'll eventually write junk over the master boot record of the first > hard disk (causing not-too-hard-to-reverse loss of access to C: etc). > > Hope this helps. > > Cheers, > > Ken I would like to express my thanks to Kenneth van Wyk for his assistance in tracking this down and also for VIRUS-L Thanks all . mikemac... P.S. if you want to contact me about this please feel free but NOTE 1) I will not send a copy of the virus to people who ask unless first oked by ken. 2) I will be on vacation for the next two weeks. ======================================================================== Michael MacDonald, I.S.P. Senior Systems Specialist, Faculty of Computer Science It is wrong to assume that because University of New Brunswick a computer can calculate PI to Po. Box 4400 several thousand digits in a blink Fredericton, New Brunswick of an eye that it is any more CANADA E3B 5A3 intelligent than your average toaster. (506) 453-4566 Netnorth/BITNET: MIKEMAC@UNB.CA ======================================================================== ------------------------------ Date: Thu, 07 Feb 91 09:30:00 +0100 From: "Mark Aitchison, U of Canty; Physics" Subject: Re: Boot Sector/Partition Table Protection (PC) padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes: >>>... what would be the possibility of 'delibrately' infecting ones boot-secto r with a piece of code ... ... > allow such intrusion to be detected prior to the load of the OS and can block > any such infection thereafter... If anybody's interested, there is such a program avaliable, i.e. stops hard disk boot viruses early in the start-up sequence. If anyone is interested, I can e-mail further details. It's a companion product to an automatic diskette boot sector scanner. Mark Aitchison, Physics, University of Canterbury, New Zealand. ------------------------------ Date: 07 Feb 91 08:05:30 +0000 From: lan@bucsf.bu.edu (Larry Nathanson) Subject: Re: Hardware damage? While the existance of the HCF assembly command (Halt and Catch Fire) has been debated, :-) I seem to remember a discussion similar to this. I believe the basic conclusion was that it is impossible to damage the CPU itself through programming. However, peripherals remain very vulnerable- if you take a standard hard drive, and drag the R/W head across the media 4 or 5 thousand times, it can't be good. While it is unlikely that any user would allow the machine to sit there grinding for several hours, it is possible to write to virus to add 2 or 3 full head sweeps to each disk access. This would slightly slow up the response time of the drive, and might make it wear out much faster. I saw a computer anecdote about some guys who had access to a printer where imprints of the letters were layed out sequentially along a linked chain. The chain spun laterally in front of 80 hammers, which would strike, when the right character was in the right position. These fellows found out the sequence of the letters, and attempted to send that string to this printer to see what would happen. They said that there were finding parts of the printer in the corners for many months. If one were to come up with a well sequenced access drive request, timed with the drive speed, and in sync with the sector interleave, a similar effect might be possible. However, as in the story, much advance knowledge about the hardware is necessary. Unless the hardware configuration is VERY public, it would almost have to be an inside job. Writing enough code to screw with every HD, and every printer around would make the virus big enough to be easily detected. I think there may be ways to screw with the refresh rate of certain brand monitors, but again- that requires inside knowledge- then there is no reason to use viral propagation- a trojan horse will do fine. - --Larry - -- // Larry Nathanson . 726 Comm Av #5J . Boston, MA 02215 . 617 266 7419 \\ I've heard they just built a tunnel from England to France. The French drive on the right hand side, the English on the left. Can they save money by building only one lane? ------------------------------ Date: Thu, 07 Feb 91 08:14:43 -0600 From: THE GAR Subject: Apologies to Sim (Mac) I would like to make a public apology to Simware, and especially to Greg Bisaillon at Simware, regarding the note that I posted previously on this list. I fear that I have caused his company some damage by the posting, an excerpt of which follows: ************************************************************************** Date: Mon, 28 Jan 91 16:52:31 CST From: THE GAR Organization: Samford University Computer Services Subject: SimWare 3.1 BUT . . . SIMWARE's "SimMac 3.1 Application Disk" (Master Program), which I received on or about Jan 11 was infected! SAM reports that it was last altered on 12/21/90 at 12:55 PM. This INFURIATES me, as I had up until today always trusted the programs that come straight from the manufacturer sealed in the "Read Carefully BEFORE Opening" license envelope! ************************************************************************ Greg Bisaillon contacted me from Simware, and together we checked our respective shipping logs. It seems that the package WAS at Samford on Dec 21! The first time that I used the disk on my machine was not until early January, however it was used in ANOTHER Mac before it came to mine. This Mac must have been the infector, NOT Simware. I was unaware that this had occurred, as the disk was in its envelope when I received the disk. All my packages are opened by the person in charge of our purchase orders, so it did not bother me, I had assumed it was open so the shipping invoice could be removed. Having spoken with Greg, I have come to understand what a thorough and outstanding job of quality assurance they provide at Simware, with each disk being checked with SAM and Disinfectant some four times before leaving the premises. I again would like to apologize, and hope that Chris Radziminski, and the MacWeek people are still reading this list, as both had expressed concerns to Simware. I have always despised the rumors that went along with the software business, and now I have unwittingly started one! [Ed. Thanks for setting the record straight, Gary!] /++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\ ! Later + Systems Programmer ! ! Gary Warner + Samford University Computer Services ! ! + II TIMOTHY 2:15 ! \+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/ ------------------------------ Date: Thu, 07 Feb 91 14:55:21 +0000 From: gjackson@athena.mit.edu (Gregory A. Jackson) Subject: Re: Hardware damage? (PC) Not strictly a virus, but as to software damaging hardware it was true under Windows 2.1 and WordPerfect 5.0 that running grab.com to capture an Paint image from the screen caused VGA monitors to snap, arc, oscillate, and (if you didn't shut it off immediately) burn out. - -- Greg Jackson 20B-140/MIT/Cambridge MA 02139 (617) 253-3712 ------------------------------ Date: Thu, 07 Feb 91 17:22:13 -0500 From: lotus!LDBVAX!AZAVATONE@uunet.UU.NET Subject: Re: Write-protecting 3.5 inch disks Write protecting 3.5 inchers. (disks) Very simple. All you need is a pocket knife or a push pin. Pry up on the corner of the disk with the write protect tab till you hear a snap. Then, with the knife or whatever, push out the write protect tab. Finally if the edge of the disk is still seperated, squeeze it untill it snaps togeather again. Viola! Write protected disk. However, if you want to be able to write to it again, place a small strip of tape (even scotch tape) across the back of the write protect hole and write to your heart's content. I know this works for the mac. Alex Zavatone 123 Mac - Lotus Zav B!-] My opinions do not represent those of my employer, but they should. ------------------------------ Date: Thu, 07 Feb 91 16:41:02 -0500 From: RAY Subject: Virus Protection and Universities I would like to know what other universities are doing about buying virus protection packages. We have a copy of Virex for our use but would like to implement something in the labs. We have look at SCAN but McAfee shareware site licences prices are exceptionally high. The minimum purchase is for use on 100 machines for $3250. We would probably be better off buying just a few copies and putting them on machines set aside for virus checking only. Any thoughts from other university labs? =============================================================== Ray Drake ACRAY@ECUVM1.BITNET Microcomputer Consultant (919)757-6401 East Carolina University Greenville, NC 27858 =============================================================== ------------------------------ Date: Thu, 07 Feb 91 20:05:51 +0000 From: bert@medley.ssdl.com (Bert Medley) Subject: VAX/VMS and Viruses Does anyone know of any virus protection software for VAX/VMS or UNIX (Sun, DG Aviion, DEC ULTRIX)? Please e-mail to bert@medley.ssdl.com or post. I will summarize and repost if there are answers. I NEED any answers you might can give. Thanks in advance. - -- Bert Medley | UUCP: bmedley@hounix.uucp Synercom Technology | or ..uhnix1!hounix!bmedley 2500 City West Blvd., Suite 1100 | Internet: bmedley%hounix@uh.edu Houston TX 77042 | "My opinions are my own ..." ------------------------------ Date: 08 Feb 91 10:05:49 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Compressors jguo@cs.NYU.EDU (Jun Guo) writes: > We know that signature based scanner will not search into compressed >EXE/COM file. Not 100% correct - some scanners will scan some types of compressed files simply by uncompressing them first - for example my F-PROT, and (I think) McAfee's SCAN will scan a LZEXE-packed file. Of course I want to make my scanner be able to scan all the different types of compressed files - the problem is just that I don't have a copy of all the compressors - in fact, I only have LZEXE and EXEPACK. I know some of the compressors are available on SIMTEL20 and elsewhere, but not all. So, could somebody mail me information on the status of the programs below - are they shareware/freeware/commercial, and where are they available ? No need to increase the traffic on Virus-L too much...I will post a summary of the replies I receive. > PKlite PKlite -x > Diet 1.0 Diet -r > LEXEM > TinyProg > AXE > Shrink > SCRNCH > ICE ICE breaker > CRUNCH > I'd like to hear from you of other compressors and decompressors. I know of one program from Bulgaria - perhaps Vesselin Bontchev could provide some information on it - the problem is just that he does not have a computer any more, as he was just promoted. > And one more thing: how are device drivers loaded? Can they be >compressed also? If yes, how can we decompress that? I know of no method to compress device drivers, which allows them to be uncompressed dynamically on loading - it could be written, of course, but I don't think it is worth the effort - device drivers are usually so small (less than 50 Kbytes) one does not gain much in space or loading time. ------------------------------ Date: Fri, 08 Feb 91 09:30:33 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Using UUENCODE to send samples. I often receive samples containing new viruses by E-mail, or programs suspected of being viruses or Trojans. To get the samples across, the files are encoded into printable form, often by the UUENCODE program. However, if the person sending the file is at a BITNET site, the UUencoded file will arrive corrupted. So, if you are sending binary files between Internet and Bitnet machines and want to make sure they arrive OK - please don't use UUencode - it is useless - use XXencode instead. If anyone does not have xxencode.c or xxdecode.c, I will be happy to send out copies of the programs. - -frisk Fridrik Skulason University of Iceland | Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 | ------------------------------ Date: Wed, 06 Feb 91 07:35:57 -0500 From: Padgett Peterson Subject: Re: Boot sector self-check (PC) >From: Steve Albrecht <70033.1271@CompuServe.COM> > >While waiting for the same type of self-check in the boot sector, we >have developed a small program (so far only intended to protect >ourselves against reinfection by the Stoned virus) which does the >following: (lengthy description follows) This method will detect the Stoned however "stealth" type viruses (Brain, Joshi) will return the original boot sector (floppy-Brain) or partition table (hard disk-Joshi) when an Int 13 request is processed since these viruses (as well as others) trap the Int 13 call. A proven technigue is to first perform an Int 12 call (returns # of k in hex to AX) and check for either 280h (640k) or 200h (512k). Successful BSI/PTI viruses (Brain, Stoned, Joshi) go resident at the TOM and change this value to some lower number. Padgett ------------------------------ Date: Fri, 08 Feb 91 08:54:41 -0500 From: jsb@well.sf.ca.us (Judy S. Brand) Subject: 4th Annual Ides-of-March Virus & Security Conference Who SHOULD attend this year's Ides-of-March Fourth Annual Computer VIRUS & SECURITY Conference at the New York World Trade Center? MIS Directors, Security Analysts, Software Engineers, Operations Managers, Academic Researchers, Technical Writers, Criminal Investigators, Hardware Manufacturers, Lead Programmers who are interested in: WORLD-RENOWNED SECURITY EXPERTS: CRIMINAL JUSTICE LEADERS: Dorothy Denning - DEC Bill Cook - US Justice Dept Harold Highland - Comp & Security Donn Parker - SRI Intl Bill Murray - Deloitte & Touche Steve Purdy - US Secret Service Dennis Steinauer - NIST Gail Thackeray - AZ Attorney UNIVERSITY RESEARCH LEADERS: LEGAL/SOCIAL ISSUES EXPERTS: Klaus Brunnstein - Hamburg Mike Godwin & Mitch Kapor - EFF Lance Hoffman - GWU Emmanuel Goldstein - 2600 Magazine Eugene Spafford - SERC/Purdue Tom Guidoboni - (R.Morris' lawyer) Ken van Wyk - CERT/CMU Marc Rotenberg - CPSR PLUS Fred Cohen, Ross (FluShot) Greenberg, Andy (DrPanda) Hopkins, and over 40 MORE! Over 35 PRODUCT DEMOS including: include Candle's Deltamon, HJC's Virex, McAfeeSCAN, Symantec's SAM, ASP 3.0, DDI's Physician, Gilmore's FICHEK, Certus, FluShot Plus, Iris's Virus Free, 5D/Mace's Vaccine, Norton Utilities, PC Tools, Quarantine, Viruscan, Panda's Bear Trap, Disk Defender, Top Secret, Omni, ACF2, RACF and OTHERS AS REGISTRANTS REQUEST. FIFTY PRESENTATIONS INCLUDE: Security on UNIX Platforms, Tips for Investigators, HURRICANE Recovery, Dissecting/Disassembling Viruses, 6 Bytes for Detection, LAN Recovery, ISDN/X.25/VOICE Security, Encryption, Apple's Security, EARTHQUAKE Recovery, IBM's High-Integrity Computing Lab, US/Export Issues, 22-ALARM Fire Recovery, Publicly Available Help, Adding 66% More Security, NETWARE VIRUS Recovery, Next Generation of Computer Creatures, THE WALL STREET BLACKOUT Recovery, Mini Course in Computer Crime, Great Hacker Debate, REDUCING Recovery Costs, S&L Crisis: Missing DP Controls, OSI and the Security Standard, Virus Myths, Viruses in Electronic Warfare, US Armed Forces Contracts for New Ideas.... INTERESTED? ONLY $275 one day (Thurs 3/14 - Fri 3/15) or $375 both days: * Bound, 600-page Proceedings containing ALL materials - no loose paper! * Eight meal breaks, including Meet-the-Experts cocktail party 107th Floor * 2-day track of product demo's * 2-day course for ICCP Security exam * Full-day Legal & Justice Track * Full-day disaster Recoveries Track There is a $25 discount for ACM/IEEE/DPMA members. Fourth member in each group gets in for no charge! To register by mail, send check payable to DPMA, credit card number (VISA/MC/AMEX), or purchase order to: Virus Conference DPMA Financial Industries Chapter Box 894 New York, NY 10268 or FAX to (202) 728-0884. Be sure to include your member number if requesting the discounted rate. Registrations received after 2/28/91 are $375/$395, so register now! For registration information/assistance, call (202) 371-1013 Discounted rates available at the Penta Hotel. $89 per night. Call (212) 736-5000, code "VIRUS" Discounted airfares on Continental Airlines, call (800) 468-7022, code EZ3P71 Sponsored by DPMA Financial Industries Chapter, in cooperation with ACM SIGSAC and IEEE-CS. ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 24] *****************************************