VIRUS-L Digest   Tuesday, 19 Feb 1991    Volume 4 : Issue 29
******************************************************************************

Today's Topics:

Virus or DOS clash ? (PC)
Mouse working while PC goes crazy - explanation (PC)
more on 'Virus Protection and Universities'
Re: Disinfecting an AppleShare File Server (Mac)
Information on the "Stoned Virus" (PC)
Re: Reporter seeks help on story about a Mac virus (Mac)
STONED virus (PC)
Re: Observation On An Observation
Re: STONED virus/ McAfee Associates (PC)
Viruses and Comics
MS-DOS anti-virals uploaded to SIMTEL20
Protection Model (PC)
Re: VAX/VMS and Viruses
The virus-ability of a machine...
Repair Shops
Re: Viruses in text files
Re: Request for info on the Ohio virus (PC)
Re: Virus Protection and Universities

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    Fri, 15 Feb 91 18:13:00 +0100
From:    "Olivier M.J. Crepin-Leblond"
Subject: Virus or DOS clash ? (PC)

A strange file has started appearing on some of the disks of one
student over here. Although I do not think that it is a virus, I have
remote fears that it could be.
Having never come across this phenomenon before, could someone please
enlighten me about the causes of the event:

The file appears in the directory listing of 5 1/4in floppies:

    4MSDOS 3.3        0 15-00-80 12:00a

where:   is the delta sign
         is a capital E with an accent over it

I unfortunately have not got a copy of any anti-viral programs in my
hand at the moment (it's Friday evening [...]). So I do not know if
this happening is actually recognised as a virus or not. My guess would
be some clash between MS-DOS 3.3 format and 4.1 format.

Olivier M.J. Crepin-Leblond, Internet:
Communications & Signal Processing, Electrical Engineering Dept.,
Imperial College of Science, Technology and Medicine, London, UK.
>> If nothing else works: take disk. take knife, use knife on disk.

------------------------------

Date:    Fri, 15 Feb 91 22:08:27 +0000
From:    Rotan
Subject: Mouse working while PC goes crazy - explanation (PC)

Mikael Lindberg Mortensen recently described a problem where a PC
appeared to crash in a peculiar manner, leaving the keyboard locked and
the speaker making beeping noises. Since the mouse appeared to remain
operational, it was suspected that a virus had in some manner
*partially* disabled the PC.

Let me point out that most mouse device handlers (software to manage
the low level operations of i/o devices, such as movement or button
operation) are interrupt driven and so, if the interrupt and its
associated software remain intact in memory, it is quite possible for
peripheral devices to exhibit normal behaviour despite a primary system
failure.

I cannot speculate on the cause of Mikael's PC crash (it might just
have been an electrostatic discharge) but as I have illustrated, the
survival of the mouse does not mean that the PC remains operational and
certainly does not prove the presence of a viral infection.

- ---
Rotan Hanrahan, Department of Computer Science, UCD, Ireland.
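The directory listing Olivier quotes above can be examined more reliably by decoding the raw 32-byte directory entry than by trusting what DIR prints. The following is an added example, not part of the digest: it unpacks an MS-DOS 3.x FAT directory entry and reports fields that no ordinary DOS file write produces. The sample entry is constructed to resemble the quoted listing (it is not taken from his disk), and the MM-DD-YY rendering is an assumption about the machine's country setting.

```python
"""Decode a 32-byte MS-DOS 3.x FAT directory entry and list the fields that
no ordinary DOS file write would produce (bad month or day, illegal name
bytes, a deleted-entry marker).  Added example, not from the digest."""
import struct

# Bytes DOS never allows in a short file name (besides control characters).
ILLEGAL_NAME_BYTES = set(b'"*+,/:;<=>?\\[]|')


def decode_entry(raw: bytes) -> dict:
    """Unpack the on-disk layout: name(8) ext(3) attr(1) reserved(10)
    time(2) date(2) first-cluster(2) size(4), all little-endian."""
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    name, ext, attr, _res, t, d, cluster, size = struct.unpack("<8s3sB10sHHHI", raw)
    return {
        "name": name, "ext": ext, "attr": attr, "cluster": cluster, "size": size,
        # Packed date: bits 15-9 = years since 1980, 8-5 = month, 4-0 = day.
        "year": 1980 + (d >> 9), "month": (d >> 5) & 0x0F, "day": d & 0x1F,
        # Packed time: bits 15-11 = hour, 10-5 = minute, 4-0 = two-second units.
        "hour": t >> 11, "minute": (t >> 5) & 0x3F, "second": (t & 0x1F) * 2,
    }


def dir_line(e: dict) -> str:
    """Render the entry the way DIR printed it (US MM-DD-YY date order;
    the UK country setting shows DD-MM-YY, which changes nothing below)."""
    hour12 = e["hour"] % 12 or 12
    ampm = "a" if e["hour"] < 12 else "p"
    return (f"{e['name'].decode('cp437'):<8} {e['ext'].decode('cp437'):<3} "
            f"{e['size']:>8} {e['month']:02d}-{e['day']:02d}-{e['year'] % 100:02d} "
            f"{hour12:2d}:{e['minute']:02d}{ampm}")


def check_entry(e: dict) -> list:
    """Return the reasons the entry cannot be a normally written file;
    an empty list means every field is within what DOS itself produces."""
    problems = []
    first = e["name"][0]
    if first == 0xE5:
        problems.append("first name byte 0xE5: entry is marked deleted")
    elif first == 0x00:
        problems.append("first name byte 0x00: end-of-directory marker, not a file")
    name_bytes = e["name"] + e["ext"]
    if any(b < 0x20 or b in ILLEGAL_NAME_BYTES or 0x61 <= b <= 0x7A for b in name_bytes):
        problems.append("name contains a byte DOS does not allow in file names")
    if any(b >= 0x80 for b in name_bytes):
        problems.append("name contains extended (CP437) characters, unusual for a user file")
    if not (1 <= e["month"] <= 12 and 1 <= e["day"] <= 31):
        problems.append(f"impossible date: month={e['month']} day={e['day']}")
    if e["hour"] > 23 or e["minute"] > 59:
        problems.append(f"impossible time: {e['hour']:02d}:{e['minute']:02d}")
    if e["attr"] & 0x10 and e["size"] != 0:
        problems.append("directory attribute set but size is non-zero")
    return problems


# Constructed sample resembling the quoted listing: CP437 0xEB is a delta
# and 0x90 is an E-acute; time word 0 (12:00a) and a date word with
# month 15, day 0, year 1980, which DIR shows as "15-00-80".
ODD_ENTRY = (b"\xEB4MSDOS " + b"3\x903" + bytes([0x20]) + bytes(10)
             + struct.pack("<HHHI", 0, (15 << 5) | 0, 2, 0))

# Constructed sane entry for comparison: COMMAND.COM, 25307 bytes, 14 May 1990 12:00.
SANE_ENTRY = (b"COMMAND COM" + bytes([0x20]) + bytes(10)
              + struct.pack("<HHHI", 12 << 11, (10 << 9) | (5 << 5) | 14, 5, 25307))

if __name__ == "__main__":
    for raw in (ODD_ENTRY, SANE_ENTRY):
        entry = decode_entry(raw)
        print(dir_line(entry))
        for p in check_entry(entry) or ["looks like a normally written entry"]:
            print("   ", p)
```

A month of 15 (or a day of 0) cannot come from DOS's own clock, so the entry was written by something other than a normal file operation; whether that was cross-version format confusion or a virus is not decidable from the entry alone.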
------------------------------

Date:    Fri, 15 Feb 91 16:32:05 -0600
From:    Fred Davidson
Subject: more on 'Virus Protection and Universities'

An interesting thing on this topic, protecting against viruses at
universities, is the policy in the quasi-public micro lab in the
basement of my building. It has about 15 MACs and about 15 PCs. Upon
entering, there is a MAC Plus with an external drive at the monitor's
desk. The external drive has a big note taped to the top of it: "Check
All Mac Disks For Viruses". If you come in and use a MAC, when you sign
in, you are supposed to check any disk you bring for MAC viruses. What
is odd is that there is no such requirement for users of the PCs. Does
this reflect the statistical proportions of viruses in the real world?
More on MACs than on PCs?

------------------------------

Date:    Fri, 15 Feb 91 17:07:57 -0600
From:    jln@casbah.acns.nwu.edu (John Norstad)
Subject: Re: Disinfecting an AppleShare File Server (Mac)

Jim Fish writes:

>Can anyone give me some advice on how to disinfect an Appleshare
>fileserver and protect it from further infection?

I go into great detail on this issue in my Disinfectant online manual.
See especially the section titled "Recommendations."

John Norstad
Academic Computing and Network Services
Northwestern University
jln@casbah.acns.nwu.edu

------------------------------

Date:    Fri, 15 Feb 91 16:28:22 -0500
From:    Scott Morgan
Subject: Information on the "Stoned Virus" (PC)

Fellow Networkers,

Recently we have had a student on campus here contract the Stoned virus
on her floppy disk. Well, it sent a shock wave through most of our
students and staff who use our computers, to say the least. Not knowing
very much about this particular virus, I was wondering if anyone on
this list could provide me with some info on it (prevention,
eradication, etc.). Any info would be greatly appreciated.
Thanks,

Scott Morgan
Programmer/Analyst
Florida State University
Panama City Campus
BITNET: SMORGAN@FSUAVM

------------------------------

Date:    Fri, 15 Feb 91 17:40:34 -0500
From:    fasfax!ross@cert.sei.cmu.edu
Subject: Re: Reporter seeks help on story about a Mac virus (Mac)

... background info deleted...

>So, does anybody know what kind of virus this might be and how common
>it is?

Viruses are in general more common than people would like to think. I
am in general responsible for security on machines other than Macs,
unix mostly, but have enough years in this that I can perhaps give you
a different perspective from your other replies.

>And is it true that Mac viruses are easier to write than PC
>ones (one of our PC people told me that; maybe she's biased :-) ).

It's not a question of bias, the mac system is very powerful, but part
of that power comes from openness. Openness leaves one vulnerable. (I
am generally biased against macs, with the exception of their
usefulness for desktop publishing)

>And, on the Dumb Question of the Week category: how might the virus
>have gotten into the network in the first place?

Someone inserted an infected disk onto a machine on the network, or
that machine itself.

>I assume it would be somebody
>bringing an infected disk in from home (the LAN is not tied to any other
>network), but might there be other ways (short of the Dukakoids
>sabotaging the system, which I doubt, given they had no idea it was going
>to be used to write the budget, since they did all that on their Wangs).
Dukakoids aren't smart enough to do something like this, but I wouldn't
put it past them if they knew how :-(

Ross (I don't speak for my company) Miller

- --
Ross Miller                FasFax Corporation
email: fasfax1!ross@decvax.dec.com (until registration complete)
alt-email: ross@dino.ulowell.edu

------------------------------

Date:    Sat, 16 Feb 91 03:59:23 +0000
From:    amewalduck@trillium.uwaterloo.ca (Andrew Walduck)
Subject: STONED virus (PC)

I seem to have contracted a case of the STONED virus on my PC.
So...I'm looking for the following information:

1. How to get rid of it from my machine.
2. How to ensure I can't get it from my backups.
3. How it is transmitted...
4. How many variants are known.
5. What it does!

+ any other info that you think that I may need. Especially on
recommended virus checkers so I don't catch another one of these!

Thanx
Andrew Walduck
amewaldu@orchid.uwaterloo.edu

P.S. I used to be a regular reader of this group...but haven't had time
lately. But keep up the great work...these things are a DAMNED
nuisance!

------------------------------

Date:    16 Feb 91 15:15:04 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Observation On An Observation

David Gursky dg@titanium.mitre.org writes

> At the time, the number of PC viruses numbered 23 distinct strains and
> over a 100 total viruses.

That was a loooooong time ago - now we have around 150 families, and
over 400 different variants - 30-40% written in Eastern Europe.

- -frisk

------------------------------

Date:    Sat, 16 Feb 91 22:43:22 +0000
From:    Wayne Robarge
Subject: Re: STONED virus/ McAfee Associates (PC)

I have a similar problem and a question. The McAfee Scan program has
detected the Stoned virus on some commercial software I just bought to
run some lab equipment. I called them and they were surprised to hear
about it as none of the disks they sold me were system disks yet the
SCAN program says that the virus is in the boot sector. Are these disks
infected or not?
If they are infected, will the virus infect other machines if I do not
boot from these disks. I am basically a Mac person but have to use an
XT to run this software. The software is hanging for no apparent
reason, which is why I decided to look for a virus. Will the Stoned
virus cause exe files to just hang?

Thanks for any help anyone can provide. This is a bummer situation and
it looks like I'm stuck with it.

By the way, I agree with the previous comment, the McAfee software
seems very nice and I will be sending in my shareware fee.

wayne robarge
soil science, ncsu
nsarah@ncsumvs.ncsu.edu

------------------------------

Date:    Sat, 16 Feb 91 18:26:58 -0500
From:    stanley@phoenix.com (John Stanley)
Subject: Viruses and Comics

This is marginally related, but the April issue of the Mighty Mouse
comic has our hero being abducted into a computer (by a femme of the
name Dot Matrix), in order to battle a computer virus. The virus looks
amazingly like a worm (segmented). MM does not want anything to do with
it until Dot tells him how it can escape onto the network. He finally
stops it before it interfaces to the external modem juncture.

So, how soon do we start to get drawings in THIS digest?
------------------------------

Date:    Sun, 17 Feb 91 12:26:00 -0700
From:    Keith Petersen
Subject: MS-DOS anti-virals uploaded to SIMTEL20

The following files were obtained from the McAfee BBS and uploaded to
SIMTEL20:

pd1:
CLEAN74B.ZIP  Universal virus disinfector, heals/removes
NETSCN74.ZIP  Network compatible - scan for 217 viruses, v74
SCANV74B.ZIP  VirusScan, scans disk files for 217 viruses
VCOPY74.ZIP   Copy utility checks for viruses as it copies
VSHLD74B.ZIP  Resident virus infection prevention program

Keith
- --
Keith Petersen
Maintainer of SIMTEL20's MSDOS, MISC & CP/M archives [IP address 26.2.0.74]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil    or     w8sdz@vela.acs.oakland.edu
Uucp: uunet!wsmr-simtel20.army.mil!w8sdz              BITNET: w8sdz@OAKLAND

------------------------------

Date:    27 February, 1991
From:    Padgett Peterson
Subject: Protection Model (PC)

> I saw one product which seems (IMHO) to come close to this -
>PC/DACS by Pyramid (note: I have no affiliation with them...).  It
>provides boot protection, optional hard disk encryption (required to
>prevent absolute sector access), username/password protection, file
>access control, etc.

It can preclude unauthorized access to a disk but cannot prevent data
destruction (only hardware can prevent loss). Fischer's PC-Watchdog,
Certus' CERTUS, and Enigma-Logic's PC-SAFE are also all good products
for this function but all require administration.

Weighing the tradeoffs between CIA and system effectiveness/response is
always a difficult proposition. Consider the model a "first pass" for
the platform integrity maintenance that we expect from a robust OS such
as VMS or MVS that does not currently exist in MS-DOS and a tool for
evaluating proposed solutions rather than an end-all. Incidentally, it
should not cost more than $5.00 per PC as an add-on.

- ------------------------------

>From:
>Subject: Sunday virus detection (PC)

>Now my question: What is the trigger condition and
>the damage effect of this virus?
The original version is supposed to trigger on any Sunday, print a
little message (Today is Sunday, why do you work so hard ?), and delete
all executables run. The one I have seen has a bug in it that prevents
it from triggering. It is a Jerusalem variant with a 2xxx byte un-named
TSR and .COM & .EXE files grow (.EXE many times).

- ------------------------------------------------------------------------

>From: jackz@izuba.ee.lbl.gov (Jack Zelver)

>Since we don't like to spend the taxpayer's money frivolously (that's
>YOUR money, folks!) we decided not to offer McAfee this huge windfall
>for the privilege of locally distributing his software.  We ended up
>negotiating a site license with IBM for their VIRSCAN software.  The
>price is right for that one!

This attitude bothers me a bit considering what is being compared.
Certainly, the IBM product is a reasonably good detector and is rarely
more than six months out of date, but what do you do then ? Format the
infected disks ? On the other hand, the McAfee utilities provide
detection AND recovery capabilities as well as being able to check out
a network server that is not even running DOS. You might also look into
the "service license" which authorizes a limited number of technicians
to use the utilities on any machine. Also part of the McAfee license
includes two years of updates and on-line service help with
disinfecting - IBMSCAN does not include this.

What is really wanted is a protection mechanism for the users that is
like the idiot lights on a car - it tells them that SOMETHING is wrong.
Then the technician is called in with the high-powered (and tricky)
tools for use in recovery. In most cases you do not want the user to
"clean" his own machine because then you lose all tracking capability
(and most I have seen do their own disinfecting just wind up
reinfected.) Putting all of the tools on every machine is a bit like
equipping every car with its own service station.
>You might consider getting virus protection packages for a few people
>and put them on special write-protected system floppies.  Then they
>could be moved from system to system to check for suspected
>infections.

This is what the service license is for.

- ---------------------------------------------------------------------

From: rfink@eng.umd.edu (Russell A. Fink)

Many thanks to those who responded. As you recall, I had two machines
with identical numbers of bad bytes on their hard drives, which made me
suspect viral infection (vi).

Incidentally, on my home PC there is a ST-251-1 and a ST-225. Both have
four sector clusters and four "bad" heads (but different ones)
consequently both report 40960 bytes in bad sectors.

Almost made it down to freezing last night - Padgett

------------------------------

Date:    Mon, 18 Feb 91 10:53:36 +0000
From:    tommyp@isy.liu.se (Tommy Pedersen)
Subject: Re: VAX/VMS and Viruses

bert@medley.ssdl.com (Bert Medley) writes:

>Does anyone know of any virus protection software for VAX/VMS or UNIX
>(Sun, DG Aviion, DEC ULTRIX)?  Please e-mail to bert@medley.ssdl.com
>or post.  I will summarize and repost if there are answers.  I NEED
>any answers you might can give.  Thanks in advance.

The answer is **TCell**.

My company SECTRA manufactures a system-surveillance tool called TCell
which checks a unix system for different kinds of changes. The changes
may have been done by an intruder, a virus or by mistake of an
authorized person. Depending on what security level the TCell
administrator has put on a specific item, the system will do specific
tasks like mailing owners of damaged/changed files or shutting the
system down.

TCell currently is ported to sun and HP-UX, but will be ported to other
unix systems or other operating systems if so desired.
/Tommy Pedersen
 ________________________________________________________________
|E-mail: tommyp@sectra.se        || Telephone: +46 13 235214     |
|S-mail: Tommy Pedersen          || FAX:       +46 13 212185     |
|        SECTRA                  ||------------------------------|
|        Teknikringen 2          ||                              |
|        S-583 30 Linkoping      ||                              |
|        SWEDEN                  ||                              |
|________________________________||______________________________|

------------------------------

Date:    18 Feb 91 10:52:07 +0000
From:    lan@bucsf.bu.edu (Larry Nathanson)
Subject: The virus-ability of a machine...

The basic reason why mac viruses are harder to write, is the
standardization philosophy behind the mac. First, the standardization
requires learning how to use the toolbox - not an easy task for the
average hack. As was mentioned- there's a series of 5 manuals that
comprise just the documentation.

Second, the standardization makes it a lot easier to spot a program
pulling a fast one. If some code tries to write to the boot sectors of
a disk, by making direct low level os calls, a program like SAM will
pick this up, and let the user know that something is making system
calls, bypassing the file manager. If a virus tries to use the file
manager, then SAM gives a message saying something to the effect of
"Pagemaker is trying to install a code resource". If you are in the
middle of loading a letter to your brother, you would hopefully note
that this is not appropriate. If you are installing a new version of
pagemaker into your system, then the system call is appropriate.

On PC, there is no standardization - every program runs differently..
It's very hard to figure out when someone is doing something they
shouldn't.

Three other major factors are the number of machines out there, the
stability of the DOS, and the number of boot sources available. The IBM
is very widespread, and since most have hard drives, they get booted
off of the same drive. Also, the dos tends to be stable, and the boot
sequence is long. This discourages frequent rebooting.
The same thing on the mac- many hard drives, a stable dos, and long
boot sequences. It is not uncommon to run 5 or 6 mac programs without
a reboot.

My old apple //e does not follow this pattern. Most //e's have floppy
disks, and most apple// floppies (DOS 3.3) are bootable, and boot
quickly. Also, many apple programs destroy the memory resident dos,
after they have loaded. To continue, you simply reboot the machine. If
I reboot every time I insert a new program to run, a virus is going to
have a VERY hard time propagating.

An interesting sideline- I work in a service bureau, and we have LOADS
of people who come in with a mac disk, looking for the machine to make
magic happen. They don't know anything about the mac, and DON'T WANT to
learn. They just want to wave the mouse, and see 300dpi typeset magic.
So, they sign on to the machine, pop in the disk, and get a message
onscreen that they have a virus. So, of course, they make the OBVIOUS
leap of logic, and decide that since they didn't get this message on
their machine at home, they MUST have gotten this virus from us!!!
ARRRRGGHH!! I've had people get outright belligerent, insisting that we
are to blame! Either that, or they decide this whole virus thing is a
scam, to get them to spend more time and money on our machines.

The danger isn't viruses- I can kill them quickly with any of half a
dozen programs. The danger is ignorance!

- --Larry

- --
// Larry Nathanson . 726 Comm Av #5J . Boston, MA 02215 . 617 266 7419 \\
I've heard they just built a tunnel from England to France. The French
drive on the right hand side, the English on the left. Can they save
money by building only one lane?

------------------------------

Date:    Mon, 18 Feb 91 09:18:12 -0700
From:    rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Subject: Repair Shops

When your site experiences a viral infestation, or has ongoing problems
with viruses with no seeming lull between one outbreak and the next, do
you notify local vendors? Like repair shops?
Our site, a university town, is currently being swamped with the Stoned
virus. It's all over the darn place. Since I work for the computer
center here, I talked to our local vendors and warned them to check
stuff (there's only four businesses that really count so it was easy).
Only one so far has said people came in thinking something was wrong
with their machine when in fact it was Stoned.

I think some sort of communication is necessary between local
businesses and oneself to help prevent the spread of viruses. In case
it hasn't dawned on you yet, we really haven't had much of a problem
with viruses before recently, so many of the do's and don'ts aren't
necessarily obvious to us.

So, comments anyone?

Richard Travsky                        Bitnet:   RTRAVSKY @ UWYO
Division of Information Technology     Internet: RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                  (307) 766 - 3663 / 3668

------------------------------

Date:    Mon, 18 Feb 91 21:37:23 +0000
From:    qualcom!news@UCSD.EDU
Subject: Re: Viruses in text files

XPUM04@prime-a.central-services.umist.ac.uk (Anthony Appleyard) writes:

>With reference to this message:-
>From: millerje@holst.tmc.edu (jeffrey scott miller)
>..........
>True. Viruses cannot infect text files, as they are never executed. Viruses
>CAN look to see if a certain filetype is being accessed (i.e. .DBF), but
>since there is no executable code in a text file, there is no way a virus
>can "latch" onto the file.
>..........
>::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>There was a long discussion in Virus-L in the past about viruses infecting
>text files. Some systems and programs when reading text files treat some
>character sequences as escape sequences to tell them to obey the following
>characters specially, e.g. reading them as binary into store, or
>trojanizing keyboard keys by altering what those keys do. So viruses
>infect or trojanize text files.

Strictly speaking, I believe it's only a trojan, as these "ANSI bombs"
don't spread.
However, they can be rather dangerous. Someone can add a command in one
of the ubiquitous ANSI picture files to have your ENTER key redefined
to format your hard disk. I find that the best solution to this is to
view them on-line from my terminal program, as these usually have their
own ANSI handlers and will thwart any keyboard redefinition codes. Be
aware, though, that they can easily sneak these into README files, and
you will have no way of knowing that your keyboard has been redefined
unless you either don't have an ANSI driver, or it hits you.

------------------------------

Date:    Tue, 19 Feb 91 13:19:18 +0000
From:    treeves@magnus.ircc.ohio-state.edu (Terry N Reeves)
Subject: Re: Request for info on the Ohio virus (PC)

The ohio virus exists in several varieties, 5 or 6 at least. Our local
variant will spread to 5.25" floppies only, does not contain any
deliberately destructive code, and causes no major problems. This is
reportedly true of all varieties. So far.

It is a boot sector virus, so files are not infected. In a university
computer lab environment it may be easiest just to recopy infected
disks from masters and WRITE PROTECT THEM. This keeps out ALL viruses.
Disks can be cleaned up with f-prot's f-disinf.exe, or the mdisk
program. You can also copy all the files to another disk, format the
disk and copy them back.

- --
 _____________________________________________________________________________
|                  That's my story, and I'm sticking to it!                   |
|_____________________________________________________________________________|
|   Microcomputer software support,   |   treeves@magnus.IRCC.OHIO-STATE.EDU  |

------------------------------

Date:    Tue, 19 Feb 91 14:01:34 +0000
From:    treeves@magnus.ircc.ohio-state.edu (Terry N Reeves)
Subject: Re: Virus Protection and Universities

JS05STAF%MIAMIU.BITNET@OHSTVMA.IRCC.OHIO-STATE.EDU (Joe Simpson) writes:

>Is anyone using F-Prot. Does Fredrik Skullasan (apologies to FS for
>spelling) have a site licence policy?

Yes and yes.
We use f-prot at Ohio State. To be candid I think it's the second best
anti virus software if price is ignored, but given price it is #1.
Version 2.0 due soon sounds like it will be #1 in ALL categories. It is
FREE for individual use and a university license for INFINITE copies is
only $500 or $1 per pc for less than 500 pcs.

It has a wide range of tools in the package but in labs we just install
f-driver.sys which will alert us to any infection - and refuse to allow
the infected program to run. We then use f-fchk & f-disinf to clean up
infections. We get a lot of viruses here - Ohio, Brain, Ping-Pong,
Korea, Stoned, Disk Killer, Den Zuk, Jerusalem, Alameda - but f-prot
tells us as soon as we get one and we don't spread it. If only we could
reach the great masses of students here (50,000+) to clean up their
disks!

- --
 _____________________________________________________________________________
|                  That's my story, and I'm sticking to it!                   |
|_____________________________________________________________________________|
|   Microcomputer software support,   |   treeves@magnus.IRCC.OHIO-STATE.EDU  |

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 29]
*****************************************
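Following up the "Viruses in text files" thread in this digest: a small scanner that reports ANSI.SYS keyboard-redefinition sequences (the ones ending in the letter p) in a README or ANSI picture file, and strips them while leaving colour and cursor codes intact, which is the effect the terminal-program workaround described there relies on. This is an added example, not code from the digest or from any product named in it; the README text is a constructed sample whose ENTER reassignment is deliberately harmless.

```python
"""Find and neutralise ANSI.SYS keyboard-redefinition sequences in text.
Added example, not from the digest.  ANSI.SYS treats ESC [ ... p as a key
reassignment: the first parameter names the key (an ASCII code, or 0 plus an
extended scan code), the rest are the replacement (quoted strings or codes)."""
import re

# ESC [ <params> <final letter>; params are decimal numbers or "quoted strings"
# separated by semicolons.  Only a final 'p' touches the keyboard; m (colour),
# H/f (cursor), J/K (erase) and the like are harmless display control.
SEQ_RE = re.compile(r'\x1b\[((?:\d+|"[^"]*")(?:;(?:\d+|"[^"]*"))*)?([A-Za-z])')
PARAM_RE = re.compile(r'\d+|"[^"]*"')
KEY_NAMES = {8: "BACKSPACE", 9: "TAB", 13: "ENTER", 27: "ESC", 32: "SPACE"}


def parse_params(params: str) -> list:
    """Turn '13;"dir";13' into [13, 'dir', 13]."""
    return [p[1:-1] if p.startswith('"') else int(p) for p in PARAM_RE.findall(params)]


def find_key_redefinitions(text: str) -> list:
    """Return one dict per key-reassignment sequence found in text."""
    findings = []
    for m in SEQ_RE.finditer(text):
        params, final = m.group(1) or "", m.group(2)
        if final != "p":
            continue
        values = parse_params(params)
        if not values or not isinstance(values[0], int):
            continue  # malformed: ANSI.SYS needs a key code first
        if values[0] == 0 and len(values) > 1 and isinstance(values[1], int):
            key, rest = f"extended scan code {values[1]}", values[2:]
        else:
            key, rest = KEY_NAMES.get(values[0], f"ASCII {values[0]}"), values[1:]
        replacement = "".join(v if isinstance(v, str) else chr(v) for v in rest)
        findings.append({"offset": m.start(), "key": key, "replacement": replacement})
    return findings


def neutralize(text: str) -> str:
    """Strip key-reassignment sequences but keep colour/cursor codes, which is
    what a terminal program with its own ANSI handler effectively does."""
    return SEQ_RE.sub(lambda m: "" if m.group(2) == "p" else m.group(0), text)


def scan_file(path: str) -> list:
    """Scan a DOS text file on disk (CP437, as ANSI.SYS would see it)."""
    with open(path, "rb") as f:
        return find_key_redefinitions(f.read().decode("cp437", errors="replace"))


# Constructed sample README: a colour banner plus one ENTER reassignment whose
# replacement is deliberately harmless ("echo hello" followed by a carriage return).
SAMPLE_README = (
    "\x1b[1;33mWelcome to the BBS file area\x1b[0m\r\n"
    "Type DIR to list the files.\r\n"
    '\x1b[13;"echo hello";13p'
    "Enjoy your stay.\r\n"
)

if __name__ == "__main__":
    for f in find_key_redefinitions(SAMPLE_README):
        print(f"offset {f['offset']}: key {f['key']} -> {f['replacement']!r}")
    print(repr(neutralize(SAMPLE_README)))
```

Because the reassignment only takes effect when the file is TYPEd or displayed through a loaded ANSI driver, the scan is worth running before viewing any downloaded text on a machine that has one.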