From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #15
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Monday, 27 Jan 1992    Volume 5 : Issue 15

Today's Topics:

Leading Edge distributes Michaelangelo virus (PC)
New virus????? (PC)
Re: 1575/1591 Virus (PC)
Re: i/o ports (was re: Iraqi virus) (PC)
Pentagon and Keypress virus found (PC)
Trojan program collects passwords
vsum info... (PC)
Green Caterpillar Virus (PC)
Total memory available to DOS less than 655360 (PC)
Re: Reviews and request (PC + Amiga)
FAQ: benign use of viri...
Re: Signature viruses
Re: Signature viruses
Re: Signature viruses
Iraqi Virus Question?
CCC91.ZIP on risc (text)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 27 Jan 92 07:42:00 -0600
From:    Ken De Cruyenaere
Subject: Leading Edge distributes Michaelangelo virus (PC)

This is from the latest RISKS digest:

- ------------------------------
Date: Sat, 25 Jan 92 14:14:47 PST
From: "Peter G. Neumann"
Subject: Leading Edge distributes Michaelangelo virus

Between 10 and 27 December 1991, Leading Edge Products shipped up to 6000 IBM-compatible personal computer systems each of which included among the hard-disk software the Michaelangelo virus -- which wipes the hard disk on the artist's 6 March birthday, although it also has some earlier destructive effects as well. [See San Francisco Chronicle, 25 Jan 1992, p. B1]

------------------------------

Date:    Thu, 23 Jan 92 21:51:22 +0000
From:    diaz@leland.stanford.edu (Kathy Diaz)
Subject: New virus????? (PC)

I have a question; it seems that I have come across some sort of virus. My DOS machine has in every directory a file called aux. It seems also that you can't find it by normal means. I guess the best way to find it is to use any editor (edlin, edit, vi, etc.) to look at it, but what you actually get is a computer freeze. You could also try to rename a file to aux and you will get some sort of duplicate file error. Each aux file is about 112 bytes long. It doesn't seem to be malicious aside from taking up space, but I can't even look in the file and try to dump the contents onto a file or something. And scanv85 doesn't find it. Same thing with CPAV. If anybody knows something about this, all your help will be greatly appreciated.

diaz@neon.stanford.edu
Katherine Salas Diaz

------------------------------

Date:    24 Jan 92 13:55:58 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: 1575/1591 Virus (PC)

frisk@complex.is (Fridrik Skulason) writes:

> >There are 6-7 variants of this virus, but they are essentially the
> >same.

> Eh, no...Alan Solomon discovered he was wrong - he included one variable
> byte in his checksumming range. There seem to be at most two variants.

We sorted this out with him yesterday. The final result is: 3 different variants.

In my original posting I also forgot to say that the virus does not infect files with 8-character names, due to a bug...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    24 Jan 92 14:51:45 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: i/o ports (was re: Iraqi virus) (PC)

stus5239@mary.cs.fredonia.edu (Kevin Stussman) writes:

> >Nonsense, complete nonsense. If it is in the printer, it cannot force
                                                                   ^^^^^
> >you to execute it. It cannot copy itself to the computer. It cannot
> >exist. Period.

> This brings up an interesting problem. Can it happen via a
> serial / parallel port? This would mean there has to be direct control

No. And for the same reason.

> over the CPU from a device attached to the port. Usually there is
> software driving the IO of the port, but can a device seize control
> and send instructions without driving software? Now if this isn't

No, it can't. Actually, data can be transmitted in both directions through both ports (serial and parallel), but an external device has no way to -FORCE- the computer to accept any data the latter is not willing to. It would be possible if a special program already runs on the computer. Say, a software device driver for the printer, which secretly downloads a virus from the printer's ROM. This is possible, but just useless - why not embed the virus in the device driver in the first place? No, there is no way for an external device to force your computer to accept data, unless there is a program already running which plays the active part.

> possible then I can see that it would be impossible. But just saying
> NO because it's on a chip is nonsense. There is nothing saying I can't

I didn't say NO because it's on a chip. I said NO, because it is introduced by an external device.
> place an EPROM in a strategic place that will place a virus of my
> choice on a hard drive or floppy, OR DO ANYTHING without even striking
> a key. If that chip has code to blank the screen, it will be blank
> before any control is given the user. (how do you think a PC knows

Right. You just don't have a way to make the computer download all this nasty code. No way from the printer, that is.

> Where is this article? And it seems strange to me that CNN wouldn't
> have known this. Then again, don't believe everything you hear.

As several people already mentioned, it has been published in the April 1st issue of InfoWorld (1991). Even the virus there is called AF/91, that is April's Fool / 1991. As you can see, even CNN can get caught... And it was not alone in this case, believe me... :-)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Fri, 24 Jan 92 11:51:55 -0500
From:    Eric Carlson
Subject: Pentagon and Keypress virus found (PC)

Pentagon and Keypress viruses were found on floppies in one of our labs. Pentagon virus was NOT FOUND by SCANv84, but it was found with SCANv69. This could be a problem. We did not allow that person to use his disk in the lab. I wasn't there, so I didn't analyze it further.

- Eric Carlson - Microcomputer Software Support -
- Northern Virginia Community College System -
- NOVA BBS 703-323-3321 - 14,400 BPS -

------------------------------

Date:    Fri, 24 Jan 92 17:55:38 -0600
From:    Ellen Brewer
Subject: Trojan program collects passwords

A program that collects logins and passwords by masquerading as a telnet connection to either of two local computers was found this week at the University of Illinois on PCs at sites used by large numbers of students.
The information below was posted by the CCSO Site Manager to a local newsgroup and is forwarded to VALERT-L with his consent.

> Date: Mon, 20 Jan 1992 13:43:15 -0600
> From: "Declan J. Fleming"
> Subject: Trojan Horse - Your uxa & ux1 password may be known
>
> One of my Site Consultants found a program at the Illini Union
> Site that looks just like Telnet (the software used to access
> mainframes) BUT is actually a password and login recorder.
> It will prompt you for your login: and Password: then tell you
> that the host is unreachable.
>
> So far this has only been found on DOS machines.
>
> What to look for:
>
> REAL Telnet doesn't leave a login screen up on the screen for an
> extended period of time - it will time out back to the menu screen.
> If you sit down at the computer and see a login screen already
> present, contact a Site Consultant right away! We'd like to track
> this software and see how far it gets. DO NOT try logging in until
> the Site Consultant has been notified and you have re-booted your
> machine with the Control-Alt-Delete keys.
>
> We have no idea how long this software has been around, so your
> present password may already be known. It is advised that you
> change it right away.
>
> We've seen the software in two versions - one that looks like a
> uxa login screen and one that looks like a ux1 login screen.
> There may be others.

Ellen Brewer (ebrewer@ux1.cso.uiuc.edu)
"Non ignara mali, miseris succurrere disco."

------------------------------

Date:    Sat, 25 Jan 92 19:29:32 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: vsum info... (PC)

hobbit@vax.ftp.com (*Hobbit*) writes:

> there a plaintext version of vsumx.h! that is readable by humans

Unfortunately, VSUM is no longer provided in this form. You may, however, wish to get the Brunnstein Virus Catalogue, the various files of which are ftpable from cert.sei.cmu.edu.
==============
Vancouver        p1@arkham.wimsey.bc.ca    | "A ship in a harbour
Institute for    Robert_Slade@sfu.ca       |  is safe, but that is
Research into    CyberStore Dpac 85301030  |  not what ships are
User             rslade@cue.bc.ca          |  built for."
Security         Canada V7K 2G6            |            John Parks

------------------------------

Date:    Sun, 26 Jan 92 18:38:56 +0000
From:    Crispi
Subject: Green Caterpillar Virus (PC)

Dear all,

I have just found the Green Caterpillar virus (1575/1591), and would like some information about it.

Firstly, which machines are vulnerable to infection, and on which machines does the payload work? How many strains are there?

Secondly, and more generally, I tried to activate the virus on a PC running DR-DOS 6 (with a compressed disk). I wasn't able to infect any files. I know the virus spreads via the Findfirst and Findnext calls. Is DR-DOS immune in some way?

Many thanks,

Christopher J. Wells.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% cjw1@merlin.ukc.ac.uk | disclaimer: Since UKC do not represent my views,    %
% University of Kent    | I do not represent theirs.                          %
%------------------------------------------------------------------------------%
% "I seem to be having this tremendous difficulty with MY lifestyle" - A. Dent %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

------------------------------

Date:    Mon, 27 Jan 92 09:27:20 +0700
From:    Josep Fortiana Gregori
Subject: Total memory available to DOS less than 655360 (PC)

After reading the note by Padgett Peterson about the Michelangelo virus, I checked my machines and found that one of them (a 486/33MHz clone AT with 8M RAM) reports

  total memory = 654336 = 655360 - 1024   when booted from drive C:

and 655360 when booted from A:

No other symptom of infection can be observed. (and SCAN '85 reports "no viruses found")

Does someone know if there is a possible cause of this behaviour, other than infection?
Josep
......................................................................
Josep Fortiana                      Departament d'Estadistica (Facultat de Biologia)
Phone : 34 - 3 - 4021561            Universitat de Barcelona
E-mail: ubaesq01@ebcesca1.bitnet    Av. Diagonal 645
(also ubaesq01@puigmal.cesca.es)    08028 - Barcelona   SPAIN

------------------------------

Date:    Sat, 25 Jan 92 16:40:03 +0000
From:    d90mb@efd.lth.se (Maarten Berggren)
Subject: Re: Reviews and request (PC + Amiga)

p1@arkham.wimsey.bc.ca (Rob Slade) writes:

>per recent requests for reviews, the following is my current list (in
>order):
>EliaShim's ViruSafe
>Worldwide's Vaccine
>Solomon AntiVirus Toolkit
>Sophos Vaccine
>Fifth Generation's Untouchable
>
>(Of course, any more rumours like this past week, and this could be
>delayed a long time.)
>
>Now, a request. We haven't heard much from the Amiga people lately. Can
>I get some feedback on the top Amiga antiviral shareware of recent date?

I more or less write this to prove that Amiga-owners read this channel, although there isn't much Amiga-related stuff here. I haven't had many problems with viruses recently. The only virus I got last year was a lamer-exterminator, and I think I used BootX to remove it. I think that more Amiga-owners ought to write to this channel, to share the latest info about viruses.

Merten Berggren (d90mb@efd.lth.se)

------------------------------

Date:    Fri, 24 Jan 92 19:11:08 +0000
From:    euzebio%dcc.unicamp.ansp.br@UICVM.UIC.EDU (Marcos J. C. Euzebio)
Subject: FAQ: benign use of viri...

Does anybody have any experience/references/etc. on the use of viri/worms as a paradigm for distributed applications?

Thanks,
Marcos Euzebio.
- --
euzebio@dcc.unicamp.ansp.br

------------------------------

Date:    Sat, 25 Jan 92 19:26:00 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Re: Signature viruses

willimsa@unix1.tcd.ie (alastair gavi williams) writes:

> So, what's a signature virus? Does it require the file to be
> written to an acc before it will infect it?
After having sent my last response to this, I had second thoughts. I am still not sure that I understand the question, but the poster may be referring to virus signatures, the specific sections of code used to identify a virus or infection.

==============
Vancouver        p1@arkham.wimsey.bc.ca    | "A ship in a harbour
Institute for    Robert_Slade@sfu.ca       |  is safe, but that is
Research into    CyberStore Dpac 85301030  |  not what ships are
User             rslade@cue.bc.ca          |  built for."
Security         Canada V7K 2G6            |            John Parks

------------------------------

Date:    Sat, 25 Jan 92 23:05:19 +0700
From:    swimmer@stage.hanse.de (Morton Swimmer)
Subject: Re: Signature viruses

willimsa@unix1.tcd.ie (alastair gavi williams) writes:
>
> So, what's a signature virus? Does it require the file to be
> written to an acc before it will infect it?

Was this meant as a joke? I was missing the ":-)"

Just in case this was not a joke, the "signature" virus is nothing but a joke. Many people are putting a text like "This is a .signature virus. Please copy me into your .signature file" or the likes. A .signature file is of course the signature that is appended to e-mail.

BTW, as a joke I devised an anti-signature-virus: "rm -i .signature". It's just about as intelligent as doing a low-level format to cure a file virus.

Cheers, Morton

PS: :-)
..............................................................................
.morton swimmer..odenwaldstr.9..2000 hamburg 20..germany..tel: +49 40 4910247.
.internet: swimmer@stage.hanse.de or swimmer@rzsun1.informatik.uni-hamburg.de.
..............to leave only footprints, and take only memories................

------------------------------

Date:    Fri, 24 Jan 92 00:32:38 +0000
From:    mcafee@netcom.netcom.com (Morgan Schweers)
Subject: Re: Signature viruses

Some time ago willimsa@unix1.tcd.ie (alastair gavi williams) happily mumbled:
>
> So, what's a signature virus? Does it require the file to be
>written to an acc before it will infect it?

Greetings!
A .signature virus is a voluntary self-inflicted virus, requiring the consent of the to-be-infected to spread. It's a Usenet joke. (IMHO, a pretty funny one.) After all, it's non-destructive, clearly announced, and requires user intervention to become "infected". It's easy to scan for, as well! *grin*

Removal of a .signature virus under Unix requires the use of an extensively technical Unix virus-removal program, such as 'emacs' or 'vi'. Less technical methods may be used ('ed', or 'ex'), and in the worst case a low level format of your .signature file may be required. ('cat > .signature').

.signature viruses are unique in that they can spread to non-similar file systems. (The only requirement for spreading is a similar user mindset, across which the virus spreads with ease.) Removal under other file systems may require different techniques than under Unix. For example, VMS comes with an easy-to-use .signature virus removal program named EDIT. Even old MS-DOS systems have the easy capacity to remove this virus through the use of the arcane 'EDLIN' command. Modern versions of the MS-DOS .signature virus remover contain a full screen visual interface.

I'm not certain as to its efficacy spreading to non-text-oriented brainsets (such as Amiga and Mac users), but I'm sure that with a sufficiently interested and consenting user, something could be arranged...

Enjoy!
-- Morgan Schweers
- --
Hacker, Furry, SF reader, gamer, art collector, writer. 24 hours isn't enough.
mrs@netcom.com    | I'm a practicing furry! Some day I hope all the practice
Freela @ Furry    | will pay off, and I'll grow fur!  -- me
K_Balore @ Furry  |___________________ CLEAN C:\USR\SPOOL\*.* [SigVir] /SUB
Hi! I'm a .signature virus! Add me to your .signature and join in the fun!

------------------------------

Date:    25 Jan 92 19:48:00 -0600
From:    "379BMWMASQ" <379BMWMASQ@sacemnet.af.mil>
Subject: Iraqi Virus Question?
Hello All

I have been watching in the list the message threads on the Iraqi printer virus, and I have a question to pose to the group.

1. Postscript printers receive printouts in the form of Postscript program code, which is in turn run by the printer to print out the page. Now if that Postscript printer is on a network and is capable of sending information to the network, then could the printer CPU be programmed to access the well known and some not so well known security features of the network to plant code or overload the system with bogus traffic? I know that this requires the information on the type of network and the types of computing platforms in use, but it seems to me that they bought most of their computers from us over the last 10 years and it would only be smart for one of the watchers (CIA, FBI, NSA, DIS) to keep track of this.

These are of course my own ideas, guesses, or whatever.

Chris Cohen
379BMWMASQ@SACEMNET.AF.MIL

------------------------------

Date:    Sun, 26 Jan 92 14:24:34 -0600
From:    James Ford
Subject: CCC91.ZIP on risc (text)

The file CCC91.ZIP has been placed on risc.ua.edu for anonymous ftp. This zip file contains various (German?) text mentioned in earlier issues of Virus-L. (Thanks to the anonymous FTPer who uploaded it!)

File                         Size
---------------------------  -----
pub/ibm-antivirus/ccc91.zip  74085

If someone would like to tackle the translation, I will be more than interested in posting the resulting files on risc.

Uploading a file:
- -----------------
If you want to upload a file to risc.ua.edu, you must place the file in /pub/00uploads. You will not be able to see your uploaded file when you finish. I have only one rule that I follow when posting a file on risc.ua.edu: If the zip contains any sort of executable (COM, EXE, SYS, BIN, etc), the uploader *MUST* send a message to JFORD@UA1VM.UA.EDU or the address JFORD@RISC.UA.EDU.

I h
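[Editor's added example; not part of the digest and not written by any of the posters above.] The "aux" entry Kathy Diaz reports in every directory ("New virus?????" above) has the name of one of the character devices MS-DOS makes visible in every directory, alongside CON, PRN, NUL, CLOCK$, COM1-COM4 and LPT1-LPT3 (Windows keeps these and extends the port ranges to COM1-COM9 and LPT1-LPT9). DOS resolves such a name to the device no matter which directory it is used in and ignores any extension, which is why the name behaves differently from an ordinary file. The script below, in Python, flags file names and paths that collide with these device names; it runs over a constructed `DIR /B /S`-style listing, and the device lists are the only facts it relies on.

```python
"""Flag file names that collide with MS-DOS / Windows reserved device names.

Added example; not code from the VIRUS-L digest. SAMPLE_LISTING below is
constructed for the demonstration.
"""
from __future__ import annotations

import re

# Character-device names MS-DOS maps into every directory.
DOS_DEVICES = frozenset(
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{n}" for n in range(1, 5)}
    | {f"LPT{n}" for n in range(1, 4)}
)
# Windows keeps the DOS names and extends the port ranges to 1-9.
WINDOWS_DEVICES = (
    DOS_DEVICES
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)


def device_name(filename: str, devices: frozenset[str] = WINDOWS_DEVICES) -> str | None:
    """Return the device a bare file name resolves to, or None.

    The match is case-insensitive and ignores everything from the first dot
    on, because DOS matches device names on the stem only: "AUX", "aux.txt"
    and "Aux.c" all name the AUX device, not a file. Trailing spaces and
    dots are dropped as well, since the filesystem drops them from names.
    """
    stem = filename.split(".", 1)[0].rstrip(" .").upper()
    return stem if stem in devices else None


def flag_reserved_paths(
    paths: list[str], devices: frozenset[str] = WINDOWS_DEVICES
) -> list[tuple[str, str]]:
    """Return (path, device) for every path whose final component is a device name.

    Accepts both / and \\ separators so it can run over DOS paths and archive
    member names alike. Only the final component is checked, because that is
    the component a program would try to open as a file.
    """
    hits: list[tuple[str, str]] = []
    for path in paths:
        last = re.split(r"[\\/]", path.rstrip("\\/"))[-1]
        dev = device_name(last, devices)
        if dev is not None:
            hits.append((path, dev))
    return hits


def parse_dir_bare_listing(listing: str) -> list[str]:
    """Turn `DIR /B /S` output (one full path per line) into a path list."""
    return [line.strip() for line in listing.splitlines() if line.strip()]


# Constructed sample: what `DIR /B /S` would print for a tree holding such names.
SAMPLE_LISTING = """
C:\\DOS\\COMMAND.COM
C:\\DOS\\aux
C:\\WORK\\report.txt
C:\\WORK\\aux.txt
C:\\WORK\\auxiliary.dat
C:\\WORK\\Com1.log
C:\\WORK\\com10.log
C:\\GAMES\\nul
"""


def demo() -> list[tuple[str, str]]:
    """Run the check over the constructed listing and return the hits."""
    return flag_reserved_paths(parse_dir_bare_listing(SAMPLE_LISTING))


if __name__ == "__main__":
    for path, dev in demo():
        print(f"{path}: resolves to device {dev}, not to a file")
```

The same check is worth running over member names of archives before extracting them on a DOS or Windows host: a member called `aux` or `nul.txt` cannot be written as a file there, and an extractor that opens it will be talking to the device instead.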