VIRUS-L Digest   Monday, 13 Nov 1989    Volume 2 : Issue 239

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

New Virus (PC)
Interferon & The Vision Fund (Mac)
"The Cuckoo's Egg," Cliff Stoll, Doubleday, New York ($18.95),
Virus trivia (PC)
Re: MacWight? (Mac)
Re: Where are the Sophisticated Viruses? (PC)
Previous Incorrect Attribution
New Virus (PC)
Re: Identify Ashar Virus (PC)

---------------------------------------------------------------------------

Date:    Fri, 10 Nov 89 09:32:38 -0800
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: New Virus (PC)

     A new COM infector was submitted to the HomeBase board this
evening by Jean Luz of Lisbon, Portugal.  The virus is in many
respects similar to the Vienna virus - the size increase is 648 bytes,
and instead of overwriting every eighth file (on the average) with the
re-boot sequence, it overwrites with the characters "AIDS", thus
crippling those applications.  This virus should not be confused with
the original AIDS virus (very dissimilar).  Aside from the mentioned
similarities with Vienna, the virus appears to be written from
scratch.  The 648 length seems to be a chance result.  No effects of
the virus have been observed other than the above mentioned.  The
virus has been in Portugal at least two months according to the
submitter.  Alan

P.S.  The following presumably straight-faced request was posted on
HomeBase by John McAfee.  Thought it might be of interest to Virus-L
readers:

To: All Users
From: John McAfee
Subject: Reported Possible Virus

    I received an unusual call from a Mr. Fred Hankel of Fargo, North
Dakota this morning.  Mr. Hankel was highly agitated and after hearing his
long and involved story, I was moved to pass on this condensed summary to
all who might be interested:  Mr. Hankel reports, and I have no grounds for
doubting, that a computer virus invaded his system from a bingo game he
purchased in mid-October.  The virus activated at 11:00 A.M. yesterday and
promptly melted his power supply and mother board.  As he reached for the
power switch to turn off the machine, the virus blasted a perfectly circular
hole in the front panel of his AT clone and left a three foot oval scorch
mark on the back wall of his den.  I had not heard of this virus before
and felt that an alert might be in order.  Anyone experiencing similar
symptoms should contact us immediately.
Thank you.

[Ed. Sounds (to me) like paranoia strikes deep.  I trust that everyone
will have the good sense to take this report with a large grain of
salt...]

------------------------------

Date:    Fri, 10 Nov 89 22:17:27 +0000
From:    biar!trebor@uunet.uu.net (Robert J Woodhead)
Subject: Interferon & The Vision Fund (Mac)

On behalf of the Vision Fund, I would like to thank everyone who has sent
in a Shareware donation for use of the Interferon program.  We have
collected a substantial amount of money that has gone to good use.

Now I have a request:  Please don't send in any more money!  Interferon
is now an obsolete program; Shareware programs like Disinfectant and
commercial programs like (plug, I wrote it) Virex are faster and better.
In addition, I've been told by my accountants that the informal structure
of the Vision Fund can cause me some tax problems if too much more money
comes in.

Therefore, I declare both Interferon and MandelColor (another Vision Fund
program) to be Freeware.  After a certain date, any cheques received made
out to the Vision Fund will be returned.  Any cash sent in, or cheques made
out to Yours Truly, will be spent on wooing women.

- --
Robert J Woodhead, Biar Games, Inc.   !uunet!biar!trebor | trebor@biar.UUCP
Announcing TEMPORAL EXPRESS.  For only $999,999.95 (per page), your message
will be carefully stored, then sent back in time as soon as technologically
possible.  TEMEX - when it absolutely, positively has to be there yesterday!


------------------------------

Date:    Sat, 11 Nov 89 07:41:00 -0500
From:    WHMurray@DOCKMASTER.ARPA
Subject: "The Cuckoo's Egg," Cliff Stoll, Doubleday, New York ($18.95),

>(In my personal opinion, by
>the way, "The Cuckoo's Egg" should be considered required reading by
>anyone who runs, or is interested in, computers - *highly*
>recommended.) -- Ken Van Wyk

As much as I like Cliff Stoll, I still hate to be forced to sell his
book.  Nonetheless, I am forced to agree with Ken on this: the book is
required reading.  It is so much so, that I do not even harbor any
qualms about saying so on the network.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date:    Sat, 11 Nov 89 12:34:24 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Virus trivia (PC)

Just a few random bits of information....

        * A diskette infected with the Ohio virus will be immune to
          infection by the Brain and Den Zuk viruses, since it contains
          the signature of those two viruses.

        * The Vacsina virus can only properly infect a .COM file, so
          when it infects a .EXE file it will do so in two steps, first
          change it into a .COM file by overwriting the 4D 5A signature
          with a JMP instruction and placing a 132 byte loader program
          at the end of the file. The next time this program gets infected
          it will be infected just like any other .COM file.

        * Almost all .EXE infecting viruses place the virus code at the end
          of the infected file. One virus, sURIV 2.0 does not. It will insert
          itself just after the header of the program it infects.

And one question: What language is "Den Zuk"?  I thought it was Dutch for
"The search", but I have been told that it is not.

- -frisk
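A defender-side check for the .EXE-to-.COM conversion frisk describes (an added example, not code from the post or from any scanner; the file names and header bytes are constructed): it flags a file named .EXE whose 4D 5A signature has been replaced by a JMP, and reports whether that JMP lands in a 132-byte tail appended to the file.

```python
from typing import Optional

MZ_SIGNATURES = (b"MZ", b"ZM")  # 4D 5A; DOS also accepts the swapped form
JMP_NEAR = 0xE9                 # x86 near relative JMP, 16-bit displacement
LOADER_LEN = 132                # size of the tail loader the post attributes to Vacsina


def near_jmp_file_offset(data: bytes) -> Optional[int]:
    """File offset a leading E9 JMP transfers to, or None if there is none.

    A .COM image is loaded at CS:0100h, so file offset 0 is address 0100h
    and the target's file offset is (0100h + 3 + rel) - 0100h, mod 64K.
    """
    if len(data) < 3 or data[0] != JMP_NEAR:
        return None
    rel = int.from_bytes(data[1:3], "little", signed=True)
    return ((0x100 + 3 + rel) & 0xFFFF) - 0x100


def classify_dos_image(name: str, data: bytes) -> dict:
    """Classify a DOS executable image by name and header.

    kind: 'exe' (MZ intact), 'com', or 'exe-signature-patched' (named .EXE
    but DOS would now run it as a flat .COM whose first instruction jumps).
    tail_jump: the leading JMP lands inside the last LOADER_LEN bytes, the
    shape produced by appending a loader and patching the signature.
    """
    ext = name.upper().rsplit(".", 1)[-1]
    result = {"kind": "com", "jmp_target": None, "tail_jump": False}
    if data[:2] in MZ_SIGNATURES:
        result["kind"] = "exe"
        return result
    target = near_jmp_file_offset(data)
    result["jmp_target"] = target
    if ext == "EXE":
        result["kind"] = "exe-signature-patched"
    if target is not None and target >= len(data) - LOADER_LEN:
        result["tail_jump"] = True
    return result


# Constructed samples (hypothetical, not real infected files):
EXE_SAMPLE = b"MZ" + bytes(998)                      # 1000-byte stub EXE
PATCHED_SAMPLE = (b"\xE9" + (997).to_bytes(2, "little")  # JMP to offset 1000
                  + EXE_SAMPLE[3:] + b"\x90" * LOADER_LEN)  # appended tail
COM_SAMPLE = b"\xB4\x4C\xCD\x21"                     # mov ah,4Ch / int 21h
```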

------------------------------

Date:    10 Nov 89 16:46:36 +0000
From:    ut-emx!chrisj@cs.utexas.edu (Chris Johnson)
Subject: Re: MacWight? (Mac)

XRJDM@SCFVM.BITNET (Joe McMahon) writes:
>You may (or may not :-) remember the discussions we had here on the
>list about this. As far as I remember, there was never a specific
>demonstration that there was a virus involved. That doesn't mean that
>there wasn't; it just means that there were never quite enough facts
>presented to make a case either way. I'd leave it off for now, or
>mention it as a "rumored sighting" or whatever. Safest not to mention
>it, especially since it was never pinned down and analyzed.
>
> --- Joe M.

I agree whole-heartedly!  Please *do*not* mention this alleged virus -
the paranoia the initial reports of this alleged virus have given way
to is damage enough.  There is still *no* evidence that this virus
ever existed.

Since my initial postings on this subject, I have received a couple of
files that, it was thought, might have been infected by this alleged
virus.  I found no indication of any virus (or anything at all out of
the ordinary) in those files.

Once again, there is still *no* evidence that this virus ever existed.
If new evidence surfaces, this discussion can continue, but at the
moment there's no evidence and, consequently, nothing to discuss.  The
end.

"The onus of proof is on he who asserts the positive."

Cheers,
- ----Chris
- ----chrisj@emx.utexas.edu

------------------------------

Date:    Sat, 11 Nov 89 19:52:07 +0000
From:    madd@world.std.com (jim frost)
Subject: Re: Where are the Sophisticated Viruses? (PC)

frisk@rhi.hi.is (Fridrik Skulason) writes:
>jim frost writes:
>>Given the limited resources of PC environments, it's
>>unlikely that you'll get a very sophisticated virus.

>I must disagree. In the PC environment it is not a question of limited
>resources, but rather the fact that any user process has full access to
>ALL resources and can even directly manipulate the hardware if required.
>So, my opinion is that it is even easier to write a sophisticated virus on
>the PC than in most other environments.

No, it's harder.  Most of the items which I consider sophisticated
require fairly fancy programming which requires code space, data
space, and CPU time, each of which is at a premium in most PCs.  A
really sophisticated virus, one targeted for UNIX, for instance, could
easily approach or exceed a megabyte in size.  You just can't do that
on most PCs, and users would notice even if you could.

On the other hand you don't need to.  MS-DOS systems are so trivial
that it's difficult to build a good virus detector and there are no
inherent security systems.  Viruses don't need to be sophisticated.

>Finally, I want to add one "feature" to the description of a sophisticated
>virus:

>"Bypass protection programs and jump directly to the hardware, DOS or
>BIOS routines."

I didn't add that because that's not usually one of the "survival"
traits, but rather is used in propagation and/or infection.  I have a
fairly lengthy document on the kinds of things a real sophisticated
virus might do in each stage (what I showed before was a subset of
this document).  I consider the document sensitive so I am wary of
posting it.

jim frost
madd@std.com

------------------------------

Date:    11 Nov 89 21:56:43 +0000
From:    kelly@uts.amdahl.com (Kelly Goen)
Subject: Previous Incorrect Attribution

Hi all,
      Well it seems I have been guilty of incorrect attribution
of an article I forwarded for Aryeh Goretsky... The forward was NOT
officially from the CVIA nor does it represent an official opinion
of the CVIA. The forward was from Aryeh Goretsky who was not acting
in any official capacity for the CVIA. Here I am red-faced indeed!!
My fault only in the incorrect attribution...
           cheers
           kelly


------------------------------

Date:    Sat, 11 Nov 89 14:39:50 -0800
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: New Virus (PC)

    Yet another virus has been reported and sampled in the Seattle
area.  The virus is a COM, EXE and Overlay infector that increases the
size of infected files by 1644 bytes.  It activates on Sundays and
displays the message: "Today is Sunday!  Why do you work so hard?  All
work and no play make you a dull boy."  File allocation table damage
has been reported in two instances, although we could not duplicate
the FAT problem on our test systems.
    McAfee is planning to put SCAN49 out on Tuesday.  49 will detect
this Sunday virus, the Lisbon Virus and Yuval Tal's Do Nothing virus
(He sounds pretty haggard over the phone and begins to snarl if the
words "new virus" are mentioned).
Alan

------------------------------

Date:    13 Nov 89 03:40:48 +0000
From:    munnari!stcns3.stc.oz.AU!dave@uunet.UU.NET (Dave Horsfall)
Subject: Re: Identify Ashar Virus (PC)

It has been pointed out to me (hello Kelly!) that I may have been less
than gracious in my response to the report of "ld viruses found."
Certainly no offence was meant to John McAfee, and I hope none was
taken.

However, actual bug details aside, the point I was making was that the
user of a virus-detector has to have absolute trust in it, and any
errant behaviour by the program can only weaken that trust, no matter
who the author is.  Certainly, a failure to correctly report the
number of viruses found would seem to imply a lack of testing.

Virus detectors must not only be above reproach, they must be SEEN to
be above reproach.

Anyone here read comp.risks/RISKS-L ?

- --
Dave Horsfall (VK2KFU),  Alcatel STC Australia,  dave@stcns3.stc.oz.AU
dave%stcns3.stc.oz.AU@uunet.UU.NET,  ...munnari!stcns3.stc.oz.AU!dave

------------------------------

End of VIRUS-L Digest
*********************