VIRUS-L Digest Wednesday, 17 Apr 1991 Volume 4 : Issue 63 Today's Topics: F-PROT version 1.15 available (PC) Stoned and Dark Avenger mutations (PC) New programs ob BEACH (PC) Joshi virus fixed! (PC) Re: AF/91 - John Gantz "joke" in Infoworld RE: Norton's Antiviral program (PC) Wasting my time Malicious Code Responce Policy (ALL) Re: UNIX & Viruses (UNIX) Re: HyperCard anti-virus script bad (Mac) Re: HyperCard anti-virus script bad (Mac) Documented Cases of Viruses -- NOT on PCs or MACs Re: Stoned 2 query (PC) EMPIRE Virus (PC) Re: Is virus infection by inserting floppy disk possible? (PC) (Mac) Viraphobia (Re: AF/91 and April Foolism in general) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 15 Apr 91 23:14:02 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: F-PROT version 1.15 available (PC) Version 1.15 of the F-PROT anti-virus package is now available. There are no major changes from version 1.14 - you have to wait for 2.0 to see all the new features. I have uploaded the program to beach.gal.utexas.edu, but several other FTP sites will probably have the package in a couple of days or so. Version 1.15 added the following features: Detection, but not disinfection of Akuku Doom2 Mardi Bros Microbes MIX2 Ontario Spyer Swedish disaster USSR-1594 X-boot Detection and removal of 10 past 3 1575 1600 (Jerusalem variant) 403 4th Black Friday (Jerusalem variant) Aircop AntiCAD/Plastique-2576 AntiCAD/Plastique-3004 (COBOL) Azusa Burger-382 Cascade 1701-YAP Christmas Violator Dark Lord (variant of Terror) Deicide Dutch-555 Enigma Fichv 2.1 Flip/Omicron-2153 The 4th Black Friday (Jerusalem variant) Frere-2 (Jerusalem variant) G-Virus, version 1.3 (731) Gergana Grither (Vienna variant) HIV Hybryd Iraqui Warrior (Vienna variant) Jeff (impossible to disinfect) June 4th (Stoned variant) Klaeren (impossible to disinfect) Kylie (Jerusalem variant) Leprosy-A Leszop (Stoned variant) Magnitogorsk Michelangelo (Stoned variant) Micro-128 Minimal-45 Mirror MG-4 Monxla-B Paris Phantom Plague Rostov (Stoned variant) September 18th-789 (first reported as "805") September 18th-801 (first reported as "817") Sexual revolution (Stoned variant) South African-408 Spanish Telecom (boot-form) Staf SVC 3.1 Taiwan-C (752 byte variant) Taiwan-D (677 byte variant) Testvirus B Vienna VHP-622 from Bulgaria Vienna 822 from Hungary Wolfman Removal of the following viruses, which were detected in 1.14 905 Lovechild Terror Vienna-644 The "405" and "382" viruses have now been reclassified as Burger-variants. The names of some viruses have been changed, in most cases because the viruses had only a temporary, numeric name. 1600 --> Happy New Year 417 --> F-word Perfume --> G-Virus /NOBOOT switch added to F-DRIVER to disable memory check at boot time. Should only be used on computers with Network Boot ROMs, where the standard F-DRIVER has caused problems. /QUICK switch added to F-FCHK. Using it results in faster scanning, but reduces the chances of detecting previously unknown variants of "old" viruses. /DELETE switch added to F-FCHK. If it is used, infected files will be overwritten several times and then deleted. The F-INOC and F-DIR programs are not included any more, as they were practically useless. F-FCHK will now indicate if a program has been compressed by DIET, LZEXE or PKLITE. The programs will not be scanned - that will be added in a later version. A small program (F-TEST) has been added to determine if F-DRIVER is installed and working properly. See USAGE.TXT for further information. The following bugs/problems have been fixed: F-DISINF /MULTI did not work under all circumstances. Conflicts between F-DRIVER and PC-NFS have been eliminated. Version 1.14 was not able to remove all variants of Jerusalem, including some which 1.13 handled successfully. This has been fixed. ------------------------------ Date: Mon, 15 Apr 91 22:00:00 -0300 >From: Raul Fernando Weber Subject: Stoned and Dark Avenger mutations (PC) Three slightly different versions of the Stoned virus were detected during the last months in Porto Alegre (Southern Brazil). The first version contains the string "Your PC is now Stoned! LEGALISE MARIJUANA!". In the second version this string now reads "Your PC is now Stoned! LEGALISEm disk or d". Curiously, the last part of the modified string seems to be derived from the original boot sector, where the string "Non-System disk or disk error" can be found at the same offset. I wonder if this can happen due to a failure at the propagation routine? The third version is quite different, and was first detected in a city near Porto Alegre. The string now reads "Collor, um tiro basta! Call John MacAFee? ". The first line is in Portuguese and means "Collor, one shoot is enough!", a protest against the economic plan of President Collor. There is another modification, however, probably to protect this mutation against virus scanners. Beginning at the offset 63, four bytes were changed from BE 04 00 57 to 57 BE 04 00. With this change, SCAN and CLEAN cannot detect the virus anymore. The program F-BOOT from the FPROT114 package, however, is still able to detect and remove the virus (Good work, Frisk!). Another virus that also appeared in the last weeks was Dark Avenger. The string "Eddie lives...somewhere in time!" can be detected at the beginning of the virus body, but the final string was modified to "This virus was created in Singapore (C) Copyright 1990-91 Data Maniac". Both SCAN/CLEAN and F-FCHK (from FPROT114) are able to detect and eliminate this virus. Raul F. Weber Institute of Informatic Federal University of Rio Grande do Sul Porto Alegre - RS Brazil e-mail: weber@sbu.ufrgs.anrs.br or weber%sbu.ufrgs.anrs.br@lbl.gov ------------------------------ Date: Tue, 16 Apr 91 08:45:00 -0500 >From: John Perry KG5RG Subject: New programs ob BEACH (PC) The anonymous FTP server at BEACH.GAL.UTEXAS.EDU has added the following programs to the [anonymous.pub.virus.pc] directory: FPROT115.ZIP SCANV76C.ZIP NETSCN76.ZIP VSHLD76C.ZIP INAZUSA.ZIP John Perry KG5RG University of Texas Medical Branch Galveston, Texas 77550-2772 You can send mail to me at any of the following addresses: DECnet : BEACH::PERRY THEnet : BEACH::PERRY Internet : perry@beach.gal.utexas.edu Internet : john.perry@f365.n106.z1.fidonet.org BITNET : PERRY@UTMBEACH SPAN : UTSPAN::UTADNX::BEACH::PERRY FIDOnet : 1:106/365.0 ------------------------------ Date: 16 Apr 91 04:36:52 +0000 >From: awl@extro.ucc.su.oz.au (Tony Locke) Subject: Joshi virus fixed! (PC) Thanks to all those who replied to me with advice for fixing the Joshi virus. I never actually got to see a program eliminate it on my particlar machine, ever using Clean and Scan, I managed to eliminate it using a low level format from the BIOS. Thanks for all help Tony Locke ------------------------------ Date: 16 Apr 91 15:03:32 +0000 >From: CAH0@gte.com (Chuck Hoffman) Subject: Re: AF/91 - John Gantz "joke" in Infoworld sharp@mizar.usc.edu (Malcolm Sharp) writes: > I'm not laughing. No, I guess you're not. It sounds like you went to a lot of trouble in response to it. > I'm searching for the adjectives to describe this irresponsible > act. > > Anyone else spend time investigating this virus from the 4/1 columns? "Thoughtless," maybe. "Irresponsible?" I don't think so. He's not responsible for what you do on the basis of one, uncorroborated report. I think I might have checked with this network first before spending a lot of time. > I'm *seriously* considering a class action suit for compensatory > (small $) and punitive (BIG $$$) damages. > > Interested in hearing from others. Maybe you should hear from John Gantz (privately). You didn't mention whether or not you called him to discuss this before you put a lot of effort in. I've called authors of professional articles and textbooks several times, and they all have seemed pleased to get the call. They've all had more to say than was actually in print. A call might have helped, here. Or even a non-public exchange of e-mail, before launching a difficult virus hunt. I'm sorry that you went to such trouble. Maybe a little beforehand communication with the net or the author will be helpful next time something like this comes up, and it might save you a lot of effort. - - Chuck Hoffman, GTE Laboratories, Inc. | I'm not sure why we're here, cah0@bunny.gte.com | but I am sure that while we're Telephone (U.S.A.) 617-466-2131 | here, we're supposed to help GTE VoiceNet: 679-2131 | each other. GTE Telemail: C.HOFFMAN | ------------------------------ Date: 16 Apr 91 14:40:58 -0400 >From: "John D. Hopkins" Subject: RE: Norton's Antiviral program (PC) > I have heard there was an article in a mag. comparing Norton's > antiviral to McAfee's scan and that the Norton's program failed to > identify the Stoned virus. Can anyone confirm or deny this? I can absolutely guarantee you that this is false!! The Norton Anivirus program found the bloody Stoned virus on one of our machines and sucessfully removed it with no bother. I had trouble getting the thing cleaned off a floppy, but McAfee didn't do any better. So far we have no complaints with Norton. +-------------------------------------------------------------------------+ | John D. Hopkins, Operational Support |Through the darkness of future | | |past, The magician longs to see| | Col. of Business Admin. Computer Center |One chants out between two | | University of Georgia ph. 2-3829 |worlds, Fire... walk with me. | +-------------------------------------------------------------------------+ ------------------------------ Date: Tue, 16 Apr 91 15:51:00 -0500 >From: R3B@VAX5.CIT.CORNELL.EDU Subject: Wasting my time I am amusingly considering a classless action against Malcolm Sharp et al for wasting my time on their hurt pride. "I'll have my computer get in touch with your computer" - ---------------------------------------- Richard Howland-Bolton Manager Publications Computing Cornell University Internet: R3B@VAX5.CIT.CORNELL.EDU Compuserve: 71041,2133 AppleLink: CUGURU Voice: (607) 255-9455 FAX: (607) 255-5684 Post: Publications, East Hill Plaza Ithaca, NY 14850 Etc, etc. - ---------------------------------------- ------------------------------ Date: Tue, 16 Apr 91 14:02:52 -0600 >From: Peter_Johnston@mts.ucs.ualberta.ca Subject: Malicious Code Responce Policy (ALL) The University of Alberta has recently been hit by a new PC virus ("Evil Empire"). As often happens in such cases, we were caught less than fully prepared and have been scrambling (with much help from various anti-viral experts on the net) to react to this threat. We are now making progress and hope to soon announce a full recovery. We have also over the past two years started seeing other examples of malicious code on Macintosh and PC machines, both in our public labs and on individual student and staff machines. As a result, management here is now more sensitized to the problem and we are in the process of developing a more formalized campus-wide "Malicious Code Response Policy" that can be used as a starting point for future responses. It will address all facets of the problem when it is done: emergency response, prevention, escalation policies, who to contact, how to do certain things, etc. I have been asked to develop it, and have several ideas of my own with with which to start. However, I am sure that other organizations have faced the same situation and may have such policies already in place. I would appreciated receiving advice, suggestions, or text of already developed anti-viral policies from members of the net. In return, I would be pleased to share our policy when developed with members of the net. If you can help, please forward materials to me either electronically or by physical mail (machine readable if possible) to one of the addresses below. The QuickMail address is not (yet!) quite as reliable as the others. If there are any special conditions that you wish attached to material submitted (such as confidentiality), please so state and we will abide by them. Thanks... - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Peter Johnston | Voice : 403/492-2462 University Comput Systems | FAX : 403/492-1729 352 GenSvcBldg, | BitNET : usergold@ualtamts The University of Alberta | Internet : usergold@mts.ucs.ualberta.ca Edmonton, Alberta | QuickMail: Peter_Johnston@ Canada T6G 2H1 | : quest.ucs.ualberta.ca - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ------------------------------ Date: Tue, 16 Apr 91 21:00:20 +0100 >From: Paul Subject: Re: UNIX & Viruses (UNIX) ethan@thinc.COM (Ethan.Lish@THINC.COM) writes: > The simplest form of a *NIX virus is : > cp $0 . > Now *every* *NIX platform I know of will run this "virus" > P.S. **NOTE DO NOT RUN THIS VIRUS, SO I DON'T HAVE TO SAY "I TOLD YOU SO"** Ooops, just ran it! It said "No file for $0.". Thats on Sun OS 4.1 running csh. Just how is cp $0 . supposed to be a virus? Even if $0 was defined to something valid all it would do is copy a file into your current directory. Paul Sutton Department of Computing, University of Bradford, Bradford, BD7 1DP, UK p.c.sutton@bradford.ac.uk ------------------------------ Date: Tue, 16 Apr 91 15:47:34 +0800 >From: bcarter@claven.idbsu.edu Subject: Re: HyperCard anti-virus script bad (Mac) >Unfortunately, Bruce, if the script is going to spread, it has to get >past the scripts in the HOME card of HC. Passing the message directly >to HC does not bypass the HOME scripts. > >Mike >Mac Admin >WSOM CSG >CWRU >mike@pyrite.som.cwru.edu Of course sending to HyperCard bypasses the Home stack scripts, which you could have easily verified if you had bothered to check. Here is a simple example. There is a handler called "xy" in the stack script of the Home stacks of both version 1 and 2 of HyperCard. Execute the following handler from a button, or execute the statements individually from the message box. on mouseUp xy send "xy" to HyperCard end mouseUp The first xy executes the xy handler in the Home stack (which gives you an updating mouseLoc in the message box). Click to exit the xy handler. The send executes and you get a "Can't understand xy" message because HyperCard doesn't know what to do with the "xy" message. The handler is in the Home stack and has been bypassed by the send. Or here is a more directly related example. Put the following in your Home stack. on set answer "Tried to use set" end set This should prevent any set from being executed. It is easily bypassed by using the send format. Bruce Carter, Courseware Development Coordinator Lab: (208) 385-1859 Faculty Development Lab - Room 213 Office: (208) 385-1250 Simplot/Micron Technology Center CompuServe ID: 76666,511 Boise State University CREN (BITNET): duscarte@idbsu 1910 University Drive Internet: duscarte@idbsu.idbsu.edu Boise, ID 83725 --> Preferred: bcarter@claven.idbsu.edu =============================================================================== ------------------------------ Date: Tue, 16 Apr 91 14:36:19 -0900 >From: "Jo Knox - UAF Academic Computing" Subject: Re: HyperCard anti-virus script bad (Mac) > mike@pyrite.SOM.CWRU.Edu (Michael Kerner) writes: > Unfortunately, Bruce, if the script is going to spread, it has to get > past the scripts in the HOME card of HC. Passing the message directly > to HC does not bypass the HOME scripts. Untrue---sending the command to HyperCard DOES bypass the normal HyperCard message inheritance path! (Course, I know nothing about 2.0...) jo ------------------------------ Date: 16 Apr 91 22:38:13 +0000 >From: braunste@sal-sun12.usc.edu (Gil Braunstein) Subject: Documented Cases of Viruses -- NOT on PCs or MACs I was wondering whether there are documented cases of viruses infecting mainframes or minis (basically not PCs). So far all books about viruses that I read do not document cases of viruses they simply describe how it can be done. I'm a CS graduate student at USC and I'm taking a course in information security (unfortunately not given by the CS department), my instructor claims that there have not been any documented cases of viruses infecting mainframes that he knows of. On the other hand, another instructor claims to know about some cases but one of the few sources that he pointed out was Fred Cohen's paper. The Fred Cohen paper seems to be missing from the school's library so I was wondering if any of you have access to that paper and can send me a copy and also about any other documented cases of viruses infecting non-Pcs. Thanks in advance, Gil. ------------------------------ Date: 16 Apr 91 23:17:18 +0000 >From: sharp@mizar.usc.edu (Malcolm Sharp) Subject: Re: Stoned 2 query (PC) According to my sources, Stoned 2 is a "shadow" of Stoned... if you use the McAfee CLEAN [Stoned], Stoned 2 will go away. ------------------------------ Date: Wed, 17 Apr 91 12:30:00 +1200 >From: "Nick FitzGerald" Subject: EMPIRE Virus (PC) In VIRUS-L Digest V4 #62 padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) wrote: > In my previous alert on the EMPIRE virus, I had not yet seen the >second sector with the transposed text. Since then I have received >this >[deletions] >Text of encrypted message follows: > >I'm becoming a little confused as to where the "evil empire" is these >days. >[rest of virus message deleted] If it's not too late, I would respectfully suggest that "Evil Empire" is a better name for this virus as it is more easily identified when the beasty does trigger and display its message, _AND_ it is a "more unique" name. Tim also sent me a copy of this virus, and it has an interesting feature when it infects a HD with a controller that writes to the MBR. A week or so ago, it was mentioned that some XT HD controllers write up to 17 bytes (yep, 17!) of guff to the MBR immediately before the 64 bytes reserved for the partition table. Well, my XT at home has just such a controller and when that machine is infected with the Empire virus (I'll use this name for now to avoid/prevent confusion) the HD is rendered unbootable. This is because the HD controller seems to always slip its mystery bytes into a write to 0,0,1, including the viral infection write. As the Empire virus code requires all of the MBR sector apart from the last 66 bytes, its code is corrupted by these 17 mystery bytes, and it doesn't execute correctly, hanging the machine at boot-up. - --------------------------------------------------------------------------- Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z. Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337 ------------------------------ Date: Tue, 16 Apr 91 22:24:00 -0500 >From: F8DY@VAX5.CIT.CORNELL.EDU Subject: Re: Is virus infection by inserting floppy disk possible? (PC) (Mac) mike@pyrite.SOM.CWRU.Edu (Michael Kerner) writes: > That's what WDEF viruses do on the Macintosh - they transfer from the > "desktop" file of the infected floppy to the host. However, they are > also extremely easy to kill, and don't do any real damage, so they are > not (yet) seen as a big threat. It may be easy to kill (rebuild your desktop!) but it also spreads like wildfire. And it certainly does do "real damage" -- where I work, people have lost papers because WDEF crashed their system and corrupted their files. It causes printing problems, it crashes a Mac II almost immediately, and God help you if you get it on a server! In reply to the original question, CDEF (Mac) also works like this: infecting the desktop file, usually on disk insertion. And since it was written at Ithaca High School, it is _all_over_ Cornell. (Lucky us.) _____________________________________________ | / \ / \ | | / You can't fight | | Mark Pilgrim \ | | | in here -- this |\_______/| | | \_____| is the WAR ROOM! |// \\| f8dy@cornella. |_____/ | (from Doctor /// \\\ cit.cornell.edu | | Strangelove) /// \\\ | \_______________/// \\\_______________/ My thoughts may not be my own, but they're certainly not my employer's. ------------------------------ Date: 17 Apr 91 02:27:05 +0000 >From: "Eric C. Pan" Subject: Viraphobia (Re: AF/91 and April Foolism in general) I am getting tire of all the people whose hair stand on ends at the mentioning of viruses. I think April Fool's Day is a nice way to relax.... I believe some people are too easily paniced by any mentioning of virus. I am beginning to wonder if you will believe me if I claim that the human acquired immune deficiency syndrome, i.e. the HIV virus is spreading to computer. Gosh, I am tired of all the people who ask me to check their disks for viruses everytime they get a system error, or their drive makes a funny sound. Track Record so far? Out of 20 some people I helped, none of them have ANY VIRAL INFECTION. NONE! And yet everyday, someone would scream "Computer Virus" because they crashed their system, sometimes because they pushed their reset button. Is there someway we can stop this PARANOIA? I think sueing anyone who bring up virus as a joke is definitely not a solution. ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 63] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253