VIRUS-L Digest   Wednesday, 4 Oct 1989    Volume 2 : Issue 211

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk

Today's Topics:

New virus? - further report (Mac)
Lost mail in U.K.
Tiger Teams
Re: Followup on new virus (Mac)
Columbus Day Virus in the Military
Virus protection (PC)
NIST Special Publication
Re: viruses in Commercial Software
Correction to previous posting (Mac)
new IBMPC anti-virals
UNIX virus proof?! (UNIX)
Jerusalem Virus -B (PC)

---------------------------------------------

Date:    03 Oct 89 14:49:03 +0000
From:    jap2_ss@uhura.cc.rochester.edu (Joseph Poutre)
Subject: New virus? - further report (Mac)

Here is a further report on the possible virus at the U of R. The student consultants at the University computing center made copies of programs they believed infected and sent them to our computer center. I had an infected copy of Macwrite 5.01 for a while, where I discovered the added STR and the changed ICN. I have had reports of Macwrite II being attacked, but the info I have is incomplete. I am still trying to get another infected program, but I am never around when an infected disk is found. When I get one, those that requested a copy will be sent one via email, if it works.

The infected System on the consultants' hard drive is 6.0.2, and the only symptom it has shown so far is the "Last Modified" date and time change at irregular intervals, including this morning.
I was able to induce a change by repeatedly doing a Get Info on the system. The virus probably found its way onto the disk when a consultant put recovered files from a disk showing what may be symptoms of the virus onto the hard drive. Vaccine is installed in the System folder, and did nothing. The system also has NVIR immunity.

The applications known to be attacked, so far, are Macwrite 5.01, Macwrite II, the System and its associated files. All of them, even the clipboard. I just watched the Last Modified date on Laserwriter change during a copy. (Needless to say the consultants are working on replacing and File Locking everything. This appears to protect against the virus.)

I will obtain copies of the infected stuff and try to do some comparisons using Resedit. To repeat, Disinfectant 1.2 has no effect, and Vaccine does not protect against it, at least from infecting within a disk. I plan to spend today working with infected and non-infected programs, and report my findings, and those of the others working on this problem.

Joseph Poutre (The Mad Mathematician)
jap2_ss@uhura.cc.rochester.edu
Understand the power of a single action. (R.E.M.)

------------------------------

Date:    Mon, 02 Oct 89 09:40:10 -0000
From:    "David.J.Ferbrache"
Subject: Lost mail in U.K.

Due to disruption of the mail gateway at Heriot-Watt University, mail during the month of September has been intermittent. Anyone who has sent mail to me and not received a reply, please accept my apologies and resend the letter. The info-server facility is currently clearing a backlog of requests and should return to normal service shortly.
Many thanks
- ------------------------------------------------------------------------------
Dave Ferbrache                    Internet
Dept of computer science          Janet
Heriot-Watt University            UUCP      ..!mcvax!hwcs!davidf
79 Grassmarket                    Telephone +44 31-225-6465 ext 553
Edinburgh, United Kingdom         Facsimile +44 31-220-4277
EH1 2HJ                           BIX/CIX   dferbrache
- ------------------------------------------------------------------------------

------------------------------

Date:    03 Oct 89 14:03:00 +0700
From:    "Okay S J"
Subject: Tiger Teams

In VIRUS-L V2NO208 "Thomas B. Collins, Jr." writes:

>Say I get my new system, put all the software on
>it, and run a few virus scanners that turn up nothing. I then run all
>applications from my hard drive, and don't use any floppy disks. It
>wouldn't make sense for me to check my hard drive every day for viruses,
>because they don't just pop up from nowhere.

You're discounting the fact that your machine could be on a network. Having an infected machine on a network where one transfers files between machines can be just as bad as sticking a floppy in the machine. One shot does not cure all.

>If I did add software to my system, I would check it for viruses before
>adding it. I think it would make more sense for the Tiger Teams to come
>in in the middle of the day, ask you to please save your work, and then
>run a virus checker on your system.

It would cause too much of a loss of productivity and interruption of the work routine. Night is better if you're going to do it. Plus the public embarrassment of having one's machine checked. Seriously, it's kind of like any test for drugs or AIDS or anything like that. It's not so much as to whether you are infected, but just the idea that it was done. After all, why have a test done if there isn't some suspicion... This at least would be the view of most people around those who had their machines tested. 'Did you hear George got busted by the Tiger Team last week?---They didn't find anything, but you never know....'
>If anything is found, you are "cited" as letting a virus into your system.
>If you're clean, you go back to work, and the Tiger Team moves on.

What exactly does 'cited' mean? Disciplined? Publicly marked as an electronic leper in the company? Fired?

--Now that we've established how they would operate, what should be the penalties for those 'caught'?

Stephen Okay
Technical Aide, The MITRE Corporation x6737
OKAY@TAFS.MITRE.ORG/m20836@mwvm.mitre.org
'Geez... I actually have to use a disclaimer now, I must be getting important!'
Disclaimer: It's mine, mine, mine, mine, mine !!!!!!!!!!!!!!

------------------------------

Date:    03 Oct 89 16:14:59 +0000
From:    eplrx7!milbouma@uunet.UU.NET (milbouma)
Subject: Re: Followup on new virus (Mac)

>No anti-virus program has been able to find it, including Interferon,
>Virus Rx, Anti-pan, and Disinfectant 1.2. If this is recognized by anyone,
>please email me ASAP at the address below with devirusing help.

I tried to e-mail but the message bounced. I do not recognize the virus by your description, but if it is new then no one will, including the antiviral apps that you mention. I can recommend Symantec's new antiviral package, SAM, which will flag any abnormal writes from an application (like Vaccine if you're familiar with it, but better than Vaccine). SAM will at least protect your machines from getting infected and also has a Virus scanner program that scans for known viruses and can also repair irreplaceable apps that are infected. Part of the protection init also will ask you if you want to scan a floppy for known viruses whenever you insert one.

I also recommend that you contact Symantec and give them a copy of your virus so they can update their Virus scanner program. Symantec can be contacted at (408) 253-9600, (800) 441-7234.

Please keep the net posted on further developments with this virus. I would especially be interested to know if the SAM INIT flags infection attempts by the virus.
Thanks
(I do not work for Symantec)

------------------------------

Date:    Tue, 03 Oct 89 11:10:34 -0600
From:    Chris McDonald ASQNC-TWS-RA
Subject: Columbus Day Virus in the Military

While I did not see the Computer Chronicles report referenced by a poster in a recent Virus-L edition, I would propose that there really is no accurate way at the present time to gauge any computer viral infection within the military given existing policies and organizational structures. The diversity of organizations has resulted in differing policies as to whether such reporting is or is not mandatory. This "discretionary" rather than "mandatory" reporting ensures, in my opinion, that viral infections go unreported. Indeed, I am aware of an outbreak of the Israeli B virus strain which infected several PCs at a particular Army activity which I subsequently learned was not reported through its chain-of-command. In all fairness the written policies applicable to that activity do not make reporting mandatory.

Insofar as the Columbus Day virus is concerned, the Army's Information Systems Command through a variety of sources has tapped the resources of Virus-L to alert its users as to the potential threat. An advisory message on the subject has been distributed utilizing information first seen on Virus-L. Other Army Commands have retransmitted the same information.

I would like to propose that the military subscribers to Virus-L perhaps pursue the problem of reporting by answering these questions:

1. Has your site experienced a viral infection?
2. What viruses were present?
3. Was it reported to the next level of command?

I am volunteering to compile the results and then post a summary of the responses received to Virus-L. I will of course ensure the confidentiality of the identity of all sites. Responses should be sent to me directly at . If this is unacceptable, then perhaps someone out there in NETLAND has a better idea.
Parenthetically, I wonder if Ken might provide a breakdown of who actually subscribes to Virus-L in terms of military, university, and contractor subscribers? This would be important to assess the level of participation.

[PS: Congratulations on your marriage!]

[Ed. Thanks! It would be extremely difficult to quantify the different VIRUS-L subscribers, particularly since we're now distributing VIRUS-L via the comp.virus Usenet newsgroup. I can tell you, however, that the actual mailing list contains just shy of 1300 subscribers, over 200 of which are redistribution points. These sites represent a solid cross-section of educational, commercial, military, and government sites in several countries. Most (perhaps 70%) of the sites are educational, with approximately equal numbers of com, mil, and gov sites. Let me stress that these are not accurate numbers for any sort of statistical analysis.]

------------------------------

Date:    Tue, 03 Oct 89 14:01:11 -0600
From:    Brian Piersel
Subject: Virus protection (PC)

I'm a new owner of an IBM AT compatible computer, and so I am not very familiar with the various anti-virus programs. Could someone explain to me how these work, and/or recommend one to get? Respond directly to me, if possible.

Thanks in advance...

------------------------------
Brian Piersel
BITNET: S1CH@SDSUMUS                    ICBM: 96.50W 44.20N
INTERNET: S1CH%SDSUMUS.BITNET@VM1.NoDak.EDU
(The Internet address doesn't always work)
"Live long and prosper."

------------------------------

Date:    Tue, 03 Oct 89 14:16:52 -0600
From:    Chris McDonald ASQNC-TWS-RA
Subject: NIST Special Publication

I would like to add some additional thoughts to those who have already commented on the NIST "Computer Viruses and Related Threats: A Management Guide."

1. I believe there is a significant error on page 2-6.
The report, in discussing the INTERNET Worm, states: "It was unclear what the network worm's objective was, as it did not destroy information, steal passwords, or plant viruses or Trojan horses." I think there is substantial evidence to prove that the Worm, in causing denial of service attacks, did indeed destroy information. Donn Seeley has made the point that the author of the Worm program specifically "deleted" an audit file so as to hide his location. There are also numerous reports that the program successfully "captured" passwords on other hosts to which the Worm author was not entitled. The NIST authors reference Dr. Spafford's report on page A-1 which addresses the "stealing" of passwords. Both Seeley's and Spafford's analyses of the incident can be found, along with other related papers, in the Jun 89 edition of the "Communications of the ACM." This ACM edition is probably the best reference on the entire incident available in the public domain. I think it should have been included in the NIST reference list.

2. I differ from several commentators who suggest that the document is "prejudiced" against the use of public domain and shareware products. I think on pages 3-3 and 5-3 the document stresses only that organizations should develop a clear policy on the acquisition and on the use of such software.

3. I am struck by the lack of any reference to Virus-L, RISKS Forum and other INTERNET services which have for years provided us users the best available, open source information on the subject of computer viruses. There is also little in the way of reference to the work of professional associations such as ACM, IEEE, the Computer Security Institute, and the Information Systems Security Association in addressing the computer virus phenomenon. Surely "technical managers", who are the audience for this publication, could use such resources to implement the virus prevention suggestions in the NIST publication.
Chris Mc Donald
White Sands Missile Range

------------------------------

Date:    Tue, 03 Oct 89 12:11:00 -0400
From:
Subject: Re: viruses in Commercial Software

We too have been hit, though not recently. Last semester, a FreeHand disk from Aldus had Scores on it right out of the box. These 'professionals' should pay more attention to what they are doing.

Alex Z...
. . .

------------------------------

Date:    Tue, 03 Oct 89 20:31:00 -0500
From:
Subject: Correction to previous posting (Mac)

Sorry, folks, I spread a little misinformation without realizing it. I have Disinfectant 1.2, not 1.5. (BTW - does anyone know where the latest versions can be obtained as they become available?) I had gotten swamped with requests for 1.5. Sorry!

------------------------------

Date:    Tue, 03 Oct 89 21:37:54 -0500
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: new IBMPC anti-virals

New additions to the archives. For the most recent site listings, see vol 2 num 209 of VIRUS-L (or better yet, save those monthly site lists!). All the files in this batch are shareware.

bootchk.exe
    Program to verify boot sector of disk. Performs comparison with secure copy of boot sector. To be used in autoexec.bat. Sent to me by author. Version 1.00 (first release). Self-extracting zip.

m-1704.arc
    Update to previous file of same name. Only change is in docs to warn of possible false alert issued by viruscan. Direct from author's BBS.

netscan.arc
    Network compatible program to scan disks for known viruses. Version 0.4v33, update to previous releases. Direct from author's BBS.

scanrs39.arc
    Resident program to scan executables for viruses before loading. Version 0.9v39, update to previous releases. Note minor change in spelling of archive name. Direct from author's BBS.

scanv40.arc
    Program to scan disk and report any viruses found. Version 0.7v40, update to previous releases. Direct from author's BBS.
shez48.exe
    Shell program for manipulating archives which, with this new release, is compatible with viruscan. Version 4.8. From HomeBase where it was placed by author. Self-extracting LZH archive.
    [ I was unable to get the viruscan aspect to work as advertised ]
    [ but I only put forth a minimal effort.                -- jrw ]

BOOTCHK.EXE   Verifies boot sector against secure copy, v1.00
M-1704.ARC    Repairs and removes infections of 1704A and 1704B viruses
NETSCAN.ARC   Network compatible program to scan for viruses, 0.4v33
SCANRS39.ARC  Resident program to check for viruses, 0.9v39
SCANV40.ARC   Scans disks and reports viruses found, 0.7v40
SHEZ48.EXE    Shell for archive manipulation w/ virus checking, v4.8

Jim

------------------------------

Date:    Tue, 03 Oct 00 19:89:58 +0000
From:    ficc!peter@uunet.uu.net
Subject: UNIX virus proof?! (UNIX)

I wouldn't say UNIX is virus-proof (I posted a hoax article about a UNIX virus over a year ago, just before the Internet Worm incident), but it's sure a hell of a lot more virus-resistant than DOS.

------------------------------

Date:    04 Oct 89 07:14:43 +0000
From:    consp06@bingvaxu.cc.binghamton.edu
Subject: Jerusalem Virus -B (PC)

SUNY Binghamton has been hit by the Jerusalem Virus. It seems to be spreading pretty well. We are looking for:

1) Advice.
2) SCAN38, SCANRES, etc... any of those.
3) UNVIRUS

We have SCAN28, and we want to know where to get everything else we need to arm ourselves against this nasty villain.

Thank you very much.

-Robert Konigsberg

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253
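The bootchk.exe entry in Jim Wright's archive listing ("performs comparison with secure copy of boot sector") and the Mac report earlier in this digest (the only visible symptom being a drifting "Last Modified" date) describe the same basic defence: take a trusted baseline, then compare. The following is an added, editorial example of that baseline-and-compare check; it is not code from the digest, from bootchk, or from any of the other tools named above. Everything in it (the disk image, the file names, the "infection") is constructed for the demonstration, and the check is written against a plain disk-image file rather than a raw device.

```python
"""Baseline-and-compare integrity check for a boot sector and a set of files."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

SECTOR_SIZE = 512              # one PC disk sector
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid PC boot sector


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_boot_sector(image: Path) -> bytes:
    """Read the first sector of a disk image (or a raw device opened read-only)."""
    with open(image, "rb") as f:
        sector = f.read(SECTOR_SIZE)
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"{image}: short read, not a full {SECTOR_SIZE}-byte sector")
    return sector


def save_boot_baseline(image: Path, baseline: Path) -> str:
    """Store a secure copy of the boot sector plus its hash and return the hash.
    Keep the baseline on write-protected media: whatever can rewrite the boot
    sector can also rewrite an unprotected baseline file."""
    sector = read_boot_sector(image)
    digest = sha256_hex(sector)
    baseline.write_text(json.dumps({"sha256": digest, "sector": sector.hex()}))
    return digest


def check_boot_sector(image: Path, baseline: Path) -> dict:
    """Compare the live boot sector with the secure copy, byte for byte."""
    current = read_boot_sector(image)
    saved = json.loads(baseline.read_text())
    original = bytes.fromhex(saved["sector"])
    changed = [i for i in range(SECTOR_SIZE) if current[i] != original[i]]
    return {
        "ok": sha256_hex(current) == saved["sha256"] and not changed,
        "changed_offsets": changed,            # where the sector was patched
        "signature_ok": current[510:] == BOOT_SIGNATURE,
    }


def snapshot_files(root: Path) -> dict:
    """Record size, mtime and hash of every file under root.  The mtime is kept
    because a drifting 'Last Modified' date was the visible symptom in the Mac
    report, but only the hash proves that the contents changed."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            snap[str(p.relative_to(root))] = {
                "size": st.st_size, "mtime": st.st_mtime,
                "sha256": sha256_hex(p.read_bytes()),
            }
    return snap


def compare_snapshots(before: dict, after: dict) -> dict:
    """Classify files as modified (contents changed), touched (date only),
    added or removed."""
    report = {"modified": [], "touched": [], "added": [], "removed": []}
    for name, b in before.items():
        a = after.get(name)
        if a is None:
            report["removed"].append(name)
        elif a["sha256"] != b["sha256"]:
            report["modified"].append(name)
        elif a["mtime"] != b["mtime"]:
            report["touched"].append(name)
    report["added"] = [n for n in after if n not in before]
    return report


def demo() -> tuple:
    """Constructed scenario (no real malware): a clean 512-byte boot sector and
    two program files, then a simulated infection that patches the sector's
    entry jump, appends to one program and only re-dates the other."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        image, baseline, apps = root / "floppy.img", root / "boot.baseline", root / "apps"
        clean = b"\xeb\x3c\x90" + b"OEM     " + b"\x00" * 499 + BOOT_SIGNATURE
        image.write_bytes(clean)
        apps.mkdir()
        (apps / "WRITE.EXE").write_bytes(b"MZ" + b"\x90" * 100)
        (apps / "CLIPBOARD").write_bytes(b"clipboard data")
        save_boot_baseline(image, baseline)      # would go on a write-protected disk
        before = snapshot_files(apps)
        clean_result = check_boot_sector(image, baseline)

        # simulated infection: redirect the boot jump, append to WRITE.EXE,
        # and change only the date on CLIPBOARD
        image.write_bytes(b"\xeb\x40\x90" + clean[3:])
        with open(apps / "WRITE.EXE", "ab") as f:
            f.write(b"\xcc" * 16)
        os.utime(apps / "CLIPBOARD", (0, 0))

        infected_result = check_boot_sector(image, baseline)
        report = compare_snapshots(before, snapshot_files(apps))
    return clean_result, infected_result, report


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want alongside any such check. First, a comparison run from autoexec.bat, as the bootchk listing describes, executes after the boot sector code has already run; a resident virus that intercepts disk reads can hand back the clean sector, so a trustworthy comparison is made after booting from a known-clean, write-protected floppy. Second, the Mac report relies on File Locking and on the "Last Modified" date; a lock bit and a date are metadata that software can clear or reset, which is why the example classifies a date-only change separately from a content change and treats only the hash mismatch as proof of modification.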