VIRUS-L Digest   Monday, 11 Dec 1989    Volume 2 : Issue 257

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.

- Ken van Wyk

Today's Topics:

Ping Pong B (PC)
Re: Network Virus Protection (Mac)
Seagate drives (PC)
Wiping out Jerusalem's virus (PC)
WDEF (Mac)
Jerusalem B virus found (long story)
Re: WDEF Virus (Mac)
re: DIR EXEC remedies (VM/CMS)
Disinfectant 1.4 (Mac)
Protecting Users from Letter Bombs
Use of Digital Signatures
JUST WHAT IS *LSD? (Mac)
SCANV51 (PC)

---------------------------------------------------------------------------

Date: Fri, 08 Dec 89 15:23:22 -0500
From: Peter Jones
Subject: Ping Pong B (PC)

We have a PC virus in our labs, which is detected as Ping Pong B by SCANV49, and as the Ping Pong Virus by IBM's virus scanner. Unlike the Ping Pong described in file MSDOSVIR.A89, it does not have the bytes 1357 at offset 1FCO. The virus appears to be a boot-sector virus; it has not been detected by SCAN in the .COMs or .EXEs.

As with Ping Pong, a strange character (not a lower-case 'o') bounces around the screen. Sometimes the "ball" bounces off a non-blank character. Sometimes characters fall down. The virus appears to be triggered, like Ping Pong, when a disk access occurs near a quarter-hour. CHKDSK issued about 5 seconds before such a time usually does it. Occasionally, we have observed two independent "balls" on the screen. We have been unable to cause this behaviour deliberately on our test PC.
The virus can be spread by an infected boot sector on non-system data diskettes, if the user accidentally leaves such a diskette in drive A and tries to boot from it, then presses any key to continue booting after the "non-system disk" message from DOS.

Questions for you readers:

1) Is there a complete description of the virus available?
2) What damage does it do?
3) What prevention and disinfection procedures can be used
   a) in computer labs with many users per machine
   b) in a professor's office (few people using a machine)
   (I've read about the idea of scanning the diskettes used by students in labs before giving the diskette to another student.)
4) Is there a version of SCANVRS that will detect boot-sector viruses on data disks?

Aside from disk utilities such as Norton's absolute sector editor, is there a simple way to disinfect a data disk? SYS A: after a clean boot doesn't work because there isn't space for a system on A:.

Peter Jones  MAINT@UQAM  (514)-987-3542
"Life's too short to try and fill up every minute of it" :-)

------------------------------

Date: 08 Dec 89 22:53:47 +0000
From: emx.utexas.edu!ut-emx!chrisj@cs.utexas.edu (Chris Johnson)
Subject: Re: Network Virus Protection (Mac)

C0195@UNIVSCVM.BITNET (Gregory E. Gilbert) writes:

>Is there any freeware that will provide virus protection when using a
>network such as AppleShare or TOPS? I know SAM will work fine. Will
>Gatekeeper or Vaccine provide adequate protection? Will Disinfectant
>provide adequate diagnosing capabilities?

Gatekeeper will work fine - just install it on all your machines. 'Makes no difference what sort of file server (if any) that you use. If Gatekeeper sees an attack taking place, it stops it - no matter what sort of volume the attacker is stored on.

This is equally true of SAM and Vaccine, but I wouldn't recommend Vaccine. Vaccine requires (1) that your machine is only used by highly skilled users/programmers, i.e.
people who always know how to respond to the Granted/Denied queries and (2) that the viruses be very simple - Vaccine's protections are minimal compared to Gatekeeper (and I'm currently working on further extending Gatekeeper's protections.)

I hope this helps,

- ----Chris (Johnson)
- ----Author of Gatekeeper
- ----chrisj@emx.utexas.edu

------------------------------

Date: Fri, 08 Dec 89 14:29:34 -0600
From: James Ford
Subject: Seagate drives (PC)

Question 1: (PC)
Some (all?) Seagate drives come with a program called DM. This program lets you set the partitions to whatever size, etc. It also includes an option to allow you to set a partition to "read-only". Would this be effective against any/some/all boot infectors, IBMBIOS, IBMDOS and COMMAND.COM infectors? How hard would it be to get around this program (DM)?

Question 2: (all)
Could the PC, MAC, or TI99/4A wizards post some of their methods of protecting their files/machines from infection(s)? Right now, I just use SCANRES, but have been thinking about spending the time to install some other (PC) programs (FluShot, Sentry, etc) on my machine. What would be the best combination?

For those of you who are keeping records of various infections, the Jerusalem Virus version "B" was detected yesterday by SCAN V50. The machine infected was a PS/2 Model 50, located in the graduate students' office. It was noticed when a grad student kept getting strange results when running Turbo Pascal (machine slowdown). The disks that have been in contact have been re-formatted (micros, that is) and the search is on for the disk that originally brought it to the machine.

James Ford - JFORD1@UA1VM.BITNET
"Gee, a one-line tag..............."

------------------------------

Date: 09 Dec 89 13:50:43 +0000
From: inesc!ajr@relay.EU.net (Julio Raposo)
Subject: Wiping out Jerusalem's virus (PC)

1: This is the C source of a program I made to clean the JERUSALEM's virus from the EXE and COM files, restoring those files to their original state.
Just cut between the start -- end lines and compile.

2: I have no access to FTP sites, so can anyone (preferably from EUROPE, it is cheaper) mail me virus scan programs for the IBM PC - DOS ?

=========================================================
[Ed. Due to its length, I'm forwarding the C program to the archive sites.]
===========================================================

Antonio Julio Raposo (ajr@inesc, LISBOA, PORTUGAL)

------------------------------

Date: Sat, 09 Dec 89 10:15:08 -0500
From: "Frank Steele"
Subject: WDEF (Mac)

The new WDEF virus for the Mac has infected some of the Mac labs at the University of Georgia. I've had a chance to see its effects; here are a few:

If your machine is infected, WDEF slows down window updates. You may hang in the middle of trying to open or close a window. Generally, the arrows in your monitor's upper left-hand corner (denoting network connection) will show during the entire process (they usually blink) and, if you're closing a window, you may see the radial lines within the close box even long after (15-30 sec) you've clicked in it. From my understanding of the proper role of the W(indow) Def(inition) resource, this makes sense.

The spooler window on an AppleShare window can take a similarly long time to update. I can't tell yet whether the virus can spread to/from AppleShare servers over the network (or only by disk contact) or whether the special desktop files, Desktop DB and DF, associated with AppleShare servers can be infected (None I've seen so far have been). Further input from others on these possibilities would be appreciated.

Also, I don't think infection is automatic. I checked a floppy disk belonging to a user who had been using an infected hard drive for an hour, and the floppy was clean.

Virus Detective, version 3.1, will search for the resource and will remove it. In fact WDEF is the only virus I'm aware of that Virus Detective can safely remove. (Others?)
Don't be intimidated by the rather lengthy dialog box telling you that removing a single resource won't necessarily remove a virus. In this case, it will.

One problem I've seen is that, if you're running Symantec Anti-virals for the Mac, telling Virus Detective to remove the resource brings up an alert box disallowing you (in about five different ways) from changing any resources, then bombs the machine. Therefore, if you're using SAM, disable it until you've removed WDEF, then re-enable it.

This is one of the more innocuous viruses to hit the Mac, but the unusual propagation method is going to make it extremely difficult to completely clean up, especially in an unattended environment, as many campus Mac labs are.

I'll be happy to help anyone with questions as much as I can through BITNET... I'd appreciate hearing from others with additional information (Has anyone taken this apart and discovered whether it has a purpose beyond propagation?)... My address is FSTEELE@UGA.BITNET.

Frank Steele

------------------------------

Date: Sat, 09 Dec 89 13:27:57 -0500
From: HJW2@PSUVM.PSU.EDU
Subject: Jerusalem B virus found (long story)

FOR THOSE WHO RESPONDED TO MY PREVIOUS VIRUS POSTING, I HAVE THIS STORY FOR YOU:

How I got Jerusalem virus in my computer
A user's nightmare came true
(88 lines long, anything longer than that would be VIRUS...)

To make a short story long, let me go back to some day in late September.... I was playing with my computer, as usual, and my wife was doing her work in the kitchen, as usual. I was using PC Tools to copy some of my files from hard disk to floppy and when I went back to root directory in C:, I saw an empty file that was new and weird to me. It looked like this in PC Tools:

Filename      File length  Attribute  Date
gEgEgEgE.gEg  0            .SR.       11/07/14

Since I have deleted countless files using PC Tools, I tried the same way to select that file and delete it. To my surprise, PC Tools responded "File not Found".
So I said to myself: "It must be the problem of zero length." and tried to write something on it so I can delete it, and you know, it didn't work that way. And the strange thing was that whenever I changed its attribute by using Edit/View function, it didn't work as it was supposed to. So I kept that file and forgot it until someone on campus (or Wall Street Journal) brought up the issue of October 13th and computer virus attack. I went to 12 Willard to get a scanv4 disk and used it to scan my hard disk at least 13 times and did not spot a virus. I was still nervous about the virus attack, so I got another virus protection program (Flushot, in case it matters) and checked the hard disk again and again and again until my wife reminded me to do homework. I survived the virus hit in October.

Before the first snow in November about three weeks ago, I booted up the machine as usual and pressed the turbo switch when I noticed the slow speed of computer checking my Intel Aboveboard memory. The computer suddenly went nuts for the first time since I bought it a year ago. There was nothing on the screen, the keyboard didn't respond, and the speaker beeped. I powered off and on again and the computer prompted me "8237 Error" and refused to work. I was nervous but not afraid. Since I have played around with computers for a while, I tore down my machine to check what might be the source of error. I didn't find anything suspicious but BIOS and DMA. I went to a local computer store and had my BIOS replaced and the computer worked again. So I gave them $35 for the Phoenix BIOS that worked wonders on my computer.

But the honeymoon soon was over. One day when I was using my primitive word processor PFS:Professional Write, the computer hung me without any warning. I lost all my editing file and had to reboot it again using the reset button, not ctrl+alt+del. And after that, it hung from time to time whenever I changed from editing document to print or to spell check.
After a few days, I found out I cannot use turbo mode anymore; I had to stay with normal mode. When I pressed the turbo button to boost speed, I got hung. Since I had just replaced the BIOS, I suspected the problem was in DMA. So I brought my computer back to that local store after Thanksgiving and they said that I need a new motherboard because they cannot fix the motherboard problem. Because they were asking ONLY $200 for a new 12MHz 286 motherboard, I decided to get it replaced.

Everything worked fine with the new board until I tried to run Harvard Graphics; it hung again. Same thing happened to Minitab and the new PFS:Professional Write v2.0. I questioned the store about the compatibility of that kind of motherboard and got pissed off. They claimed that their motherboard has been running thousands of software and has never encountered a non-compatible problem. So I tested everything I could, changing faster memories, changing different BIOS, changing video board, and even swapping hard disks. I could not find out the problem until someday I used MAPMEM to see memory usage and saw an unknown program occupying about 1732k memory above configuration and dos command and I realized that something weird was going on.

I immediately (well, next day) got the virus detection disk from office and started checking my hard disk. Boy, was I astonished! I saw a warning line as soon as I issued SCAN command: SCAN file has been damaged.... In the next few minutes, I saw 50 of my command files were infected by Jerusalem B virus. I used pctools to erase all infected files and got a map of my hard disk to see if everything is ok. But I saw some sectors marked "unremovable" where they should be "usable" space. And I realized that the only way to get rid of the virus would be reformatting my entire hard disk. So I did. I am glad I have a back up for every program I have in the hard disk.
Now all the viruses are gone except one that I keep in a floppy as a memory or for future research use, and I start thinking where I got this little virus. There are only two places: PCLIB at Penn State or that computer store. I cannot think of any other sources except these two. The weird file with 0 bytes and unremovable is from some file in PCLIB, but I have checked every file before October 13 and found no virus. After that date, I have not downloaded anything. On the other hand, every weird thing started after I replaced BIOS and used testing software from the computer store. It's also possible that the virus is attached to some file that store has. I will keep tracking down the suspicious source of this virus and if anything comes out interesting, I will summarize and post it.

GOOD BYE !

H. WU
HJW2@PSUVM.BITNET
DEPARTMENT OF BUSINESS LOGISTICS
THE PENNSYLVANIA STATE UNIVERSITY

------------------------------

Date: Sat, 09 Dec 89 18:07:23 +0000
From: yale!slb-sdr!sdr.slb!shulman@uunet.UU.NET (Jeff Shulman)
Subject: Re: WDEF Virus (Mac)

C0195@UNIVSCVM.BITNET (Gregory E. Gilbert) writes:

>Recently there was a posting on VALERT-L about a new virus, WDEF. In the
>alert it is mentioned that:
>(stuff deleted)
>"Jeff Shulman, the author of Virus Detective 3.1, recommends adding the
>following search string to detect the virus:
>CREATOR=ERIK & Resource WDEF & Any
>Virus Detective can also be used to remove the virus ......"
>Where or to what do we add the "following search string". Please
>pardon my ignorance.
>Greg

These instructions only apply to VirusDetective 3.x

1. Select VirusDetective from the DA menu.
2. Click the Modify Search Strings button.
3. Type    Creator=ERIK & Resource WDEF & Any ; For finding WDEF, etc.
4. Click the Add button.
5. Click the Save button.
6. That's it!
Specific instructions can be found both in the VD doc file and online docs, and are going to be mailed out to registered users early this week. I will also be posting a file full of the latest search strings that you can read in by clicking Read from File instead of steps 3 & 4, and I will be posting VD 3.1a that has this string already built in (NO code modifications were made).

If you are a registered user and you still need more assistance don't hesitate to contact me either electronically or by phone.

Jeff Shulman
VirusDetective Author
As usual, this is *me* speaking and no other organization.

uucp:      ...rutgers!yale!slb-sdr!shulman
CSNet:     SHULMAN@SDR.SLB.COM
Delphi:    JEFFS
GEnie:     KILROY
CIS:       76136,667
AppleLink: KILROY

------------------------------

Date: Sat, 09 Dec 89 19:10:00 -0500
From: "Gerry Santoro - CAC/PSU 814-863-4356"
Subject: re: DIR EXEC remedies (VM/CMS)

Marty Zimmerman writes:

>What are other VM/CMS installations doing to slow down the spread of
>the DIR EXEC? I seem to remember that the CHRISTMA EXEC prompted
>someone to write a program to scan/clean the SPOOL queue, and I was
>wondering if anything similar is available for DIR.

At Penn State we are taking a broader approach. The systems folks here may be scanning spool files for a file named DIR EXEC (don't really know if they are), but we've also placed a logon warning message telling users not to receive and execute *ANY* EXEC unless they know exactly what it does.

Although DIR EXEC and CHRISTMA EXEC (also distributed as XMAS EXEC) cause well-known havoc, it is rather easy for a mischievous student to send a custom EXEC to an unwary faculty/staff/student who then tries it out to see what it does. I did a poll of some of my students (i teach computing for humanities here) and was horrified at how many of them were given 'neat' EXECS by perfect strangers, which they then proceeded to use and distribute to others.
Not a single one of them reads REXX and they had no suspicion that any of these EXECS could be doing something behind their backs.

Another common problem here is that eager students will 'customize' the environment of faculty who are novices to VM/CMS by linking them to their (the students') disks, which have lots of custom EXECs on them. At the very least, when the student graduates and their account disappears we get questions from the faculty regarding why "the computer doesn't work anymore".

gerry santoro, ph.d.                   *** STANDARD DISCLAIMER ***
center for academic computing          This posting is intended to
penn state university                  represent my personal opinions.
gms @ psuvm.psu.edu                    It is not representative of the
gms @ psuvm.bitnet                     thoughts or policies of anyone
...!psuvax1!psuvm.bitnet!gms           else here or of the organization.
(814) 863-4356
                ---- "I yam what I yam!" ----

------------------------------

Date: Sun, 10 Dec 89 00:10:16 -0500
From: jln@acns.nwu.edu
Subject: Disinfectant 1.4 (Mac)

Disinfectant 1.4 is a new release of our free Macintosh virus detection and repair utility. Version 1.4 detects and repairs infections by the new WDEF virus (see below).

In version 1.4 we no longer refer to the various clones of the nVIR B virus by name. We refer to them simply as generic "clones of nVIR B." All references to the individual clone names have been removed from both the document and the reports generated by the program. We feel that the creators of these clones do not deserve the publicity they receive when they see the names they have chosen in print, especially since some of the names are offensive.

Disinfectant 1.4 is available now via anonymous FTP from site acns.nwu.edu [129.105.49.1]. It has also been posted to comp.binaries.mac, info-mac, and CompuServe, and should be available from those sources soon.

The following text is extracted from the new section on WDEF in Disinfectant's online document. It describes what we know to date about this new virus.
The WDEF virus was first discovered in December, 1989 in Belgium and in one of our labs at Northwestern University. It has also been reported at several other major US universities, so we fear that it may be widespread. We also have reason to believe that the virus has been in existence since at least mid-October of 1989.

WDEF only infects the invisible Desktop files used by the Finder. With a few exceptions, every Macintosh disk (hard drives and floppies) contains one of these files. WDEF does not infect applications, document files, or other system files. Unlike the other viruses, it is not spread through the sharing of applications, but rather through the sharing and distribution of disks, usually floppy disks. WDEF spreads from disk to disk very rapidly. It is not necessary to run a program for the virus to spread.

Although the virus does not intentionally try to do any damage, WDEF contains bugs which can cause very serious problems. In particular, one bug in the virus causes the Mac IIci to crash. We have also noticed unusually frequent crashes on infected Mac IIcxs, and severe performance problems with infected AppleShare servers. Several people have also reported frequent crashes when trying to save files, and we have two reports that the virus can damage disks.

When using Disinfectant to repair WDEF infections, you must use Finder instead of MultiFinder. Under MultiFinder the Desktop files are always busy, and Disinfectant is not able to repair them. If you try to repair using MultiFinder, you will get an error message.

Unfortunately, none of the current versions of the most popular virus prevention tools are effective against the WDEF virus. This includes Vaccine 1.0.1, GateKeeper 1.1.1, Symantec's SAM Intercept 1.10, and HJC's Virex INIT 1.12. However, by the time you read this, it is very likely that new versions of these tools will have been released.
Symantec and HJC are preparing new releases of their products, and we expect that a free prevention tool or tools will also be available soon.

This version of Disinfectant is being released only a few days after the discovery of the WDEF virus. We do not yet understand it as thoroughly as we do the other older viruses. We have disassembled it completely, and we understand the basic replication mechanism. We know that it can cause serious problems, and we know why it causes some of the problems. Research into the behavior and adverse effects of this virus will continue for some time.

You should keep in touch with your local Mac user group or bulletin board for more information about this new virus as it becomes available. Commercial online services like CompuServe and Genie and the Macintosh trade press publications like MacWeek are also good sources of information.

John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208

Bitnet:     jln@nuacc
Internet:   jln@acns.nwu.edu
CompuServe: 76666,573
AppleLink:  A0173

------------------------------

Date: Sun, 10 Dec 89 10:17:00 -0500
From: WHMurray@DOCKMASTER.ARPA
Subject: Protecting Users from Letter Bombs

>On this subject: how far should system administrators go to protect
>users from this type of "letter bomb". It seems a bit heavy-handed to
>purge ANY file from the queue with a filetype of EXEC, XEDIT, or MODULE.
>Is it best to let the users fend for themselves, or overprotect them?

A reasonable compromise is to protect them from surprise by arbitrarily renaming and re-typing the object so that they will not execute it by accident.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date: Sun, 10 Dec 89 10:51:00 -0500
From: WHMurray@DOCKMASTER.ARPA
Subject: Use of Digital Signatures

I suspect that Y.
Radai misses the point of Bob Bosen's posting. The point is, why re-invent the wheel thinking up new authentication schemes when standard ones of known strength already exist. He was not making new claims about how effectively such schemes can be implemented.

However, there is a more subtle point. In the most general, non-trivial (read PC), case, a virus designer can always get his program executed by duping users. The law of large numbers suggests that, as Abraham Lincoln said, you can always fool some of the people some of the time. If the population is sufficiently large, that will be enough to insure the life of the virus.

Again, in the most general non-PC case, an effective way to get a program executed is to make it appear to come from a known and trusted source. The Christmas cards are a good example. When the copies are distributed they are distributed under the source ID of the last victim. Since the names of the targets are taken from the address book (NAMES file) of the source, this ID is likely known by many of the victims.

Another example is the re-shrink-wrapped software of a reputable vendor on the shelf of a naive or irresponsible distributor. Many of us are likely to be duped into executing such software. How can we know that the software is what the vendor shipped? How can the vendor demonstrate, even to his own satisfaction, that he did not ship it?

Digital signatures (which are not simply CRCs) provide at least a partial answer to these questions. They provide compelling evidence that a data object originated in a particular place and that it has not been contaminated since leaving that point. They do not and cannot protect us against all lies and all malice. They may not protect us at all if we refuse to apply them or reconcile them. However, they make it possible to protect the innocent. If we refuse to accept data objects that are not signed by the source, then they will help to fix accountability for malice.
In the presence of such accountability the quantity of malice can be expected to be less than it would be in the absence of such signatures.

Finally, the ability of a virus to spread in a population, as opposed to its ability to detect and bypass the controls in a member of the population, depends upon there being exploitable similarities among the members of the population. The insistence of Mr. Radai et al. that, since it is possible to detect and bypass any control, all is futile does not stand up. By subtle changes to my machine and its use, I can make it sufficiently different from the population at large to make it effectively immune from practical attacks. If we were all doing that, viruses would be far less successful. That I cannot make it theoretically resistant to hypothetical attacks may be of little interest.

It is time to stop condemning the useful out of hand. Those who insist upon doing so are contributing to the problem rather than the solution.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date: Sun, 10 Dec 89 18:10:00 -0500
From: someone please stop the bunny
Subject: JUST WHAT IS *LSD? (Mac)

The recent notification of the WDEF virus residing in the Desktop got me thinking so I poked through our fileserver's desktop with resedit. I found a resource that began with a diamond and followed up with LSD, sort of *LSD but with a diamond instead of a star. Does anybody know what this is?

- Zav

Southeastern Massachusetts University, U S of A
Live From the 'REAL' SMU... iiiiiiit's Alex!
alias Alex Zavatone, RoadHazard (I've earned that one)
Discmaimer?!: You must be kidding
Bitnet -> ACSAZ@SEMASSU    ACS - It's not just a job
Hepnet -> ALEX@SMUHEP      It's an Adventure!

------------------------------

Date: Sun, 10 Dec 89 15:53:12 -0800
From: Alan_J_Roberts@cup.portal.com
Subject: SCANV51 (PC)

SCANV51 is now available on HomeBase. It checks for the Datacrime II-B, the Payday and the Amstrad viruses as new additions to the list. The Datacrime II-B and Payday viruses were submitted by Jan Terpstra of IBM in the Netherlands and the Amstrad was submitted by Jean Luz of the University of Lisbon in Portugal. All three are described in the VIRLIST.TXT file included with SCAN.

Five new viruses (at least new to McAfee and the HomeBase group) have been submitted by Andrzej Kadlof, an editor of KOMPUTER Magazine in Warsaw, Poland. These viruses have been reported in the public domain within Poland and many other Eastern bloc countries, according to Kadlof, but we are not aware of any reports from Western Europe or the U.S. David Chess at IBM has been given copies as has Joe Hirst in London to determine whether these are indeed new viruses. In any case, they are new to SCAN and will be included in the next release. Two are EXE and COM infectors and three are just COM infectors. Hopefully I can report details of how they work within a few days.

Alan

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
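Editorial example, appended after the digest and not part of it: a worked illustration of the distinction Murray draws in "Use of Digital Signatures" between a digital signature and a CRC, using his re-shrink-wrapped software scenario. The RSA key is a constructed toy (two Mersenne primes, far too small for real use), the "vendor release" bytes are made up, and none of the function names belong to any tool mentioned in the digest. A distributor who alters the shipped program can recompute the CRC it was shipped with, so a CRC check still passes; without the vendor's private key that distributor cannot produce a signature that verifies over the altered bytes under the vendor's public key, which is what lets the signature fix accountability at the source. Verification only helps if it is actually run against the known source key, which is Murray's "apply them or reconcile them" caveat.

```python
import hashlib
import zlib

# Constructed toy RSA keys for this example only. Both primes in each key are
# Mersenne primes; a real signing key would use 2048-bit or larger moduli.
VENDOR_P, VENDOR_Q = (1 << 61) - 1, (1 << 31) - 1
OTHER_P, OTHER_Q = (1 << 89) - 1, (1 << 61) - 1   # a key that is not the vendor's
E = 65537


def make_keypair(p: int, q: int):
    """Return ((n, e), (n, d)) for the toy RSA key built from primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse; needs Python 3.8+
    return (n, E), (n, d)


VENDOR_PUBLIC_KEY, VENDOR_PRIVATE_KEY = make_keypair(VENDOR_P, VENDOR_Q)
OTHER_PUBLIC_KEY, OTHER_PRIVATE_KEY = make_keypair(OTHER_P, OTHER_Q)


def message_representative(data: bytes, n: int) -> int:
    """Hash-then-sign: hash the object and reduce the digest into the modulus."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") % n


def sign(data: bytes, private_key) -> int:
    """Produce a signature over the shipped bytes; requires the private key."""
    n, d = private_key
    return pow(message_representative(data, n), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Anyone holding the public key can check that data is what was signed."""
    n, e = public_key
    return pow(signature, e, n) == message_representative(data, n)


def crc_check(data: bytes, expected_crc: int) -> bool:
    """Integrity check with no secret: whoever changes the data can recompute it."""
    return zlib.crc32(data) == expected_crc


def shipment_scenario() -> dict:
    """Vendor ships a program with a CRC and a signature; a distributor alters it."""
    shipped = b"CONSTRUCTED VENDOR RELEASE 1.0\n"   # stand-in for the real executable
    shipped_crc = zlib.crc32(shipped)
    shipped_sig = sign(shipped, VENDOR_PRIVATE_KEY)

    # The altered copy: the distributor changes the bytes and refreshes the CRC,
    # which needs no secret. The vendor's signature cannot be refreshed the same
    # way, so the distributor either leaves it as shipped or re-signs with a key
    # of their own.
    altered = shipped + b"EXTRA CODE APPENDED\n"
    altered_crc = zlib.crc32(altered)
    resigned_by_other = sign(altered, OTHER_PRIVATE_KEY)

    return {
        "intact_crc_ok": crc_check(shipped, shipped_crc),
        "intact_signature_ok": verify(shipped, shipped_sig, VENDOR_PUBLIC_KEY),
        # CRC still passes after tampering because it was simply recomputed.
        "altered_crc_ok": crc_check(altered, altered_crc),
        # The vendor's signature no longer matches the altered bytes.
        "altered_signature_ok": verify(altered, shipped_sig, VENDOR_PUBLIC_KEY),
        # A signature from some other key does not verify as the vendor's.
        "resigned_by_other_key_ok": verify(altered, resigned_by_other, VENDOR_PUBLIC_KEY),
    }


if __name__ == "__main__":
    for check, result in shipment_scenario().items():
        print(f"{check:26s} {result}")
```

The design point is the presence or absence of a secret: `crc_check` is a function of the data alone, so any party that can write the data can satisfy it, while `verify` succeeds only for a value that was produced with the private exponent belonging to the public key the receiver already trusts. The reduction of the digest modulo n is a simplification of real signature padding and exists only so the toy key can sign a 256-bit hash.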