From: VIRUS-L@IBM1.CC.Lehigh.EDU

VIRUS-L Digest   Friday, 15 Jun 1990    Volume 3 : Issue 114

Today's Topics:

RE: Documented mainframe viral attacks
Re: George of the Jungle virus????? (Mac)
Re: More George of the Jungle... (Mac)
VSHIELD and Windows 3.0 (PC)
Re: removing Stoned from harddisks (PC)
Vanishing Disk Space (PC)
re: UnVirus 9.02 (PC)
Re: Flushot version? (PC)
GateKeeper Aid 'ADBS' Query (Mac)
Mainframe viruses, theoretical (Murray)
Strange floppies (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  Administrative mail (comments, suggestions, and so forth)
should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    Wed, 13 Jun 90 17:46:32 +0100
From:    Alan Thew
Subject: RE: Documented mainframe viral attacks

>spoelhof@newkodak.kodak.com (Gordon Spoelhof) asks:
>
>>1. How many mainframe viral attacks are documented?
>
>The ones that come to my mind (and I believe all have been reported
>here) are the XMAS, BUL, 4PLAY, and HEADACHE execs on VM/CMS and the
>RTM worm [UNIX] and WANK worm [VMS].

There was also the DIR exec (VM) which was supposed to give a DOS type
display of files but, I believe, after a certain date formatted your
minidisk.  We never saw it but were warned by a number of lists.

Alan Thew                         University of Liverpool Computer Laboratory
Bitnet/Earn: QQ11@LIVERPOOL.AC.UK or QQ11%UK.AC.LIVERPOOL @ UKACRL
UUCP : ....!mcsun!ukc!liv!qq11                     Voice: +44 51 794 3735
Internet : QQ11@LIVERPOOL.AC.UK or QQ11%LIVERPOOL.AC.UK @ NSFNET-RELAY.AC.UK

------------------------------

Date:    13 Jun 90 17:28:10 +0000
From:    hemstree@handel.CS.Colostate.Edu (charles he hemstreet)
Subject: Re: George of the Jungle virus????? (Mac)

hemstree@handel.CS.Colostate.Edu (charles he hemstreet) writes:

From: hemstree@handel.CS.Colostate.Edu (charles he hemstreet)
Newsgroups: comp.virus
Date: 11 Jun 90 14:54:01 GMT

I work at a computer lab here on campus, and we had someone come in
and ask about this..  I may not have this totally correct...

[much stuff deleted]

After some response (many thanks) and thought, I and the person
involved have decided that this was a prank against him.  The tool
used was simply ResEdit.  The prankster edited the STR resource of the
application and the icon resource.  We are currently looking to set up
some security on his machine.

Thanks again for the help.  Much appreciated.

Chip
- --
!===========================================================================!
! Charles H. Hemstreet IV      !internet: hemstree@handel.cs.Colostate.Edu  !
! Colorado State University    ! "stay out of trouble!" -RoboCop           !
!===========================================================================!

------------------------------

Date:    13 Jun 90 17:31:32 +0000
From:    austing@Apple.COM (Glenn L. Austin)
Subject: Re: More George of the Jungle... (Mac)

hemstree@handel.CS.Colostate.Edu (charles he hemstreet) writes:
>Well, I'm not sure what I've got here, but may not be as serious as I
>thought.  We have got a copy here at the lab.  It has the
>WordPerfect feather on a trashcan Icon.  I opened it on an isolated SE
>by double-clicking on the trash/feather icon.  WordPerfect complains
>that it can't open this kind of document.  On the isolated SE,
>WordPerfect goes ahead and opens an untitled document.
>Is this a standard WordPerfect Icon?  The person found this document
>in his system folder.  I have a copy on floppy if anyone would care to
>look at it.

It sounds like that is a temporary document from the description of
the location of the file and the icon.  It's pretty easy to check
using MultiFinder or a file DA (like DiskTop).  Make sure that the
file is removed from the system folder, launch WordPerfect, and check
for the file.

- -----------------------------------------------------------------------------
| Glenn L. Austin               | "Turn too soon, run out of room,          |
| Auto Racing Enthusiast and    |  Turn too late, much better fate"         |
| Communications Toolbox Hacker |   - Jim Russell Racing School Instructors |
| Apple Computer, Inc.          | "Drive slower, race faster" - D. Waltrip  |
| Internet: austing@apple.com   |-------------------------------------------|
| AppleLink: AUSTIN.GLENN       | All opinions stated above are mine --     |
| Bellnet: (408) 974-0876       | who else would want them?                 |
- -----------------------------------------------------------------------------

------------------------------

Date:    Wed, 13 Jun 90 15:36:00 -0400
From:    Jim Shanesy
Subject: VSHIELD and Windows 3.0 (PC)

Has anyone loaded VSHIELD into memory before invoking Windows 3.0?  If
so, did Windows function properly?  Is the ability to detect viruses
at all compromised?

Jim Shanesy @ National Research Council, National Academy of Sciences

------------------------------

Date:    Thu, 14 Jun 90 07:31:42 +0000
From:    plains!umn-cs!LOCAL!aslakson@uunet.UU.NET (Brian Aslakson)
Subject: Re: removing Stoned from harddisks (PC)

btr!public!gio@decwrl.dec.com (Giovanni V. Guillemette gio@btr.com) writes:
>plains!person@uunet.UU.NET (Brett G. Person) writes:
>>I had a friend call me who told me that Stoned actually damaged the
>>media on the hard drive.  He said they lost a full ten Meg.  He took
>>...
>This has happened to me before, but not in relation to a virus.  It happened
>when I tried to format an RLL drive in MFM format, as RLL offers 50% more
>...
>Use a program like Ontrack's Disk Manager, or Speedstor to do your low-level
>format.  It will ask you for the drive type - and, in both cases, you should
>be able to enter the specific disk (assuming it's a Seagate, but, even if it's
>not, Speedstor might still have it) by brand and model.  Then, let the program
>partition it for you, using the *default* values.  What it will do is to create
>a small (<1MB) MFM partition for DOS to boot off of (obviously, that's where
>you load your system), and another 31MB RLL partition, which DOS will only be
>able to access after loading the device driver that Disk Manager (or Speedstor)
>loads automatically on the first partition for you.  Hope I didn't confuse you.

Wrong!!!!  Or rather, right but there is a much better way.  First tho,
Disk Manager (a fine Minnesota company) makes software for more than
Seagate drives.  Also, you can make a full size partition using Ontrack
software (no need to make some Mickey Mouse 1 meg partition).  Call them
at 1-800-752-1333.

That said, I'd advise against using their software in your case.  Better
you should format it using regular DOS methods.  (Yes, I agree with the
second writer, it sounds like an MFM vs RLL problem).  If you have a
Western Digital controller card, you are in luck, cuz they too have a
free number, with a snazzy recorded help that you can navigate with a
touch tone phone.  WD's number is: 1-800-356-5787.  Otherwise find
someone who knows DOS there and can come over and walk you through it.
Going the straight DOS way is best, you can avoid all sorts of headaches
later.

Luck!

Brian

NB: I've tried to post this 3 times and if you ain't reading this, I've
probably exploded into 500 billion pieces.
------------------------------

Date:    14 Jun 90 14:54:36 +0000
From:    bytor@milton.u.washington.edu (Michael Lorengo)
Subject: Vanishing Disk Space (PC)

Does anybody know anything about a virus that eats up disk space?
Currently on this Network when I do a CheckVol the amount of free disk
space seems to dwindle to 0.  I delete some old files, and in a matter
of minutes I have no more free space left.  This is on a Novell Network
and Zenith 386's.

------------------------------

Date:    14 Jun 90 14:27:44 -0400
From:    "David.M.Chess"
Subject: re: UnVirus 9.02 (PC)

Y. Radai :
> the time required by the new UnVirus is independent of the number of
> viruses scanned for, so its speed relative to these other programs
> will increase as the number of viruses increases.

If you don't consider it proprietary, I'd be curious to know what the
scanning algorithm is that it doesn't slow down as the number of
viruses increases.

DC

------------------------------

Date:    14 Jun 90 17:41:23 +0000
From:    wagner@utoday.uu.net (Mitch Wagner)
Subject: Re: Flushot version? (PC)

USERQBPP@SFU.BITNET (Robert Slade) writes:
#I have seen a copy of FSP_17.ARC on wuarchive.wustl.edu.  The latest
#version I was aware of was 1.6.  Ross having not been terribly active
#on the list lately, does anyone know if this is legit?

I forwarded the question to Ross Greenberg, who has lost his USEnet
connection for a while, and he sent me the following reply, which he
asked me to forward to comp.virus:

"Alas, I've lost my net connection for a short while.  But, to answer
your question: Version 1.7 of FLU_SHOT+ is the current version.  A new
version is due out shortly.  New versions are available from my own
BBS (212)-889-6438 (2400/n/8/1), from COMPUSERVE (check PCMagNet's
UTILFORUM DL's) and from BIX, as well as from any ASP-approved disk
distributor: these are all copies I can vouch for in the non-Usenet
world.  In the Usenet world, any of the anti-virus archives is
probably safe and I know that SIMTEL20 (thanks, Keith!)
is a safe place to download from.  Back on more regularly when I get a
Usenet connection back...

Ross"

- --
--
Mitch Wagner                       Voice - 516/562-5758
wagner@utoday.UUCP                 uunet!utoday!wagner

------------------------------

Date:    Thu, 14 Jun 90 12:33:00 -0700
From:    "Hervey Allen"
Subject: GateKeeper Aid 'ADBS' Query (Mac)

A member of our computing center uses GateKeeper Aid on her Macintosh
IIcx and has received the following message:

    GateKeeper Aid found an "Implied Loader 'ADBS' virus in the Desktop
    file on the "Animal Sanctuary" disk.  The virus was removed.

"Animal Sanctuary" is the hard disk she was booting her machine from.
GateKeeper Aid has caught and removed Wdef A from her machine on several
occasions.  No disk was inserted when this message appeared.  She runs
Microsoft QuickMail, Vaccine, AppleShare, and GateKeeper Aid.

I may be asking a question that's already been answered, but I couldn't
remember seeing any remarks about "Implied Loader 'ADBS' viruses" when
using GateKeeper Aid.  If anyone could tell me, or hazard a guess as to
what GateKeeper Aid found and what an "Implied Loader 'ADBS' virus" is I
would greatly appreciate it.  Please send replies directly to me if this
is something that has been discussed before.

Thanks In Advance!

Hervey Allen <> <> Microcomputer Assistant/Virus Consultant
University of Oregon Academic Computer Services
* Disclaimer: The opinions expressed here are my own and in no way reflect *
*             the opinions of the University of Oregon.                    *

------------------------------

Date:    Thu, 14 Jun 90 12:22:27 -0400
From:    Arthur Gutowski
Subject: Mainframe viruses, theoretical (Murray)

>I would not want to get into an argument about it, but the difference
>in age is not significant.  Unix is much older than you might guess.
>...
>I doubt that this is true in terms of years or hours.  It is likely
>true in terms of determination and other resources.  Total reported
>integrity flaws in MVS have likely been in the high tens.  Almost
>none were detected or exploited by hackers.  Most were detected by people
>with special knowledge and training after the expenditure of significant
>resources.

Agreed, the ten or so years MVS has on Unix isn't as significant.  This
was only a response to a statement about the number of people trying to
poke holes in Unix is greater than in MVS.  The knowledge of the people
involved and other resources used have a bigger impact.  My impression
from the mainframe discussions is that Unix attracts a different class
of attackers than does MVS or VM.  That none of the MVS flaws had been
exploited by hackers, but by knowledgeable people with the specific
purpose of finding holes, and Unix source code is available (at least to
some), intuitively it seems that Unix would be easier to break into than
MVS by non-systems people.  By the same token, I suppose it would be
easier to enhance Unix security.  Take into consideration that
information about MVS isn't readily available to people outside of
systems work.  hmmmmm......

>Your confidence is poorly placed.  While MVS and VM are as secure as IBM
>knows how to make them collectively, individual installations or instances
>are likely no better than instances of Unix.  People who do penetration
>studies of MVS and VM for a living report that eighty-five percent will
>yield to a knowledgeable attacker in hours to days.  Most will yield to
>a determined attacker in days, and less than one percent will stand up
>for weeks.

Maybe so, maybe not.  Perhaps I take it for granted (somewhat) because
our installation keeps track of access controls (although there is still
room for improvement).  These penetration studies appear to contradict
that experienced people with the aid of special training and a large
amount of resources only turned up integrity flaws in the high tens.
These studies would suggest that number should be much higher.  I do
doubt that anyone but the systems people or very good applications
people are going to be able to crack MVS, and then it's a case of having
trustworthy people on staff.  *Some* instances of MVS or VM probably are
no better (indeed, even worse) than Unix (or for that matter, PCs).
This is a tsoris spot here too; what good is buying an OS and a security
system with all the necessary controls if you're going to cripple it?  I
still feel MVS is a more secure system, as long as you don't compromise
what was put in place by IBM and your security system vendor.

>...MVS installations are rife with very general utilities that run
>privileged and have poor controls.

So what?  One, joe-user doesn't have the ability to interrupt while the
utility is in supervisor state and do his own thing (OS integrity).  Two,
keep privileged programs (i.e., APF authorized) restricted to what comes
with the system, and systems people putting in any needed in-house
authorized programs (good security practice).

>All of this has little to do with their vulnerability to viruses.  As
>Dave Chess of IBM Research has tried to explain on this list several
>times, viruses exploit the privileges of users rather than flaws in
>the environment.  Operating system integrity and access controls will
>only slow them.  If users have the privilege to execute an arbitrary
>program of their choice, can create or modify a procedure, and share
>data with a sufficiently large population of peers, then that is all
>that is required for the success of a virus.
>
>The trick to the success of a virus is not in its code, but in how you
>get it executed!

True, it does have little to do with viruses.  I did (and still do)
agree with what Dave has said; I think what this discussion evolved from
is a devil's-advocate scenario I had used: "how does joe-user spread a
virus if he can't write to data other than his own, and other people
can't execute his programs."  No access controls or system integrity
measures in the world can prevent a virus from spreading around
"legally" accessed data.  The trick is indeed how you get it executed,
and if the data is widely shared, there isn't much magic involved.  You
just have to know how to stay in the user's address space and latch onto
the next program that gets executed.  If you restrict access, it becomes
trickier to spread.  This, like you said, comes down to individual
installations and how they have their system set up (hopefully they're
at least smart enough to protect their payroll data from attacks :-) ).

 /===\    Arthur J. Gutowski, System Programmer
: o o :   MVS & Antiviral Group / WSU University Computing Center
: --- :   Bitnet: AGUTOWS@WAYNEST1   Internet: AGUTOWS@WAYNEST1.BITNET
 \===/    AGUTOWS@cms.cc.wayne.edu   Have a day.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Disclaimer: Hey, what do I know?  I'm only a tourist.

------------------------------

Date:    Thu, 14 Jun 90 20:32:03 -0400
Subject: Strange floppies (PC)
From:    A. Padgett Peterson

In view of the myriad questions concerning oddly acting floppies, here is
the source code for a massive program written in a most sophisticated and
little known language (to be virus-free) that will tell you what the CMOS
thinks your floppy disk configuration is.  This has been through an
extensive V&V program (five minutes - I had to change the CMOS setup each
time & reboot) on 1) a clone 386 with AMI Bios and 2) a Zenith AT with
the Zenith 386 kit.  It may even work on something else (usual disclaimers
apply).  I am sure that a neat little .COM could be developed but Ken can
post this.

5 PRINT CHR$(10);"AT/386/486 CMOS floppy drive record check."
6 PRINT "Copyright (C) 1990 by Padgett (though trivial)";CHR$(10)
10 FLOC=16    ' CMOS register 10h holds the two floppy drive type codes
20 OUTC=112   ' CMOS address port 70h
30 INC=113    ' CMOS data port 71h
40 OUT OUTC,FLOC
50 FREC=INP(INC)
60 FLOP$=RIGHT$("0"+HEX$(FREC),2) ' pad to two hex digits so drive B still decodes when drive A is absent
70 F$=LEFT$(FLOP$,1)  ' high nibble: first drive
80 GOSUB 140
90 PRINT "First floppy drive record indicates: ";R$
100 F$=RIGHT$(FLOP$,1) ' low nibble: second drive
110 GOSUB 140
120 PRINT "Second floppy drive record indicates: ";R$;CHR$(10)
130 END
140 R$="Unknown code: "+F$
150 IF F$="0" THEN R$="Not Present"
160 IF F$="1" THEN R$="360k 5 1/4 "
170 IF F$="2" THEN R$="1.2M 5 1/4 "
180 IF F$="3" THEN R$="720k 3 1/2 "
190 IF F$="4" THEN R$="1.44M 3 1/2 "
200 RETURN

Good luck - Padgett

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 114]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
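The same CMOS floppy record decoded in C, as an added example that is not part of the digest or of Padgett's BASIC program. It works on a 128-byte CMOS image that is constructed inline (or, on Linux, read from /dev/nvram, which exposes CMOS bytes from index 14 onward), splits register 10h into its two nibbles directly instead of going through a hex string, and goes a step beyond the BASIC listing: it recognises type code 5 (2.88M) and recomputes the standard AT checksum over bytes 10h-2Dh (stored big-endian at 2Eh-2Fh), so an inconsistent or corrupted configuration record can be told apart from a genuine drive-type change before anyone blames the floppy. The function and macro names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMOS_SIZE        128
#define CMOS_FLOPPY_TYPE 0x10   /* the register Padgett's program reads via ports 70h/71h */
#define CMOS_CKSUM_START 0x10   /* standard AT checksum covers 0x10..0x2D inclusive */
#define CMOS_CKSUM_END   0x2D
#define CMOS_CKSUM_HI    0x2E   /* checksum high byte */
#define CMOS_CKSUM_LO    0x2F   /* checksum low byte */
#define NVRAM_OFFSET     14     /* Linux /dev/nvram starts at CMOS index 14 */

/* Drive-type codes held in the two nibbles of CMOS register 0x10. */
const char *cmos_floppy_name(unsigned nibble)
{
    switch (nibble) {
    case 0: return "Not Present";
    case 1: return "360k 5 1/4";
    case 2: return "1.2M 5 1/4";
    case 3: return "720k 3 1/2";
    case 4: return "1.44M 3 1/2";
    case 5: return "2.88M 3 1/2";   /* not in the BASIC table; added here */
    default: return "Unknown code";
    }
}

/* Drive A: is the high nibble, drive B: the low nibble.  Working on the raw
   byte avoids the HEX$ quirk where a value below 0x10 yields a single digit. */
unsigned cmos_drive_a(unsigned char rec) { return (rec >> 4) & 0x0F; }
unsigned cmos_drive_b(unsigned char rec) { return rec & 0x0F; }

/* Recompute the 16-bit AT CMOS checksum over 0x10..0x2D. */
unsigned cmos_checksum(const unsigned char *cmos)
{
    unsigned sum = 0;
    for (int i = CMOS_CKSUM_START; i <= CMOS_CKSUM_END; i++)
        sum += cmos[i];
    return sum & 0xFFFF;
}

/* 1 if the stored checksum matches the configuration bytes, else 0. */
int cmos_checksum_ok(const unsigned char *cmos)
{
    unsigned stored = ((unsigned)cmos[CMOS_CKSUM_HI] << 8) | cmos[CMOS_CKSUM_LO];
    return cmos_checksum(cmos) == stored;
}

/* Constructed sample image: A: is 1.44M, B: absent, checksum consistent. */
void cmos_sample_image(unsigned char *cmos)
{
    memset(cmos, 0, CMOS_SIZE);
    cmos[CMOS_FLOPPY_TYPE] = 0x40;
    unsigned sum = cmos_checksum(cmos);
    cmos[CMOS_CKSUM_HI] = (sum >> 8) & 0xFF;
    cmos[CMOS_CKSUM_LO] = sum & 0xFF;
}

/* Optional: load a real image from /dev/nvram (needs root and the nvram
   driver).  Bytes 0..13 are not exposed there and stay zero. */
int cmos_load_nvram(const char *path, unsigned char *cmos)
{
    memset(cmos, 0, CMOS_SIZE);
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(cmos + NVRAM_OFFSET, 1, CMOS_SIZE - NVRAM_OFFSET, f);
    fclose(f);
    /* need at least through the checksum low byte to say anything useful */
    return n >= (size_t)(CMOS_CKSUM_LO - NVRAM_OFFSET + 1) ? 0 : -1;
}

int main(int argc, char **argv)
{
    unsigned char cmos[CMOS_SIZE];
    if (argc > 1) {
        if (cmos_load_nvram(argv[1], cmos) != 0) { perror(argv[1]); return 1; }
    } else {
        cmos_sample_image(cmos);
    }
    unsigned char rec = cmos[CMOS_FLOPPY_TYPE];
    printf("First floppy drive record indicates: %s\n", cmos_floppy_name(cmos_drive_a(rec)));
    printf("Second floppy drive record indicates: %s\n", cmos_floppy_name(cmos_drive_b(rec)));
    printf("CMOS checksum: %s\n", cmos_checksum_ok(cmos) ? "OK" : "MISMATCH");
    return 0;
}
```

Run without arguments it decodes the constructed image; `./cmosfloppy /dev/nvram` (as root, on a Linux box with the nvram driver) decodes the live record. A checksum mismatch means the BIOS will normally report a CMOS configuration error at boot and fall back to defaults, which is one ordinary explanation for a machine that suddenly "forgets" its floppy types.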