VIRUS-L Digest Thursday, 8 Feb 1990 Volume 3 : Issue 34 Today's Topics: AIDS Virus (Mac) and AIDS Trojan (Non-Mac) WDEF-A arrives at Smith College (Massachusetts) (Mac) Re: Are virus sources public domain software ? Re: Virus Modeling Mac Virus Harmlessness WDEF, WDEF, WDEF (Mac) W/1813 Virus (PC) Anyone heard of the SYSLOCK virus? (PC) Other progs identify trojans? (Mac) copyrighting virus code More about 847 (PC) More on the new Mac Trojans VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk --------------------------------------------------------------------------- Date: Wed, 07 Feb 90 13:58:10 -0500 From: Joe McMahon Subject: AIDS Virus (Mac) and AIDS Trojan (Non-Mac) There is a Mac virus named AIDS. It's an nVIR-b clone (i.e., the resources and code were modified to use resources of that name instead of "nVIR"). It does the same stuff that nVIR does - i.e., reproduce and sometimes beep when a program is launched. It does nothing connected with the disease. The non-Mac "AIDS Disk" being talked about lately is NOT connected with the Mac at all. It was a program that purported to be a survey which would tell you how much of a risk you had of contracting the (non-computer) virus. It instead encrypted all of your files and attempted to get you to mail $300-and-some to an address in Panama. Clear? --- Joe M. ------------------------------ Date: Wed, 07 Feb 90 13:52:00 -0500 From: PSHANNON@SMITH.BITNET Subject: WDEF-A arrives at Smith College (Massachusetts) (Mac) Our one and only Mac lab became infected with WDEF-A this past weekend. Many thanks to John Norstad, Chris Johnson, and others for providing tools to fight these things! Peggy Shannon Center for Academic Computing Smith College Northampton, Massachusetts pshannon@smith.bitnet ------------------------------ Date: Wed, 07 Feb 90 13:57:28 -0600 From: davies@sp20.csrd.uiuc.edu (James R. B. Davies) Subject: Re: Are virus sources public domain software ? ZDEE699@ELM.CC.KCL.AC.UK writes: > From: ZDEE699@ELM.CC.KCL.AC.UK > Subject: Are virus sources public domain software ? > Date: 5 Feb 90 10:31:39 GMT > > In VIRUS-L, V3-I29, Todd Hooper () writes: > > What possible technique could you use > > to make it illegal 'illegal to own or transmit virus code '? " > > Well, how about some reliable organisation (the CERT, for example) > registering the source code under copyright laws ? Is virus code > considered as public domain software ? I wouldn't think so ! If the > source was copyright, then anyone having an unauthorized copy of it > would be in illegality. In fact, one might even say that the virus > itself is illegal on the grounds that it copies itself without > authorization. Anybody who feel they *NEED* to keep the source in > their possession should then also register or ask for authorization > from the organisation holding the copyright. > > Olivier M.J. Crepin-Leblond No, in order to register a copyright you must be the author of the work, or have the rights explicitly assigned to you by the author. (I wouldn't consider an organization reliable if they WERE the authors, would you?) I suspect that there is no good legal solution for the virus problem. People who create viruses don't expect to get caught, and probably wouldn't be deterred by the threat of legal sanctions. Also, it would be an immense problem to prove who first released a virus in most (if not all) cases. For example, the Internet worm case was not quite open-and-shut, despite the following unusual facts: 1. The defendant admitted under oath that he did it 2. There was a law which explicitly forbade what he did (i.e. unauthorized access to government computers with damage) I would venture to guess that there are very few known virus authors out there, even for the oldest, most widespread varieties. The Brain virus seems to be the exception, but even in that case it would be a nightmare to try to prosecute the perpetrators. ------------------------------ Date: Wed, 07 Feb 90 19:41:17 +0000 From: rwallace@vax1.tcd.ie Subject: Re: Virus Modeling gnf3e@uvacs.cs.Virginia.EDU (Greg Fife) writes: > RWALLACE@vax1.tcd.ie writes: >> As someone pointed out, a real >>computer isn't a finite state machine because it includes the person >>operating it > > A human being may or may not be a finite state machine, but the > effect he he has on a computer system is merely to add a finite > number of transitions to the computer. (Striking one of the finite > number of keys changes the interrupt state on a PC, putting in > a new disk changes many of the bits on that mass storage device). > > You can't model exactly which inputs the human will provide, but > you can reason about behavior under any possible set of inputs. > In effect, a person at a computer is running a huge finite > automata through an input string consisting of his actions. > > Take the initial state to be one of the finite number of > states which represents the introduction of the virus into > the system. Mark the finite number of states which represent > "infection" as final states. The question: "can infection occur" > is merely the question "does this FA have a nonempty language." > That question can be settled in finite time by testing the FA > on every input string of length less than or equal to the number > of states in the FA. Do this once for every initial "infection" > state, and the result follows. :-) Take a binary file editor. Or an interactive assembler. Or uudecode reading from stdin. Any of these programs will take input from the user and based on this input can reach most of the possible states of the system, including those in which replication of the program can occur. (I'm using "almost" in a loose sense: 2^990,000 is almost 2^1,000,000). So are these viruses? By your rationale they are. Or a terminal emulator which based on input from the outside world could cause infection (it could download an infected program from a bulletin board). And what about a worm program that transmits itself to another machine but does not infect other programs on the current machine? Having said that, your method would be OK for most software, if you only want to check for viruses not worms. "To summarize the summary of the summary: people are a problem" Russell Wallace, Trinity College, Dublin rwallace@vax1.tcd.ie ------------------------------ Date: Wed, 07 Feb 90 16:32:24 -0500 From: Joe McMahon Subject: Mac Virus Harmlessness It's interesting, but up until now, most viruses on the Mac have been "damageless" - the only reason the cause trouble is because of bugs and incompatabilities, not deliberately harmful code. nVIR, at worst, causes your Mac to beep in some cases (side effects are worse - crashes, hangs, printing failures). Perhaps we just haven't had the right (wrong?) people writing Mac viruses so far. Any ideas? --- Joe M. ------------------------------ Date: Wed, 07 Feb 90 16:38:46 -0500 From: Joe McMahon Subject: WDEF, WDEF, WDEF (Mac) >From: Jason Ari Goldstein > >Just like everywhere else the WDEF is thriving here at Carnegie-Mellon >Univ. I recently removed WDEF A & B off of 15 disks of a friend of >mine. When I commented to somone here about the virus they said there >was nothing they could do to stop it, except remove it once a machine >got infected. Eradicate'em and Gatekeeper Aid both stop the virus and automatically remove it from the disk as disks are inserted. >I don't know much about Macs (Being a PC person) but if I understand >correctly every time the disk is inserted the they Virus is spread to >the disk... Close enough; the default window definition procedure also has to be invoked, and you have to be running under the Finder. >Well, why doesn't someone write an innoculation directly >based on the virus itself.... >The only problem with this is that it is a virus also, but with the >proper prompts (allowing the user the choice of being innoculated) I >don't think this would be a problem.... It might not be a problem on current Macs or current versions of the System, but would be very likely to fail in future incarnations. Also, available anti-virals probably wouldn't be able to tell the difference between your "WDEF C" and a real infection, so well-meaning disinfectors would wipe out your "inoculation". Finally, I think we all agree that viruses to fight viruses simply help to continue the upward spiral of virus technology, and that *any* virus has the potential to cause damage under some circumstances. Worse, a virus writer could take your supposedly harmless virus and hack it into a virulent one. If your anti-virus virus contains your name, you might have trouble convincing people (including law enforcement) that you didn't write the nasy variant. >In the mean time, about 75% of the time I in a cluster I remove WDEF A >or B from either a hard disk or someone elses floppies. Jason, if no one there has the programs I mentioned above, they are available from our LISTSERV. Worst case, there is a very simple way of getting rid of WDEF infections, and it's BUILT IN to the Mac! When you insert a disk, hold down the Command and Option keys. You'll get a message asking if you want to rebuild the Desktop file. Click "OK". This will blow away any existing WDEF infection. The same can be done for boot disks: just hold down those two keys after the "Welcome to Macintosh" screen appears. You'll get the same dialog, to which you respond in the same way. Nothing could be simpler. Rebuilding the Desktop causes it to be thrown away, virus and all, and a new copy built. Since WDEF doesn't live anywhere else, you're all set. >From: Fung P Lau > > I have recently read something about Disinfectant 1.6 from this >newsgroup. Its author said that there was no Disinfectant 1.6... At the time the message was posted, that was true. John Norstad created 1.6 since then, so versions of that program from sumex, John's node, or the SCFVM LISTSERV are true, valid copies of Disinfectant 1.6. >From: wcpl_ltd@uhura.cc.rochester.edu (Wing Leung) > > Can someone tell me is WDEF an illegal string in the resource code? WDEF resources are "window definition procedure" resources. They define how windows look and act. They are legal. >How about the program called WDEF uploaded in comp.binaries.mac? It's an alternate window definition procedure and is OK. >In fact, I've found some WDEF resource code in system version 6.0.3. > Please tell me more about this resource code. That's the code that defines the standard Mac window (scroll bars, go-away box, zoom box, etc). DON'T DELETE IT or your System file will no longer be usable. Whew. --- Joe M. ------------------------------ Date: Wed, 07 Feb 90 15:16:15 +0000 From: mikem@gaudi.Berkeley.EDU (Mike Mize) Subject: W/1813 Virus (PC) I'm looking for info regarding the W/1813 virus. It seems that a PC in one our campus labs is infected and we can't get rid of the virus. Could someone please mail me info on symptoms and iradication methods for this virus. I would greatly appreciate it. |\ /| | | : Michael Mize | \/ | * __ |__ __ __ | : C. S. U., Fresno MS 93 | | | | | | | | |__| | : Fresno, Ca. 93740 | | | |__ | | |__|_ |__ |_ : mikem@gaudi.CSUFresno.edu ------------------------------ Date: Tue, 06 Feb 90 15:46:15 +0000 From: jjsc@informatics.rutherford.ac.uk Subject: Anyone heard of the SYSLOCK virus? (PC) I'm posting this request on behalf of a friend who doesn't have access to news. Also, I don't always read this newsgroup, so please mail any replies direct to me. If there is sufficient response, I will summarise to the net. The subject line says it all really...does anyone know anything about the so- called "SYSLOCK" virus, and in particular, how it works, how to get rid of it? It has been discovered on "Compaq 286 & 386's and PS2/30 + 20Mb HD". All my friend knows about it is that it appears to add ~3500 bytes to files and spreads quickly! Any help anyone could give would be much appreciated! Thanks in advance, John =============================================================================== John Cullen || JANET : jjsc@uk.ac.rl.inf System Support Group || ARPA : jjsc%inf.rl.ac.uk@nsfnet-relay.ac.uk Informatics Department || BITNET: jjsc%uk.ac.rl.inf@ukacrl Rutherford Appleton Laboratory || UUCP : {...!mcvax}!ukc!rlinf!jjsc Chilton, Didcot, Oxon. OX11 0QX || VOICE : +44 (0)235 821900 ext 5739 =============================================================================== ------------------------------ Date: Wed, 07 Feb 90 16:38:58 -0700 From: Peter Johnston Subject: Other progs identify trojans? (Mac) To the best of my knowledge, only SAM and the VD string I specified will identify these two trojans at the present time. I would assume that the anti-viral software developers will be updating their products fairly quickly, and would expect to see announcements fairly quickly though. One point I would like to re-iterate, as several people have contacted me about it and I may not have been very clear in my original posting: Neither the "Mosaic" nor the "FontFinder" trojans are viruses. Neither has the ability to reproduce or self-propigate. The only way that either of these applications can be duplicated is by a user copying the file, or by up/down-loading the files to/from a BBS... - - - - - - - - - - - - - - - - - - - - - - - - - - Peter Johnston, Senior Analyst, University Computing Systems, 352 - GenSvcBldg, The University of Alberta, Edmonton, Alberta, CANADA Voice: 403/492-2462 Bitnet: USERGOLD@UALTAMTS - - - - - - - - - - - - - - - - - - - - - - - - - - ------------------------------ Date: Wed, 07 Feb 90 18:49:30 -0500 From: Steven C Woronick Subject: copyrighting virus code M.J. Crepin-LeBlond suggests that all you have to do to make having virus code illegal (except for the privileged few who obtain permission) is to copyright it. I'm no lawyer, but it was my impression that once something has been released in some form (uncopyrighted) to the general public, it could then never be copyrighted. Even if you could copyright viral code, it's not likely to discourage the kind of people who write viruses (aren't those the ones you are really after?) from copying it. Also, what happens if some virus-loving person copyrights it before you do and then grants universal privilege to copy? Just wondering... ------------------------------ Date: Thu, 08 Feb 90 08:18:57 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: More about 847 (PC) The "Bulgarian" 847 virus is closely related to the Amstrad virus. They are not identical, however. The text is different, and some minor changes have been made to the code. It is however so similar that existing virus scanners can detect any program infected with "847" (PIXEL), "345" or "299". - -frisk ------------------------------ Date: 07 Feb 90 22:15:00 -0800 From: D1660@applelink.apple.com Subject: More on the new Mac Trojans More on the new Mac Trojans: In response to Peter Johnston's message about the Trojans Mosaic and FontFinder, I'd like to add a few things: The Trojans hang (whether or not SAM denied the write attempt) due to a bug in the code. When the bug is 'fixed', Mosaic goes on to give further information to the user about what it has done. As Peter mentioned, disks ARE undamaged if the Trojans' write attempt is denied in SAM. All versions of SAM will alert you to this write attempt with the message 'There is an attempt to bypass the file system'. HOWEVER, this alert will only be given to the user if SAM is configured in ADVANCED level. Again, the best protection, as always, is to be sure your files are backed up! Paul Cozza ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253