VIRUS-L Digest Monday, 2 Apr 1990 Volume 3 : Issue 66 Today's Topics: Stoned virus technical report (PC) New Macintosh virus: ZUC (Mac) Files on PC growing by 128 bytes (PC) New ZUC virus (Mac) Virus cure Response to Skulason Death of a Virus ZUC & SAM 2.0 (MAC) VIRUS-L is a moderated, digested mail forum for iscussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Tue, 27 Mar 90 15:05:06 -0800 From: CCML.RURES@f4.n494.z5.fidonet.org (CCML RURES) Subject: Stoned virus technical report (PC) Seeing the recent articles in lists.virus about the Stoned virus, I did some recent work on clearing this virus, and prepared an article (unpublished as at now) as appended. It's a bit long (750 lines), so I am hesitant to put it into the newsgroup without advice from someone like you. My article describes how the virus manifests itself, how it propogates, and gives the algorithm used. A source listing of the code takes up 250 lines, and it might well be of interest to someone who wishes to learn how these wretched things work. Feel free to put it into the newsgroups or anywhere else, simply acknowledge the source as mine. Mike Lawrie Director, Computing Services, Rhodes University, Grahamstown 6140, South Africa - --- Rhodes University condemns racism and racial segregation and strives to maintain a strong tradition of non-discrimination with regard to race and gender in the constitution of its student body, in the selection and promotion of its staff and in its administration. [Ed. Thank you for your effort, Mr. Lawrie! Due to the length of the report, I'm placing it for anonymous FTP on cert.sei.cmu.edu, and forwarding a copy to David Ferbrache, the U.K. VIRUS-L coordinator. The filename on cert.sei.cmu.edu (IP # 128.237.253.5) is: pub/virus-l/docs/stoned.descript.lawrie ] ------------------------------ Date: Fri, 30 Mar 90 10:30:13 -0700 From: Brian Bechtel Subject: New Macintosh virus: ZUC (Mac) This was posted on Applelink this morning. Obviously, the original message is from Compuserve. I know nothing more than what's posted below. - --Brian Bechtel blob@apple.com "My opinion, not Apple's" Sub: New Virus Discovered #: 38171 S12/Hot Topic 28-Mar-90 17:47:26 Sb: #New virus: ZUC.Virus Fm: Jeff Shulman 76136,667 To: ALL A new virus was discovered in Italy called the ZUC.Virus (after Don Zucchin who brought it to the attention of Francesco Giagnorio who sent it to me) that causes the cursor to "go crazy" within a few minutes after an infected application is run. PRELIMINARY information shows it to infect applications only by adding a 1256 byte piece of code at the end of the first executed CODE resource (much the same way the ANTI virus works). An infected application can be detected using VirusDetective 3.1.1 (or later) by adding the search string: Resource Start & Pos -1256 & Data 082A#F1655#30832 ; For finding ZUC.Virus At this point it is my personal belief that this virus is not wide-spread since Francesco spent around a month isolating it and no other "strange" reports have been seen. I would appreciate hearing from anyone who discovers this virus to see just how wide-spread it is. More info will be forthcoming as more is known about this virus. It has been sent to the Mash Mac Anti-Virus task force which I, and all the other Mac anti-viral authors, are on. Jeff Shulman VirusDetective author #: 38356 S12/Hot Topic 29-Mar-90 11:46:49 Sb: #38328-#New virus: ZUC.Virus Fm: Jeff Shulman 76136,667 To: Fred Hollander 72077,3544 (X) What ZUC.Virus will do 90 seconds after launching an infected application is take over the cursor and move it diagonally until you reboot. After looking at the code it seems harmless (though it can reboot your machine if it can't get the memory it needs) but VERY infectious. More news to follow. It only infects applications. Jeff ------------------------------ Date: 30 Mar 90 11:05:00 -0500 From: EVERHART@ARISIA.dnet.ge.com Subject: Files on PC growing by 128 bytes (PC) Where one finds a set of files that are 128 bytes too long, I would suspect that someone used the MSDOS BACKUP utility to copy a diskful of files, and some or all of the files were read onto the destination machine with COPY. Diskettes created by BACKUP have all the files under their original names, but there's a 128 byte header added to allow RESTORE to merge pieces of files correctly (and probably tell where the file goes in a directory tree). The resulting files sometimes will run, sometimes not, and often appear flaky. That EVERYTHING should be 128 bytes too long sounds like a screwup, though...not a virus. Glenn Everhart Everhart@Arisia.dnet.ge.com ------------------------------ Date: Fri, 30 Mar 90 15:24:23 -0700 From: Ben Goren Subject: New ZUC virus (Mac) Does anyone know if Gatekeeper/Gatekeeper Aid will block this? It sounds like it will, but has anyone checked? ........................................................................ Ben Goren T T T / Trumpet Performance Major )------+-+-+--====*0 Arizona State University ( --|-| |---) Internet: AUBXG%ASUACAD@ASUVM.INRE.ASU.EDU --+-+-+-- ........................................................................ ------------------------------ Date: 30 Mar 90 23:20:39 +0000 From: nguyen@presto.ig.com (Tan Nguyen) Subject: Virus cure Hi everyone, One IBM PC at my office gets infected by virus. I used Virscan(tm) from IBM and it detected some executable files *.EXE and *.COM are infected by 1813 or Jerusalem virus. Anybody knows any kind of software which can fix the don't have to reformat hard drive. Any public domain or commercial software can do the job? Any information is highly appreciated. Thanks, Tan Nguyen ------------------------------ Date: Sat, 31 Mar 90 11:39:00 -0500 From: WHMurray@DOCKMASTER.NCSC.MIL Subject: Response to Skulason >I estimate 20 infected programs on every Jerusalem-infected machine, >and 10 infected disketted for every Brain-infected computer. > >Of course, this estimate is probably wildly incorrect, but my point is that >Jerusalem is at least as common (probably more common) than Brain, even >though it is much younger. So - Dr. Tippett's formula simplifies >the situation too much. With all due respect to Fridrik Skulason's very valuable data, he has not seen Dr. Tippett's model, but only a brief conclusion about it made by me. While I think that Dr. Tippett will find Skulason's data and analysis as interesting and useful as I do, I think that Skulason will find the model not so naive as my brief observation might make it appear. >I am willing to admit that the number of viruses may increase exponentially >at first, but I think it would slow down later. My experience has shown, >that once a virus manages to infect a single computer in an organization, >it will usually spread throughout it in a month or two, no matter how large >the organization is. (Well, organizations here in Iceland are not >that large - The Bank of Iceland is one of the largest and they only have >something like 700 PCs). To the extent that the biological analogy holds, it is clear that viruses are self-limiting; they either kill off members of the host population or make them immune. However, this is one of the places that the analogy fails us. There is not auto-immune response to viruses; they must be treated. Second, treatment may not necessarily remove the machine from the target population. To return to the biological analogy, it clearly demonstrates that YOU CANNOT STOP THE SPREAD BY TREATING THE SYMPTOMS OF THE INFECTED. >The virus may remain unnoticed for a while, but once it it detected it is >eradicated in a single day. Usually the virus is not wiped out 100%, which >may cause it to reappear a month or two later - and then, finally, some >preventive software is installed. Contrary to the impression given here, the virus is NEVER eradicated completely. All infected machines in a sub-population may be purged, but the virus persists on the media vector and in other populations. The point is that waiting until the virus appears to immunize the population is too late. We are and have been doing that. It is part of the observed doubling time. William Hugh Murray, Fellow, Information System Security, Ernst & Young 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ------------------------------ Date: Sun, 01 Apr 90 01:18:48 -0600 From: Henry Treftz Subject: Death of a Virus I think when a discusion of a virus and how to deal with a virus is talked about it is a good iead to take a look at the first disease that man has been able to eliminate totaly. That is the Small Pox virus. How small pox was eliminated is fairly simple. Frist the conditions that led to small pox were eliminated then individual cases were delt with and treated so they could not spread. So I think a simular method should be used in dealing with a computer virus. I would recomend a issue of National Geographic that talked about Small Pox. I belive the issue is from 1978 some time but. . . . Any replies or alternate thoughts are welcome - ----------------------------------------------------------------------------- Henry A. Treftz Student Northern IL Univ |a10hat8@cs.niu.edu | DeKalb IL | 'My god it's full of stars' D. Bowman | - ----------------------------------------------------------------------------- \c- ------------------------------ Date: 30 Mar 90 19:07:00 -0800 From: harvard!applelink.apple.com!D1660@garp.MIT.EDU Subject: ZUC & SAM 2.0 (MAC) For SAM 2.0 users: A new virus has recently been discovered (now named ZUC). If you happen to run across the ZUC with SAM 2.0, you can expect to see the following. 1) If you are running in standard, advanced, or custom levels, SAM will alert you to ZUC's attempt to change CODE resources within applications when ZUC is trying to spread itself. Denying this attempt with SAM keeps the infection from spreading. 2) If you have previously inoculated your applications with Virus Clinic 2.0, then if ZUC has infected any files since inoculation (if, for instance, you had SAM Intercept turned off or set to basic level), then SAM will alert you to an inoculation discrepancy when you try to launch the infected file. 3) SAM Virus Clinic will also alert you to a checksum change to any infected files if you have turned on checksumming in the Virus Clinic scans. 4) You can configure SAM (both Virus Clinic and Intercept) to find ZUC during scans and application launches with the new virus definition feature. Using the Add Virus Definition option in Virus Clinic, create a new one with these fields: Virus Name: ZUC Resource Type: CODE Resource ID: 1 Resource Size: Any Search String: 4E56FF74A03641FA04D25290 (hexadecimal) String Offset: Any You can then add this definition to both Virus Clinic and SAM Intercept. One other note: SAM 2.0 also repairs files infected with multiple viruses! Paul Cozza SAM Author ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253