[comp.sys.mac] More fun with nasty trojans & virii

crimson@wpi.wpi.edu (The Wanderer) (02/06/90)

From bk1a+@andrew.cmu.edu Sat Feb  3 20:33:50 1990
From: Bryan Michael Kearney <bk1a+@andrew.cmu.edu>
To: crimson@wpi
Subject: Fwd: Some Virus Background

Thought you may find this interesting.....

-- bryan
---------- Forwarded message begins here ----------

Return-path: <ts2y+@andrew.cmu.edu>
Date: Fri,  2 Feb 90 13:11:34 -0500 (EST)
From: Thomas Louis Stachura <ts2y+@andrew.cmu.edu>
To: Bryan Michael Kearney <bk1a+@andrew.cmu.edu>
Subject: Fwd: Some Virus Background

---------- Forwarded message begins here ----------

Return-path: <hf07+@andrew.cmu.edu>
Date: Thu,  1 Feb 90 14:09:43 -0500 (EST)
From: Howard Haruo Fukuda <hf07+@andrew.cmu.edu>
To: User Services Students <us0s+students.general@andrew.cmu.edu>
Subject: Some Virus Background

   Since there was a request for more info on viruses and since I'm sooo
busy here in CFA (4 users), here's some stuff known about Mac viruses.
We basically see two types of viruses on campus, nVIR and WDEF, and I
haven't seen any of the others, like HPAT or INIT 29.

   nVIR has been around a while.  Story has it that "to better the Mac
community" a magazine published the source code of this virus in hopes
that the Mac would be made more virus-resistant.  As a result, nVIR has
many strands and clones.  We see mostly two strands called nVIR A or B.
There is an officially released version of Disinfectant 1.6 (released
about 2 days ago) that will handle nVIR and all nVIR clones like AIDS,
MEV#, and a newly discovered clone found at Stanford that uses a certain
4 letter word for its signature (*uck).
   nVIR infects applications, the System file, and the Finder.  If an
infected application is run, the virus will try to spread to other
applications, Systems, and Finders.  If a disk with an infected System
or Finder is the boot disk, the virus will try to infect as many
applications as it can.  To stop nVIR from spreading, we use RWatcher
on all of our startup disks.  If an infected application is opened, it
will try to infect other applications immediately, and RWatcher will
intercept this, beep 10 times, and then exit the application.  However,
some of our application disks, like MacWrite, could still be infected
if a user has his/her own startup disk which is infected.
   nVIR is transparent if RWatcher, Vaccine, GateKeeper, or SAM is not
present.  The only other symptom is that the user may get a system
error while trying to print.

   WDEF is one of the newest viruses.  WDEF was made to elude normal
virus protection schemes like Vaccine, GateKeeper, RWatcher, and SAM.
WDEF does not infect applications, but the desktop file on each disk.
WDEF can spread simply by inserting an infected disk into the disk
drive when the Finder is running.  If a disk that has WDEF is the
startup disk, all disks inserted will be infected.  WDEF can be removed
if the desktop is rebuilt (hold down command-option and insert the
disk), but the best way is to use Disinfectant 1.5 or 1.6.
   In general, WDEF is transparent.  A second strand of WDEF, called
WDEF B, will beep when it infects a disk, but WDEF, which has been seen
on campus, will not.  More system errors may occur, some erratic
MultiFinder, MacWrite II, or Word behavior may occur, but not
necessarily.  WDEF will crash a Mac IIci and be very buggy on IIcx's,
but in general it spreads silently.  In Baker, many disks that "need
minor repairs" were infected by WDEF A; however, a disk can be infected
without giving this error.  In general, the only way to tell if a disk
is infected is to run Disinfectant 1.5 or 1.6, or use GateKeeper Aid.

   Disinfectant has quite a detailed set of information on viruses; if
you want to know more, press the "about" box when you run it.

-Howard



From @po2.andrew.cmu.edu:bk1a+@andrew.cmu.edu Sun Feb  4 23:50:13 1990
Date: Sun,  4 Feb 90 23:47:51 -0500 (EST)
From: Bryan Michael Kearney <bk1a+@andrew.cmu.edu>
To: crimson@wpi
Subject: Fwd: Mosaic & FontFinder VIRUS!

---------- Forwarded message begins here ----------

Return-path: <ts2y+@andrew.cmu.edu>
Date: Sun,  4 Feb 90 22:37:03 -0500 (EST)
From: Thomas Louis Stachura <ts2y+@andrew.cmu.edu>
To: Bryan Michael Kearney <bk1a+@andrew.cmu.edu>
Subject: Fwd: Mosaic & FontFinder VIRUS!

---------- Forwarded message begins here ----------

Return-path: <pw1f+@andrew.cmu.edu>
Date: Sat,  3 Feb 90 21:45:28 -0500 (EST)
From: Pythagoras Christian Watson <pw1f+@andrew.cmu.edu>
To: User Services Students <us0s+students.official@andrew.cmu.edu>
Subject: Fwd: Mosaic & FontFinder VIRUS!


For those who don't read the cmu.mac bboard, I thought you should see this.

Forwarded message begins here: ----------------------------------------------

Not having seen anything on the net about the viruses embedded into the
applications Mosaic and FontFinder, I decided to post this message I
received through email.  If this is a re-post, well, sorry for wasting
the bandwidth, but this is a fairly important topic and I didn't want
anybody to miss it.
----------------------------------------------------------------------------

>From Christopher.A.Lasell@mac.dartmouth.edu Fri Feb  2 18:51:13 1990
Date: 02 Feb 90 18:47:56
From: Christopher.A.Lasell@mac.dartmouth.edu
To: Virus.Info@mac.dartmouth.edu,
        consultants@dartvax.dartmouth.edu (Kiewit Consultants),
        crc-staff@mac.dartmouth.edu, stu-asst@dartvax.dartmouth.edu
Subject: NEW VIRUS!!!!

--- Forwarded Message from rickc@eleazar.dartmouth.edu (Frederick L. Crabbe) ---

We have detected a new (to us) Macintosh trojan at the University of
Alberta.   Two different strains have been identified.   Both are dangerous.

The first strain is embedded in a program called 'Mosaic', type=APPL and
Creator=????.   When launched, it immediately destroys the directories
of all available physically unlocked hard and floppy disks, including
the one it resides on.   The attacked disks are renamed 'Gotcha!'.

Unmounted but available SCSI hard disks are mounted and destroyed by the
trojan.   The files of hard disks are usually recoverable with one of
the available commercial file utility programs, but often the data file
names are lost.   Files on floppy diskettes usually lose their Type and
Creator codes as well, making recovery a non-trivial procedure.

The second strain was detected in a Public Domain program called
'FontFinder', Type=APPL and Creator=BNBW.   It has a trigger date of
10 Feb 90.   Before that date, the application simply displays a list
of the fonts and point sizes in the System file.

On or after the trigger date, the trojan is invoked and disks are
attacked as for the first strain.   The trojan can be triggered by
setting forward the Mac system clock.

Because the second strain has a latency period during which it is non-
destructive, it is much more likely to be widespread.   Both trojans
were originally downloaded from a local Macintosh BBS here in Edmonton.
The second version was part of a StuffIt! archive named 'FontFinder.sit'
that also contained documentation and the source code for the FontFinder
application.   This source code does NOT contain the source code for the
trojan.

A quick-and-dirty search string for VirusDetective (v/3.0.1 or later)
has been developed that appears to detect the trojan engine in both
strains.   It is:

        Resource CODE & ID = 1 & Data 44656174685472616B

Note that this will detect the currently known versions, but may or may
not detect mutated versions of this trojan.

There is some evidence that these trojans are related based on
preliminary investigation of the code.   It has been speculated that the
second is an 'improved' version of the first (more sophisticated), or
that the two versions were developed by two individual perpetrators
working with the same trojan engine.   There easily could be more
versions either circulating or being developed.

This appears to be the first deliberately destructive malicious code
that targets on the Macintosh.   There is some suspicion that one or
both have been developed locally.   There is also the possibility that
one or both were uploaded from a BBS in the Seattle, Washington area.

Our investigation is far from complete, but is continuing.
Please warn your Mac users to make proper back-ups on a regular basis,
be suspicious of all software not received from a trusted source until
tested, and generally, to practice 'safe computing'.
Any additional information on these two trojans or similar malicious
code would be appreciated.   As and when our investigation turns up more
details, they will be posted...

Peter Johnston, P. Eng.
Senior Analyst, University Computing Systems,
352 - GenSvcBldg, The University of Alberta
Edmonton, Alberta CANADA   T6G 2H1
Phone:  403/492-2462
FAX:    403/492-7219
EMAIL:  usergold@ualtamts.bitnet
----------------------------------------------------------------------------

Just what we need!!!!

Py

Live long and may all your kernels pop.

- Tomme

"Blah, Blah, Blah..."




--  bryan


.....more for you to have nightmares about.......
			<crimson>


-- 
Disclaimer: "I'm the only one foolish enough to claim these opinions as mine."
Reality: crimson@wpi.wpi.edu		Outside: 100 Institute Rd #296
	 crimson@wpi.bitnet			 Worcester MA 01609
		"New Oldsmobiles are in early this year."