dplatt@coherent.com (Dave Platt) (11/23/88)
In article <5563@saturn.ucsc.edu> bushnel@ucscb.UCSC.EDU (Bill Bushnell) writes:
> I recently was given a disk full of PD software by a friend. I checked the
> disk with Interferon 3.1 before running any of the programs. Interferon gave
> me an error #002, ironically enough, in a file called "Kill Virus INIT" and
> in a file called "Kill Virus." Just thought I'd let people know...

That may not indicate infection. The nVIR virus can be kept from infecting files by installing a dummy "nVIR" resource (ID=10, I believe). Some anti-nVIR programs include such a resource in their own set, and/or will install such a resource in other applications in order to render these applications immune to infection. Naturally, the presence of this resource will tend to trigger infection-alerts by virus-seekers... and so it's not necessarily a good technique.

By analogy: there is an effective medical vaccine available against tuberculosis (I believe it's based on the related "BCG" bacterium) which is being used in some countries (mostly Third World, I believe). However, it's not being used in this country, because it interferes with the standard skin-patch screening test for TB infection. If you've received the BCG vaccine, then you'll respond with a "false positive" if tested for tuberculosis infection. The medical establishment in this country has decided to emphasize detection of TB infection, and treatment of those found to be infected, rather than vaccination against TB. Apparently, this makes good sense if the infection-rate is low (less expensive, no adverse allergic reactions to the vaccine, etc.). A preventive vaccine is preferable under conditions in which the disease is more common, victims are more difficult to locate and identify, or treatment is more difficult to render.

So... if you're willing to run Interferon frequently (to detect infections) and apply "safe software sex" techniques (to avoid exposure to infected applications), then you should probably not use a dummy-nVIR blocking technique such as (I believe) Kill Virus uses. On the other hand, if you're not willing to do these things, then you might as well install Kill Virus and have it inoculate your applications against nVIR, and accept the fact that Interferon and VirusDetective will scream bloody murder.

-- 
Dave Platt FIDONET: Dave Platt on 1:204/444
VOICE: (415) 493-8805
UUCP: ...!{ames,sun,uunet}!coherent!dplatt
DOMAIN: dplatt@coherent.com
INTERNET: coherent!dplatt@ames.arpa, ...@sun.com, ...@uunet.uu.net
USNAIL: Coherent Thought Inc. 3350 West Bayshore #205 Palo Alto CA 94303
ll12+@andrew.cmu.edu (Laura Ann Lemay) (11/23/88)
Kill Virus is equipped with a foil for the nVIR virus, which will keep it from getting infected. However, since the resource is called "nVIR", it trips up Interferon and other such programs.

Kill Virus is currently the best program for getting rid of nVIR. THE PROGRAM IS ***NOT*** infected!!!!

-Laura
hgw@julia.math.ucla.edu (Harold Wong) (11/24/88)
In article <UXWUfx928k-08X=WMv@andrew.cmu.edu> ll12+@andrew.cmu.edu (Laura Ann Lemay) writes:
>Kill Virus is equipped with a foil for the nVIR virus, which will keep it
>from getting infected. However, since the resource is called "nVIR",
>it trips up interferon and other such programs.
>
>Kill virus is currently the best program for getting rid of nVIR. THE
>PROGRAM IS ***NOT*** infected!!!!
>
>-Laura

Does KillVirus protect all applications or just those that were infected? With applications (PD and others) going through and being copied onto my drive, how will I know if the real (the bad one) nVIR shows up? It might start infecting other applications that did not get KillVirus protection.

It seems to me that KillVirus will add confusion to this virus problem.

-------------------------------------------------------------------------------
Harold Wong (213) 825-9040
UCLA-Mathnet; 3915F MSA; 405 Hilgard Ave.; Los Angeles, CA 90024-1555
ARPA: hgw@math.ucla.edu BITNET: hgw%math.ucla.edu@INTERBIT
newsuser@LTH.Se (LTH network news server) (11/25/88)
In article <UXWUfx928k-08X=WMv@andrew.cmu.edu> ll12+@andrew.cmu.edu (Laura Ann Lemay) writes:
>Kill Virus is equipped with a foil for the nVIR virus, which will keep it
>from getting infected. However, since the resource is called "nVIR",
>it trips up interferon and other such programs.
>
>Kill virus is currently the best program for getting rid of nVIR. THE
>PROGRAM IS ***NOT*** infected!!!!

Please do NEVER state that a program is NOT infected. You can't be sure! OK, it is normal for KillVirus to contain an nVIR resource, but what if some #[%&%[# idiot has put a real nVIR in it?

>-Laura
-- 
Roland Mansson, Lund University Computing Center, Box 783, S220 07 Lund, Sweden
Phone: +46-46107436 Fax: +46-46138225
Bitnet: roland_m@seldc52 Internet: roland_m@ldc.lu.se or roland_m%ldc.lu.se@uunet.uu.net
UUCP: {uunet,mcvax}!enea!ldc.lu.se!roland_m AppleLink: SW0022
ll12+@andrew.cmu.edu (Laura Ann Lemay) (11/27/88)
Roland Mansson writes, quoting me:
>>Kill virus is currently the best program for getting rid of nVIR. THE
>>PROGRAM IS ***NOT*** infected!!!!
>
>Please do NEVER state that a program is NOT infected. You can't be sure! OK, it
>is normal for KillVirus to contain an nVIR resource, but what if some #[%&%[#
>idiot has put a real nVIR in it?

Ah, but I CAN be sure. KillVirus is an INIT. Unless someone goes in and physically puts nVIR resources into it, there is NO WAY that it can become infected. And even if someone did put a virus in it, there is no way it could spread anywhere else. KillVirus is safe, and I still maintain that it's the best nVIR removal and protection program out there.

Laura Lemay
ll12+@andrew.cmu.edu
jrk@s1.sys.uea.ac.uk (Richard Kennaway CMP RA) (11/28/88)
In article <kXXnAh128k-0EOx2dn@andrew.cmu.edu>, ll12+@andrew.cmu.edu (Laura Ann Lemay) writes:
> Roland Mansson writes, quoting me:
> .Please do NEVER state that a program is NOT infected. You can't be sure!
>
> Ah, but I CAN be sure.
> KillVirus is an INIT. Unless someone goes in and physically puts nVIR
> resources into it, there is NO WAY that it can become infected.

That's a pretty big unless. Like saying, "Unless someone physically breaks in to my house, there is NO WAY anything can be stolen from it".

> And even if someone did put a virus in it, there is no way it could spread
> anywhere else.

Why not? INITs contain code. When run, it will do whatever it was programmed to do. It may be that nVIR itself doesn't work when run as INIT code, but there's no reason you can't make INIT viruses, or for that matter WDEF or cdev or MDEF viruses.

> KillVirus is safe, and I still maintain that its the best nVIR removal
> and protection program out there.

May well be (I don't have it - is it free? Can someone send me a binhex?) But how do you know that something called KillVirus hasn't been subverted?

> Laura Lemay
> ll12+@andrew.cmu.edu
-- 
Richard Kennaway SYS, University of East Anglia, Norwich, U.K.
uucp: ...mcvax!ukc!uea-sys!jrk Janet: kennaway@uk.ac.uea.sys
billkatt@caen.engin.umich.edu (Steve Bollinger) (11/29/88)
In article <199@s1.sys.uea.ac.uk> jrk@s1.sys.uea.ac.uk (Richard Kennaway CMP RA) writes:
>In article <kXXnAh128k-0EOx2dn@andrew.cmu.edu>, ll12+@andrew.cmu.edu (Laura Ann Lemay) writes:
>> Roland Mansson writes, quoting me:
>> .Please do NEVER state that a program is NOT infected. You can't be sure!
>>
>> Ah, but I CAN be sure.
>> KillVirus is an INIT. Unless someone goes in and physically puts nVIR
>> resources into it, there is NO WAY that it can become infected.
>
>That's a pretty big unless. Like saying, "Unless someone physically breaks
>in to my house, there is NO WAY anything can be stolen from it".

He is right, nVIR is not programmed to infect anything but applications and System files. An INIT cannot be infected automatically (someone would have to use ResEdit and put the nVIR in there; I don't know why they would, though, see below).

>> And even if someone did put a virus in it, there is no way it could spread
>> anywhere else.
>
>Why not? INITs contain code. When run, it will do whatever it was
>programmed to do. It may be that nVIR itself doesnt work when run as INIT
>code, but there's no reason you cant make INIT viruses, or for that matter
>WDEF or cdev or MDEF viruses.

nVIR works by patching the CODE resource ID=0 to jump to itself. INITs don't contain CODE resources, although they do contain INIT resources which consist of code, but that isn't the same thing. Therefore, there is no way for nVIR to patch anything in order to be executed. It is a common misconception that you can just place a resource in a file and it will be executed automatically. On the other hand, you are right, someone could write an INIT virus (i.e., a virus that is an INIT resource and spreads to other INIT files), but nVIR isn't an INIT virus and can't spread through INITs.

Steve Bollinger
4297 Sulgrave Dr., Swartz Creek, Mi. 48473
Internet: billkatt@caen.engin.umich.edu
"My employer doesn't take my opinion any more seriously than you do."
"You remember the IIe, it was the machine Apple made before they decided people didn't need machines with big screens, color, or slots." - Harry Anderson (from NBC's Night Court)
tim@hoptoad.uucp (Tim Maroney) (11/30/88)
In article <3ff51312.129dc@blue.engin.umich.edu> billkatt@caen.engin.umich.edu (Steve Bollinger) writes:
>nVIR works by patching the CODE resource ID=0 to jump to itself. INITs don't
>contain CODE resources, although they do contain INIT resources which consist
>of code, but that isn't the same thing. Therefore, there is no way for nVIR to
>patch anything in order to be executed. It is a common misconception that
>you can just place a resource in a file and it will be executed automatically.

That's exactly how a hypothetical INIT virus would work. The INIT 31 mechanism will execute all INIT resources with legal ids in an INIT, RDEV, or cdev file. It's much easier to write an INIT virus than an application virus, since all you have to do is put the resource into the file. No jump table patching is required.

-- 
Tim Maroney, Consultant, Eclectic Software, sun!hoptoad!tim
"When the writer becomes the center of his attention, he becomes a nudnik. And a nudnik who believes he's profound is even worse than just a plain nudnik." -- Isaac Bashevis Singer
davew@hpdsla.HP.COM (Dave Waller) (11/30/88)
Well gang,

Through the continued discussion over how it might or might not be possible to infect the Kill Virus INIT, we have once again given all the information necessary to write a virus that will operate in just such a fashion. I am not going to detail these steps, as I don't want to contribute to some scum's ability to do so. However, although viruses are a hot topic and everyone wants to know about them, we would be wise to limit discussion to eradication of known viruses, identification of symptoms, and limit the technical "how does it work" discussions to more private forums like E-mail or even better yet, land-lines.

Dave Waller
Technical Computer Group
Hewlett-Packard Co.
Pacific Technology Park
Sunnyvale, CA
(408) 746-5324
[ucbvax!]hplabs!hpdstma!dave
ll12+@andrew.cmu.edu (Laura Ann Lemay) (11/30/88)
Tim Maroney says:
>In article <3ff51312.129dc@blue.engin.umich.edu> billkatt@caen.engin.umich.edu
>(Steve Bollinger) writes:
>>nVIR works by patching the CODE resource ID=0 to jump to itself. INITs don't
>>contain CODE resources, although they do contain INIT resources which consist
>>of code, but that isn't the same thing. Therefore, there is no way for nVIR to
>>patch anything in order to be executed. It is a common misconception that
>>you can just place a resource in a file and it will be executed automatically.
>
>That's exactly how a hypothetical INIT virus would work. The INIT 31
>mechanism will execute all INIT resources with legal ids in an INIT,
>RDEV, or cdev file. It's much easier to write an INIT virus than an
>application virus, since all you have to do is put the resource into
>the file. No jump table patching is required.

Yes yes yes. But the point Steve (as well as myself) is making is that *nVIR* resources cannot be run without the jump table patching, which INITs don't have. A hypothetical virus was not what we were talking about.

And discussion of how to write a "hypothetical virus" might well be better conducted through Email, rather than posting....who knows what evil hackers might be out there looking for ideas. :-)

-Laura Lemay
ll12+@andrew.cmu.edu
(nice mail only, I'm a sensitive soul) :-)
borton@uva.UUCP (Chris Borton) (12/01/88)
In article <223@sunset.MATH.UCLA.EDU> hgw@math.ucla.edu (Harold Wong) writes:
>In article <garbage #> ll12+@andrew.cmu.edu (Laura Ann Lemay) writes:
>>Kill Virus is equipped with a foil for the nVIR virus, which will keep it
>>from getting infected. However, since the resource is called "nVIR",
>>it trips up interferon and other such programs.
>>
>>Kill virus is currently the best program for getting rid of nVIR. THE
>>PROGRAM IS ***NOT*** infected!!!!
>>
>Does KillVirus protect all applications or just those who were infected?
>With applications (pd and others) going through and being copied onto my
>drive how will I know if the real (the bad one) nVIR shows up? It might start
>infecting other applications that did not get KillVirus protection.
>
>It seems to me that KillVirus will add confusion to this virus problem

There seems to be plenty of confusion around about nVIR, which is understandable. I'll summarize this as I know it; please add corrections if necessary (but only if you REALLY know--discuss it otherwise) and spread this information around as widely as possible to avoid this confusion.

nVIR has a built-in inhibitor, probably so that the originator wouldn't infect his whole system as well. The virus checks for the existence of the resource 'nVIR 10' in the System file, and if it's there then it doesn't infect anything.

The KillVirus INIT from Matthias Urlichs is an INIT that installs this inhibitor resource into the System file. [Programmer note: given the confusion this now causes, it might have been more appropriate to build that resource on the fly]. Hence, with the KillVirus INIT your system will be immune to attacks of nVIR and further spreading of nVIR.

To my knowledge, KillVirus does NOT do anything to applications at all. Hence, if you have an infected application, it will be benign on your KillVirus-protected system, but if you give it to your friend who is not protected, then he will become infected.

The best solution I know of:

1) Boot from a locked, positively-healthy system.
2) Run "Vaccination" on ALL programs you have. This will remove the virus if it exists, preventing further spread.
3) Replace all Systems with a known good System. If this is too painful, it can be done with ResEdit hacking, but you'd better know what you're doing. Just remove all 7 nVIR resources and INIT 32.
4) Replace the Finder and DA Handler, as the original version of Vaccination did not recognize these and they infect.
5) Keep KillVirus, VirusWarningINIT, and/or Vaccine in your system folder.

The differences:

KillVirus: defends attacks, will not allow spread. Installs benign nVIR 10 resource in System file. Does not, I believe, alert you when an attack has occurred.

VirusWarningINIT: emits a series of beeps when an attack (attempt at infection) has occurred. Does NOT prevent the infection, but you will know about it and hence can immediately kill it.

Vaccine: will cause system bomb when nVIR attacks. This is because it is trying to use a dialog/menubar at a time when that isn't allowed. Thus, if you have a consistent bomb under MultiFinder with a program you know works, immediately check it for nVIR.

I hope this clarifies a few things. There are plenty of items that might have been done much more clearly (the naming of these things, for one) but they usually originate in a crisis under duress and time pressure. The best prevention overall is user education -- a little bit can go a long way. [Personal note: unfortunately the media could use some as well in order to prevent wild rumors, spreading false information and blind fear.]

[[Oh, a sample? CNN during the InterNet Worm crisis:
4:12 reporter: "...but the virus apparently does not do any damage to data."
4:25 anchorperson: "stay tuned, in 10 minutes another report on the data-devouring virus attacking computers all over the country." ]]

-cbb
-- 
Chris Borton borton%uva@mcvax.{nl,bitnet,uucp}
Rotary Scholar, University of Amsterdam CS
isle@eleazar.dartmouth.edu (Ken Hancock) (12/03/88)
In article <579@uva.UUCP> borton@uva.UUCP (Chris Borton) writes:
>In article <223@sunset.MATH.UCLA.EDU> hgw@math.ucla.edu (Harold Wong) writes:
>>In article <garbage #> ll12+@andrew.cmu.edu (Laura Ann Lemay) writes:
>nVIR has a built-in inhibitor, probably so that the originator wouldn't
>infect his whole system as well. The virus checks for the existence of the
>resource 'nVIR 10' in the System file, and if it's there then it doesn't infect
>anything.
>
>The KillVirus INIT from Matthias Urlichs is an INIT that installs this
>probitor resource into the System file. [Programmer note: given the confusion
>this now causes, it might have been more appropriate to build that resource on
>the fly]. Hence, with the KillVirus INIT your system will be immune to
>attacks of nVIR and further spreading of nVIR.
>
>To my knowledge, KillVirus does NOT do anything to applications at all. Hence,
>if you have an infected application, it will be benign on your KillVirus-
>protected system, but if you give it to your friend who is not protected, then
>he will become infected.

According to the documentation, KillVirus DOES remove nVIR from any infected application any time an infected application is launched.

As far as creating the nVIR on the fly, that won't solve any problems. Everyone will still see that the system is infected with nVIR.

Seeing that so many people are so hyped up about viruses, it would seem that instead of just throwing all these things in the system folder and then jumping up and down yelling "It's infected", they'd take the time to first find out what does what and stop all this blown-out-of-proportion panicking.

Ken

Ken Hancock '90, Personal Computing Ctr Consultant
BITNET/UUCP/INTERNET: isle@eleazar.dartmouth.edu
DISCLAIMER? I don't get paid enough to worry about disclaimers.
Mark_Peter_Cookson@cup.portal.com (12/03/88)
Just a thought, couldn't the nVIR in Kill Virus be one of those phony nVIRs that fakes the real one out so that it doesn't execute???

Mark Cookson
michael@taniwha.UUCP (Michael Hamel) (12/04/88)
In article <579@uva.UUCP> borton@uva.UUCP (Chris Borton) writes:
>nVIR has a built-in inhibitor, probably so that the originator wouldn't
>infect his whole system as well. The virus checks for the existence of the
>resource 'nVIR 10' in the System file, and if it's there then it doesn't infect
>anything.

Actually it checks for INIT 32 as well, and my own anti-nVIR program, AntiPan, installs this into systems to immunise them instead of nVIR 10 because of the likely confusion.

AntiPan exterminates nVIR from the system files and all applications on whatever volume you point it at. It also requires you to reboot if nVIR is resident in the system heap. Someone (I'm afraid I don't recall who) posted a remark recently saying that AntiPan sometimes failed. I tried to mail him, but I assume my mail got lost as I have had no reply. I would be most interested in any known cases of failure, as I know of none and will fix any bugs when I get back to the sources in New Zealand next week...

-- 
"In challenging a kzin, a simple scream of rage is sufficient. You scream and you leap."
Michael Hamel ..!{unisoft|mtxinu}!taniwha!michael
brecher@well.UUCP (Steve Brecher) (12/07/88)
In article <579@uva.UUCP>, borton@uva.UUCP (Chris Borton) writes:
> The virus checks for the existence of the resource 'nVIR 10' in the System
> file, and if it's there then it doesn't infect anything.

Actually, nVIR checks for nVIR 10 by calling GetResource. Therefore, Suitcase II users can gain the inhibition effect by creating a file containing an nVIR 10 resource and keeping the file open with Suitcase II. I am the author of Suitcase II.

-- 
brecher@well.UUCP (Steve Brecher)
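The two mechanisms argued over in Borton's summary and Brecher's follow-up (the inhibitor check that a dummy 'nVIR' 10 satisfies, and the scanner alarm that the same dummy triggers) are easy to get confused without something concrete in front of you. The model below is an added example for this thread, not code from KillVirus, Interferon, AntiPan, Suitcase II or the virus. It models a resource fork as a dictionary keyed by (type, id) with placeholder contents, mimics the GetResource search order over a chain of open resource files (most recently opened first, System last), and contrasts a naive "any nVIR resource" alarm with a triage that treats a lone 'nVIR' 10 as the inoculation Borton describes. The resource types and IDs are the ones the thread names ('nVIR' 10, 'INIT' 32, 'CODE' 0); the seven placeholder nVIR IDs in the constructed "infected" System are not the real ones.

```python
"""Model of nVIR's inhibitor check and the scanner false positive it causes.

Added example for this thread, not code from KillVirus, Interferon, AntiPan,
Suitcase II or the virus itself. Resource forks are dictionaries keyed by
(type, id); every data value is a constructed placeholder.
"""
from dataclasses import dataclass, field

INOCULATION = ("nVIR", 10)   # dummy resource KillVirus puts in the System file
INIT_MARKER = ("INIT", 32)   # marker AntiPan installs instead (Hamel's post)


@dataclass
class ResFile:
    """One file's resource fork: name plus a (type, id) -> bytes map."""
    name: str
    resources: dict = field(default_factory=dict)


def get_resource(chain, rtype, rid):
    """Mimic the Toolbox GetResource search order: the most recently opened
    resource file is searched first and the System file (chain[0]) last.
    Returns (owning file name, data) or None."""
    for rf in reversed(chain):
        if (rtype, rid) in rf.resources:
            return rf.name, rf.resources[(rtype, rid)]
    return None


def nvir_inhibited(chain):
    """nVIR's own self-check as the thread describes it: a GetResource call
    for 'nVIR' 10 (Borton, Brecher) or 'INIT' 32 (Hamel). Any file open in
    the chain satisfies it, which is why Brecher's Suitcase II trick works."""
    return (get_resource(chain, *INOCULATION) is not None
            or get_resource(chain, *INIT_MARKER) is not None)


def naive_alert(rf):
    """Interferon-style rule: any resource of type 'nVIR' raises an alarm.
    This is the rule that fires on an inoculated but uninfected file."""
    return any(rtype == "nVIR" for rtype, _ in rf.resources)


def classify(rf):
    """Inoculation-aware triage. A lone 'nVIR' 10 is exactly what a dummy
    looks like; an infected System (per Borton) carries seven nVIR resources
    plus INIT 32, so anything beyond the single dummy goes to a disinfector.
    An AntiPan-marked System holds only 'INIT' 32 and no nVIR resources, so
    it stays 'clean' here."""
    nvir_ids = {rid for rtype, rid in rf.resources if rtype == "nVIR"}
    if not nvir_ids:
        return "clean"
    if nvir_ids == {INOCULATION[1]}:
        return "inoculated"
    return "suspect"


def sample_files():
    """Constructed forks for the three cases discussed in the thread."""
    code = {("CODE", 0): b"jump table", ("CODE", 1): b"main segment"}
    infected = {("nVIR", n): b"<placeholder>" for n in range(7)}  # IDs are placeholders
    infected[INIT_MARKER] = b"<placeholder>"
    return {
        "clean_app": ResFile("Clean App", dict(code)),
        "inoculated_app": ResFile("Inoculated App", {**code, INOCULATION: b"\x00" * 8}),
        "infected_system": ResFile("Infected System", infected),
    }


def suitcase_chain():
    """System without the dummy, plus a separate file holding 'nVIR' 10 kept
    open the way Brecher describes (Suitcase II itself is not modelled)."""
    system = ResFile("System")
    holder = ResFile("Inhibitor Suitcase", {INOCULATION: b"\x00" * 8})
    return [system, holder]


if __name__ == "__main__":
    for label, rf in sample_files().items():
        print(f"{label:16} naive_alert={naive_alert(rf)!s:5} classify={classify(rf)}")
    print("inhibited via open suitcase file:", nvir_inhibited(suitcase_chain()))
```

The point of `classify` is not that a lone 'nVIR' 10 proves a file is safe (Mansson's objection stands: a dummy and a deliberately planted resource look the same from the outside); it is that a scanner which cannot tell "one dummy" from "seven resources plus INIT 32" will keep shouting at every KillVirus user, which is the complaint that opened the thread.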
lbaum@bcsaic.UUCP (Larry Baum) (12/08/88)
In article <226@taniwha.UUCP> michael@taniwha.UUCP (Michael Hamel) writes:
>
>AntiPan exterminates nVIR from the system files and all applications
>on whatever volume you point it at. It also requires you to
>reboot if nVIR is resident in the system heap. Someone (I'm afraid I
>don't recall who) posted a remark recently saying that AntiPan sometimes
>failed. I tried to mail him, but I assume my mail got lost as I have had no
>reply. I would be most interested in any known cases of failure, as I know
>of none and will fix any bugs when I get back to the sources in New Zealand
>next week...

As it happened we discovered nVIR on our system just as AntiPan arrived. It was extremely effective but it did fail on a couple of files. All but one of these were Lightspeed C applications and Lightspeed C itself. We used Virus Detective on those and that seems to have fixed the problem. Someone has told me that LSC has nVIR immunity built in (with dummy nVIR resources maybe?), so that might be the reason. The only other interesting thing that happened is that even though AntiPan reported no problem with DA Handler (i.e. it either claimed to have disinfected it or found it clean), Virus Detective still found nVIR when we ran it subsequent to using AntiPan.

LSB
michael@taniwha.UUCP (Michael Hamel) (12/11/88)
In article <9062@bcsaic.UUCP> lbaum@bcsaic.UUCP (Larry Baum) writes:
>As it happened we discovered nVIR on our system just as AntiPan arrived. It was
>extremely effective but it did fail on a couple of files. All but one of these
>were Lightspeed C applications and Lightspeed C itself.

Ha! We haven't got LS C at Otago, it must be doing something interesting. Thank you, I will fix this.

> The only other interesting thing that happened is that even though
>AntiPan reported no problem with DA Handler (i.e. it either claimed to have
>disinfected it or found it clean), Virus Detective still found nVIR when we ran it
>subsequent to using AntiPan.

Damn. AntiPan checks files with a type of 'APPL' or a creator of 'MACS'. I thought this covered what nVIR could get into, but DA Handler must be an exception. I will enlarge its range. Thank you very much, this is exactly the kind of feedback I need...

-- 
Where now are those who in times past have opposed the Group of Seventeen?
Michael Hamel University of Otago ..!ucbvax!michael@otago.ac.nz
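Hamel's diagnosis (AntiPan picked candidate files by Finder type 'APPL' or creator 'MACS', and DA Handler fell outside that rule) is a coverage bug rather than a detection bug, and it is worth seeing how a scanner can check its own coverage. The example below is added for this thread and is not AntiPan's code. It builds a constructed volume listing, applies AntiPan's metadata rule as Hamel states it beside a content rule that selects on what the resource fork actually holds (CODE resources, which Bollinger says nVIR patches, or nVIR resources, which Borton says it leaves behind), and reports the files only the content rule would have examined. The type/creator codes for System ('ZSYS'/'MACS'), Finder ('FNDR'/'MACS') and a TeachText document ('TEXT'/'ttxt') are real; DA Handler's are written as '????' because the thread only says it fell outside AntiPan's rule.

```python
"""Which files does a disinfector look at? A coverage check for the gap Hamel
describes: AntiPan's 'APPL'-type-or-'MACS'-creator rule missed DA Handler.

Added example, not AntiPan's code. The volume listing is constructed; DA
Handler's type/creator are '????' placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    ftype: str            # Finder file type
    creator: str          # Finder creator code
    restypes: frozenset   # resource types present in the file's resource fork


def by_metadata(e):
    """AntiPan's selection rule as Hamel states it."""
    return e.ftype == "APPL" or e.creator == "MACS"


def by_content(e):
    """Select on what the resource fork holds instead of who wrote the file:
    nVIR patches CODE 0 (Bollinger) and leaves nVIR resources behind (Borton),
    so any fork with CODE or nVIR resources is worth examining."""
    return bool(e.restypes & {"CODE", "nVIR"})


def select(volume, policy):
    """Names of the entries a selection policy would hand to the disinfector."""
    return [e.name for e in volume if policy(e)]


def coverage_gap(volume):
    """Files the content rule would examine but the metadata rule skips."""
    return sorted(set(select(volume, by_content)) - set(select(volume, by_metadata)))


def sample_volume():
    """Constructed listing: one application, the two Apple system files, the
    file Hamel's rule missed, and a document with no resource fork."""
    return [
        Entry("MacWrite", "APPL", "MACA", frozenset({"CODE"})),
        Entry("System", "ZSYS", "MACS", frozenset({"INIT", "nVIR"})),  # carries the dummy nVIR 10
        Entry("Finder", "FNDR", "MACS", frozenset({"CODE"})),
        Entry("DA Handler", "????", "????", frozenset({"CODE"})),     # placeholder type/creator
        Entry("ReadMe", "TEXT", "ttxt", frozenset()),
    ]


if __name__ == "__main__":
    vol = sample_volume()
    print("metadata rule examines:", select(vol, by_metadata))
    print("content rule examines: ", select(vol, by_content))
    print("missed by metadata rule:", coverage_gap(vol))
```

Selecting on fork contents costs a resource-map read per file instead of a directory lookup, which is why a 1988 scanner would reach for the type/creator shortcut; running the two policies side by side over a volume is a cheap way to find out what the shortcut is silently skipping before a user does.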