grr@cbmvax.UUCP (George Robbins) (01/01/89)
The following Virus report was posted on BIX today. My recollection is that Steve is English, so perhaps this virus hasn't arrived here. Still, be warned and take the usual care with suspicious disks...

TITLE: New Virus

While I'm not 100% certain of all the details of what this virus does, (I got it yesterday), I figure I should post this anyway. (What I do say here, I'm quite certain of).

I received in the mail a new virus, from 2 different continents on the same day. This one's NOT just another bootblock virus. This one affects executable programs. It attaches itself to them. But not just any executable (thankfully); what it does is it parses your startup-sequence looking for the first executable program there. That's the one it hits.

It doesn't seem to be malicious in any way, though it will crash your machine under KS 1.3. It intercepts the OpenLibrary() call (that's how it stays around - whenever OpenLibrary is called, it again checks the startup sequence (thinking maybe a disk has changed - it uses ":S/Startup-sequence" so it will go after any SS on the current disk)). It also uses a KickTagPtr, but I'm not sure what for yet. Seems to take about 10 seconds longer to boot, though.

Easy way to protect yourself from it: Change your startup sequence on any disk in any drive, so that the first character before the first executable filename is a TAB. The virus tries to Open() the whole line, parses out a few characters, but not the tab. Note that if you use a pathname as in DH0:C/BLAH, and you put a tab in front, you'll get a requester for [TAB]DH0:. Just use [TAB]C/BLAH or whatever.

For those out there who have been safe from boot block viruses thus far, well, this one you can get from a downloaded program. Ick. I'll be posting a little utility soon to check a program for this specific virus.

(Also, last thing it does: On its first invocation in a session, it will set the title bar of the ActiveWindow to its name (IRQ virus), and since it's running as the first thing in your startup sequence, it's changing the initial CLI window's title.)

...Steve

--
George Robbins - now working for,     uucp: {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing    arpa: cbmvax!grr@uunet.uu.net
Commodore, Engineering Department     fone: 215-431-9255 (only by moonlite)
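The TAB trick from Steve's report, as an added example that is not part of the original post: a small Python checker that finds the first command line of an AmigaDOS Startup-Sequence, reports whether it is TAB-protected, and inserts the TAB. Assumptions of mine, not the report's: lines starting with ';' are comments and are skipped along with blank lines when looking for the first executable, and a first token containing ':' is taken as a device-prefixed path (the DH0:C/BLAH case), so the function warns about the requester problem instead of silently producing a broken line. The sample Startup-Sequences are constructed, not taken from any real disk.

```python
# Added example, not from Steve's post: apply the "TAB before the first
# executable" defence to an AmigaDOS Startup-Sequence and check for it.
#
# Assumptions (mine): ';' lines are comments and blank lines are not
# commands, so the virus's "first executable program" is the first other
# line; a ':' in the first token marks a device-prefixed path such as
# DH0:C/BLAH, which the report says must not simply get a leading TAB.

def first_command_index(lines):
    """Index of the first line that holds a command, or None if there is none."""
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped and not stripped.startswith(";"):
            return i
    return None


def is_tab_protected(text):
    """True if the first command line starts with a TAB character."""
    lines = text.splitlines()
    i = first_command_index(lines)
    return i is not None and lines[i].startswith("\t")


def protect_startup_sequence(text):
    """Return (new_text, warnings) with a TAB inserted before the first command.

    Leaves an already protected file unchanged and warns when the first
    command carries a device prefix (DH0:..., C:...), since AmigaDOS would
    then put up a requester for a volume named "<TAB>DH0:" instead of
    running the command.
    """
    lines = text.splitlines()
    warnings = []
    i = first_command_index(lines)
    if i is None:
        return text, ["no command found in Startup-Sequence"]
    if lines[i].startswith("\t"):
        warnings.append("first command is already TAB-protected")
    else:
        lines[i] = "\t" + lines[i].lstrip(" ")
    command = lines[i].strip().split()[0]
    if ":" in command:
        device = command.split(":", 1)[0]
        warnings.append(
            f"first command '{command}' has a device prefix; with a leading TAB "
            f"AmigaDOS would put up a requester for a volume named '<TAB>{device}:'. "
            "Use a path relative to the current disk (e.g. C/<name>) on this line."
        )
    new_text = "\n".join(lines)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, warnings


# Constructed sample Startup-Sequences (not taken from any real disk).
SAMPLE_PLAIN = (
    "; Workbench 1.3 startup (constructed sample)\n"
    "SetPatch >NIL:\n"
    "AddBuffers df0: 20\n"
    "LoadWB\n"
    "EndCLI >NIL:\n"
)
SAMPLE_DEVICE = (
    "DH0:C/SetPatch >NIL:\n"
    "LoadWB\n"
)

if __name__ == "__main__":
    for name, sample in (("plain", SAMPLE_PLAIN), ("device", SAMPLE_DEVICE)):
        new, warnings = protect_startup_sequence(sample)
        print(name, "protected:", is_tab_protected(new), warnings)
```

Run it over a real S/Startup-Sequence before writing the result back; the warning for the device-prefix case is the signal to rewrite that line by hand as Steve suggests ([TAB]C/BLAH) rather than trusting the inserted TAB alone.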
grr@cbmvax.UUCP (George Robbins) (01/01/89)
More info from Steve Tibbett and co. on the New Year's virus this evening:

From BIX:
==========
One more item on the IRQ virus. If it can't attack your Startup-Sequence it will home in on C:DIR just to be sure that it gets executed. This is a benign intruder that can mutate to something real nasty in the hands of a sicko. We have the start of a real problem here.

Djj

[ which is to say it will modify the dir command if it can't mess with the startup-sequence... ]
==========
No, (I'm a bit rusty on this hunk stuff) I believe it sticks another code hunk at the beginning of your program, about 1.1K, and when it's done its job, it calls your original program. Note that if the first file in your startup sequence is over 100K long, it won't infect it. (big help, that... 8-)

I'm thinking of having an option in VirusX (or probably a separate standalone utility) that would block any CMD_WRITE operation to a disk device (and something that would just block Write() attempts), and give the user a requester showing who asked for the Write, and a Yes/No option. Not much good for general use, but it would help when checking out unknown programs.

...Steve

--
George Robbins - now working for,     uucp: {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing    arpa: cbmvax!grr@uunet.uu.net
Commodore, Engineering Department     fone: 215-431-9255 (only by moonlite)
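Steve mentions a utility to check a program for this virus and describes the infection as an extra code hunk of about 1.1K placed in front of the original program, skipped when the file is over 100K. As an added example, not Steve's utility or any code from the posts, here is a Python parser for the AmigaDOS hunk executable format (the HUNK_HEADER size table, followed by HUNK_CODE/DATA/BSS/RELOC32/SYMBOL/DEBUG/END blocks) with two heuristics derived from the report: a first HUNK_CODE of roughly 1.1K in a multi-hunk file is flagged as suspect, and a file larger than 100K is reported as outside the virus's size limit. The 1000-1300 byte window and the reading of "100K" as 100 x 1024 are my assumptions, the sample executables are constructed, and a heuristic hit is a reason to compare the file against a known-clean copy rather than a diagnosis.

```python
# Added example, not from the posts: parse the AmigaDOS "hunk" executable
# format and apply two heuristics taken from Steve's description of the IRQ
# virus (an extra ~1.1K code hunk in front of the program; files over 100K
# are left alone).  The byte window and the reading of "100K" as 100*1024
# are my assumptions; a hit means "compare with a known-clean copy".
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_SYMBOL, HUNK_DEBUG, HUNK_END = 0x3EC, 0x3F0, 0x3F1, 0x3F2
HUNK_NAMES = {HUNK_CODE: "HUNK_CODE", HUNK_DATA: "HUNK_DATA",
              HUNK_BSS: "HUNK_BSS", HUNK_DEBUG: "HUNK_DEBUG"}
TYPE_MASK = 0x1FFFFFFF   # top three bits of a hunk type word are memory/advisory flags
SIZE_MASK = 0x3FFFFFFF   # top two bits of a header size word are memory flags


class HunkReader:
    """Big-endian longword reader with bounds checking."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated hunk file at offset %d" % self.pos)
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def skip_longs(self, n):
        if self.pos + 4 * n > len(self.data):
            raise ValueError("truncated hunk file at offset %d" % self.pos)
        self.pos += 4 * n


def parse_hunk_file(data):
    """Return header hunk sizes (bytes) and the sequence of loadable/debug blocks."""
    r = HunkReader(data)
    if r.u32() != HUNK_HEADER:
        raise ValueError("not a hunk executable (no HUNK_HEADER)")
    while True:                      # resident library names, rarely used
        name_longs = r.u32()
        if name_longs == 0:
            break
        r.skip_longs(name_longs)
    table_size, first, last = r.u32(), r.u32(), r.u32()
    sizes = []
    for _ in range(last - first + 1):
        word = r.u32()
        if word >> 30 == 3:          # extended memory attributes: extra longword
            r.u32()
        sizes.append((word & SIZE_MASK) * 4)
    blocks = []
    while r.pos < len(data):
        kind = r.u32() & TYPE_MASK
        if kind in (HUNK_CODE, HUNK_DATA, HUNK_DEBUG):
            n = r.u32()
            blocks.append((HUNK_NAMES[kind], n * 4))
            r.skip_longs(n)
        elif kind == HUNK_BSS:
            blocks.append(("HUNK_BSS", r.u32() * 4))
        elif kind == HUNK_RELOC32:   # (count, target hunk, offsets...) until count 0
            while (n := r.u32()) != 0:
                r.u32()
                r.skip_longs(n)
        elif kind == HUNK_SYMBOL:    # (name length, name, value) until length 0
            while (n := r.u32()) != 0:
                r.skip_longs(n)
                r.u32()
        elif kind != HUNK_END:
            raise ValueError("unsupported hunk type 0x%X at offset %d" % (kind, r.pos - 4))
    return {"table_size": table_size, "first": first, "last": last,
            "sizes": sizes, "blocks": blocks}


def prepended_code_hunk_suspect(info, low=1000, high=1300):
    """Heuristic: first block is a HUNK_CODE of roughly 1.1K in a multi-hunk file."""
    if len(info["sizes"]) < 2 or not info["blocks"]:
        return False
    kind, size = info["blocks"][0]
    return kind == "HUNK_CODE" and low <= size <= high


def too_big_to_infect(file_size, limit=100 * 1024):
    """The report says a first file over 100K is not infected (limit assumed as 100*1024)."""
    return file_size > limit


def build_hunk_file(code_hunks):
    """Constructed sample builder: one HUNK_CODE + HUNK_END per entry, no relocs."""
    parts = [struct.pack(">IIIII", HUNK_HEADER, 0, len(code_hunks), 0, len(code_hunks) - 1)]
    parts += [struct.pack(">I", len(c) // 4) for c in code_hunks]
    for code in code_hunks:
        parts.append(struct.pack(">II", HUNK_CODE, len(code) // 4) + code + struct.pack(">I", HUNK_END))
    return b"".join(parts)


# Constructed samples: a 1100-byte stub of NOPs in front of a 300-byte program,
# and the 300-byte program on its own.
STUB, PROGRAM = b"\x4e\x71" * 550, b"\x4e\x75" * 150
SUSPECT_FILE = build_hunk_file([STUB, PROGRAM])
CLEAN_FILE = build_hunk_file([PROGRAM])

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_FILE), ("clean", CLEAN_FILE)):
        info = parse_hunk_file(blob)
        print(name, info["sizes"], info["blocks"],
              "suspect" if prepended_code_hunk_suspect(info) else "ok",
              "too big" if too_big_to_infect(len(blob)) else "in range")
```

To check a real program, read the file in binary mode and pass the bytes to parse_hunk_file; the header size table and the first block's type and size are what the check keys on, and the parser refuses truncated or non-hunk input rather than guessing.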