[comp.virus] New Virus?

jap2_ss@uhura.cc.rochester.edu (Joseph Poutre) (09/29/89)

We here at the University of Rochester may have discovered a new
virus, or a variation on a theme.  What it does is infect Macwrite and
the Chooser, so that when a document is printed, Macwrite crashes.
The virus changes the name to Macwight or Macwite, but this is the
only clue so far.  I am trying to get more data, but none is
forthcoming.  I will do what I can today and tomorrow, and give
further reports.  Disinfectant 1.1 doesn't work, so please email me the
latest version of disinfectant to try.  The sooner the better, because
the Vice-Provost's office is infected, and they may lose a 75 page
report for the government.  (What, no backups?  What do you think.
Argh.)

The Mad Mathematician
jap2@uhura.cc.rochester.edu
Understand the power of a single action.  (R.E.M.)

XRJDM@SCFVM.GSFC.NASA.GOV (Joe McMahon) (10/03/89)

>Subject: New virus? (Mac)

I'm afraid so...

>We here at the University of Rochester may have discovered a new
>virus, or a variation on a theme.  What it does is infect Macwrite ...
 (sundry details omitted)
>             ... Disinfectant 1.1 doesn't work, so please email me the
>latest version of disinfectant to try...

I'm afraid it won't help. You should send some mail to John Norstad
*immediately* and let him know about it. He may request a copy of your
infected files. His net address is in the Disinfectant documentation.

>The virus definitely attacks Macwrite.  It adds a str ID 801 and
>modifies the icon to say Macwite instead of the standard application
>icon.  The application increases in size by 104 bytes, 56 in the
>string.  They are added in sector 014F, according to Fedit Plus 1.0.

Actually, you should check it out with ResEdit and see what resource
they get added to. Ditto for the System; look for INIT resources.
There are a few that are supposed to be there, but the virus may add
new ones.
 (more details omitted)

This sounds very much like a new virus. Do you have Vaccine or GateKeeper
installed? Either should keep infections from spreading, unless the
virus is doing its own disk I/O at the driver level (very dangerous
and could lead to screwed-up disks).

Things to try:
  - Write-protect a known-clean version of MacWrite and try running
    it on the infected system.
  - Change another application's signature (type/creator) to MacWrite's
    and see if the virus tries to infect it.
  - Name MacWrite something else and see if it is attacked.
  - Look at the system heap with Macsbug and try to identify all
    of the resources loaded into it. This may help in tracking down
    the infection mechanism.

I'd appreciate hearing further details; post them to me personally
if you'd like.

 --- Joe M.

XRJDM@SCFVM.GSFC.NASA.GOV (Joe McMahon) (02/22/90)

Michael Greve <GREVE@wharton.upenn.edu> writes:
>      I think a new MAC virus has turned up here at Penn...
>       ...When I put the disk into my machine Gatekeeper Aid removed a
>WDEF A virus then I got a message saying "GateKeeper found an "Implied
>Loader 'INIT'" virus, it has been removed"...

It sounds as if you *might* have a case of INIT 29 running around.
Gatekeeper and Vaccine both block INIT 29, and Disinfectant will
remove it.

 --- Joe M.

warthman@softvax.radc.af.mil (WARTHMAN) (08/16/90)

I received a report last night about a potentially new virus - a
variant of MDEF. The report originated with Symantec, but I haven't as
yet gotten confirmation. Has anyone else heard of this one?
Symantec's present guidance is:

> SAM 2.0.2B users, set your protection level to Advanced or Custom
> with all the options checked, and when SAM Intercept alerts you
> to an MDEF resource being modified, just choose DENY.

Any further information is appreciated.

- -- Jim Warthman
- -- Principal Engineer & Macaholic
- -- Computer Science Innovations, Inc.
- -- voice 407-676-2923
- -- Internet Warthman@SOFTVAX.RADC.AF.MIL

PSYMCCAB@VM.UoGuelph.CA (Bob McCabe) (12/08/90)

   I got word today of a possible new virus that was apparently deliberately
spread around at the Canadian Computer Show. As I have not heard or seen
any postings of a similar virus I thought I'd post a description here to
see if anyone knows anything about it.
   The virus apparently infects the CMOS on an AT, changing the drive type
after an incubation period, and then locking out the hard drive. It can be
spread by running a program from an infected disk (how disks are infected
is unknown, nor is it known if a particular program is the source).
  According to one distributor that got hit, the only way to remove the
virus is to disconnect the AT board from the battery backup and to wipe the
BIOS on the hard disk controller. This may be a little extreme, but I have
yet to see an infected machine.
    Apparently there is also a message displayed when the virus becomes
active, calling the virus 'THE INVADER'.
  Does this sound similar to any known virus? Does SCAN pick up the virus, and
if so which version? Is there a simpler way to remove the virus from an
infected machine?   Any help would be appreciated. I should get a copy of
an infected disk on Monday and may have more information then.

========================================================================
INET       : PSYMCCAB@VM.UOGUELPH.CA                Bob McCabe
CoSy       : bmccabe                                Psychology Dept.,
Compuserv  : 72260,1501                             University of Guelph
Phone      : (519) 821-8982                         Guelph, Ont. Canada
=========================================================================

davidsen@crdos1.crd.ge.COM (Wm E Davidsen Jr) (12/11/90)

PSYMCCAB@VM.UoGuelph.CA (Bob McCabe) writes:

|   According to one distributor that got hit, the only way to remove the
| virus is to disconnect the AT board from the battery backup and to wipe the
| BIOS on the hard disk controller. This may be a little extreme, but I have
| yet to see an infected machine.

  This is unlikely. Any decent BIOS will have a way to get into the CMOS
config at cold boot time. The parameters can then be set well enough to
boot from your recovery floppy and restore the CMOS you saved when you
made the disk, right before you write protected it.

  A number of programs to save and restore CMOS are on archives and have
been posted to c.b.i.p as well.

  If you have a NEAT chipset you should back up the settings of that
with setneat.
--
bill davidsen	(davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen)
    VMS is a text-only adventure game. If you win you can use unix.

Otto.Makela@jyu.fi (Otto J. Makela) (12/15/90)

davidsen@crdos1.crd.ge.COM (Wm E Davidsen Jr) writes:
   PSYMCCAB@VM.UoGuelph.CA (Bob McCabe) writes:
   |   According to one distributor that got hit, the only way to remove the
   | virus is to disconnect the AT board from the battery backup and to wipe the
   | BIOS on the hard disk controller. This may be a little extreme, but I have
   | yet to see an infected machine.

     This is unlikely. Any decent BIOS will have a way to get into the CMOS
   config at cold boot time. The parameters can then be set well enough to
   boot from your recovery floppy and restore the CMOS you saved when you
   made the disk, right before you write protected it.

Some Suntac chip sets CAN be set by CMOS to such a state that the CPU
will hang even before it can start up the BIOS.  It has to do with
setting the memory wait states and refreshes.  If you manage to set it
up incorrectly, you WILL have to disconnect the battery and wait for
the CMOS to go dead.

However, there seems to be some confusion about "viruses in CMOS".
Facts are, on a PC/AT the CMOS is not in the processor address space
-> no programs can reside in it.  Thus, all a virus can do is scramble
the CMOS contents.
--
   /* * * Otto J. Makela <otto@jyu.fi> * * * * * * * * * * * * * * * * * * */
  /* Phone: +358 41 613 847, BBS: +358 41 211 562 (CCITT, Bell 24/12/300) */
 /* Mail: Kauppakatu 1 B 18, SF-40100 Jyvaskyla, Finland, EUROPE         */
/* * * Computers Rule 01001111 01001011 * * * * * * * * * * * * * * * * */
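Bill's advice to save a CMOS image before trouble and restore it afterwards, and Otto's point that a virus can only scramble CMOS contents, both come down to comparing a saved image against the current one. The following is an added example (not code from any post in this thread) that does that comparison on 64-byte images; the offsets follow the IBM AT CMOS layout (bytes 10h-2Dh covered by a big-endian checksum at 2Eh/2Fh, fixed-disk type nibbles at 12h with 0Fh meaning "see extended type byte at 19h/1Ah"), and the images themselves are constructed here, since reading real CMOS needs port 70h/71h access.

```python
CMOS_SIZE = 64
CHK_START, CHK_END = 0x10, 0x2E      # checksummed range is 10h..2Dh
CHK_HI, CHK_LO = 0x2E, 0x2F          # 16-bit checksum, high byte first
DISK_TYPE = 0x12                     # high nibble: drive C, low nibble: drive D
EXT_TYPE_C, EXT_TYPE_D = 0x19, 0x1A  # extended types when a nibble is 0Fh

def cmos_checksum(img):
    """Standard AT checksum: byte sum of 10h..2Dh, truncated to 16 bits."""
    return sum(img[CHK_START:CHK_END]) & 0xFFFF

def checksum_ok(img):
    """True if the stored checksum matches the checksummed range."""
    stored = (img[CHK_HI] << 8) | img[CHK_LO]
    return stored == cmos_checksum(img)

def fixed_disk_types(img):
    """Return (type_C, type_D); 0 means 'no drive installed'."""
    c, d = img[DISK_TYPE] >> 4, img[DISK_TYPE] & 0x0F
    if c == 0x0F:
        c = img[EXT_TYPE_C]
    if d == 0x0F:
        d = img[EXT_TYPE_D]
    return c, d

def diff_images(saved, current):
    """Offsets whose byte differs between the saved and current image."""
    return [i for i in range(CMOS_SIZE) if saved[i] != current[i]]

def make_image(disk_c=47, disk_d=0):
    """Constructed image with the given drive types and a valid checksum."""
    img = bytearray(CMOS_SIZE)
    hi = 0x0F if disk_c > 14 else disk_c
    lo = 0x0F if disk_d > 14 else disk_d
    img[DISK_TYPE] = (hi << 4) | lo
    if hi == 0x0F: img[EXT_TYPE_C] = disk_c
    if lo == 0x0F: img[EXT_TYPE_D] = disk_d
    chk = cmos_checksum(img)
    img[CHK_HI], img[CHK_LO] = chk >> 8, chk & 0xFF
    return bytes(img)

def scramble_disk_type(saved):
    """Constructed stand-in for the damage described: drive type cleared."""
    img = bytearray(saved)
    img[DISK_TYPE] = 0
    return bytes(img)

def assess(saved, current):
    """(checksum valid?, changed offsets, saved disk types, current disk types)."""
    return (checksum_ok(current), diff_images(saved, current),
            fixed_disk_types(saved), fixed_disk_types(current))
```

A restore is then just writing the saved bytes back, which is what the recovery-floppy procedure in Bill's post amounts to.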

martin@cs.UAlberta.CA (Tim Martin; FSO; Soil Sciences) (04/11/91)

Has anyone else seen the boot sector virus that is plaguing some of
the DOS computers at U of A?  It displays an eight line text about the
USA being the "evil empire" in the "impending war with Iraq".
Obviously it was written before Jan 15, 1991.  It wreaks havoc in the
partition table of hard disks, and doesn't know how to properly format
3.5" floppies.  McAfee's SCAN calls it "Stoned / Swedish", and the
F-DISINF program calls it "a new version of stoned", and doesn't offer
to remove it.  We are now trying to decide whether this is a local
virus, and also whether it has spread elsewhere.

Tim Martin
Soil Science,
University of Alberta
tmartin@vm.ucs.ualberta.ca

dougmc@ccwf.cc.utexas.edu (doug d'glaren) (05/29/91)

   I just finished cleaning up my hard disk after getting a virus from
a local BBS, and I've told them about it, and they've removed the
offending program, and everything is fixed, but some questions remain.
   I know some things about virii, mostly from what I've read in
various text files on the subject and anti-virus program's doc files,
so I was able to figure out what was going on and get rid of it, and I
had backups of most of the files that were damaged so I came out ok,
but I would like to know if anybody else has had problems with this
virus.
   First of all, SCAN77 does not recognize this virus.  So I am led to
believe that it is rather new.  If only SCAN77 did recognize it, it
would have saved me a lot of aggravation!  I now use a disk monitoring
program when checking new programs, but hindsight is always 20-20 ...
   Well, here's some characteristics of this virus:
   I got it from a program called DI.Exe, which is a small directory
making program.  When this program ran, it ran drives A and B (I
noticed this, but paid it no mind!  Once again, hindsight ...)  It
was, I later learned, looking for files to infect.
   What it did was copy a copy of the virus to every EXE file it could
find.  When these programs were run, they again tried to copy the
virus.  The virus apparently does NOT go TSR, but infected EXE files
seem to only have about 24k to run in, (An infected MEM.Exe file said
maximum executable file size was about 24k) so most of my EXE programs
wouldn't work after that, complaining about lack of memory.  DI.EXE
ran fine, of course.  These EXE files grew by about 3k, the exact
amount varying from file to file.  The virus did not seem to care if a
file was read only or not.  It also created hidden system files in
every subdirectory, named just A, B, C, D, E etc.  I don't know what
their purpose was, but as the infection progressed, I saw higher and
higher letters.  Perhaps a countdown of some sort?  I don't know.
   The virus did not appear to do anything else other than infecting
EXE files which propagated it.
   The virus contains this string which I used to search for it (it
doesn't appear to be self encrypting or anything funky like that ...)
  43 83 FB 0A 72 ED 2B DB EB E9 C3 2E FF 06 FD 00 2E FF 2E FF 00
In the scanning program that I made I looked for the text string of
  Alt-114, Alt-237, ... 043 219 235 233 195 046 (you get the idea ...)

   Does anybody know anything about this particular virus?  I would
like to know a little more about it.  Besides the sysop of the BBS
isn't convinced that it was a virus, and I'd like to know it's not
just me.

   dougmc@ccwf.cc.utexas.edu aka Doug McLaren
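The post above gives everything needed for a simple signature scanner: the 21-byte pattern found in infected EXE files, and the single-letter hidden files left in every subdirectory. The following is an added example, not Doug's own scanning program; the byte pattern is the one quoted in the post, while the file layout and sample tree are constructed here for illustration.

```python
import os
import tempfile

# 21-byte pattern quoted in the post, transcribed from its hex dump.
SIGNATURE = bytes.fromhex(
    "43 83 FB 0A 72 ED 2B DB EB E9 C3 2E FF 06 FD 00 2E FF 2E FF 00"
)

def file_has_signature(path, sig=SIGNATURE, chunk=1 << 16):
    """True if `sig` occurs in the file; keeps an overlap across chunks."""
    overlap = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return False
            window = overlap + block
            if sig in window:
                return True
            overlap = window[-(len(sig) - 1):]  # so a straddling match is found

def marker_files(directory):
    """Single-letter files A..Z, like the hidden ones the post describes.
    Portable check by name only; DOS attribute bits are not available here."""
    return sorted(n for n in os.listdir(directory)
                  if len(n) == 1 and "A" <= n <= "Z"
                  and os.path.isfile(os.path.join(directory, n)))

def scan_tree(root):
    """Return (infected EXE paths, {dir: marker names}), both relative to root."""
    infected, markers = [], {}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        found = marker_files(dirpath)
        if found:
            markers[rel] = found
        for name in files:
            if name.lower().endswith(".exe") and file_has_signature(
                    os.path.join(dirpath, name)):
                infected.append(os.path.normpath(os.path.join(rel, name)))
    return sorted(infected), markers

def build_sample_tree():
    """Constructed sample: one clean EXE, one 'infected' EXE, markers A-C."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    with open(os.path.join(root, "CLEAN.EXE"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 1000)
    with open(os.path.join(root, "DI.EXE"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 500 + SIGNATURE + b"\x00" * 300)
    for letter in "ABC":
        open(os.path.join(root, letter), "wb").close()
    return root
```

A plain byte-string match only works because, as the post notes, this sample does not encrypt itself; a self-encrypting infector would defeat it.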

PETI1010@DOSUNI1.BITNET (06/08/91)

Hello Netlanders,

we yesterday observed strange behaviour on one PC with 386 DX (in
Osnabrueck W-Germany). Chkdsk reported an "Allocation error, size
adjusted" on several Exe-Files. For example KRNL386.EXE and KERNEL.EXE
of Win 3.0 but not the KRNL286.EXE. Windows worked only in
Standard-Mode but in Real and 386 Enhanced the System crashed.
Scanning the HD after booting from Floppy (I hope a clean one :-))
with F-PROT 1.15a and SCAN v 77 revealed nothing.

Restoring the obviously damaged files we observed an increase of the
File-Length of 4280 bytes in case of the damaged (infected ?!) files.
Maybe any kind of Tequila shows his (ugly :-() face?

Any suggestions?

Regards, Frank Petersen

B.t.w.: I'll send a copy of an infected file together with the
uninfected version to Ken. Maybe he'll be so kind to pass it to the
masses of famous :-) and intelligent (and so on) virus researchers, so
they can have a close look at the nasty stuff. (Thanks Ken).

****************************************************************************
*      _________      _________     *                                      *
*     /  ______/     /  ___   /     * via EARN/BITNET:  PETI1010 @ DOSUNI1 *
*    /  /____       /  /__/  /      *                                      *
*   /  _____/      /  _____ /       * via FIDONET:  (2:245/20.9)           *
*  /  /           /  /              *                                      *
* /__/  rank     /__/  etersen      * Reserved for future expansion        *
*                                   *                                      *
****************************************************************************