krvw@CERT.SEI.CMU.EDU (The Moderator Kenneth R. van Wyk) (09/14/90)
VIRUS-L Digest Thursday, 13 Sep 1990 Volume 3 : Issue 156 Today's Topics: re: mysterious messages Re: Mysterious messages (PC) Re: Anti-virus viruses Mac non-virus (Mac) Viruses in Sound Effects (Mac) Re: 1701/help (PC) Re: Strange things are afoot on my Mac IIcx (Mac) Incorrect date in F-PROT 1.13 (PC) Re: EEPROM BIOS (PC) Hardware damage caused by virusses? 3 new viruses (PC) SE Problems (Mac) VShield 66 and Profesional Writer (PC) os/2-viruses ? (OS/2) IBM Christmas Chain Letter Warning Who should get what viruses? Conference announcement Leaving for the US VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 10 Sep 90 14:01:00 +0200 From: "Otto.Stolz" <RZOTTO@DKNKURZ1.BITNET> Subject: re: mysterious messages Finally I've seen Frisk's original poster (which I had missed before) and hence the whole message KONIEC PROGRAMU WABIKEXE.EXE meaning End of the WABIKEXE.EXE program >From the name of the program ended thus, it's clear that this message is Polish, as Slovac does normally not use the W. The name contains the Polish word WABIK which means BAIT -- a natural name not for a virus, but rather for a program offered to the virus to be infected. Hence I conjecture, the specimen consists of a simple bait program (written from a Polish person, and ending with the above character string) that has been infected by the virus in question. That's definitly my last word on this topic, I promise! Ihth Otto ------------------------------ Date: 10 Sep 90 16:19:35 +0000 From: dittrich@milton.u.washington.edu (Dave Dittrich) Subject: Re: Mysterious messages (PC) frisk@rhi.hi.is (Fridrik Skulason) writes: > >Call (209) 683-6858 ! Does this number exist, and if so, > to whom does it belong ? > >West Lake Software and Data Research, WA 0108077, New Orleans, (c) 1986 > > Does this company exist, and if so, > do they know anything about the > JOCKER.EXE program ? I know this is going to sound too simple, you can verify the authenticity of a phone number (at <= same cost as posting and article) by calling the number using a standard telephone. Also, the United States Postal Service will help you in finding out if an address is correct. All you have to do is put the address on the front of a postcard, along with $0.20, and if it comes back marked "No such address," you have your answer. (You can even ask that the person reading the letter tell you what they know about JOCKER.EXE.) :-), of course. - -- Dave Dittrich INTERNET: dittrich@u.washington.edu (206) 685-2438 UUCP: ...uw-beaver!u.washington.edu!dittrich Dept. of Chemistry, University of Washington ------------------------------ Date: Mon, 10 Sep 90 12:41:47 -0500 From: Joe Simpson <JS05STAF%MIAMIU.BITNET@OHSTVMA.IRCC.OHIO-STATE.EDU> Subject: Re: Anti-virus viruses I really don't care what the motivation of a virus writer is. If I could identify the writer of any virus introduced into my computer system without my permssion, I would attempt to see that person at least publicly identified, and if practical prosecuted. ------------------------------ Date: Mon, 10 Sep 90 16:47:00 -0400 From: "Mark Nutter, Apple Support" <MANUTTER@IUP.BITNET> Subject: Mac non-virus (Mac) I've seen a number of recent postings about strange Macintosh behavior, both in VIRUS-L and elsewhere. I have heard that there is a "quirk" in the 6.0.5 version of the Installer program that may be responsible for most of this MacWeirdness. Without getting overly technical, it seems that Installer leaves a value in the hard disk "boot blocks" that allocates too small a system heap. Result? The Mac operating system runs out of memory, writes over itself, often fails to detect the damage done, and proceeds to operate in "creative" mode. Test: From the (Multi)Finder, pull down the Apple menu, select About the Finder, and check the "thermometer" that shows System memory usage. If it is about 85% to 100% filled, you need more heap space. Solution: Use Symantec Tools, Fedit, or some similar program to edit the boot blocks on your startup disk. Ignore the value labelled "128K System heap"--- that's obsolete. Look at the other System Heap Size value and add one or two hundred K to it. I added 200K to my System heap size and it did wonders for my IIcx. STANDARD CAVEAT: Prior to monkeying with anything as technical as "boot blocks", always back up anything you wouldn't want to lose. (I know, I'm paranoid. That's what they pay me for.) - ------------------------------------------------------------------------------- - - Mark Nutter MANUTTER@IUP.BITNET Apple Support Coordinator "I speak for myself , Indiana University of Pennsylvania not for IUP." G-4 Stright Hall, IUP Indiana, PA 15705 "You can lead a horse to water, but you can't look in his mouth." - Archie B. =============================================================================== = ------------------------------ Date: Mon, 10 Sep 90 16:56:52 -0400 From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV> Subject: Viruses in Sound Effects (Mac) Um, I hate to dispute your point that *everything* should be checked, but soundfiles (be they "snd " resources or FSSD/SFX! files from SoundEdit) have no executable code and can't be infected by nVIR. Are you sure that, say, SoundPlay, wasn't on the disk as well? --- Joe M. ------------------------------ Date: 11 Sep 90 02:27:53 +0000 From: woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) Subject: Re: 1701/help (PC) In article <0005.9009101250.AA03627@buchholz@ese3.ogi.edu (Don Buchholz) writes : > On the bright side, we've had 2 XT-clones, with Seagate ST-225's that > had gone "sour" (for lack of a better term), that were revived (files > recovered and all!) by redoing the low-level format! I won't promis It has to be done with a utility package, like SPINRITE, or the equivalent to be able to retain the files. If you do it with the built-in formatter, i.e. debug g=c800:5 you will wipe all the files out. Repartioning the hard disk using FDISK (which is necessary in this case) also destroys any data. By using one of several reformatting utilities that do a lowlevel reformat in place, you should be o.k. HOWEVER, they all depend on the disk actualy being readable. Cheers Woody ------------------------------ Date: 11 Sep 90 16:26:57 +0000 From: rww@demon.siemens.com (Richard W West) Subject: Re: Strange things are afoot on my Mac IIcx (Mac) Daniel G. Edmunds wrote about some strange problems that looked like a possible virus: > >The first thing that happened was that Finder Sounds just stopped >working when I closed a window. Everything looked OK, but it just >wouldn't work. I ran Dis 2.1 and it said that Finder Sounds had a >corrupted data fork. So I removed it from the system folder and >continued on. > >Later that day, I tried to print out a Word file on my PaintJet and I >got a "The application 'Microsoft Word' has unexpectedlly quit (1)" I >tried again and got the same message. I tried again with the printer >set to draft mode only (the other attempts had been "Best" mode) and >it worked. Hmmm. Strangely, my problems began quite similarly. Finder Sounds, one day, decided to stop working. At the time, I did not know why, and I just thought that maybe it was due to the fact that it was a piece of shareware with some sort of time delay on it (you know, to make you pay for the use of the program). I did not bother worrying about it. Later that same week, I had installed Pyro! 4.0 on my system, and things went haywire. Applications, when run, would give me the "unexpectedly quit" error and so forth. If I restarted the system, things would run fine, (for a while) which I thought was odd. I realized that I could not have this continually happening on such a frequent basis, and considering I am the Macintosh nut in the building, I needed to discover what was going on. Well, I finally discovered that the problem was directly related to my system heap size. I had been using the installed system (6.0.4) with a bundle of INITs and the like, but I had never changed the system heap size from its original 128k. Once the system heap was enlarged enough to handle all of my INITs as well as QuickMail and Pyro!, everything has worked like a charm; no problems at all. Try increasing your system heap size, or just check the size of your heap, by using one of the many utilities out there. I used an application called "Inflator" by PCPC products (it was packaged with their network backup software) and it worked well. There are plenty of others out there, and I would suggest to try them. - -- - -Rich West Internet: rww@demon.siemens.com Siemens Corporate Research and Development Laboratories in Princeton, NJ Disclaimer: These opinions are mine. They may be yours; they may be the company's. Then again, maybe not. ------------------------------ Date: Tue, 11 Sep 90 09:17:46 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Incorrect date in F-PROT 1.13 (PC) Version 1.13 of F-PROT - the latest one currently available - contains a few files dated in 1991. This is because my computer had an incorrect date, and I sent version 1.13 out without noticing this. So, those of you with a copy of the package - don't worry about the incorrect dates - the programs have not been tampered with. - -frisk ------------------------------ Date: Tue, 11 Sep 90 18:23:32 -0500 From: <CC65SRAD%MIAMIU.BITNET@OHSTVMA.IRCC.OHIO-STATE.EDU> Subject: Re: EEPROM BIOS (PC) While I am sure more and more systems will be connected via phone lines, the telephone will always be too expensive a quirky to trust upgrading PC software to. As for the floppy upgrades, since all the upgrade disks would be produced by the manufacturer, quality control of viruses should be possible. Any problem would have to be an inside job. Also, I am sure that some security measures would be built in to the BIOS itself, since it would be possible for someone to load the wrong BIOS disk into a machine and erase the existing BIOS, replacing it with an incompatible BIOS. Also, AMI would hate for people to be switching to Phoenix via a floppy. These security measures, while probably not extremely complex, would make a viruses code so large that it could not be inconspicuous (in my opinion...I am NOT an expert by any stretch of the imagination) and would be caught quickly. It is an interesting idea...especially with machines like the Tandy (also makes Panasonic, DEC pc's, GRID) and others placing DOS and other usually attackable programs in EEPROMs. - -Chris ------------------------------ Date: 12 Sep 90 07:51:52 +0000 From: lexw@idca.tds.philips.nl (Lex Wassenberg) Subject: Hardware damage caused by virusses? Can anybody inform me whether there are virusses that can actually damage the hardware of a system? If so, what is the damage, and how is it done? Which virusses do so? Related question: I seem to remember that someone posted an article quite some time ago, which described the "12 tricks" Trojan Horse quite extensively. My memory keeps telling me that one of these tricks damaged the hard disk. The article also described the other 11 tricks. Unfortunately, I didn't save it at the time. So, if anybody has this article, can you mail it to me? (or maybe repost it, if the moderator allows it). Thanks everyone. - -- _ _ / U | Lex Wassenberg, Philips TDS, Apeldoorn, the Netherlands /__ < lexw@idca.tds.philips.nl 88 |_\ "Since nobody understands me, I speak only for myself." ------------------------------ Date: Wed, 12 Sep 90 10:09:43 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: 3 new viruses (PC) Some new viruses.... After version 1.13 of F-PROT was posted, I have received several new viruses from various sources. Violator This is an unusually long variant of the Vienna virus, over 1K. It is sufficiently similar to the standard Vienna virus to be detected as such, although F-PROT 1.13 refuses to remove it - saying it is a new variant. It is removed by 1.14 Whale (Mother Fish) This is one of the most interesting viruses I have seen - it is long, over 9K, which makes it by far the longest assembly langugage virus. It uses "stealth" methods - while the virus is active in memory, it cannot be detected in a simple manner. The virus uses at least two levels of encryption, rearranges code around and tries its best to confuse anti-virus programs. It has been reported that the virus may "turn itself inside out", changing the encryption method and so on. This would require the use of more than one signature string. Although I have not observed this behavior, I believe this is true, so the following line (which detects all infected files I have) is probably not sufficient to detect all possible forms of the virus, but at least it is better than nothing.. Whale c1Qny5tm8UN5j5ErLc2OjLMSN5dfEvlgmL2utUNKc4M-m-g7UqToYB Version 1.14 (which has not been distributed yet) can detect and remove the infected files I have been able to produce, and should be able to remove all the forms when it is finished. Phoenix I got a sample of the 1701-byte variant of Phoenix from Norway. The virus had been uploaded to a BBS there as an Bulgarian anti-virus program, called DOCTOR.EXE, version 1.7 by Valery Trifonov - 11344 bytes in length. This program IS A TROJAN - instead of scanning for viruses it will infect you with Phoenix. F-PROT is able to detect the virus if the following line is added to SIGN.TXT. Note that this string will not detect the virus in the EXE file, as it is encrypted there - only in infected COM files. Phoenix JJxNyMrMoa5Lj5nMj-7jjLOKjaV00VMSlRma5-m-mLKqMak7mLBlR34- Version 1.14 can remove the virus from infected files. - -frisk - -- Fridrik Skulason University of Iceland | Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 | ------------------------------ Date: Tue, 11 Sep 90 16:30:00 -0500 From: "SCHANG@ADMIN.RIPON.EDU" <SCHANG@ADMIN.ripon.edu> Subject: SE Problems (Mac) Recently a student brought to me a Mac SE which is corrupting disks which he uses with his internal hard drive. After about 3 uses with a floppy disk in the internal drive, the disk becomes unreadable. At first, I thought it was a hardware problem. I ran Disinfectant 2.1 on the hard disk to check for any viruses and it reported none. However, SUM-DiskClinic reported that the system folder contained a virus. The student at one time had had his hard disk infected by the nVIR virus, but he removed it with Disinfectant. He also told me that once when he tried to open a document in Word 4.0, the program would not load the entire file and gave a message which said that the program could not be loaded because Word was having "serious problems." I still think it might simply be a hardware problem, but the other circumstances make me think it is possible that there is virus present. If anyone can offer any suggestions, please let me know. Thanks, Jeff Schang Ripon College SCHANG@ADMIN.RIPON.EDU ------------------------------ Date: Wed, 12 Sep 90 13:45:00 -0500 From: TECH9Q@jetson.uh.edu Subject: VShield 66 and Profesional Writer (PC) Hello to everyone, This is my first time. I got this small problem. I have vshield 66 running in the swap mode. Well i tried to run the pfs (profesional writer) and it gives me weird characters on the screen. If I then do a vshield /remove and try to run the pfs program, it runs perfectly. Any ideas? Francisco Jovel TECH9Q@JETSON.UH.EDU p.s. Sorry if i misspelled something ------------------------------ Date: 12.09.90 16:41:46 From: "DATEV eG" <datevvt@infohh.rmi.de> Subject: os/2-viruses ? (OS/2) Hello everybody, does anybody know something about OS/2 viruses ? Will there be new possibilities to transport and/or hide viruses ? Has anybody already proved that there are new mechanisms possible, and if so: What can be done against them ? Did OS/2-Viruses already appear somewhere ? please answer to: G. Sternberg Software-Engineering Dept. Datev eG, Nuremberg, W-Germany E-Mail: datevvt@infohh.rmi.de ------------------------------ Date: Thu, 13 Sep 90 09:08:46 +0100 From: "David.J.Ferbrache" <davidf@cs.heriot-watt.ac.uk> Subject: IBM Christmas Chain Letter Warning A quick warning that an almost identical copy of the original Christmas Exec has been posted to the USENET news group Alt.hackers. The originating site path is as follows: rutgers->edu.utexas->edu.uwm->edu.uiuc->edu.ksu->edu.uiowa->ns-mx -> uunet For your information I enclose a copy of a warning note submitted at the time of the original chain letter incident: Christmas chain letter ====================== It's name was CHRISTMA EXEC . I forgot its file size, and have kept no log of it. It consisted of a single program in the REXX language, which has been available in the VM/SP operating system (for IBM mainframes) since Release 3. (The REXX language is also available under MS-DOS for IBM-PC, -XT, and -AT, and it is announced for the mainframe operating system MVS/TSO-E; but for reasons given below, I reckon the virus could reproduce itself only under VM/SP.) The source of CHRISTMA EXEC (with REXX, there isn't anything as an object code file) started with a lore of say-instructions, that apparently would display a sketch of a Christmas-tree together with some good wishes on the screen. This bunch of (in fact rather boring) statements filled one and a half screens; it was followed by a half-screen-sized comment, stating roughly "Reading source-code like this is boring, rather RECEIVE this program, and just enter CHRISTMA" (the latter CMS command would have started the program). When you actually started the thing (I didn't do it, but people told me), the program indeed displayed a Christmas-Tree and best wishes for the year to come. Then it read two files, CMS (part of VM/SP) maintains on behalf of every user. The first one is called <userid> NETLOG, and contains a log of network traffic the user has been involved in. Here is a sample entry of my personal RZOTTO NETLOG file ("disc" meaning "discarded", and "from" pointing to the sender's address): File CHRISTMA EXEC A1 disc from RZBERAT1 at DKNKURZ1 on 12/16/87 14:34:4 4 sent as CHRISTMA EXEC A1 The NETLOG file contains similar entries for notes and files having been sent by the respective user (me, in the example). The second one is called <userid> NAMES and contains sort of private directory of people you are in correspondence with. Here are four sample entries of my private RZOTTO NAMES file: :nick.VIRUS-L :userid.VIRUS-L :node.LEHIIBM1 :notebook.VIRUS-L :name.Virus Discussion List :nick.VIRUS :name. Owners of VIRUS-L :notebook. VIRUS-L :list. KenVWyk Eshleman :nick.KenVWyk :userid.LUKEN :node.LEHIIBM1 :name.Ken Van Wyk :nick.Eshleman :userid.LUJCE :node.LEHIIBM1 :name.Jim Eshleman CHRISMA EXEC extracted all network addresses from these two files, and sent a copy of itself to every of these addresses except the address, from where it came to the current user (thus avoiding the ping-pong effect). The poor victim's very next experience: he received replies from thousands of BITNET nodes, telling him where the hundreds of CHRISTMA copies went. At last, CHRISTMA EXEC destroyed its own source on the user's disk. As CHRISTMA EXEC relied on one of the two special CMS files, it probably could reproduce itself only in VM/SP systems (I don't know, how net- working is implemented under TSO or under MS-DOS). Furthermore, it depended on active help of the user being "infected" to reproduce itself: he had to enter two commands, RECEIVE and CHRISTMA. This active help was provoked by an appeal on peoples curiousity and playfulness. In spite of these two handicaps, CHRISTMA EXEC spread within two days, worldwide. The effect was enhanced, as some copies went to BITNET discussion lists, where they automatically were duplicated and distribu- ted as any sensible contribution will be. If I remember correctly (and if I can trust rumours), it originated (as a student's joke) somewhere in Germany, went through USA, and came back to our blessed country from the far east. It's severest effect was obstructing the whole network with thousands of copies of itself. The cure was very simple: every node had to run a quickly developped program that purged every file of name CHRISTMA EXEC from the node's spooling area, the only difficulty being the distribution of this "macrophage" program through the helplessly overloaded network. Even without this cure, CHRISTMA would probably be extinct by now, as any user seeing it for the second time would have discarded the file, remembering the traumatic experience of the first time, when he started that thing. Thus by now, BITNET is probably "immune" to this virus. The moral of the story: 1. read and understand programs you receive without having asked for, before you run them. 2. Think about the possible results before starting a practical joke. - ------------------------------------------------------------------------------ Dave Ferbrache Internet <davidf@cs.hw.ac.uk> Dept of computer science Janet <davidf@uk.ac.hw.cs> Heriot-Watt University UUCP ..!mcvax!hwcs!davidf 79 Grassmarket Telephone +44 31-225-6465 ext 538 Edinburgh, United Kingdom Facsimile +44 31-220-4277 EH1 2HJ - ------------------------------------------------------------------------------ ------------------------------ Date: Thu, 13 Sep 90 11:59:05 -0500 From: James Ford <JFORD@UA1VM.BITNET> Subject: Who should get what viruses? What should the policy be regarding sending (old) viruses to other people and sites? Say you received the following letter from someone: - ----------------------------------------------------------------------------- Date: Today From: Billy_Bob @ an.unknown.location.near.you Subject: I would like to get infected. ============================================================================= "We would like to receive a copy of the Ping-Pong virus for (insert_reason)." Thanks! Billy_Bob, Tractor-Trailer and Virus Research Center, Podunk USA - ----------------------------------------------------------------------------- Should (whoever) send an infected files to Billy_Bob? Should this be restricted to known virus-busters/virus-busting centers? Is there a list of qualified people/organizations available? (Should there be such a list?) I would really appreciate some input (either direct or via Virus-L) on this question. - ---------- Happiness is a warm puppy with an empty bladder. - ---------- James Ford - JFORD@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU THE University of Alabama (in Tuscaloosa, Alabama USA) ------------------------------ Date: Tue, 11 Sep 90 10:51:00 -0500 From: MIS Training <0002439796@mcimail.com> Subject: Conference announcement MIS Training Institute and ISPNews (Information Security Product News) would like to invite all interested parties to the Computer Security Exhibition at the 10th Annual Conference on Control, Audit, and Security of Information Systems. Over 60 computer security vendors will be displaying products and services at the: Sheraton Washington Hotel 2660 Woodley Rd. at Connecticut Ave. NW Washington, DC Monday Oct 1, 1990 3:00 - 7:30 Tuesday Oct 2, 1990 3:00 - 7:30 In addition to the exhibits, a vendor roundtable discussion will take place on Monday Oct. 1, 4:00 - 5:30. A reception including drinks and hors devoirs will also take place on both Monday and Tuesday in the exhibition hall. Those attending the NCSC/NIST Computer Security Conference are invited to walk over from the Omni Hotel following there sessions. Entrance to the exhibit hall, roundtable and reception is $25.00, however, those mentioning VIRUS-L will be admitted for $10.00. Questions: Call MIS Training Institute 508-879-7999, E-mail MCI 243-9796. ------------------------------ Date: Tue, 11 Sep 90 18:23:34 +0200 From: swimmer@rzsun3.informatik.uni-hamburg.de (Morton Swimmer) Subject: Leaving for the US I just wanted to let everybody know that I'll be off the net as of the end of the week. I'm off to the States to visit friends and to attend the NCSC conference. If any one wants to contact me in the states, they can at the following adress: Morton Swimmer c/o Erik Swimmer 340 E. 52 St. New York, NY 10022 Tel.: (212) 753 2239 I would be more than interrested in meeting some of the people here in the newsgroup in person, while I have the chance. Cheers, Morton Virus Test Center University of Hamburg (West?) Germany ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 156] ******************************************