[comp.virus] VIRUS-L Digest V2 #218

krvw@SEI.CMU.EDU (The Moderator Kenneth R. van Wyk) (10/23/89)

VIRUS-L Digest   Monday, 23 Oct 1989    Volume 2 : Issue 218

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

Comments on IBM Virus Scanner (PC)
Article pre-Datacrime
New anti-viral software (PC)
Yale / Alameda Virus (PC)
Vacsina virus + Den Zuk virus. (PC)
OHIO Virus (PC)
Virus infection report (PC)
Worms again.... (VAX/VMS)
Want suggestions on how to delete virus (PC)

---------------------------------------------------------------------------

Date:    Thu, 12 Oct 89 11:41:49 -0400
From:    Peter Jaspers-Fayer <SOFPJF%UOGUELPH.BITNET@VMA.CC.CMU.EDU>
Subject: Comments on IBM Virus Scanner (PC)

We got a copy of IBM's virus scanner.   It is much like McAfee's SCAN,
with these differences:

- It is out of date.  McAfee's product is disseminated via network (a
  fact which is looked upon with scorn - or at least with distrust -
  by many corporate people) so it is very current.  IBM's checks for 20+
  viruses which are mostly fairly old, vs 40+ for John's program, some
  of them only weeks old.  I feel this is an important point, as viruses
  CAN spread as fast as eMail.

- IBM's says it checks the "master boot" (partition) record.  Does
  McAfee's?  The documentation says so, but the 'running commentary'
  does not mention it.

- The 'characteristic code signatures' are in plain text, in separate,
  easily editable files.   This allows one to easily add new viruses
  with any DOS text editor.   So when you read (here for instance)
  that the new 'garble' virus can be located by scanning for '00486921FF'
  it is trivial to edit your copy of the table to add scanning for that
  type of virus.  You can also use the same program in a 'grep-like'
  way to scan for any arbitrary string on the disk. (eg 'Copyright')

  To my mind, this has its advantages and disadvantages.  I like the
  idea of publishing 'code signatures', and having people configure
  their own scanners.  Unfortunately, this also makes it easier for
  virus/modifiers to see how they are being caught (like bank robbers
  monitoring Police radio, I guess), and make small mods to make the
  virus 'undetectable' with that particular signature.

I certainly have nothing against John and all the work he's done for us,
but it seems to me IBM's way moves control into the hands of the people,
and is more 'open' (gee, come to think of it, that's pretty strange,
considering origin ;-) (N.B. 'smiley', IBM!)  Any other thoughts on the
pros and cons of having the search strings in plain human-editable
text?  Could someone CC this to John McAfee and post his reply?

 /PJ
How did a fool and his money ever get together in the first place? - Anon
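
As an added illustration (not code from the post, nor from IBM's or McAfee's products), here is a minimal scanner of the kind /PJ describes: it reads a plain-text signature table and reports hits by file offset, and the same routine serves the 'grep-like' use. The table layout, the 'sample-one' entry and the sample file bytes are constructed; only the '00486921FF' string comes from the post, where it is itself hypothetical.

```python
import re

# Constructed signature table in the plain-text, one-entry-per-line style the
# post describes (name, then hex bytes).  The 'garble' entry uses the hex
# string quoted in the post; 'sample-one' is a made-up placeholder.
SIGNATURE_TABLE = """\
# name            hex signature
garble            00486921FF
sample-one        DEADBEEF0102
"""

def parse_signatures(text):
    """Parse 'name hexstring' lines, skipping blank lines and # comments."""
    sigs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, hexsig = line.split()
        if len(hexsig) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexsig):
            raise ValueError(f"bad hex signature for {name}: {hexsig}")
        sigs[name] = bytes.fromhex(hexsig)
    return sigs

def scan_bytes(data, sigs):
    """Return {name: [offsets]} for every signature found in data.
    Exact byte matching only, which is the weakness the post points out."""
    hits = {}
    for name, pattern in sigs.items():
        offs = [m.start() for m in re.finditer(re.escape(pattern), data)]
        if offs:
            hits[name] = offs
    return hits

def grep_like(data, text):
    """The 'grep-like' use: scan for an arbitrary ASCII string instead."""
    return scan_bytes(data, {text: text.encode("ascii")}).get(text, [])

# Constructed sample "file": harmless filler with the garble bytes and a
# copyright string embedded, so both scan modes have something to find.
SAMPLE = (b"MZ" + b"\x90" * 40 + bytes.fromhex("00486921FF")
          + b" Copyright 1989 " + b"\x00" * 8)

if __name__ == "__main__":
    print(scan_bytes(SAMPLE, parse_signatures(SIGNATURE_TABLE)))
    print(grep_like(SAMPLE, "Copyright"))
```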

------------------------------

Date:    Thu, 12 Oct 89 12:17:31 -0400
From:    "Bruce Guthrie" <BGU%NIHCU.BITNET@VMA.CC.CMU.EDU>
Subject: Article pre-Datacrime

[Ed. Well, this is a bit late, but...]

        "'Friday the 13th' Virus Bugging Computer Users"
                       by Evelyn Richards
               Washington Post, pg E1, Oct 12 1989

     Just a hair after midnight tonight, or soon thereafter, as
unsuspecting computer users log on, malicious programs now lying
dormant inside IBM and IBM-compatible personal computers will be
unleashed to begin a reign of terror, scrambling the information
stored on the computers' hard disk.
     Or so some computer-security experts say.  Others believe
such fears are nothing more than a false alarm.  Whether the
virus turns out to be a real threat or not, one thing is
certain--the prospect of a destructive virus attack tomorrow has
sent thousands of computer users into a panic and turned up more
news reports of the virus than actual sightings of the virus
itself.
     An official at International Business Machines Corp., which
is pooh-poohing the prospects of widespread havoc, reported
yesterday that the firm is getting "more press calls than
customer calls."  And John McAfee, a computer security expert in
Santa Clara, Calif., has taken to calling this "a media virus."
McAfee, who spent yesterday dashing from one ringing phone to
another, is reassuring callers that "nothing is going to happen.
The virus is a phantom."
     But PC czars aren't taking any chances.  The wheels of
Washington have been busy grinding out warnings that the rogue
computer program, best known as the "Friday the 13th" virus,
could wrest control of a PC and effectively destroy months of
information carefully stored within it.  The General Services
Administration and the Department of Veterans Affairs, for
example, have distributed internal memos admonishing users to
take certain precautionary steps, among them:  backing up their
data so that anything destroyed can be replaced, avoiding
software programs obtained from friends or from public
computerized "bulletin boards", and storing diskettes behind lock
and key when they're not in use.
     Companies are taking similar precautions.
     In McLean [Virginia], Planning Research Corp. refrained from
issuing a special advisory but instead put out the word at
departmental meetings.  "We thought it would be remiss not to
warn people, but we also didn't want them to go overboard," said
Jude Franklin, general manager of the technology division.
     Dennis Steinauer heads the computer security forces at the
National Institute of Standards and Technology (nee the National
Bureau of Standards), which issued an early advisory about the
virus and is partly responsible for coordinating computer
security throughout the federal government.  Is Steinauer
worried?
     "I'm leaving on Friday the 13th, and I haven't changed my
plans," said Steinauer, who plans to attend a conference in
Brussels.
     Steinauer isn't the only computer security expert who will
be out of touch tomorrow.  Some 2,300 such experts are gathered
in Baltimore this week for their annual meeting.

------------------------------

Date:    Thu, 12 Oct 89 12:50:24 -0500
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: New anti-viral software (PC)

More anti-viral software.  Datacure was sent to me from the
Netherlands with the author's permission, the other three came
from HomeBase.  A note on the DataCrime virus.  By the time
most of you read this, Friday, October 13 1989 will have passed.
Unfortunately this doesn't mean that the DataCrime worry is
over.  Please keep in mind that all the information I have
indicates this virus is uncommon in all places except press
reports.  Nonetheless, better safe than sorry.  Remember,
DataCrime is set to go off ANY DAY between Columbus day and
New Year's, not inclusive.  So any latent infection could show
up with unpleasant consequences.  Now, on with the show...

datacure.arc
	One program that will identify files infected with
	DataCrime and optionally cure them.  A second memory
	resident program that will block the destructive
	effects of DataCrime and warn you.  Only works on
	DataCrime II virus.  Shareware.  No version #.
	[ I was unable to get datacure.com to perform	]
	[ properly.  I'm trying to find out why, and	]
	[ will post any updates.  It isn't destructive,	]
	[ just ineffective. -- jrw			]
dc89scan.arc
	A program to identify the DataCrime virus.  This
	package was released largely as a bit of public
	relations for the company involved, but is useful
	despite this.  Only works on the two strains of
	DataCrime I (1168 and 1280).  Freely redistributable.
	No version #.
scanrs42.arc
	Resident program which checks each program for viruses
	before it is allowed to execute.  Update to previous
	version.  Shareware.  Version 0.9v42.
scanv42.arc
	Program to scan a disk, directory or file for viruses.
	Will work with SHEZ to scan archives also.  Update to
	previous version.  Shareware.  Version 0.7v42.

DATACURE.ARC    Detect and disable the DataCrime II virus
DC89SCAN.ARC    Detect the two strains of DataCrime I virus
SCANRS42.ARC    Resident program to scan for many viruses
SCANV42.ARC     Program to scan files for many viruses

Jim

------------------------------

Date:    13 Oct 89 20:18:15 +0000
From:    news@acsu.buffalo.edu
Subject: Yale / Alameda Virus (PC)

Has anyone heard of the Yale/Alameda virus, and know what it does?
A friend here at school found 3 of his floppies (he's lucky he
doesn't have a hard drive) infected with this by using Viruscan.
Apparently it had only infected the hidden boot files so by
using the SYS command he feels as if he is rid of it.  The real
question though is if this is a safe assumption, and how does it
duplicate itself (i.e., could it possibly be hidden in other files).

Doug McKee
@relay.cs.net:mckee@canisius.edu

[Ed. Here's what I have (from Joe Hirst's list, which should be
available from the documentation archive site(s)):

                15.      Yale - AKA Alameda, Merritt
                           Boot virus - floppy only

Type description:
        This virus consists of a boot sector only.  It infects floppies in the
        A-drive only and it occupies 1K of memory.  The original boot sector is
        held in track thirty-nine, head zero, sector eight.  It hooks into INT
        9, and only infects when Ctrl-Alt-Del is pressed.  It will not run on
        an 80286 or an 80386 machine, although it will infect on such a
        machine.  It has been assembled using A86.  It contains code to format
        track thirty-nine, head zero, but this has been disabled.
]
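
An added example, not part of the digest or of Hirst's list: a check of a raw floppy image for the layout the description above gives, with recovery of the parked boot sector as an alternative to SYS. It assumes a 360K geometry (40 cylinders, 2 heads, 9 sectors per track, 512-byte sectors) and BIOS-style 1-based sector numbers, and it constructs its own images; the "infected" image only moves sectors around and contains no virus code.

```python
# Assumed geometry: 360K 5.25" floppy (40 cyl, 2 heads, 9 sectors/track).
SECTOR = 512
HEADS, SPT = 2, 9
BOOT_SIG = b"\x55\xAA"

def chs_offset(cyl, head, sec):
    """Byte offset of a CHS address (1-based sector) in a raw image."""
    return ((cyl * HEADS + head) * SPT + (sec - 1)) * SECTOR

# Where the description says the original boot sector is held.
STASH = chs_offset(39, 0, 8)

def looks_like_boot_sector(sector):
    """Cheap sanity check: 512 bytes ending in the 55AA boot signature."""
    return len(sector) == SECTOR and sector[-2:] == BOOT_SIG

def check_image(img):
    """Return (suspicious, stashed_copy).  Suspicious means the stash slot
    holds something boot-sector-like that differs from sector 0, which is
    what a floppy infected as described would look like."""
    boot = img[0:SECTOR]
    stash = img[STASH:STASH + SECTOR]
    suspicious = looks_like_boot_sector(stash) and stash != boot
    return suspicious, stash

def restore_original(img):
    """Put the parked original back into sector 0; returns a new image."""
    suspicious, stash = check_image(img)
    if not suspicious:
        return img
    return stash + img[SECTOR:]

def make_clean_image():
    """Constructed 360K image with a plausible (dummy) DOS boot sector."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"          # typical JMP short + NOP
    boot[3:11] = b"IBM  3.3"             # OEM name, made up
    boot[-2:] = BOOT_SIG
    img = bytearray(40 * HEADS * SPT * SECTOR)
    img[0:SECTOR] = boot
    return bytes(img)

def make_infected_image():
    """Constructed image laid out as described: original boot sector moved to
    CHS(39,0,8), sector 0 replaced by a different filler sector (no virus)."""
    clean = make_clean_image()
    img = bytearray(clean)
    img[STASH:STASH + SECTOR] = clean[0:SECTOR]
    img[0:SECTOR] = b"\xEB\x00\x90" + b"\x00" * (SECTOR - 5) + BOOT_SIG
    return bytes(img)
```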

------------------------------

Date:    15 Oct 89 07:50:12 +0000
From:    munnari!minyos.xx.rmit.oz.au!s864292@uunet.UU.NET (F.S. Seow)
Subject: Vacsina virus + Den Zuk virus. (PC)

The IBM computer of a friend of mine, has just been attacked by
Vacsina and Den Zuk simultaneously.

Would anyone know where in Metropolitan Victoria my friend can
get the antidotes (affordable commercial, shareware or public
domain) for these viruses?

Even better, is there such a thing as an all-purpose multi-virus
antidote?

F.S.

------------------------------

Date:    Mon, 16 Oct 89 11:33:00 -0400
From:    <rwmira01%ULKYVX.BITNET@jade.Berkeley.EDU> (Rob Miracle)
Subject: OHIO Virus (PC)

Does anyone have any information on the Ohio virus? What does it do? How is
it triggered etc?

Any information would be helpful.
Thanks in advance
Rob Miracle
--
Rob Miracle              | Bitnet   : RWMIRA01@ULKYVX    CIS: 74216,3134
Programmer/Analyst-II    | INTERNET : rwmira01%ulkyvx.bitnet@cunyvm.cuny.edu
University of Louisville | UUCP     : ...psuvax1!ulkyvx.bitnet!rwmira01

"Greed Kills"  -- Anton Devious

------------------------------

Date:    Mon, 16 Oct 89 11:49:28 -0500
From:    Bill Hobson <X043BH%TAMVM1.BITNET@VMA.CC.CMU.EDU>
Subject: Virus infection report (PC)

     We had one lab hit at Texas A&M University in our Architecture
department.  Unfortunately, I found out about it AFTER they low level formatted
all of their hard disks.  There are probably many student disks out there
with the infections still present, but unfortunately I can't get my hands
on them to find out what they had.  It happened on THE DAY (Friday 13th),
but there are two viruses that blow up on that day.  I have personally
eradicated the Jerusalem virus from two departments on campus, so I
suspect that is it.  More later as I find out more!

------------------------------

Date:    Mon, 16 Oct 89 15:59:21 -0500
From:    Gene Spafford <spaf@CS.PURDUE.EDU>
Subject: Worms again.... (VAX/VMS)

If you have not yet heard, another network worm incident is in
progress.

The following bits of information have been collected from multiple
sources.  I am mailing this so that people don't tie up the phone
lines only to get the same information.  The folks at SPAN & CERT
will issue a report when more details are known.

Please refer members of the press and other callers to the SPAN NIC @
(301) 286-7251.  DO NOT have them call the CERT -- the folks there are
busy enough as is right now, and they won't respond to questions
without a need-to-know.  The folks at DEC probably won't respond
either -- if you can find anyone who knows what is happening in this
incident.  The folks at NASA will issue formal reports when appropriate.

The story so far:

Around 4:30 this morning, a worm program was found on machines in the
SPAN network.  The worm is apparently similar to the worm that hit
SPAN in December (on Christmas eve) in that it is spreading on Decnet
and affecting VMS systems.  According to a few of the people I talked
with, it is not clear what the program is doing other than printing a
message labelling the program as "Worms Against Nuclear Killers" and
spreading to other machines.  There are NO CONFIRMED reports at this
time that the worm is doing damage to machines or data.  If the worm
is still spreading, it is spreading VERY slowly -- only about a half
dozen machines have been detected as infected (so far).

All of the appropriate authorities have been notified.  CERT, DEC,
NASA, & various Federal agencies are involved.  The problem is being
examined by experts in the area, and as soon as the situation is
clarified, a public report will be issued.

In the meantime, we can all help with the situation:
  * DON'T PANIC -- it is limited in scope and machine type.
    Unless you have a Decnet link to SPAN, your machine is in no
    danger.
  * Copies of the code are under analysis by experts, so fixes
    are undoubtedly on the way.  If you run Decnet and installed
    the fixes last December, you are *probably* immune already.
  * Don't call the CERT, DEC or SPAN about this -- they'll be sure
    to release details when they are certain enough about them to be
    sure that they won't cause problems.
  * Refer any members of the press to the SPAN number.  PLEASE be
    careful what you say to members of the press -- remember that
    the press doesn't understand the difference between DECnet, the
    Internet, VMS, Unix, etc, and we don't need another media scare
    about network invasions.

--spaf

------------------------------

Date:    Mon, 16 Oct 89 20:29:26 -0400
From:    Elizabeth Caruso <LIZBB%CUNYVM.BITNET@VMA.CC.CMU.EDU>
Subject: Want suggestions on how to delete virus (PC)

Today, our Novell LAN reported a hardware error when users tried to
access programs stored on our File Server.  At first we did not know
it was a virus because the same programs would run for one user and
not run for another.  I had a feeling it might be a virus when I
performed a Novell Netware command "NCOPY" and the screen messages
were overwritten by characters that did not make sense.  We decided
to run "VIRSCAN" to check for viruses.  39 files were infected with
the JERUSALEM virus including the "NCOPY" file.

HAS ANYONE ENCOUNTERED THE JERUSALEM VIRUS ON THEIR LOCAL AREA
NETWORKS?

We would like to delete the infected files and replace them with clean
copies but we don't know if this will be a correct action to take.
Will recopying be enough or do we have to format our File Server?  IF
ANYONE HAS DELETED JERUSALEM FROM THEIR SYSTEM, (LAN OR PC SYSTEM) WE
WOULD LOVE SOME ADVICE!!!!  HOW DOES THIS VIRUS INFECT A SYSTEM AND
SPREAD?

------------------------------

End of VIRUS-L Digest
*********************