[comp.virus] VIRUS-L Digest V2 #217

krvw@SEI.CMU.EDU (The Moderator Kenneth R. van Wyk) (10/23/89)

VIRUS-L Digest   Monday, 23 Oct 1989    Volume 2 : Issue 217

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

Datacrime II (PC)
Data on viruses in Brunnstein format?
Re: Virus protection (PC)
Operating System virus protection (DOS & UNIX)
0 bytes in 1 hidden file, virus? (PC)
RE: IBM-PC virus scanning program from IBM
Re: New Mac Virus Not In 'Moria' But in SuperClock (Mac)
Re: New Mac Virus Not In 'Moria' But in SuperClock (Mac)
Virus list popularity
Re: The not-so-new virus (Mac)

---------------------------------------------------------------------------

Date:    Mon, 09 Oct 89 20:45:50 +0000
From:    Alan Solomon <drsolly@ibmpcug.co.uk>
Subject: Datacrime II (PC)

In his article dated 5-10-89, Yisrael Radai says that he has
discovered that Datacrime II does the low level format on every day
between Jan 1 and Oct 12 except Sundays.

I have a specimen of what I believe is Datacrime II.  My analysis of
it is different - it does the low level format on every day between
October 13th and December 31st inclusive, except *Mondays*.  Perhaps my
specimen is different to the one that Yisrael is reporting?  It
certainly announces itself as "DATACRIME II", and matches the rest of
his description in file size and avoidance of files whose second
letter is "B" and infection of both COM and EXE files.  Another
possible explanation is that the date comparison has not been
disassembled correctly by whoever did the disassembly, so could I ask
that Yisrael check his specimen;  if he is correct, then we have two
Datacrime IIs.

While on the subject of Datacrime in general, although the virus
certainly exists, there has not been a single reported infection in
the field in the UK, and I rather think very few indeed elsewhere.  On
the other hand, there seems to be a considerable tidal wave of media
scare building up in the run up to October 13th.  My advice to anyone
who might be concerned is:  work normally, take normal backups
regularly using Dos BACKUP or any other back up utility.

One thing that will happen is this:  there are, say, 10 million PCs in
the world.  If the average computer lasts 10 years, 3650 days, then on
average about 3000 computers go down per day;  I've been deliberately
conservative about these figures.  There is no reason to suppose that
October 13th will see significantly fewer of these normal failures.
Please remember that computers fail all the time, for assorted
non-virus reasons.

Myself, and a number of other researchers, have noticed that there
seem to be a number of viruses emerging that do not seem to exist in
significant numbers (or indeed, perhaps at all) in the field.  Could
it be that virus authors are writing viruses and sending them directly
to the virus research community, so cutting out the middle man?  Or is
it that we are more alert now, and trap viruses before they get very
far?

Dr Alan Solomon                Day voice:     +44 494 791900
S&S Anti Virus Group           Eve voice:     +44 494 724201
Water Meadow                   Fax:           +44 494 791602
Germain Street,                BBS:           +44 494 724946
Chesham,                       Fido node:     254/29
Bucks, HP5 1LP                 Usenet:        drsolly@ibmpcug.co.uk
England                        Gold:          83:JNL246
                               CIX, CONNECT   drsolly

------------------------------

Date:    09 Oct 89 22:24:03 +0000
From:    mpl@csd4.csd.uwm.edu (Mary Patricia Lowe)
Subject: Data on viruses in Brunnstein format?

I recently came across Fridrik Skulason's message to this
news group from 10 July 89 detailing the Icelandic Virus
in "Brunnstein Format". I was wondering if the 40 some
other known viruses and their mutants are similarly
cataloged and if this data is retrievable.

Thanks,

Patti Lowe
..................................................................
mary patricia lowe			computing services division
mpl@csd4.csd.uwm.edu		university of wisconsin - milwaukee
...................................................................

------------------------------

Date:    09 Oct 89 23:24:28 +0000
From:    steve@ucsd.Edu (Steve Misrack)
Subject: Re: Virus protection (PC)

I was wondering if somebody could tell me where I can find program
to detect machines infected with viruses.  I would appreciate
knowing where and how to get these programs.

Thanks in advance,
	Steve

smisrack@ucsd.edu

[Ed. Start by taking a look at VIRUSCAN, available via anonymous FTP
from the comp.virus archive sites (including ms.uky.edu).]

------------------------------

Date:    10 Oct 89 00:21:35 +0000
From:    jlg%lambda@LANL.GOV (Jim Giles),
	 jlg@lanl.gov (Jim Giles)
Subject: Operating System virus protection (DOS & UNIX) Re: UNIX virus proof?! (UNIX)

ficc!peter@uunet.uu.net writes:
>I wouldn't say UNIX is virus-proof (I posted a hoax article about a
>UNIX virus over a year ago, just before the Internet Worm incident),
>but it's sure a hell of a lot more virus-resistant than DOS.

How do you know?  The only machines DOS runs on are PCs and compatibles.
UNIX implemented on these machines would be just as vulnerable as DOS.
The most obvious weaknesses of DOS are unimportant compared to the fact
that the hardware itself has no protection mechanisms.

------------------------------

Date:    10 Oct 89 00:45:59 +0000
From:    tasos@bu-cs.BU.EDU (Anastasios Kotsikonas)
Subject: 0 bytes in 1 hidden file, virus? (PC)

   When I run CHKDSK it reports "0 bytes in 1 hidden files" and I
am wondering if I have a virus. I have been unable to see a hidden file
with 0 bytes with PCTOOLS or Norton Commander. I would appreciate any
comments on how I could list all of the hidden files, or how
CHKDSK finds hidden files (i.e. is it looking for the second bit set?)

Thanks,
Tasos

Internet: tasos@cs.bu.edu
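The attribute check the question asks about, as an added illustration (this is not code from the digest and not CHKDSK's own logic): in a FAT directory entry the attribute byte at offset 11 has bit 1 (value 0x02) set for hidden files, so a zero-length hidden file is counted as "0 bytes in 1 hidden files" even though a normal directory listing skips it. The directory sector below is constructed sample data; the summary function is a stand-alone reimplementation of the count.

```python
import struct

# FAT directory-entry attribute bits (standard DOS values).
ATTR_READ_ONLY = 0x01
ATTR_HIDDEN    = 0x02   # bit 1, the "second bit" asked about in the post
ATTR_SYSTEM    = 0x04
ATTR_VOLUME    = 0x08
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE   = 0x20

# name(8) ext(3) attr(1) reserved(10) time(2) date(2) first cluster(2) size(4) = 32 bytes
ENTRY_FORMAT = "<8s3sB10sHHHI"

def make_entry(name, ext, attr, size, first_byte=None):
    """Build one 32-byte directory entry (constructed sample, not a real disk)."""
    raw = struct.pack(ENTRY_FORMAT, name.ljust(8).encode("ascii"),
                      ext.ljust(3).encode("ascii"), attr, b"\0" * 10, 0, 0, 2, size)
    if first_byte is not None:            # 0xE5 in the first byte marks a deleted entry
        raw = bytes([first_byte]) + raw[1:]
    return raw

def attribute_names(attr):
    """Render the attribute byte as letters, e.g. 0x07 -> 'RHS'."""
    flags = ((ATTR_READ_ONLY, "R"), (ATTR_HIDDEN, "H"), (ATTR_SYSTEM, "S"),
             (ATTR_VOLUME, "V"), (ATTR_DIRECTORY, "D"), (ATTR_ARCHIVE, "A"))
    return "".join(label for bit, label in flags if attr & bit)

def parse_directory(raw):
    """Walk a directory sector and return (name, attr, size) for every live entry."""
    entries = []
    for off in range(0, len(raw) - len(raw) % 32, 32):
        name, ext, attr, _res, _time, _date, _cluster, size = struct.unpack(
            ENTRY_FORMAT, raw[off:off + 32])
        if name[0] == 0x00:
            break                         # 0x00: no further entries in this directory
        if name[0] == 0xE5:
            continue                      # 0xE5: deleted entry, slot is free
        base = name.decode("ascii").rstrip()
        extension = ext.decode("ascii").rstrip()
        entries.append((f"{base}.{extension}" if extension else base, attr, size))
    return entries

def hidden_files(entries):
    """Files (not directories, not the volume label) whose hidden bit is set."""
    return [(n, s) for n, a, s in entries
            if a & ATTR_HIDDEN and not a & (ATTR_DIRECTORY | ATTR_VOLUME)]

def hidden_summary(raw):
    """Return (total bytes, count) for hidden files, the two figures CHKDSK prints."""
    found = hidden_files(parse_directory(raw))
    return sum(s for _, s in found), len(found)

# Constructed root directory: volume label, two ordinary files, a deleted entry,
# one zero-length hidden file and the end-of-directory terminator.
SAMPLE_DIR = b"".join([
    make_entry("MYDISK", "", ATTR_VOLUME, 0),
    make_entry("COMMAND", "COM", ATTR_ARCHIVE, 25307),
    make_entry("REPORT", "TXT", ATTR_ARCHIVE, 1200),
    make_entry("OLDFILE", "TMP", ATTR_ARCHIVE, 500, first_byte=0xE5),
    make_entry("MARKER", "DAT", ATTR_HIDDEN, 0),
    bytes(32),
])

if __name__ == "__main__":
    for name, attr, size in parse_directory(SAMPLE_DIR):
        print(f"{name:12s} {attribute_names(attr):4s} {size:8d}")
    total, count = hidden_summary(SAMPLE_DIR)
    print(f"{total} bytes in {count} hidden files")
```

Listing the entries with their attribute letters is the quickest way to see whether a "hidden" count comes from something expected (an empty marker file, the system files) or from an entry nobody put there; the attribute bit alone says nothing about whether the file is malicious.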

------------------------------

Date:    Mon, 09 Oct 89 18:30:06 -0400
From:    Thomas Lapp <thomas@mvac23.uucp>
Subject: RE: IBM-PC virus scanning program from IBM

Regarding a recent message sent which reproduced an IBM internal memo
about their VIRSCAN program:

>                                                  September 29, 1989
>
>  The program tests executable files on disks for signature strings that
>  are found in some common DOS computer viruses.  For each drive specified
>  it will also test the drive for boot sector viruses.
>
>  VIRSCAN.EXE is the executable program.  It will run under DOS 2.0, 2.1,
>  3.1, 3.2, 3.3, 4.0 and OS/2* 1.0, 1.1, and 1.2.  It will not support
>  OS/2 1.2 with high performance file system names.

I used this program on some PC's at work last week.  The program
VIRSCAN is the executable, however it uses two other files to obtain
the search strings and the message to be sent to the user if the
search string is found.  The search files are in ASCII and can be
modified to include more virus strings as necessary.  Obviously, the
greater the search string, the less likely there will be a false
positive.  Since it reports the number of files searched and number of
disks checked, I suspect that this program would not be able to find
those viruses which reside on sectors which are then marked bad.
                         - tom
- --
internet     : mvac23!thomas@udel.edu  or  thomas%mvac23@udel.edu
uucp         : {ucbvax,mcvax,psuvax1,uunet}!udel!mvac23!thomas
Europe Bitnet: THOMAS1@GRATHUN1
Location: Newark, DE, USA
Quote   : Virtual Address eXtension.  Is that like a 9-digit zip code?
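A minimal string-signature scanner of the kind the memo describes, added here as an illustration (it is not VIRSCAN and not code from this post): signatures are read from an ASCII list, each file's contents is searched for every pattern, and the report counts the files scanned. The signature file format and both patterns are constructed for the example and are not real virus strings. The deliberately short one-byte entry shows why a longer search string gives fewer false positives, and the file-level design shows the limitation Tom raises: a scanner that only reads files never looks at sectors marked bad in the FAT.

```python
import random

# Constructed signature list in a simple "name  hex-bytes" text format.
# The format and the byte patterns are made up for this example; they are not
# VIRSCAN's signature files and match no real virus.
SIGNATURE_TEXT = """\
# name        hex bytes (spaces allowed, '#' starts a comment)
demo-1byte    DE
demo-8byte    DE AD BE EF 13 37 C0 DE
"""

def parse_signatures(text):
    """Parse the ASCII signature list into (name, pattern bytes) pairs."""
    sigs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, hexpart = line.split(None, 1)
        sigs.append((name, bytes.fromhex(hexpart)))
    return sigs

def scan_buffer(data, sigs):
    """Return (name, offset) for every occurrence of every signature in data."""
    hits = []
    for name, pattern in sigs:
        pos = data.find(pattern)
        while pos >= 0:
            hits.append((name, pos))
            pos = data.find(pattern, pos + 1)
    return hits

def scan_files(files, sigs):
    """files: mapping name -> bytes, standing in for executables read from disk.
    Only file contents are examined: bytes sitting in clusters marked bad in
    the FAT belong to no file and are never seen by a file-level scan."""
    report = {"files_scanned": 0, "hits": {}}
    for fname, data in files.items():
        report["files_scanned"] += 1
        hits = scan_buffer(data, sigs)
        if hits:
            report["hits"][fname] = hits
    return report

def expected_chance_matches(sig_len, data_len):
    """Expected number of accidental matches of a sig_len-byte pattern in
    data_len bytes of uniformly random data: 1 in 256**sig_len per position."""
    return (data_len - sig_len + 1) / 256 ** sig_len

def demo():
    sigs = parse_signatures(SIGNATURE_TEXT)
    rng = random.Random(1989)
    # Constructed "clean" executable: 64 KiB of seeded pseudo-random bytes.
    clean = bytes(rng.getrandbits(8) for _ in range(65536))
    # Constructed "marked" file: the 8-byte pattern spliced in at offset 1000.
    marked = clean[:1000] + bytes.fromhex("DEADBEEF1337C0DE") + clean[1000:]
    return scan_files({"CLEAN.EXE": clean, "MARKED.COM": marked}, sigs)

if __name__ == "__main__":
    report = demo()
    print(f"{report['files_scanned']} files scanned")
    for fname, hits in report["hits"].items():
        names = sorted({n for n, _ in hits})
        print(f"{fname}: {len(hits)} hit(s) -> {', '.join(names)}")
    for n in (1, 2, 4, 8):
        print(f"{n}-byte signature: about {expected_chance_matches(n, 65536):.2e} "
              f"chance matches in a 64 KiB file")
```

Running it, the one-byte "signature" fires a few hundred times in the clean file while the eight-byte one fires exactly once, at the spliced-in offset; the last loop puts a number on why an editable signature list should only ever be extended with reasonably long strings.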

------------------------------

Date:    10 Oct 89 15:51:33 +0000
From:    ut-emx!chrisj@cs.utexas.edu (Chris Johnson)
Subject: Re: New Mac Virus Not In 'Moria' But in SuperClock3.5!

In article <0009.8910062006.AA22699@ge.sei.cmu.edu> d9bertil@dtek.chalmers.se (Bertil Jonell) writes:
>Today when I had time to check the various downloads that had been occurring
>during the last few days I found that the resource STR ID 801 appeared
>in the document Clock Doc (a word document). I double checked this by

Actually, the file *type* is 'WORD', but it's not a Microsoft Word
document.  The 'WORD' document type is specific to MacWrite files.
Actual MS Word documents have a type of 'WDBN' and a creator of
'MSWD'.  The creator for MacWrite files is 'MACA' (short for
MacAuthor).

>extracting it from the .sit archive again and examining it directly
>(On Cue from StuffIt to ResEdit). Since Stuffit and Resedit seems to be
>clean from this and other known viruses I can only assume that the virus
>was there when Clock Doc was packaged!

Incorrect assumption.  First it must be established that there *is* a virus.

>What I'm wondering now is: Is it confirmed that the STR ID 801 really *is*
>a sign of a virus? Is there any chance that it is a legitimate resource?

STR 801 *is* a legitimate resource in (at least) MacWrite versions 4.5
& 4.6.  It's also likely to be valid in files created by versions as
early as 3.0, and as late as 5.x.

To quote from an old copy of Tech. Note #12 (February 20, 1986), "Disk Based
MacWrite Format":

"FONT MAPPING - In the document's resources is a resource of type STR with
	the ID #801.  It contains a mapping of fonts to font resource IDs
	and information on real fonts.  This resource begins with a word...."

>(I've tested making new MacWrite documents with a locked copy, They have
> resources this 'International Resource' and a STR resource ID 701,

I think you mean STR 700 -- I don't know of any MacWrite format that
uses a STR with an ID of 701.  If you're curious, STR 700 contains the
fifteen most commonly used letters in whatever language MacWrite
happens to be set up for.  It's used as an encryption/decryption key
for MacWrite's nibble-wise text compression scheme.

>None of them have had a STR ID 801) Clock Doc comes with the
>SuperClock! 3.5 INIT Recently posted to the comp.binaries.mac
>newsgroup.  I'm sorry for causing consternation by proclaiming Moria as
>a possible source, (Frankly, That .sit archive had been deleted so I
>couldn't check it, But since the known infected machines both had
>Superclock 3.5 installed within the last few days, Moria has dropped
>off the list of prime suspects)
>- -bertil-
>
>Bertil K K Jonell @ Chalmers University of Technology, Gothenburg

In conclusion, STR 801 is nothing to worry about, (1) because it's
supposed to be there, and (2) because, *in and of itself*, it couldn't
transmit a virus since no known program, and certainly no portion of
the Mac Toolbox or OS, is going to try to load a STR resource into
memory and execute it.

All in all, from the evidence listed above, there's no reason to
believe there's *any* form of virus present.

Cheers,
- ----Chris (Johnson)
- ----Author of GateKeeper

------------------------------

Date:    10 Oct 89 21:12:25 +0000
From:    isle@eleazar.dartmouth.edu (Ken Hancock)
Subject: Re: New Mac Virus Not In 'Moria' But in SuperClock3.5!

In article <0009.8910062006.AA22699@ge.sei.cmu.edu> d9bertil@dtek.chalmers.se (Bertil Jonell) writes:
[Garbage about finding a STR 801 resource in SuperClock 3.5 documentation]

Since when does a STRING RESOURCE become a virus?

Get real, folks.

Ken

Ken Hancock  '90                     | E-mail: (BITNET/UUCP/INTERNET)
Computer Resource Center Consultant  |    isle@eleazar.dartmouth.edu
- -------------------------------------+--------------------------------------
DISCLAIMER?  I don't get paid enough to worry about disclaimers.

------------------------------

Date:    Wed, 11 Oct 89 10:59:24 -0000
From:    "David.J.Ferbrache" <davidf%cs.heriot-watt.ac.uk@NSFnet-Relay.AC.UK>
Subject: Virus list popularity

For the avid followers of statistics just a quick note from the September
89 USENET readership report, comp.virus now has:

14000 estimated readers worldwide, is received by 87% of all sites,
averages 214 messages a month (352Kbytes), no crossposting to other
groups, costs 4 cents per month per reader to distribute and is
read by 2.7% of all newsreaders.

[Ed. Thanks for the stats, David!]

------------------------------

Date:    11 Oct 89 17:18:24 +0000
From:    Richard Kennaway <jrk@sys.uea.ac.uk>
Subject: Re: The not-so-new virus (Mac)

We have not seen any symptoms of the MacWrite-attacking MacWight virus
at this site, but on seeing the messages about it, I started looking for
STR 801 resources.  I doubt if they have anything to do with the virus.

A scan of my hard disc showed that something like half the MacWrite docs
had STR 801 in them.  There didn't seem to be any pattern in which files
had STR 801 and which didn't.  The STR 801s are not all the same size, BTW.
Opening a file which did not have it with MacWrite4.6M had the effect of
adding a STR 801.  In response to a local enquiry, a colleague said:

> I don't have all that many MacWrite docs. on my hard disc, but I managed
> to find a few that I created about two years ago.  They had STR id. = 801
> resources.  As far as I can remember, I haven't touched them since
> Christmas '87 (other than copying the folder [that contains the folder ...]
> that contains them, in the Finder, and running Disinfectant).
>
> I've also just looked at the MacWrite floppy that came with a new Mac+
> about two years ago.  As far as I can remember this disc has been
> languishing in its box since a day or two after the machine arrived: the
> "Sample Memo" doc. on this disc also has a STR id. = 801 resource on it.

I suspect that STR 801 is legitimately used by newer versions of
MacWrite for its own inscrutable purposes.  Disclaimer: only Apple or
Claris can make a definitive pronouncement.

Paranoid speculation follows.

Maybe someone is using the Joker's trick.  There could be several
infected applications out there, all quietly spreading harmless-looking
things like STR 801 that don't ring GateKeeper's alarms, but when they
all come together in one application, the real virus is triggered...

Plug for Virus Detective: with this it was easy to search for all files
containing STR 700 (legitimate MacWrite resource) or STR 801.  All the
other virus detectors I've seen have the symptoms to look for
hard-wired.  I have no relationship with the author other than being a
satisfied customer.
- --
Richard Kennaway          SYS, University of East Anglia, Norwich, U.K.
Janet:  kennaway@sys.uea.ac.uk		uucp:  ...mcvax!ukc!uea-sys!jrk
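Both Chris Johnson's post above and this one come down to the same two operations: walking a file's resource map to see whether a STR 700 or STR 801 is present, and recognising that a STR is inert data which no Toolbox routine loads and executes. As an added example (not code from either poster, from Virus Detective or from Apple), the block below builds a small Macintosh resource fork from constructed sample resources, walks its map the way a resource-searching tool does, lists every type and ID, decodes a STR body as a Pascal string and flags only resource types that actually carry code. The fork layout follows the classic Inside Macintosh format; the STR 801 bytes are invented (the real MacWrite font-mapping layout is not on this page), and the set of code-bearing types is cut down to CODE and INIT for brevity.

```python
import struct

# Resource types whose contents are 68k code the system loads and jumps into
# (a deliberately short list). STR is plain data: nothing executes it.
CODE_BEARING_TYPES = {"CODE", "INIT"}

def build_resource_fork(resources):
    """Assemble a minimal resource fork from (type, id, payload) triples.
    Classic layout: 16-byte header, data area at offset 256, then the map
    (header copy, reserved fields, type list, reference lists, empty name list)."""
    data, data_offsets, by_type = bytearray(), {}, {}
    for rtype, rid, payload in resources:
        data_offsets[(rtype, rid)] = len(data)
        data += struct.pack(">I", len(payload)) + payload  # 4-byte length + bytes
        by_type.setdefault(rtype, []).append(rid)

    type_entries, ref_lists = bytearray(), bytearray()
    type_list_len = 2 + 8 * len(by_type)                  # count word + 8 bytes per type
    for rtype, ids in by_type.items():
        ref_offset = type_list_len + len(ref_lists)       # relative to start of type list
        type_entries += struct.pack(">4sHH", rtype.encode("mac_roman"), len(ids) - 1, ref_offset)
        for rid in ids:
            doff = data_offsets[(rtype, rid)]
            ref_lists += (struct.pack(">hh", rid, -1)      # ID, no name
                          + b"\0" + doff.to_bytes(3, "big")  # attrs, 3-byte data offset
                          + b"\0\0\0\0")                    # reserved handle
    type_list = struct.pack(">H", len(by_type) - 1) + type_entries + ref_lists

    data_off, map_off = 256, 256 + len(data)
    map_len = 28 + len(type_list)
    header = struct.pack(">IIII", data_off, map_off, len(data), map_len)
    rmap = header + b"\0" * 8 + struct.pack(">HH", 28, 28 + len(type_list)) + type_list
    return header + b"\0" * (data_off - 16) + bytes(data) + rmap

def list_resources(fork):
    """Walk the resource map and return (type, id, payload) for every resource."""
    data_off, map_off, _dlen, _mlen = struct.unpack_from(">IIII", fork, 0)
    type_list_off, _name_list_off = struct.unpack_from(">HH", fork, map_off + 24)
    tl = map_off + type_list_off
    (ntypes_minus_1,) = struct.unpack_from(">H", fork, tl)
    found = []
    for i in range(ntypes_minus_1 + 1):
        rtype, count_minus_1, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
        for j in range(count_minus_1 + 1):
            entry = tl + ref_off + 12 * j                  # 12-byte reference entry
            (rid,) = struct.unpack_from(">h", fork, entry)
            doff = int.from_bytes(fork[entry + 5:entry + 8], "big")
            (length,) = struct.unpack_from(">I", fork, data_off + doff)
            start = data_off + doff + 4
            found.append((rtype.decode("mac_roman"), rid, bytes(fork[start:start + length])))
    return found

def pascal_string(payload):
    """Decode a STR body: one length byte followed by that many characters."""
    return payload[1:1 + payload[0]].decode("mac_roman")

def str_resources(fork):
    """Map STR resource ID -> raw payload, the view a resource-searching tool gives."""
    return {rid: payload for rtype, rid, payload in list_resources(fork) if rtype == "STR "}

def code_bearing_types(fork):
    """Resource types present that actually hold executable code."""
    return sorted({rtype for rtype, _, _ in list_resources(fork)} & CODE_BEARING_TYPES)

# Constructed sample mimicking a MacWrite document's fork: STR 700 (15 letters),
# STR 801 (font mapping; invented bytes, only the leading word is per Tech Note #12)
# and a vers string. None of these values come from a real file.
SAMPLE_FORK = build_resource_fork([
    ("STR ", 700, bytes([15]) + b"etaoinsrhldcumf"),
    ("STR ", 801, struct.pack(">H", 2) + b"\x00\x03Geneva\x00\x04Monaco"),
    ("vers", 1, bytes([10]) + b"Sample 1.0"),
])

if __name__ == "__main__":
    for rtype, rid, payload in list_resources(SAMPLE_FORK):
        print(f"{rtype!r} {rid:5d} {len(payload):4d} bytes")
    print("STR 700:", pascal_string(str_resources(SAMPLE_FORK)[700]))
    print("code-bearing types:", code_bearing_types(SAMPLE_FORK) or "none")
```

The useful habit this encodes is the one the two posts arrive at: a resource search tells you what a file contains, and the decision about whether a finding matters rests on the resource's type and on whether anything loads it as code, not on an ID number that happens to look unfamiliar.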

------------------------------

End of VIRUS-L Digest
*********************