krvw@SEI.CMU.EDU (The Moderator Kenneth R. van Wyk) (10/23/89)
VIRUS-L Digest Monday, 23 Oct 1989 Volume 2 : Issue 216 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Protection in Operating Systems GateKeeper vs. SAM Intercept (Mac) A new version of nVIR A (mac) I'm New - What do I do with all of this? (PC) SuperClock 3.5 Virus? (Mac) Virus Information on VAX/VMS? 1701/1704 Infection report - Switzerland (PC) New Virus From the Philippines (system unknown) Equivirulence Map ? Lode Runner Virus (Apple) --------------------------------------------------------------------------- Date: Fri, 06 Oct 89 22:17:00 -0400 From: WHMurray@DOCKMASTER.ARPA Subject: Protection in Operating Systems >I wouldn't say UNIX is virus-proof (I posted a hoax article about a >UNIX virus over a year ago, just before the Internet Worm incident), >but it's sure a hell of a lot more virus-resistant than DOS. It may be useful to compare UNIX with DOS. However, if you are going to do it, you should be a little more complete. In most implementations, UNIX is a multi-user multi-tasking system requiring a system manager or operator. Media is not in the hands of the end-user. It gets whatever storage it requires. DOS is a single-user single-tasking system designed to be operated by the user. Media is normally in his hands. DOS was originally designed to run, with an application, in under 64K. (Had it not been, we would not have a virus problem; we would not even have an industry.) It is not reasonable to expect them to manifest the same vulnerability to viruses, any more than they exhibit the same functionality. However, as it relates to viruses, the big difference between them today is the number and nature of uses and users. If UNIX were being used for the same things and by the same number of users as DOS, it would be just as vulnerable. >Better than changing OS to get better virus "resistance", why not >encourage the systems designers at Apple and IBM to implement >protection in their respective operating systems? Be careful what you ask for; you might get it. The vulnerability to viruses arises from our ability to write and share programs; All complete strategies for dealing with them must ultimately involve some restriction on those capabilities. While operating system functionality may be useful, I would rather reserve the decision over such fundamental choices to the end- user. Much of what appears to be vulnerabilities to viruses in DOS, e.g., the bootblock, are simply the virus designer exploiting a feature in the way that it was intended to be used. The bootblock is intended to give control to the program on the media. It operates the way that it was intended. It contains no surprises. The virus designer uses it as the obvious solution to the problem which confronts every virus designer, i.e., how to get control, how to get his program executed. In the absence of malice the mechanism would be beneath the users level of notice. In the presence of viruses, he must be careful what media he boots from and must avoid putting his media in machines already booted. In the absence of the feature, the virus designer would get his program executed in some other way. As a last resort, he would simply dupe users. We may decide that being able to switch programs by switching media is too dangerous a feature to have, but I am not ready to concede it yet. >I am sure that there are many complex issues facing a >company such as Apple, with regards to this problem, and changes at >the OS level to deal with viruses will, and probably should, be slow. Here we are clearly in agreement. >What users should be doing, is overtly pressuring computer >manufacturers to address this need at the OS level, and start buying >equipment from vendors who move in that direction. The only machines that fully address this problem at the OS level are "application machines" which do not present any ability to modify or install programs. Fred Cohen suggests that in a world of such machines we would still enjoy many, but not all, of the benefits of computers. I would assert that we would enjoy many, but not most, of those benefits. Indeed, the advantages of user programmability are so great that there is no chance that the readers will follow your advice, or that manufacturers would yield to any such pressure. In the end, it is not an operating system issue; it is an application issue. No matter what you do at the system layer, if you include user-programming at the application layer, then you are vulnerable to viruses. Even interpreted languages, such as REXX, BASIC, or key-board macro languages, which need not even know what system they will run in, can be used to implement viruses. William Hugh Murray, Fellow, Information System Security, Ernst & Young 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ------------------------------ Date: 06 Oct 89 18:52:50 +0000 From: chinet!henry@att.att.com Subject: GateKeeper vs. SAM Intercept (Mac) In article <0002.8910051142.AA12544@ge.sei.cmu.edu> ut-emx!chrisj@cs.utexas.edu (Chris Johnson) writes: [Stuff Deleted] >Furthermore, I gather that GateKeeper is significantly more >configurable than SAM insofar as it maintains a privilege list which >can be easily viewed and edited (I've never used SAM, so I don't speak >from first-hand experience on this point, but people assure me that >it's a *very* important difference in practice). I have used both GateKeeper and SAM Intercept and I prefer the latter. The main reason? When "something suspicious" happens, GateKeeper says "you can't do that!" then if you want to override, you must open the Control Panel select GateKeeper and set up the permission; with SAM Intercept, at the time of the happening you can allow the action once or LEARN the action then and there! >GateKeeper doesn't provide a virus-scanner, but with Disinfectant >available (also for free) it's not much of a problem. Agreed. But it is handy to be able to scan as soon as you pop in a floppy. VirusDetective DA is a good way to do this. >One other thing that makes GateKeeper unique in the world of Macintosh >anti- virus systems is that it keeps a log file that details exactly >what virus related operations have been attempted, when, by whom and >against whom. I only see this as being useful if you're trying to track the propagation of a virus, but then you have to allow the "suspicious action" which GateKeeper doesn't do (unless you gave permission, in which case it isn't logged!) >- ----Chris (Johnson) >- ----Author of GateKeeper I'm not trying to put down GateKeeper, if you want to fight viruses cheaply, it's a must! Keep up the good work Chris! Henry C. Schmitt Author of Virus Encyclopdeia Latest Version dated 6/8/89 H3nry C. Schmitt | CompuServe: 72275,1456 (Rarely) | GEnie: H.Schmitt (Occasionally) Royal Inn of Yoruba | UUCP: Henry@chinet.chi.il.us (Best Bet) ------------------------------ Date: 07 Oct 89 03:10:03 +0000 From: prieto@gem.mps.ohio-state.edu (Juan Pablo Prieto-Cox) Subject: A new version of nVIR A (mac) It seems that there is a new version of nVIR A, or at least that's what the program Disinfectant reported. I will try to explain what it did to my system. Unfortunately before I noticed that it didn't behave as the well known nVIR A I erradicated it with Disinfectant. After I run the infected program (a THINK C program) it changed the type of the files in the same folder (and folders therein) into a seemingly random type, taken from another file. That is, if you list the files by KIND under normal circumstances you would get THINK C as the kind, but after I run the infected program it changed the type to "vamos.c" that was just a file in the same folder. Upon further explorations with ResEdit I found in the Desktop file in the APPL resource a repetition. With Creator KAHL (as for all THINK C programs) but Application "vamos.c". I also found a resource of type =/VIR (for typographical reasons by =/ I mean the symbol for not equal). Remember that I had already ran Disinfectant. Does anyone have a clue? or a similar problem? Juan Pablo Prieto-Cox ------------------------------ Date: 06 Oct 89 14:56:54 +0000 From: eschner@mdcbbs.com Subject: I'm New - What do I do with all of this? (PC) I have a question that maybe others want to ask too: I am new to BBS'es. This is my first other than our company one, so I don't think that my PC at home is "bugged" (though I have bought some shareware disks). I find all of this talk about viruses facinating - and frightning. 1) How do I make sure I don't have any viruses on my machine, and 2) How do I remove any found viruses? Do I have to by programs, or are there some in public domain? Can they only be obtained from PC BBS'es, or over this network? Brian Eschner eschner@mdcbbs.COM ------------------------------ Date: Sat, 07 Oct 89 11:10:00 -0800 From: JOHN LOUCH <LOUCHA%CLARGRAD.BITNET@VMA.CC.CMU.EDU> Subject: SuperClock 3.5 Virus? (Mac) Is there a virus on superclock 3.5 for the macintosh. I would like to no since I own that program. Thanks, John Louch Loucha@clargrad.bitnet ------------------------------ Date: Sun, 08 Oct 89 12:18:00 -0400 From: The one and only RED MENACE!!! <CCSST%SEMASSU.BITNET@VMA.CC.CMU.EDU> Subject: Virus Information on VAX/VMS? To whom it may concern: I have been following the discussion on the possibility of a virus on the VAX/VMS. I am wondering if there is any more word on this particular topic? The reason I ask is because I am one of many users at Southeastern Massachusetts University that are concerned about the welfare of our VAX systems. As it turns out, I have submitted the information on possible VAX/VMS viruses to our SYSTEM MANAGER to inform him of the possible threat. If there is anynmore information, could you please send me the information? Thanks in advance, Scott Turbiner ------------------------------ Date: Mon, 09 Oct 89 03:40:00 +0100 From: Markus Fischer <FISHER%CGEUGE52.BITNET@VMA.CC.CMU.EDU> Subject: 1701/1704 Infection report - Switzerland (PC) Infection report from Geneva - Switzerland. =========================================== The Cascade 1701/1704 -B virus has been found in Geneva (Switzerland) this week. It is the first time I see infected machines in that city. At least two machines are infected. The diagnosis was made with VIRUSCAN V35. There is no doubt. It is possible that the infection is going outside the infected computer club, but we are not sure at the moment. I'll publish every interesting news. Fred Demole Disclaimer: ^^^^^^^^^^ "I am posting this through a friend's account. His consent to my use of his account in no way implies his consent to responsibility for the opinions expressed herein." /---------------- Fred Demole - Geneva (Switzerland) ----------------\ / ---------------------------------- \ | "I know my english is very bad... | fisher@sc2a.unige.ch | | Remarks are appreciated. | fisher@CGEUGE52.BITNET | | Congratulations too." | --------------------- | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ------------------------------ Date: 09 Oct 89 10:01:00 -0400 From: <USADS%EMUVM1.BITNET@VMA.CC.CMU.EDU> Subject: New Virus From the Philippines (system unknown) I have a user on campus who brought back a few disks from the Philippines and is now having problems with all of his disks. (hard and floppy) He states that all of his disks have bad tracks at the end of the disks, and he receives "can not load" messages when trying to load files from these disks. I know very little about viruses and would like to know where I can send a disk that I suspect might have a virus. I only have one copy of the disk that I believe is infected, and I don't want to send it to just anyone. Thank you Al Shelton Emory University MicroComputer Support 404-727-0816 ------------------------------ Date: 10 Oct 89 03:29:46 +0000 From: edvvie!eliza!johnny@relay.EU.net (Johann Schweigl) Subject: Equivirulence Map ? Has it ever been tried to verify the center of 'epidemic' virus attacks? What's in my mind is a map of the (PC)known world, splitted into area codes. Whoever catches a virus reports the type (if known), symptoms and number of occurences on the PC's he takes care of. One for the late night home hacker, lots for a company's support staff or universities. If a virus begins to spread, USENET data exchange should be faster than PD or pirated software exchange. Data could be collected at one site in a relational database, with reports sent every week (or so) to a new newsgroup (comp.virusmap)? Some questions arise: Do you think, that - the typical infection paths could be analyzed? - this information would be useful to us? - hyperproductive virus developers could be tracked down? - virus avoidance could be made more effective? - this would make any sense at all? If the answer is yes, any ideas how to deal with - the amount of data that should be expected? - the world could be organized into areas (no problem within a town, but I talk about something a little larger)? In my opinion future Virus defence has to be active and aggressive, not the passive sit-down-and-wait-for-somebody-developing-a-serum. There's lot of infomation in this group, but it has to be cross-referenced to be really useful and can be given to persons not in the USENET family. By the way, has anybody read Michael Crichton's 'The Andromeda Strain'? It's a evil book about a virus, just nothing to do with computers. Shoot the viruses to Pluto. Then, never trust software from there. Johnny - -- This does not reflect the | Johann Schweigl | DOS? opinions of my employer. | johnny@edvvie.at | Kind of complicated I am busy enough by talking | | bootstrap loader ... about my own ... | EDVG Vienna | ------------------------------ Date: Mon, 09 Oct 89 12:33:43 -0500 From: davidbrierley@lynx.northeastern.edu Subject: Lode Runner Virus (Apple) Here is a copy of a virus report posted on Info-Apple. The report, I believe, originally was posted on Compuserve by Brian McCaig. I would like to point out that subsequent messages on Info-Apple have indicated that Speedy Smith is not the primary carrier of the virus. I also have some questions. (1) Does any reader of VIRUS-L know if the French expression "non-destructeur" means "non-destructive" or "indestructible?" (2)Could anyone post a version of VIRUS.KILLER (source code follows the report) written in BASIC? (It could be posted here or to Info-apple@brl.mil) (3) Because the university does not import VIRUS ALERT I have not posted this report to it, for fear of replication. Could someone post this message to VIRUS ALERT if it has not appeared there already? - ------------------------------------------------------------------------- Well folks, here it is...installment number 3 in the Saga of the virus for the Apple II. First it was CyberAids, which wasn't all that great and was quickly defused. It was followed in June of 1988 by Festering Hate, a more sophisticated and deadly evolutionary offspring of CyberAids. F.H. spread rapidly throughout the Apple II world and was particularly insidious as it; infected (usually) the first .SYSTEM file in the root directory, usually Basic.System, would infect more than one file per disk, would infect files in sub-directories, and when it 'went off' would destroy all volumes currently on-line at the time. This included RAM disks and Hard Drives! By now, most of you are aware of Festering Hate and that there are several good virus detecting/protecting programs available that have virtually eradicated the FH virus. It is to the credit of the Apple II community in general, and selfless people like Glen Bredon that FH was halted before it got too out of hand. As a matter of fact it was the very vehicle that spread the virus so rapidly that was also responsible for its quick demise. After I did my initial research on FH last year I wrote a brief study of it and uploaded the study to most of the active BBS's in Canada and the U.S. I also sent copies to Glen Bredon and others who acted very quickly to develop the 'cures'. But it was the massive telecommunications network of Apple II users that spread the details so quickly and stopped FH. Now, number 3 virus has just appeared. Called, rather nostalgically, "LODE RUNNER", it is not quite as destructive as its predecessors but its a virus nonetheless. Here's what I've been able to pull together so far: SOURCE - Although we're not 100% positive it appears that the program called SPEEDY SMITH is the culprit. A recent import from France, Speedy Smith is one of the fastest copy programs for the IIgs. A full 800K disk copy takes about 50 seconds (without verification) to 70 seconds (with) using SS. It has an excellent SHR screen with 'thermometers' that indicate the copy's progress. Unfortunately the reason we cannot either convict or acquit SS is that its creators have seen fit to invent their own DOS. This DOS is not readable by standard Apple II sector editors such as the one in Copy II Plus. There are several reasons, however, for suspecting Speedy Smith. First SS's displays are in French and the virus's text screens are as well. When catalogued Copy II+ indicates that there are 292 used Prodos blocks, but adding up the individual files' blocks only totals 148. And lastly, what better vehicle for the spread of a virus than a copy program? HOW WAS IT DISCOVERED? - Lode Runner was discovered almost by accident by several members of the Apples BC Computer Society. Shortly after receiving several new disks of IIgs software, including Speedy Smith, one member found that his Test Drive II refused to run. This was followed by backups and originals of Space Quest I and Police Quest. At first it was thought that the member's IIgs was having hardware problems. But at the same time another friend from Eugene, Oregon contacted us about having seen a French hi-res screen appear on his monitor just before his Copy II+ disk was trashed. Not being Canadian he was only able to pick out the word "virus". Armed with this info and the 'damaged' Space Quest disks I spent a weekend checking things out. At the same time other friends in Oregon & California were independently analyzing infected disks. HOW DO YOU KNOW IF YOUR DISKS ARE 'INFECTED' - There are 4 ways of detecting Lode Runner: 1) When the virus "goes off" and erases your disk...not exactly the most desirable way, 2) If you have a copy of Space Quest I then you can use it to check all your disks. Boot any suspect disk and wait until the drive stops. Replace the disk with Space Quest and do the 3 or 4 fingered salute (OA-CTRL-RESET). NOTE: Keep Space Quest write protected so that it dosn't get screwed up. If Space Quest boots to the point where it asks you to press a joystick button then you can be pretty sure that the previous disk is OK. If Space Quest trashes with an error message (#206) then the previous disk is likely infected. If you DO get an infected disk then you MUST either power down your IIgs or run the self-test before continuing with your testing to clear the RAM as the virus seems to install itself there. 3) A better check (and much faster) is to boot Copy II+ and run the 3.5" Sector Editor. Do a read of Block 0000 (Track 00, sector 00, side 01). If the first 3 bytes are 01 A9 50 then the disk is infected. Those 3 bytes aren't the only bytes that are different but they are all that is necessary to identify the virus. 4) If you recall, last year during the Festering Hate panic it was noted that one of the best ways to have an Apple II virus was in BLOCK (0) on any Prodos disk. At that point, anticipating another virus, Guy T. Rice wrote a small virus detector/fixer. If you put this program into the SYSTEM/SYSTEM.SETUP folder on IIgs disks then it would automatically detect and correct modifications to Block (0). Now for LODE RUNNER this will also work.. that is, it WILL detect LODE RUNNER and it will try to correct Block (0). BUT, it appears that due to the method of spreading of LR Guy's program cannot correct it. Every time you boot the disk it'll give you the virus detect error. I think the reason for this is that LR installs itself in RAM upon bootup in preparation for infecting a new disk.. and the only way you can be sure that its gone is to either power down or run the self-test.. and since Guy Rice's program does an auto-reboot and corrects the block (0) all in one step then the RAM never really clears and the virus re-infects the disk. And since you cannot write-protect the disk it becomes a vicious circle. I am going to try to get these observations to Guy Rice in the hopes that he can modify his program. NOTE: Three other problems with using Guy's program: its no good for 5.25" disks, it only works with a IIgs and it only works with disks that are bootable. LODE RUNNER can infect ANY Prodos disk because it resides in one of the blocks created when a disk is formatted. There is a 5th way.. the friends in Eugene, Ore have written a Binary program to detect and disarm the virus and I will try to include it in this file when I upload it. The reason theirs is successful is that the detector is not part of the disk being checked and thus the "circle" is broken. METHOD OF SPREADING - As far as we can tell the virus is spread two ways: by being copied with a copy program and by booting an uninfected disk (using OA-CTRL-RESET) immediately after running an infected disk. NOTE: For a disk to be infected it must not be write-protected. The virus does NOT infect actual files so none of your files will look modified in either their file length or their modified date. The virus also does not search all drives, as did Festering Hate, so cannot be detected that way. Because it doesn't infect files it only infects one spot per disk and cannot destroy any sub-directories. Therefore your cannot get rid of the virus just by re-copying the files...the virus is actually part of the Prodos kernel created when the disk is formatted. WHAT HAPPENS WHEN IT "GOES OFF"? - To get Lode Runner to "go off" you must set your Control Panel's clock to the following: the MONTH must be October, the DAY must be an odd numbered day and the minute must be a number divisable by 8. Next you must boot an infected disk then boot (using OA-CTRL-RESET) any other disk. This second disk must NOT be write-protected or the virus won't activate. - Once the second disk is booted the virus will appear. Its a red screen with text characters as follows: +++ SYSTEM FAILURE in : +++ 08 and proceeds to count down to zero where the screen changes to another with a multi-colored scrolling background and the following text; 000E Copies. Distr:Artistes Associes === L O A D R U N N E R === Premier virus NON-DESTRUCTEUR sur IIGS par SUPER HACKER & SHYRKAN du MASTERS CRACKING SERVICE 1988 Lyon By the time you've read the first screen the disk that you just booted has been rendered useless. LR does not appear to erase more than the current disk and doesn't seem to affect 5.25" disks. Not being an expert in French I am unable to determine whether the phrase below the title means: "The first non-destructIVE virus for the IIgs" or "The first non-destructIBLE virus for the IIgs". This is a 'moot' point however as it DOES destroy one disk when it goes off. In addition, and I believe that the writers of LR didn't plan this, LR will destroy Space Quest 1 and Police Quest for the IIgs if they are booted AT ANY TIME after an infected disk.. and if they are not write-protected. It is not necessary for LR to "go off" for these programs to be rendered useless. I have only found these two that behave in this fashion but I am sure there are more.. likely most of the Sierra programs for the IIgs. ACKNOWLEDGEMENTS - As with the studies on Festering Hate there are many people who collaborated on the research for this virus. Many thanks go out to: APPLES BC members, Ross Woodhouse - for being so insistant that something WAS wrong. Pat Daley - for gathering data, programs and relaying info. EUGENE, OREGON users, Jack Stalcup - for accidentally setting the virus off because the battery in his IIgs was dead. And for sending the programs and keeping the communications alive. Neil Parker and Mike Suiter (sp?) - for analyzing LR and writing the detection/correction program. PLEASE upload this file and Virus.killer to all bulletin boards. Please tell everyone you know about this virus so that we can wipe it out as fast as Festering Hate. PLEASE.. if you find out any more information that is either not in these notes or that refutes any of these observations then let me know. I can be reached at (604)294-4471, 8:30am to 4:30pm Pacific time, Monday thru Friday up until September 30, 1989. I can also be either reached by answering machine or in person at home (604)947-9722 anytime. I will also be in attendance at Applefest in San Francisco Sept.22, 23, & 24th. Messages can also be left on Compuserve...to 76475,642 (>>>---Brian--->). >>>---Brian---> (Brian McCaig, Virus Busters) [Ed. Program deleted - please contact message author for copy.] ------------------------------ End of VIRUS-L Digest *********************