VIRUS-L Digest Thursday, 21 Sep 1989 Volume 2 : Issue 199
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to [email protected] (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
- Ken van Wyk
Today's Topics:
NIST Virus Management Guide Issued
The McAfee Posting Discussion
Re: Centel Corp. and ViruScan
New Virus (PC)
MIX1 Virus (PC)
Software company distributing viruses (PC)
New variant of Ping-Pong found (PC)
Re: disinfecting nVIR from Appletalk (Mac)
Re: VirusDetective questions (Mac)
Re: Macintosh Virus
"Spanish (?) cookie virus" (PC)
---------------------------------------------------------------------------
Date: Wed, 20 Sep 89 15:35:17 -0400
From: [email protected]
Subject: NIST Virus Management Guide Issued
Computer Virus Guide Issued
The National Institute of Standards and Technology (NIST) has issued a
new publication on computer viruses. It is entitled "Computer Viruses
and Related Threats: A Management Guide", NIST Special Publication
500-166, by John P. Wack and Lisa J. Carnahan of the Computer Security
Management Group at NIST. The guide is intended to help managers
prevent and deter virus attacks, detect when they occur, and contain
and recover from an attack. It provides general guidance for
management and users, plus more specific guidance for multi-user
computer environments and for personal computer environments. It also
contains a list of suggested readings.
The guide is available from the U.S. General Printing Office,
(202) 783-3238.
Ordering Information:
"Computer Viruses and Related Threats: A Management Guide"
NIST Special Publication 500-166
GPO #003-003-02955-6
$2.50/copy
------------------------------
Date: Wed, 20 Sep 89 13:27:20 -0600
From: Chris McDonald ASQNC-TWS-RA <[email protected]>
Subject: The McAfee Posting Discussion
I think David Gursky overlooked the "subtle" point of Mr. McAfee's
posting. If indeed Centel is charging customers $25.00 for VIRUSCAN
and claims that it is losing money, then something SMELLS. I
registered my copy of VIRUSCAN with Mr. McAfee's company for $15.00.
More importantly, while the VIRUSCAN program is shareware, it does
have a copyright. The legal advice I received was that, if a
shareware package has a copyright and if the author states that a fee
or registration payment is required, then I as a government employee
was legally bound to pay the fee. If individuals are familiar with
VIRUSCAN, the wording on payment is direct and to the point. It is
not one of those "pay if you like type of requests."
I think it may also be argued that, if Mr. McAfee wanted to ensure a
financial "killing" for a product which has had several independent
verifications as to its effectiveness, then he would not have made it
so readily available over BBSs and the INTERNET in general.
Chris Mc Donald
White Sands Missile Range
------------------------------
Date: 20 Sep 89 23:36:29 +0000
From: [email protected] (Kelly Goen)
Subject: Re: Centel Corp. and ViruScan
Not as a flame but you have to remember that the term SHAREWARE does
NOT mean Freeware or Public Domain...Centel was attempting to
illegally capture shareware profits belonging legally to John
McAfee. (btw, it's one thing to redistribute freely...it's entirely
another to charge $20.00 for the FREE distribution without permission
of the author...) WE call that theft of intellectual property rights
where I come from!!...While John McAfee and CVIA wish to encourage the
free flow of Antiviral information... the research, collation and
codification into VIRUSCAN is a cost intensive process!! Therefore
John McAfee logically should be able to determine who can redistribute
his software for a FEE and who shouldn't be able to...(for those that
are interested John does have a quite attractive OEM and site
licensing agreement!) Sorry to get on the soapbox but people who
receive and use shareware repeatedly should be paying fees... This
move would greatly improve the quality of software
available from shareware authors!!!
cheers
kelly
p.s. flames to /dev/null
------------------------------
Date: Wed, 20 Sep 89 17:22:54 -0700
From: [email protected]
Subject: New Virus (PC)
Well, it's happening again. We've just received a new virus from
Randy Dean at the U.C. Davis bookstore. The virus infects COM and EXE
files, including COMMAND.COM, increases the size of infected files by
1800 bytes, and infects through the DOS COPY command, as well as
program loads. The virus contains the words "The Dark Avenger,
copyright 1988, 1989" and the message "This program was written in
the city of Sofia. Eddie lives.... Somewhere in Time!". The virus
bears no resemblance to the Jerusalem despite the similarity in sizes.
ViruScan V38 identifies the virus.
By the way, I'd also like to respond to the comments about ViruScan
and John McAfee. If I had written a shareware program that was being
distributed by some other company for money, I would be pretty ticked
off. John has the right to determine who can sell it and who can't,
as I see it.
[Ed. Has V38 been sent out to the VIRUS-L/comp.virus archive sites?]
------------------------------
Date: Thu, 21 Sep 89 08:39:20 +0200
From: "Yuval Tal (972)-8-474592" <NYYUVAL%[email protected]>
Subject: MIX1 Virus (PC)
There is a new virus in Israel. It has been going around in Israel
since August. The name of the virus is MIX1 because of its signature.
Ori Berger (the author of JIV - an anti-viral software which was
written in Israel) made a program that identifies the virus and
exterminates it. (I myself got the virus but didn't look at it yet.
After I disassemble it, I'll report back). The following report
was made by him:
Virus Name..............: The Mix1
Attacks.................: .EXE files
Virus Detection when....: 22.August.1989
                at......: Israel
Length of virus.........: 1. The infected .EXE files grow by
                             1618-1634 bytes.
                          2. 2048 bytes in RAM.
Operating system(s).....: PC/MS DOS version 2.0 or later.
Identifications.........: 1) The signature at the EOF of each infected
                             file is - MIX1 .
                          2) Byte 0:33C=77h.
Type of infection.......: .EXE files only. The virus is put at the end
                          of the .EXE file and the header is changed to
                          point to the beginning of the virus in the file.
Infection trigger.......: EXE file execution through interrupt 21h
                          service 4bh.
Interrupt hooked........: 14h,17h,21h, optionally 8,9 (after 6th level
                          of infection).
Damage..................: Garbled output on parallel and serial
                          connections, optionally boot is disabled,
                          num-lock is constantly on.
Damage trigger..........: Loading of infected file. After 6th level
                          infection vectors 8 and 9 are hooked.
Particularities.........: 1) All output through vectors 14h and 17h is
                             garbled.
                          2) Booting may crash the computer (possibly
                             a bug).
                          3) Memory allocation is done through direct
                             MCB control.
                          4) Does not allocate stack, and therefore
                             makes some files unusable.
                          5) Infects only files which are bigger than
                             16K (This makes disassembly very hard).
- -Yuval
+--------------------------------------------------------------------------+
| BitNet: NYYUVL@WEIZMANN            Domain: [email protected]          |
| InterNet: NYYUVAL%[email protected]                                   |
+-----------------------------------+--------------------------------------+
| Yuval Tal                         | "Remember - the next time you hear a |
| The Weizmann Institute Of Science | fighter jet go by - you are hearing  |
| Rehovot, Israel                   | the SOUNDS OF FREEDOM" - Major Bill  |
+-----------------------------------+--------------------------------------+
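The two file-level indicators in Ori Berger's report (the "MIX1" bytes at end of file and the 1618-1634 byte growth) are enough for an offline integrity check of a suspect .EXE. The following is an added example, not code from the digest or from JIV; the clean and "infected" images it scans are constructed inert data, and the memory indicator (byte 0:33C = 77h) is deliberately left out because it needs a live system.

```python
from typing import Dict, Optional, Tuple

# Indicators taken from Ori Berger's report above.
MIX1_EOF_SIGNATURE = b"MIX1"     # signature at the end of each infected file
MIX1_GROWTH = range(1618, 1635)  # infected .EXE grows by 1618-1634 bytes
MIX1_MIN_HOST = 16 * 1024        # only hosts bigger than 16K get infected


def scan_exe(data: bytes, clean_length: Optional[int] = None) -> Dict[str, object]:
    """Report the file-level MIX1 indicators present in one .EXE image.

    data         -- bytes of the file under test
    clean_length -- size of the known-clean original, when one is available
    """
    findings: Dict[str, object] = {
        "is_exe": data[:2] == b"MZ",  # DOS .EXE header magic
        "eof_signature": data.endswith(MIX1_EOF_SIGNATURE),
        "growth_matches": None,       # unknown unless a clean baseline is given
    }
    if clean_length is not None:
        findings["growth_matches"] = (len(data) - clean_length) in MIX1_GROWTH
    # The EOF signature is the decisive indicator; the growth figure corroborates.
    findings["suspect"] = bool(findings["is_exe"] and findings["eof_signature"])
    return findings


def make_samples() -> Tuple[bytes, bytes]:
    """Constructed clean host and a constructed 'infected' image (inert data).

    The infected sample only mimics the two file-level indicators: a body
    appended after the host that ends in MIX1, and growth inside the range.
    """
    clean = b"MZ" + b"\x00" * (MIX1_MIN_HOST + 500)  # > 16K, eligible per report
    appended = b"\x00" * (1624 - len(MIX1_EOF_SIGNATURE)) + MIX1_EOF_SIGNATURE
    return clean, clean + appended


if __name__ == "__main__":
    clean, infected = make_samples()
    print("clean   :", scan_exe(clean, len(clean)))
    print("infected:", scan_exe(infected, len(clean)))
```

Without a clean baseline the growth check reports None, so a positive verdict then rests on the EOF signature alone.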
------------------------------
Date: Wed, 20 Sep 89 17:39:39 +0000
From: [email protected] (Fridrik Skulason)
Subject: Software company distributing viruses (PC)
A few days ago I posted a note describing the distribution of PC
viruses here in Iceland. One interesting fact was that 1701/1704 is
the most common virus here, but it is only in second or third place
elsewhere.
I just got a phone call explaining why.
One software company here has been infected with this virus (1704-A)
for some time. They have sent out a number of updates to their
programs recently, with all .COM files infected.
This was discovered when one site received an update to one program
and used a virus-checking program, "just to be sure".
What was most serious about the whole thing was the ignorance of the
software company in question.
Their first response when they were told of this was something like:
"We can't have a virus - there are no pirated games here"
I guess this will happen elsewhere, but until now there have been very
few occurrences of software companies distributing viruses (only 4
that I know of).
---- frisk
------------------------------
Date: Wed, 20 Sep 89 17:16:26 +0000
From: Fridrik Skulason <[email protected]>
Subject: New variant of Ping-Pong found (PC)
I recently gave a copy of an Anti-Ping-Pong program to a person with an
infected computer. He had seen the bouncing ball on the screen some
time earlier and contacted me.
Much to my (and his) surprise, the program refused to remove the virus,
saying:
This boot sector is not infected with the Italian virus.
When I took a closer look I discovered the following:
1) He was using a '286 machine (but normally Ping-Pong only
works on '88 or '86 machines)
2) The ball could be activated as normal. (By typing TIME 0,
followed by a command that will cause a read)
3) The signature in the boot sector was identical (1357).
4) A NOP byte had been placed in the middle of the string this
program used for identification.
5) The code had been modified a bit, and the most significant change
was that the MOV CS,AX instruction had been replaced with a
sequence of instructions to do the same thing.
I will publish a full report soon - but I just wanted to know if anybody
else has heard of this variant.
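Point 4 above is the practical lesson of this variant for anyone writing a scanner: one NOP dropped into the identification string defeats an exact substring test. The following is an added example, not frisk's program or the real Ping-Pong code; the identification bytes and boot sectors are constructed stand-ins, and the tolerant matcher simply allows a small number of inserted NOP bytes between expected pattern bytes.

```python
from typing import List

NOP = 0x90              # x86 single-byte no-op, the byte described in point 4
BOOT_SECTOR_SIZE = 512

# Constructed identification string (NOT the one the Anti-Ping-Pong program used).
ID_STRING = bytes([0x33, 0xC0, 0x8E, 0xD8, 0xBE, 0x7C, 0x00, 0xFA])


def exact_match(sector: bytes, pattern: bytes) -> bool:
    """Plain substring check: what a naive identification routine does."""
    return pattern in sector


def nop_tolerant_match(sector: bytes, pattern: bytes, max_nops: int = 4) -> bool:
    """True if pattern occurs in sector with up to max_nops NOP bytes inserted
    between consecutive pattern bytes. Where the pattern itself expects a NOP,
    no skipping is done, so a genuine NOP in the pattern is still required."""
    for start in range(len(sector)):
        i, budget, matched = start, max_nops, True
        for want in pattern:
            while budget and i < len(sector) and sector[i] == NOP and want != NOP:
                i += 1          # step over an inserted NOP
                budget -= 1
            if i >= len(sector) or sector[i] != want:
                matched = False
                break
            i += 1
        if matched:
            return True
    return False


def build_sector(payload: bytes, offset: int = 0x100) -> bytes:
    """Constructed 512-byte boot sector with payload placed at offset."""
    body = bytearray(BOOT_SECTOR_SIZE)
    body[offset:offset + len(payload)] = payload
    body[510:512] = b"\x55\xAA"   # standard boot-sector signature
    return bytes(body)


ORIGINAL_SECTOR = build_sector(ID_STRING)
# Variant as described above: one NOP placed in the middle of the string.
VARIANT_SECTOR = build_sector(ID_STRING[:4] + bytes([NOP]) + ID_STRING[4:])


def verdicts(sector: bytes) -> List[bool]:
    """[exact, tolerant] results for one sector, for side-by-side comparison."""
    return [exact_match(sector, ID_STRING), nop_tolerant_match(sector, ID_STRING)]
```

Against the constructed variant the exact check returns False while the tolerant check returns True, which is the gap frisk's program fell into.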
------------------------------
Date: 21 Sep 89 04:49:46 +0000
From: [email protected]
Subject: Re: disinfecting nVIR from Appletalk (Mac)
In article <[email protected]> [email protected] (David Gursky) writes:
> When you finally get Disinfectant, and de-Binhex it and
> de-Stuffit, make sure the diskette you keep it on is
> write-protected!!! This is very important; a virus cannot infect
> an application on a write-protected diskette!
This is a good idea, but not entirely necessary with Disinfectant.
Disinfectant is resistant to all currently known viruses and will
refuse to run if it has been changed in any way. I have run
Disinfectant on a System infected with nVIR A with SAM Intercept
active to let me see when nVIR attempts to infect anything. Even when
I allow nVIR to access Disinfectant, it cannot infect it!
Another thing to note is that Disinfectant _can_ disinfect the
currently running System. This means that once you have
Disinfectant, you can put it on a floppy, disinfect the floppy, lock
it and use it to disinfect everything else.
Please note that this method should be used only when you don't have
a clean copy of the System. In fact Disinfectant should only be
used to disinfect when you have no clean master for a program.
Henry Schmitt
Author of Virus Encyclopedia
H3nry C. Schmitt    | CompuServe: 72275,1456 (Rarely)
                    | GEnie: H.Schmitt (Occasionally)
Royal Inn of Yoruba | UUCP: [email protected] (Best Bet)
------------------------------
Date: 21 Sep 89 05:05:58 +0000
From: [email protected]
Subject: Re: VirusDetective questions (Mac)
In article <[email protected]> [email protected] (Richard Nixon) writes:
>Has anyone used VirusDetective for the Mac? We've
>used it, but it seems to detect viruses in files that
>we doubt are affected.
>
>How reliable is this bit of software?
How certain are you that these files are not infected? Have you
checked them with other programs such as Disinfectant and Virus RX?
The latest version of VirusDetective (3.0.1 if memory serves) seems
quite reliable. It was the program with which I discovered the nVIR
A infection on the disk which came with the Brady Utility book
_Applied HyperTalk_.
If VD is reporting a virus, I'd be sure to check those files with
another detection utility before dismissing it as a false alarm.
I'm not saying that VD will never give a false alarm, but since the
different utilities use different detection methods the probability
of both giving false alarms on the same file is small.
Personally I never trust only one program to tell me whether or not
I have a virus. I run at least two on a weekly basis.
Henry C. Schmitt
Author of Virus Encyclopedia
H3nry C. Schmitt    | CompuServe: 72275,1456 (Rarely)
                    | GEnie: H.Schmitt (Occasionally)
Royal Inn of Yoruba | UUCP: [email protected] (Best Bet)
------------------------------
Date: 21 Sep 89 05:23:45 +0000
From: [email protected]
Subject: Re: Macintosh Virus
In article <[email protected]> JOHN P. BRADLEY writes:
> Well it was bound to happen - why should we be any different? We
>believe we have discovered a virus in our microcomputer lab.
>education of the users, hoping that this won't get out of hand.
...[stuff deleted]...
> Any ideas would be greatly appreciated.
John -
The first thing I recommend is to pick up Disinfectant 1.2 by
John Norstad of Northwestern University. It is available from a
number of places such as BBSs and Mac Users' Groups as well as FTP.
Read the documentation that comes with it, especially his
recommendations. He explains the policy they use at Northwestern to
combat viruses. This will allow you to find and remove existing
viruses. Note that you should replace infected files with known clean
copies whenever possible, rather than disinfecting. Use this on a
regular basis!
To help prevent future infections, get a Virus prevention
INIT such as Vaccine, or GateKeeper. Prevention INITs also come
with commercial packages as well. Put a copy on every Startup disk
you can find. Note this will not help in cases where users bring in
their own startup disks (like myself).
It will definitely help to educate your users. Might I
recommend (here comes the commercial :-) my HyperCard stack Virus
Encyclopedia. It is available from the same places as Disinfectant
(I'm not sure about FTP, I'm working on that) and also BudgetBytes
and Educorp.
I wish you success in fighting viruses.
Henry C. Schmitt
Author of Virus Encyclopedia
H3nry C. Schmitt    | CompuServe: 72275,1456 (Rarely)
                    | GEnie: H.Schmitt (Occasionally)
Royal Inn of Yoruba | UUCP: [email protected] (Best Bet)
------------------------------
Date: 21 Sep 89 13:07:00 +0200
From: Antonio-Paulo Ubieto Artur <[email protected]>
Subject: "Spanish (?) cookie virus" (PC)
I heard recently about a virus here in Spain known as "the cookie
virus" ("virus de la galleta"). I don't know if this virus originated
here in Spain or somewhere in Europe. Although I haven't seen this
virus yet (I got the following from hackers here outside of our
University) I think it really exists and seems to be really a nasty
virus, so I provide the following information to avoid possible
trouble.
This "cookie virus" seems to activate itself only when you are
using a word-processing program. At random moments it flashes you
something like "give me a cookie...!" ("dame una galleta"...!). If you
type "have a cookie" ("toma una galleta"), the virus seems to
deactivate itself after prompting "thank you" ("gracias"). If you do
not "give it a cookie" and escape some other way, it asks for a cookie
again two minutes later. If you escape again and afterwards save
your text and exit the word-processor, you will find the next time you
try to load your text that its entire contents have been replaced with the
string "this because you didn't give me a cookie" ("esto por no darme
una galleta")...
In a first approach to the detection of this virus, any search
for the string "cookie" ("galleta") was of no use. The only string found
was something like "kiecoo" ("etagall"), and the virus seemed to be in
the "IBMBIO.COM" and "IBMDOS.COM" files, but the time and date stamps seemed to
be untouched...
Has anybody out there suffered effects like the ones described?
Any detection and preventive methods?
Antonio-Paulo Ubieto Artur.
Department of Modern and Contemporary History.
Zaragoza University.
50071 Zaragoza (Spain-Europe).
[email protected]
------------------------------
End of VIRUS-L Digest
*********************