VIRUS-L Digest   Monday, 25 Sep 1989    Volume 2 : Issue 201

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to [email protected] (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
- Ken van Wyk

Today's Topics:

Re: Centel Corp. and ViruScan
New IBMPC anti-viral programs
should we fight fire with fire?
Re: Should we fight fire with fire? NO!
Macintosh Lock-up
Anti-virus virus
Re: Software company distributing viruses (PC)
The anti-virus virus
MIX1 (PC)
RFC: Guide to Fighting Macintosh Viruses:...
A bouncing diamond star (What is it???)
SCANV38 (PC)
Is this a virus ?

---------------------------------------------

Date:    Fri, 22 Sep 89 08:21:07 -0400
From:    [email protected] (David Gursky)
Subject: Re: Centel Corp. and ViruScan

In
([email protected]) writes...

The creator of VirusX for the Amiga certainly feels this way, [that "I
want you to get your information from me and no one else"], and for a
very good reason: It's the only way to make certain that the program
hasn't been tampered with to make it a virus spreader instead of a
stopper.

It just so happens that I agree with him.  What better way for some
sleazo to get a virus or trojan horse spread than to make it look like
it's a common, otherwise trusted, shareware virus killer program?

- -----

I have no qualms with any of this per se.  If the author of a package
wants to limit the sources from which his or her work is available,
fine!  But by doing so you forfeit the right to label your work as
shareware!

Shareware, by definition, is software that is shared with other users
for the purpose of preliminary evaluation.  If the user finds the
application useful, the user is honor- and legally-bound to pay the
requested fee for the software.

Shareware works because the distribution system is the users
themselves.  The author has only a minimal say in the distribution.
Certainly if the author wants to more strictly limit the dissemination
of his or her work, he or she is welcome to do so.  The proper manner
is a commercial distributor; anything that tries to mix commercial and
shareware, "isn't kosher".

As far as Ed's other argument goes (about using trusted shareware
virus killer programs as a carrier for a virus), I can't be the only
one who has failed to notice that, despite this being a common fear,
it has not happened recently or often (the last case I know of was a
"version" of Ross Greenberg's original FluShot, that was a Trojan
Horse that destroyed FATs or some-such; even then, this wasn't a virus
but a trojan).

Let me take this one step further.  Anti-virus applications (IMO) make
a poor carrier for a virus.  In order for a virus to succeed, it must
go undetected.  This means that prior to the activation of the virus'
logic-bomb or time-bomb, it cannot interfere with the normal operation
of the computer or the applications in use on the computer.  To do so
greatly improves the chances the virus will be discovered (to wit, the
Jerusalem virus).  If we work under the assumption that when a user
acquires an anti-virus application, they actually use it (in fact we
must work under this rule; otherwise the virus would not spread), the
virus necessarily undergoes an increased chance of detection because
an application is running that looks for viruses!

Standard disclaimers apply.

David Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation

------------------------------

Date:    Fri, 22 Sep 89 09:14:40 -0500
From:    [email protected] (Jim Wright)
Subject: New IBMPC anti-viral programs

More programs for the IBMPC anti-viral archives.

columbus.arc
       Program to backup track zero of a hard drive and restore
       track zero.  Meant for disaster recovery, such as that
       from "Columbus Day" virus.  Includes source!
m-3066.arc
       Program to repair damage due to the new "3066" virus.
       Checks and repairs an entire drive.  Use with caution.
scanres7.arc
       Memory resident program to check each program for viruses
       before it is executed.  This replaces the previous release
       of scanres.
scanv37.arc
       Scans hard drives or floppies for viruses.  This replaces
       the previous release of scanv.
virsimul.arc
       Program to simulate the non-destructive effects of various
       viruses.  Very useful in figuring out what everyone else
       is talking about.

COLUMBUS.ARC    Save & restore track zero of hard drive.
M-3066.ARC      Recover from the 3066 virus.
SCANRES7.ARC    Resident program to detect viruses.
SCANV37.ARC     Scans drives and reports presence of viruses.
VIRSIMUL.ARC    Simulates non-destructive behavior of viruses.

Jim

------------------------------

Date:    Fri, 22 Sep 89 11:42:25 -0400
From:    "Ronald Johnson," <RJOHNSON%[email protected]>
Subject: should we fight fire with fire?

*** Reply to note of 09/22/89 00:11

The proposed "solution" is not acceptable.
1. It would be the beginning of a new "ARMS RACE" with each side trying to
   overpower the other with increasingly sophisticated viruses.
2. The possibility for abuse is frightening.

Regards,
Ronald Johnson, acting Data Security Manager
Security Services, LDB, Vancouver, 254-5711 ext. 353

------------------------------

Date:    Fri, 22 Sep 89 09:51:53 -0700
From:    [email protected] (Michael Odawa)
Subject: Re: Should we fight fire with fire? NO!

Thank you for bringing this issue up with others before you acted.  We have
had previous discussions about this issue, and here are some of the
considerations:

  a)  Virus technology is still relatively primitive; there is much we do
      not know about the interaction of viruses with other software
      functions, such as real-time, cycle counting procedures.  Hence even
      a well-intentioned virus writer can not anticipate all the effects
      his code may produce.

  b)  It is highly likely that bugs and unintended side effects will be
      present in any complex piece of software.  Thus even an intended
      "beneficial" virus is likely to take action beyond what was designed
      by the author.

  c)  The existence of "good" viruses in the environment would create a
      massive identification problem for the anti-viral software routines
      which currently exist and which are being developed.  How could a
      virus detector distinguish between a "good" virus and a "bad" virus
      that was masquerading as a "good" one?

  d)  One of the worst aspects of virus propagation is that it alters the
      contents of other people's computers and storage media without their
      consent.  This is a very serious ethical principle which cannot be
      broached even in the name of public service.  You simply do not have
      permission to muck with people's computing hardware without asking
      them first.

For these reasons and others, we ask you not to become seduced by the
temptation to create a "good" virus.  Indeed, we believe that,

                  The only good virus is a dead one.

Michael Odawa
Software Development Council
[email protected]

------------------------------

Date:    Fri, 22 Sep 89 13:26:00 -0500
From:    "Chris_C.Conner" <13501CCC%[email protected]>
Subject: Macintosh Lock-up

This is the first time I've written to the digest and I hope someone
out there has some information on my topic.  I work at the Graphics
Lab in Michigan State University's Computer Center, so we get plenty
of people coming through to use our MacII and scanner.  A fellow came
in the other day and when he inserted his disk into the Mac, the
machine locked up.  We run VACCINE, and Disinfectant 1.2.  After
restarting the machine, I checked the hard-disk and found nothing, so
I inserted his disk again (while Disinfectant was still running) and
it locked up again.
   I was wondering if anyone knew about this.  If it is some kind of
virus it could be a real nuisance.  You couldn't use the disk, or
reformat it because you couldn't put it into a machine.  The only
thing I can think of doing is using a bulk eraser.

        If anyone has anything, help me out...

                                           CCC

------------------------------

Date:    Fri, 22 Sep 89 16:02:39 -0500
From:    Joe Simpson <JS05STAF%[email protected]>
Subject: Anti-virus virus

Recently another proposal to create an anti-virus virus was made on
valert-l.  I posted a note that discussion belonged in virus-l and
that I would be responding here.

[Ed. Thank you!]

Concerning writing an anti-virus virus.  Such an entity would make
unauthorized use of equipment not owned or operated by this virus's
creator.  The creator would be acting in just as immoral a fashion
as the creators of joke, political, or deliberately destructive
viruses.  In fact, I prefer not to make moral judgements based upon
the intent of the virus creator.  I would prefer that they simply
refrain from this anti-social behavior no matter what the motivation.

------------------------------

Date:    22 Sep 89 12:57:23 +0000
From:    [email protected] (James Borynec)
Subject: Re: Software company distributing viruses (PC)


In article <[email protected]>, [email protected] (Fridrik Skulason) writes:
>     "We can't have a virus - there are no pirated games here"
> I guess this will happen elsewhere, but until now there have been very
> few occurrences of software companies distributing viruses (only 4
> that I know of).

Software companies may be the largest source of virus contamination
around.  After all, they send disks everywhere and no one worries
about 'shrink wrap' software being 'unclean'.  I have only been hit by
two viruses - both came from software companies - one of which was
Texas Instruments.  The guy in the office next door was hit by a copy
of a virus on his (shrink wrap) copy of WordPerfect.  I think it is
shocking that people are told just to watch out for viruses when
engaged in software 'swapping'.  Everyone should regard EVERY disk
that enters their machine with suspicion.

J.b.
- --
UUCP : utzoo!bnr-vpa!bnr-di!borynec  James Borynec, Bell Northern Research
Bitnet: [email protected]        Box 3511, Stn C, Ottawa, Ontario K1Y 4H7

------------------------------

Date:    Sat, 23 Sep 89 11:49:00 -0500
From:    <CTDONATH%[email protected]>
Subject: The anti-virus virus

(regarding a note of 9/22/89 on VALERT-L)

Using a virus to destroy other viruses is a good idea IN THEORY. It
assumes two points: 1. the AVV (anti-virus virus) is assumed to work
properly under all conditions; 2. the virus-writers are assumed to not
create new anti-anti-virus-virus viruses i.e. start a viral arms race.

Regarding point 1:
Robert Morris Jr. seemed to want his worm to be "well behaved", with only
one rather tame worm living on each system on Internet. However, one little
bug (from what little I know) caused the worm to run out of control.
Like the author of the Internet worm, the authors of the AVV would probably
be crucified if anything went wrong. In fact, the virus hysteria would
cause a major uproar even if it worked (would you like a virus to appear
on your system without your permission even if it did no damage?)

Point 2:
I assume one reason that viruses are written is because it "lives", i.e.
it exists, multiplies, travels, and survives in a way resembling, say,
a flea. The existence of a virus that "eats" viruses would be seen as a
challenge that would become a "survival of the fittest" contest.
A viral war would break out between the "bad" virus writers and the
"good" virus writers. The battlefield would be computers in general.

- -=- CTDONATH@SUNRISE -=-


------------------------------

Date:    Sat, 23 Sep 89 13:59:23 +0000
From:    [email protected] (Fridrik Skulason)
Subject: MIX1 (PC)

Actually I was not planning to write more about viruses from Israel
for a while, but I just could not resist.

You see, the latest virus reported there, the MIX1 virus, is in fact just
a variant of the Icelandic virus. I would not be surprised, if this was
in fact the variant mentioned some time ago, as

   "...a hacked variant of the Icelandic virus, that a group of
    hackers intends to distribute to various BBS..."

Fortunately, it is just a variant of the Icelandic-1 virus, like Saratoga.
If the authors of MIX1 had instead based their variant on Icelandic-2, we
might be seeing the start of a serious problem.

I have now almost finished disassembling MIX1, and here are a few details
not mentioned by Yuval Tal in his report:

The virus has been modified in several places, in order to fool virus
detection programs. The changes include replacing instructions with
other equivalent ones.

   Examples:   XOR AX,AX      --->     MOV AX,0000

               MOV ES,AX      --->     PUSH AX
                                       POP ES

Also, NOP instructions have been inserted in several places, including inside
the identification strings used by VIRUSCAN and most other similar programs.

This seems to be a response by virus writers to anti-virus programs that look
for infection by using identification strings. This method has so far only
been used in two viruses that I know of, MIX1 and the '286 variant of the
Ping-Pong virus.

Apart from these changes, two parts of the virus are almost identical to other
variants of the Icelandic virus. In the installation part, the code to
check INT 13 has been removed. (as in Saratoga and Icelandic-2). The infection
routine has been modified in the following ways:

   Infect every file (instead of every tenth program run.)
   Do not infect a program, unless it is at least 16K long.

The Icelandic virus was first detected in June, disassembled a week later,
and the disassembly was made available around the beginning of July. The
MIX1 virus appeared in Israel in August - which is a very short time for a
virus to spread around the globe.

Now - the question is: How did the authors of MIX1 obtain the Icelandic virus ?

It is almost certain that these viruses do not have the same author, because
then the virus would surely have been based on Icelandic-2, which is a much
more dangerous and effective variant.

I see the following possibilities:

   1) The author of MIX1 obtained a copy of Icelandic-1 from somebody
      who got infected with it, disassembled it and created a new virus.
      This sounds reasonable, but there is one major problem, which is
      that the Icelandic virus has (as far as I know) not been detected
      outside of Iceland.

   2) The author obtained a disassembly, modified it and re-released it
      as MIX1. It is already known that at least one virus writer has
      access to virus disassemblies, that were only intended for virus
      specialists.

The problem is that obtaining well-commented virus disassemblies is not hard,
and I would not be surprised if a number of new variants of viruses, based
on them would appear in the near future.

MIX1 and Ping-Pong '286 may be just the first of this new generation.

                           ---- frisk
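The following is an added example (not code from frisk's post, from VIRUSCAN, or from any real virus) that shows why a plain identification string fails against the two tricks described above, and what a matcher that tolerates them looks like. The byte strings are constructed for illustration; only the x86 encodings are real (XOR AX,AX = 31 C0 or 33 C0, MOV AX,0 = B8 00 00, MOV ES,AX = 8E C0, PUSH AX = 50, POP ES = 07, NOP = 90). The scanner generalizes the post's two substitutions into a signature whose positions may each list several equivalent encodings.

```python
"""Signature scanning versus equivalent-instruction substitution and NOP padding.

Added example: the byte strings below are constructed and do not come from the
Icelandic, MIX1 or any other real virus.
"""
from typing import Sequence, Tuple, Union

NOP = 0x90

# A tolerant signature is a sequence of elements; each element is either a
# literal byte string or a tuple of alternative encodings of the same
# instruction (the substitutions a variant author is known to make).
SigElem = Union[bytes, Tuple[bytes, ...]]

# Constructed "original" fragment:  xor ax,ax / mov es,ax / mov bx,7C00h
ORIGINAL_FRAGMENT = b"\x31\xc0" b"\x8e\xc0" b"\xbb\x00\x7c"

# The same fragment after the rewrite described in the post:
#   mov ax,0 / nop / push ax / pop es / nop / mov bx,7C00h
VARIANT_FRAGMENT = b"\xb8\x00\x00" b"\x90" b"\x50\x07" b"\x90" b"\xbb\x00\x7c"

# Constructed sample files: a short prologue (cli; cld), the fragment, retf.
PROLOGUE, EPILOGUE = b"\xfa\xfc", b"\xcb"
ORIGINAL_FILE = PROLOGUE + ORIGINAL_FRAGMENT + EPILOGUE
VARIANT_FILE = PROLOGUE + VARIANT_FRAGMENT + EPILOGUE
CLEAN_FILE = PROLOGUE + b"\xb4\x09\xcd\x21" + EPILOGUE   # mov ah,9 / int 21h

# Exact identification string, the way a string scanner of the time stores it.
EXACT_SIG = ORIGINAL_FRAGMENT

# Tolerant signature: each position lists the encodings treated as equivalent.
TOLERANT_SIG: Sequence[SigElem] = (
    (b"\x31\xc0", b"\x33\xc0", b"\xb8\x00\x00"),   # xor ax,ax (two forms) | mov ax,0
    (b"\x8e\xc0", b"\x50\x07"),                    # mov es,ax | push ax; pop es
    b"\xbb\x00\x7c",                               # mov bx,7C00h (literal)
)


def scan_exact(buf: bytes, sig: bytes) -> int:
    """Plain substring search; returns the offset of the first match or -1."""
    return buf.find(sig)


def _match_at(buf: bytes, pos: int, sig: Sequence[SigElem]) -> int:
    """Match sig at buf[pos:], stepping over NOPs inserted between elements.

    Returns the offset just past the match, or -1 on failure.
    """
    i = pos
    for elem in sig:
        # Skip any NOP padding a variant author inserted at this point.
        while i < len(buf) and buf[i] == NOP:
            i += 1
        alternatives = elem if isinstance(elem, tuple) else (elem,)
        for alt in alternatives:
            if buf.startswith(alt, i):
                i += len(alt)
                break
        else:
            return -1
    return i


def scan_tolerant(buf: bytes, sig: Sequence[SigElem]) -> int:
    """Return the offset of the first substitution- and NOP-tolerant match, or -1."""
    for pos in range(len(buf)):
        if buf[pos] == NOP:
            continue   # report the match at its first real byte, not at padding
        if _match_at(buf, pos, sig) != -1:
            return pos
    return -1


if __name__ == "__main__":
    for name, data in (("original", ORIGINAL_FILE), ("variant", VARIANT_FILE),
                       ("clean", CLEAN_FILE)):
        print(f"{name:8s} exact={scan_exact(data, EXACT_SIG):3d} "
              f"tolerant={scan_tolerant(data, TOLERANT_SIG):3d}")
```

The exact string finds the original and misses the variant; the tolerant signature finds both and still rejects the clean file. Two caveats apply: skipping every 0x90 blindly will also skip a 0x90 that is data or an immediate operand (for example the second byte of `mov al,90h` = B0 90), so in practice the skip should be restricted to positions where an instruction boundary is expected; and the alternative list only covers substitutions the analyst anticipated, which is exactly the arms race the post describes.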

------------------------------

Date:    23 Sep 89 20:36:15 +0000
From:    [email protected] (Christopher E. Shull)
Subject: RFC: Guide to Fighting Macintosh Viruses:...


Macintosh Virus Experts:

   I have just finished the second draft of a roughly two page
guide to fighting Macintosh viruses.  (The first draft was proofread
only within my group, so don't feel left out if you didn't see it.)

   This set of instructions is fundamentally the advice I have been
losing my voice repeating. To save my voice, I have written it down.
Please mail your comments, suggestions and constructive criticism to
[email protected], so I can enhance this document.

   In the meantime, if you are tired of explaining how to defend
against viruses and you like what I have written, please feel free
to distribute my "Guide to Fighting Macintosh Viruses:  Instructions
for the Rest of Us", subject only to terms of the Copyright Notice.

Thanks in advance!
- -Chris

%--cut here-------------------------------------------------------

             R E Q U E S T   F O R   C O M M E N T

              Guide to Fighting Macintosh Viruses:
                Instructions for the Rest of Us

                      September 23, 1989

                     Christopher E. Shull
                      The Wharton School
                  University of Pennsylvania
                    [email protected]

Disclaimer and Copyright Notice

This document may help you understand and cope with Macintosh
viruses. It may however fail in this objective. Use it at your own
risk. Neither the author, Christopher E. Shull, nor his employer,
the University of Pennsylvania, make any warranty, either express
or implied, with respect to the information contained herein.

Copyright 1989, University of Pennsylvania.  Permission is granted
to make and distribute copies of this document, provided this
disclaimer and copyright notice are preserved on all copies. The
document may not, however, be sold or distributed for profit.

Instructions

This file describes how to cope with Macintosh viruses.

1) Do Not Panic.  As of this writing, all known Macintosh viruses
  are easily detected, destroyed and prevented.

2) Read these instructions from front to back, and then follow
  them step by step.

3) Using Disinfectant to Find and Kill Viruses.
 a) Obtain a bootable diskette containing the program
    Disinfectant from a trusted source. Disinfectant was written
    by John Norstad of Northwestern University.  The current
    version is 1.2, dated August 4, 1989.  (This is also a good
    time to get copies of Vaccine and GateKeeper, which are
    described in steps 5) and 6).)
 b) Write Lock this diskette by sliding the write protect tab to
    the open position (so you can peek through the little hole).
 c) Start or Restart your Mac from this diskette.
 d) Run Disinfectant by double-clicking on its icon, and then
    following the simple on-screen instructions:

        Please read the instructions before running Disinfectant
        for the first time.  Click on the About button.

        Special key summary.  Hold down the key(s) while
        clicking on the Scan or Disinfect button.  (See the
        instructions for details.)

        No keys = Scan or disinfect the selected disk.
        Option key = Scan or disinfect a single folder or file.
        Command key =  Scan or disinfect a sequence of floppies.
        Option and Command keys = Scan or disinfect all drives.

    Note that Disinfectant suggests that you read its documentation
    first (by clicking the About button.)  This is an excellent
    idea. However, if you are in a hurry and willing to risk using
    software you don't understand, just read the summary above and
    then click on the Disinfect button while holding down the
    appropriate key(s) (Scanning before Disinfecting has no benefit
    for normal folks).
 e) Disinfectant will report the details of its work in its center
    window.
 f) Examine the summary report to make sure all viruses were
    removed and no errors were encountered.  If there were errors,
    try to fix the problems and disinfect the problem files or
    device again.  If they do not go away, you need to read the
    instructions or get help from a Mac expert.
 g) When Disinfectant reports that no Viruses have been found, your
    main disk is clean.  After disinfecting, be sure to restart
    your computer so memory resident viruses are destroyed!  This
    is an excellent time to Disinfect all of your diskettes using
    the command key-Disinfect button combination.  The next step
    is to make sure you don't get any more viruses in the future.

4) Using Disinfectant to Prevent Viruses.
 a) Disinfectant can be used to prevent the spread of viruses
    simply by scanning and disinfecting every new diskette that you
    ever use on your Mac, and every diskette that you use on
    someone else's Mac, and every program you buy or download.
 b) Because this requires a conscious, methodical and conscientious
    effort, an automatic method of preventing the spread of viruses
    is desirable.

5) Using Vaccine to Prevent Viruses.
 a) Vaccine, by Donald Brown of CE Software, Inc. is a Control
    Panel Document.  The current and last version is 1.0.  (The
    author declines in advance to fuel the escalating viruses and
    defenses game.)
 b) To use Vaccine, just copy it into your System Folder and
    restart your computer.  You do not want to do this until your
    System Folder has been disinfected (see step 3), or your
    computer may not be able to start.
 c) Vaccine is now at work.  No further configuration is required,
    although some is possible.
 d) To configure Vaccine, select Control Panel from the Apple menu,
    then select the Vaccine icon on the Control Panel, and follow
    the Instructions therein.
 e) As Vaccine's instructions explain, it may prevent some viruses.
    For more rigorous defense, you will need to use GateKeeper.

6) Using GateKeeper to Prevent Viruses.
 a) GateKeeper, by Chris Johnson, is also a Control Panel Document.
    The current version is 1.1.1, dated June 26, 1989, and is much
    easier to configure than version 1.1.
 b) Using GateKeeper requires more study on the part of the user,
    but should result in a more rigorously defended system.
 c) The first step in using GateKeeper is therefore to read, from
    front to back, the GateKeeper Introduction and the GateKeeper
    Release Notes documents, which come with GateKeeper in MacWrite
    format and are therefore readable in most Macintosh word
    processing programs.
 d) Following the instructions therein you can tighten your Mac's
      defenses against Viruses.

7) If Vaccine or GateKeeper Detects a Virus, return to Step 3) to
  remove it.

8) Join a Macintosh Users' Group so you can keep abreast of virus
  developments.  This is important, because new viruses will
  appear that manage to circumvent the safeguards above, but we
  will simply develop new programs to combat them.


------------------------------

Date:    Mon, 25 Sep 89 07:44:33 +0100
From:    [email protected]
Subject: A bouncing diamond star (What is it???)

A friend of mine has a PC that recently has been infected
by some sort of a virus.

The thing that happens is that a small diamond star is randomly
bouncing like a ball on the screen.

My questions :

Does anyone know what damage this virus might do ?
Is there any virus removal software developed for it ?

------------------------------

Date:    Mon, 25 Sep 89 01:00:12 -0700
From:    [email protected]
Subject: SCANV38 (PC)

ViruScan V38 is out and has been sent to Compuserve and the
comp.binary sites.  This version identifies the MIX1, the New Ping
Pong, the Dark Avenger, Syslock (3551) and a new Vacsina string
identifier.  The MIX1, by the way, is identified by SCAN as an
Icelandic variant, since it is 85% or more the original Icelandic
virus.  All earlier viruses are still identified by SCAN and the
strings have not changed for this version.  SCANRES has also been
updated to prevent a system from being infected by any of the above
viruses.  Its version is SCANRES8.
Alan

------------------------------

Date:    25 Sep 89 18:54:15 +0000
From:    [email protected] (Kauto Huopio)
Subject: Is this a virus ?


My Taiwanese-origin Comper AT (a 12 MHz machine with 1 meg of RAM)
ran into trouble last night. My friend was playing Tetris (the
original version), and after that I began to test WordPerfect 4.2. I
looked at some directories and there were some *VERY* odd characters in
the directory listings, blinking high-intensity white. Quite often
there was a "smiley face" character, also blinking high-intensity
white. Also, there were some ODD characters just at the beginning of
the next line after the command prompt, when giving a DOS command.
When I edited a small text with WP and tried to save it.. the hard disk
light just stayed on and.. I think you can guess the rest. I booted my
AT with a floppy disk and ran DIAGS. To my surprise, the hard disk came
back! This morning I put up the system, and it worked for a couple of
minutes, but died again (Sector not found error on drive C:).

I am running DOS 3.30. Now, I have some questions:

1) What is the right size of DOS 3.30 COMMAND.COM ?

2) Should I do a low-level format with Ontrack Disk Manager 3.2 and try to
  set up a clean system?

3) If this is caused by a virus, what is the bogus program ??

All help is welcome!!

- --Kauto

PS: Sorry about my poor English..

****************** Kauto Huopio ([email protected]) **********************
*US Mail: Kauto Huopio, Punkkerikatu 1 A 10, SF-53850 Lappeenranta, Finland *
*Project: Learn some GNU Emacs first.. :-)                                  *
*****************************************************************************

------------------------------

End of VIRUS-L Digest
*********************