VIRUS-L Digest Monday, 20 Nov 1989 Volume 2 : Issue 244
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to [email protected] (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
- Ken van Wyk
Today's Topics:
Virus Stoned and Jerusalem - B (PC)
Re: Sophisticated Viruses
Virus Disinfectors (PC)
Re: Reverse engineering CRC validation code.
Re: Help...Virus Attack (Mac)
EAGLE.EXE Virus (PC)
Internet worm impact (UNIX & Internet)
Re: Sophisticated Viruses (Mac)
The Brain...again (PC)
---------------------------------------------------------------------------
Date: Fri, 17 Nov 89 19:12:52 +0000
From: [email protected]
Subject: Virus Stoned and Jerusalem - B (PC)
Can anyone help? We have recently discovered that a cluster of about
12 PCs have become infected with the above mentioned viruses. What
preventative action can we take and is there any simple way of
removing the viruses without destroying data? Is any software
available to do this?
The STONED virus is a boot-sector virus and the other one seems to
have attached itself to various .com and .exe files.
Any help and advice would be much appreciated.
R.Gowans
- -----------------------------------------------------------------------------
JANET:       [email protected]
Internet:    R.Gowans%[email protected]
EARN/BITNET: R.Gowans%MCC.ac.uk@UKACRL
UUCP:        ...!ukc!umist!R.Gowans
FAX:         [044 61 | 061] 200-4016
Dept Civil Eng, U.M.I.S.T, Sackville Street, Manchester. M60 1QD.
------------------------------
Date: 17 Nov 89 21:51:32 +0000
From: [email protected] (Jon Hutto)
Subject: Re: Sophisticated Viruses
In article <[email protected]> ttidca.TTI.COM!hollombe%[email protected] (The Polymath) writes:
> [email protected] (Kenneth R. van Wyk) writes:
>}There's an important distinction to be made here - detection during
>}propagation vs. detection after (presumably) successful propagation.
>}A virus could well attempt to conceal its existence while propagating,
>}and then do quite the opposite (!) during a destructive phase. No one
> An unfriendly government wants to cause dislocation in the United
> States. It commissions a difficult to detect virus that spends 5
> years propagating, then wipes the hard disks of every machine it's
> on, without warning or explanation.
This is scary. A virus written by someone who knows what they are doing
could be very dangerous. Or even one by someone who knows more than
virus writers at any rate.
One written by a non-friendly government would be especially bad. Forget
the cold war, this is the Technical war, between Super computers. We,
the users would really be caught between a rock and a hard place.
Nothing we could do, but watch them destroy each other.
Could you imagine someone who knows IBM-PC ASM well, like Peter
Norton, or McAfee writing a virus? (completely hypothetical, no hidden
meaning) It would be the worst virus to hit ANYONE.
Jon Hutto PC-Tech BBS (214)271-8899 2400 baud
USENET: {ames, texbell, rutgers, portal}!attctc!hutto
INTERNET: [email protected] or [email protected]
------------------------------
Date: Fri, 17 Nov 89 09:35:59 -0800
From: portal!cup.portal.com!Alan_J_Roberts%[email protected]
Subject: Virus Disinfectors (PC)
There have been a number of questions on Virus-L in the past few
weeks about "cures" for the various infections that have been
reported. While not all infections can be "cured" without the loss of
some or all of the infected programs, there are a number of
disinfectors that can remove the more common viruses and repair the
damage to the infected application in many cases. Disinfectors
available on HomeBase (408 988 4004) are:
Dark Avenger - M-DAV.ARC
Traceback/3066 - M-3066.ARC
Vienna - M-VIENNA.ARC
Ping-Pong (all vers.) - MD.ARC
1701 - M-1704.ARC
1704 - M-1704.ARC
1704-C - M-1704C.ARC
Jerusalem - M-JRUSLM.ARC
Stoned - MD.ARC
Ghost (Boot seg.) - MD.ARC
Brain - MD.ARC (bootable diskettes only)
Alameda - MD.ARC (bootable diskettes only)
Den Zuk - MD.ARC (bootable diskettes only)
Disk Killer (Ogre) - MD.ARC
For all other viruses, the ViruScan (versions 48 and above) /D
option will overwrite all infected files with C3H and then delete the
file. This will effectively remove the virus from the system, but
infected applications will be deleted. It'll save a re-format though.
If you are looking for a non-shareware (yuch!!) solution, then the
VirClean program is an integrated package that does just about all of
the viruses. Seems to work but requires money.
Alan
------------------------------
Date: Sat, 18 Nov 89 08:55:09 -0500
From: dmg%[email protected] (David Gursky)
Subject: Re: Reverse engineering CRC validation code.
In VIRUS-L Digest V2 #243, David Hoyt ([email protected])
speculates about patching an internal CRC check for authentication to
always return "True".
I would like to counter that a virus designed to defeat an internal
consistency check in this manner would not be a very good infector.
It would have to rely upon either (1) always knowing where to find the
consistency check or (2) always being able to *find* the consistency
check.
In the former case, the virus would only be able to infect the files
it knows about, and the more files it knew about, the larger and
larger the virus would be. The larger the file, the more likely the
virus will be detected by a simple size check.
In the latter case, the virus would be unnecessarily cumbersome
because of the needed search code to find the consistency check,
again, increasing the likelihood of detection because of the size of
the code needed to do the search and any delay caused by the virus
performing the search. Also, the virus would be limited to attacking
files with the targeted consistency check. If the check is subtly
varied from one file to the next, the search would have to be even
more complicated.
None of this says such an infector is not possible, just that it would
be a poor infector.
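The defensive side of the argument above (and of the earlier question about Jerusalem attaching itself to .COM and .EXE files) is that an integrity check kept outside the executables cannot be patched by modifying them. This added example, which is not code from the digest or from any of its contributors, records size and CRC-32 per file in a baseline and reports any file whose size or contents later differ; the file names and contents are constructed sample data.

```python
import zlib

# Constructed sample executables: a clean set, and the same set after
# extra bytes have been appended to one .COM (how an appending file
# infector grows its host). The appended bytes are arbitrary filler.
CLEAN = {
    "EDIT.COM": b"\xb8\x00\x4c\xcd\x21" * 20,      # 100 bytes
    "WP.EXE":   b"MZ" + bytes(range(256)) * 4,    # 1026 bytes
}
LATER = dict(CLEAN)
LATER["EDIT.COM"] = CLEAN["EDIT.COM"] + b"\xe9\x00\x00" + b"\x90" * 61

def baseline(files):
    """Record (size, CRC-32) for every file; store this away from the files."""
    return {name: (len(data), zlib.crc32(data) & 0xFFFFFFFF)
            for name, data in files.items()}

def verify(base, files):
    """Compare the current files against the baseline; return findings."""
    findings = []
    for name, (size, crc) in base.items():
        data = files.get(name)
        if data is None:
            findings.append((name, "missing"))
        elif len(data) != size:
            # Size growth alone flags an appending infector, no signature needed.
            findings.append((name, f"size changed {size} -> {len(data)}"))
        elif zlib.crc32(data) & 0xFFFFFFFF != crc:
            # Same size but different bytes: an in-place patch, e.g. of a self-check.
            findings.append((name, "contents changed, size unchanged"))
    for name in files.keys() - base.keys():
        findings.append((name, "new executable not in baseline"))
    return findings

if __name__ == "__main__":
    for finding in verify(baseline(CLEAN), LATER):
        print("%-10s %s" % finding)
```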
------------------------------
Date: 18 Nov 89 22:31:27 +0000
From: [email protected] (Chris Johnson)
Subject: Re: Help...Virus Attack (Mac)
Garry Feldman, Supervisor, CCSU Apple Computer Lab, writes about his
problems fighting viruses in a public access computer lab and mentions
a problem that forced him to abandon the Gatekeeper anti-virus system:
>I tried using gatekeeper, but programs such as Excel would not work.
Judging from this description, you need to use the current version of
Gatekeeper, 1.1.1. It's been out since 26-June and can be found in
the sumex info-mac archives. The problem, for the record, was in
Excel - not Gatekeeper. Nonetheless, I coded around that problem (and
a number of others) in the interest of sparing people just the sort of
problems you've experienced. So give 1.1.1 a try - I think you'll
find that it works well.
By the way, the Computation Center here at U.T. has installed
Gatekeeper on all the Macs (33 of 'em) in its public access
microcomputer lab, and found it completely effective.
Of course, if users insist on starting Macs from their own disks,
Gatekeeper is effectively out of the picture. In practice, though, we
don't have much trouble with that since (a) users tend to need
software like the LaserWriter driver and the UserInfo RDEV that tend
to be unique to the disks we provide, and (b) we scan the disks
checked out to each user with Disinfectant 1.2 after the user leaves -
if we find the disks are infected, that student (whose ID number was
logged when they checked-in) is not allowed to use the facility again
until they've allowed us to clean their disks (we explain about
viruses and give them copies of Disinfectant and Gatekeeper at that
time).
This approach has kept our lab completely clean, and has
*dramatically* reduced the number of viruses present in our user
community.
Of course, this approach isn't possible in an unattended lab. In that
environment, you have to depend on automatic systems like Gatekeeper
almost entirely. And Gatekeeper works extremely well in such
environments. Even if some users start Macs from their own, infected
disks and thereby infect your lab's Macs, Gatekeeper is still valuable
since it will protect later users who do startup from your disks from
the viruses left behind by the other users.
I hope this helps,
- ----Chris (Johnson)
- ----Author of Gatekeeper
- ----[email protected]
------------------------------
Date: Sat, 18 Nov 89 13:45:21 -0800
From: portal!cup.portal.com!Alan_J_Roberts%[email protected]
Subject: EAGLE.EXE Virus (PC)
The EAGLE.EXE virus reported by Wakeem Rashad was not detected by
SCAN because the Jerusalem Virus (and the trojan it was attached to)
had been purposely compressed into a self extracting EXE file by a
program called AXE (from SEA Systems, Wayne, NJ). This program has
been used by a number of crackers to try to plant infected software
onto bulletin board systems. There is unfortunately little that can
be done to detect viruses in these AXE'd EXE files. The virus will be
caught as soon as it attempts to spread, since the next file it
attaches to will be infected in the normal manner. It would be
possible to screen out all AXE'd files, but that would be detrimental
to the legitimate use of AXE by original program authors who wish to
decrease the size of their executable modules.
If you have run one of these self extracting programs and suspect
a virus, run SCAN with the /M option to search for it in memory.
Alan
------------------------------
Date: 20 Nov 89 00:00:00 +0000
From: David.M..Chess.CHESS@YKTVMV
Subject: Internet worm impact (UNIX & Internet)
Alan Roberts, commenting on Pam Kane's book, writes:
> We know that 50% of the connections were
> down for 24 hours and some (including ARPANET) were down for up to 4
> days.
Do we really know that? That sounds somewhat more severe than numbers
I've heard elsewhere. ARPANET being down for 4 days is *certainly*
new news to me. The most recent estimate on the number of systems the
worm actually ran on (and I'm afraid I've forgotten the source for the
moment!) was 2500; seems unlikely that that (or even the earlier 6000
figure) would have killed 50% of the links for 24 hours. Are the
numbers you quote from any published source I could get and read? The
(very early) reports in the Seeley, Spafford and Eichin/Rochlis
papers didn't give me the impression that the impact on connectivity
was that severe, and one chronology says (attributing it to Stoll)
that the virus was "pretty much eliminated" by 1800 on 11/4, which is
only 48 hours after it was first noticed.
I'm not trying to argue that Alan is wrong, of course. I'm only
surprised and curiosified by his numbers, and would like to read
whatever it was they came from.
DC
------------------------------
Date: Mon, 20 Nov 89 15:37:18 +0000
From: [email protected] (Christer Ericson)
Subject: Re: Sophisticated Viruses (Mac)
[email protected] (Joel B. Levin) writes:
>>I don't agree with you on any of these points, Terry. Say, on the
>>Macintosh all calls to ROM are done through trap vectors in RAM. These
>>trap vectors are patched by the system file (to fix bugs), by some
>>programs and by all anti-virus tools. However, it doesn't take a
>>genius to figure out that one could restore the trap vector to its
>>original value and thereby bypass the "safe" system. . . .
>> . . . A patch like this wouldn't occupy much space and is quite
>>simple to write.
>
>Except that when system patches or INIT patches or program patches to
>the traps were removed by the virus (and how would the virus decide what
>value to restore them to?--this is different for each ROM and system
>release version) the user would certainly be likely to notice the
>resultant changed program behavior -- or system crashes.
>
> /JBL
First, restoring the traps to their original values isn't that
difficult. Since these are initialized by the ROM, there must be a
table from which all initial values are fetched, right? As I
haven't been writing any viruses lately, I'm not sure if this table is
moving around from ROM version to ROM version, but attaining the start
address of this table for each and every ROM version isn't too
difficult. Also, the virus would of course restore the trap vector
after it's done, so why would there be crashes? Actually, it wouldn't
even have to change the trap vectors, it could call the ROM directly,
but I left that to your imagination to figure out (a fruitless
attempt, obviously) since I didn't want to give away freebies to
aspirant virus writers. Some things they'll have to figure out
themselves.
/Christer
| Christer Ericson    Internet: [email protected]                        |
| Department of Computer Science, University of Umea, S-90187 UMEA, Sweden |
| >>>>> "I bully sheep. I claim God doesn't exist..." <<<<<                |
------------------------------
Date: 20 Nov 89 10:37:00 -0400
From: "WILLIAM HADLEY" <[email protected]>
Subject: The Brain...again (PC)
I know the (C) Brain virus is not new...but it is back. Both George
Mason University and Northern Virginia Community College have been
re-infected with the Brain virus. From what I could tell by talking
to one of the consultants at GMU, this is the same version of Brain
that both schools were infected with before. If it is, here is some
background data: It works on MS/PC DOS operating systems (at least up
to 3.3); this version will only infect 5.25" DS DD disks; once loaded
into a machine, it will infect EVERY 5.25" disk it comes in contact
with; it is only loaded when the machine is booted.
If anyone else (or any other school) is experiencing a re-infection of
the Brain virus, please send mail directly to me and let me know...I
would be interested. Thanks in advance!!
Bill Hadley
[email protected]
------------------------------
End of VIRUS-L Digest
*********************