VIRUS-L Digest   Tuesday,  5 Dec 1989    Volume 2 : Issue 253

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to [email protected] (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
- Ken van Wyk

Today's Topics:

New papers on IBMPC viruses
Viruses on Demos and diagnostics
Request for Submissions
Re: Linkable virus modules
The Norton "virus"
Re: Virus attack [AMIGA]
Re: Viruses and Anti-Semitism...
Yale virus (PC)
Jerusalem-B (PC)
Preventing the "Ping Pong" virus (PC)
Re: JUDE Virus (Mac)
Morris Trial Postponed

---------------------------------------------------------------------------

Date:    Mon, 04 Dec 89 14:45:21 -0600
From:    [email protected] (Jim Wright)
Subject: New papers on IBMPC viruses

Two papers have been added to the anti-viral archives.

solomon.lst     List & description of less common viruses
msdosvir.a89    Virus catalog, with extensive information

solomon.lst
       A description of some of the more recent and obscure viruses
       by Dr. Alan Solomon.  The viruses described include:
               Ogre
               Typo
               Dark Avenger
               Vacsina
               Mix1
               Fumble
               Dbase
       For each virus covered, the following topics are discussed.
               Recognition and detection
               How the virus copies itself
               What the virus does
               How to get rid of it
               Other information
               Technical details
       This information is extracted from the documentation for
       an anti-viral package, and was sent by the author.

msdosvir.a89
       The autumn '89 issue of Dr. Klaus Brunnstein's virus catalog
       for MSDOS computers.  Viruses covered in this are:
               Autumn Leaves = Herbst = "1704" = Cascade A Virus
               "1701" = Cascade B Virus
               Bouncing Ball = Italian = Ping Pong = Turin Virus
               "Friday 13th" = South African Virus
               GhostBalls Virus
               Icelandic#1 = Disk Crunching = One-in-Ten Virus
               Icelandic#2 Virus
               Israeli = Jerusalem A Virus
               MachoSoft Virus
               Merritt = Alameda A = Yale Virus
               Oropax = Music Virus
               Saratoga Virus
               SHOE-B v9.0 Virus
               VACSINA Virus
               Vienna = Austrian = "648" Virus
       A typical entry would have the following sections and
       subsections:
               ==== Computer Virus Catalog 1.2: ====
               Entry, Alias(es), Virus Strain, Virus detected when,
               where, Classification, Length of Virus
               ---- Preconditions ----
               Operating System(s), Version/Release, Computer model(s)
               ---- Attributes ----
               Easy Identification, Type of infection, Infection Trigger,
               Interrupts hooked, Damage, Damage Trigger, Particularities,
               Countermeasures, Countermeasures successful, Standard means
               ---- Acknowledgement ----
               Location, Classification by, Documentation by, Date
               ==== End of Virus ====
       An update scheduled for the beginning of the year should
       almost double the number of viruses cataloged.

Jim


------------------------------

Date:    Fri, 01 Dec 89 14:45:00 -0500
From:    Peter W. Day <[email protected]>
Subject: Viruses on Demos and diagnostics

Communications Week 11/27/89 p.25 quotes John McAfee to the effect
that most virus infections in the corporate world are caused by
infected demonstration software and diagnostic software sent by
software developers, distributors and other vendors to their
customers.

------------------------------

Date:    Sun, 03 Dec 00 19:89:13 +0000
From:    [email protected] (Ross M. Greenberg)
Subject: Request for Submissions

(In addition to contacting Ed Wilding, you may also contact me: I'm an
editorial board member. Ross M. Greenberg, [email protected])

- -------- Call For Papers and Submissions for Virus Bulletin------

        Anyone wishing to write on any of these topics, or wishing
        to receive the Virus Bulletin notes for contributors should
        contact Edward Wilding, Editor, Virus Bulletin, Haddenham,
        Aylesbury HP17 8JD, UK.  Tel. 0844 290396, Tel Int. +44
        844 290396, Fax 0844 291409, Fax Int. +44 844 291409.

        For  circulation  to  Virus Bulletin Editorial Board and all
        interested parties.

              Virus Bulletin copy submission deadlines 89/90.

        Issue 1.6   December 1989   Friday 1st December 1989
        Issue 1.7   January 1990    Friday 22nd December 1989
        Issue 1.8   February 1990   Friday 19th January 1990
        Issue 1.9   March 1990      Friday 23rd February 1990
        Issue 1.9   April 1990      Friday 23rd March 1990
        Issue 1.10  May 1990        Friday 20th April 1990

        (Please note that the copy deadline for Issue  1.7  (January
        1990) is before the Christmas recess).


                            Forthcoming Subjects

        The  following is a list of possible articles in forthcoming
        editions.  These are only suggestions and  I  welcome  other
        ideas or more extended examination than listed.

        1.   Should  we  trust  public  domain  anti-virus software?
        There are many arguments both for and against public  domain
        anti-virus software - this article should attempt to outline
        its  pros  and  cons  and  provide   some   guidelines   for
        prospective users.

        2.   Practical  steps  for  non-experts  in  dealing with a
        network  computer  virus  attack.   What  should   be   done
        immediately by systems administration in the face of such an
        attack?

        3.  Procedural steps to preventing computer virus infection.
        A  checklist  of procedures and rules which if observed will
        minimise the risk of a virus attack.

        4.   Anti-virus   software   evaluation   in   a   corporate
        environment.    By   which   criteria   do  large  corporate
        microcomputer-using organisations judge such  software?   Is
        there consensus on this point?

        5.   How  do  you  test  the  value of an anti-virus package
        without having access to computer viruses?

        6.  'Lab'  viruses  versus  'real  world'  viruses.   Is  it
        necessary  for  researchers to create viruses?  What are the
        benefits and does experimentation present any dangers?

        7.  Towards a common terminology  and  nomenclature.   1701,
        Fall, Cascade, Hailstorm, 1704 - how do we overcome the fact
        that there is no agreement  or  consensus  about  naming  or
        classifying  viruses?  Why is this?  Equally, can we develop
        an agreed glossary of terms about the  types  of  virus  and
        their methods of infection?

        8.   Does  commercial  interest  on  the  part of the 'virus
        industry' worldwide inhibit the anti-virus war?

        9.  Case studies.  I should very much like to  receive  good
        case  studies  which  detail  an  actual  virus  attack, its
        impact, and the methods used to clear  the  infected  system
        and  restore  operations.   Specifics about the organisation
        need not be stated but a clear description of  the  affected
        computer environment is necessary.

        10.   Worm  programs.   Classifying  network vulnerabilities
        and/or analysis of recent worm programs such as Internet  or
        the  two  well  known  NASA  SPAN  attacks.   Are  there any
        universal procedures or  methods  to  prevent  such  attacks
        and/or control them?

        11.   Statistics  about  virus  attacks.   Will  it  ever be
        possible to collate accurate data about the  propagation  of
        computer viruses?  Refusal to report incidents means that at
        best we can only guess about the spread of specific viruses.
        Can we tell how fast a virus will spread by its design?

        12.   Mainframe  viruses / replicative attack programs.  Fact
        or fantasy?  Specific  incidents  would  be  helpful.   What
        factors  have  served  to suppress mainframe virus writing /
        propagation  /  reports?   Patches  (to   increase   general
        security) for specific machines would be welcome.

        13.   Forensic  evidence.   Most countries have no effective
        legislation to combat computer  misuse.   Even  if  laws  to
        criminalise  virus  creation  are  introduced  (such as that
        recommended by the Law Commission, UK, or implemented by the
        state  of  California, USA) the courts will face a difficult
        task in prosecuting.  Are  methods  available  to  trace  or
        identify  computer  virus  writers?   Would this evidence be
        sufficient to convict in a court of law?


- ---
        Virus dissections  (the  analysis  of  a  specific  computer
        virus)  are  always  welcome.   These should not exceed 2200
        words.   Also  details  for  programmers   providing   virus
        hexadecimal  patterns,  infective  length,  entry  point and
        offset.

------------------------------

Date:    04 Dec 89 04:17:15 +0000
From:    [email protected] (John Gardner)
Subject: Re: Linkable virus modules

[email protected] (IA96000) writes:
>1) A new or existing virus is developed and produced as a linkable
>   object file.
>
>2) Said object file is then either directly linked into an executable
>   file at link time, or placed in a run-time library.

There is a virus on the Amiga that looks for an executable that is in the
startup batch file and moves the executable's code into a data segment and
inserts itself into the code segment.  If it can't find the startup file
it then inserts itself into the dir command.  It is easy to spot as one
of your commands changes size, and you just have to delete that command to
kill it.

- --
PHONE          : (02) 436 3438
ACSnet         : [email protected]

"But that wasn't the question !" - Do Androids Dream Of Electric Sheep
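
The post's detection hint ("one of your commands changes size") generalised into a small baseline check, as an added example that is not part of the original post: record the size and SHA-256 of every command named in a startup script, then compare on later runs. The startup-script format, file names and file contents below are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Constructed sample startup script: one command per line, optional
# arguments, ';' starts a comment.
STARTUP_SEQUENCE = """\
; constructed sample startup script
setclock load
dir sys:
echo "Welcome"
"""

def startup_commands(script_text):
    """Return the distinct command names a startup script invokes, in order."""
    seen = []
    for line in script_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        cmd = line.split()[0].lower()
        if cmd not in seen:
            seen.append(cmd)
    return seen

def fingerprint(path):
    """(size, sha256) of a file. Size alone is what the post relies on;
    the hash also catches a same-size modification."""
    with open(path, "rb") as fh:
        data = fh.read()
    return (len(data), hashlib.sha256(data).hexdigest())

def take_baseline(cmd_dir, commands):
    """Fingerprint each command binary that exists in cmd_dir."""
    return {c: fingerprint(os.path.join(cmd_dir, c))
            for c in commands if os.path.isfile(os.path.join(cmd_dir, c))}

def compare(baseline, current):
    """List (command, reason) for anything that changed since the baseline."""
    findings = []
    for name, (size, digest) in baseline.items():
        if name not in current:
            findings.append((name, "missing"))
        elif current[name][0] != size:
            findings.append((name, f"size {size} -> {current[name][0]}"))
        elif current[name][1] != digest:
            findings.append((name, "content changed, same size"))
    for name in sorted(current.keys() - baseline.keys()):
        findings.append((name, "new"))
    return findings

def demo():
    """Baseline three constructed command files, grow one of them (the
    symptom the post describes), and return what the check flags."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("setclock", b"A" * 40), ("dir", b"B" * 64),
                           ("echo", b"C" * 16)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        cmds = startup_commands(STARTUP_SEQUENCE)
        before = take_baseline(d, cmds)
        with open(os.path.join(d, "dir"), "ab") as fh:  # simulated growth
            fh.write(b"X" * 500)
        return compare(before, take_baseline(d, cmds))

if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```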

------------------------------

Date:    Sat, 02 Dec 89 23:44:00 -0500
From:    <[email protected]>
Subject: The Norton "virus"

Does anyone who has seen this NORTSHOT.ZIP know whether the
McAfee SCANRES or EXERUN will detect it if you run the
obnoxious file?  I have heard that the file doesn't bother
anything unless you explicitly execute it and that SCANV
doesn't detect it.  Maybe these will find it if it is
executed? [Kids, don't try this at home!!]

Chris
ACSCS@SEMASSU
Business Info. Systems Major
Southeastern Massachusetts University
N.Dartmouth, MA 02747

------------------------------

Date:    Tue, 05 Dec 89 13:59:28 +0000
From:    [email protected]
Subject: Re: Virus attack [AMIGA]

[email protected] (George Armhold) writes:
> My question is, could this virus (Byte Bandit) have been responsible
> for the problems we had printing?  We had the right printer driver,
> and the preferences settings all seemed OK but it just would not print
> properly.  It changed type style randomly, stopped printing half way
> through a job, and wouldn't abide to margin settings.  I've never had
> this type of problem before with Scribble!, which leads me to believe
> that the virus might have had something to do with it. I know that
> virii on the Mac tend to affect printing.  Has anyone else experienced
> this situation?

I've never heard of Byte Bandit affecting printing, but you generally
can't predict what a virus will do on someone else's system. There are
too many variables and virus code is generally too badly written. The
only answer is, if the problems show up with the virus in memory and
not without it then the virus caused them.

"To summarize the summary of the summary: people are a problem"
Russell Wallace, Trinity College, Dublin
VMS:  [email protected]
UNIX: [email protected]

------------------------------

Date:    05 Dec 89 07:51:49 +0000
From:    [email protected] (JOHNSON RICHARD J)
Subject: Re: Viruses and Anti-Semitism...

[email protected] (David Gursky) writes:
>I could not help but notice that the latest version of nVIR adds new
>resources called "JUDE".  ...  Jude is
>German for "Jew".  Call me paranoid, but could there be some
>connection?
>My personal suspicion is that this clone was created by some
>anti-semitic group in Germany...

Well, my personal opinion is that someone used a random name generator
to pick a four character resource type.  Then again, it could be a
virus from the depths of the USSR's intelligence community, released
to sow dissension among groups in W. Europe and distract them from the
momentous events in E. Europe.  What use is speculation, though?

When someone catches the "author" of this latest nVIR clone, I think
the first question he or she will be asked by the tabloid reporters
is, "Was the virus a feeble attempt at an anti-semitic statement?"
Until then, I'll stick to the random name "theory."

| Richard Johnson                           [email protected] |
|    CSC doesn't necessarily share my opinions, but is welcome to.     |
|  Power Tower...Dual Keel...Phase One...Allison/bertha/Colleen...?... |
|   Space Station Freedom is Dead.  Long Live Space Station Freedom!   |

------------------------------

Date:    Fri, 01 Dec 89 16:17:37 -0500
From:    Naama Zahavi-Ely <[email protected]>
Subject: Yale virus (PC)

Hello!

The Yale/Alameda virus is essentially harmless.  The message you
report was not present in the version of the virus that I am familiar
with; are you sure it comes from the virus and not from some line in
the autoexec.bat file?  If it does come from the virus, then you are
dealing with a different version than the one I know and you should
take my information with a grain of salt.

The Yale virus that I know is a boot sector virus.  It is easy to get
rid of -- boot the computer from a clean, write-protected floppy and
give the command SYS x:, with x: being the drive holding the infected
disk.  The Yale virus that I know does not infect hard disks.

I hope this helps!  Best wishes,
- -Naama

------------------------------

Date:    Mon, 04 Dec 89 10:37:00 -0500
From:    [email protected]
Subject: Jerusalem-B (PC)

At S.U.N.Y., Stony Brook, two of our computer labs (about 30 PS/2 50
and PC/XT machines) have been hit by the Jerusalem-B virus.  We have
used B.R.M.'s UNVIRUS and IMMUNE programs to successfully combat it so
far.

Could someone please send me a detailed description of what exactly
this critter does?  Thanks in advance.

=================================================================
THOMAS B. THOMAS
Micro Systems/Analyst
Instructional Computing            BITNET: TTHOMAS@SBCCMAIL
Computing Center            INTERNET: [email protected]
State Univ. of New York            VOICE: (516) 632-8031
Stony Brook, NY 11794-2400

------------------------------

Date:    Mon, 04 Dec 89 10:42:00 -0600
From:    "Roger Safian, VAX Systems Group" <[email protected]>
Subject: Preventing the "Ping Pong" virus (PC)

Greetings,

   We seem to have an outbreak of the "Ping Pong" virus here at
Northwestern University.  I am wondering if there is some sort of
anti-ping-pong utility out there.  Is there such a thing that would
allow writes to a disk, but only if it is not to the boot blocks?
What is the best way to combat this beast?  I think we have version B
here, as it infects floppies as well as hard disks.

   On a related subject, what is the latest version of viruscan?

                                       Thanks in advance
                                          Roger Safian

------------------------------

Date:    04 Dec 89 21:09:00 +0100
From:    [email protected]
Subject: Re: JUDE Virus (Mac)

Yes, the "Jude" virus is for real. However, so far it only has shown up
at the University of Zurich and Swiss Federal Institute of Technology
(ETH) Zurich, Switzerland. It is an exact clone of nVIR type B; the
only difference being the name of the viral resource which has changed
from "nVIR" to "Jude".

VirusDetective 3.1 positively identifies the new virus as nVIR strain.
Both Vaccine and GateKeeper successfully prevent an infection.
GateKeeper will, however, let through some of the "Jude" resources,
but no contagious infection results.

New versions of Disinfectant (version 1.3) and other anti-viral tools
should be out real soon.

  Markus Mueller
  Institut fuer technische Informatik und Kommunikationsnetze
  Eidgenoessische Technische Hochschule
  CH-8092 Zurich
  Switzerland

  Switch : [email protected]
  ARPA   : muellerm%[email protected]
  UUCP   : muellerm%[email protected]
  X.400  : G=markus;S=mueller;OU=inf;O=ethz;P=ethz;A=arcom;C=ch

------------------------------

Date:    Tue, 05 Dec 89 11:23:25 -0500
From:    Kenneth R. van Wyk <[email protected]>
Subject: Morris Trial Postponed

[Ed. Thanks for typing this article in, Tom!]

Quoted from COMPUTERWORLD - December 4, 1989 - page 17

    `Morris seeks classified data' by Michael Alexander, CW Staff

SYRACUSE, N.Y. -- The trial of Robert T. Morris Jr., the young hacker
alleged to have launched a worm into the Internet last year, was
postponed last week after his lawyer notified the court that he needs
access to classified information he claimed is critical to the case.

   Additionally, Morris' lawyer, Thomas Guidoboni, charged that the
government had not responded quickly enough to requests for a list of
computer sites allegedly struck by the worm.

   "The trial was postponed at my request over government opposition
because we needed more time to prepare," Guidoboni said.

   In a motion filed Nov. 21 for a continuance, Guidoboni said that
the defense had filed for a motion under the Classified Information
Procedures Act (CIPA) requesting classified information important to
the case.  In the same motion, Guidoboni said the government had
failed to provide him with a complete list of the institutions that
the government intended to prove had been affected by the worm and a
list of witnesses it intended to call.

   "I have been told that some of the information that is useful to
my case is classified," Guidoboni said.  "It may or may not be.  I
don't want to overplay it or belittle it, but we needed some time to
get that worked out.

   "Less than two weeks before the trial [on Nov. 20], the government
added new names to the list that were not mentioned in the indictment
as well as filed a motion to withdraw one of the original names
mentioned," Guidoboni said.  "I wanted time to look into that."

   In opposition to the motion for a continuance, government lawyers
said that the national security issues raised in the CIPA motion were
being resolved and would have no effect on the defense's ability to
proceed or on the timing of the trial.

   Responding to the issue of not having responded in a timely manner
to the defense's requests for a list of victims or witnesses it
intended to call, "the government has complied with all court orders
to provide discovery," said Mark Rasch, trial attorney for the Justice
Department.  In addition, the defense has had ample opportunity to
request and receive additional information related to the case, he
said.

   The government is seeking in a motion to remove the U.S. Air Force
Logistics Command at Wright Patterson Air Force Base in Dayton, Ohio,
from a list of four sites mentioned in the jury indictment as having
been allegedly hit by the worm.

   Rasch declined to comment on why the government wishes to remove
this particular site from its list of victims, while adding that it
intended to offer evidence on 16 sites in all.

   Guidoboni filed an objection to that motion last week, and a
decision is pending.

   Last week, U.S. District Judge Howard Munson agreed to continue
the case to the week of Jan. 8.  A new trial date has not been set.

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253