VIRUS-L Digest Friday, 9 Feb 1990 Volume 3 : Issue 36
Today's Topics:
WDEF at James Madison University (Mac)
F-PROT for the PC: Is it any good?
RE: Copyrighting virus code
Re: Mac Virus Harmlessness
Re: Idea for WDEF Inoculation (Mac)
Re: Disinfectant 1.6 (Mac)
WDEF A hit, report & discussion (Mac)
Info on Stoned/Marijuana virus
Re: Mac Virus Harmlessness
Virus Bulletin
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to
[email protected] (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
- Ken van Wyk
---------------------------------------------------------------------------
Date: Thu, 08 Feb 90 13:45:00 -0500
From: <
[email protected]>
Subject: WDEF at James Madison University (Mac)
Hello to all!
For those tracking WDEF, it has made it to the Shenandoah Valley. Here
at JMU, we have found WDEF in all of our Mac labs and quite a few of
the administrative offices that have Macs. Currently, we are using
Virex 2.3 and Disinfectant 1.5 to remove infections as they are found.
We are concerned about reinfections, however, and would appreciate any
and all suggestions.
Also, would someone please clear up the confusion about Disinfectant
1.6?
[Ed. See message below.]
Thanx,
John Bowers
Academic Computing Services
James Madison University
Bitnet: ACS_JOHN@JMUVAX1
------------------------------
Date: 08 Feb 90 20:19:39 +0000
From:
[email protected] (Ron Warren Evans)
Subject: F-PROT for the PC: Is it any good?
I'm a user consultant at Brandeis University. Somehow the
responsibility for learning about and killing viruses for both the Mac
and the PC has fallen to me. I am in the process of making a
recommendation for antiviral packages for the PC. For a while it
seemed that there was no package that provided really adequate
protection: Flu_Shot+ would only protect against infection, but could
not identify an attacking virus or disinfect a disk, and Viruscan
could only identify viruses, not protect against them or disinfect.
Recently, though, I downloaded a package from Simtel20 called F-PROT.
If the documentation is to be believed, it protects against and
identifies viruses and disinfects disks as well. Moreover, it is
cheaper than either of the other packages. I would like to recommend
this package to my supervisor, since if F-PROT works, it will make my
job a lot easier. My supervisor, however, is suspicious. He points
out that F-PROT is virtually unknown in the U.S., is produced by a
lone Icelandic programmer, is untested here, and may not be
well-supported.
My request: would any of you Netlanders who have used F-PROT for a
while let me know how well it works in your experience and if you have
had any problems with customer support, bugs in the program, ease of
use, and so on?
Please email me your responses and I will post a summary to the Net.
[Ed. I'd be willing to bet that there's at least one "lone Icelandic
programmer" on this list that would be willing to help you out. :-)
Still, an objective (read: independent) review of F-PROT and other
products would be very appreciated. It's been a long time since we've
seen such a thing here. Any takers?]
-----------------------------------------------------------
I don't want to die! Existence is one of my strong points!
Ron Warren Evans...
[email protected],
[email protected]
U.S. Snail: 139 Salem St. #6, Boston, MA 02113
------------------------------
Date: Thu, 08 Feb 90 16:30:00 +0000
From: "Olivier Crepin-Leblond" <
[email protected]>
Subject: RE: Copyrighting virus code
In VIRUS-L V3-34 Steven C Woronick <
[email protected]> writes:
>Even if you could copyright viral code, it's
>not likely to discourage the kind of people who write viruses (aren't
>those the ones you are really after?) from copying it. Also, what
>happens if some virus-loving person copyrights it before you do and
>then grants universal privilege to copy? Just wondering...
My idea was not to discourage hackers (or whatever name you give them)
from writing viruses. Thieves steal even though it is illegal! The idea
was to discourage computer users, students, etc. from holding copies of
viruses. In December of last year, I went to a computer fair here in
London. The machines concerned were PC compatibles. In one corner of
the place (near the... bar) hackers were exchanging code, etc. It is
perfectly illegal and I am sure the organisers of the exhibition were
not aware of the events. I discovered it while waiting to get a drink
(it's called eavesdropping). It seems that virus source code is
highly sought after by these people, aged 17 -> 30.
I can hardly imagine some individual copyrighting virus source code.
Anyone doing that will probably be in for a lot of trouble...
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|Olivier M.J. Crepin-Leblond, Comp. Sys. & Elec. Eng | On this computer, |
|Electrical & Electronic Eng, King's College London, UK | a flame-proof |
|BITNET : <zdee699%elm.cc.kcl.ac.uk@ukacrl> | shield, is an |
|INTERNET: <zdee699%
[email protected]>| expensive gadget... |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
------------------------------
Date: 08 Feb 90 20:59:34 +0000
From: vronay%
[email protected] (David Vronay)
Subject: Re: Mac Virus Harmlessness
[Joe McMahon] writes:
>It's interesting, but up until now, most viruses on the Mac have been
>"damageless" - the only reason they cause trouble is because of bugs
>and incompatibilities, not deliberately harmful code. nVIR, at worst,
>causes your Mac to beep in some cases (side effects are worse -
>crashes, hangs, printing failures).
>
>Perhaps we just haven't had the right (wrong?) people writing Mac
>viruses so far. Any ideas?
(I am the last person who would want to add to virus paranoia, but..)
More sobering is the possibility that there are viruses sitting
dormant on our machines as we speak that are bug-free and thus-far
undetected. Take WDEF, for instance. Consider a scenario in which
the programmer had actually followed the compatibility guidelines and
produced error-free code. It would probably be quite a while before
any of us had noticed this little "addition" to our desktop files. (I
don't know about everyone else, but I don't exactly check my desktop
file for new resources every day)
When you consider that a) the reason we know about most of the
viruses that are around today is due to stupid programming errors,
and b) to date very few viruses have been malevolent, and c) to date
most viruses have not been clever at all about how they replicate
(WDEF, for example, could have patched itself into an _EXISTING_ WDEF
resource, so that the infected WDEF would still perform normally, as
well as viral, activity) one can only conclude that we are at the tip
of the virus iceberg. The problem could get _much_ worse.
-ice
================================
reply to:
[email protected] AppleLink: ICEMAN
disclaimer: (not (apples-opinion-p (opinions 'ice))) => T
================================
------------------------------
Date: 08 Feb 90 21:30:07 +0000
From:
[email protected] (William C. DenBesten)
Subject: Re: Idea for WDEF Inoculation (Mac)
[email protected] (Jason Ari Goldstein) writes:
> Just like everywhere else the WDEF is thriving here at Carnegie-Mellon
> Univ. I recently removed WDEF A & B off of 15 disks of a friend of
> mine. When I commented to someone here about the virus they said there
> was nothing they could do to stop it, except remove it once a machine
> got infected.
Install Gatekeeper Aid 1.0.1. It will check a disk as it is inserted
and remove the offending WDEF resource. It is an init that you stick
in your system folder. It is available from most archive sources or
your favorite software collector.
> ...
> The only problem with this is that it is a virus also, but with the
> proper prompts (allowing the user the choice of being inoculated) I
> don't think this would be a problem. I know I would mind not ever
> being infected by a virus that kills other viruses.
I most certainly do mind being infected by a virus. I don't care what
it does or does not do.
In theory, WDEF does not do anything destructive. In reality, WDEF
causes weird errors. Fonts misbehave and I blame it on Quickmail
crashing. These are because of bugs in the virus code itself.
The fact that I drag something to my system folder is me giving it
permission to be executed in the future. I would much rather install
something this way than have it copy itself lord-knows-where. There
are additional problems. If there is a bug, it may not be obvious how
to remove the virus.
There is also the issue of updates. If it is automatically copied,
you will get a large body of people using it, but not knowing or
caring about making sure that they have the latest version.
--
William C. DenBesten is
[email protected] or
[email protected]
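The detection step that Gatekeeper Aid and Disinfectant perform for this virus comes down to one check: the invisible Desktop file on a Macintosh volume should never contain a resource of type WDEF, so any WDEF resource found there is the infection. The following is an added example, not code from the digest or from either tool, that walks a classic Macintosh resource fork image (16-byte header, resource data area, resource map with type list and reference lists) and reports the WDEF resources it finds. The sample forks are constructed in the script; `build_resource_fork`, `list_resources` and `find_wdef` are names chosen here, and the WDEF payload bytes are placeholder filler, not virus code.

```python
import struct

RES_HEADER_LEN = 16
RES_DATA_OFFSET = 256  # header (16) + system-reserved (112) + application data (128)


def build_resource_fork(resources):
    """Serialize [(type, id, data), ...] into a classic Mac resource fork image.

    Used here only to construct sample input; real input would be the raw
    resource fork of a volume's Desktop file.
    """
    by_type = {}
    for rtype, rid, data in resources:
        by_type.setdefault(rtype, []).append((rid, data))
    # Resource data area: each resource is a big-endian length word plus payload.
    data_block = bytearray()
    data_offsets = {}
    for rtype, rid, data in resources:
        data_offsets[(rtype, rid)] = len(data_block)
        data_block += struct.pack(">I", len(data)) + data
    # Type list: (count-1), then 8-byte entries; reference lists follow it directly.
    ntypes = len(by_type)
    type_list = bytearray(struct.pack(">H", ntypes - 1))
    ref_lists = bytearray()
    ref_base = 2 + 8 * ntypes  # offset of the first reference list from type-list start
    for rtype, items in by_type.items():
        type_list += rtype.encode("mac_roman")
        type_list += struct.pack(">HH", len(items) - 1, ref_base + len(ref_lists))
        for rid, _ in items:
            off = data_offsets[(rtype, rid)]
            # id, name offset (-1 = unnamed), attrs<<24 | 24-bit data offset, handle
            ref_lists += struct.pack(">hhII", rid, -1, off & 0xFFFFFF, 0)
    # Map: header copy, next-map handle, file refnum, attributes, then the two offsets.
    map_block = bytearray(RES_HEADER_LEN + 4 + 2 + 2)
    map_block += struct.pack(">HH", 28, 28 + len(type_list) + len(ref_lists))
    map_block += type_list + ref_lists  # name list is empty
    header = struct.pack(">IIII", RES_DATA_OFFSET, RES_DATA_OFFSET + len(data_block),
                         len(data_block), len(map_block))
    return header + bytes(RES_DATA_OFFSET - RES_HEADER_LEN) + bytes(data_block) + bytes(map_block)


def list_resources(fork):
    """Walk the resource map and return [(type, id, data_length), ...]."""
    data_off, map_off, _, _ = struct.unpack(">IIII", fork[:RES_HEADER_LEN])
    type_list_off = struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    tl = map_off + type_list_off
    ntypes = struct.unpack(">H", fork[tl:tl + 2])[0] + 1
    found = []
    for i in range(ntypes):
        entry = tl + 2 + 8 * i
        rtype = fork[entry:entry + 4].decode("mac_roman")
        count, ref_off = struct.unpack(">HH", fork[entry + 4:entry + 8])
        for j in range(count + 1):
            ref = tl + ref_off + 12 * j
            rid = struct.unpack(">h", fork[ref:ref + 2])[0]
            doff = struct.unpack(">I", fork[ref + 4:ref + 8])[0] & 0xFFFFFF
            dlen = struct.unpack(">I", fork[data_off + doff:data_off + doff + 4])[0]
            found.append((rtype, rid, dlen))
    return found


def find_wdef(fork):
    """IDs of WDEF resources present; a clean Desktop file yields an empty list."""
    return [rid for rtype, rid, _ in list_resources(fork) if rtype == "WDEF"]


# Constructed samples: a Desktop file normally holds BNDL/FREF data and nothing
# of type WDEF. The WDEF payload below is placeholder filler (68k RTS opcodes).
CLEAN_DESKTOP = build_resource_fork([("BNDL", 128, b"\x00\x01"), ("FREF", 128, b"APPL")])
INFECTED_DESKTOP = build_resource_fork([("BNDL", 128, b"\x00\x01"), ("FREF", 128, b"APPL"),
                                        ("WDEF", 0, b"\x4e\x75" * 8)])

if __name__ == "__main__":
    for name, fork in (("clean", CLEAN_DESKTOP), ("infected", INFECTED_DESKTOP)):
        print(name, list_resources(fork), "WDEF ids:", find_wdef(fork))
```

Rebuilding the desktop, as the reports in this digest describe, regenerates the file without the foreign resource; this script only performs the check, which is the part worth running on a suspect disk before and after that step.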
------------------------------
Date: Thu, 08 Feb 90 16:02:27 -0500
From: "Robert Del Favero Jr." <
[email protected]>
Subject: Re: Disinfectant 1.6 (Mac)
> I have recently read something about Disinfectant 1.6 from this
>newsgroup. Its author said that there was no Disinfectant 1.6 and it
>might cause potential problems on virus detection. Someone in our lab
>downloaded it and has been using it without any obvious trouble. I
>would appreciate any further comments on this application. So, again,
>is there any upgraded version of Disinfectant after version 1.5? If
>not, is there any more information about this "fake" Disinfectant ?
Here's the story. A few weeks ago, when the latest version of
Disinfectant was 1.5, someone made a typo in a posting to comp.sys.mac
referring to Disinfectant 1.6. The author of Disinfectant quickly
pointed out that there was no 1.6 yet, and that if you saw a 1.6 *at
that time* then it was a fake. Then, about a week ago, the author
released a *real* 1.6 version with some new features. So, if your
friend downloaded his copy of version 1.6 in the last week or so, it
is probably legitimate.
-------------------------------------------------------------------------
Robert V. Del Favero, Jr. ISC-Bunker Ramo, an Olivetti Company
[email protected] Shelton, Connecticut, USA
OR
[email protected]
------------------------------
Date: Thu, 08 Feb 90 11:18:59 -0600
From: "McMahon,Brian D" <
[email protected]>
Subject: WDEF A hit, report & discussion (Mac)
I suppose it was only a matter of time, but I can still appreciate the
irony ... after posting a question about reporting and tracking
infections about a month ago, I'm now in the position of reporting one
myself.
1) DISCOVERY: "WDEF A" was found in several Macs at Grinnell College
this past Tuesday, the 6th of February. The initial discovery came
when a faculty member reported strange behavior on his machine,
including "Application unexpectedly quit" under MultiFinder, usually
associated with insufficient available memory. Disinfectant 1.5
spotted the infection. Besides machines in the faculty offices, the
building in question also contains a secretaries' office, with a few
machines used for service requests, etc. This common area was also
infected, meaning that any faculty who had used the area or sent
diskettes down were also hit.
2) INITIAL RESPONSE: Our first priority was to contain the outbreak
and to install protective software (see below). Our Mac support staff
(both of us! :-) made the rounds of faculty in the building. At each
station, we would run Disinfectant to check the machines, and if WDEF
was found, kill it by rebuilding the desktop file. No matter whether
we found anything or not, we would install anti-viral software as we
went along. We kept a running list of other potential victims, and
wound up checking most machines on campus. Besides the faculty area,
we found one isolated case in an administrative office (they
frequently send disks to service bureaus), and to our embarrassment,
the public-signup station in the computer center itself.
3) FOLLOW-UP: Much to our relief, the infection appeared to be
contained to the one faculty area and the two other machines. In
particular, we were fortunate that it had not spread to faculty areas
in other buildings or to the student lab. The public station in our
office, which is used heavily for page layout and printing, posed more
of a problem. However, we did have a signup log of users, and are
contacting them individually. Our next step was user education. We
drafted an article for on-line news and the newsletter, stressing the
counter-measures available. We also placed copies of the anti-virus
tools on the public Mac, and posted a condensed version of the
newsletter article nearby.
4) TOOLS USED: For detection, we used Disinfectant 1.5. (1.6 arrived
late the same day from SCFVM -- of course!) Removing WDEF was
accomplished by rebuilding the desktop, and at the same time we
installed GateKeeper 1.1.1 and GateKeeper Aid 1.0.1 to protect against
future infections.
5) LESSONS LEARNED: Up until now, we had been very lucky at Grinnell.
Instances of infection were almost non-existent. Although the level
of virus awareness among the staff was fairly high, we'd been lulled
into a sense of complacency. Specifically, we did not aggressively
push the updates to existing tools that would have caught WDEF. In
several cases, infected machines were running older versions of virus
blockers, which the WDEF virus evades. We're now working on a way to
get updates to the users promptly as they come out.
6) TRACKING WDEF: I've noticed a flurry of WDEF reports lately,
including several from Midwestern sites, and (as mentioned) tracking
the spread of a new virus or strain intrigues me. Wild speculation
follows: Students who live in areas already infested by a new virus,
but go to college elsewhere, also new or returning faculty, would make
an excellent vector to spread the new critter nationwide. One
conclusion is that the start of a new semester or term is a time for
increased vigilance. Another would be that WDEF is now all over the
place. *sigh* Personally, I suspect that our infection actually
involved at least two sources, there being no plausible path between
the faculty area and the admin office. Most likely, the one came from
a user introducing it to the central secretarial area, the other from
a service bureau.
Usual and customary disclaimer, my opinions only ... (mumble).
Brian McMahon <
[email protected]>
Grinnell College, Iowa
------------------------------
Date: Thu, 08 Feb 90 22:21:02 -0500
From: Peter Jones <
[email protected]>
Subject: Info on Stoned/Marijuana virus
We suspect an outbreak of the Stoned/Marijuana virus at UQAM. Is there
any information available on what damage this beast does, and how it
propagates? What tools are available to combat it? CLEANP57 & co from
John McAfee claim to be one possibility.
Peter Jones MAINT@UQAM (514)-987-3542
"Life's too short to try and fill up every minute of it" :-)
------------------------------
Date: 08 Feb 90 23:06:50 +0000
From: Matthias Urlichs <
[email protected]>
Subject: Re: Mac Virus Harmlessness
In comp.virus,
[email protected] (Joe McMahon) writes:
< It's interesting, but up until now, most viruses on the Mac have been
< "damageless" - the only reason they cause trouble is because of bugs
< and incompatibilities, not deliberately harmful code. nVIR, at worst,
< causes your Mac to beep in some cases (side effects are worse -
< crashes, hangs, printing failures).
nVIR, in its very first incarnation, didn't beep. It took a random
file in your System folder, and deleted it. Not good.
When I found it on my Mac, I tried to alert people about this. That
proved to be difficult. Someone at Apple Germany stated that due to
the nature of the Mac's resource structure, virii are impossible on
the Mac. (Ha!) I also didn't have any kind of AppleLink or Usenet
access.
The only way out, in my (at that time) inexperienced opinion, was to
disassemble the beast and rewrite it so that it (a) superseded other
versions of itself, (b) beeped instead of deleting files, and (c)
announced itself. Change (c) seems to have got lost on its way --
nVIR has a habit of partial replacement. Testing was difficult because
of general nonresponsiveness on the part of anybody I told about the
virus, and of course because I feared that the original would spread
too far.
Please, no flames about my lack of common sense, sense of
responsibility, or whatever. I know that already; what's more, it was
some years ago and I seem to have grown up since then. Growing up,
BTW, is something I would strongly recommend to any other virus
"author" who seems to get a kick out of seeing their intruding code
(crash) on as many Macs as possible.
However, my nVIR version seems to have succeeded in destroying the
older strain. At that time, there didn't seem to be any way to
convince people about the virus threat except by example, and random
beeps are somewhat more benign than silently thrashing files... Since
all other virii on the Mac are "benign" in the sense that they don't
deliberately destroy files, I guess it could have been worse.
--
Matthias Urlichs
------------------------------
Date: Fri, 09 Feb 90 12:36:59 +0000
From:
[email protected] (Fridrik Skulason)
Subject: Virus Bulletin
I mentioned the Virus Bulletin in a recent article, and as a result I
have received a number of enquiries. The following note should answer
the questions....
----------------------------------------------------------------------------
The Virus Bulletin is published monthly - average length maybe 16
pages or so. It contains detailed dissections of viruses, reviews of
anti-virus software, virus-related articles, hexadecimal search
patterns etc.
Contents of the February issue:
Editorial
Virus Reports
Guidelines for Virus Prevention & Post-Attack Recovery
IBM PC virus patterns
Dissection: Dark Avenger
High-Level Programs & the AIDS Trojan
Evaluation: Virex 2.3
Macintosh software list
Evaluation: Iris Anti-Virus Software
News
The editor (Edward Wilding) does not have access to the net yet.
The list of editorial advisors is impressive:
Jim Bates, Bates Associates, UK
Dr. Fred Cohen, Advanced Software Protection, USA
Phil Crewe, Fingerprint, UK
Dr. Jon David, USA
David Ferbrache, Heriot-Watt University, UK
Dr. Bertil Fortrie, Data Encryption Technologies, Holland
Hans Gliss, Datenschutz Berater, West Germany
Ross M. Greenberg, Software Concepts Design, USA
Dr. Harold Joseph Highland, Compulit Microcomputer Security
Evaluation Laboratory, USA
Dr. Jan Hruska, Sophos, UK
Dr. Keith Jackson, Walsham Contracts, UK
Owen Keane, Barrister, UK
Yisrael Radai, Hebrew University, Israel
John Laws, RSRE, UK
David T. Lindsay, Digital Equipment Corporation, UK
Martin Samociuk, Network Security Management, UK
John Sherwood, Computer Security Consultants, UK
Roger Usher, Coopers & Lybrand, UK
Dr. Ken Wong, BIS Applied Systems, UK
Subscription is restricted - only companies, universities and qualified
individuals. Price: US$ 350/year or UK pounds 195/year
Subscription enquiries:
Virus Bulletin Ltd,
Haddenham
Aylesbury
HP17 8JD
England
US subscriptions:
June Jordan
Virus Bulletin
P.O.BOX 875
454 Main Street
Ridgefield CT 06877
USA
-------------------------------------------------------------------------
Fridrik Skulason - University of Iceland, Computing Services.
[email protected] Technical Editor, Virus Bulletin.
------------------------------
End of VIRUS-L Digest
*********************