VIRUS-L Digest Friday, 27 Apr 1990 Volume 3 : Issue 82
Today's Topics:
Re: WDEF-A on Current-Contents-on-Diskette (Mac)
Write-access to Executables
New Virus? (PC)
Re: Exposure in Formatter (was IBM VM/CMS, now UNIX)
*really* fail-safe virus protection
Anti-virus cleaning programs that are shareware (PC)
Kennedy Virus
Writable Executables
Writable Executables
Possible virus? (Mac)
CMOS attackers (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: 25 Apr 90 13:25:56 +0000
From: phillips <
[email protected]>
Subject: Re: WDEF-A on Current-Contents-on-Diskette (Mac)
[email protected] writes:
> I just installed Life Sciences Issue 16 of Volume 33 (April 16,
> 1990) of Current-Contents on Diskette for Apple Macintosh Plus, SE and
> II. Upon installation, Gatekeeper Aid popped up and informed me that
> it had discovered and removed WDEF-A virus.
>
> The diskette had just been removed from the (intact) mailing
> envelope from the Institute for Scientific Information. Unfortunately,
> I had forgotten to move the write-protect tab, so the evidence of
> infection is gone. Naturally, I cannot conclude that the disk was
> actually infected (as opposed to a glitch in my Gatekeeper Aid), but
> if you subscribe to this information service, please use Issue 16 with
> caution.
>
[stuff deleted]
>
> - --Mike Tyo, TYO@MITWCCF (BITNET)
ISI just re-sent Issue 16 with Issue 17 this week, and threw in
Disinfectant 1.6. They enclosed a letter warning users not to "load"
the infected issue 16, explaining generally what WDEF is, and
expressing their regrets.
In the letter, ISI claims that they are 'making every effort to detect
and prevent the spread of computer viruses.' Over the phone, tech
support at ISI claimed that they availed themselves of the 'latest
virus detection software.' Obviously, neither of those claims are
true, and the fact that they are using an older version of
Disinfectant makes it clear that they are not aggressively searching
out tools to fight viruses. Further, the letter makes the mistake of
warning users not to 'load' the issue (a process which involves
decompressing the files and placing them in a folder) instead of
warning users not to place the diskette in the drive at all, and
leaves the impression that if you didn't go through the issue loading
process, you would not be infected. So either they don't really know
what they are talking about, or they don't care to make it clear to
the people they have sent this virus to.
Subscribers to the Current Contents on Diskette [Mac] service should
use extreme caution when using their software.
- --Mark Phillips (
[email protected])
------------------------------
Date: Wed, 25 Apr 90 14:38:13 -0000
From: "Pete Lucas" <PJML%
[email protected]>
Subject: Write-access to Executables
I followed the discussion about writable executables with interest: Am
i missing something? It seems to me that *no* executables should be
'writable' by *any* program under normal circumstances.!.! Consider a
simple program development cycle:
Program source (readable and writable by its owner...)
!
!
Compiler (a program with no write permission on itself)
!
!
Object file (with no write permission...)
!
Libraries ! (Libraries have no write-access either...)
! !
! !
-------Linker (a program with no write permission on itself)
!
!
Executable (an executable with no write access).
Now when you make a change to the source, you recompile and re-link,
and if you know what you are doing, *ERASE AND RECREATE* the executable
module. It will probably be a different length in any case, so the
file-system may have to do this to fit it in.
If the resultant executable has no write access (but, for your sake i
hope it has execute permission!) then you can be reasonably sure that
if the source code is kosher, and the object/libraries are clean, then
the resultant executable can be OK too.
(There is always the danger that someone could, of course, write a
bootleg, trojan-library or compiler that generated executables 'not
quite' like what the source code intended.....)
The risks arise when people have 'write-enabled' executables (so they
can use SUPERZAP or some similar patching tool to hack the executable,
and they leave the thing 'write enabled' afterwards.
Viruses can then patch their way in later...
OK i admit that such tools that patch the executable (and also things
like UPDATE/MAKE mechanisms for source maintenance) can be damned useful
at times, but as in all these things, a powerful tool can make a big
mess very quickly! I hope that those of you involved in SOURCE CODE
maintenance realise the risks! I could easily forsee a trojan 'make' file
that added an extra few routines for its own nefarious purposes, and
patched in wormholes for future subsequent malicious usages.
Likewise for text-formatter input.
(the .sy command also exists in IBM's SCRIPT, and, yes, it works!)
Pete Lucas
[email protected] 0793-411613
------------------------------
Date: Wed, 25 Apr 90 11:40:00 -0400
From: Don Kazem <
[email protected]>
Subject: New Virus? (PC)
I received a call today from one of the local chain food stores about
what could be a new virus. Since they have no connection to the
network, I offered to post this.
A user was running Lotus (by invoking 123.exe), and after a file
retrieve, the virus was triggered. The following message was
displayed: (The spelling errors are the same as they appeared).
IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM;
: :
: CONGRADULATIONS -- YOU HAVE JUST WON THE RAMDOM SELECTION :
: :
: AS A SPECIAL PRIZE YOU WILL RECEIVE ONE :
: IMMMMMMM; :
: : HARD : :
: : : :
: : DISK : :
: : : :
: : FORMAT: :
: HMMMMMMM< :
: STARTING NOW :
: :
: BREAK WILL NIT HELP! :
HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM<
Formatting drive: C
Cylinder: 733
Head: 6
Sector: 25
Status: 0
WARNING: TURNING OFF COMPUTER MAY DAMAGE HEADS!
After a while, the words "JUST KIDDING" appeared, and everything went
back to normal. Although, it appeared as though there was no damage,
they ran Wipedisk, and installed everything from the original disks.
They ran SCAN61 both before and after reinstalling the software, and
SCAN did not find anything.
The have a backup of the hard disk, before they ran Wipedisk, and are
willing to forward copies of their executables to researchers (lawyers
permitting).
Has anyone heard of this?
Don Kazem
National Academy of Sciences
[email protected]
DISCLAIMER: I am merely acting as a messenger, I have not seen the
virus, nor have any connection with the infected party.
------------------------------
Date: 25 Apr 90 17:11:52 +0000
From:
[email protected] (Ralph A. Shaw)
Subject: Re: Exposure in Formatter (was IBM VM/CMS, now UNIX)
[email protected] writes:
>>Viruses certainly ought to be possible under VM, using the Waterloo
>>Script text formatter. This formatter has a .sy command that lets you
>>execute VM/CMS commands while your text file is being formatted. It
>>is handy for running EXECs to allocate files your document has to
>>include text from, but it could easily be put to more sinister uses.
Now that you mention it, there is a similar function in the UNIX text
formatter nroff, whereby programs may be specified to be executed via
the ".pi" request. This has existed back as far as '78, although I
have never seen any uses of it, malicious or otherwise. It would be a
totally unexpected source of mischief, but quite functional.
------------------------------
Date: Wed, 25 Apr 90 15:59:00 -0400
From:
[email protected] (*Hobbit*)
Subject: *really* fail-safe virus protection
Finally someone else comes up with the *correct* solution!
Stephan Joest and friends
... changed the keyboard key lock in that way that it now
controls the writing electricity cables of one hard disk so that no
writing operation can be done on this (bootable) hard disk.
I.e. the write gate. This is an active-low line from the controller to
the hard drive which when disabled "floats" high. Simply opening this
line prevents any writes to the hard drive. I believe it's pin 6 of the
larger ST506 interface; your disk may vary. If you install a switch, the
extra wiring should probably be made as short as possible to avoid timing
problems. This is the first thing I did when I bought my PC clone.
The neat thing about this is that due to disk buffering you can write a
file to the hard drive and MS-Dos thinks the file is really there until
the next time you do a directory, a side effect of which is that the disk
buffers get flushed. Note that since it's possible to confuse MS-Dos
thusly, it is HIGHLY RECOMMENDED that before you do anything like "chkdsk"
you reboot the machine and come up with clean buffers.
So you can hand me the nastiest virus-ridden kracked-by-kaptain-k00l game
disk and I can run it with impunity, because I have a write-protect switch
*and* a hard-reset button. And you can bet that I use both when checking
out any unknown software. Comments upon how this scheme could fail for
any *one-time* run of infected software are solicited.
_H*
------------------------------
Date: Wed, 25 Apr 90 16:30:43 -0400
From: Elizabeth Caruso <
[email protected]>
Subject: Anti-virus cleaning programs that are shareware (PC)
Can you inform me of good shareware products that clean IBM pc
viruses? McAfee's Clean-up is too expensive for a university site
license. Thank you!
------------------------------
Date: Wed, 25 Apr 90 00:00:00 -0500
From: "Richard Budd" <
[email protected]>
Subject: Kennedy Virus
A note to F. Skulason's 4/19/90 description of the Kennedy virus.
There was a punk rock group out of San Francisco called the Dead
Kennedys. Though their peak came around 1980, they still enjoy a cult
following today. This may explain the type of person who dreamed up
this virus but may also indicate it will probably show up in other
countries as well.
Richard Budd
Marist College
Poughkeepsie, NY KLUB@MARISTB
------------------------------
Date: Thu, 26 Apr 90 10:43:00 -0400
From:
[email protected]
Subject: Writable Executables
Of course Aiken was at Harvard, not MIT. My apologies to fair Harvard
(and those from MIT perverse enough to take offense).
To the little boy from Louisiana who still resides in me, all those big
Yankee schools look alike.
William Hugh Murray, Executive Consultant, Information System Security
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL
------------------------------
Date: Thu, 26 Apr 90 11:33:00 -0400
From:
[email protected]
Subject: Writable Executables
>What's an executable?
>
>Oh, something that the computer executes. You don't want programs to be able
>to write into executable files. Sorry, it'll never happen.
Agreed.
>I'm sure, in fact, that given a little time I could infect your AS400
>(or whatever), at least with a REXX script (or equivalent).
I concede. Nonetheless, it is interesting to note that a command
language script on an AS/400 is a typed object. (I do not believe that
the REXX interpreter for the AS/400 has been shipped yet.)
>Yep. Command scripts. A fertile breeding ground for viruses. And how about
>Postscript files? You want to turn off write permission on all your
>fonts?
All too true.
William Hugh Murray, Executive Consultant, Information System Security
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL
------------------------------
Date: 26 Apr 90 17:00:31 +0000
From: cchui%
[email protected] (Chung Chui)
Subject: Possible virus? (Mac)
This is for all you mac gurus (guri) out there. We havea mac se that
is doing some strange things. When we are at the desktop opening a folder
the name would be wipe out and if we are lucky enough to get to an application,
such as MS-word it would not respond to the typing. Instead it would type
repeated characters that it first acknowledges. I've tried using Virex 2.5 and
other anti-viral applications on the harddisk but onthing showed up. Could
someone please tell me what's going on. Thank you in advance.
------------------------------
Date: Thu, 26 Apr 90 22:48:00 -0400
From: <
[email protected]>
Subject: CMOS attackers (PC)
I just had a chat with the SYSOP of a local BBS here and he told me
about a file that was recently uploaded to his system. All this
information was provided to me from the SYSOP, so I haven't had the
chance to verify it yet. This is what the SYSOP discovered:
The file was archived with PKPAK or PKARC, and the resulting ARC file
was modified in some way. This modification was designed to somehow
attack a PC's CMOS memory when PKUNPAK was run on it. Of courese this
would only happen on PC's with CMOS memory. The SYSOP discovered this
by using a number of programs, including CHK4BOMB, on the archived
file. He has already sent a copy of the program to a company (I
forget the name) for analysis.
Personally, I am a little skeptical about these claims. I admit that
I don't know much about Phil Katz's archiving programs, but I would
think that modifications to ARC files wouldn't make PKUNPAK suddenly
start going after CMOS memory... I'll be getting a copy of this file
in a few days however, and will be taking a look at it myself. If any
of the "experts" (David Chess, John McAfee, etc.) would like to take a
look at this thing I'll be more than glad to send out copies when I
get it. Just e-mail me at one of the addresses below.
Bruce Pennypacker
[email protected]
[email protected]
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253
