VIRUS-L Digest   Monday, 21 Oct 1991    Volume 4 : Issue 195

Today's Topics:

Administrivia
Re: is vshield working? (PC)
Miles 1986 (PC)
Re: Virus on Mac (Mac)
Format problem (PC)
Seeking Info on stoned virus (PC)
Disinfectant 2.x (Mac)
Re: Variations
Form virus (PC)
SF virus - "When Harlie Was One"
Help wanted (PC)
Re: SF Worms/Viruses (Re: HW not a solution)
Re: Computer "Anomalies" in books
Anti-Viral Techniques for Networks
Re: More hardware!
Re: Computer Anomalies in books
Stoned (Michelangelo) infection (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 21 Oct 91 11:02:03 -0400
From:    Kenneth R. van Wyk <[email protected]>
Subject: Administrivia

I'm going to be traveling this week, but I should have some limited
e-mail access from time to time, so I will *try* to send a couple
VIRUS-Ls out.  Otherwise, see y'all next week.

Cheers,

Ken

Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
[email protected]
(412) 268-7090  (CERT 24 hour hotline)

------------------------------

Date:    Thu, 17 Oct 91 19:28:40 +0000
From:    [email protected] (Peter H. Lemieux)
Subject: Re: is vshield working? (PC)

Hmm... Did the student try to boot the machine from the floppy, or run
a program on the floppy?  If the floppy had only data and no programs,
how would vshield know that Stoned was there?  On a Macintosh,
Disinfectant knows to scan every diskette because of the motor drive,
but on a DOS machine I don't understand how VSHIELD would know to
examine the diskette.

Peter H. Lemieux
Dept of Political Science
MIT, Cambridge, MA 02139
[email protected]

------------------------------

Date:    Thu, 17 Oct 91 16:21:01 -0400
From:    Libbie Counselman <[email protected]>
Subject: Miles 1986 (PC)

Does anyone have any information about the Miles 1986 virus?

I have received this question third-hand, and at this time I
do not even know what type of machine is infected.  However,
my sources believe it is a PC or PC-clone.

-Libbie Counselman
Princeton University

------------------------------

Date:    Thu, 17 Oct 91 15:56:01 -1812
From:    [email protected] (Dave Martin)
Subject: Re: Virus on Mac (Mac)

[email protected] writes:

>[nVIR] (like most Mac viruses) are wimpy...

Hey, don't encourage anyone. I happen to prefer the fact that Mac
viruses are far less destructive than most MS-DOS-based viruses,
whatever the reason. I'd much rather have a "hefty" machine with wimpy
viruses than vice versa <grin>.

I have always wondered something about nVIR, though, which someone may
have an explanation for. A few years back - when I first "acquired"
the responsibility for our Mac network here - we had a brief attack of
nVIR on one Mac (yes, only one, amazingly enough). I booted from a
clean, locked System floppy and used ResEdit to clean out the nVIR
resources and correct the CODE resources. I copied rather than cut or
cleared the nVIR resources so I could move them to a separate disk to
examine them later. Immediately an alert popped up saying that it
couldn't write to the System file (disk locked). It seems that simply
copying the nVIR resources was enough to activate it. Anyone know
if this is possible (copy enabling code execution)? Now remember this
was a couple years ago, so I can't recall everything that occurred,
but I'm still curious as to whether that was enough to get nVIR to try
and spread.
- Dave Martin - TAMU/GERG - [email protected] - [email protected] -

------------------------------

Date:    Thu, 17 Oct 91 18:54:46 -0300
From:    [email protected] (Fred Bulger)
Subject: Format problem (PC)

   I am having a problem formatting disks in my b: drive.  It is a
1.44 M 3.5 floppy, but I am not able to format it to 720K; that is,
when I try to format a double density disk as such : format b:/f:720 ,
it says that the parameters are incompatible.  This worries me because
when I type format b: , the system says Formatting disk at 1.2 M .
Obviously, in the case of a 1.44 M drive, when size is not specified
it should attempt to format to its maximum capacity.  Incidentally, I
am able to format a DD disk at 360K, which makes me think that the
system has my B drive confused with my A drive (1.2 M) - at least on a
command line viewpoint.
      At first I thought I had forgotten how to format ( it's been a
while ) but I looked it up and I was doing it properly according to
DOS 4.01.  Then I had another problem at the same time - I booted up
my computer and it said "ERROR - Run CMOS Setup" - so I did, and
noticed that somehow my hard drive was listed as "not installed".  I
fixed that up no problem, but it made me think that I had become
infected with a virus.  From there I decided to do a virus scan, using
scanv84.exe - no viruses found.  So I resorted to reinstalling DOS,
and the formatting problem still persists.

 Is there a virus which meets my description?  Or is there some other
possibility which I am overlooking?  Any suggestions are GREATLY
appreciated.
         Thanks ....
                                         -Fred.

------------------------------

Date:    Thu, 17 Oct 91 21:42:20 +0000
From:    [email protected] (Anne L. Scism)
Subject: Seeking Info on stoned virus (PC)

If anyone has information on how the stoned virus works, where it
lives, how it finds its home on a PC, I would be grateful for any
information you could pass on to me.  Thanks for your help!

Anne

email   [email protected]
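A worked example added here (it is not part of the digest, and not McAfee's
or any other vendor's code) that walks through the pieces Anne is asking
about: the 512-byte master boot record whose code area Stoned overwrites,
the partition table it leaves intact so DOS still boots, the sector where it
parks the original (cylinder 0, head 0, sector 7 on a hard disk; track 0,
head 1, sector 3 on a floppy, which is why it damages the root directory of
larger diskettes), and the 2K it takes off the BIOS conventional-memory
count at 0040:0013h when it goes resident and hooks INT 13h.  The layout
constants are the standard PC ones.  The sample sectors are constructed for
the example, with placeholder bytes where boot code would be, and the
restore routine is the example's own reconstruction of what a disinfector
has to do, not a copy of CLEAN.

```python
"""
Added example (not part of the digest): inspect a 512-byte master boot
record the way you would when looking for a boot-sector virus such as
Stoned.  The sector layout is the standard PC MBR layout; the Stoned
facts are the documented behaviour of the original hard-disk strain.
The sample sectors below are constructed for the example.
"""
import struct

SECTOR_SIZE = 512
CODE_AREA = 446                 # bytes 0..445: boot code (this is where Stoned lives)
PART_TABLE_OFFSET = 0x1BE       # 4 entries x 16 bytes
SIGNATURE_OFFSET = 0x1FE        # 55h AAh
BOOT_SIGNATURE = b"\x55\xAA"
BIOS_MEMORY_KB = 640            # normal value of the word at 0040:0013h

# Where Stoned parks the original sector it displaced (cylinder, head, sector).
STONED_HD_ORIGINAL_CHS = (0, 0, 7)      # hard disk: unused sector on track 0
STONED_FLOPPY_ORIGINAL_CHS = (0, 1, 3)  # floppy: last root-directory sector of a 360K disk
STONED_TEXT = b"Your PC is now Stoned!"  # carried in the code area of the infected sector
STONED_RESIDENT_KB = 2                  # it lowers the BIOS memory word by 2


def chs_pack(cyl, head, sector):
    """Pack CHS into the 3-byte form used by partition entries."""
    return head, (sector & 0x3F) | ((cyl >> 2) & 0xC0), cyl & 0xFF


def chs_unpack(head, sector_byte, cyl_low):
    """Inverse of chs_pack: returns (cylinder, head, sector)."""
    return (((sector_byte & 0xC0) << 2) | cyl_low, head, sector_byte & 0x3F)


def partition_entry(status, ptype, start_chs, end_chs, start_lba, count):
    """Build one 16-byte partition table entry."""
    return struct.pack("<BBBBBBBBII", status, *chs_pack(*start_chs),
                       ptype, *chs_pack(*end_chs), start_lba, count)


def parse_partition_table(sector):
    """Return the four entries as dicts; empty entries have type 0."""
    entries = []
    for i in range(4):
        fields = struct.unpack_from("<BBBBBBBBII", sector, PART_TABLE_OFFSET + 16 * i)
        status, sh, ss, sc, ptype, eh, es, ec, lba, count = fields
        entries.append({
            "active": status == 0x80,
            "type": ptype,
            "start_chs": chs_unpack(sh, ss, sc),
            "end_chs": chs_unpack(eh, es, ec),
            "start_lba": lba,
            "sectors": count,
        })
    return entries


def inspect_mbr(sector):
    """Summarise one sector: signature, used partitions, and the Stoned text marker."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    return {
        "signature_ok": sector[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
        "partitions": [e for e in parse_partition_table(sector) if e["type"] != 0],
        "stoned_text": STONED_TEXT in sector[:CODE_AREA],
    }


def code_area_unchanged(sector, clean_baseline):
    """Compare only the code area to a saved clean copy.  Stoned leaves the
    partition table alone, so checking the table alone proves nothing; the
    code bytes are what change."""
    return sector[:CODE_AREA] == clean_baseline[:CODE_AREA]


def conventional_memory_shortfall(bios_memory_kb):
    """KB missing from the BIOS memory count; a resident boot virus that
    hides at the top of memory shows up here (Stoned: 640 -> 638)."""
    return BIOS_MEMORY_KB - bios_memory_kb


def restore_mbr(current, saved_original):
    """What a disinfector must do on a hard disk: put back the code area
    from the copy the virus saved at cylinder 0, head 0, sector 7, but keep
    the partition table the system is currently using (example's own design)."""
    return saved_original[:CODE_AREA] + current[CODE_AREA:SIGNATURE_OFFSET] + BOOT_SIGNATURE


def build_sample_mbr(infected):
    """Constructed sample: one active DOS partition starting at head 1
    (LBA 17 on a 17-sector/track disk); the code area is a placeholder stub."""
    if infected:
        code = b"\xEA\x05\x00\xC0\x07" + STONED_TEXT   # placeholder bytes, not virus code
    else:
        code = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"      # placeholder boot stub
    code = code.ljust(CODE_AREA, b"\x00")
    table = partition_entry(0x80, 0x04, (0, 1, 1), (305, 3, 17), 17, 305 * 4 * 17 - 17)
    table += b"\x00" * 48                                # three unused entries
    return code + table + BOOT_SIGNATURE
```

The check a practitioner wants is the code-area compare against a copy of the
clean MBR saved when the disk was known good; the partition table is the one
part of the sector Stoned does not touch, so a tool that only verifies the
table will report a healthy disk.  The memory count is the quick field test:
CHKDSK or MEM reporting 638K total conventional memory on a 640K machine is
the classic sign that something resident arrived before DOS did.
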

------------------------------

Date:    Thu, 17 Oct 91 17:12:42 -0400
From:    RAY <[email protected]>
Subject: Disinfectant 2.x (Mac)

I have Disinfectant 2.4; I have not installed System 7 yet. Is 2.4
compatible with System 7?  If not, can someone send me the latest
release of Disinfectant!

===============================================================
Ray Drake                                 [email protected]
Microcomputer Consultant                  (919)757-6401
East Carolina University                  Greenville, NC  27858
===============================================================

------------------------------

Date:    Thu, 17 Oct 91 17:23:14 -0400
From:    [email protected]
Subject: Re: Variations

[email protected] (Fred Waller) writes:

|  Yes, a single virus would be unwieldy.  But should we expect that?
|  Shouldn't we rather expect the prompt appearance of many viruses,
|  each one capable of attacking one of those systems?  The net result
|  would be similar to having one virus capable of attacking all of them.
|  Worse actually, since it would require many times the effort to guard
|  against.

 I think not. The reason a PC virus can spread is that it attacks a
feature common to all machines. By having a set of environments the
virus is less likely to come in contact with a viable host.

 In disease terms, if you vaccinate enough people so that an infected
person is unlikely to come in contact with a vulnerable person, the
disease will die. You don't have to protect everyone.
--
bill davidsen   ([email protected] -or- uunet!crdgw1!crdos1!davidsen)
 GE Corp R&D Center, Information Systems Operation, tech support group
 Moderator comp.binaries.ibm.pc and 386-users digest.
"Stupidity, like virtue, is its own reward" -me

------------------------------

Date:    Fri, 18 Oct 91 09:47:27 +0700
From:    "Espen Lyngaas (Dr. Outtasight)" <[email protected]>
Subject: Form virus (PC)

I discovered something strange the other day when removing the "Form"
virus from 60+ machines in our PC labs.

I was using the McAfee SCAN/CLEAN V84, booting from a clean DOS
diskette.  I managed to remove the virus from all machines except two.
I found out that these two machines had been booted from an infected
diskette. I SCANned the diskette and found a Form virus. The two
machines did not have a Form virus, but Stoned, Stoned II and Stoned
Related virus (that's what SCAN told me).  But the strange thing is that
it was active in MEMORY even when I booted the machine from a clean
DOS diskette!  Stranger than truth..  (Except that it's true..)

So what I did was to infect a clean machine by booting it from a
diskette with a Form virus. Usually, if you boot a machine from a dos
disk, it blinks the hard drive led checking/reading something. This
time I did not manage to boot it, and I removed the diskette (knowing
that the virus had jumped over to the hard drive). I then CLEAN'ed the
hard drive booting from a clean dos diskette, but this didn't work.
CLEAN stopped with a fatal message, namely that three versions of the
Stoned virus were present in memory.

Phew. So what I was wondering was does the Form virus "unpack" itself
to a Stoned look-a-like virus in some cases ?

Espen Lyngaas
Systems Consultant
Norwegian School of Management, Computer Center

------------------------------

Date:    Fri, 18 Oct 91 08:36:57 -0400
From:    [email protected] (David Alan Bozak)
Subject: SF virus - "When Harlie Was One"

   I don't recall where I found this information, but the book by
David Gerrold, was based on combining and expanding his short stories.
Only a subplot in the book dealt with a scheme where a program called
VIRUS was created which randomly dialed the phone till it found a
computer, then broke in and infected it with a copy of VIRUS, slowing
the computer down until it was unusable.  The inventor had plans to
market a program called VACCINE, to cure the virus.  The problem was
that VIRUS mutated during transmission due to phone line noise and
VACCINE was no longer effective.
   Interestingly, only the 1st edition (Ballantine Books, 1972) had
this subplot.

-dab
        /\           David Alan Bozak, Computer Science Department
       /  \          SUNY Oswego, Oswego, NY  13126 (315) 341-2347
 _____/____\_____    Internet: [email protected]
/    /      \    \          or dab%[email protected]
/____/        \____\  UUCP: {cornell!devvax,rutgers!sunybcs}!oswego!moxie!dab

------------------------------

Date:    Fri, 18 Oct 91 14:25:44 +0100
From:    [email protected] (Antonio Ruiz Cantera)
Subject: Help wanted (PC)

A friend of mine has got virus, PROBABLY from garbo.uwasa.fi; inside
the program HYDK421.ZIP.

Please, May anybody from garbo check if this program is infected ?

Characteristics of this virus:

- It's not detected by McAfee's SCAN82 and CLEAN82.
 It's only possible to detect when a write protection TSR program
 is active, like TSAFE from TNTVIRUS (Carmel).
 This antivirus informs of Brain/Ashar virus.

- It infects hard drive: boot, partition table and FAT.
 The virus is installed in the FAT, it's impossible to edit the part
 of the FAT where the virus is stored.

- It intercepts the hard drive write interrupt.

- It infects the EXE programs without changing their size.

- The virus is loaded into memory although the computer is booted with
 a clean floppy. This is the reason for supposing that it's in the
 partition table.

- After the low-level format of the hard drive ( with FXPREP ), the virus
 continues in the hard drive.

The computer is a 386/25 with two hard drives (40 and 120 Mb), and DOS 5.0.
 ( the two hard drives are infected )


Suggestions will be welcome.


Thanks in advance.

   Antonio Ruiz

Polytechnic University of Madrid (Spain)
e-mail: [email protected]

------------------------------

Date:    Fri, 18 Oct 91 09:41:36 -0500
From:    [email protected] (Rick Smith)
Subject: Re: SF Worms/Viruses (Re: HW not a solution)

>I wrote:

>|.... There's "Adolescence of P1" (a Morris-like worm) which I
>|read in the mid-late 70s, but I don't remember the author.

and [email protected] (Gary Heston) writes:

>... I have it and "The Adolescence of
>P1" at home; I'll check on it. I don't know if I would quite classify
>"P1" as a virus; more of a haywire AI project.

Pardon me while I clarify my use of terms. I said "worm" instead of
"virus" assuming that a virus spreads infection via shared storage
media and a worm spreads via network connections.  Clearly, there are
cases that combine both (ie spreading via network-mounted media like
Appleshare or TOPS).

As I recall, P1 would enter a computer over a phone connection, infect
the operating system, and then propagate itself via phone connections
to other computers. The author had some stuff about P1 "learning" how
to infect an operating system once it was inside, but infection
clearly spread in a worm-like manner. I think the author added the
stuff about "AI" because he didn't know how feasible such an infection
might become. This follows the popular fictional device to use the
"AI" label on things that are otherwise hard to explain technically.

Rick.
[email protected]        Arden Hills, Minnesota.

------------------------------

Date:    Fri, 18 Oct 91 09:59:47 -0500
From:    [email protected] (Rick Smith)
Subject: Re: Computer "Anomalies" in books

padgett%[email protected] (A. Padgett Peterson) writes:

>While "Shockwave Rider", "When Harlie was 1", and "The Adolescence of P1"
>were all works treating self aware computers and worms, the earliest
>reference I know of computers (programs) taking over other computers
>goes back to Heinlein's "The Moon is a Harsh Mistress" ...

I think Mycroft Holmes/Adam Selene represent a different situation.
There was no "taking over" involved, really. Mike was installed as
"the computer in charge" of the local computer complex and there
wasn't any "infection" involved. You could say the system just didn't
operate exactly as the designers intended, (making jokes wasn't part
of the original spec, I suppose). Mike's unusual behavior is more of
an intrinsic "bug" or "feature," sort of like the homicidal behavior
of HAL 9000.

One might be able to make a similar argument about HARLIE. I don't
remember offhand whether he found his way into computers outside his
company. He was clearly authorized to take control of stuff inside the
company and he exploited this to the limit. I remember he surprised
people with the extent of his control, but I don't know whether he
ever really exceeded his authority.

Rick.
[email protected]    Arden Hills, Minnesota

------------------------------

Date:    Fri, 18 Oct 91 12:14:27 -0400
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Anti-Viral Techniques for Networks

       There is one major missing link to the anti-viral
authentication method with most of the current commercial products.
The problem has been mentioned a few times as concerned users have
asked "How do I know that xxxx is working without trying to infect
myself ?" The same question holds true for networks: "How does the
server know that xxxx is working on the client ?"

       The answer is simple, but it is going to be up to the vendors to
implement it (I have mentioned it to McAfee, Enigma-Logic, and Leprechaun
already simply because I happened to speak to them after thinking of it).
What we need is a simple algorithmic method to verify that the antiviral
product is actually resident, its configuration, and the version number.

       This does not have to be complicated: a simple .COM file
stored on the server and invoked with the login script can interrogate
the system for residency, perform a checksum that will also validate
the version number, (which can return the number as an errorlevel) and
set an environment variable to reflect the installed configuration
(invoking command line switches would be adequate).

       I use a rudimentary form of this to do similar checking of
DiskSecure from a server so it can be done relatively easily, how
would be up to the vendors. However, I would suggest that this matter be
discussed at the vendors meeting in Washington next month (doubt that
I will be able to go).

       The key here is to tame the network and make it start working
for its own defense rather than the traditional method of relying on
the clients.  Is it a perfect defense ? No, but a whole lot better
than what we have now. It might even be *enough*.

                       Coolly (way down to the low sixties),
                                               Padgett
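The check Padgett describes, as an added example that is not part of the
digest and not any vendor's code.  The real thing would be a small .COM run
from the login script; this models it in Python so the logic can be read and
run.  The table of approved checksums lives on the server, the result is
encoded as a DOS-style errorlevel for the login script to branch on, and the
installed configuration is exported through an environment variable.  The
errorlevel values, the variable name (AVCHECK) and the two product images
are assumptions made for the example; the images are constructed bytes, not
real anti-viral binaries.

```python
"""
Added example (not from the digest, and not any vendor's code): the
server-side check Padgett describes, modelled in Python.  A DOS .COM
run from the login script would do the same job; the errorlevel values,
the environment variable name and the product images are assumptions.
"""
import hashlib
import os

# Constructed stand-ins for two releases of a resident anti-viral product.
IMAGE_V84 = b"RESIDENT-AV build 84 (constructed sample, not a real product image)"
IMAGE_V85 = b"RESIDENT-AV build 85 (constructed sample, not a real product image)"


def fingerprint(image):
    """Checksum that both identifies the version and detects modification.
    Padgett says 'checksum'; a cryptographic hash is used here because an
    additive checksum can be made to match by a patched binary."""
    return hashlib.sha256(image).hexdigest()


# Held on the server, not the client, so a client cannot simply claim a version.
APPROVED_VERSIONS = {
    fingerprint(IMAGE_V84): 84,
    fingerprint(IMAGE_V85): 85,
}
MINIMUM_VERSION = 85

# Errorlevels the login script branches on (assumed convention; DOS allows 0..255).
EL_OK = 0
EL_NOT_RESIDENT = 1
EL_UNKNOWN_IMAGE = 2          # hash not in the table: tampered, corrupted or unapproved build
EL_TOO_OLD = 3
EL_DISK_MEMORY_MISMATCH = 4   # file on disk is approved but what is resident differs
ENV_NAME = "AVCHECK"          # assumed variable name


def verify_client(resident_image, disk_image, switches):
    """resident_image: bytes copied out of the resident module after the
    install check (None when the install check finds nothing resident).
    disk_image: bytes of the program file on the client's disk.
    switches: command-line switches the resident reports it was loaded with.
    Returns (errorlevel, value for the environment variable)."""
    if resident_image is None:
        return EL_NOT_RESIDENT, f"{ENV_NAME}=NONE"
    resident_fp = fingerprint(resident_image)
    version = APPROVED_VERSIONS.get(resident_fp)
    if version is None:
        return EL_UNKNOWN_IMAGE, f"{ENV_NAME}=UNKNOWN"
    if fingerprint(disk_image) != resident_fp:
        # The disk file could pass on its own; what is actually resident does not.
        return EL_DISK_MEMORY_MISMATCH, f"{ENV_NAME}=MISMATCH;{version}"
    config = ",".join(sorted(switches)) or "DEFAULT"
    if version < MINIMUM_VERSION:
        return EL_TOO_OLD, f"{ENV_NAME}={version};{config}"
    return EL_OK, f"{ENV_NAME}={version};{config}"


def apply_to_environment(env_value, environ=os.environ):
    """What the caller does with the result: export it so later login-script
    steps (and the user's shell) can see the installed configuration."""
    name, _, value = env_value.partition("=")
    environ[name] = value
    return environ[name]


def login_policy(errorlevel):
    """Server-side decision the login script makes on the errorlevel."""
    if errorlevel == EL_OK:
        return "allow"
    if errorlevel == EL_TOO_OLD:
        return "update"    # let the login script push the newer build first
    return "deny"


if __name__ == "__main__":
    level, value = verify_client(IMAGE_V85, IMAGE_V85, {"/BOOT", "/SWAP"})
    print(level, value, login_policy(level))
    print(verify_client(IMAGE_V85, IMAGE_V84, set()))
```

The caveat Padgett hints at with "not a perfect defense" is visible in the
design: the interrogation and the checksum both run on the client, through
the same INT 13h and INT 21h services a stealth virus already has hooked, so
a virus that lies about disk reads or answers the install check itself can
make the .COM report a healthy machine.  What the check does buy is that a
client with no resident product, an old one, or a modified one is caught by
the server before it is allowed onto the network, which is the gap in the
current products that the posting is about.
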

------------------------------

Date:    Fri, 18 Oct 91 17:31:31 +0000
From:    [email protected] (TEE LUNS)
Subject: Re: More hardware!

[email protected] (David.M.Chess) writes:
>From:    [email protected] (Fred Waller)
>is, there are both hardware and software solutions that can completely
>protect any given machine against the Stoned.  And they've both failed
>(in the global sense) for the same reason: not enough people are using
>them.

>P.S. The 1813 (Jerusalem) is still up there near the Stoned;
>     I think we'd have to stop both of them before we could
>     claim to have the great majority!   *8)

 The catch with hardware is that it costs more money than some people
may be willing to pay. An idea I've been toying with lately has been
to write a dummy partition table which Stoned will recognize as being
itself. This would defer infection. For $5 a shot, do you think
anybody would go for it?

 I just got my hands on a copy of Jerusalem strain B. Perhaps a
similar fix would be possible for this.

------------------------------

Date:    Fri, 18 Oct 91 16:17:44 -0400
From:    "Darryl O. (Doc) Cottle" <[email protected]>
Subject: Re: Computer Anomalies in books

As a long time SF fan (fiend) I've been following this discussion with
great interest!  When Shockwave Rider got mentioned re virus (and long
before I subscribed to this network) I went out, found it, and read it
with great interest.  When "When Harlie Was One" was mentioned same-o-same
and enjoyed them both.  Now I need to find The Adolescence of P-1.  I'd
been aware of The Moon is a Harsh Mistress since HS (class of '64) so I
enjoyed Padgett's little piece on it.  No one yet has mentioned what was
probably the most terrifying set of books about computers run amok that
I've ever seen - D. F. Jones - "Colossus", "The Fall of Colossus", and
"Colossus and the Crab."  For those who may've seen the movie based on
the first one, it pales in comparison to the book.  I've been watching
my PC's like a hawk for anomalous behavior!  They _do_ seem to develop
a personality after a while.  I call both of them "Harvey."  Any Jimmy
Stewart fans will understand why!
                                          Doc Cottle
                                          U. of KY
ps  The only viral-type infection this
   subscriber has experienced was "stoned", so I now boot from a
   write-protected floppy if I've read _any_ "strange" diskettes.
+- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -+
| Darryl O. (DOC) Cottle      | Looking for  |"I don't know what I'm doin'! |
| Ag. Econ./Univ of KY        | "Viri"  and  | If I ever DO figure it out,  |
| Bitnet [email protected] |   I hope I   | I'll prob'ly go hide!!"      |
| E-Mail [email protected]| don't find'm!|   "Brother" Dave Gardner     |
|- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -|
|   Greetings from Lexington, Kentucky, "in the heart of the Bluegrass"     |
+- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -+

------------------------------

Date:    Fri, 18 Oct 91 16:08:51 -0700
From:    [email protected] (arthur rubin)
Subject: Stoned (Michelangelo) infection (PC)

I have a problem here.  A newly installed hard disk was infected with
a Stoned variant.  _My_ machine is fine.  How do I convince the
administrators here that this is a __serious__ problem and that most
of the inhouse (and possibly some of the customer) machines should be
scanned and disinfected.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 195]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253