VIRUS-L Digest   Friday, 20 Dec 1991    Volume 4 : Issue 238

Today's Topics:

Voice Trojan (PC)
virus outbreak in central Virginia (PC)
New Virus Alert: Happy Halloween (PC)
Re: "Happy Halloween" (PC)
Virus writing contest
Re: Washburn and ethics; VIRUS-L Digest V4 #237
MICHELANGELO (PC)
Re: PC problem - possible virus? (PC)
Re: Booting from a clean floppy (PC)
Re: Mac virus?: system crash (HELP!) (Mac)
programs from New Zealand (PC)
Thunderbyte anti-virus updates on SIMTEL20 (PC)
McAfee 85 suite is on BEACH (PC)
Merry Christmas

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 17 Dec 91 16:07:32 -0500
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Voice Trojan (PC)

Must  apologise for not posting this sooner but was sure  someone
else was going to...

The  following describes a trojan (does not appear to be a  virus)
found  on  a BBS in Virginia, USA. At this time it is  not  known
what the source was.

This  is a dangerous trojan which will attempt to  overwrite  the
Boot Record, both FATs and a portion of the root directory on all
disks using Interrupt 26. At this time I do not know if this will
occur  on each activation or if there is a discriminator  in  use
(disassembly is 54 pages long).

This was received as a .ZIP file containing the executable and  a
document file. The following are excerpts from the documentation:


>VOICE MASTER v1.0,  Written by Storm Shadow, Dec. 2nd 1990
>__________________________________________________________

> (Last update June 1990)

>   Voice   Master is  a  program  that uses  the   IBM  internal
>speaker  to record voices and playback the recorded  voices.  If
>you   have  an  Adlib or Soundblaster card the  sounds  will  be
>better.

>   You  are  encouraged  to distribute  this program.  All I ask
>if  you are using it is to leave a message to me on my board  to
>let  me  know that you  are  using  it.  That way,  if  I  write
>other  versions of it, and if I  can  reach  you somewhere,  you
>will  have the opportunity to  receive a copy of it  faster than
>if  you wait  for it to be uploaded to a bbs.


Since the IBM-PC speaker could make a very poor microphone but the
system  electronics  is  designed  only  for  sound  output,   the
program's claims are (IMHO) evidence of malicious purpose.

The  funny  thing  is that I seem to remember hearing  of  such  a
trojan  several years ago (the absurd claim is what sticks  in  my
mind)  but cannot place it. Certainly the program's  date  (2-90)
does  not  match  the .DOC's (same  date)  "June"  or  "December"
statement  and  is  fairly old. This just goes  to  reinforce  the
statement  made  by several other researchers (I haven't  -  yet)
that  malicious  software never dies out so long as it  is
still  on  a disk somewhere - the recent destruction  of  a  disk
overseas by the DataCrime is certainly ample proof of that.

In  any  event, just remember the old chestnut "if it  sounds  too
good to be true, it probably is."

                                         Happy Holidays,

                                         Padgett
                                        <padgett%[email protected]>

------------------------------

Date:    Thu, 19 Dec 91 06:12:00 -0500
From:    [email protected]
Subject: virus outbreak in central Virginia (PC)

Hi.  Following are two messages reporting two virus outbreaks in the
Richmond VA. area.  They were posted on a local BBS (the Blue Ridge
Express).

It is interesting to note that a military institution got hit; very
seldom one can read/hear reports from these institutions.

----- begin forwarded messages --

Msg #:  3000                      MAIN
From:  ROBERT LIAS               Sent: 12-18-91 21:55
  To:  ALL                       Rcvd: 12-19-91 05:23
  Re:  FORT LEE GOT "STONED"

I had the great honor to identify the "Stoned" virus on 4 of my unit's
PC's today.  This has not been a severe virus; however, I do have to
check ALL of my disks for the virus as well.  McAfee's VirusScan and
Clean had no problem with the detection and elimination.  If you work
at Fort Lee you may want to notify someone and have them check out
your systems too.  I hope you find all is well.
***Rob***

=====

Msg #:  3005                      MAIN
From:  TOM HUFFMAN               Sent: 12-18-91 22:23
  To:  ALL                       Rcvd: 12-19-91 05:23
  Re:  DIR-2 WARNING!!!

We have had a "slight" attack of the DIR-2 virus in the School of
Business at VCU.  We found the virus on almost 10-15 computers...  two
of them being the machines that are used by the lab
monitors/consultants to scan students' diskettes as they come into the
lab.  With the monitors' machines being infected, this virus WILL be on
all the diskettes which have been checked on these machines!

We have McAfee's VSHIELD v84 on all the machines, but they never
detected the infections!  The virus was however found with version 85.

This virus has already trashed several hard disks, which need to be
formatted because they're beyond help!!  Since this virus is
incredibly infectious, I would advise EVERYONE who has used any of the
machines at VCU to check their PC's and diskettes using SCAN v85 or
F-Prot v2.01.  Thanks!!

                   Tom Huffman

----- end forwarded messages --

Best, Claude

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   [email protected]     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

Date:    Thu, 19 Dec 91 09:44:57 -0700
From:    [email protected] (Tim Martin; FSO; Soil Sciences)
Subject: New Virus Alert: Happy Halloween (PC)

(from Padgett)
> Tim: You can have the honor of making the Virus-L alert. Just let
> me  know by noon that it is happening. More details after I  take
> it apart at home. - Padgett

Thanks, Padgett.  I added a line or two to what follows.

Tim.

--------------------------------------------
       New Virus: Happy Halloween

       First pass preliminary estimates (not yet disassembled)
       Non-Resident
       Requires  minimum  file size to infect (have not  yet  determined
            requirements).

      Discovery: December 1991 in British Columbia, Canada

       Characteristics:

            File infects on execution - appears to seek out single  file
            for  infection of length greater than xxxx  bytes.  Infected
            files  grow  by 10,000 (decimal) bytes.  Virus  infects  all
            files  as  if .EXE - Infected .COM files  will  not  execute
            properly.  Virus may have at one time been  compressed  with
            LZEXE. Embedded string ("All Gone") indicates file  deletion
            or destruction may  occur on  unknown  trigger.  COMMAND.COM
            infection will make floppy boot necessary.

       Detection:

       This virus is not found by the common scanners tested.  Notably,
       the FPROT "analyse" option finds "no virus-like activity".

       Copy  the  following line (including quotation marks) to  a  file
       "Hallowee.ext"

       "6c6c6f7765656e55" Happy Halloween

       Utilize with McAfee's Scan as follows SCAN /EXT HALLOWEE.EXT
       - may  also  be  used  with other  scanners  that  accept  external
       strings.

-------------------------------------------------------------
 Tim Martin                 *
 Soil Science               *     These opinions are my own:
 University of Alberta      *        My employer has none!
 [email protected]      *
-------------------------------------------------------------

------------------------------

Date:    Thu, 19 Dec 91 15:08:24 -0500
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Re: "Happy Halloween" (PC)

A couple of other things noticed since the Viralert went out thanks to
efforts by Tim Martin, David Chess, Fridrik Skulason, & Vesselin
Bontchev. (isn't the net wonderful)

1) Virus triggers on October 31 of any year after 1991 (at least 92 & 93
   work). Then all executable files in current directory are truncated to
   666 bytes and the message "ALL GONE   Happy Halloween" appears. Message
   is found near the start of infected files in plain ASCII.
2) Virus only infects files of 10,000 bytes and larger. File size increases
   by exactly 10,000 bytes. Dates/times are changed to match infection or
   trigger date.
3) Virus does not use any "stealth" nor does it seem to go resident.
4) Simple .COM files may still execute properly - more complex ones do not.
5) Appears to have been written in Turbo-Pascal (honest).
6) As number of infected files in directory increases, so does amount of
   "disk thrashing" - particularly noticeable on floppies.

IMHO - this virus will probably not become common without help.

Will update if anything more of importance is learned.

(and I thought it was going to be a quiet week)  - Padgett

               <padgett%[email protected]>
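
As an added example (not code from either post, and not McAfee's), a small Python scanner that reads an external string file in the one-line format shown in Tim Martin's alert and also looks for the plain-ASCII message Padgett reports near the start of infected files. The 20,000-byte floor is derived from item 2 above (10,000-byte minimum plus 10,000-byte growth), and all sample data is constructed.

```python
"""Added example: scan with an external string file in the SCAN /EXT shape
shown in the alert, plus the ASCII marker from the follow-up post."""
import re
from pathlib import Path

# Constructed copy of the HALLOWEE.EXT line from the alert: a quoted hex
# string followed by the name to report. The parser accepts only this
# shape; whatever else real SCAN /EXT files allow is not covered here.
HALLOWEE_EXT = '"6c6c6f7765656e55" Happy Halloween\n'

# The follow-up post reports this message in plain ASCII near the start
# of infected files, so it is worth checking for as well.
ALL_GONE_MARKER = b"ALL GONE   Happy Halloween"

# Derived from the follow-up post: only files of 10,000 bytes and larger get
# infected and they grow by exactly 10,000, so an infected file is at least
# 20,000 bytes. Smaller files can be skipped without reading them.
MIN_INFECTED_SIZE = 20_000

_EXT_LINE = re.compile(r'^\s*"([0-9A-Fa-f]+)"\s+(.+?)\s*$')


def parse_ext_file(text):
    """Return [(signature_bytes, name), ...] from external string file text.
    Blank lines are skipped; a malformed line (bad hex, odd nibble count)
    raises, because a silently mangled signature would never match."""
    sigs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _EXT_LINE.match(line)
        if not m or len(m.group(1)) % 2:
            raise ValueError(f'line {lineno}: expected "<hex>" <name>')
        sigs.append((bytes.fromhex(m.group(1)), m.group(2)))
    return sigs


def scan_bytes(data, sigs):
    """Names of every signature present in data, in definition order,
    followed by the ASCII marker if it is present too."""
    hits = [name for sig, name in sigs if sig in data]
    if ALL_GONE_MARKER in data:
        hits.append("Happy Halloween (ALL GONE marker)")
    return hits


def scan_file(path, sigs):
    """Scan one file on disk; files below the size floor are reported clean
    without being read."""
    p = Path(path)
    if p.stat().st_size < MIN_INFECTED_SIZE:
        return []
    return scan_bytes(p.read_bytes(), sigs)


def demo():
    """Constructed in-memory samples, not real infected files: one carries the
    marker near its start and the hex string further in, one is filler only."""
    sigs = parse_ext_file(HALLOWEE_EXT)
    sample = bytearray(b"\x90" * MIN_INFECTED_SIZE)
    sample[16:16 + len(ALL_GONE_MARKER)] = ALL_GONE_MARKER
    sample[4096:4096 + len(sigs[0][0])] = sigs[0][0]
    clean = b"\x90" * MIN_INFECTED_SIZE
    return scan_bytes(bytes(sample), sigs), scan_bytes(clean, sigs)


if __name__ == "__main__":
    print(demo())
```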

------------------------------

Date:    Fri, 20 Dec 91 11:55:47 -0500
From:    [email protected]
Subject: Virus writing contest

Hi everybody,
  a German computer magazine called 64'er by Markt & Technik has just
  published an article on viruses. One part of the article is an announcement
  of a virus writing contest. Two quotes:

    The most sophisticated virus will be awarded generously! The virus will
    be published.

    Send in your killers to:
        <address>

 In a paragraph below they tell about the German computer crime laws and
 also state that these laws are no threat because it's very hard to prove
 the intention.

 WE ALL JUMPED ONTO THEM!!!

 Siemens Nixdorf told Markt & Technik that they would cancel all
 advertisements in all of their magazines!!!

 One of the staff members said that they will withdraw the offer in the
 next issue.

Christoph Fischer
Micro-BIT Virus Center
University of Karlsruhe
Zirkel 2
W-7500 KARLSRUHE 1
Germany
+49 721 376422 Phone
+49 721 32550  FAX
email: [email protected]

------------------------------

Date:    Wed, 18 Dec 91 06:49:43 -0800
From:    [email protected]
Subject: Re: Washburn and ethics; VIRUS-L Digest V4 #237

Frisk in #237:

>>>tolerated. It stands to reason that anyone who knows enough about
>computers to create a virus, does other 'above board' programming.<

Eh..I must disagree.  Most viruses are probably not written by
programming geniuses, or even by professional programmers - many known
virus authors are just teenagers, doing this "for fun"...<<

OK, Granted that many are. However, I would ask how many of them also
have somewhat more useful code in the PD and SHAREWARE pipes? (I guess
the question should be, how much that we /know of/, since as has been
pointed out, anyone in that position would be less than excited about
admitting it.)

And even given that what you say is totally true, you further my last
point: That a strong reaction to a Washburn would send a message to
impressionable minds that such behavior isn't tolerated, thereby
lowering the amount of virus code generated.
Consider, if you will, what happens when the kiddie crew wants to
make use of their computer skills to earn their daily stale bread.

IF actions like what we were discussing against Washburn, for example,
were taken, and made public, perhaps the kiddie crew out to have 'fun'
(? The idea of fun is not universal, I guess) would think twice about
their actions.

Happy Holiday all...
E

------------------------------

Date:    Wed, 18 Dec 91 15:36:20 -0700
From:    [email protected] (Kevin Hemsley)
Subject: MICHELANGELO (PC)

I recently cleaned a machine infected with Michelangelo.  Before I scanned
the machine I ran CHKDSK.  This is when I suspected a problem because
there was over 3000 bytes missing from conventional memory.  SCAN V85
reported Michelangelo.  Using Diskedit I looked around and found a copy of
the original MBR at cylinder 0, track 0, sector 7.  After taking a sample
and cleaning the MBR, I rebooted the machine and ran SCAN again, which
reported everything was clean.  Out of habit, I ran CHKDSK again and found
exactly 1K still missing from conventional memory.  When the computer was
booted from a clean disk, CHKDSK reported a full 640K.  I did rename
AUTOEXEC.BAT and CONFIG.SYS to make sure it was not a driver or other TSR
stealing memory.  I was able to correct the problem with a SYS, but I'm
not quite sure what was using the 1024 bytes.  It was either the DOS boot
record, or the two hidden system files, or COMMAND.COM.  My question is:
did Michelangelo alter one of the above system areas, or was it another
problem?  I thought that Michelangelo only altered the Partition Table.
Any ideas?

-------------------------------------------------------------------------------
Kevin Hemsley                             |
Information & Technical Security          | If you think that you have someone
Idaho National Engineering Laboratory     | eating out of your hand, it's a
(208) 526-9322                            | good idea to count your fingers!
[email protected]                              |
-------------------------------------------------------------------------------

------------------------------

Date:    Wed, 18 Dec 91 16:44:47 -0500
From:    [email protected] (Ogden Dumas)
Subject: Re: PC problem - possible virus? (PC)

       Just a quick note.  I have heard from a few close sources that what
you have is a virus.  I will contact them and forward your address.
       Now I have a question for you.   Can you forward this message to
the moderator of Comp. Virus?  Thanx in advance

       Question for all:  Is there a virus that can infect BOTH  PCs and
Mainframes?  The place where I am working is networking and I am trying to
find out what possible threats can arise from this.  Thanx.

************************************************************************
[email protected](Ogden Dumas)           The few, the proud,
(716)723-0991 No job too small          The Nice Guy.
MYopinionandNOoneelsePERIOD

Rape is Rape PERIOD. With or without Violence!
Apt. 812  1100 English Rd.  Rochester, NY 14616
whatIhaveNOopinionIhaveJUSTmyMEAGERmind...aPOSTRONbrain
*************************************************************************

------------------------------

Date:    19 Dec 91 10:11:34 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Booting from a clean floppy (PC)

[email protected] (Nick Hilliard) writes:

> Writing virus scanners which have to cope with the problem of
> already-resident viri is an unnecessary complication. It could be
> done, of course, but it just means more work for the programmers,
> *and* it would not be fail-safe. Remember just how many viri there
> actually _are_ out there [no comments about names and classification,
> please ;-)]. Writing the code to disable each one of them, restore all
> the interrupts they hook, reclaim memory, etc. is superfluous when all

I agree, in general, with your point, but just to add my two cents
worth... In my lab in Sofia we began to develop a programmable memory
disinfector. It takes a text file, which contains strings to scan for
(wildcards accepted), offsets (from a paragraph boundary) at which
they must be found, and (if the string is found) sequences of "look
for" and "patch to" bytes. And a virus name, of course.

If the string is found, an additional check is made for the "look for"
bytes (at the appropriate offsets). If they are not present, the virus
is assumed as already deactivated and nothing is done. Otherwise, the
virus name is reported and the bytes are patched to the "patch to"
values. The virus is just patched in memory, in order to stop it from
infecting/triggering, no attempt is made to restore the original
interrupt vectors or to free the used memory, since this cannot be
always done, and is too dangerous anyway.

There are almost no false positives, since the string must be at
a fixed paragraph boundary; there are other restrictions as well -
like looking only in the low memory (below the current PSP), or in the
high memory (above the current PSP), or at a fixed address (say, in the
interrupt vector table, in the video memory, etc.).

As a conclusion, I agree that it is unsafe to -rely- on such a program
- it's much better to boot from a clean disk; but do you know how many
dumb users of anti-virus software don't do this? So, it's better to
have such (unreliable) protection, than none...

> All PC's with hard drives have floppy drives, and if they don't,
> they should.

Hm, I tend to disagree... If there were no floppies (say, a PC
attached to a LAN), it would be much more difficult to infect the
computers... Especially with boot sector infectors... :-)

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev         Virus Test Center, University of Hamburg
[email protected]   Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -246     Vogt-Koeln-Strasse 30, D-2000, Hamburg 54
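
As an added example (not the Sofia lab's program, whose file syntax the post does not give), a Python simulation of the programmable memory disinfector described above: definitions carry a wildcard scan string, its offset from a paragraph boundary, the region restriction, and the "look for" / "patch to" byte lists, and are run over a bytearray standing in for conventional memory. The sample definition and the resident stub it matches are constructed for the demonstration and describe no real virus.

```python
"""Added example: simulate the programmable memory disinfector from the
post over a bytearray that stands in for real-mode conventional memory."""

PARA = 16  # real-mode paragraph size; offsets are paragraph-relative


def pattern(text):
    """'B8 ?? 4C' -> [0xB8, None, 0x4C]; '??' is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def match_at(mem, addr, pat):
    """True if pat (None = any byte) matches mem starting at addr."""
    if addr < 0 or addr + len(pat) > len(mem):
        return False
    return all(p is None or mem[addr + i] == p for i, p in enumerate(pat))


def search_range(d, psp, mem_len):
    """Turn the post's restrictions (below the PSP, above the PSP, or at a
    fixed address) into the address range to walk."""
    if d["where"] == "low":
        return 0, psp
    if d["where"] == "high":
        return psp, mem_len
    if d["where"] == "fixed":
        return d["address"], d["address"] + PARA
    raise ValueError(f"unknown region {d['where']!r}")


def disinfect(mem, definitions, psp):
    """Scan and patch mem in place. Returns [(name, paragraph, action)] with
    action 'patched' or 'already deactivated'. As in the post, hooked
    vectors are not restored and no memory is freed."""
    report = []
    for d in definitions:
        scan = pattern(d["scan"])
        lo, hi = search_range(d, psp, len(mem))
        # The scan string must sit at d["offset"] from a paragraph boundary,
        # which is what keeps false positives down.
        for para in range(lo - lo % PARA, hi, PARA):
            if not match_at(mem, para + d["offset"], scan):
                continue
            live = all(match_at(mem, para + off, pattern(p))
                       for off, p in d["look_for"])
            if not live:
                report.append((d["name"], para, "already deactivated"))
                continue
            for off, p in d["patch_to"]:
                for i, b in enumerate(pattern(p)):
                    mem[para + off + i] = b
            report.append((d["name"], para, "patched"))
    return report


# Constructed definition for an imaginary resident stub; it describes no real
# virus. The stub starts with a short jump (EB 10) that the patch turns into
# two NOPs, so a second run sees it as already deactivated.
SAMPLE_DEF = {
    "name": "Constructed-Sample",
    "where": "high",             # search only above the current PSP
    "scan": "CD 21 ?? ?? CF",    # wildcards for two don't-care bytes
    "offset": 3,                 # scan string sits 3 bytes into the paragraph
    "look_for": [(0, "EB 10")],  # still live only if the jump is intact
    "patch_to": [(0, "90 90")],
}


def demo():
    """32 KiB of constructed zeroed memory, PSP at 0x4000, the stub placed
    paragraph-aligned above it. Running twice shows both outcomes."""
    mem = bytearray(0x8000)
    psp = 0x4000
    mem[0x5200:0x5208] = bytes.fromhex("EB1000CD210000CF")
    first = disinfect(mem, [SAMPLE_DEF], psp)
    second = disinfect(mem, [SAMPLE_DEF], psp)
    return first, second, bytes(mem[0x5200:0x5202])
```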

------------------------------

Date:    Thu, 19 Dec 91 08:08:47 +0000
From:    [email protected] (Phaedrus)
Subject: Re: Mac virus?: system crash (HELP!) (Mac)

[email protected] writes:
>Does anyone have any information about a Mac virus that causes
>programs to frequently "unexpectedly quit due to error type 1"
>
>It happens under both system 7 & system 6, on various machines.

    If Disinfectant doesn't flag any viruses, then the odds of a
virus being the cause of this are negligibly small.  "System error 01"
or "Unexpectedly quit (1)" simply mean that the program crashed;
either the program is just buggy (Microsoft programs are good at this
:) ), or it's not compatible with the version of the system software
you're using, or there's a conflict between the program and an INIT
("Startup document") or cdev ("Control Panel document") that you have
in your System Folder.  Try dragging all of these Startup documents
and Control Panel documents out of the System Folder (or out of the
Extensions and Control Panels subfolders of a System 7 System Folder),
restarting the machine, and seeing if the crashes stop.  If they
don't, the program you're using probably just won't work with that
system software version.  If the crashes do stop, then try adding the
startup and control panel documents back into the System Folder one at
a time, restarting the Mac after each addition and testing again to
see if the crashes start up again.  If they do, then the last startup
or control panel document you added is probably the culprit.
--
Internet: [email protected]        (University of Washington, Seattle)
"If you can keep your head while those about you are losing theirs,
   consider an exciting career as a guillotine operator!"
Hi!  I'm an anti-virus utility!  Install me in your .signature right away!

------------------------------

Date:    Tue, 17 Dec 91 18:05:00 -0500
From:    [email protected]
Subject: programs from New Zealand (PC)

Hi.  After reading virus-l 4.236, I went to the site mentioned by
"[email protected]" "Mark Aitchison, U of Canty; Physics",
and fetched the two programs, BOOTID and CHECKOUT.  The original files
were in .ZOO archive format, and I repackaged them in .ZIP format for
the sake of compatibility with users here.

So now are available for FTP processing:

BOOTID  .ZIP    Identify a diskette's boot sector type ("hashcode").
               Use BOOTID to check the boot sector of DOS diskettes, to
               produce a 12-byte hashed identifier string based on the
               contents of the diskette's first sector.
               Copyrighted Freeware from New Zealand

CHECKOUT.ZIP    Display or check a diskette or Hashcode.
               Use CHECKOUT to check the boot sector of DOS diskettes, to
               produce a 12-byte hashed identifier string based on the
               contents of the diskette's first sector, identical to the
               BOOTID program, but with better descriptions and more options.
               You can also use it to explain a hashcode created elsewhere.
               The program only works with diskettes.
               Copyrighted Freeware from New Zealand

Site address:   urvax.urich.edu  IP# 141.166.1.6
system:         vax/vms 5.4-2, running Multinet for FTP processes
login:          anonymous
password:       your_email_address
directory:      When logged in the user is in the anonymous directory.
               type:  cd msdos.antivirus<ret>  to enter the directory where
               these two programs (and the rest of the "antivirus" collection)
               reside.

Happy holidays to all!

Claude

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   [email protected]     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

Date:    17 Dec 91 23:36:37 +0000
From:    [email protected] (Jeroen W. Pluimers)
Subject: Thunderbyte anti-virus updates on SIMTEL20 (PC)

I have uploaded to SIMTEL20:

pd1:<msdos.trojan-pro>
TBRESC15.ZIP    Thunderbyte Anti-Virus Rescue Boot Sector v1.5
TBSCAN30.ZIP    Thunderbyte Virus Scan 3.0; needs VSyymmdd.ZIP
VS911114.ZIP    Virus signatures for HTSCAN/TBSCAN date 911114

These files replace:
TBRESC12.ZIP; TBSCAN28.ZIP, VS911009.ZIP

   o _   _  _   _   _             voice:  +31-2522-11809 (19:00-22:00 UTC)
  / (_' |  (_) (_' | |            snail:  P.S.O.
__/                                        attn. Jeroen W. Pluimers
                                          P.O. Box 266
[email protected]               2170 AG Sassenheim
[email protected]   The Netherlands

Please note: phone number will change to +31-2522-20908 on December 16th

------------------------------

Date:    Thu, 19 Dec 91 09:50:04 -0600
From:    [email protected] (John Perry KG5RG)
Subject: McAfee 85 suite is on BEACH (PC)

Hello Everyone!

       I apologize for taking so long to post the new McAfee suite of
anti-viral software on beach.gal.utexas.edu. The system manager
changed the password to my maintenance account and then went on
vacation! Anyway it is there now for anyone with FTP capabilities.

John Perry KG5RG                    | [email protected] - Internet
University of Texas Medical Branch  | PERRY@UTMBEACH             - BITnet
Galveston, Texas  77550-2772

------------------------------

Date:    14 Dec 91 01:02:26 +0000
From:    [email protected] (Greg Montgomery)
Subject: Merry Christmas

               "The Worm Before Christmas"
                   by Clement C. Morris

   (a.k.a. David Bradley, Betty Cheng, Hal Render,
           Greg Rogers, and Dan LaLiberte)

Twas the night before finals, and all through the lab
Not a student was sleeping, not even McNabb.
Their projects were finished, completed with care
In hopes that the grades would be easy (and fair).

The students were wired with caffeine in their veins
While visions of quals nearly drove them insane.
With piles of books and a brand new highlighter,
I had just settled down for another all nighter ---

When out from our gateways arose such a clatter,
I sprang from my desk to see what was the matter;
Away to the console I flew like a flash,
And logged in as root to fend off a crash.

The windows displayed on my brand new Sun-3,
Gave oodles of info --- some in 3-D.
When, what to my burning red eyes should appear
But dozens of "nobody" jobs.  Oh dear!

With a blitzkrieg invasion, so virulent and firm,
I knew in a moment, it was Morris's Worm!
More rapid than eagles his processes came,
And they forked and exec'ed and they copied by name:

"Now Dasher!  Now Dancer!  Now, Prancer and Vixen!
On Comet!  On Cupid!  On Donner and Blitzen!
To the sites in .rhosts and host.equiv
Now, dash away!  dash away!  dash away all!"


And then in a twinkling, I heard on the phone,
The complaints of the users.  (Thought I was alone!)
"The load is too high!"  "I can't read my files!"
"I can't send my mail over miles and miles!"

I unplugged the net, and was turning around,
When the worm-ridden system went down with a bound.
I fretted.  I frittered.  I sweated.  I wept.
Then finally I core dumped the worm in /tmp.

It was smart and pervasive, a right jolly old stealth,
And I laughed, when I saw it, in spite of myself.
A look at the dump of that invasive thread
Soon gave me to know we had nothing to dread.

The next day was slow with no network connections,
For we wanted no more of those pesky infections.
But in spite of the news and the noise and the clatter,
Soon all became normal, as if naught were the matter.

Then later that month while all were away,
A virus came calling and then went away.
The system then told us, when we logged in one night:
"Happy Christmas to all!  (You guys aren't so bright.)"


[ Note:  The machines dasher.cs.uiuc.edu,
 dancer.cs.uiuc.ed, prancer.cs.uiuc.edu, etc. have
 been renamed deer1, deer2, deer3, etc. so as not
 to confuse the already burdened students who use
 those machines. We regret that this poem reflects
 the older naming scheme and hope it does not confuse
 the network administrator at your site.  -Ed.]

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 238]
******************************************
