VIRUS-L Digest Friday, 8 Feb 1991 Volume 4 : Issue 24
Today's Topics:
Yet another virus! (PC)
Re: Boot Sector/Partition Table Protection (PC)
Re: Hardware damage?
Apologies to Sim (Mac)
Re: Hardware damage? (PC)
Re: Write-protecting 3.5 inch disks
Virus Protection and Universities
VAX/VMS and Viruses
Re: Compressors
Using UUENCODE to send samples.
Re: Boot sector self-check (PC)
4th Annual Ides-of-March Virus & Security Conference
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: Wed, 06 Feb 91 16:34:07 -0400
>From: "Michael J. MacDonald I.S.P." <
[email protected]>
Subject: Yet another virus! (PC)
I recieved a call on Jan 29, 91 from a local pc retailer.
They seemed to have a virus.
This is what I was told:
1) it ``appeared'' about a week ago.
2) any access of an uninfected disk infects it.
3) infects any version of dos, he said that ``4.01 was worse''
4) infects a 386
5) warm boot infects.
6) infects all disks 1.2M, 5 1/4, 3.5, and hard disks.
7) formating a 1.2M disk on an infected machine will format the
full disk 100% complete, and then returns a Invalid Media or Track
0 bad. Formating the exact same disk with an uninfected system
the format completes successfully with no errors.
8) McAfee's(sp) scan V72 does not detect it
9) f-disinf version 1.12 July 90 says:
``This boot sector is infected with a new version of the virus.''
(no name).
What I have done and ``know to be true''
1) A fresh copy of Scan V72 and AVSearch 2.21 from the wuarchive
does not detect it.
2) I watched them do 7, 8 and 9 and I duplicated 8 on my own equipment.
3) If I try to boot an IBM PC Portable (lugable) (8086) 2 floppy) no
hard disk. The drive light comes on to do the boot and it never goes
off. A ctrl-alt-del does not do anything.
4) If I try to boot an IBM PC (original) (8086 ) 2 floppy) no
hard disk. The drive light comes on to do the boot and it goes
off, no boot, no error message. If I then stick in an clean
bootable floppy and ctrl-alt-del it will boot and not infect the
clean floppy.
5) The person said that the disk I had could boot a clone, but it would
not boot a true blue IBM 8086, it might boot a 386 didn't try.
6) f-disinf version 1.13 says:
``This boot sector is infected with a new version of the Stoned virus.''
7) f-disinf version 1.14 says: (not a quote)
This is not a typical boot sector and could be a virus.
I contacted Kenneth van Wyk and after exchanging a few notes etc
I recieved a confirmation that it was a new virus.
Fortunately the mdisk suite of utilities appears to clean up this
virus.
Anyway to make a long story short. We appear to have a brand new
boot sector virus. As far as a name, I suggest 910129 as the
date of first appearence. There is no ascii text in the boot
sector. An ugly name and if anyone has a better suggestion thats
ok. I do not have a machine that I can get an active virus to run on
such that I can test it.
I just recieved the following note from Ken
> Mike,
>
> Our technical contacts said that you should feel free to give the virus a
> name and send a write-up to VIRUS-L about it. They also added that,
> it'll eventually write junk over the master boot record of the first
> hard disk (causing not-too-hard-to-reverse loss of access to C: etc).
>
> Hope this helps.
>
> Cheers,
>
> Ken
I would like to express my thanks to Kenneth van Wyk
for his assistance in tracking this down and also for VIRUS-L
Thanks all .
mikemac...
P.S. if you want to contact me about this please feel free but NOTE
1) I will not send a copy of the virus to people who ask unless first
oked by ken.
2) I will be on vacation for the next two weeks.
========================================================================
Michael MacDonald, I.S.P.
Senior Systems Specialist,
Faculty of Computer Science It is wrong to assume that because
University of New Brunswick a computer can calculate PI to
Po. Box 4400 several thousand digits in a blink
Fredericton, New Brunswick of an eye that it is any more
CANADA E3B 5A3 intelligent than your average toaster.
(506) 453-4566
Netnorth/BITNET:
[email protected]
========================================================================
------------------------------
Date: Thu, 07 Feb 91 09:30:00 +0100
>From: "Mark Aitchison, U of Canty; Physics" <
[email protected]>
Subject: Re: Boot Sector/Partition Table Protection (PC)
padgett%
[email protected] (Padgett Peterson) writes:
>>>... what would be the possibility of 'delibrately' infecting ones boot-secto
r
with a piece of code ...
..
> allow such intrusion to be detected prior to the load of the OS and can block
> any such infection thereafter...
If anybody's interested, there is such a program avaliable, i.e. stops
hard disk boot viruses early in the start-up sequence. If anyone is
interested, I can e-mail further details. It's a companion product to
an automatic diskette boot sector scanner.
Mark Aitchison, Physics, University of Canterbury, New Zealand.
------------------------------
Date: 07 Feb 91 08:05:30 +0000
>From:
[email protected] (Larry Nathanson)
Subject: Re: Hardware damage?
While the existance of the HCF assembly command (Halt and Catch Fire)
has been debated, :-) I seem to remember a discussion similar to this.
I believe the basic conclusion was that it is impossible to damage the
CPU itself through programming.
However, peripherals remain very vulnerable- if you take a standard
hard drive, and drag the R/W head across the media 4 or 5 thousand
times, it can't be good. While it is unlikely that any user would
allow the machine to sit there grinding for several hours, it is
possible to write to virus to add 2 or 3 full head sweeps to each disk
access. This would slightly slow up the response time of the drive,
and might make it wear out much faster.
I saw a computer anecdote about some guys who had access to a printer
where imprints of the letters were layed out sequentially along a
linked chain. The chain spun laterally in front of 80 hammers, which
would strike, when the right character was in the right position.
These fellows found out the sequence of the letters, and attempted to
send that string to this printer to see what would happen. They said
that there were finding parts of the printer in the corners for many
months.
If one were to come up with a well sequenced access drive request,
timed with the drive speed, and in sync with the sector interleave, a
similar effect might be possible. However, as in the story, much
advance knowledge about the hardware is necessary. Unless the
hardware configuration is VERY public, it would almost have to be an
inside job. Writing enough code to screw with every HD, and every
printer around would make the virus big enough to be easily detected.
I think there may be ways to screw with the refresh rate of certain
brand monitors, but again- that requires inside knowledge- then there
is no reason to use viral propagation- a trojan horse will do fine.
- --Larry
- --
// Larry Nathanson . 726 Comm Av #5J . Boston, MA 02215 . 617 266 7419 \\
I've heard they just built a tunnel from England to France. The French
drive on the right hand side, the English on the left. Can they save
money by building only one lane?
------------------------------
Date: Thu, 07 Feb 91 08:14:43 -0600
>From: THE GAR <
[email protected]>
Subject: Apologies to Sim (Mac)
I would like to make a public apology to Simware, and especially to
Greg Bisaillon at Simware, regarding the note that I posted previously
on this list.
I fear that I have caused his company some damage by the posting, an
excerpt of which follows:
**************************************************************************
Date: Mon, 28 Jan 91 16:52:31 CST
>From: THE GAR <GLWARNER@SAMFORD>
Organization: Samford University Computer Services
Subject: SimWare 3.1
BUT . . . SIMWARE's "SimMac 3.1 Application Disk" (Master Program), which
I received on or about Jan 11 was infected! SAM reports that it was last
altered on 12/21/90 at 12:55 PM. This INFURIATES me, as I had up until
today always trusted the programs that come straight from the manufacturer
sealed in the "Read Carefully BEFORE Opening" license envelope!
************************************************************************
Greg Bisaillon contacted me from Simware, and together we checked our
respective shipping logs. It seems that the package WAS at Samford on
Dec 21! The first time that I used the disk on my machine was not
until early January, however it was used in ANOTHER Mac before it came
to mine.
This Mac must have been the infector, NOT Simware.
I was unaware that this had occurred, as the disk was in its envelope
when I received the disk. All my packages are opened by the person in
charge of our purchase orders, so it did not bother me, I had assumed
it was open so the shipping invoice could be removed.
Having spoken with Greg, I have come to understand what a thorough and
outstanding job of quality assurance they provide at Simware, with
each disk being checked with SAM and Disinfectant some four times
before leaving the premises.
I again would like to apologize, and hope that Chris Radziminski, and
the MacWeek people are still reading this list, as both had expressed
concerns to Simware. I have always despised the rumors that went
along with the software business, and now I have unwittingly started
one!
[Ed. Thanks for setting the record straight, Gary!]
/++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
! Later + Systems Programmer !
! Gary Warner + Samford University Computer Services !
! + II TIMOTHY 2:15 !
\+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/
------------------------------
Date: Thu, 07 Feb 91 14:55:21 +0000
>From:
[email protected] (Gregory A. Jackson)
Subject: Re: Hardware damage? (PC)
Not strictly a virus, but as to software damaging hardware it was true
under Windows 2.1 and WordPerfect 5.0 that running grab.com to capture
an Paint image from the screen caused VGA monitors to snap, arc,
oscillate, and (if you didn't shut it off immediately) burn out.
- --
Greg Jackson
20B-140/MIT/Cambridge MA 02139
(617) 253-3712
------------------------------
Date: Thu, 07 Feb 91 17:22:13 -0500
>From:
[email protected]
Subject: Re: Write-protecting 3.5 inch disks
Write protecting 3.5 inchers. (disks) Very simple. All you need
is a pocket knife or a push pin. Pry up on the corner of the disk
with the write protect tab till you hear a snap. Then, with the knife
or whatever, push out the write protect tab. Finally if the edge of
the disk is still seperated, squeeze it untill it snaps togeather
again. Viola! Write protected disk. However, if you want to be able
to write to it again, place a small strip of tape (even scotch tape)
across the back of the write protect hole and write to your heart's
content. I know this works for the mac.
Alex Zavatone
123 Mac - Lotus
Zav B!-]
My opinions do not represent those of my employer, but they should.
------------------------------
Date: Thu, 07 Feb 91 16:41:02 -0500
>From: RAY <
[email protected]>
Subject: Virus Protection and Universities
I would like to know what other universities are doing about buying
virus protection packages. We have a copy of Virex for our use but
would like to implement something in the labs. We have look at SCAN
but McAfee shareware site licences prices are exceptionally high. The
minimum purchase is for use on 100 machines for $3250. We would
probably be better off buying just a few copies and putting them on
machines set aside for virus checking only.
Any thoughts from other university labs?
===============================================================
Ray Drake
[email protected]
Microcomputer Consultant (919)757-6401
East Carolina University Greenville, NC 27858
===============================================================
------------------------------
Date: Thu, 07 Feb 91 20:05:51 +0000
>From:
[email protected] (Bert Medley)
Subject: VAX/VMS and Viruses
Does anyone know of any virus protection software for VAX/VMS or UNIX
(Sun, DG Aviion, DEC ULTRIX)? Please e-mail to
[email protected]
or post. I will summarize and repost if there are answers. I NEED
any answers you might can give. Thanks in advance.
- --
Bert Medley | UUCP:
[email protected]
Synercom Technology | or ..uhnix1!hounix!bmedley
2500 City West Blvd., Suite 1100 | Internet: bmedley%
[email protected]
Houston TX 77042 | "My opinions are my own ..."
------------------------------
Date: 08 Feb 91 10:05:49 +0000
>From:
[email protected] (Fridrik Skulason)
Subject: Re: Compressors
[email protected] (Jun Guo) writes:
> We know that signature based scanner will not search into compressed
>EXE/COM file.
Not 100% correct - some scanners will scan some types of compressed
files simply by uncompressing them first - for example my F-PROT, and
(I think) McAfee's SCAN will scan a LZEXE-packed file.
Of course I want to make my scanner be able to scan all the different
types of compressed files - the problem is just that I don't have a
copy of all the compressors - in fact, I only have LZEXE and EXEPACK.
I know some of the compressors are available on SIMTEL20 and
elsewhere, but not all. So, could somebody mail me information on the
status of the programs below - are they shareware/freeware/commercial,
and where are they available ?
No need to increase the traffic on Virus-L too much...I will post a
summary of the replies I receive.
> PKlite PKlite -x
> Diet 1.0 Diet -r
> LEXEM
> TinyProg
> AXE
> Shrink
> SCRNCH
> ICE ICE breaker
> CRUNCH
> I'd like to hear from you of other compressors and decompressors.
I know of one program from Bulgaria - perhaps Vesselin Bontchev could
provide some information on it - the problem is just that he does not
have a computer any more, as he was just promoted.
> And one more thing: how are device drivers loaded? Can they be
>compressed also? If yes, how can we decompress that?
I know of no method to compress device drivers, which allows them to
be uncompressed dynamically on loading - it could be written, of
course, but I don't think it is worth the effort - device drivers are
usually so small (less than 50 Kbytes) one does not gain much in space
or loading time.
------------------------------
Date: Fri, 08 Feb 91 09:30:33 +0000
>From:
[email protected] (Fridrik Skulason)
Subject: Using UUENCODE to send samples.
I often receive samples containing new viruses by E-mail, or programs
suspected of being viruses or Trojans. To get the samples across, the
files are encoded into printable form, often by the UUENCODE program.
However, if the person sending the file is at a BITNET site, the UUencoded
file will arrive corrupted. So, if you are sending binary files between
Internet and Bitnet machines and want to make sure they arrive OK - please
don't use UUencode - it is useless - use XXencode instead.
If anyone does not have xxencode.c or xxdecode.c, I will be happy to send out
copies of the programs.
- -frisk
Fridrik Skulason University of Iceland |
Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion
E-Mail:
[email protected] Fax: 354-1-28801 |
------------------------------
Date: Wed, 06 Feb 91 07:35:57 -0500
>From: Padgett Peterson <padgett%
[email protected]>
Subject: Re: Boot sector self-check (PC)
>From: Steve Albrecht <
[email protected]>
>
>While waiting for the same type of self-check in the boot sector, we
>have developed a small program (so far only intended to protect
>ourselves against reinfection by the Stoned virus) which does the
>following:
(lengthy description follows)
This method will detect the Stoned however "stealth" type
viruses (Brain, Joshi) will return the original boot sector
(floppy-Brain) or partition table (hard disk-Joshi) when an Int 13
request is processed since these viruses (as well as others) trap the
Int 13 call. A proven technigue is to first perform an Int 12 call
(returns # of k in hex to AX) and check for either 280h (640k) or 200h
(512k). Successful BSI/PTI viruses (Brain, Stoned, Joshi) go resident
at the TOM and change this value to some lower number.
Padgett
------------------------------
Date: Fri, 08 Feb 91 08:54:41 -0500
>From:
[email protected] (Judy S. Brand)
Subject: 4th Annual Ides-of-March Virus & Security Conference
Who SHOULD attend this year's Ides-of-March
Fourth Annual Computer VIRUS & SECURITY Conference
at the New York World Trade Center?
MIS Directors, Security Analysts, Software Engineers, Operations
Managers, Academic Researchers, Technical Writers, Criminal
Investigators, Hardware Manufacturers, Lead Programmers who are
interested in:
WORLD-RENOWNED SECURITY EXPERTS: CRIMINAL JUSTICE LEADERS:
Dorothy Denning - DEC Bill Cook - US Justice Dept
Harold Highland - Comp & Security Donn Parker - SRI Intl
Bill Murray - Deloitte & Touche Steve Purdy - US Secret Service
Dennis Steinauer - NIST Gail Thackeray - AZ Attorney
UNIVERSITY RESEARCH LEADERS: LEGAL/SOCIAL ISSUES EXPERTS:
Klaus Brunnstein - Hamburg Mike Godwin & Mitch Kapor - EFF
Lance Hoffman - GWU Emmanuel Goldstein - 2600 Magazine
Eugene Spafford - SERC/Purdue Tom Guidoboni - (R.Morris' lawyer)
Ken van Wyk - CERT/CMU Marc Rotenberg - CPSR
PLUS Fred Cohen, Ross (FluShot) Greenberg, Andy (DrPanda) Hopkins, and
over 40 MORE!
Over 35 PRODUCT DEMOS including: include Candle's Deltamon, HJC's
Virex, McAfeeSCAN, Symantec's SAM, ASP 3.0, DDI's Physician,
Gilmore's FICHEK, Certus, FluShot Plus, Iris's Virus Free, 5D/Mace's
Vaccine, Norton Utilities, PC Tools, Quarantine, Viruscan, Panda's
Bear Trap, Disk Defender, Top Secret, Omni, ACF2, RACF and OTHERS AS
REGISTRANTS REQUEST.
FIFTY PRESENTATIONS INCLUDE:
Security on UNIX Platforms, Tips for Investigators, HURRICANE Recovery,
Dissecting/Disassembling Viruses, 6 Bytes for Detection, LAN Recovery,
ISDN/X.25/VOICE Security, Encryption, Apple's Security, EARTHQUAKE Recovery,
IBM's High-Integrity Computing Lab, US/Export Issues, 22-ALARM Fire Recovery,
Publicly Available Help, Adding 66% More Security, NETWARE VIRUS Recovery,
Next Generation of Computer Creatures, THE WALL STREET BLACKOUT Recovery,
Mini Course in Computer Crime, Great Hacker Debate, REDUCING Recovery Costs,
S&L Crisis: Missing DP Controls, OSI and the Security Standard, Virus Myths,
Viruses in Electronic Warfare, US Armed Forces Contracts for New Ideas....
INTERESTED? ONLY $275 one day (Thurs 3/14 - Fri 3/15) or $375 both days:
* Bound, 600-page Proceedings containing ALL materials - no loose paper!
* Eight meal breaks, including Meet-the-Experts cocktail party 107th Floor
* 2-day track of product demo's * 2-day course for ICCP Security exam
* Full-day Legal & Justice Track * Full-day disaster Recoveries Track
There is a $25 discount for ACM/IEEE/DPMA members.
Fourth member in each group gets in for no charge!
To register by mail, send check payable to DPMA, credit card number
(VISA/MC/AMEX), or purchase order to:
Virus Conference
DPMA
Financial Industries Chapter
Box 894
New York, NY 10268
or FAX to (202) 728-0884. Be sure to include your member number if
requesting the discounted rate. Registrations received after 2/28/91
are $375/$395, so register now!
For registration information/assistance, call (202) 371-1013
Discounted rates available at the Penta Hotel. $89 per night. Call
(212) 736-5000, code "VIRUS"
Discounted airfares on Continental Airlines, call (800) 468-7022, code EZ3P71
Sponsored by DPMA Financial Industries Chapter, in cooperation with
ACM SIGSAC and IEEE-CS.
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 24]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253
