VIRUS-L Digest Wednesday, 17 Apr 1991 Volume 4 : Issue 63

VIRUS-L Digest Wednesday, 17 Apr 1991 Volume 4 : Issue 63

Today's Topics:

F-PROT version 1.15 available (PC)
Stoned and Dark Avenger mutations (PC)
New programs ob BEACH (PC)
Joshi virus fixed! (PC)
Re: AF/91 - John Gantz "joke" in Infoworld
RE: Norton's Antiviral program (PC)
Wasting my time
Malicious Code Responce Policy (ALL)
Re: UNIX & Viruses (UNIX)
Re: HyperCard anti-virus script bad (Mac)
Re: HyperCard anti-virus script bad (Mac)
Documented Cases of Viruses -- NOT on PCs or MACs
Re: Stoned 2 query (PC)
EMPIRE Virus (PC)
Re: Is virus infection by inserting floppy disk possible? (PC) (Mac)
Viraphobia (Re: AF/91 and April Foolism in general)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 15 Apr 91 23:14:02 +0000
>From: [email protected] (Fridrik Skulason)
Subject: F-PROT version 1.15 available (PC)

Version 1.15 of the F-PROT anti-virus package is now available. There
are no major changes from version 1.14 - you have to wait for 2.0 to
see all the new features. I have uploaded the program to
beach.gal.utexas.edu, but several other FTP sites will probably have
the package in a couple of days or so.

Version 1.15 added the following features:

Detection, but not disinfection of

Akuku
Doom2
Mardi Bros
Microbes
MIX2
Ontario
Spyer
Swedish disaster
USSR-1594
X-boot

Detection and removal of

10 past 3
1575
1600 (Jerusalem variant)
403
4th Black Friday (Jerusalem variant)
Aircop
AntiCAD/Plastique-2576
AntiCAD/Plastique-3004 (COBOL)
Azusa
Burger-382
Cascade 1701-YAP
Christmas Violator
Dark Lord (variant of Terror)
Deicide
Dutch-555
Enigma
Fichv 2.1
Flip/Omicron-2153
The 4th Black Friday (Jerusalem variant)
Frere-2 (Jerusalem variant)
G-Virus, version 1.3 (731)
Gergana
Grither (Vienna variant)
HIV
Hybryd
Iraqui Warrior (Vienna variant)
Jeff (impossible to disinfect)
June 4th (Stoned variant)
Klaeren (impossible to disinfect)
Kylie (Jerusalem variant)
Leprosy-A
Leszop (Stoned variant)
Magnitogorsk
Michelangelo (Stoned variant)
Micro-128
Minimal-45
Mirror
MG-4
Monxla-B
Paris
Phantom
Plague
Rostov (Stoned variant)
September 18th-789 (first reported as "805")
September 18th-801 (first reported as "817")
Sexual revolution (Stoned variant)
South African-408
Spanish Telecom (boot-form)
Staf
SVC 3.1
Taiwan-C (752 byte variant)
Taiwan-D (677 byte variant)
Testvirus B
Vienna VHP-622 from Bulgaria
Vienna 822 from Hungary
Wolfman

Removal of the following viruses, which were detected in 1.14

905
Lovechild
Terror
Vienna-644

The "405" and "382" viruses have now been reclassified as
Burger-variants.

The names of some viruses have been changed, in most cases
because the viruses had only a temporary, numeric name.

1600 --> Happy New Year
417 --> F-word
Perfume --> G-Virus

/NOBOOT switch added to F-DRIVER to disable memory check at boot
time. Should only be used on computers with Network Boot ROMs,
where the standard F-DRIVER has caused problems.

/QUICK switch added to F-FCHK. Using it results in faster
scanning, but reduces the chances of detecting previously
unknown variants of "old" viruses.

/DELETE switch added to F-FCHK. If it is used, infected files
will be overwritten several times and then deleted.

The F-INOC and F-DIR programs are not included any more,
as they were practically useless.

F-FCHK will now indicate if a program has been compressed by
DIET, LZEXE or PKLITE. The programs will not be scanned - that
will be added in a later version.

A small program (F-TEST) has been added to determine if F-DRIVER
is installed and working properly. See USAGE.TXT for further
information.

The following bugs/problems have been fixed:

F-DISINF /MULTI did not work under all circumstances.

Conflicts between F-DRIVER and PC-NFS have been
eliminated.

Version 1.14 was not able to remove all variants of
Jerusalem, including some which 1.13 handled successfully.
This has been fixed.

------------------------------

Date: Mon, 15 Apr 91 22:00:00 -0300
>From: Raul Fernando Weber <[email protected]>
Subject: Stoned and Dark Avenger mutations (PC)

Three slightly different versions of the Stoned virus were detected
during the last months in Porto Alegre (Southern Brazil).

The first version contains the string "Your PC is now Stoned! <bell>
<cr> <lf> <lf> <null> LEGALISE MARIJUANA!". In the second version this
string now reads "Your PC is now Stoned! <bell> <cr> <lf> <lf> <null>
LEGALISEm disk or d". Curiously, the last part of the modified string
seems to be derived from the original boot sector, where the string
"Non-System disk or disk error" can be found at the same offset. I
wonder if this can happen due to a failure at the propagation routine?

The third version is quite different, and was first detected in a city
near Porto Alegre. The string now reads "Collor, um tiro basta! <cr>
<lf> <lf> Call John MacAFee? <space> <cr> <lf>". The first line is in
Portuguese and means "Collor, one shoot is enough!", a protest against
the economic plan of President Collor. There is another modification,
however, probably to protect this mutation against virus scanners.
Beginning at the offset 63, four bytes were changed from BE 04 00 57
to 57 BE 04 00. With this change, SCAN and CLEAN cannot detect the
virus anymore. The program F-BOOT from the FPROT114 package, however,
is still able to detect and remove the virus (Good work, Frisk!).

Another virus that also appeared in the last weeks was Dark Avenger.
The string "Eddie lives...somewhere in time!" can be detected at the
beginning of the virus body, but the final string was modified to
"This virus was created in Singapore (C) Copyright 1990-91 Data
Maniac". Both SCAN/CLEAN and F-FCHK (from FPROT114) are able to detect
and eliminate this virus.

Raul F. Weber
Institute of Informatic
Federal University of Rio Grande do Sul
Porto Alegre - RS
Brazil
e-mail: [email protected]
or weber%[email protected]

------------------------------

Date: Tue, 16 Apr 91 08:45:00 -0500
>From: John Perry KG5RG <[email protected]>
Subject: New programs ob BEACH (PC)

The anonymous FTP server at BEACH.GAL.UTEXAS.EDU has added the
following programs to the [anonymous.pub.virus.pc] directory:

FPROT115.ZIP
SCANV76C.ZIP
NETSCN76.ZIP
VSHLD76C.ZIP
INAZUSA.ZIP

John Perry KG5RG
University of Texas Medical Branch
Galveston, Texas 77550-2772

You can send mail to me at any of the following addresses:

DECnet : BEACH::PERRY
THEnet : BEACH::PERRY
Internet : [email protected]
Internet : [email protected]
BITNET : PERRY@UTMBEACH
SPAN : UTSPAN::UTADNX::BEACH::PERRY
FIDOnet : 1:106/365.0

------------------------------

Date: 16 Apr 91 04:36:52 +0000
>From: [email protected] (Tony Locke)
Subject: Joshi virus fixed! (PC)

Thanks to all those who replied to me with advice for fixing the Joshi
virus. I never actually got to see a program eliminate it on my
particlar machine, ever using Clean and Scan, I managed to eliminate
it using a low level format from the BIOS.

Thanks for all help

Tony Locke

------------------------------

Date: 16 Apr 91 15:03:32 +0000
>From: [email protected] (Chuck Hoffman)
Subject: Re: AF/91 - John Gantz "joke" in Infoworld

[email protected] (Malcolm Sharp) writes:
> I'm not laughing.

No, I guess you're not. It sounds like you went to a lot of trouble in
response to it.

> I'm searching for the adjectives to describe this irresponsible
> act.
>
> Anyone else spend time investigating this virus from the 4/1 columns?

"Thoughtless," maybe. "Irresponsible?" I don't think so. He's not
responsible for what you do on the basis of one, uncorroborated report. I
think I might have checked with this network first before spending a lot
of time.

> I'm *seriously* considering a class action suit for compensatory
> (small $) and punitive (BIG $$$) damages.
>
> Interested in hearing from others.

Maybe you should hear from John Gantz (privately). You didn't mention
whether or not you called him to discuss this before you put a lot of
effort in. I've called authors of professional articles and textbooks
several times, and they all have seemed pleased to get the call.
They've all had more to say than was actually in print. A call might
have helped, here. Or even a non-public exchange of e-mail, before
launching a difficult virus hunt.

I'm sorry that you went to such trouble. Maybe a little beforehand
communication with the net or the author will be helpful next time
something like this comes up, and it might save you a lot of effort.

- - Chuck Hoffman, GTE Laboratories, Inc. | I'm not sure why we're here,
[email protected] | but I am sure that while we're
Telephone (U.S.A.) 617-466-2131 | here, we're supposed to help
GTE VoiceNet: 679-2131 | each other.
GTE Telemail: C.HOFFMAN |

------------------------------

Date: 16 Apr 91 14:40:58 -0400
>From: "John D. Hopkins" <[email protected]>
Subject: RE: Norton's Antiviral program (PC)

> I have heard there was an article in a mag. comparing Norton's
> antiviral to McAfee's scan and that the Norton's program failed to
> identify the Stoned virus. Can anyone confirm or deny this?

I can absolutely guarantee you that this is false!! The Norton
Anivirus program found the bloody Stoned virus on one of our machines
and sucessfully removed it with no bother. I had trouble getting the
thing cleaned off a floppy, but McAfee didn't do any better.

So far we have no complaints with Norton.

+-------------------------------------------------------------------------+
| John D. Hopkins, Operational Support |Through the darkness of future |
| <[email protected]> |past, The magician longs to see|
| Col. of Business Admin. Computer Center |One chants out between two |
| University of Georgia ph. 2-3829 |worlds, Fire... walk with me. |
+-------------------------------------------------------------------------+

------------------------------

Date: Tue, 16 Apr 91 15:51:00 -0500
>From: [email protected]
Subject: Wasting my time

I am amusingly considering a classless action against
Malcolm Sharp et al for wasting my time on their hurt
pride.

"I'll have my computer get in touch with your computer"
- ----------------------------------------
Richard Howland-Bolton
Manager Publications Computing
Cornell University
Internet: [email protected]
Compuserve: 71041,2133
AppleLink: CUGURU
Voice: (607) 255-9455
FAX: (607) 255-5684
Post: Publications, East Hill Plaza
Ithaca, NY 14850
Etc, etc.
- ----------------------------------------

------------------------------

Date: Tue, 16 Apr 91 14:02:52 -0600
>From: [email protected]
Subject: Malicious Code Responce Policy (ALL)

The University of Alberta has recently been hit by a new PC virus
("Evil Empire"). As often happens in such cases, we were caught less
than fully prepared and have been scrambling (with much help from
various anti-viral experts on the net) to react to this threat. We are
now making progress and hope to soon announce a full recovery.

We have also over the past two years started seeing other examples of
malicious code on Macintosh and PC machines, both in our public labs
and on individual student and staff machines.

As a result, management here is now more sensitized to the problem and
we are in the process of developing a more formalized campus-wide
"Malicious Code Response Policy" that can be used as a starting point
for future responses. It will address all facets of the problem when
it is done: emergency response, prevention, escalation policies, who
to contact, how to do certain things, etc. I have been asked to
develop it, and have several ideas of my own with with which to start.

However, I am sure that other organizations have faced the same
situation and may have such policies already in place.

I would appreciated receiving advice, suggestions, or text of already
developed anti-viral policies from members of the net. In return, I
would be pleased to share our policy when developed with members of
the net.

If you can help, please forward materials to me either electronically
or by physical mail (machine readable if possible) to one of the
addresses below. The QuickMail address is not (yet!) quite as reliable
as the others.

If there are any special conditions that you wish attached to material
submitted (such as confidentiality), please so state and we will abide
by them. Thanks...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Peter Johnston | Voice : 403/492-2462
University Comput Systems | FAX : 403/492-1729
352 GenSvcBldg, | BitNET : usergold@ualtamts
The University of Alberta | Internet : [email protected]
Edmonton, Alberta | QuickMail: Peter_Johnston@
Canada T6G 2H1 | : quest.ucs.ualberta.ca
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

------------------------------

Date: Tue, 16 Apr 91 21:00:20 +0100
>From: Paul <[email protected]>
Subject: Re: UNIX & Viruses (UNIX)

[email protected] ([email protected]) writes:
> The simplest form of a *NIX virus is :
> cp $0 .
> Now *every* *NIX platform I know of will run this "virus"
> P.S. **NOTE DO NOT RUN THIS VIRUS, SO I DON'T HAVE TO SAY "I TOLD YOU SO"**

Ooops, just ran it!

It said "No file for $0.".

Thats on Sun OS 4.1 running csh.

Just how is cp $0 . supposed to be a virus? Even if $0 was defined to
something valid all it would do is copy a file into your current directory.

Paul Sutton
Department of Computing, University of Bradford, Bradford, BD7 1DP, UK
[email protected]

------------------------------

Date: Tue, 16 Apr 91 15:47:34 +0800
>From: [email protected]
Subject: Re: HyperCard anti-virus script bad (Mac)

>Unfortunately, Bruce, if the script is going to spread, it has to get
>past the scripts in the HOME card of HC. Passing the message directly
>to HC does not bypass the HOME scripts.
>
>Mike
>Mac Admin
>WSOM CSG
>CWRU
>[email protected]

Of course sending to HyperCard bypasses the Home stack scripts, which
you could have easily verified if you had bothered to check. Here is
a simple example. There is a handler called "xy" in the stack script
of the Home stacks of both version 1 and 2 of HyperCard. Execute the
following handler from a button, or execute the statements
individually from the message box.

on mouseUp
xy
send "xy" to HyperCard
end mouseUp

The first xy executes the xy handler in the Home stack (which gives
you an updating mouseLoc in the message box). Click to exit the xy
handler. The send executes and you get a "Can't understand xy"
message because HyperCard doesn't know what to do with the "xy"
message. The handler is in the Home stack and has been bypassed by
the send. Or here is a more directly related example. Put the
following in your Home stack.

on set
answer "Tried to use set"
end set

This should prevent any set from being executed. It is easily
bypassed by using the send format.

Bruce Carter, Courseware Development Coordinator Lab: (208) 385-1859
Faculty Development Lab - Room 213 Office: (208) 385-1250
Simplot/Micron Technology Center CompuServe ID: 76666,511
Boise State University CREN (BITNET): duscarte@idbsu
1910 University Drive Internet: [email protected]
Boise, ID 83725 --> Preferred: [email protected]
===============================================================================

------------------------------

Date: Tue, 16 Apr 91 14:36:19 -0900
>From: "Jo Knox - UAF Academic Computing" <FXJWK@ALASKA>
Subject: Re: HyperCard anti-virus script bad (Mac)

> [email protected] (Michael Kerner)

writes:

> Unfortunately, Bruce, if the script is going to spread, it has to get
> past the scripts in the HOME card of HC. Passing the message directly
> to HC does not bypass the HOME scripts.

Untrue---sending the command to HyperCard DOES bypass the normal HyperCard
message inheritance path! (Course, I know nothing about 2.0...)
jo

------------------------------

Date: 16 Apr 91 22:38:13 +0000
>From: [email protected] (Gil Braunstein)
Subject: Documented Cases of Viruses -- NOT on PCs or MACs

I was wondering whether there are documented cases of viruses
infecting mainframes or minis (basically not PCs). So far all books
about viruses that I read do not document cases of viruses they simply
describe how it can be done. I'm a CS graduate student at USC and I'm
taking a course in information security (unfortunately not given by
the CS department), my instructor claims that there have not been any
documented cases of viruses infecting mainframes that he knows of. On
the other hand, another instructor claims to know about some cases but
one of the few sources that he pointed out was Fred Cohen's paper.
The Fred Cohen paper seems to be missing from the school's library so
I was wondering if any of you have access to that paper and can send
me a copy and also about any other documented cases of viruses
infecting non-Pcs.

Thanks in advance,
Gil.

------------------------------

Date: 16 Apr 91 23:17:18 +0000
>From: [email protected] (Malcolm Sharp)
Subject: Re: Stoned 2 query (PC)

According to my sources, Stoned 2 is a "shadow" of Stoned... if you
use the McAfee CLEAN [Stoned], Stoned 2 will go away.

------------------------------

Date: Wed, 17 Apr 91 12:30:00 +1200
>From: "Nick FitzGerald" <[email protected]>
Subject: EMPIRE Virus (PC)

In VIRUS-L Digest V4 #62 padgett%[email protected]
(A. Padgett Peterson) wrote:

> In my previous alert on the EMPIRE virus, I had not yet seen the
>second sector with the transposed text. Since then I have received
>this
>[deletions]
>Text of encrypted message follows:
>
>I'm becoming a little confused as to where the "evil empire" is these
>days.
>[rest of virus message deleted]

If it's not too late, I would respectfully suggest that "Evil Empire"
is a better name for this virus as it is more easily identified when
the beasty does trigger and display its message, _AND_ it is a "more
unique" name.

Tim also sent me a copy of this virus, and it has an interesting
feature when it infects a HD with a controller that writes to the MBR.

A week or so ago, it was mentioned that some XT HD controllers write
up to 17 bytes (yep, 17!) of guff to the MBR immediately before the 64
bytes reserved for the partition table. Well, my XT at home has just
such a controller and when that machine is infected with the Empire
virus (I'll use this name for now to avoid/prevent confusion) the HD
is rendered unbootable. This is because the HD controller seems to
always slip its mystery bytes into a write to 0,0,1, including the
viral infection write. As the Empire virus code requires all of the
MBR sector apart from the last 66 bytes, its code is corrupted by
these 17 mystery bytes, and it doesn't execute correctly, hanging the
machine at boot-up.

- ---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: [email protected] Phone: (64)(3) 642-337

------------------------------

Date: Tue, 16 Apr 91 22:24:00 -0500
>From: [email protected]
Subject: Re: Is virus infection by inserting floppy disk possible? (PC) (Mac)

[email protected] (Michael Kerner) writes:
> That's what WDEF viruses do on the Macintosh - they transfer from the
> "desktop" file of the infected floppy to the host. However, they are
> also extremely easy to kill, and don't do any real damage, so they are
> not (yet) seen as a big threat.

It may be easy to kill (rebuild your desktop!) but it also spreads
like wildfire. And it certainly does do "real damage" -- where I
work, people have lost papers because WDEF crashed their system and
corrupted their files. It causes printing problems, it crashes a Mac
II almost immediately, and God help you if you get it on a server!

In reply to the original question, CDEF (Mac) also works like this:
infecting the desktop file, usually on disk insertion. And since it
was written at Ithaca High School, it is _all_over_ Cornell. (Lucky
us.)

_____________________________________________
| / \ / \ |
| / You can't fight | | Mark Pilgrim \ |
| | in here -- this |\_______/| | |
\_____| is the WAR ROOM! |// \\| f8dy@cornella. |_____/
| (from Doctor /// \\\ cit.cornell.edu |
| Strangelove) /// \\\ |
\_______________/// \\\_______________/

My thoughts may not be my own, but they're certainly not my employer's.

------------------------------

Date: 17 Apr 91 02:27:05 +0000
>From: "Eric C. Pan" <[email protected]>
Subject: Viraphobia (Re: AF/91 and April Foolism in general)

I am getting tire of all the people whose hair stand on ends
at the mentioning of viruses. I think April Fool's Day is a nice way
to relax....
I believe some people are too easily paniced by any mentioning
of virus. I am beginning to wonder if you will believe me if I claim
that the human acquired immune deficiency syndrome, i.e. the HIV virus
is spreading to computer. Gosh, I am tired of all the people who ask
me to check their disks for viruses everytime they get a system error,
or their drive makes a funny sound.
Track Record so far? Out of 20 some people I helped, none of
them have ANY VIRAL INFECTION. NONE! And yet everyday, someone would
scream "Computer Virus" because they crashed their system, sometimes
because they pushed their reset button.
Is there someway we can stop this PARANOIA? I think sueing
anyone who bring up virus as a joke is definitely not a solution.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 63]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253