VIRUS-L Digest Thursday, 18 Apr 1991 Volume 4 : Issue 64

VIRUS-L Digest Thursday, 18 Apr 1991 Volume 4 : Issue 64

Today's Topics:

Re: AF/91 and April Foolism in general
AF/91 and April Foolism in general
Re: HyperCard anti-virus script bad (Mac)
Norton's Antiviral program Question (PC)
Self-extracting files (PC, mostly, I guess)
Amiga Virus Listing (Amiga)
Stoned Problems (PC)
New virus at Oxford? (PC)
Re: Unix viruses (UNIX)
Norton Anti-Virus (PC)
Re: April Fool?
Re: Gantz' Infoworld Column
the MDEF series of viruses (Mac)
Documented mainframe viral attacks (mainframe)
Re: Is virus infection by inserting floppy disk possible? (PC) (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: 17 Apr 91 04:46:37 +0000
>From: [email protected] (Victoria Harkey)
Subject: Re: AF/91 and April Foolism in general

The problem with the joke is that I did run across a trojan horse that
did activate on 4/1. If the system clock was reset to a date prior to
4/1, no music played when the infected files were accessed... however,
any date =>4/1 caused numerous songs. It was not benign.. In trying to
trap and eradicate the virus, it hit the File Allocation Table and
wiped out all access to the drive. They were using DOS 4.01, and my
software tools couldn't salvage the disk.

I've devirused a number of systems and networks; this little sucker
was not a joking matter.

Victoria Harkey
Certified NetWare Engineer

------------------------------

Date: Wed, 17 Apr 91 14:48:59 -0500
>From: [email protected] (Paul Carapetis)
Subject: AF/91 and April Foolism in general

> Date: Fri, 12 Apr 91 09:46:16 +0100
> From: Anthony Appleyard <[email protected]>
>
> In reply to these, I say this. Jokes can only be allowed to go so far. Too
> often people try to cap each other's jokes and go too far and cause much
> unfunny nuisance. Ref what someone in my scubadiving club said after a bout

I agree that there should be a limit to "jokes" but it seems to me
that such articles are easily spotted if read in full and have their
own merit in the form of some relief from the serious and morbid
atmospheres in this industry with a small light-hearted beam of
joviality! I don't know about you, but I don't belive anything
written in journals, magazines, newspapers etc. without confirmation
from a reliable source (none of the previous fit into this category,
IMHO). To go off in a big flap over an obvious april fools joke is a
sign that a holiday/vacation should be the next course of action.

Have a laugh - you'd be surprised how good it can make you feel!

Yours with a smile :-)
Paul

| Paul Carapetis, Software Advisor (Unix, DOS) | Phone: 61 3 4200944 |
| Melbourne Development Centre | Fax: 61 3 4200445 |
| Bull HN Information Systems Australia Pty Ltd |-------------------------|
| Internet: [email protected] | What's said here is my |
| ACSnet : [email protected] | opinion (so I am told!) |

------------------------------

Date: Tue, 16 Apr 91 22:50:00 -0500
>From: [email protected]
Subject: Re: HyperCard anti-virus script bad (Mac)

[email protected] (Michael Kerner) writes:
> Unfortunately, Bruce, if the script is going to spread, it has to get
> past the scripts in the HOME card of HC. Passing the message directly
> to HC does not bypass the HOME scripts.

A direct quote from Hypertalk Reference stack (2.0): "If you send a
message directly to Hypercard, you ensure that no other objects will
handle the message." This includes the Home stack script, no matter
what kind of HyperGatekeeper you've installed in your Home stack. Not
only could the virus spread to your home stack, it could then spread
to any other stack w/o warning from your "on set" script.

_____________________________________________
| / \ / \ |
| / You can't fight | | Mark Pilgrim \ |
| | in here -- this |\_______/| | |
\_____| is the WAR ROOM! |// \\| f8dy@cornella. |_____/
| (from Doctor /// \\\ cit.cornell.edu |
| Strangelove) /// \\\ |
\_______________/// \\\_______________/

My thoughts may not be my own, but they're certainly not my employer's.

------------------------------

Date: Tue, 16 Apr 91 22:24:54 -0700
>From: [email protected] (Rob Slade)
Subject: Norton's Antiviral program Question (PC)

[email protected] (PIKEY TAM L) writes:

> I have heard there was an article in a mag. comparing Norton's
> antiviral to McAfee's scan and that the Norton's program failed to
> identify the Stoned virus. Can anyone confirm or deny this?

In my testing of the Norton Antivirus program (see the reviews in the
cert and MIBSRV archives) it identified 3 versions of the Stoned
virus. I do not have copies of the "Stoned II/Donald Duck" versions,
so I can't vouch for that.

=============
Vancouver [email protected] | "Don't buy a
Institute for [email protected] | computer."
Research into (SUZY) INtegrity | Richards' First
User Canada V7K 2G6 | Law of Data
Security | Security

------------------------------

Date: Tue, 16 Apr 91 22:54:46 -0700
>From: [email protected] (Rob Slade)
Subject: Self-extracting files (PC, mostly, I guess)

Since this got chopped up good, the first time ...

We've had various discussions on the merits of "archived" and "self-
extracting" files for virus protection. The following is from a local
bulletin board:

Original message from: Rene Blais, to: All --
RB> simple way to detect viruses without scan or any similar
RB> program, as long as the virus infects EXE files no
RB> self-extracting compressed files will work as the virus
RB> scrambles the code. just a friendly hint from your friendly
RB> neighborhood virus-hater

I'm afraid it isn't that simple, Rene.

If the virus is an "overwriting" type, then yes this procedure should
work. However, if the virus is a "prepender" then it will execute
*before* the code that decompresses the program. The self extraction
module then may or may not fail to successfully run the program,
depending upon how it deals with the additional code at the beginning
of the file. In any case, if the viral program is one that "goes
resident", then the machine's memory is infected.

If the virus is an "appender", most of the same applies. It will have
a "jump" placed at the beginning of the file to the virus code at the
end, and then a "jump" instruction to the beginning of the file and,
again, executes the virus before the self-extraction module starts to
work. As with the prepender, the extraction of the program may or may
not be affected by the presence of header and trailer information.

However, in the case of the newer "spawning" viral programs, this
procedure does nothing at all for detection, because "spawning" viri
never touch the original file, relying on MS-DOS's "execution order
preference" for .COM files, and creating a separate virus file. The
separate file may be hidden from detection in various ways, and still
be "infectious."

=============
Vancouver [email protected] | "Don't buy a
Institute for [email protected] | computer."
Research into (SUZY) INtegrity | Richards' First
User Canada V7K 2G6 | Law of Data
Security | Security

------------------------------

Date: Tue, 16 Apr 91 22:48:57 -0700
>From: [email protected] (Rob Slade)
Subject: Amiga Virus Listing (Amiga)

[email protected] writes:

> Does anybody have a list of AMIGA viruses and their actions? There is
> an excellent list available for the IBM PC. Any info would be
> appreciated.

Klaus Brunnstein's excellent Computer Virus Catalog covers all the
bases: MS-DOS, Mac, Atari and Amiga. I do recall some difficulties
they have had obtaining samples for Amiga viri, since Amiga users tend
to want to "swap", and CARO won't do that.

=============
Vancouver [email protected] | "Don't buy a
Institute for [email protected] | computer."
Research into (SUZY) INtegrity | Richards' First
User Canada V7K 2G6 | Law of Data
Security | Security

------------------------------

Date: Wed, 17 Apr 91 11:13:33 +0100
>From: [email protected]
Subject: Stoned Problems (PC)

We are having problems with STONED here at Teesside Polytechnic. We
can detect it on our hard disks using SCAN and then get rid of it
using CLEAN, although we can detect it on floppies CLEAN hangs when we
try to get rid of it and the floppy is subsequently unusable.

The weird thing is that the floppies don't have any programs on them,
the particular case I dealt with just had 3 disks of wordstar files.
Does STONED scramble the FAT? Can it "hang around" in memory so that
SCAN reports the A drive as being infected although it is not on the
floppy in the A drive? Can STONED scramble the FAT of a floppy in the
A drive from the C drive or from memory?

Any help gratefully received.

Rgds,

Iain Noble
- -----------------------------------------------------------------------------
Iain Noble |
[email protected] | Post: Main Site Library,
JANET: [email protected] | Teesside Polytechnic,
EARN/BITNET: LBA002%pa.tp.ac.uk@UKACRL | Middlesbrough,
INTERNET: LBA002%[email protected] | Cleveland, UK, TS1 3BA
UUCP: LBA002%[email protected] | Phone: +44 642 342121
- -----------------------------------------------------------------------------

------------------------------

Date: Wed, 17 Apr 91 11:32:00 +0000
>From: [email protected]
Subject: New virus at Oxford? (PC)

Can anyone help us please. We are seeing a lot of corrupt PC files
recently from various departments in the university. They all have the
same file header which includes a small capital e with an accent acute
followed by the characters MSDOS3.3 then a load of garbage. The
software that created the files is unable to read them. We've scanned
some of the machines that produced these file with McAfee's SCAN v76.
SCAN doesn't detect anything.

Has anyone any ideas. I'm stuck except to suggest to the people
affected to do a low-level format and restore their software from
known clean copies.

Could you please pass on my thanks to A. Padgett for his reply to my
last query about IDE drives. I've tried to mail him personally but
keep getting unhelpful messages at my end about "site unknown".

Thanks in advance.

Lynne Munro

------------------------------

Date: Wed, 17 Apr 91 03:23:00 -0700
>From: [email protected] (Morgan Schweers)
Subject: Re: Unix viruses (UNIX)

Some time ago padgett%[email protected] (A. Padgett
Peterson) happily mumbled:

>In the VAX world, use of version numbers in file calls (does anyone
>else ?) would make such script spoofs more difficult.
>
>Key here is that "good" multi-user systems (e.g. unix) already have
>good defense mechanisms built in but rarely used.

Greetings,
Beg to differ, but...
[Wherein I deleted, a description of a very successful VMS worm,
based on version numbers]
<Sigh> There really *ARE* some things a person shouldn't post.
Suffice it to say that a person I knew used the version number
facility of VMS to make 'script spoofs' easy. (As well as using MBX's
as a 'trapdoor' facility which trapped the System manager even.
Scary. Took less than a few days.)

The 'version numbering' of VMS makes it susceptible to worms and
such. DCL worms, also, have been around a while.

All these things require that people run things out of other's
accounts. However, in an educational environment this can be
considered to hold true. In many other environments as well.

The problem here is that *WORMS* are easy on almost any system,
but Viruses seem to be only 'easy' on PC's. (I consider a worm a
program of which there is an entirely *SEPERATE* program, and a
virus a program which incorporates itself into the main program.)

If you are running a Un*x system, work on the intricacies of
protections. Proper passwording, proper protection, make sure your
users are 'security aware'. Run COPS on your system occasionally.
For the most part, you won't need to worry about worms or viruses.
As Padgett says, you've got great protections available. Now *USE*
them!

Of course if you *DO* run into one, comp.virus/VIRUS-L would
probably be very interested in it.

-- Morgan Schweers
+----
I'm out of my company's field here, so they probably don't
care what I'm saying now. -- [email protected]
- ----+

------------------------------

Date: Wed, 17 Apr 91 11:50:00 -0400
>From: [email protected]
Subject: Norton Anti-Virus (PC)

In testing the Norton Anti-Virus product against a file with multiple
infections of the Jerusalem B virus, I found that it will remove only
one instance of the virus at a time. It reports that the virus has
been "successfully removed" even though the remaining copies of the
virus remain attached to the file. Other products I've tested will
remove all instances of a multiple infection automatically, without
user intervention. I consider this aspect of the Norton product to be
a serious defect and I would hope to see it corrected in a subsequent
release.

Gary Garb Unisys Corp. Blue Bell, PA (215) 986-4038

------------------------------

Date: Wed, 17 Apr 91 16:53:18 +0000
>From: [email protected] (Thomas Wong)
Subject: Re: April Fool?

[email protected] (Wes Boudville) writes:
> I read that Infoworld article. Like many readers, I'm sure,
>I got a chuckle out of it. A lot of us are aware that media
>articles dated 1 April should be regarded with a grain of salt
>[like the story one year about Big Ben going digital]. Personally, I
>regard such articles as a refreshing and harmless sign of creativity.
> As a non-American, I find your comment to be a classic
>glimpse into the litigious nature of US society.

I have to agree with you there. It seems that as the days goes by,
there are stranger and stranger cases in the Amermican courts. People
are being sued from anything to everything. There was a joke about
this I read somewhere (can't recall where). The relevant part of the
story goes something like this. A lady trips over a branch on the
sidewalk in front of a building. She sues the gardener of the building
for malpractice, sues the owner of the building for negligence, sues
the city for pollution, sues the county for lack of control over its
cities, sues the State for not increasing the city spending for the
purchase of one more street cleaner, and sues President Bush for not
buying that Nintendo Danny wants so that he can actually be doing
something.

>Go ahead with your lawsuit. I suspect it will be thrown out
>of court.

I'm not so sure about that. I have seen some strange decisions before.
You know what they say in the US, if you have enough money to pay for
a good lawyer, you can get away with murder (or seek refuge in
Canada). :)

But come now. A joke is a joke. We all know what April fools mean. I
thought Americans are supposed to be funloving, free spirited group of
fellows. Not to mention freedom of speech and all that jazz.

Thomas.

------------------------------

Date: 17 Apr 91 17:02:49 +0000
>From: [email protected] (Kevin Crocker)
Subject: Re: Gantz' Infoworld Column

ROsman%ASS%[email protected] writes:

>I'm almost amazed that you were so taken in by Gantz' article. I will
>admit to reading the article with some interest initially, but it
>became clear that it was a farce towards the end. I have a lot of
>respect for the folks at NSA, but they play by the same laws of
>physics and math that the rest of us do, and I seem to remember some
>claims toward the end of the article that grossly violated both. The
>final "nail in the coffin" was the date of the issue (April 1,1991).
>I wish I had the issue in front of me so I could quote chapter and
>verse, but I don't.

I've keep quite about this because I enjoy a good yuck as much as the
next person. However, there are a lot of people that read a variety
of magazines just for info and pleasure that do not have the
math/physics/computer background to understand the sillyness of what
was written.

There are a lot of neophytes running around making all kinds of
decisions about computers that affect entire companies. Articles like
this one do an incredible disservice and create more uneasiness about
computers and viruses. Computer viruses are NOT something to joke
about. Several years ago I lost an entire 40Mb hard disk to something
(probably a trojan but I could never find it) Even though I had
backups I lost quite a bit of work that cost me several months to
recreate.

Viruses and trojans are not something that should be joked about,
especially if there is the slightest chance that the "joke" could fall
into a novices lap.

Kevin
- --
Kevin "auric" Crocker Athabasca University
UUCP: ...!{alberta,ncc}!atha!kevinc
Inet: [email protected]

------------------------------

Date: 17 Apr 91 17:48:29 +0000
>From: [email protected] (Robert A Carlin)
Subject: the MDEF series of viruses (Mac)

Hi. I was wondering if someone could help me with a slight
problem I seem to be having. I'm a graduate student here at UB (SUNY
Buffalo), and I work in a laboratory that has 4 Macs (3 SE/30s and a
IIsi). Recently, we found that two of the SE/30s were infected with a
virus called MDEF C. We tried to use SAM on it, but the best we could
do was detect the infected files - SAM couldn't repair them. Only
applications and the desktop were infected by this virus.

Our solution was to simply delete the infected files, rebuild the
desktop, and reinstall new versions of the System, Finder, and other
infected applications. However, some of the other students aren't
sure whether SAM is going to be effective in detecting this again, as
it didn't notify any of us about the infected floppy disk in the first
place. Are there any free- or shareware virus protection/disinfection
programs available? I had copies of Binhex and Stuffit which I was
fiddling around with, and they got infected, so I can't readily go the
archives to get programs...

Also, how long has the MDEF series of viruses been circulating? I
would assume that MDEF 'C' is the third version detected...? What
does it do? And finally, if the desktop of a floppy has been infected
with this virus, can that desktop be repaired/rebuilt and the floppy
put back into service?

Thanks in advance for your time.

Please reply by email - this topic has (most likely) been brought
up before, and I don't want to waste space. Thanks!

Rob Carlin

-
-------------------------------------------------------------------------------
Robert Carlin, State University of New York at Buffalo
INTERNET: [email protected] OR [email protected]

It's is not, it isn't ain't, and it's it's, not its, if you mean it is. If
you don't, it's its. Then too, it's hers. It isn't her's. It isn't our's
either. It's ours, and likewise yours and theirs.
- Oxford University Press, Edpress News

------------------------------

Date: Wed, 17 Apr 91 17:05:32 -0400
>From: Arthur Gutowski <[email protected]>
Subject: Documented mainframe viral attacks (mainframe)

In Virus-L V4 #63:
>Date: 16 Apr 91 22:38:13 +0000
>From: [email protected] (Gil Braunstein)

>I was wondering whether there are documented cases of viruses
>infecting mainframes or minis (basically not PCs). ...
> my instructor claims that there have not been any
>documented cases of viruses infecting mainframes that he knows of. On
>the other hand, another instructor claims to know about some cases but
>one of the few sources that he pointed out was Fred Cohen's paper.

To my knowledge, there are no known mainframe viruses (documented).
Unless you count the VM Xmas EXEC (and others like it) viruses. I
think these have been classified by most as worms rather than viruses,
because they are stand-alone programs and not parasitic. Some time
ago (late last year) there was extensive discussion as to the
possibility and feasibility of mainframe viruses. As a starting
point, you may want to check the Virus-L archives on cert.sei.cmu.edu
for these mainframe discussions. As for the Cohen paper, that may too
be on the cert archives (if it's available in electronic form--
Ken??). I think the general consensus then was that viruses were
definitely possible, but not a huge concern given the complexity of
mainframe environments and the different culture associated with
mainframes.

For what it's worth,

[Ed. Sorry,the Cohen papers are not available on our archives; if they
are publicly available electronically, I would be happy to place them
there, though. If anyone has info on this, please drop me a note.]

Arthur Gutowski
MVS System Programmer
Wayne State University AGUTOWS@WAYNEST1 (BitNet)
1+1=10 [email protected] (InterNet)
-Murphy's Base Law of Addition

------------------------------

Date: 17 Apr 91 18:23:51 +0000
>From: ingoldsb%[email protected] (Terry Ingoldsby)
Subject: Re: Is virus infection by inserting floppy disk possible? (PC) (Mac)

[email protected] (Rob Slade) writes:
..
> On a PC: no. Or at least, not with standard machines. (I use an old NEC
> laptop for my comm sessions, and it growls at every disk insertion so it
> must be doing *something*. But most PC's don't.)

I recently installed a floppy disk drive on a non-PC computer
(actually a Radio Shack Color Computer). I bought the drive without
power supply or cabinet and assembled the unit myself. I discovered
that the drive would cycle the power on for about 5 seconds every time
a disk was inserted, even when the drive was not connected to a
computer. It appears to be a feature that makes certain the disk has
seated itself properly before any data operations take place. As far
as I could tell the computer is not advised of the insertion. Perhaps
this is what you are experiencing?

- --
Terry Ingoldsby ingoldsb%[email protected]
Land Information Services or
The City of Calgary ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 64]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253