VIRUS-L Digest Friday, 26 Apr 1991 Volume 4 : Issue 70
Today's Topics:
Initial Virus Protection (PC)
Re: HC virus (Mac)
Re: mac virus question from amateur radio packet (PC)
TSR Virus Detector (PC)
Disabling the floppy-drives. (PC)
what might "SERUM" be for? (PC)
Viruses & System 7.0 (Mac)
What's so bad about self-extracting archives?
Re: Zenith Dos Writes (PC)
F-PROT on any trickle servers? (PC)
Re: PREVENTION of Drive A: boots - Suggestions Please (PC)
FPROT115 and Kamikaze virus (PC)
Warning: BITNET worm on the loose... (IBM VM/CMS)
New VM/CMS intruder. (IBM VM/CMS)
Telefonica virus at Oxford (PC)
Virus Software Query (UNIX)
Re: AF/91 and April Foolism in general
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Wed, 24 Apr 91 16:57:48 -0500
From: "Chris Wagner" <[email protected]>
Subject: Initial Virus Protection (PC)
We've just identified the stoned virus on our campus. We would like to
get some virus protection out to the pc's asap. We are looking at
FPROT and McAfee's SCAN & CLEAN. There are about 1000 pc's on campus,
almost all stand-alone pc's. Currently, no protection software is in
use on the pc's at this time. Right now, cost is a real factor due to
a limited budget.
Since the virus was found on several write protected floppies used on
drives with good write protection circuitry, we suspect the virus
might have been planted intentionally. With that in mind and the
thought that a nastier virus might be waiting on a disk somewhere,
does anyone have recommendations as to how to initiate some sort of
protection and what software to use?
I get the impression that the only way to be sure we don't have a
virus is to periodically scan our disks with the latest scanning
software we can find. Is this true? Is there some software that can
"guard the front door" to stop a virus from getting on a disk rather
than "constantly checking the house" to see if a disk is already
infected.
Thanks in Advance.
Chris Wagner
Computer Technician
Microcomputer Maintenance Dept.
Northern Michigan University
Marquette, MI 49855
PHONE: 906-227-1961
BITNET: STCW@NMUMUS
------------------------------
Date: Thu, 25 Apr 91 00:44:27 +0000
From: [email protected] (Michael Kerner)
Subject: Re: HC virus (Mac)
This bugger is essentially harmless - it just plays some German folk tunes.
Mikey.
------------------------------
Date: Wed, 24 Apr 91 21:08:00 -0500
From: Big fish man on hippocampus <[email protected]>
Subject: Re: mac virus question from amateur radio packet (PC)
Brian Riley writes:
>>------------------------------msg------------------------------------
>>From: ka2bqe@ka2bqe.#nwvt.vt.usa.na (Brian Riley)
>>
>> That WDEF A is 'mostly benign' is questionable. I recently had a query
>>made to the network about an infestation of nVIR B. Upon recommendation, I
>>obtained Disinfectant 2.4 and went to work cleaning house in the corporate
>>tower at the Village of Smuggler's Notch Resort where I do some part time
>>computer work. Of some 14 machines I scanned and cleaned, every one was
>>infected with a nVIR B that came to us attached to a copy of Stuffit 1.5.1.
>>Moreover every single HD desktop was infected with WDEF A. 85% of the
>>floppies were infected. Most machines were SE's or Plus's and a few
>>Classics, no II's. All system were complaining of 'minor annoyances';
>>premature program terminations, a number of the Plus's had Europa 20
>>external HD's and all of them were 50-50 whether or not they would boot
>>from HD. There were a number of other complaints that are hard to
>>categorize. ALL complaints stopped upon removal of WDEF A! I installed the
>>Protection INIT and everything has run smooth for several days with 0
>>complaints.
>>
>> I am sort of new to Macs (I have 8 years on PCs!) and its brand of virii,
>>but this experience would have to make me think that, while not maliciously
>>catastrophic, WDEF A is far from 'mostly benign!'
It seems to me that the effects can't be attributed to WDEF since nVIR
was also on the infected drives. It has been my experience that
although WDEF gets around quickly, it is not much of a problem
with the older machines. On the other hand, nVIR (which has made its
rounds here) is more of a pain and interferes with proper operation
much more often than WDEF.
Also, benign doesn't necessarily mean that it doesn't cause any
problems; it just means that it doesn't go out looking for trouble.
Think of a benign brain tumor; it doesn't eat up brain tissue, but it
does start putting pressure on the brain when it grows, eventually
destroying the tissue. Pretty yummy analogy, huh? =-)
Tony Maimer
[email protected]
------------------------------
Date: Wed, 24 Apr 91 21:09:45 -0500
From: John Councill <[email protected]>
Subject: TSR Virus Detector (PC)
Hi. I'm sure that this question has been asked here before, but I'll
ask it again:
Can anyone reading this recommend a reliable program that will sit in
memory and warn against writes to .EXE and .COM files, as well as
other suspicious virus-like activity without degrading performance of
the machine too much? Are there products like this that you've had
bad experiences with?
And while I'm posting this, I'll comment that it would be a GOOD THING
if someone from IBM who reads this, and is affiliated with VIRSCAN,
could announce new releases of this program on VIRUS-L. Such
notification would help me out a lot, as our IBM rep is usually
ignorant about it. AND it would help avoid the kind of rumor
flurrying that surrounded the last release.
Thanks,
John A. Councill Bitnet: JXA5@MARISTB
Technical Assistant Voice: 914-758-7494
Henderson Computer Resources Center of
Bard College in Idyllic Annandale-on-Hudson NY
<Opinions expressed are not necessarily those of my humble leaders.>
------------------------------
Date: Thu, 25 Apr 91 10:19:44 +0100
From: "Pete Lucas" <[email protected]>
Subject: Disabling the floppy-drives. (PC)
Andrew Turner (<[email protected]>) asks:
>To minimise and manage viruses at our institution I wish to prevent
>PC's being booted off Drive A: and only permit booting off the Hard
>Disk. This of course immediately presents a management problem of
>what to do if the Hard Disk goes bad and I need to boot off a floppy.
>So ideally any solution needs to address this situation. Two
>possibilities spring to mind:
>
>a. Use of a ROM. This would sit in the appropriate address space and be
> detected during the BIOS boot. The code would need to at least
> prevent floppy boots and desirably check for a floppy with a particular
> label and if detected permit the floppy boot. This would overcome the
> problem of a clobbered hard disk.
>
>b. Use of hardware modifications connected to a key switch mounted on
> the case which would be used to enable/disable floppy boots. On our
> machines the keyboard lock could be used for this purpose.
Both these options require modification to the PC. This may mean
problems when it comes to getting your machines serviced, or when you
want to sell them. Try explaining to the repair-shop or maintenance
engineer the modifications you have made, then see him go pale as he
wonders if these modifications are the reason for the fault.....
A far easier way is what I have done; you can buy floppy-drive locks
that simply fit into the drive slot and prevent anyone putting any
diskettes in the slot. All you need to remove the thing (when you
*need* to boot from or read a floppy) is a twist of the key. You
could give 'trusted' users a copy of the key to their PC.
These things are also far cheaper than any hardware/BIOS mods. are
likely to be.
Question is, what are your users going to be better at? Hardware
hacking, or lock-picking......?
Pete Lucas
[email protected] [email protected]
------------------------------
Date: Thu, 25 Apr 91 13:02:24 +0000
From: David Hansen <[email protected]>
Subject: what might "SERUM" be for? (PC)
A bunch of students came to Memorial University from Indonesia and
they claim that they have inadvertently brought an Indonesian virus
with them. They brought a cure called SERUM, which is an executable
file which only works on drive A. Can anyone help us? One colleague
of mine claimed to be getting flashing funny faces.
What might this virus actually BE? Is there really an Indonesian
virus?? How are we going to clean up our hard disks since SERUM only
works on drive A. PLEASE HELP.
[email protected]
------------------------------
Date: Thu, 25 Apr 91 09:23:40 -0400
From: Dave Martin <[email protected]>
Subject: Viruses & System 7.0 (Mac)
The report on GateKeeper 1.2 made me start wondering about how viruses
would behave under System 7.0 (one of the feature points said that
GK1.2 had better compatibility with Sys7, adding that users & viruses
shouldn't notice any differences). Has anyone experienced a virus
under System 7.0 (beta, FC, etc.), and if so, did they behave any
differently? Are any of them completely incompatible in that they
simply crash the machine when they try to do their dirty work, or do
they work just as they always have? Anyone looked at the code enough
even to tell what they'd do?
Of course, compatibility of old viruses aside, I get this gut feeling
that Sys7 will open the doors for more viruses, and make old ones
spread more easily. How will SAM react to an infected file run from a
FileShare folder? Or if someone puts a disk with WDEF into a drive
while a shared folder is open. Will SAM or any of the other active
detectors warn you when a virus tries to get in from the back door?
Does the AppleEvent manager have any built-in precautions to prevent
viri from sending events out to programs? Or from interfering with VM?
I know, lots of questions. Maybe they've been discussed before, I
don't know -- just signed on a week or so ago. As semi-official
manager of a small (~20) network, and someone who has had to clean
Scores, nVir, & WDEF from most of them many times, I'm curious how
much more trouble to expect from System 7.0.
Thanks.
Dave Martin, Geochemical & Environmental Research Group, Texas A&M University
[email protected] [email protected] [email protected] AOL: DBM
------------------------------
Date: Thu, 25 Apr 91 13:49:10 +0000
From: magnus%[email protected] (Magnus Olsson)
Subject: What's so bad about self-extracting archives?
I'm sorry if this question seems a bit naive, but why are people so
concerned about the risk of virus-infected self-extracting archive
files?
Can't you just first run the archive file through your favourite virus
checker, and if it passes the test extract it, and then test the
individual files that were inside it? Or have I missed something?
Magnus Olsson
Dept. of Theoretical Physics
University of Lund, Sweden
Internet: [email protected]
Bitnet: THEPMO@SELDC52
------------------------------
Date: 25 Apr 91 13:38:32 +0000
From: [email protected] (Malcolm Sharp)
Subject: Re: Zenith Dos Writes (PC)
Add Zenith models 150/151 to that list. SCANs of diskettes that are
known to be infected with Stoned have not been detected on these
machines. However, F-PROT picks them up. We have a 151 that recently
had its hard drive trashed due to Stoned. Had been using VSHIELD and
SCAN (first ver64, then 76, 76C). ???
------------------------------
Date: Thu, 25 Apr 91 17:22:19 -0500
From: Juan Jose Perez <[email protected]>
Subject: F-PROT on any trickle servers? (PC)
Hi,
How and where can I get F-PROT 1.15?
Can I get it from any trickle?
Thanks.....
Juan Jose Perez Bueno
Servicio de Informatica
Universidad Autonoma de Madrid
Ctra de Colmenar Km. 15
28049 Madrid (SPAIN)
Phone: +34 1 397 51 44
E-Mail: <[email protected]>
<JJPEREZ@EMDUAM11>
------------------------------
Date: 25 Apr 91 17:40:12 +0000
From: [email protected] (Wm E Davidsen Jr)
Subject: Re: PREVENTION of Drive A: boots - Suggestions Please (PC)
| >b. Use of hardware modifications connected to a key switch mounted on
| > the case which would be used to enable/disable floppy boots.
|
| Don't think this would work since all that is required to boot is for the
| disk to be read. I do not think a switch could prevent selective reads without
| disabling any read. (unless you have a use for a write-only floppy).
All you need is a switch the BIOS can read to disable trying the
boot on A:.
I mailed this to the original poster, but here's my idea. I suggested
it to a vendor, but they haven't used it, or at least not yet.
Have in the CMOS a "boot path" which works like the PATH variable, and
specifies which devices are to be tried, in what order. This allows
disable of floppy boot, as well as boot from B: if A: fails or if you
have one 5-1/4 and one 3-1/2, etc.
Use a password to allow access to change the configuration. If the
password takes too much room, save three bytes of CRC20 plus a value
for length range 1-15 characters. Length zero could mean "no
password."
--
bill davidsen ([email protected] -or- uunet!crdgw1!crdos1!davidsen)
"Most of the VAX instructions are in microcode,
but halt and no-op are in hardware for efficiency"
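Bill Davidsen's CMOS "boot path" and three-byte password record, worked through as an added C example (not code from the post or from any BIOS vendor): a drive-order string the firmware consults at power-on, a 20-bit CRC packed with a 4-bit length into three bytes, and a check that gates configuration changes. The CRC polynomial, the struct layout and all names are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CMOS layout sketched in the post: a "boot path" of drive letters tried in
 * order, plus a 3-byte password record holding a 20-bit CRC and a 4-bit
 * length (1..15). Length 0 means "no password". Field names are assumed. */
struct cmos_boot_cfg {
    char    boot_path[4]; /* e.g. "C" (hard disk only) or "CA" */
    uint8_t pw[3];        /* bytes 0-1 and low nibble of byte 2: CRC20; high nibble: length */
};

/* 20-bit CRC of the password. The polynomial is an arbitrary choice for this
 * example; the post does not name one. */
static uint32_t crc20(const char *s, size_t n) {
    uint32_t crc = 0xFFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint32_t)(unsigned char)s[i] << 12;
        for (int b = 0; b < 8; b++)
            crc = ((crc << 1) ^ ((crc & 0x80000) ? 0x8A8B1 : 0)) & 0xFFFFF;
    }
    return crc;
}
/* Store a 1..15 character password; -1 if the length does not fit the 4-bit field. */
int cfg_set_password(struct cmos_boot_cfg *c, const char *pw) {
    size_t n = strlen(pw);
    if (n < 1 || n > 15) return -1;
    uint32_t crc = crc20(pw, n);
    c->pw[0] = (uint8_t)(crc & 0xFF);
    c->pw[1] = (uint8_t)((crc >> 8) & 0xFF);
    c->pw[2] = (uint8_t)(((crc >> 16) & 0x0F) | (n << 4));
    return 0;
}
/* 1 if the attempt unlocks the configuration (or no password is set), else 0. */
int cfg_check_password(const struct cmos_boot_cfg *c, const char *attempt) {
    unsigned n = c->pw[2] >> 4;
    uint32_t stored = (uint32_t)c->pw[0] | (uint32_t)c->pw[1] << 8 | (uint32_t)(c->pw[2] & 0x0F) << 16;
    if (n == 0) return 1;
    return strlen(attempt) == n && crc20(attempt, n) == stored;
}
/* Change the boot order only after the password check passes; 0 on success. */
int cfg_set_boot_path(struct cmos_boot_cfg *c, const char *pw, const char *path) {
    if (!cfg_check_password(c, pw) || strlen(path) > 3) return -1;
    strcpy(c->boot_path, path);
    return 0;
}
/* What the BIOS consults at power-on: 1-based position of `dev` in the boot order, 0 if never tried. */
int cfg_boot_position(const struct cmos_boot_cfg *c, char dev) {
    const char *p = strchr(c->boot_path, dev);
    return (p && *p) ? (int)(p - c->boot_path) + 1 : 0;
}

int main(void) {
    struct cmos_boot_cfg cfg = { "C", { 0, 0, 0 } };  /* hard disk only, no password yet */
    cfg_set_password(&cfg, "lab-admin");
    int bad = cfg_set_boot_path(&cfg, "guess", "AC");      /* -1: refused */
    int good = cfg_set_boot_path(&cfg, "lab-admin", "AC"); /* 0: accepted */
    printf("wrong pw: %d, right pw: %d, A: now tried at position %d\n", bad, good, cfg_boot_position(&cfg, 'A'));
    return 0;
}
```

A 20-bit CRC is a tamper check, not a password hash: roughly one wrong guess in a million collides and a CRC is linear, so this record deters casual reconfiguration rather than a determined attacker with access to the CMOS contents.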
------------------------------
Date: Thu, 25 Apr 91 19:28:10 -0400
From: Ernest Crvich <[email protected]>
Subject: FPROT115 and Kamikaze virus (PC)
I apparently have run across the Kamikaze virus... I downloaded a
file called UUEXE.ZIP at FTP location MSDOS.ARCHIVE.UMICH.EDU in the
directory /archive/msdos/unix. When I ran F-FCHK on the two .EXE
files that were in the archive, the file UUDECODE.EXE caused the
message 'This file is infected with Kamikaze' to appear. I could find
no desc. of this virus in any of the three virus description files
included with F-PROT. Does this FTP location *NOT* check its files
for viruses?
Any info on this virus would be appreciated (was it a fluke?)...
Ernest Crvich
Bitnet : GENERAL@VTVM1
Internet : [email protected]
------------------------------
Date: Thu, 25 Apr 91 22:25:19 -0400
From: Valdis Kletnieks <[email protected]>
Subject: Warning: BITNET worm on the loose... (IBM VM/CMS)
Sorry for the cross-posting, but...
There is a worm loose on bitnet. I've gotten hit by 3 copies so far,
all coming out of PSUVM. I have not determined the origin node yet.
The important characteristics:
Name: ZT EXEC
Language: Rexx
Size: 68 lines.
It sends a copy of itself to everybody in your NAMES file, using
rather poor parsing, and the PUNCH command rather than SENDFILE. The
inducement to run it is that it claims to be a 'zebra tell', sending
multi-color messages (actually does 3270 extended attribute chars for
bright/normal).
I suggest that the core nodes put it in their filters.
Valdis Kletnieks
Computer Systems Engineer
Virginia Polytechnic Institute
------------------------------
Date: 25 Apr 91 22:37:27 -0500
From: "Tim Eisler (312) 996-7143" <[email protected]>
Subject: New VM/CMS intruder. (IBM VM/CMS)
ZT EXEC has appeared at UICVM, the University of Illinois at Chicago.
It reads the names file and sends itself to everyone. It does issue
the 'TELL' before sending itself. It has been added to the list of
intruders filtered out by the RSCS selective file filter. Below are
the comments from the beginning of the exec:
Tim Eisler Research Programmer
University of Illinois at Chicago
/*********************************************************************
ZT : The Zebra-Tell
Another product by HackerSoft, the masters of REXX Language
Purpose:
o Send a message in different colors
o Amaze your friends!
o Enhace your messages, with a later version of this program
Syntaxis:
ZT UserId <at node> Message
Zebra Tell will use alternating colors in your message, it -
won't work on systems running CHAT subsystem. This is due --
the use of Special Characters unavailable for CHAT.
***********************************************************************
** **
** ZebraTell (C) 1991 HackerSoft, the masters of REXX Language **
** **
***********************************************************************/
------------------------------
Date: Fri, 26 Apr 91 10:49:00 +0000
From: [email protected]
Subject: Telefonica virus at Oxford (PC)
Just to let you know that the virus plaguing Oxford turned out to be
Telefonica. We've had nine departments infected. I wanted to thank
everyone who mailed me with help on my query. Andy Holt at City,
Brighton, provided the fix we so desperately needed.
Thanks everyone for being so helpful.
Lynne
------------------------------
Date: Fri, 26 Apr 91 11:49:07 -0700
From: BOB STRINGFIELD <[email protected]>
Subject: Virus Software Query (UNIX)
Does anyone know of any virus software compatible with Sperry
5000/80/95, Unix operating system?
Thanks
***********************************************************************
Robert (Bob) L. Stringfield, Computer Systems Analyst
Mainz Army Depot
Directorate, Management Information Systems (D/MIS)
ATTN: SDSMZ-I
APO NY 09185
COML (No ETS or Autovon available): 06131-696328 (Germany)
FAX: 06131-696467
Electronic Mail: [email protected]
Alternative: bstring%[email protected]
Slogan: IGNORANCE hates knowledge....
------------------------------
Date: 24 Apr 91 21:06:52 +0000
From: [email protected] (Era Eriksson)
Subject: Re: AF/91 and April Foolism in general
* Quoting [email protected] (Dan King) to [email protected] (Jyrki Kuoppala):
> Come on, don't pick on the users. Attack, instead, the virus authors.
> If these people would write useful code instead of malignant code,
> then life would be grand.
I've been following this thread from the beginning, and I actually don't
have anything to add. Just wish to point out that REAL programmers,
APPLICATION programmers, have a huge responsibility for system security.
Somebody mentioned MS Word as an example of a program which overwrites its
own code occasionally. Your mistake, I say. Don't buy a word processor from
the company which produced the insecure operating system we're talking about
if you're concerned about viruses and security in general. ;-)
LAN operators should be particularly picky about the programs they choose to
offer the users. If a program can't behave, scratch it! There are going to
be virus attacks on any LAN at one time or another, so be prepared.
/* era */
[email protected]
If you want to see a disclaimer, that can be arranged.
--
Era Eriksson - via FidoNet node 2:220/801
UUCP: ...!fuug!casino!59!Era.Eriksson
INTERNET: [email protected]
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 70]
*****************************************