VIRUS-L Digest Monday, 29 Apr 1991 Volume 4 : Issue 71
Today's Topics:
Info wanted on Plastique (PC)
Viruses and Database Systems
Help! Casper/1260 virus (PC)
IBM Scanner Updates (was: TSR Virus Detector (PC))
AIRCOP alert (PC)
Stoned Again (PC)
Disabling the floppy-drives. (PC)
Re: PREVENTION of Drive A: boots - Suggestions Please (PC)
Version 1.15A of F-PROT (PC)
HyperCard virus --should I wait to script? (Mac)
F-PROT 1.15A anti-virus package uploaded to SIMTEL20 (PC)
Yankee Doodle virus (PC)
Malicious Program Definitions
Re: Virucide query (PC)
can we trust diskette write-protection? (PC)
F-FCHK 1.15 & Casper Virus (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 26 Apr 91 10:20:29 +0000
From: [email protected] (Tim Bouwer)
Subject: Info wanted on Plastique (PC)
Hi
We have been infected with the Plastique virus and the Jerusalem virus
as reported by McAfee's SCAN program (Ver74).
The virus infected files on our Novell 386 server and was inhibited in
its spread by a program we use which prohibits users from running
files that have been modified in any way.
We have some people working on disassembling the code, but have become
concerned that we are in for more trouble from it before this is
complete.
Could any kind soul send us some more info on this - an anonymous FTP
site, or some live info that you may have gathered.
Thanks
Tim
--
| Tim Bouwer Computing Centre Tel: 27 [0]461 22023 ext 288 |
| Rhodes University Grahamstown FAX: 27 [0]461 25049 |
| 6140 South Africa Internet: [email protected] |
-----------------------------------------------------------------------
------------------------------
Date: 26 Apr 91 16:15:07 +0000
From: [email protected] (Ramzi A. Haraty)
Subject: Viruses and Database Systems
Greetings,
Does anybody know how to handle viruses in a database system?
In a database environment there would certainly be a lot of updates
and I was wondering how could one limit the infection of viruses into
data items. In other words, how do we guarantee that untrusted users
or processes won't infect our database with viruses?
P.S. I am talking at the system level here.
Thanks in advance
Ramzi Haraty
email: [email protected]
------------------------------
Date: 26 Apr 91 16:33:31 +0000
From: [email protected] (HAWKINS, WILLIAM DARYL)
Subject: Help! Casper/1260 virus (PC)
I have just recently scanned my hard drive with F-PROT115. During
the scan, it returned the message - possible virus found: casper/1260.
The file which it says is infected is vaxlink.exe. As the name
implies, I use it to upload and download files to and from the vax.
When I tried to disinfect the file, F-FCHK still reported a possible
infection, but would not... or could not disinfect the file. I have
also scanned the same file with McAfee's SCANV76C, and it does not
report an infection. The question: Do I have an infection? (or is
F-FCHK interpreting a piece of code in the vaxlink program as the
signature of the casper/1260 virus...) If I do have an infection, why
won't F-PROT disinfect the file?
Any help would be greatly appreciated...... Thanks in advance.
------------------------------
Date: 26 Apr 91 13:29:09 -0400
From: "David.M.Chess" <[email protected]>
Subject: IBM Scanner Updates (was: TSR Virus Detector (PC))
John Councill <[email protected]>:
> it would be a GOOD THING if someone from IBM who reads this, and is
> affiliated with VIRSCAN, could announce new releases of this program
> on VIRUS-L.
Mea probably Culpa. I certainly agree it would be good if we (I) did
this regularly. We did it informally for the first couple, and only
after-the-fact for 2.00.01; my only excuse is that I (HICL's official
Network Junkie) was out of town when it was released, and we don't
have it down anywhere as an official Thing To Do. We'll correct that!
Dave Chess
High Integrity Computing Lab
IBM Watson Research
------------------------------
Date: Fri, 26 Apr 91 15:23:33 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: AIRCOP alert (PC)
Recently, one of our users brought a laptop in for screening. The
AIRCOP boot sector infector was found on two of the 3 1/2 utility
disks furnished with the machine & we have reason to believe that
the virus was on the disk prior to the utility files.
The disks are professionally labeled MS-DOS V4.01 utility/diag printed
by CAF Computer Corp. under license from Microsoft Corp.
The virus appears to conform to published reports and contains the
"RED STATE" message in encrypted form. The virus also appears to
expect 360k floppies since the location the original boot sector is
stored in would be in the middle of any larger capacity disk.
Since the disk conforms to most Microsoft boot sector specifications,
automatic routines may not pick it up however SCAN v66 and later will
detect it as should any routine looking for memory size information
manipulation.
The virus when active does not employ any stealth and will take 1k
bytes from the top of memory. Infected disks may be identified by the
lack of the normal error messages in the boot sector except for the
ASCII "NON-SYSTEM" found at the end of the boot sector just prior to
the MS signature.
------------------------------
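The AIRCOP post above gives two defender-side tells: the infected sector still conforms to the Microsoft boot sector layout (so purely structural checks pass), and the normal DOS error messages are missing, leaving only an ASCII "NON-SYSTEM" just before the boot signature. The Python below is an added example written for this digest, not code from the post or from any scanner it mentions. It decodes the BIOS Parameter Block of a 512-byte boot sector image, extracts the printable strings, and flags a sector whose only message text is "NON-SYSTEM" ending just before the 55AA signature. The two sample sectors are constructed here for illustration and are not real disk images; the message offset used in the clean sample and the 16-byte "just before the signature" tolerance are assumptions.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
OEM_NAME_RANGE = range(3, 11)      # 8-byte OEM name follows the 3-byte jump
# Assumed tolerance for "ends just prior to the signature".
TAIL_WINDOW = 16


def extract_strings(data, min_len=6):
    """Return (offset, text) for each run of printable ASCII of at least min_len bytes."""
    runs, start = [], None
    for i, b in enumerate(data):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, data[start:].decode("ascii")))
    return runs


def parse_bpb(sector):
    """Decode the DOS 3.0-style BIOS Parameter Block that starts at offset 11."""
    fields = struct.unpack_from("<HBHBHHBHHH", sector, 11)
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
             "fat_copies", "root_entries", "total_sectors", "media_descriptor",
             "sectors_per_fat", "sectors_per_track", "heads")
    return dict(zip(names, fields))


def bpb_is_sane(bpb):
    """Plausibility checks a floppy BPB should pass; AIRCOP-style sectors pass these too."""
    spc = bpb["sectors_per_cluster"]
    return (bpb["bytes_per_sector"] == 512
            and spc > 0 and spc & (spc - 1) == 0
            and bpb["fat_copies"] in (1, 2)
            and 0xF0 <= bpb["media_descriptor"] <= 0xFF
            and bpb["total_sectors"] > 0)


def analyse_boot_sector(sector):
    """Structural checks plus the text heuristic from the post: only 'NON-SYSTEM' before 55AA."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte boot sector image")
    signature_at = SECTOR_SIZE - len(BOOT_SIGNATURE)
    # Ignore the OEM name; only real message text counts as a message.
    messages = [(off, txt) for off, txt in extract_strings(sector[:signature_at])
                if off not in OEM_NAME_RANGE]
    non_system_only = (
        len(messages) == 1
        and "NON-SYSTEM" in messages[0][1].upper()
        and messages[0][0] + len(messages[0][1]) >= signature_at - TAIL_WINDOW
    )
    return {
        "has_signature": sector[-2:] == BOOT_SIGNATURE,
        "bpb_sane": bpb_is_sane(parse_bpb(sector)),
        "messages": [txt for _, txt in messages],
        "suspicious": non_system_only,
    }


def _skeleton():
    """Constructed 360K-floppy skeleton (jump, OEM name, BPB, signature); not a real image."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xEB\x3C\x90"
    s[3:11] = b"MSDOS4.0"
    struct.pack_into("<HBHBHHBHHH", s, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2)
    s[-2:] = BOOT_SIGNATURE
    return s


def make_clean_sample():
    """Constructed clean sector: carries the usual two-line DOS error message."""
    s = _skeleton()
    msg = b"Non-System disk or disk error\r\nReplace and press any key when ready\r\n"
    s[0x180:0x180 + len(msg)] = msg      # message offset is an assumption
    return bytes(s)


def make_aircop_like_sample():
    """Constructed sector with only 'NON-SYSTEM' right before the signature, as the post describes."""
    s = _skeleton()
    s[500:510] = b"NON-SYSTEM"
    return bytes(s)


if __name__ == "__main__":
    for name, sample in (("clean", make_clean_sample()), ("aircop-like", make_aircop_like_sample())):
        print(name, analyse_boot_sector(sample))
```

The point of splitting the checks is that `has_signature` and `bpb_sane` come back true for both samples, which is exactly why the post warns that "automatic routines may not pick it up"; only the message heuristic separates them. On a real system the same function can be run over a sector read with a raw disk tool, and a memory-size check (the 1K taken from the top of conventional memory) gives an independent second signal.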
Date: Fri, 26 Apr 91 15:23:33 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Stoned Again (PC)
>From: "Chris Wagner" <[email protected]>
>Subject: Initial Virus Protection (PC)
>Right now, cost is a real factor due to a limited budget.
>I get the impression that the only way to be sure we don't have a
>virus is to periodically scan our disks with the latest scanning
>software we can find.
>From: John Councill <[email protected]>
>Subject: TSR Virus Detector (PC)
>Can anyone reading this recommend a reliable program that will sit in
>memory and warn against writes to .EXE and .COM files, as well as
>other suspicious virus-like activity without degrading performance of
>the machine too much?
On the PC, a virus must be executed to have any effect & there are
three ways for this to occur: cold boot from floppy, warm boot from
floppy, user request. The last two can be controlled by software (e.g.
McAfee V-Shield), the first only with hardware (but can be detected
immediately by software). Full system scanning is only necessary if
an infection is suspected and the extent is to be determined.
Once malicious software is present on a system, it can hide in many
ways, the key is to detect such activity before it becomes resident.
I am constantly surprised that, considering the simplicity of the PC
architecture, more schools have not developed their own protection
software rather than relying on outsiders, certainly it is more
difficult to write a functional operating system, something most CS
schools require.
How about an annual intermural anti-virus competition - anyone
interested ?
------------------------------
Date: Fri, 26 Apr 91 15:23:33 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Disabling the floppy-drives. (PC)
>From: "Pete Lucas" <[email protected]>
>A far easier way is what i have done; you can buy floppy-drive locks
>that simply fit into the drive slot and prevents anyone putting any
>diskettes in the slot.
If you can make the users use the keylock that is - most BSI
infections occur from "accidental" floppy boots, not intruders. A more
effective way is to simply unplug the floppy drive. A keylock just
keeps unauthorized people out but someone must administrate it.
------------------------------
Date: Fri, 26 Apr 91 15:23:33 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Re: PREVENTION of Drive A: boots - Suggestions Please (PC)
>From: [email protected] (Wm E Davidsen Jr)
> All you need is a switch the BIOS can read to disable trying the
>boot on A:.
First you need a BIOS that will read the switch (hardware again - best
but most expensive answer). The programming is trivial but production
is the hard part (ps a ROM extension is easy & uses the stock BIOS;
for maintenance/resale, just remove it & you have a "normal" PC).
Warmly, Padgett
------------------------------
Date: Fri, 26 Apr 91 19:21:04 +0000
From: [email protected] (Fridrik Skulason)
Subject: Version 1.15A of F-PROT (PC)
I have just finished version 1.15A of F-PROT, where some "bugs" in
1.15 are corrected. The bugs were:
Occasional false alarms reporting "10 past 3", "Kamikaze" and
"1260/Casper" infections.
F-DRIVER would (incorrectly) report a "Yankee" infection in
the anti-virus programs from Central Point.
F-DISINF was unable to detect and disinfect one common variant
of "Stoned", and would only report..
"...this diskette is infected with an unknown virus."
The name of the new file is FP-115A.ZIP, and it should be available on
SIMTEL-20 and beach.gal.utexas.edu shortly.
-frisk
------------------------------
Date: 26 Apr 91 14:07:19 -0500
From: Pat Ralston <[email protected]>
Subject: HyperCard virus --should I wait to script? (Mac)
I use HyperCard frequently and am not happy to see that there is a
HyperCard virus on the loose.
Since there have been several comments on the HyperCard anti-virus
script recently which say in general ..."this won't/may not work", I
am not confident that I want to enter this script in my Home Stack.
In fact I have more than one Home Stack because I have customized
several Home Stacks for the specific uses I make of my stacks.
I have found John Norstad to be very responsive in the past when new
Mac viruses developed. John, are you working on this one too? Or
does anyone else know if the Disinfectant virus checking software is
being updated to include the HyperCard virus?
If that is the case I'll wait rather than script something into my
Home Stack that I may not really want there.
I do appreciate the work that Mike went to in trying to give us all a
script to defend against the virus. And I am sure that many Mac users
are grateful for the work that has been done to give us Disinfectant.
Pat Ralston
IUPUI Indiana University - Purdue University at Indianapolis
------------------------------
Date: Fri, 26 Apr 91 19:15:14 +0000
From: [email protected] (Fridrik Skulason)
Subject: F-PROT 1.15A anti-virus package uploaded to SIMTEL20 (PC)
I uploaded version 1.15A of my F-PROT anti-virus package to SIMTEL20:
pd1:<msdos.trojan-pro>
FP-115A.ZIP Virus detection/removal/prevention/information
-frisk
---
Fridrik Skulason
[email protected]
------------------------------
Date: 27 Apr 91 10:59:00 -0600
From: "William Walker C60223 x4570" <[email protected]>
Subject: Yankee Doodle virus (PC)
Hello, people. Glad to be part of this discussion.
Jim Schank ([email protected]) writes:
> Does anyone out there have information on the Yankee Doodle virus?
A little bit: Yankee Doodle is a variant of a virus called Vacsina,
both of which, along with Yankee Doodle-B, belong to the "TP" family
of about 48 viruses (last time I checked). The second to the last
byte of an infected file is believed to be the "version number" of the
virus. In the most common Yankee Doodle virus, this number is 2C hex,
or 44 decimal, therefore the name "TP-44." The viruses from about 25
(19 hex) earlier are called Vacsina, while the later ones are called
Yankee Doodle.
I'm not 100% sure when the infection takes place, but I believe that
it occurs when a .COM or .EXE file is run. As for playing "Yankee
Doodle" on the speaker, TP-44 does indeed play it. I know because
I've just removed that version from a machine here. However, when you
test it, don't set the clock exactly at 5:00, set it for 4:59, because
it starts a few seconds early. Also, be sure that the time is 4:59 PM
(not AM), or 16:59.
For additional information, the best source (besides this forum) is
the VIRUSSUM document by Patricia M. Hoffman, which is available on
many BBSs and FTP servers which have anti-virus software. Oh, by the
way, some versions of Yankee Doodle hunt down some other
viruses, such as Ping and Cascade. Who knows, with this kind of
in-fighting, maybe they'll wipe each other out completely! ;-)
Bill Walker
OAO Corporation
Arnold Engineering Development Center
M.S. 100
Arnold Air Force Base, TN 37389-9998
------------------------------
Date: 27 Apr 91 18:44:00 -0600
From: "William Walker C60223 x4570" <[email protected]>
Subject: Malicious Program Definitions
There's enough confusion in the anti-virus community already, without
the confusion resulting from the differences in terminology. I'm sure
there's nothing new in that statement. Eldar A. Musaev has a good
start at eliminating the confusion in the terminology, and he's going
about it in a good way: defining differences in function and
classifying by function. However, his using "Christmas Tree" (I
assume the BITNET CHRISTMAS EXEC) as an example of a Network Worm
doesn't seem quite right to me. Even if he didn't mean the CHRISTMAS
EXEC, it still doesn't fit neatly into his classifications (see
Virus-L V4 I60).
The CHRISTMAS EXEC on BITNET would, in my opinion, be a Trojan Horse
rather than a Worm. The definitions of a Trojan Horse that I have
seen state that a Trojan Horse is a [standalone] program which
purports to do one thing (and may in fact do it), but covertly does
another, malicious thing. CHRISTMAS fits this description; however,
CHRISTMAS also replicates. So, where's the distinction?
Perhaps the function of replication could be divided into independent
and dependent. Independent replication would be that, once started,
the replication process would continue without outside assistance.
Dependent replication would be that the replication process would
occur only while the parent/host/whatever program is running. In this
way, CHRISTMAS EXEC could be separated from, say, the Internet worm:
CHRISTMAS is a dependent replicator, while the Internet worm is an
independent replicator.
However, with this addition, a new problem arises. How does one
classify NON-resident malicious programs such as Amstrad, Vienna, or
405? They're dependent replicators as well. Would they be separated
from resident malicious programs such as Stoned, Jerusalem, or Yankee
Doodle?
Another distinction which should be made is the difference between a
standalone program, an overwriting program, and a parasitic program.
Eldar Musaev separates parasitic by saying it attaches itself to
another file, but he lumps the other two under "non-parasitic." I
believe that they should be kept separate. A standalone program is
just that, and requires no other program to help it run and/or spread.
An overwriting program, though it doesn't attach itself to a file and
is itself a complete program, requires that a host/"victim" file be
present for it to replace. Similarly, a "spawning" program requires
that a host/victim file be present for it to spawn to. A boot-sector
virus could be classified similarly, depending on how it treats the
original boot sector.
Using these further separations, the functional criteria could now become:
I. Replication
1. Non-replicator
2. Dependent Replicator
3. Independent Replicator
II. Host Basis
1. Standalone (non-host-based)
2. Host-based
a. Spawning
b. Overwriting
c. Parasitic
If the term "bacterium" (plural "bacteria") is used for host-based
dependent replicators, and "virus" ("virii") is used for host-based
independent replicators (for lack of better terms to separate the
two), the resulting classifications could now become:
I. Standalone Non-replicators
Trojan Horses Example: ARC 5.13
II. Spawning Non-replicators
Spawning Trojans
III. Overwriting Non-replicators
Overwriting Trojans Example: Twelve Tricks
IV. Parasitic Non-Replicators
Parasitic Trojans
V. Standalone Dependent Replicators
Replicating Trojans Example: CHRISTMAS EXEC
VI. Standalone Independent Replicators
Worms Example: Internet Worm
VII. Spawning Dependent Replicators
Spawning Bacteria Example: Aids II
VIII. Overwriting Dependent Replicators
Overwriting Bacteria Example: 382 Recovery
IX. Parasitic Dependent Replicators
Bacteria Example: Vienna
X. Spawning Independent Replicators
Spawning Virii
XI. Overwriting Independent Replicators
Overwriting Virii
XII. Parasitic Independent Replicators
Virii Example: Jerusalem
Some of the resulting combinations don't have examples at this time,
and some of those (such as a parasitic non-replicator) are not likely.
Also, some people may say that the Lehigh virus is an overwriting
virus. I would call it parasitic, since it is not a complete program
by itself, but attaches itself to COMMAND.COM, even though it
overwrites the stack space.
Well, that's my two cents worth. I hope it can be of some help. The
names given for the different combinations are just suggestions; they
don't have to be used (for that matter, NONE of this HAS to be used
:-) ). In fact, I'm sure that someone could come up with better names
for some of these.
Bill Walker |
OAO Corporation |
Arnold Engineering Development Center | "I'd like to solve the puzzle, Pat"
M.S. 120 |
Arnold Air Force Base, TN 37389-9998 |
------------------------------
Date: Sun, 28 Apr 91 06:48:54 +0000
From: [email protected] (Igor Grebert)
Subject: Re: Virucide query (PC)
[email protected] (Ramon Bartschat) writes:
>Hi there....
>
> I have the following question:
>
> A friend of mine was using the VIRUCIDE program, so I copied it
>to try it out, but when I got home and scanned it with SCAN V67 the
>program told me that VIRUCIDE was compressed with LZEXE and that it
>was infected internally with the Kennedy Virus and with the 12 Tricks
>Troyan Horse. I could never find out any unusual behaviour in
>VIRUCIDE. So what's wrong with VIRUCIDE ???? Right now I got a
>secured copy of VIRUCIDE, in case it's really infected with Kennedy &
>12 Tricks.
This problem only appears on the very first version of VIRUCIDE, when
checked with SCAN. It was a false alarm generated by SCAN. The problem
has been solved, and the version you have works perfectly, even though
it is a little outdated: Parson's Technology upgrades VIRUCIDE quite
often, every two to three months, I believe. The current version number
is 2.10, and a next release is due soon.
Igor Grebert.
------------------------------
Date: Sun, 28 Apr 91 19:20:07 +0000
From: [email protected] (Jim Bradley)
Subject: can we trust diskette write-protection? (PC)
I am completely baffled by the following experience.
Someone sent me eight (green) 360K 5.25-inch floppy diskettes containing
pkzip archive files.
I write-protected each with a silver sticker from another box of diskettes.
I subsequently discovered that I could *freely* write or erase files from
any of these "write-protected" diskettes in the 1.2M half-height floppy drive
of an AT-clone or in the retro-fit 360K half-height floppy drive of an IBM XT.
Both machines are located in a computer lab I manage.
(I have not tested other machines, since I am so spooked by this experience.)
When I performed the same test with the same silver stickers with the same
floppy drives, but this time using diskettes from my own collection,
the write-protection worked correctly.
Two issues:
1) My experience (whatever the cause) suggests that write-protecting cannot
be assumed to provide protection against virus infection if you stick
a Brand-Y diskette into a Brand-X machine.
2) What is going on here? How is it possible for a diskette drive
to write on one brand of protected diskette, and not on another brand?
The mind boggles.
Jim Bradley, CNR Computer Facility, UC Berkeley
[email protected]
------------------------------
Date: 29 Apr 91 05:16:22 +0000
From: [email protected] (Graham Jose)
Subject: F-FCHK 1.15 & Casper Virus (PC)
I have just started using the latest version (1.15) of F-FCHK and it
has started reporting the possibility of infection by the Casper/1260
virus in a number of data files on my system, and others around the
company, most notably the keyboard.sys file. The previous version of
F-FCHK I have been using (1.13) did not report this warning. Could
someone (FRISK?) please explain whether I actually have an infection
or whether the checking introduced with 1.15 is simply more sensitive.
Thanks,
Graham Jose
---------------------------------------------------------------------------
| Graham Jose, Snr Software Engineer (EFTPOS,Comms) | Phone: 61 3 4200450 |
| Melbourne Development Centre | Fax: 61 3 4200445 |
| Bull HN Information Systems Australia Pty Ltd |-----------------------|
| ACSnet : [email protected] | Who wants my opinion |
| Internet: [email protected] | anyway? |
---------------------------------------------------------------------------
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 71]
*****************************************