VIRUS-L Digest Thursday, 9 May 1991 Volume 4 : Issue 78
Today's Topics:
The Shape of the World (PC)
Virii in Factory Software; Legal Stuff; "Eddie Lives"
Virii on Factory Software & Legal Issues
Far West is a BEACH mirror (PC)
The dangers of self-extraction (general)
F-PROT & FluShot+ problems 2 (PC)
SNEAK virus (Mac)
CLEAN77 for a network? (PC)
re: Viral or other problem? (Mac)
Re: F-PROT and FluShot problems (PC)
re: Original-Equipment Viruses
re: Diskette write protection.
RE: vanishing space on Mac hard disks (Mac)
re: help with mac "virus"? (Mac)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 08 May 91 10:30:15 -0400
From: "David.M.Chess" <[email protected]>
Subject: The Shape of the World (PC)
This is an open note to other folks in the anti-virus field, to see if
some (potentially significant) things that we've noticed about
(primarily PC-DOS) viruses look the same from other people's
perspectives. Some informal questions to individuals suggest that
these are reasonably common observations; is there anyone out there
who would disagree with them? (Or have other comments, for that
matter?)
1) Most viruses in the collections of anti-virus workers
have, as far as anyone knows, never been found on an
end-user system. (We, for instance, have a few hundred
viruses, but know of only about 50 that have ever
bothered an end user.)
2) When a virus shows up on an end-user system ("in the
wild", as we say) that has never been seen on an
end-user system before, it's usually a brand-new virus,
rather than a virus that's previously been in collectors'
collections. That is, it's very rare for a virus
from the "collectors only" category to move into
the "in the wild" category.
Do these two things match the experience of other anti-virus workers?
Can anyone give some examples of viruses that were at one time thought
to be "collector only", but later showed up in the wild? (Very
isolated incidents, such as the rather obvious direct 'seeding' of an
end-user machine with a stupid virus like the Whale, don't really
count.)
As a sort of a spot-check, has anyone ever seen any of the
"Anti-Pascal" viruses (AP-400, -440, -480, -529, -605, I think they
are; something like that) infecting an end-user machine? (I ask about
these just because they're sort of prototypical "collector-only"
viruses; rather stupid, and seemingly unlikely to spread.)
DC
------------------------------
Date: 08 May 91 10:22:00 -0600
From: "William Walker C60223 x4570" <[email protected]>
Subject: Virii in Factory Software; Legal Stuff; "Eddie Lives"
I haven't yet read enough of the back issues of VIRUS-L, so please
excuse what duplication I may make.
I have just run across (and cleaned up) the MusicBug virus from the
factory-supplied SVGA disks for a Packard Bell computer. The virus
was on both disks of the set. Also, the virus was NOT on any of the
other disks which came with the computer. Fortunately, the user had
not used the disks yet. These disks were labelled simply "SVGA." I
have also checked the disks which came with another user's Packard
Bell computer, but found no virii. These disks were labelled "16 Bit
VGA Card" or "16 Bit VGA Board" (I forget which).
A. Padgett Peterson (padgett%[email protected]) writes:
> Bring in the lawyers ! We need some civil actions to force manufacturers
> to take due care (I'm amazed it hasn't happened before).
[Ed. See follow-up in the next message.]
It HAS happened before. Aldus (I believe - someone correct me if I'm
wrong) shipped a package which contained a virus, and when they
discovered this fact, recalled the shipped pieces and replaced them
with clean ones. Also, MSgt Chester Howes (of this base) discovered
an occurrence of Jerusalem B being shipped on a copy of BitCom
communications software included with an internal modem. The vendor
of the modem then sent clean copies of the software and said to
destroy the old copies. There are probably other examples.
In both of these instances, the manufacturers took full responsibility
and made efforts to remedy the situation, once they were informed of
the problem. No legal action was necessary. Should there be in this
case? Granted, the Music Bug virus has been reported on the SVGA
disks since December, and Azusa a couple of weeks ago, but has anyone
informed the manufacturer or distributors? Also, how do you know
they're NOT checking the disks? Suppose they're using VIRUSCAN V74,
which won't find Azusa. Or worse, suppose they're using Norton
Antivirus. While it is a good package, the Symantec Virus Newsline
recording, where one gets new virus descriptions, is pretty old (as of
yesterday, 7 May, it was dated mid-February), and doesn't include the
Azusa virus or (if memory serves correctly) the MusicBug virus.
They may indeed be looking, but the virii are getting by. While I
don't have a number for Packard Bell or Trident Microsystems, I am
calling Service Merchandise and Sam's Wholesale, distributors of
Packard Bell computers in this area. It costs less than a civil suit,
and will achieve the same results, probably in less time.
One unrelated comment: I had thought that the phrase, "Eddie lives...
somewhere in time" referred to the film "Eddie and the Cruisers," in
which the lead singer is thought to be dead, but no one is 100% sure.
Sorta like Elvis, huh? ;-)
Bill Walker ([email protected])            | "If you were locked in a room with
OAO Corporation                               | Saddam Hussein, the Ayatullah, and
Arnold Engineering Development Center         | a lawyer, but you had only two
M.S. 120                                      | bullets, which would you shoot?"
Arnold Air Force Base, TN 37389-9998          | "I'd shoot the lawyer twice."
------------------------------
Date: 08 May 91 14:24:00 -0600
From: "William Walker C60223 x4570" <[email protected]>
Subject: Virii on Factory Software & Legal Issues
In an earlier message I had written:
> A. Padgett Peterson (padgett%[email protected]) writes:
> > Bring in the lawyers ! We need some civil actions to force manufacturers
> > to take due care (I'm amazed it hasn't happened before).
> It HAS happened before.
In that message, I thought that Mr. Peterson was referring to
infections on factory diskettes not happening before. However, on
reading further back in the VIRUS-L archives, it would appear that he
is referring to the civil actions not happening before. I apologize
for the misunderstanding.
I still contend, though, that civil actions are not necessary right
now. The reason that virii are being distributed on factory diskettes
is most likely the same reason that virii spread in general: the lack
of education or information about virii. Admittedly, software
publishers should be more aware about the computing environment than
Joe Novice Computer User, but let's face it, it's difficult even for
virus experts to keep up with the new virii, much more for a
non-virus-related hardware company.
On the other hand, once informed about a virus problem with their
product, a vendor must be prompt to correct the problem, or it is
indeed time to bring in the lawyers.
Bill Walker ([email protected])            |
OAO Corporation                               | "I think, therefore I am.
Arnold Engineering Development Center         |  Nah, I think not."
M.S. 120                                      | *POOF*
Arnold Air Force Base, TN 37389-9998          |
------------------------------
Date: Wed, 08 May 91 06:02:38 -0500
From: [email protected] (John Perry)
Subject: Far West is a BEACH mirror (PC)
Hello Everyone!
This is just a reminder that the Far West BBS (713)337-3289 is
a mirror for BEACH.GAL.UTEXAS.EDU concerning the PC anti-viral
software. This service is set up for those that do not have FTP
access.
John Perry KG5RG
You can send mail to me at any of the following addresses:
DECnet : BEACH::PERRY
THEnet : BEACH::PERRY
Internet : [email protected]
Internet : [email protected]
BITNET : PERRY@UTMBEACH
SPAN : UTSPAN::UTADNX::BEACH::PERRY
FIDOnet : 1:106/365
--
John Perry - via FidoNet node 1:106/365
UUCP: uunet!nuchat!farwest!perry
INTERNET: [email protected]
------------------------------
Date: Wed, 08 May 91 17:15:49 -0700
From: [email protected] (Rob Slade)
Subject: The dangers of self-extraction (general)
The perils of using self-extracting programs may be more potential
than real at the moment, but consider some of the following features:
LHARC (and now LHA) allow the inclusion of a batch file which allows
newly de-archived programs to be run automatically. Of course, being
a batch file, it doesn't have to be limited to that. What a wonderful
place to put a trojan! Of course, you can just have it run an
infected program, before anyone has a chance to use a nasty old virus
scanner on the programs ...
ARJ has a nifty new feature that allows the archiver to state that all
queries are to be answered "yes". (At least, I think that is what it
means. The documentation isn't entirely clear.) This means that the
archivee doesn't have to worry about whether or not they want the
de-archiving to proceed, it just does.
"User-friendly" always seems to run counter to security. In this
case, the features that make self-extraction appealing, are the very
ones that you have to somehow circumvent in order to be safe.
=============
Vancouver      [email protected]          | "If you do buy a
Institute for  [email protected]          | computer, don't
Research into  (SUZY) INtegrity             | turn it on."
User           Canada V7K 2G6               | Richards' 2nd Law
Security                                    | of Data Security
------------------------------
Date: Thu, 09 May 91 04:49:47 +0000
From: [email protected] (cs106132)
Subject: F-PROT & FluShot+ problems 2 (PC)
HI, This is a follow-up on my previous posting regarding a problem
with F-PROT & FluShot+ (1.81) packages and a variant of 4096 virus. I
have received messages from the developers of these products
requesting a sample of the mentioned virus so that they can update.
The previously described scenario happened on an isolated system
that is used solely for testing. The mentioned variant of 4096 was
modified for testing purposes. Neither developer needs to worry about
updates since this strain will not exist outside the test machine.
The point was, however, that such sophisticated viruses defeat the
"hunt-for-pattern" approach. Both developers are invited to improve
their techniques dealing with this variety of viruses instead of
trying to add just another pattern to search for.
Regards,
Tarkan
------------------------------
Date: Thu, 09 May 91 11:35:29 +0200
From: shiekh%[email protected]
Subject: SNEAK virus (Mac)
Have just located a new virus for the Mac called SNEAK,
in Italy, Trieste may 1991.
Found with Interferon, having infected the system and TOPS. Can
anyone suggest a cure or inform us of how much damage this little
beast might do.
Thanks
Andy
[Ed. If memory serves me correctly, Sneak is a false alarm issued by
Interferon. Try Disinfectant or some other program - I think that
you'll find that there is indeed no virus present.]
------------------------------
Date: Thu, 09 May 91 13:42:44 +0000
From: [email protected] (Roggie Boone)
Subject: CLEAN77 for a network? (PC)
I am installing a Local Area Network in our department that will be
running Novell Netware 386. I am thinking about using the McAfee
Netscan77 virus detection program. I am curious if there is a network
version of CLEAN77, or can CLEAN77 remove viruses from a network such
as described above? Any info would be appreciated.
Thanks in advance.
Roggie Boone
[email protected]
------------------------------
Date: Wed, 08 May 91 10:48:11 -0400
From: [email protected] (Joe Kazura)
Subject: re: Viral or other problem? (Mac)
[email protected],
The problem you are encountering is not due to any problems with the
CPU's and the version of the System software. The problem is with
older versions of some software. I can tell you right now that
SuperPaint 1.1 is a major problem and if that MacPaint is one of the
original versions (not 2.0) then it's just too old!
I use MacDraw II all the time on an SE/30 and a IIfx with 2 and 4mb
respectively and I have no problems at all with 6.0.7
I would suggest (STRONGLY) moving all fonts & DAs from your current
System version (esp. ones you don't have back-ups of) into a separate
file on your HD.
Re-Boot the system with an original System 6.0.7 Tools disk, open the
system folder and remove the SYSTEM, FINDER & MULTIFINDER files, trash
'em!
Now run the Installer program from the System Tools Disk (make sure
that you have the other three disks handy ... Util. 1, Util. 2 and
Printing Tools). Select the CUSTOMIZE button, now select the items
you need while holding down the shift key. (i.e. for the IIfx: Sys
soft. for IIfx, etc.)
As a general rule, when you get system bombs: check to see that you
are using the current version of whatever software, check for Viruses,
and re-install the system software as I have outlined above! This
system works 99% of the time for me and the people I support here at
UNH.
If anyone needs more help E-Mail me directly!
Joe Kazura
Apple Student Rep.
University of New Hampshire
[[email protected]] or [[email protected]]
------------------------------
Date: 08 May 91 22:46:04 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: F-PROT and FluShot problems (PC)
[email protected] (cs106132) writes:
>It happened when a variant of 4096 was active. Since F-PROT did not know
>this strain, it could not detect it. This is expected as the documentation
>hints. However, when I ran F-OSCHK, the virus infected the system files
>.....This is not a bug type of thing, it is a design flaw!
This problem is of course not unique to F-PROT - every other scanner
has this same problem. In fact, the DOS 'COPY' command can also cause
a similar effect - infection of files when they are read. Is it a
design flaw in DOS ?
The reason for the problem is as follows:
If a file is opened for reading, with a virus active in memory, the
file may become infected when it is read. A scanner may therefore
infect the entire system, just by scanning the files.
This is the major reason why one should generally only run a scanner
after having booted the computer from a write-protected system disk.
The problem is harder in the case of a "stealth" virus, like 4096, as
no change may be apparent after the files are infected. This can be
avoided by either scanning the memory for viruses before scanning the
files, or by running a resident virus-monitor which will prevent the
virus from ever being activated.
However, in the case of a brand new "stealth" virus, as in this case,
these methods are of no use. Memory scanning will not detect
anything, and file scanning will just help spreading the virus, and
will not pick up any infection.
So - with the current generation of scanners, this problem cannot be
avoided.
-frisk
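The failure mode frisk describes, as an added example that is not part of his posting or of F-PROT: a toy DOS in which a memory-resident file infector hooks the "open for read" path. A signature scanner run on the live system reads every file through that hook, so it infects each executable it touches, and because the virus strips its own body from whatever it hands back (stealth), the scanner, and a checksum run on the live system, both report nothing. Booting clean (no hook) exposes the infections; for a brand-new variant whose pattern the scanner does not know, only the integrity comparison still catches it. File names, contents and the SIGNATURE marker are constructed for the demonstration.

```python
"""Model of "a scanner can spread a stealth virus it cannot see".

Added example, not code from the original posting. Everything here (file
names, contents, the SIGNATURE marker) is constructed for the demonstration.
"""
import hashlib

SIGNATURE = b"<DEMO-VIRUS-BODY>"   # the pattern a signature scanner knows


class SimDos:
    """A toy DOS: a name -> bytes table plus an optional resident (TSR) hook."""

    def __init__(self, files):
        self.files = dict(files)
        self.resident_hook = None   # None == booted clean from a write-protected floppy

    def open_read(self, name):
        data = self.files[name]
        if self.resident_hook is not None:
            data = self.resident_hook(self, name, data)   # the virus sees every read
        return data


def stealth_infector(dos, name, data):
    """Resident hook: infect executables as they are read, hide the body from readers."""
    if name.upper().endswith((".EXE", ".COM")) and SIGNATURE not in data:
        dos.files[name] = data + SIGNATURE            # infect on read
    return dos.files[name].replace(SIGNATURE, b"")    # stealth: reader gets a clean-looking file


def scan(dos, pattern=SIGNATURE):
    """Signature scanner: read each file through DOS and look for a known pattern."""
    return sorted(n for n in dos.files if pattern in dos.open_read(n))


def baseline(dos):
    """Integrity checker, step 1: hash every file (through DOS)."""
    return {n: hashlib.sha256(dos.open_read(n)).hexdigest() for n in dos.files}


def integrity_changes(dos, base):
    """Integrity checker, step 2: which files no longer match the baseline?"""
    return sorted(n for n in dos.files
                  if hashlib.sha256(dos.open_read(n)).hexdigest() != base.get(n))


def infected_on_disk(dos):
    """Ground truth, bypassing DOS entirely (what a raw sector dump would show)."""
    return sorted(n for n, d in dos.files.items() if SIGNATURE in d)


def run_demo():
    dos = SimDos({
        "COMMAND.COM": b"MZ command interpreter (constructed)",
        "FOO.EXE": b"MZ some application (constructed)",
        "GAME.EXE": b"MZ a game (constructed)",
        "README.TXT": b"plain text, never infected",
    })
    base = baseline(dos)                   # taken from a clean boot while all files are clean
    dos.files["GAME.EXE"] += SIGNATURE     # an infected copy of GAME.EXE arrives
    dos.resident_hook = stealth_infector   # the user ran it: the virus is now resident

    result = {}
    result["scan_on_live_system"] = scan(dos)                          # finds nothing ...
    result["infected_after_scan"] = infected_on_disk(dos)              # ... and spread it
    result["integrity_on_live_system"] = integrity_changes(dos, base)  # stealth hides this too

    dos.resident_hook = None               # cold boot from a write-protected system disk
    result["scan_after_clean_boot"] = scan(dos)
    result["integrity_after_clean_boot"] = integrity_changes(dos, base)
    # a brand-new variant: the scanner has no pattern for it even after the clean boot
    result["scan_unknown_variant_after_clean_boot"] = scan(dos, b"<NEW-VARIANT>")
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:40s} {value}")
```

The sequence in run_demo is the one frisk lays out: the live-system scan infects COMMAND.COM and FOO.EXE and reports nothing, the same scan after a clean boot reports all three, and the unknown-pattern scan reports nothing either way. The baseline hashes are only worth anything because they were taken from a clean boot; a baseline recorded through the resident hook would have enshrined the stealth-stripped contents.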
------------------------------
Date: Wed, 08 May 91 21:15:13 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: re: Original-Equipment Viruses
>I would like to get more information on viruses originating from
>manufacturers, such as Packard Bell recently. Is this widespread with
>this particular company?
Reports concerning infected distribution disks (COMBASE, SVGA, & TVGA)
are still coming in, six months after the first discovery.
>What has been the remedy to this situation?
Floppies: Replace the boot record
Hard Disk:
MusicBug:
a) Format the disk - PB is said to be supplying a special version of DISK
MANAGER to people with IDE drives. Lose all data
or
b) Replace the boot sector (boot cold from floppy, SYS the HD, correct the
number of hidden sectors in the BPB)
Azusa:
a) Low level format the hard disk - see a) above
or
b) Boot cold from floppy then rebuild the partition table manually
Note that in every case I have seen, it has been possible to recover nearly
all of the information on a disk and formatting has not been necessary.
>Should purchasers scan new software for viruses before using?
I do & now have quite a collection of "master" disks containing
viruses, most came on distribution disks with hardware, not in
software packages. These include the STONED, AIRCOP, AZUSA, & MUSICBUG
(all so far have been boot sector and partition table infectors). Have
yet to contact a vendor who has shown any concern about distributing
viruses (subjective opinion) beyond offering to replace disks.
Warmly,
Padgett
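Padgett's step (b) for both infectors comes down to the same check: the partition table in the master boot record and the BPB in the partition's boot sector must agree, in particular the BPB hidden-sector count must equal the LBA at which the partition starts. The following is an added example, not Padgett's own procedure or any tool he names. It assumes 512-byte sectors and the DOS 3.31+/4.0 BPB layout (hidden sectors as a 32-bit field at offset 0x1C, partition table at 0x1BE, 55AA signature at 0x1FE); the MBR and boot sector are constructed in memory rather than read from a drive, and on a real machine the two sectors would be read with a sector editor after a cold boot from a clean, write-protected floppy.

```python
"""Cross-check a DOS hard disk's partition table against the boot sector BPB.

Added example, not from the original posting. Assumes 512-byte sectors and
the DOS 3.31+/4.0 BPB layout; the sample sectors below are constructed.
"""
import struct

SECTOR = 512
PART_TABLE = 0x1BE
ENTRY_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, length
BPB_OFFSET = 0x0B
BPB_FMT = "<HBHBHHBHHHII"   # bytes/sector, sectors/cluster, reserved, FATs, root entries, total16,
                            # media, sectors/FAT, sectors/track, heads, hidden sectors, total32


def _check_signature(sector, what):
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError(f"{what}: missing 55AA signature (overwritten, or not a boot sector)")


def parse_partition_table(mbr):
    """Return the used entries of the four-slot primary partition table."""
    _check_signature(mbr, "MBR")
    parts = []
    for slot in range(4):
        status, ptype, lba, length = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE + 16 * slot)
        if ptype != 0:   # type 0 == empty slot
            parts.append({"slot": slot, "active": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": length})
    return parts


def parse_bpb(boot):
    """Return the BIOS Parameter Block fields the checks below need."""
    _check_signature(boot, "boot sector")
    f = struct.unpack_from(BPB_FMT, boot, BPB_OFFSET)
    return {"bytes_per_sector": f[0], "reserved": f[2], "fats": f[3], "media": f[6],
            "hidden": f[10], "total": f[5] or f[11]}   # total16, else total32


def check_volume(mbr, boot_sectors):
    """boot_sectors maps LBA -> the 512 bytes read there. Returns a list of findings."""
    findings = []
    parts = parse_partition_table(mbr)
    if sum(p["active"] for p in parts) != 1:
        findings.append("partition table: expected exactly one active partition")
    for p in parts:
        tag = f"slot {p['slot']}"
        boot = boot_sectors.get(p["lba_start"])
        if boot is None:
            findings.append(f"{tag}: no boot sector read at LBA {p['lba_start']}")
            continue
        bpb = parse_bpb(boot)
        if bpb["bytes_per_sector"] != SECTOR or bpb["fats"] not in (1, 2):
            findings.append(f"{tag}: BPB looks like garbage (bytes/sector {bpb['bytes_per_sector']}, "
                            f"FATs {bpb['fats']})")
        if bpb["hidden"] != p["lba_start"]:
            findings.append(f"{tag}: BPB hidden sectors = {bpb['hidden']} "
                            f"but partition starts at LBA {p['lba_start']}")
        if bpb["total"] != p["sectors"]:
            findings.append(f"{tag}: BPB total sectors {bpb['total']} != partition length {p['sectors']}")
    return findings


def fix_hidden_sectors(boot, lba_start):
    """Return a copy of the boot sector with the hidden-sector count set to the partition start."""
    patched = bytearray(boot)
    struct.pack_into("<I", patched, 0x1C, lba_start)
    return bytes(patched)


# --- constructed sample disk: one DOS partition starting after a single 17-sector track ---
def make_mbr(lba_start, length, ptype=0x04):
    mbr = bytearray(SECTOR)
    struct.pack_into(ENTRY_FMT, mbr, PART_TABLE, 0x80, ptype, lba_start, length)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def make_boot_sector(hidden, total):
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x3c\x90"        # jump over the BPB, as a DOS boot sector does
    boot[3:11] = b"MSDOS3.3"           # OEM name (constructed)
    struct.pack_into(BPB_FMT, boot, BPB_OFFSET, 512, 4, 1, 2, 512, total, 0xF8, 8, 17, 4, hidden, 0)
    boot[510:512] = b"\x55\xaa"
    return bytes(boot)


def run_demo():
    lba, length = 17, 20400
    mbr = make_mbr(lba, length)
    bad = make_boot_sector(hidden=0, total=length)   # hidden count disagrees with the partition start
    before = check_volume(mbr, {lba: bad})
    after = check_volume(mbr, {lba: fix_hidden_sectors(bad, lba)})
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)
    print("after: ", after)
```

A mismatch in the hidden-sector count is exactly the thing that makes a freshly SYSed partition unbootable or its clusters land on the wrong sectors, so it is worth checking after any boot-sector replacement; a partition table that fails the signature or active-partition checks is the case where the table has to be rebuilt by hand from the known geometry, as Padgett describes for Azusa.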
------------------------------
Date: Thu, 09 May 91 10:30:36 +0100
From: "Pete Lucas" <[email protected]>
Subject: re: Diskette write protection.
I have some 5.25 inch diskettes that do not have a 'write protect'
notch in them, yet i can still write to them in certain drives. The
jackets of these diskettes are a pale blue color, and partially
transparent (if you hold them against a strong light source you can
see the outline of the internal magnetic medium). If i put a sticky
tab on the disk where the notch would be, this cuts down the light
transmission enough to make the disk 'unwritable'. Most confusing!
Pete Lucas
[email protected] [email protected]
------------------------------
Date: Wed, 08 May 91 10:17:15 -0400
From: [email protected]
Subject: RE: vanishing space on Mac hard disks (Mac)
When space on a Macintosh hard drive disappears, it is likely that
some part of the directory structure has been corrupted. This
happens frequently on software crashes. The 'Disk First Aid" program
which comes on the Utilities 1 disk with every Macintosh usually will
do a good job of recovering the lost space, and appears to seldom, if
ever, cause additional damage. You do need to remember to boot your
Mac from the Utilities 1 disk before you can do this, however.
Paul DeBenedictis
Manager, Academic Computing
------------------------------
Date: 08 May 91 15:43:49 -0500
From: [email protected]
Subject: re: help with mac "virus"? (Mac)
[email protected] (Christopher T. Anderson) writes:
>> recently, we've come across a problem with one of the macs in our lab.
>> we really don't know if it's a virus or not, but it does act something
>> like one. anyway, here are the symptoms:
>>
>> - the mac has a 40 meg hard disk
>> - there is only about 16 meg of software installed
>> - both the finder and mactools report 38 meg used, 2 meg free
>> - disinfectant can't find anything, and neither can virus detective
>> - there are no hidden files anywhere on the disk (if there are, neither
>> mactools nor resedit can find them)
>> - the "virus" hasn't spread to any of our other macs
>>
>> what we really want to know is: is this some sort of new virus, or is
>> our mac just confused?"
>
> This problem is not necessarily indicative of a virus, but an
> otherwise corrupted Directory (or possibly Desktop). You could try
> rebuilding your Desktop, but probably should defrag/optimize the
> drive. This would rebuild your directory. For this I recommend Disk
> Express II, it has always worked wonders for me.
It could also be damaged extents tree or some arcane part of the disk
like that. If rebuilding the desktop doesn't help, consider running
Norton's Disk Doctor (part of Norton Utilities for the Mac). This has
found problems with several of our drives which kept them from
optimizing (the damaged area said part of the disk was in use when it
wasn't really and so the optimizer couldn't find the file to pick up,
got confused and said the h*ll with it and would quit).
|\ \\\\__ Tony Maimer __
| \_/ o \ / |
> _ (( <_ / |
| / \__+___/
[email protected] /o /_/|
|/ |/ < )) _ <
\ \ \|
\ |
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 78]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253