From:      Kenneth R. van Wyk (The Moderator) <[email protected]>
Errors-To: [email protected]
To:        [email protected]
Path:      cert.sei.cmu.edu!krvw
Subject:   VIRUS-L Digest V5 #15
Reply-To:  [email protected]
--------
VIRUS-L Digest   Monday, 27 Jan 1992    Volume 5 : Issue 15

Today's Topics:

Leading Edge distributes Michaelangelo virus (PC)
New virus????? (PC)
Re: 1575/1591 Virus (PC)
Re: i/o ports (was re: Iraqi virus) (PC)
Pentagon and Keypress virus found (PC)
Trojan program collects passwords
vsum info... (PC)
Green Caterpillar Virus (PC)
Total memory available to DOS less than 655360 (PC)
Re: Reviews and request (PC + Amiga)
FAQ: benign use of viri...
Re: Signature viruses
Re: Signature viruses
Re: Signature viruses
Iraqi Virus Question?
CCC91.ZIP on risc (text)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to [email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 27 Jan 92 07:42:00 -0600
From:    Ken De Cruyenaere <[email protected]>
Subject: Leading Edge distributes Michaelangelo virus (PC)

  This is from the latest RISKS digest:
- ------------------------------
Date: Sat, 25 Jan 92 14:14:47 PST
From: "Peter G. Neumann" <[email protected]>
Subject: Leading Edge distributes Michaelangelo virus

Between 10 and 27 December 1991, Leading Edge Products shipped up to 6000
IBM-compatible personal computer systems each of which included among the
hard-disk software the Michaelangelo virus -- which wipes the hard disk on the
artist's 6 March birthday, although it also has some earlier destructive
effects as well.  [See San Francisco Chronicle, 25 Jan 1992, p. B1]

------------------------------

Date:    Thu, 23 Jan 92 21:51:22 +0000
From:    [email protected] (Kathy Diaz)
Subject: New virus????? (PC)

I have a question: it seems that I have come across some sort of virus.
My DOS machine has in every directory a file called aux. It also seems
that you can't find it by normal means. I guess the best way to find
it is to use any editor (edlin, edit, vi, etc.) to look at it, but
what you actually get is a computer freeze.

You could also try to rename a file to aux and you will get some sort of
duplicate file error.

Each aux file is about 112 bytes long.

It doesn't seem to be malicious aside from taking up space but I can't
even look in the file and try to dump the contents onto a file or
something. And scanv85 doesn't find it.  Same thing with CPAV. If
anybody knows something about this all your help will be greatly
appreciated.

[email protected]
Katherine Salas Diaz

------------------------------

Date:    24 Jan 92 13:55:58 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: 1575/1591 Virus (PC)

[email protected] (Fridrik Skulason) writes:

> >There are 6-7 variants of this virus, but they are essentially the
> >same.

> Eh, no...Alan Solomon discovered he was wrong - he included one variable
> byte in his checksumming range.  There seem to be at most two variants.

We sorted this out with him yesterday. The final result is: 3
different variants.

In my original posting I also forgot to say that the virus does not
infect files with 8-character names, due to a bug...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    24 Jan 92 14:51:45 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: i/o ports (was re: Iraqi virus) (PC)

[email protected] (Kevin Stussman) writes:

> >Nonsense, complete nonsense. If it is in the printer, it cannot force
                                                                  ^^^^^
> >you to execute it. It cannot copy itself to the computer. It cannot
> >exist. Period.

>       This brings up an interesting problem. Can it happen via a
> serial / parallel port? This would mean there has to be direct control

No. And for the same reason.

> over the CPU from a device attached to the port. Usually there is
> software driving the IO of the port, but can an device sieze control
> and send instructions without driving software? Now if this isn't

No, it can't. Actually, data can be transmitted in both directions
through both ports (serial and parallel), but an external device has no
way to -FORCE- the computer to accept any data the latter is not
willing to. It would be possible, if a special program already runs on
the computer. Say, a software device driver for the printer, which
secretly downloads a virus from the printer's ROM. This is possible,
but just useless - why not embed the virus in the device driver in
the first place? No, there is no way for an external device to force your
computer to accept data, unless there is a program already running,
which plays the active part.

> possible then I can see that it would be impossible.  But just saying
> NO because it's on a chip is nonsense. There is nothing saying I cant

I didn't say NO because it's on a chip. I said NO, because it is
introduced by an external device.

> place an EPROM in a strategic place that will place a virus of my
> choice on a hard drive or floppy, OR DO ANYTHING without even striking
> a key. If that chip has code to blank the screen, it will be blank
> before any control is given the user.  (how do you think a PC knows

Right. You just don't have a way to make the computer download all
this nasty code. No way from the printer, that is.

> Where is this article? And it seems strange to me that CNN wouldn't
> have known this. Then again, don't believe everything you hear.

As several people already mentioned, it has been published in the
April 1st issue of InfoWorld (1991). Even the virus there is called
AF/91, that is April's Fool / 1991. As you can see, even CNN can get
caught... And it was not alone in this case, believe me... :-)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Fri, 24 Jan 92 11:51:55 -0500
From:    Eric Carlson <[email protected]>
Subject: Pentagon and Keypress virus found (PC)

Pentagon and Keypress viruses were found on floppies in one of our labs.

Pentagon virus was NOT FOUND by SCANv84, but it was found with SCANv69.

This could be a problem. We did not allow that person to use his disk in
the lab.

I wasn't there, so I didn't analyze it further.

 - Eric Carlson - Microcomputer Software Support -
  - Northern Virginia Community College System -
      - NOVA BBS 703-323-3321 - 14,400 BPS -

------------------------------

Date:    Fri, 24 Jan 92 17:55:38 -0600
From:    Ellen Brewer <[email protected]>
Subject: Trojan program collects passwords

A program that collects logins and passwords by masquerading as a
telnet connection to either of two local computers was found this
week at the University of Illinois on PCs at sites used by large
numbers of students. The information below was posted by the CCSO
Site Manager to a local newsgroup and is forwarded to VALERT-L
with his consent.

 > Date: Mon, 20 Jan 1992 13:43:15 -0600
 > From: "Declan J. Fleming" <[email protected]>
 > Subject: Trojan Horse - Your uxa & ux1 password may be known
 >
 > One of my Site Consultants found a program at the Illini Union
 > Site that looks just like Telnet (the software used to access
 > mainframes) BUT is actually a password and login recorder.
 > It will prompt you for your login: and Password: then tell you
 > that the host is unreachable.
 >
 > So far this has only been found on DOS machines.
 >
 > What to look for:
 >
 > REAL Telnet doesn't leave a login screen up on the screen for an
 > extended period of time - it will time out back to the menu screen.
 > If you sit down at the computer and see a login screen already
 > present, contact a Site Consultant right away!  We'd like to track
 > this software and see how far it gets.  DO NOT try logging in until
 > the Site Consultant has been notified and you have re-booted your
 > machine with the Control-Alt-Delete keys.
 >
 > We have no idea how long this software has been around, so your
 > present password may already be known.  It is advised that you
 > change it right away.
 >
 > We've seen the software in two versions - one that looks like a
 > uxa login screen and one that looks like a ux1 login screen.
 > There may be others.

Ellen Brewer ([email protected])
"Non ignara mali, miseris succurrere disco."

------------------------------

Date:    Sat, 25 Jan 92 19:29:32 -0800
From:    [email protected] (Rob Slade)
Subject: vsum info... (PC)

[email protected] (*Hobbit*) writes:

> there a plaintext version of vsumx.h! that is readable by humans

Unfortunately, VSUM is no longer provided in this form.  You may,
however, wish to get the Brunnstein Virus Catalogue, the various files of
which are ftpable from cert.sei.cmu.edu.

==============
Vancouver      [email protected]   | "A ship in a harbour
Institute for  [email protected]      |  is safe, but that is
Research into  CyberStore Dpac 85301030 |  not what ships are
User           [email protected]         |  built for."
Security       Canada V7K 2G6           |           John Parks

------------------------------

Date:    Sun, 26 Jan 92 18:38:56 +0000
From:    Crispi <[email protected]>
Subject: Green Caterpillar Virus (PC)

Dear all,

I have just found the Green Caterpillar virus (1575/1591), and would like
some information about it.
Firstly, which machines are vulnerable to infection, and on which machines
does the payload work? How many strains are there?
Secondly, and more generally, I tried to activate the virus on a PC running
DR-DOS 6 (with a compressed disk). I wasn't able to infect any files. I know
the virus spreads via the Findfirst and Findnext calls. Is DR-DOS immune in
some way?

Many thanks,

Christopher J. Wells.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% [email protected] |  disclaimer: Since UKC do not represent my views,    %
%   University of Kent  |              I do not represent theirs.              %
%------------------------------------------------------------------------------%
% "I seem to be having this tremendous difficulty with MY lifestyle" - A. Dent %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

------------------------------

Date:    Mon, 27 Jan 92 09:27:20 +0700
From:    Josep Fortiana Gregori <[email protected]>
Subject: Total memory available to DOS less than 655360 (PC)

   After reading the note by Padgett Peterson about the
   Michelangelo virus, I checked my machines and found
   that one of them (a 486/33MHz clone AT with 8M ram)
   reports total memory = 654336 = 655360 - 1024 when
   booted from drive C: and 655360 when booted from A:

   No other symptom of infection can be observed (and
   SCAN '85 reports "no viruses found").

   Does someone know if there is a possible cause of this
   behaviour, other than infection?

                                    Josep
.....................................................................
Josep Fortiana
Departament d'Estadistica
(Facultat de Biologia)            Phone : 34 - 3 - 4021561
Universitat de Barcelona          E-mail: [email protected]
Av. Diagonal 645
08028 - Barcelona                  (also  [email protected])
SPAIN

------------------------------

Date:    Sat, 25 Jan 92 16:40:03 +0000
From:    [email protected] (Maarten Berggren)
Subject: Re: Reviews and request (PC + Amiga)

[email protected] (Rob Slade) writes:
>per recent requests for reviews, the following is my current list (in
>order):
>EliaShim's ViruSafe
>Worldwide's Vaccine
>Solomon AntiVirus Toolkit
>Sophos Vaccine
>Fifth Generation's Untouchable
>
>(Of course, any more rumours like this past week, and this could be
>delayed a long time.)
>
>Now, a request.  We haven't heard much from the Amiga people lately.  Can
>I get some feedback on the top Amiga antiviral shareware of recent date?

I more or less write this to prove that Amiga-owners read this channel,
although there isn't much amiga-related stuff here.

I haven't had many problems with viruses recently. The only virus I got last
year was a lamer-exterminator, and I think I used BootX to remove it.

I think that more Amiga-owners ought to write to this channel, to share
the latest info about viruses.

Merten Berggren ([email protected])

------------------------------

Date:    Fri, 24 Jan 92 19:11:08 +0000
From:    euzebio%[email protected] (Marcos J. C. Euzebio)
Subject: FAQ: benign use of viri...

Does anybody have any experience/references/etc. on
the use of viri/worms as a paradigm for distributed applications?

Thanks,

Marcos Euzebio.
- --
[email protected]

------------------------------

Date:    Sat, 25 Jan 92 19:26:00 -0800
From:    [email protected] (Rob Slade)
Subject: Re: Signature viruses

[email protected] (alastair gavi williams) writes:

>       So, what's a signature virus?  Does it require the file to be
> written to an acc before it will infect it?

After having sent my last response to this, I had second thoughts.  I am
still not sure that I understand the question, but the poster may be
referring to virus signatures, the specific sections of code used to
identify a virus or infection.

==============
Vancouver      [email protected]   | "A ship in a harbour
Institute for  [email protected]      |  is safe, but that is
Research into  CyberStore Dpac 85301030 |  not what ships are
User           [email protected]         |  built for."
Security       Canada V7K 2G6           |           John Parks

------------------------------

Date:    Sat, 25 Jan 92 23:05:19 +0700
From:    [email protected] (Morton Swimmer)
Subject: Re: Signature viruses

[email protected] (alastair gavi williams) writes:

>
>       So, what's a signature virus?  Does it require the file to be
> written to an acc before it will infect it?

Was this meant as a joke? I was missing the ":-)"
Just in case this was not a joke, the "signature" virus is nothing
but a joke. Many people are putting a text like "This is a .signature
virus. Please copy me into your .signature file" or the like. A
signature file is of course the signature that is appended to e-mail.

BTW, as a joke I devised an anti-signature-virus: "rm -i .signature".
It's just about as intelligent as doing a low-level format to cure
a file virus.

Cheers, Morton
PS: :-)

.............................................................................
morton swimmer..odenwaldstr.9..2000 hamburg 20..germany..tel: +49 40 4910247.
internet: [email protected] or [email protected].
.............to leave only footprints, and take only memories................

------------------------------

Date:    Fri, 24 Jan 92 00:32:38 +0000
From:    [email protected] (Morgan Schweers)
Subject: Re: Signature viruses

Some time ago [email protected] (alastair gavi williams) happily mumbled:
>
>       So, what's a signature virus?  Does it require the file to be
>written to an acc before it will infect it?

Greetings!

   A .signature virus is a voluntary self-inflicted virus, requiring
the consent of the to-be-infected to spread.

   It's a Usenet joke.  (IMHO, a pretty funny one.)  After all, it's
non-destructive, clearly announced, and requires user intervention to
become "infected".  It's easy to scan for, as well!  *grin*

   Removal of a .signature virus under Unix requires the use of an
extensively technical Unix virus-removal program, such as 'emacs' or
'vi'.  Less technical methods may be used ('ed', or 'ex'), and in the
worst case a low level format of your .signature file may be required.
('cat > .signature').

   .signature viruses are unique in that they can spread to
non-similar file systems.  (The only requirement for spreading is a
similar user mindset, across which the virus has ease spreading.)
Removal under other file systems may require different techniques than
under Unix.  For example, VMS comes with an easy-to-use .signature
virus removal program named EDIT.  Even old MS-DOS systems have the
easy capacity to remove this virus through the use of the arcane
'EDLIN' command.  Modern versions of the MS-DOS .signature virus
remover contain a full screen visual interface.

   I'm not certain as to its efficacy spreading to non-text-oriented
brainsets (such as Amiga and Mac users), but I'm sure that with a
sufficiently interested and consenting user, something could be
arranged...

   Enjoy!

                                                  --  Morgan Schweers
- --
Hacker, Furry, SF reader, gamer, art collector, writer.  24 hours isn't enough.
[email protected]   | I'm a practicing furry!  Some day I hope all the practice
Freela @ Furry   | will pay off, and I'll grow fur!  --  me
K_Balore @ Furry |___________________ CLEAN C:\USR\SPOOL\*.* [SigVir] /SUB
Hi! I'm a .signature virus!  Add me to your .signature and join in the fun!

------------------------------

Date:    25 Jan 92 19:48:00 -0600
From:    "379BMWMASQ" <[email protected]>
Subject: Iraqi Virus Question?

Hello All

I have been watching the message threads in the list on the Iraqi printer
virus, and I have a question to pose to the group.

       1. PostScript printers receive printouts in the form of PostScript
          program code, which is in turn run by the printer to print out
          the page. Now if that PostScript printer is on a network and
          is capable of sending information to the network, then could
          the printer CPU be programmed to access the well known and
          some not so well known security features of the network to
          plant code or overload the system with bogus traffic?

I know that this requires the information on the type of network and
the types of computing platforms in use, but it seems to me that they
bought most of their computers from us over the last 10 years and it
would only be smart for one of the watchers (CIA, FBI, NSA, DIS) to
keep track of this.

These are of course my own ideas, guesses, or whatever.

Chris Cohen
[email protected]

------------------------------

Date:    Sun, 26 Jan 92 14:24:34 -0600
From:    James Ford <[email protected]>
Subject: CCC91.ZIP on risc (text)

The file CCC91.ZIP has been placed on risc.ua.edu for anonymous ftp.  This
zip file contains various (German?) text mentioned in earlier issues of
Virus-L.  (Thanks to the anonymous FTPer who uploaded it!)

         File                          Size
         ---------------------------   -----
         pub/ibm-antivirus/ccc91.zip   74085


If someone would like to tackle the translation, I will be more than
interested in posting the resulting files on risc.


Uploading a file:
- -----------------
If you want to upload a file to risc.ua.edu, you must place the file
in /pub/00uploads.  You will not be able to see your uploaded file
when you finish.

I have only one rule that I follow when posting a file on risc.ua.edu:

  If the zip contains any sort of executable (COM, EXE, SYS, BIN, etc),
  the uploader *MUST* send a message to [email protected] or the address
  [email protected].  I h