Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA13740; Fri, 1 Jun 90 11:16:30 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA20342; Fri, 1 Jun 90 11:16:26 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA29595; Fri, 1 Jun 90 11:16:13 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa22892; 1 Jun 90 15:55 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Fri, 01 Jun 90 16:03:16 BST 
Message-Id:   <$TGTWCZCFFBNR at UMPA>
Subject:      Virus-L vol 0 issue #0425



Virus-L Digest Mon, 25 Apr 88 Volume 0 : Issue #0425

Today's Topics

Virus seminar at local University
Anti-viral agents spread
Anti-virus programs
Re: Anti-viral agents spread
Re: Anti-viral agents spread
Virus at Miami University
Re: Virus at Miami University
** no subject, date = Mon, 25 Apr 88 17:49:20 EDT
Bad PKARC
** no subject, date = Mon, 25 Apr 88 18:19:00 EST
RE: Bad PKARC
RE: Bad PKARC
** no subject, date = Mon, 25 Apr 88 19:15:07 EDT
** no subject, date = Mon, 25 Apr 88 23:50:00 EDT

--------------------

Date:         Mon, 25 Apr 88 10:47:44 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Virus seminar at local University



I don't have real good details on this (I saw a flyer on it, but don't
remember all the details), but there's going to be a free virus seminar
(that is, open to the public...) at LaSalle University in Philadelphia, PA
on either April 27 or 28.  Perhaps someone out there on the net has
better descriptions and could let us all know?  I'm not sure of the
agenda either, but it could be worth attending for anyone that's interested.

On another matter, we're up to 92 subscribers on the list, and growing
rapidly!  Hopefully, this will turn into a worthwhile discussion group
once people start using it.  Let's see some participation...

How about a discussion on the "Brain" virus to start things off?  I have
reports of it getting as far as Miami now.  How about someone out there
sending to the list some details on how it works so that we can try to
contain it a bit better?


Ken

- ----------------------------------------------------------------------
= Kenneth R. van Wyk                   = If found wandering aimlessly, =
= User Services Senior Consultant      =   please feed and return...   =
= Lehigh University Computing Center   =-------------------------------=
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =         This just in:         =
= BITNET:   <LUKEN@LEHIIBM1>           =  Humptey Dumptey was pushed!  =
- ----------------------------------------------------------------------

--------------------

Date:         Mon, 25 Apr 88 11:25:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         GILL@QUCDNAST
Subject:      Anti-viral agents spread


     I joined this discussion as I got a message through the HZ-110
internet discussion, and started thinking hard about viruses as I was
playing around with FLUSHOT on the weekend.  Queen's University is
dedicated to IBM-PCs (well actually Zeniths and PS/2s) as the micro of
choice for undergrad engineers.  With the sale of a machine, the
students are given a comprehensive software package that they will be
using during the year in their classes.  However, there are no anti-virus
programs included in this package!  At a time when virus programs are
beginning to proliferate, this seems to me to be a major oversight.

     Hence, I am giving Computing Services copies of all of the anti-
virus programs that I have obtained over the last few months, and
promoting the inclusion of these programs in the engineer's software
package (if not in the operating system package so everyone has it).
Since these are all public domain, if not completely free, similar steps
should be taken at all universities across North America that support
some type of microcomputer for student usage.

     Since this is a virus forum, I would suggest that everyone attempt
to introduce a similar program at their affiliated institution.  For
access to these anti-viral programs, I suggest you check out the
SIMTEL20 public domain libraries (MSDOS only as far as I know).  These
can be reached through the LISTSERVer at RPICICGE (on a BITNET node).  I
am not sure what the ARPANET location is, but I believe that it may
actually be SIMTEL20 itself.  (The LISTSERV@RPICICGE just has a copy of
the library for BITNET users.)  For those in the know about ARPANET,
perhaps they could supply the missing information.

     In case anyone is wondering, the programs that I will be pushing
are BOMBSQAD, FLUSHOT+, and CHK4BOMB.  I am in no way affiliated with
the authors of any of these programs, but they are all I got!

Arnold Gill
Queen's University at Kingston

--------------------

Date:         Mon, 25 Apr 88 12:32:30 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         -=*REB*=- <RB00@LEHIGH>
Subject:      Anti-virus programs

>    In case anyone is wondering, the programs that I will be pushing
>re BOMBSQAD, FLUSHOT+, and CHK4BOMB.  I am in no way affiliated with
>he authors of any of these programs, but they are all I got!

As far as I know, BombSqad and Chk4Bomb are *NOT* public domain or
ShareWare programs!  There was an unauthorized release of them a while
back.  I believe the programmer released them without the consent of his
employer.  Also, these two programs are not designed to squash the
spread of viruses.  They are aimed at programs (viruses or not) which
intentionally try to wipe out data.  BombSqad traps disk writes.
Chk4Bomb checks a program to see if it contains code to do absolute disk
writes.
                                          Richard Baum
    _______________________________________________________________
   /  From: -=*REB*=-                                              ",
  /FoneNet: (0010 0001 0101) 1000 0110 0111-1000 0100 0011 0011 BCD ",
 /InterNet: kREBaum@Vax1.CC.Lehigh.EDU    BitNet: RB00@Lehigh.Bitnet ",
/  SlowNet: 508 E 4th St. (positively) Suite #1, Bethlehem, PA 18015  ",
!----------------------------------------------------------------------!
! The Brent Z*ne!                                                      !
"----------------------------------------------------------------------"

--------------------

Date:         Mon, 25 Apr 88 13:11:53 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Re: Anti-viral agents spread
In-Reply-To:  Message of Mon, 25 Apr 88 11:25:00 EST from <GILL@QUCDNAST>

>     Hence, I am giving Computing Services copies of all of the anti-
>virus programs that I have obtained over the last few months, and
>promoting the inclusion of these programs in the engineer's software
>package (if not in the operating system package so everyone has it).
>Since these are all public domain, if not completely free, similar steps
>should be taken at all universities across North America that support
>some type of microcomputer for student usage.

Not completely true.  Only a few of the anti-virus packages, to date, are
in the public domain; most of them are relatively simple.  Some of the
more thorough packages, like Data Physician, cost money (!) and may or
may not meet your needs.  Dr. Fred Cohen feels that no anti-virus software
could work 100% of the time; they merely reduce the risk of virus infection.

>     Since this is a virus forum, I would suggest that everyone attempt
>to introduce a similar program at their affiliated institution.  For
>access to these anti-viral programs, I suggest you check out the
>SIMTEL20 public domain libraries (MSDOS only as far as I know).  These
>can be reached through the LISTSERVer at RPICICGE (on a BITNET node).  I
>am not sure what the ARPANET location is, but I believe that it may
>actually be SIMTEL20 itself.  (The LISTSERV@RPICICGE just has a copy of
>the library for BITNET users.)  For those in the know about ARPANET,
>perhaps they could supply the missing information.

The LISTSERV up there is great for BITNET only sites to get files from
SIMTEL20, but it's very slow, and not very reliable.  Still, it's
worth looking into.

>     In case anyone is wondering, the programs that I will be pushing
>are BOMBSQAD, FLUSHOT+, and CHK4BOMB.  I am in no way affiliated with
>the authors of any of these programs, but they are all I got!

BOMBSQAD and CHK4BOMB are actually unauthorized public domain releases
of non-public domain programs written by Panda Systems, Inc.  Both are
quite easy to fool.  Look out for FLUSHOT 4 - it is a TROJAN!  The last
official release of FLUSHOT is 3!

The ideas here are great - certainly more care must be taken at different
sites in protecting against viruses.  But, I'm not sure whether public domain
programs - particularly when distributed without source code - is the answer.
You get what you pay for!


Ken

- ----------------------------------------------------------------------
= Kenneth R. van Wyk                   = If found wandering aimlessly, =
= User Services Senior Consultant      =   please feed and return...   =
= Lehigh University Computing Center   =-------------------------------=
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =         This just in:         =
= BITNET:   <LUKEN@LEHIIBM1>           =  Humptey Dumptey was pushed!  =
- ----------------------------------------------------------------------

--------------------

Date:         Mon, 25 Apr 88 14:05:23 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         msmith@topaz.rutgers.edu
Subject:      Re: Anti-viral agents spread
In-Reply-To:  <8804251734.AA14073@topaz.rutgers.edu> (LUKEN@lehiibm1.bitnet)

Actually, the newest release of FLUSHOT is FLUSHOT+.  FLUSHOT4 is a
TROJAN!  He renamed it especially to avoid the trojan.
Mark Smith
- --
Mark Smith (alias Smitty) "Be careful when looking into the distance,
RPO 1604, CN 5063        that you do not miss what is right under your nose."
New Brunswick, NJ 08903   {backbone}!rutgers!topaz.rutgers.edu!msmith
msmith@topaz.rutgers.edu <This space for rent, I can't think of anything>

--------------------

Date:         Mon, 25 Apr 88 15:27:50 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Mark Powers <MP14STAF@MIAMIU>
Subject:      Virus at Miami University

As someone noted earlier, Miami University has been infected by the BRAIN
virus.  We have also noticed a Macintosh virus on campus.  We have experienced
some data loss.  We are still looking in to the situation and will report
back to the list when we have more concrete information.



                     Mark Powers

                     Miami University Academic Computer Service

--------------------

Date:         Mon, 25 Apr 88 15:51:46 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Re: Virus at Miami University
In-Reply-To:  Message of Mon, 25 Apr 88 15:27:50 EST from <MP14STAF@MIAMIU>

>We have also noticed a Macintosh virus on campus.

What are the symptoms of the Mac virus; perhaps there's a Mac expert
(certainly not me!) out there who might be able to help out?

The Brain virus hides in the boot tracks of your disk.  Perhaps someone
on the list has a program that'll remove the Brain virus without having
to re-format the infected floppy?  If not, the only thing that other
places have done so far is to re-format any infected disk(s).  FYI, the
authors' names, addresses, and phone numbers are stored in ASCII within
the virus code itself - you can use Norton (or another disk utility program)
to look at it...  Also, the Brain virus can only infect a 5 1/4" floppy;
it currently won't affect a 3 1/2" or a hard drive.

Has anyone disassembled the Brain virus?  If so, what system interrupts
does it use to propagate?  Chances are fairly good that even one of the
simpler anti-virus packages would be able to stop it - if anyone has
tested FLUSHOT+, or another program, against it, let's hear about it!

>                             Mark Powers

Ken

- ----------------------------------------------------------------------
= Kenneth R. van Wyk                   = If found wandering aimlessly, =
= User Services Senior Consultant      =   please feed and return...   =
= Lehigh University Computing Center   =-------------------------------=
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =         This just in:         =
= BITNET:   <LUKEN@LEHIIBM1>           =  Humptey Dumptey was pushed!  =
- ----------------------------------------------------------------------
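Ken asks above how Brain works and whether it can be spotted without reformatting; Loren's post later in this digest adds that it rewrites the volume label to "(C) Brain" and marks sectors bad, and Ken notes the authors' text sits in ASCII inside the virus code. The following Python is an added example, not code from any list member: it reads a FAT12 floppy image and reports all three indicators. Both images it scans are constructed in-line, the set of strings a clean boot sector is expected to hold is an assumed baseline, and the "author text" in the infected image is a placeholder.

```python
"""Heuristic scan of a FAT12 floppy image for the footprint the digest
attributes to Brain: a "(C) Brain" label, clusters flagged bad in the FAT,
and extra ASCII text in the boot sector.  Both images are constructed."""
import struct

BAD_CLUSTER = 0xFF7   # FAT12 value that marks a cluster unusable
LABEL_ATTR = 0x08     # root-directory attribute byte of a volume label
SECTOR = 512
# Assumed baseline of printable runs in a clean DOS 3.3-style boot sector.
CLEAN_STRINGS = {"IBM  3.3", "Non-System disk or disk error"}

def parse_bpb(boot):
    """Read the BIOS Parameter Block fields we need from sector 0."""
    (bps, spc, reserved, nfats, root_entries,
     total, _media, spf) = struct.unpack_from("<HBHBHHBH", boot, 11)
    return {"bps": bps, "spc": spc, "reserved": reserved, "nfats": nfats,
            "root_entries": root_entries, "total": total, "spf": spf}

def fat12_entry(fat, n):
    """Unpack 12-bit entry n; entries are packed 1.5 bytes apart."""
    word = struct.unpack_from("<H", fat, n + n // 2)[0]
    return word >> 4 if n & 1 else word & 0x0FFF

def set_fat12_entry(fat, n, value):
    """Inverse of fat12_entry, used only to build the sample images."""
    off = n + n // 2
    word = struct.unpack_from("<H", fat, off)[0]
    word = (word & 0x000F) | (value << 4) if n & 1 else (word & 0xF000) | value
    struct.pack_into("<H", fat, off, word)

def bad_clusters(image, bpb):
    """Numbers of every data cluster the first FAT marks bad."""
    fat = image[bpb["reserved"] * bpb["bps"]:][:bpb["spf"] * bpb["bps"]]
    root_sectors = bpb["root_entries"] * 32 // bpb["bps"]
    data_start = bpb["reserved"] + bpb["nfats"] * bpb["spf"] + root_sectors
    nclusters = (bpb["total"] - data_start) // bpb["spc"]
    return [n for n in range(2, nclusters + 2)
            if fat12_entry(fat, n) == BAD_CLUSTER]

def volume_label(image, bpb):
    """Volume-label entry of the root directory, or None."""
    off = (bpb["reserved"] + bpb["nfats"] * bpb["spf"]) * bpb["bps"]
    for i in range(bpb["root_entries"]):
        e = image[off + 32 * i:off + 32 * i + 32]
        if e[0] == 0x00:             # no more entries in use
            break
        if e[0] != 0xE5 and e[11] == LABEL_ATTR:   # 0xE5 marks a deleted entry
            return e[:11].decode("ascii", "replace").rstrip()
    return None

def printable_runs(blob, min_len=8):
    """ASCII runs in a sector, as one would spot them in a disk editor."""
    runs, cur = [], bytearray()
    for b in bytes(blob) + b"\x00":  # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs

def scan_floppy(image):
    """Report the three Brain indicators for one image."""
    boot = image[:SECTOR]
    bpb = parse_bpb(boot)
    label = volume_label(image, bpb)
    bad = bad_clusters(image, bpb)
    unexpected = [s for s in printable_runs(boot) if s not in CLEAN_STRINGS]
    # Bad clusters alone happen on worn media; with a rewritten label or
    # new boot-sector text they match what the digest describes.
    suspicious = bool(label and "brain" in label.lower()) or bool(bad and unexpected)
    return {"label": label, "bad_clusters": bad,
            "unexpected_boot_text": unexpected, "suspicious": suspicious}

def make_floppy(label=None, bad=(), boot_text=b""):
    """Constructed 360K layout: boot sector, two 2-sector FATs, 112 root entries."""
    boot = bytearray(SECTOR)
    boot[0:3], boot[3:11] = b"\xEB\x34\x90", b"IBM  3.3"
    struct.pack_into("<HBHBHHBH", boot, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    boot[300:329] = b"Non-System disk or disk error"
    boot[400:400 + len(boot_text)] = boot_text
    boot[510:512] = b"\x55\xAA"
    fat = bytearray(2 * SECTOR)
    set_fat12_entry(fat, 0, 0xFFD)   # media descriptor copy, then end-of-chain
    set_fat12_entry(fat, 1, 0xFFF)
    for n in bad:
        set_fat12_entry(fat, n, BAD_CLUSTER)
    root = bytearray(112 * 32)
    if label:
        root[0:11] = label.encode("ascii").ljust(11)
        root[11] = LABEL_ATTR
    return bytes(boot + fat + fat + root)

CLEAN = make_floppy()
INFECTED = make_floppy(label="(C) Brain", bad=(8, 9, 10),
                       boot_text=b"CONSTRUCTED placeholder for author text")
```

Running `scan_floppy` on a real image read from a floppy needs a CLEAN_STRINGS baseline taken from a known-good disk of the same DOS version.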

--------------------

Date:         Mon, 25 Apr 88 17:49:20 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

Well Folks,

There have been quite a few comments made to start off the list, let
me try to reply to a few of them, answer a few questions and correct
a few statements made so far.

Definitions Department:

    Virus:  Some program which attaches itself to other programs
            generally to do some sort of damage later on.  It's a
            program which replicates itself.

    Trojan Horse:  A program which pretends to have some useful
            function, and usually just destroys your hard drive
            or files somehow.

    Time Bomb:  A program which runs several times before "blowing
            up" and taking something with it.

Although these are simple definitions, for people who didn't understand,
I think they are necessary.

Commercially available anti-viral programs:  There are MANY!

    The problem is that most of the public domain programs are very
    limited in ability and aren't going to protect your files against
    all of the present damaging viruses.  Flushot is not bad, but
    it does not take care of most viruses.  It does a nice job wiping
    the Lehigh Virus and several others, but I don't believe it is
    general enough to take care of most viruses.  Testing it, I've
    found a few problems.  There are two public domain programs
    being circulated called Vaccine.  One of them isn't bad.  The
    name is in trouble though.  A company called "FoundationWare" out
    of Ohio has the name Trademarked.

    There are a few good packages for sale.    The aforementioned
    Vaccine package by FoundationWare is quite good.  I would never
    use it however.  It is indicative of most anti-viral packages.
    What they do is lock up the system so that no executable or
    command file can change.  Whether they do it by CRC check or
    some other check, they keep the user from editing programs.
    You cannot write programs in such an environment.  Although
    this is great for businesses.

    We of Lehigh Valley Innovative Technologies have been working for
    several months on the 'perfect' anti-virus design.  We should
    be releasing it in the next 2 - 3 weeks.  We would like feedback
    on it when it is released.  We will have versions for MS-DOS
    and Macintoshes as well.

Comments:

    I'd like to explain the quote of Fred Cohen made by Ken.  Fred,
    incidentally, is the premier name in viruses.  He has fashioned
    his career on working on them.  I knew him when he used to teach
    at Lehigh University.  A brilliant man, although I never got
    along with him.   What he was saying was that you may be able
    to create a package which wipes out all present viruses, but someone
    will always be able to find a way around it if they spend enough
    time working on it.

    That brings my next point up.  It's our job to create a virus
    busting program which will stop every currently known virus, AND
    be as hard as possible to crack or to find a way around.

    Which brings up my third point:  I read your comment, Ken, about
    ten times, and I still don't understand it.   I don't believe
    public domain programs are the answer at all.  I believe we should
    use commercially available fixes.    But, likewise, you mention
    that public domain virus-fixes should be given with source code.
    If we want to make the perfect fix... one that will take the
    virus writer infinitely long to break, then we do NOT want source
    code EVER given out, or even the details of how the system works!

Viruses:

    Let me go over some existing viruses, so people know what to watch
    out for:

    Lehigh Virus:  The Lehigh Virus injects itself into MS-DOS Command.Com.
    I, along with Chris Bracy, Joe Sieczkowski, and Mitchel Ludwig solved
    this particular virus for Lehigh University.  The virus will copy
    itself 4 times into other command.com files, and after the fourth,
    will explode, taking with it any files on any disks in the drives and
    your hard disk too.  What to watch for?  Watch the write date on
    command.com, it changes when the Lehigh Virus goes.  To protect against
    it, attrib +r your command files, and you won't have a problem.

    Israeli Virus:  Not much is known.  It apparently attaches itself
    to all executable files, appending itself to the end of the file.
    Watch for growing files.

    Brain Virus:  The brain virus has hit everywhere.  We have seen
    examples of it out at UCSF and UCB, as well as the east coast.
    All the brain virus does is change the label of the disk to (C)
    Brain, and mark floppy sectors as bad (unused sectors).  It is
    not incredibly destructive but very annoying.

    PKArc:  There is a bad version of PKArc floating around that
    wipes your hard disk.

    MacKiller:  Is a nasty little virus that was apparently written
    by an MS-DOS lover.   The problem isn't yet widespread, but it's
    a Mac virus we have now encountered.

    And many others.  BE CAREFUL!



                         Loren K Keim


.----------------------------------------------------------------------------.
|                            Loren K Keim                                    |
|----------------------------------------------------------------------------|
|  Keim Enterprises - Consulting / Programming                               |
|  Lehigh Valley Innovative Technologies - Software and Hardware             |
|  Century 21 Loren Keim -  Commercial / Industrial / Residential            |
|  Lehigh University  - Consulting / Programming                             |
|----------------------------------------------------------------------------|
| Virus Busting Team: Loren Keim, Chris Bracy, Joe Sieczkowski, Mitch Ludwig |
|____________________________________________________________________________|

--------------------

Date:         Mon, 25 Apr 88 18:17:46 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         David.Slonosky@QueensU.CA
Subject:      Bad PKARC
In-Reply-To:  <QUCDN.X400GATE:LKUK1py7*>

How can you tell if you have a bad PKARC? I just got one from
and, although I'm sure it's reputable, was just wondering if there
was any obvious way to tell the difference.

--------------------

Date:         Mon, 25 Apr 88 18:19:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Mitchel Ludwig <KMFLUDW@VAX1.CC.LEHIGH.EDU>

 Loren Keim writes :

>    I'd like to explain the quote of Fred Cohen made by Ken.  Fred,
>    incidentally, is the premier name in viruses.  He has fashioned
>    his career on working on them.  I knew him when he used to teach
>    at Lehigh University.  A brilliant man, although I never got
>    along with him.   What he was saying was that you may be able
>    to create a package which wipes out all present viruses, but someone
>    will always be able to find a way around it if they spend enough
>    time working on it.

    I was unaware of this.  From what I have heard concerning
this, I thought Fred's main point was that there was *NO* way to wipe
out all present viruses.  To do so, he said, would require one hell of
a computer and one hell of a lot of time.  From knowing him, and the
way he taught his courses, and the things he told me, his biggest push
was in the very area you seem to put down, that of preventative
maintenance.  It was always (In class) a stressed point that the best
offense against these things was a good defense.  I took a course with
him one semester where he would daily express his distastes for us to
hear.  His biggest was that the Lehigh software loan out system was
the way it was, so vulnerable.  Had we defended against a virus
beforehand, perhaps the problem would never have occurred.

>    That brings my next point up.  It's our job to create a virus
>    busting program which will stop every currently known virus, AND
>    be as hard as possible to crack or to find a way around.

    Go for it.  You'll never do it though.  Don't mean to sound
the pessimist, but you'll never do it.  An hour after you release your
program there will be 100 ways around it.  It's the nature of things.
Look at copy protection.  Have the increased efforts of the software
manufacturing companies done any good?  No, all they have done is
bring rise to a better class of pirates.  The challenge is just too
great to be ignored.

>    Which brings up my third point:  I read your comment, Ken, about
>    ten times, and I still don't understand it.   I don't believe
>    public domain programs are the answer at all.  I believe we should
>    use commercially available fixes.    But, likewise, you mention
>    that public domain virus-fixes should be given with source code.
>    If we want to make the perfect fix... one that will take the
>    virus writer infinitely long to break, then we do NOT want source
>    code EVER given out, or even the details of how the system works!

    Granted (Sorry Ken, but he *HAS* got a point :-)

                            Tag... You're it
____________   ____/--\____                              //-n-\\
\______  ___) (   _    ____)                     _____---=======---_____
     __\ \____/  / `--'                      ====____\   /.. ..\   /____====
     )           `|=(- - - - - - - - - - -*//         ---\__O__/---         \\
     \------------'                        \_\                             /_/

     BITnet : MFL1@lehigh.bitnet                Phonet : 215-758-1381
     INTnet : KMFLUDW@vax1.cc.lehigh.edu        Slonet : Box 72 Lehigh Univ.
                                                         Bethlehem, PA 18015

--------------------

Date:         Mon, 25 Apr 88 18:25:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Mitchel Ludwig <KMFLUDW@VAX1.CC.LEHIGH.EDU>
Subject:      RE: Bad PKARC


>How can you tell if you have a bad PKARC? I just got one from
>and, although I'm sure it's reputable, was just wondering if there
>was any obvious way to tell the difference.

    You could run it...  But seriously, try it on a machine
without a hard drive, that won't cause problems for your whole world
if it *is* a bad boy.

    No other way except if you had a good copy and did a compare.
From what I know, the bad copy is exactly the same size and stuff so
that won't be of any help...

                    Mitch


                            Tag... You're it
____________   ____/--\____                              //-n-\\
\______  ___) (   _    ____)                     _____---=======---_____
     __\ \____/  / `--'                      ====____\   /.. ..\   /____====
     )           `|=(- - - - - - - - - - -*//         ---\__O__/---         \\
     \------------'                        \_\                             /_/

     BITnet : MFL1@lehigh.bitnet                Phonet : 215-758-1381
     INTnet : KMFLUDW@vax1.cc.lehigh.edu        Slonet : Box 72 Lehigh Univ.
                                                         Bethlehem, PA 18015

--------------------

Date:         Mon, 25 Apr 88 18:37:17 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         msmith@topaz.rutgers.edu
Subject:      RE: Bad PKARC
In-Reply-To:  <8804252233.AA01772@topaz.rutgers.edu>
              (KMFLUDW@vax1.cc.lehigh.edu)

From what I know, the bad version of PKARC is called PKX35B35.EXE,
while the real PKARC is PKX35A35.EXE.  X stands for Xtract, and A for
Archive, so the person who made this thought A was a revision mark,
and named his B.
Mark
- --
Mark Smith (alias Smitty) "Be careful when looking into the distance,
RPO 1604, CN 5063        that you do not miss what is right under your nose."
New Brunswick, NJ 08903   {backbone}!rutgers!topaz.rutgers.edu!msmith
msmith@topaz.rutgers.edu <This space for rent, I can't think of anything>

--------------------

Date:         Mon, 25 Apr 88 19:15:07 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

I think you misunderstood some of my point Mitch,

I agree that it is very hard, if not impossible, to eliminate all
existing viruses.  I do think that its possible to stop all viruses
I have encountered to date with one package.

It is not possible, as Fred Cohen has pointed out, to stop viruses
as a genre.  The reason is that a virus can always be written to
get around any program.  If we make a good enough program,
however, it will stop most (I hope) of those people out there
from writing them, simply because we'll make it too difficult
for some people to figure out ways around those viruses.

The reason we cannot stop viruses is, according to Fred,
because any string indeterminably carries a virus.  What this
means is that any data string could carry a virus, we do
not know whether or not it does because a computer interprets
everything to be data.

The only way to stop viruses is to deal with the ways they
affect the system, and stop them from happening.  That is why
most anti-viral programs lock up your system and don't allow
you to develop.

We have a few alternatives that we've been working on for a
while, and hopefully, they will slow down the spread of
viruses.

Any comments I make here concerning Fred are either from my
memory or from his text on Computer Security.  If I misquote
him in any way, I apologize, but I don't believe I have.

Loren Keim

--------------------

Date:         Mon, 25 Apr 88 23:50:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Roger Gonzalez <USERABFY@CLVM>
In-Reply-To:  Your message of Mon 25 Apr 88 19:15:07 EDT

Hello. I am a virus writer. I have never unleashed any of my nasties
into the public, and don't intend to either. I'm willing to share
some of my knowledge of my MS-DOS (Zenith, specifically) viruses,
although I'm sure that my methods are pretty common.

First: The motivation of this particular programmer
My viruses don't destroy, they annoy. I wrote the programs as a challenge
to myself, and to get back at a friend who played a practical joke on me.

My 3 viruses:
 1st: Spam
  Quite a simple program. It hooks into the disk read interrupt. When the
 code runs, it checks the length of command.com and copies itself onto the
 end. After generating 5 times, it prints "spam" at a random location on the
 screen. Programs like this are nasty, because when you do even a simple
 directory, the virus spreads.
 WHAT TO WATCH FOR IN THIS TYPE OF VIRUS: Abnormally long disk reads. If
 your instincts (you have to develop them) say that the light is on too
 long, watch out!

 2nd: Cookie Monster
  The idea was stolen from probably the very first virus. Same as Spam, with
 the following exceptions: It hooks into the FAT, it generates 10 times, and
 prints out "Gimme cookie" at random intervals. If you don't type OREO or
CHOCOLATE CHIP it changes the name of command.com to "munched" and prints
"never mind. found cookie". My first version deleted it, but this seemed
 cruel.

 3rd: Pac Man
  This little gem gets appended to MSDOS.SYS. It watches the vertical sync
interrupt, and makes a pac-man come out and eat a character off the screen.
The character reappears if you scroll the screen, but it's highly irritating.

Some points: Many viruses attach themselves to system files (IO.SYS, MSDOS.SYS,
COMMAND.COM) Record the lengths of these files each time you upgrade. It's
difficult to detect viruses attached to a normal program, but these are less
dangerous because they don't appear until you run that specific program. Disk
read interrupts are probably the most common way to "activate" the code. These
are also rarely changed by programs. The disk read is ideal for viruses because
they can sneak a check to see if there already is a virus on the disk. Vertical
sync, the timer, and the keyboard interrupts are all good activation candidates
so it seems to me that a vaccine program could be made for each version of DOS
to check that the interrupts are pointing where they ought to. Of course, if
you use TSR's, this would foul it all up, so you would have to run it on a
"unchanged" system. Also, watch for bad sectors. If you think that they look
suspicious, get a clean disk. I recommend using a clean disk rather than trying
to simply inoculate the old. I feel fairly confident that I could hide a
virus in such a way that it either could not be found by a program, or would
fool the program into thinking that it was important. Oh, one last thing. This
is pretty simple, but watch for invisible files. They are easy to detect using
many methods.

I hope this stuff helps a little. Yeesh, I must be growing up or something :-)
                                       -rg-

PS anyone want to hire me?
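Roger's closing advice to record the lengths of IO.SYS, MSDOS.SYS and COMMAND.COM, Loren's to watch the write date on COMMAND.COM, and the PKARC thread's point that the bad copy is exactly the same size as the good one, combined into one baseline-and-compare check. This Python is an added example, not code from any poster; the file contents, the write dates and the PKARC.EXE file name in demo() are constructed assumptions.

```python
"""Baseline-and-compare check for the files the digest says viruses attach
to (IO.SYS, MSDOS.SYS, COMMAND.COM) and for a replaced PKARC.  The posts
say to record lengths and watch write dates; a content hash is kept too,
because a same-size, same-date replacement slips past both.  Added example,
not code from the list; the files demo() builds are constructed."""
import hashlib
import json
import os
import tempfile

# Names to watch; PKARC.EXE is an assumed file name for the archiver.
WATCHED = ("IO.SYS", "MSDOS.SYS", "COMMAND.COM", "PKARC.EXE")

def fingerprint(path):
    """Length, write date and SHA-256 of one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}

def snapshot(directory, names=WATCHED):
    """Fingerprint every watched file present in directory."""
    return {n: fingerprint(os.path.join(directory, n)) for n in names
            if os.path.isfile(os.path.join(directory, n))}

def save_baseline(snap, path):
    """Write the baseline out; keep this copy on write-protected media."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=2)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, current):
    """{name: [reasons]} for every watched file that no longer matches."""
    findings = {}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings[name] = ["missing"]
            continue
        reasons = []
        if new["size"] > old["size"]:      # appended code (Lehigh, Israeli style)
            reasons.append("grew by %d bytes" % (new["size"] - old["size"]))
        elif new["size"] < old["size"]:
            reasons.append("shrank by %d bytes" % (old["size"] - new["size"]))
        if new["mtime"] != old["mtime"]:   # the "write date" the digest watches
            reasons.append("write date changed")
        if new["sha256"] != old["sha256"]: # catches same-size replacements
            reasons.append("contents changed")
        if reasons:
            findings[name] = reasons
    for name in current:
        if name not in baseline:
            findings[name] = ["not in baseline"]
    return findings

def demo():
    """Constructed scenario: baseline, then alter files the ways the posts describe."""
    stamp = 577929600                      # constructed write date, 25 Apr 1988 UTC
    with tempfile.TemporaryDirectory() as d:
        bodies = {"IO.SYS": b"\x00" * 1024, "MSDOS.SYS": b"\x01" * 2048,
                  "COMMAND.COM": b"CMD" * 500, "PKARC.EXE": b"PK" * 700}
        for name, body in bodies.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(body)
            os.utime(p, (stamp, stamp))
        save_baseline(snapshot(d), os.path.join(d, "baseline.json"))
        # COMMAND.COM has code appended: length and write date both move.
        p = os.path.join(d, "COMMAND.COM")
        with open(p, "ab") as f:
            f.write(b"\x90" * 555)
        os.utime(p, (stamp + 86400, stamp + 86400))
        # PKARC.EXE swapped for a same-size file that still shows the old date;
        # only the hash notices, which is the limit of the length/date advice.
        p = os.path.join(d, "PKARC.EXE")
        with open(p, "wb") as f:
            f.write(b"KP" * 700)
        os.utime(p, (stamp, stamp))
        return compare(load_baseline(os.path.join(d, "baseline.json")), snapshot(d))

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, ";", ", ".join(reasons))
```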
using during the year in their classes.  However, there are no anti-virus
programs included in this package!  At a time when virus programs are
beginning to proliferate, this seems to me to be a major oversight.

     Hence, I am giving Computing Services copies of all of the anti-
virus programs that I have obtained over the last few months, and
promoting the inclusion of these programs in the engineer's software
package (if not in the operating system package so everyone has it).
Since these are all public domain, if not completely free, similar steps
should be taken at all universities cross North America that support
some type of microcomputer for student usage.

     Since this is a virus forum, I would suggest that everyone attempt
to introduce a similar program at their affiliated institution.  For
access to these anti-viral programms, I suggest you check out the
SIMTEL20 public domain libraries (MSDOS only as far as I know).  These
can be reached through the LISTSERVer at RPICICGE (on a BITNET node).  I
am not sure what the ARPANET location is, but I believe that it may
actually be SIMTEL20 itself.  (The LISTSERV@RPICICGE just has a copy of
the library for BITNET users.)  For those in the know about ARPANET,
perhaps they could supply the missing information.

     In case anyone is wondering, the programs that I will be pushing
are BOMBSQAD, FLUSHOT+, and CHK4BOMB.  I am in no way affiliated with
the authors of any of these programs, but they are all I got!

Arnold Gill
Queen's University at Kingston

--------------------

Date:         Mon, 25 Apr 88 12:32:30 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         -=*REB*=- <RB00@LEHIGH>
Subject:      Anti-virus programs

>    In case anyone is wondering, the programs that I will be pushing
>re BOMBSQAD, FLUSHOT+, and CHK4BOMB.  I am in no way affiliated with
>he authors of any of these programs, but they are all I got!

As far as I know, BombSqad and Chk4Bomb are *NOT* public domain or
ShareWare programs!  There was an unathorized release of them a while
back.  I believe the programmer released them without the consent of his
employer.  Also, these two programs are not designed to squash the
spread of viruses.  They are aimed at programs (viruses or not) which
intentionally try to wipe out data.  BombSqad traps disk writes.
Chk4Bomb checks a program to see if it contains code to do absolute disk
writes.
                                          Richard Baum
    _______________________________________________________________
   /  From: -=*REB*=-                                              ",
  /FoneNet: (0010 0001 0101) 1000 0110 0111-1000 0100 0011 0011 BCD ",
 /InterNet: kREBaum@Vax1.CC.Lehigh.EDU    BitNet: RB00@Lehigh.Bitnet ",
/  SlowNet: 508 E 4th St. (positively) Suite #1, Bethlehem, PA 18015  ",
!----------------------------------------------------------------------!
! The Brent Z*ne!                                                      !
"----------------------------------------------------------------------"

--------------------

Date:         Mon, 25 Apr 88 13:11:53 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Re: Anti-viral agents spread
In-Reply-To:  Message of Mon, 25 Apr 88 11:25:00 EST from <GILL@QUCDNAST>

>     Hence, I am giving Computing Services copies of all of the anti-
>virus programs that I have obtained over the last few months, and
>promoting the inclusion of these programs in the engineer's software
>package (if not in the operating system package so everyone has it).
>Since these are all public domain, if not completely free, similar steps
>should be taken at all universities cross North America that support
>some type of microcomputer for student usage.

Not completely true.  Only a few of the anti-virus packages, to date, are
in the public domain; most of them are relatively simple.  Some of the
more thorough packages, like Data Physician, cost money (!) and may or
may not meet your needs.  Dr. Fred Cohen feels that no anti-virus software
could work 100% of the time; they merely reduce the risk of virus infection.

>     Since this is a virus forum, I would suggest that everyone attempt
>to introduce a similar program at their affiliated institution.  For
>access to these anti-viral programms, I suggest you check out the
>SIMTEL20 public domain libraries (MSDOS only as far as I know).  These
>can be reached through the LISTSERVer at RPICICGE (on a BITNET node).  I
>am not sure what the ARPANET location is, but I believe that it may
>actually be SIMTEL20 itself.  (The LISTSERV@RPICICGE just has a copy of
>the library for BITNET users.)  For those in the know about ARPANET,
>perhaps they could supply the missing information.

The LISTSERV up there is great for BITNET only sites to get files from
SIMTEL20, but it's very slow, and not very reliable.  Still, it's
worth looking into.

>     In case anyone is wondering, the programs that I will be pushing
>are BOMBSQAD, FLUSHOT+, and CHK4BOMB.  I am in no way affiliated with
>the authors of any of these programs, but they are all I got!

BOMBSQAD and CHK4BOMB are actually unauthorized public domain releases
of non-public domain programs written by Panda Systems, Inc.  Both are
quite easy to fool.  Look out for FLUSHOT 4 - it is a TROJAN!  The last
official release of FLUSHOT is 3!

The ideas here are great - certainly more care must be taken at different
sites in protecting against viruses.  But, I'm not sure whether public domain
programs - particularly when distributed without source code - is the answer.
You get what you pay for!


Ken

- ----------------------------------------------------------------------
= Kenneth R. van Wyk                   = If found wandering aimlessly, =
= User Services Senior Consultant      =   please feed and return...   =
= Lehigh University Computing Center   =-------------------------------=
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =         This just in:         =
= BITNET:   <LUKEN@LEHIIBM1>           =  Humptey Dumptey was pushed!  =
- ----------------------------------------------------------------------

--------------------

Date:         Mon, 25 Apr 88 14:05:23 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         msmith@topaz.rutgers.edu
Subject:      Re: Anti-viral agents spread
In-Reply-To:  <8804251734.AA14073@topaz.rutgers.edu> (LUKEN@lehiibm1.bitnet)

Actually, the newest release of FLUSHOT is FLUSHOT+.  FLUSHOT4 is a
TROJAN!  He renamed it especially to avoid the trojan.
Mark Smith
- --
Mark Smith (alias Smitty) "Be careful when looking into the distance,
RPO 1604, CN 5063        that you do not miss what is right under your nose."
New Brunswick, NJ 08903   {backbone}!rutgers!topaz.rutgers.edu!msmith
msmith@topaz.rutgers.edu <This space for rent, I can't think of anything>

--------------------

Date:         Mon, 25 Apr 88 15:27:50 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Mark Powers <MP14STAF@MIAMIU>
Subject:      Virus at Miami University

As someone noted earlier, Miami University has been infected by the BRAIN
virus.  We have also noticed a Macintosh virus on campus.  We have experienced
some data loss.  We are still looking in to the situation and will report
back to the list when we have more concrete information.



                     Mark Powers

                     Miami University Academic Computer Service

--------------------

Date:         Mon, 25 Apr 88 15:51:46 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Re: Virus at Miami University
In-Reply-To:  Message of Mon, 25 Apr 88 15:27:50 EST from <MP14STAF@MIAMIU>

>We have also noticed a Macintosh virus on campus.

What are the symptoms of the Mac virus; perhaps there's a Mac expert
(certainly not me!) out there who might be able to help out?

The Brain virus hides in the boot tracks of your disk.  Perhaps someone
on the list has a program that'll remove the Brain virus without having
to re-format the infected floppy?  If not, the only thing that other
places have done so far is to re-format any infected disk(s).  FYI, the
authors' names, addresses, and phone numbers are stored in ASCII within
the virus code itself - you can use Norton (or another disk utility program)
to look at it...  Also, the Brain virus can only infect a 5 1/4" floppy;
it currently won't affect a 3 1/2" or a hard drive.

Has anyone disassembled the Brain virus?  If so, what system interrupts
does it use to propogate?  Chances are fairly good that even one of the
simpler anti-virus packages would be able to stop it - if anyone has
tested FLUSHOT+, or another program, against it, let's hear about it!

>                             Mark Powers

Ken

- ----------------------------------------------------------------------
= Kenneth R. van Wyk                   = If found wandering aimlessly, =
= User Services Senior Consultant      =   please feed and return...   =
= Lehigh University Computing Center   =-------------------------------=
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =         This just in:         =
= BITNET:   <LUKEN@LEHIIBM1>           =  Humptey Dumptey was pushed!  =
- ----------------------------------------------------------------------

--------------------

Date:         Mon, 25 Apr 88 17:49:20 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

Well Folks,

There have been quite a few comments made to start off the list, let
me try to reply to a few of them, answer a few questions and correct
a few statements made so far.

Definitions Department:

    Virus:  Some program which attaches itself to other programs
            generally to do some sort of damage later on.  Its a
            program which replicates itself.

    Trojan Horse:  A program which pretends to have some useful
            function, and usually just destroys your hard drive
            or files somehow.

    Time Bomb:  A program which runs several times before "blowing
            up" and taking something with it.

Although these are simple definitions, for people who didn't understand,
I think they are necessary.

Commercially available anti-viral programs:  There are MANY!

    The problem is that most of the public domain programs are very
    limited in ability and aren't going to protect your files against
    all of the present damaging viruses.  Flushot is not bad, but
    it does not take care of most viruses.  It does a nice job wiping
    the Lehigh Virus and several others, but I don't believe it is
    general enough to take care of most viruses.  Testing it, I've
    found a few problems.  There are two public domain programs
    being circulated called Vaccine.  One of them isn't bad.  The
    name is in trouble though.  A company called "FoundationWare" out
    of Ohio has the name Trademarked.

    There are a few good packages for sale.    The aforementioned
    Vaccine package by FoundationWare is quite good.  I would never
    use it however.  It is indicative of most anti-viral packages.
    What they do is lock up the system so that no executable or
    command file can change.  Whether they do it by CRC check or
    some other check, they keep the user from editing programs.
    You cannot write programs in such an environment.  Although
    this is great for businesses.

    We of Lehigh Valley Innovative Technologies have been working for
    several months on the 'perfect' anti-virus design.  We should
    be releasing it in the next 2 - 3 weeks.  We would like feedback
    on it when it is released.  We will have versions for MS-DOS
    and Macintosh's as well.

Comments:

    I'd like to explain the quote of Fred Cohen made by Ken.  Fred,
    incidently, is the premier name in viruses.  He has fashioned
    his career on working on them.  I knew him when he used to teach
    at Lehigh University.  A brilliant man, although I never got
    along with him.   What he was saying was that you may be able
    to create a package which wipes out all present viruses, but someone
    will always be able to find a way around it if they spend enough
    time working on it.

    That brings my next point up.  Its our job to create a virus
    busting program which will stop every currently known virus, AND
    be as hard as possible to crack or to find a way around.

    Which brings up my third point:  I read your comment, Ken, about
    ten times, and I still don't understand it.   I don't believe
    public domain programs are the answer at all.  I believe we should
    use commercially available fixes.    But, likewise, you mention
    that public domain virus-fixes should be given with source code.
    If we want to make the perfect fix... one that will take the
    virus writer infinitely long to break, then we do NOT want source
    code EVER given out, or even the details of how the system works!

Viruses:

    Let me go over some existing viruses, so people know what to watch
    out for:

    Lehigh Virus:  The Lehigh Virus injects itself into MS-DOS Command.Com.
    I, along with Chris Bracy, Joe Sieczkowski, and Mitchel Ludwig solved
    this particular virus for Lehigh University.  The virus will copy
    itself 4 times into other command.com files, and after the fourth,
    will explode, taking with it any files on any disks in the drives and
    your hard disk too.  What to watch for?  Watch the write date on
    command.com, it changes when the Lehigh Virus goes.  To protect against
    it, attrib +r your command files, and you won't have a problem.

    Israeli Virus:  Not much is known.  It apparently attaches itself
    to all executable files, appending itself to the end of the file.
    Watch for growing files.

    Brain Virus:  The brain virus has hit everywhere.  We have seen
    examples of it out at UCSF and UCB, as well as the east coast.
    All the brain virus does is change the label of the disk to (C)
    Brain, and mark floppy sectors as bad (unused sectors).  It is
    not incredibly destructive but very annoying.

    PKArc:  There is a bad version of PKArc floating around that
    wipes your hard disk.

    MacKiller:  Is a nasty little virus that was apparently written
    by an MS-DOS lover.   The problem isn't yet widespread, but its
    a Mac virus we have now encountered.

    And many others.  BE CAREFUL!



                         Loren K Keim


.----------------------------------------------------------------------------.
|                            Loren K Keim                                    |
|----------------------------------------------------------------------------|
|  Keim Enterprises - Consulting / Programming                               |
|  Lehigh Valley Innovative Technologies - Software and Hardware             |
|  Century 21 Loren Keim -  Commercial / Industrial / Residential            |
|  Lehigh University  - Consulting / Programming                             |
|----------------------------------------------------------------------------|
| Virus Busting Team: Loren Keim, Chris Bracy, Joe Sieczkowski, Mitch Ludwig |
|____________________________________________________________________________|

--------------------

Date:         Mon, 25 Apr 88 18:17:46 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         David.Slonosky@QueensU.CA
Subject:      Bad PKARC
In-Reply-To:  <QUCDN.X400GATE:LKUK1py7*>

How can you tell if you have a bad PKARC? I just got one from
and, although I'm sure it's reputable, was just wondering if there
was any obvious way to tell the difference.

--------------------

Date:         Mon, 25 Apr 88 18:19:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Mitchel Ludwig <KMFLUDW@VAX1.CC.LEHIGH.EDU>

 Loren Keim writes :

>    I'd like to explain the quote of Fred Cohen made by Ken.  Fred,
>    incidently, is the premier name in viruses.  He has fashioned
>    his career on working on them.  I knew him when he used to teach
>    at Lehigh University.  A brilliant man, although I never got
>    along with him.   What he was saying was that you may be able
>    to create a package which wipes out all present viruses, but someone
>    will always be able to find a way around it if they spend enough
>    time working on it.

    I was unaware of this.  From what I have heard concerning
this, I thought Fred's main point was that there was *NO* way to wipe
out all present viruses.  To do so, he said, would require one hell of
a computer and one hell of alot of time.  From knowing him, and the
way he taught his courses, and the things he told me, his biggest push
was in the very area you seem to put down, that of preventative
maintenence.  It was always (In class) a stressed point that the best
offense against these things was a good defense.  I took a course with
him one semester where he would daily express his distastes for us to
hear.  His biggest was that the Lehigh software loan out system was
the way it was, so vulnerable.  Had we defended against a virus
beforehand, perhaps the problem would never have occurred.

>    That brings my next point up.  Its our job to create a virus
>    busting program which will stop every currently known virus, AND
>    be as hard as possible to crack or to find a way around.

    Go for it.  You'll never do it though.  Don't mean to sound
the pessimest, but you'll never do it.  An hour after you release your
program there will be 100 ways around it.  It's the nature of things.
Look at copy protection.  Have the increased efforts of the software
manufacturing companies done any good?  No, all they have done is
bring rise to a better class of pirates.  The challenge is just too
great to be ignored.

>    Which brings up my third point:  I read your comment, Ken, about
>    ten times, and I still don't understand it.   I don't believe
>    public domain programs are the answer at all.  I believe we should
>    use commercially available fixes.    But, likewise, you mention
>    that public domain virus-fixes should be given with source code.
>    If we want to make the perfect fix... one that will take the
>    virus writer infinitely long to break, then we do NOT want source
>    code EVER given out, or even the details of how the system works!

    Granted (Sorry Ken, but he *HAS* got a point :-)

                            Tag... You're it
____________   ____/--\____                              //-n-\\
\______  ___) (   _    ____)                     _____---=======---_____
     __\ \____/  / `--'                      ====____\   /.. ..\   /____====
     )           `|=(- - - - - - - - - - -*//         ---\__O__/---         \\
     \------------'                        \_\                             /_/

     BITnet : MFL1@lehigh.bitnet                Phonet : 215-758-1381
     INTnet : KMFLUDW@vax1.cc.lehigh.edu        Slonet : Box 72 Lehigh Univ.
                                                         Bethlehem, PA 18015

--------------------

Date:         Mon, 25 Apr 88 18:25:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Mitchel Ludwig <KMFLUDW@VAX1.CC.LEHIGH.EDU>
Subject:      RE: Bad PKARC


>How can you tell if you have a bad PKARC? I just got one from
>and, although I'm sure it's reputable, was just wondering if there
>was any obvious way to tell the difference.

    You could run it...  But seriously, try it on a machine
without a hard drive, that won't cause problems for your whole world
if it *is* a bad boy.

    No other way except is you had a good copy and did a compare.
>From what I know, the bad copy is exactly the same size and stuff so
that wont be of any help...

                    Mitch


                            Tag... You're it
____________   ____/--\____                              //-n-\\
\______  ___) (   _    ____)                     _____---=======---_____
     __\ \____/  / `--'                      ====____\   /.. ..\   /____====
     )           `|=(- - - - - - - - - - -*//         ---\__O__/---         \\
     \------------'                        \_\                             /_/

     BITnet : MFL1@lehigh.bitnet                Phonet : 215-758-1381
     INTnet : KMFLUDW@vax1.cc.lehigh.edu        Slonet : Box 72 Lehigh Univ.
                                                         Bethlehem, PA 18015

--------------------

Date:         Mon, 25 Apr 88 18:37:17 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         msmith@topaz.rutgers.edu
Subject:      RE: Bad PKARC
In-Reply-To:  <8804252233.AA01772@topaz.rutgers.edu>
              (KMFLUDW@vax1.cc.lehigh.edu)

>From what I know, the bad version of PKARC is called PKX35B35.EXE,
while the real PKARC is PKX35A35.EXE.  X stands for Xtract, and A for
Archive, so the person who made this thought A was a revision mark,
and named his B.
Mark
- --
Mark Smith (alias Smitty) "Be careful when looking into the distance,
RPO 1604, CN 5063        that you do not miss what is right under your nose."
New Brunswick, NJ 08903   {backbone}!rutgers!topaz.rutgers.edu!msmith
msmith@topaz.rutgers.edu <This space for rent, I can't think of anything>

--------------------

Date:         Mon, 25 Apr 88 19:15:07 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

I think you misunderstood some of my point Mitch,

I agree that it is very hard, if not impossible, to eliminate all
existing viruses.  I do think that its possible to stop all viruses
I have encountered to date with one package.

It is not possible, as Fred Cohen has pointed out, to stop viruses
as a genre.  The reason is that a virus can always be written to
get around any program.  If was make a good enough program,
however, it will stop most (I hope) of those people out there
from writing them, simply because we'll make it too difficult
for some people to figure out ways around those viruses.

The reason we cannot stop viruses is, according to Fred,
because any string indeterminably carries a virus.  What this
means is that any data string could carry a virus, we do
not know whether or not it does because a computer interprets
everything to be data.

The only way to stop viruses is to deal with the ways they
effect the system, and stop them from happening.  That is why
most anti-viral programs lock up your system and don't allow
you to develop.

We have a few alternatives that we've been working on for a
while, and hopefully, they will slow down the spread of
viruses.

Any comments I make here concerning Fred are either from my
memory or from his text on Computer Security.  If I misquote
him in any way, I apologize, but I don't believe I have.

Loren Keim

--------------------

Date:         Mon, 25 Apr 88 23:50:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Roger Gonzalez <USERABFY@CLVM>
In-Reply-To:  Your message of Mon 25 Apr 88 19:15:07 EDT

Hello. I am a virus writer. I have never unleashed any of my nasties
into the public, and don't intend to either. I'm willing to share
some of my knowledge of my MS-DOS (Zenith, specifically) viruses,
although I'm sure that my methods are pretty common.

First: The motivation of this particular programmer
My viruses don't destroy, they annoy. I wrote the programs as a challenge
to myself, and to get back at a friend who played a practical joke on me.

My 3 viruses:
 1st: Spam
  Quite a simple program. It hooks into the disk read interrupt. When the
 code runs, it checks the length of command.com and copies itself onto the
 end. After generating 5 times, it prints "spam" at a random location on the
 screen. Programs like this are nastry, because when you do even a simple
 directory, the virus spreads.
 WHAT TO WATCH FOR IN THIS TYPE OF VIRUS: Abnormally long disk reads. If
 your instincts (you have to develop them) say that the light is on too
 long, watch out!

 2nd: Cookie Monster
  The idea was stolen from probably the very first virus. Same as Spam, with
 the following exceptions: It hooks into the FAT, it generates 10 times, and
 prints out "Gimme cookie" at random intervals. If you don't type OREO or
CHOCOLATE CHIP it changes the name of command.com to "munched" and prints
"never mind. found cookie". My first version deleted it, but this seemed
 cruel.

 3rd: Pac Man
  This little gem gets appended to MSDOS.SYS. It watches the vertical sync
interrupt, and makes a pac-man come out and eat a character off the screen.
The character reappears if you scroll the screen, but its highly irritating.

Some points: Many viruses attach themselves to system files (IO.SYS, MSDOS.SYS,
COMMAND.COM) Record the lengths of these files each time you upgrade. Its
difficult to detect viruses attached to a normal program, but these are less
dangerous because they don't appear until you run that specific program. Disk
read interrupts are probably the most common way to "activate" the code. These
are also rarely changed by programs. The disk read is ideal for viruses because
they can sneak a check to see if there already is a virus on the disk. Vertical
sync, the timer, and the keyboard interrupts are all good activation candidates
so it seems to me that a vaccine program could be made for each version of DOS
to check that the interrupts are pointing where they ought to. Of course, if
you use TSR's, this would foul it all up, so you would have to run it on a
"unchanged" system. Also, watch for bad sectors. If you think that they look
suspicious, get a clean disk. I recommend using a clean disk rather than trying
to simply innoculate the old. I feel fairly confident that I could hide a
virus in such a way that it either could not be found by a program, or would
fool the program into thinking that it was important. Oh, one last thing. This
is pretty simple, but watch for invisible files. They are easy to detect using
many methods.

I hope this stuff helps a little. Yeesh, I must be growing up or something :-)
                                       -rg-

PS anyone want to hire me?
