Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA13802; Fri, 1 Jun 90 11:27:30 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA20535; Fri, 1 Jun 90 11:27:26 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA00399; Fri, 1 Jun 90 11:26:56 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa23262; 1 Jun 90 16:04 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Fri, 01 Jun 90 16:05:48 BST 
Message-Id:   <$TGTWCZCFFBQK at UMPA>
Subject:      Virus-L vol 0 issue #0504



Virus-L Digest Wed, 4 May 88, Volume 0 : Issue #0504

Today's Topics

European viruses
ERIC and VULT identified
LaSalle talk
files are now available
PC security programs
Viral Code
COREWARS, the Scientific American game implemented on a macintosh
Brain Virus info

------------------------------

Date:         Wed, 4 May 88 09:57:00 URZ
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         BG0@DHDURZ2
Subject:      European viruses

Hi folks,
I have been working on computer viruses (and protection) for 2 years now,
so I hope that I can contribute some interesting facts on viruses
to this list. Although the description of known computer viruses
should not be the only topic of this list, I'd like to start with
a quick summary of the viruses I know that have not been mentioned here
before. We here in Europe have our own "virus" culture  :-)  so
it may be of interest for you to have a look across the Atlantic:

The first viruses I heard of two years ago were written to show
the THREAT of computer viruses. The first one, VIRDEM.COM, is
a non-replacing (not overwriting), non-memory-resident MS-DOS
virus. It infects all .COM files on drive A: only. The damage
is to ask the user for a number between 0 and n (n is the generation
of the virus) if he starts an infected program. If he is wrong,
the program terminates; if he is right, the program starts its
work. This program was distributed to all interested computer
users, especially computer and software manufacturers.

The second one was written by myself. It only infects the file
KEYBGR.COM (the device driver for a German keyboard in MS-DOS
version 2.11, loaded every time you boot your computer). After
15 min. it makes the internal speaker emit noise every time
a character is sent to the screen (therefore I called this virus
RUSH HOUR  :-) ). It was easy to detect and remove -
because it was for demonstration only.

These two viruses were written in summer 1986. Ralf Burger (the
author of the first virus, VIRDEM.COM) and I got in contact in Aug.
1986 and we decided that it was time to inform the public (and not
only professional computer users) of the *threatening* possibilities
of computer viruses. In collaboration with the Hamburg CHAOS
COMPUTER CLUB we organized a public forum on computer viruses
on Dec. 27, 1986. That was the first time the topic of computer
viruses was discussed at an open event here in Europe. We earned
a lot of consolation from the press and all the people there.

Four months later we had a meeting with all the folks again to
see how things were going. In the meantime the topic of
viruses had been discussed in nearly all German computer magazines.
One magazine published a computer virus and a protection program
for a 680x0 machine (Atari) called MILZBRAND. I don't know if it
is good to publish virus source code, but it was not my decision.
Ralf Burger started to write a virus protection program (that is
available now; further comments on it see below) which is not meant
to *find* virus programs but to hinder the propagation of
viruses on MS-DOS machines. I think he has done good work.
In spring 1987 I started to think about viruses on mainframes.
The result was a replacing virus for IBM/370 mainframes called
VP/370   (No, I won't send you a copy of this unless you can state
a *REAL* interest in it, e.g. you are an OWNER of such a machine!
I don't want to be the one who is responsible for damage I can't
figure out.) Since that time I have been working (nearly) exclusively on
virus protection methods.

But now let's return to the viruses I know.
The next virus was a virus written in a high-level language (TURBO
PASCAL 3.xx) called NUMBER ONE. It only infects compiled Pascal
programs because it needs the Pascal run time library. It is only
100 lines in size.
In winter 1987 I heard of a new virus in Vienna (Austria) and had
the opportunity to analyse it. I wrote a flow chart generator for
.COM files and was able to see how it works. Nothing special about it.

That's all I can say definitely, although a lot of rumors are out here.
But I don't want to talk about rumors.

Ralf edited a book about computer viruses ("Das grosse Computer-
Viren Buch", will be available in English in the near future). He
wrote a lot of demonstration viruses in different languages (MS-DOS
Batch Language, Basic). The International Standard Book Number is
ISBN 3-89011-200-5 for the first edition, but you had better ask for
the revised second edition.

My next point is on protection methods. I think it is unsatisfying
work to write programs that can *detect* ALL kinds of viruses. So
I think it is best to catch viruses (that means hindering
their propagation) by looking at their principles. All viruses have
to *change* program code (in a file or on the disk) if they want
to work the way they are designed. A straightforward method is to
detect changes in files. Take a good checksum algorithm that can't be
forged in a simple way. Run this program on all your files (and/or
the entire disk) every time you boot your machine. Make sure that the
checking program is on a write-protected disk (TAB!) and you can
detect all changes in .COM and .EXE files. If a program has changed,
try to find out why. This is the method Ralf uses for his software-
based protection program.
Another method is to keep ALL executable files enciphered on mass
storage devices, but make sure the ciphering algorithm is GOOD.
GOOD means that it should be an algorithm that allows a quick
decipher but a complicated encipher (trapdoor in the opposite
direction; come on mathematicians: find a good one!). Write a
new program loader that deciphers loaded programs before execution.
So the executable file only exists in RAM but never on storage
devices. A virus program has to write its *executable* code to
files on disk, but this code can't be executed because it is *destroyed*
by the program loader during deciphering. If the ciphering method
is good (see above) a virus can't encipher itself before writing
its own code to a file on disk. This method is just an idea of mine.
A test version for MS-DOS machines works quite well, but I think
my ciphering algorithm is not GOOD in the above sense. Of course
the performance of loading programs slows down, so this will be
satisfactory only on fast machines.
The last method I want to mention is a hardware protection. It is
based on optical disks (WORMs). Files on such a device can't be
"overwritten" in the common sense; you have to mark the old program
"erased" or "invalid" and have to store the new version somewhere
else on the disk. If you have a (ROM-)program that checks where
an executable file on the disk is located, you are able to detect
infections (or *other* changes in the software -> software revision!)
because the forged program is located at the wrong place. This method
is implemented in Ralf's last project and the results are encouraging.

That's all for today. I hope all of you find it interesting to hear
about the facts here in good ol' Germany. If you are interested in
more you can have a look in a book on computer viruses (ed. by Ralf,
with lots of programs and further information and a lot of articles
from virus programmers, software and security managers and so on.)

It's great to have a forum where the topic of computer viruses can be
discussed in such an open way. Keep up the good work.

All the best for you,
Bernd Fix.
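[Editor's note on the checksum method above. Fix's advice hinges on the checksum being one that "can't be forged in a simple way". The following is an added example, not code from Fix's post or from Burger's protection program: it takes a baseline over a set of files two ways, with a plain CRC-32 and with HMAC-SHA256 under a key that lives with the checker on the write-protected disk, then appends four chosen bytes to an "infected" copy so that its CRC-32 matches the clean file again. The CRC checker misses the change; the keyed hash reports it. The .COM stub and the appended tail are constructed samples, and the names forge_crc32, crc_baseline, hmac_baseline, crc_changed, hmac_changed and demo are my own.]

```python
import hashlib
import hmac
import zlib

# Constructed samples (not real malware): a tiny .COM stub that prints a
# string, and the same file with a "viral" tail appended, the way an
# appending file infector would leave it.
CLEAN_COM = bytes.fromhex("b409ba0801cd21c3") + b"Hello$"
VIRAL_TAIL = b"\xe9\x00\x00" + b"constructed sample tail, not a real virus"
INFECTED_COM = CLEAN_COM + VIRAL_TAIL

def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

_TABLE = _crc_table()
_REV = {_TABLE[i] >> 24: i for i in range(256)}   # high byte of each entry is unique

def forge_crc32(data, target):
    """Return 4 bytes p with zlib.crc32(data + p) == target.
    This is the 'forged in a simple way' case: a plain CRC is linear, so
    the register can be steered to any value with four free bytes."""
    want = target ^ 0xFFFFFFFF           # register value that yields `target`
    idx = [0] * 4
    r = want
    for i in range(3, -1, -1):           # backward: table index each step must use
        idx[i] = _REV[r >> 24]
        r = ((r ^ _TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    reg = zlib.crc32(data) ^ 0xFFFFFFFF  # forward: start from the real register state
    patch = bytearray()
    for i in range(4):
        b = (reg ^ idx[i]) & 0xFF
        patch.append(b)
        reg = _TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return bytes(patch)

def crc_baseline(files):
    """files: {name: bytes}. The weak baseline."""
    return {name: zlib.crc32(data) for name, data in files.items()}

def hmac_baseline(files, key):
    """Keyed SHA-256 baseline; the key stays with the checker on the
    write-protected disk, never on the machine being checked."""
    return {name: hmac.new(key, data, hashlib.sha256).digest()
            for name, data in files.items()}

def crc_changed(baseline, files):
    return sorted(n for n, d in files.items() if zlib.crc32(d) != baseline[n])

def hmac_changed(baseline, files, key):
    return sorted(n for n, d in files.items()
                  if not hmac.compare_digest(
                      hmac.new(key, d, hashlib.sha256).digest(), baseline[n]))

def demo(key=b"checker-disk-key"):
    """Baseline the clean file, infect it, pad it back to the old CRC,
    and report what each checker sees."""
    clean = {"HELLO.COM": CLEAN_COM}
    crc_base, mac_base = crc_baseline(clean), hmac_baseline(clean, key)
    padded = INFECTED_COM + forge_crc32(INFECTED_COM, crc_base["HELLO.COM"])
    after = {"HELLO.COM": padded}
    return {
        "crc_matches_clean": zlib.crc32(padded) == crc_base["HELLO.COM"],
        "crc_flags": crc_changed(crc_base, after),          # [] : infection missed
        "hmac_flags": hmac_changed(mac_base, after, key),   # ['HELLO.COM'] : caught
    }

if __name__ == "__main__":
    print(demo())
```

The forging step is the standard CRC-32 reversal: the register after the infected bytes is known, the register the clean file produced is the target, and four bytes are enough to walk one into the other. An unkeyed cryptographic hash with the baseline on write-protected media would also defeat this; the key only matters when the baseline file itself is on media the virus can reach.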

--------------------

Date:         Wed, 4 May 88 08:04:55 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     Resent-From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Comments:     Originally-From: WHMurray@DOCKMASTER.ARPA
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      ERIC and VULT identified


Here's a forwarded submission:

Ken



- ----------------------------------------------------------------------
= Kenneth R. van Wyk                   =                               =
= User Services Senior Consultant      = I can't believe you fell for  =
= Lehigh University Computing Center   = the oldest trick in the book  =
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =           Lone Star!          =
= BITNET:   <LUKEN@LEHIIBM1>           =                               =
- ----------------------------------------------------------------------
- --------------------------Original message----------------------------
"ERIC" and "VULT" Identified

ERIC and VULT, the specific targets of the SCORES Apple Macintosh virus,
were internal projects at EDS in Dallas according to EDS spokesman Bill
Wright.  These labels identify proprietary trade secret programs that were
once, but are no longer, used at EDS.

While SCORES was specifically designed to destroy these applications, it
would infect anything.

All the above was gleaned from "Macintosh Today," May 2, 1988 which also
contained a highly speculative article entitled "Viruses:  Nothing to
sneeze at." If you believe this article, computers have seen their day.  In
the future, viruses will make them unusable.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

--------------------

Date:         Wed, 4 May 88 08:46:38 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      LaSalle talk



A few people have asked me about obtaining any written information on
last week's virus talk at LaSalle College.  I'm afraid that I don't
have any written summaries; does anyone out there have anything more
than what's already been sent to the list?  If so, please forward it
to the list - it'd be much appreciated!  Thanks!

Ken

- ----------------------------------------------------------------------
= Kenneth R. van Wyk                   =                               =
= User Services Senior Consultant      = I can't believe you fell for  =
= Lehigh University Computing Center   = the oldest trick in the book  =
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =           Lone Star!          =
= BITNET:   <LUKEN@LEHIIBM1>           =                               =
- ----------------------------------------------------------------------

--------------------

Date:         Wed, 4 May 88 09:33:44 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      files are now available


Well, after saying that I'd make uuencode/uudecode and Flu_Shot+
available, I got a whole lot of requests for them, so I've placed
them here on the LISTSERV for public copying.  The filenames are:

UUENCODE PAS     (note the space, *NOT* a period!  This is CMS!)
UUDECODE PAS
FSP UUE
PKX35A35 UUE

FSP UUE is a uuencoded ARC file.  PKX35A35 UUE is the PKARC package.
PKXARC is required to unARC the files in FSP.ARC.  The uuencode
and uudecode files are in Turbo Pascal v 3.x.
Both of these files are *shareware* and you are encouraged to send
the authors the money that they request for the use of their programs -
see the license agreements of each package for more information.

Ok, now you probably want to try to get these files...  Well, it's
similar to signing onto or off of a LISTSERV group; you send a
message to LISTSERV@LEHIIBM1.  The message should say:

GET filename filetype listname

For example:

GET PKX35A35 UUE VIRUS-L

This would send you the PKARC package.

Once you've gotten all the files that you want, you would do the
following to uudecode and extract FSP:

compile uudecode into a .COM file.
UUDECODE PKX35A35
PKX35A35                (this step unarcs the self-extracting PKARC package.)
UUDECODE FSP
PKXARC FSP

And after all that, you *should* have a working copy of Flu_Shot+ and
PKARC.  If you already have PKARC, this can be a whole lot simpler...
I hope I haven't overly confused everyone.  :-)

By the way, you can always get a current list of all files available
on VIRUS-L by sending an INDEX VIRUS-L command to LISTSERV@LEHIIBM1.

Finally, please don't send any of these commands to the list itself!


Enjoy,


Ken

- ----------------------------------------------------------------------
= Kenneth R. van Wyk                   =                               =
= User Services Senior Consultant      = I can't believe you fell for  =
= Lehigh University Computing Center   = the oldest trick in the book  =
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =           Lone Star!          =
= BITNET:   <LUKEN@LEHIIBM1>           =                               =
- ----------------------------------------------------------------------
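[Editor's note on the retrieval steps above. For anyone who has to handle FSP UUE and PKX35A35 UUE without the Turbo Pascal UUDECODE, here is the line format those files use, as an added example that is not the UUENCODE PAS/UUDECODE PAS code Ken placed on the LISTSERV: a small uuencoder/decoder pair in Python that checks the begin/end framing and each line's length byte, and refuses a "begin" line whose filename would escape the current directory. The begin line is data the sender controls, so a decoder should not take that name on trust. Function names are my own.]

```python
import os

def _encode_line(chunk):
    """One uuencoded line: a length char, then 4 chars per 3 input bytes."""
    out = [chr(32 + len(chunk))]
    for i in range(0, len(chunk), 3):
        b = chunk[i:i + 3].ljust(3, b"\0")
        sextets = (b[0] >> 2,
                   ((b[0] & 0x03) << 4) | (b[1] >> 4),
                   ((b[1] & 0x0F) << 2) | (b[2] >> 6),
                   b[2] & 0x3F)
        # value 0 is written as '`' rather than ' ' so trailing blanks survive mailers
        out.extend("`" if s == 0 else chr(32 + s) for s in sextets)
    return "".join(out)

def uu_encode(data, name, mode="644"):
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):           # 45 input bytes per 61-char line
        lines.append(_encode_line(data[i:i + 45]))
    lines.append("`")                            # zero-length line terminates the data
    lines.append("end")
    return "\n".join(lines) + "\n"

def _decode_line(line):
    n = (ord(line[0]) - 32) & 0x3F               # the line's own byte count
    body = line[1:]
    out = bytearray()
    for i in range(0, len(body), 4):
        g = body[i:i + 4].ljust(4, "`")
        v = [(ord(c) - 32) & 0x3F for c in g]    # ' ' and '`' both decode to 0
        out.append(((v[0] << 2) | (v[1] >> 4)) & 0xFF)
        out.append(((v[1] << 4) | (v[2] >> 2)) & 0xFF)
        out.append(((v[2] << 6) | v[3]) & 0xFF)
    if len(out) < n:
        raise ValueError("uuencoded line is shorter than its length byte claims")
    return bytes(out[:n])

def uu_decode(text):
    """Return (data, filename). Raises on missing framing or an unsafe name."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("begin "):
            _, _mode, name = line.split(" ", 2)
            break
    else:
        raise ValueError("no 'begin' line")
    # The name comes from the sender; never let it choose a directory for you.
    if name in ("", ".", "..") or name != os.path.basename(name):
        raise ValueError(f"refusing unsafe filename in begin line: {name!r}")
    data = bytearray()
    for line in lines:
        if line == "end":
            return bytes(data), name
        if line and line[0] not in " `":         # skip blank / zero-length lines
            data += _decode_line(line)
    raise ValueError("no 'end' line: the file is truncated")
```

The per-line length byte is what makes a truncated or mangled transfer detectable before you try to unARC the result; a decoder that silently pads short lines hands PKXARC a corrupt archive and the failure shows up one step later, where it is harder to diagnose.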

--------------------

Date:         Wed, 4 May 88 10:46:53 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      PC security programs


Here's another forwarded submission to the list:



From: <GREEN@wharton.upenn.EDU>  "Scott D. Green, Classroom Services"
Return-path: GREEN@wharton.upenn.EDU
Date: Wed, 4 May 88 10:10 EST
From: "Scott D. Green, Classroom Services" <GREEN@wharton.upenn.EDU>

Does anyone have any experience with hard disk security software?  Two
that we have for evaluation are "DiskManager PC" and "PC/DACS."  Both claim
to be able to prevent a drive or just directories and files from being
tampered with.  Our goal is to try to minimize software maintenance on
public lab machines by limiting students' write privileges to the hard
drive, protecting batch files, etc.  Both packages claim to supersede
DOS attrib commands and foil Norton Utilities.  They also provide "boot
lock":  if you boot from a floppy, the hard drive does not exist for you.
Though they don't specifically mention virus protection, it seems a
reasonable side effect.


   [I've been evaluating PC/DACS, and it looks pretty nice, although
    it's not specifically targeted as being an anti-virus program.
    It gives a PC security much like that on, for example, a VAX, whereby
    you can have separate users - each with different access to different
    drives/directories/files/resources.  It includes boot protection and
    full disk encryption.  If you don't install all the boot protection
    and encryption features, it's *VERY* easy to get around.

    This is not an endorsement of this product - merely a statement of
    its features.                          - Ken  ]

- ----------------------------------------------------------------------
= Kenneth R. van Wyk                   =                               =
= User Services Senior Consultant      = I can't believe you fell for  =
= Lehigh University Computing Center   = the oldest trick in the book  =
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =           Lone Star!          =
= BITNET:   <LUKEN@LEHIIBM1>           =                               =
- ----------------------------------------------------------------------

--------------------

Date:         Wed, 4 May 88 10:10:00 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         GREENY <MISS026@ECNCDC>
Subject:      Viral Code

Hi all....

I have recently been given the task of making sure that all of the software
and/or data that we have in my department is clean and free of viruses.  Due
to the fact that I feel that I can't really trust anyone's outside applications
anymore without source code (that I'm able to comprehend as well..), I have
decided to write my own stuff.  But what I need is the means to test it out.
Copies of the SCORES and/or IDIOT viruses for the Macintosh would be very
helpful as we have a number of Macs here; viruses for the IBM PC would also
be helpful as there are even more IBMs in the dept (much to my chagrin! :-> )

At any rate, I am willing to get copies of the virus(es) via EMAIL, US
Mail, tape, or whatever, and once written I will post copies of my disinfection
programs to the net -- along with the source code.

Any help would be greatly appreciated.

bye for now but not for long...
David S. "Greeny" Greenberg
Departmental Technician
Department of Learning Resources
Western Illinois University

Bitnet: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
Disclaimer: My department takes no responsibility for what I say....it's
            all supposed to be my opinions....

--------------------

Date:         Wed, 4 May 88 12:12:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Dr. Woody" <WWEAVER@DREW>
Subject:      COREWARS, the Scientific American game implemented on a macintosh

Greetings everyone,

  There was some inquiry into the Scientific American game "CoreWars".  I've
a version for the Macintosh.  The help manual gives a pretty good feel for
what the game is about.  The program is shareware, and the manual includes
the author's name and address - I don't know if it is still current, but
the author says he will send you the source code (in C) for $15.  The file
is a trifle long, so I will send it to the list moderator - he can then
put it on the list or in the archives (or throw it away :-) ) as he sees fit.

                                                woody
                                                WWEAVER@DREW

* This is not an endorsement of the product - I've never played it, except to
verify that it ran (on a 512K Mac with an old system).  But if we ever
succeed in getting viruses off of disk storage and force them to live in RAM,
COREWARS is an interesting metaphor. *

--------------------

Date:         Wed, 4 May 88 18:10:15 PDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joseph Sieczkowski <joes@scarecrow.csee.lehigh.edu>
Subject:      Brain Virus info


I have some specific information on the Brain virus.  I thought that
I'd share it with you by forwarding it to the list.  Also, I'm sending
the source code to programs called "nobrain.c" and "checkmem.c" to the
owner of the list so he can make them publicly available.  Nobrain
supposedly finds and kills the Brain virus if present (memory and floppy).
And checkmem is just a utility to see if it's resident.

Hope this is helpful,


- ----------------------------------------------------------------------------
          Comments on the "(c) Brain" Virus

The virus is benign.  All it does is propagate itself.  The only way
it can spread is by booting an infected diskette.  Once booted, the
virus installs itself in memory and will proceed to infect any DSDD
floppies it can "find".

Diskettes

When infecting a diskette, the virus replaces the boot record (trk 0,
side 0, sect 1) with its own boot record.   This is the code that
actually installs the virus into memory.  It then locates 3 "free"
clusters from the FAT, loads the actual virus code into those clusters
along with a copy of the "real" boot record, and then marks those 3
clusters as "bad".   Finally, it installs a diskette volume label
of "(c) Brain" on the infected diskette.   However, the volume label
format isn't 100% correct so utilities such as Norton's will show it
as a "bogus" directory entry format but DOS will display it.
In the 3 clusters (6 sectors), the "good" boot record is in the first
sector and the virus itself is in sectors 2-6 of the 3 clusters.
(Actually, the virus doesn't appear to need all that space).

Operation

   - looks to see if infected (1234H will be in 0004 & 0005 of record)
   - it will load itself into the last 7K of RAM and then set the
     DOS available RAM value down by 7...  e.g. 640 will become 633,
     so that the virus in memory will be "safe".
   - changes the disk read/write vector (13 Hex) to point to his virus
   - stores the original 13H vector at a new vector (6D hex) which he
     invokes when a "real" read or write is needed.
   - the original boot record is moved to the 1st sector of the 3 bad
     clusters he has marked  (so he can still boot the PC after he has
     done his "dirty work")
   - his boot code is installed in the original boot record location
     (Trk Hd Sct = 0 0 1).
   - 3 free clusters found, virus and boot rec placed here, and marked
     as bad.
   - while checking FAT, he checks the ID byte to ensure that this is a
     DSDD diskette...  won't infect any other kind (which also precludes
     hard drives)
   - His "(c) Brain" label is written but he allows for the 2 hidden bios
     (he doesn't check if they are present).  The result is, if a completely
     empty diskette is infected, the label doesn't show up until at least
     2 files are on the diskette.

   At this point the diskette is completely infected.  His infection of
   new diskettes is sort of random or "haphazard".

   - If a disk write occurs, he allows it to proceed as usual.
   - After 32 disk reads, he will infect a diskette and then every 4
     reads thereafter...  UNLESS it is a read of trk 0 side 0 (i.e.
     directory area, FAT, etc.).  Then he immediately checks if infection
     is needed and does so if not already infected.  He resets the
     4-counter at this point.   This results in the virus spreading
     rather quickly while somewhat reducing the noticeable degradation
     from the virus' overhead...  (tho' it can be seen if you are looking
     for it)


That's about it.  If you are reading this, I hope it was of some use.

Carl Fussell
- ----------------------------------------------------------------------------
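[Editor's note. Fussell's notes give enough of the on-disk layout to check a diskette image for Brain without booting anything from it. The following is an added example, not the nobrain.c or checkmem.c code mentioned above: it parses the FAT12 boot record, counts clusters marked bad, scans every root directory slot for the "(c) Brain" label (without stopping at the first empty slot, since the label sits in the third slot and DOS will not list it on an empty diskette), and checks for the 1234H marker at offset 4 of the boot record. The image builder constructs a clean and an infected 360K image for the scanner to run on. The little-endian byte order of the marker word, the 0xFD media byte for a 360K DSDD diskette, and all function names are my assumptions.]

```python
import struct

SECTOR = 512
MEDIA_DSDD_360K = 0xFD        # FAT media descriptor of a 360K DSDD diskette (assumed)
FAT12_BAD = 0xFF7             # "bad cluster" mark in a 12-bit FAT
BRAIN_MARKER = b"\x34\x12"    # word 1234H at boot-record offsets 4-5, little-endian (assumed)
BRAIN_LABEL = b"(c) Brain  "  # 11-byte directory name field, space padded
ATTR_VOLUME_LABEL = 0x08

def fat12_get(fat, n):
    off = n + n // 2
    if n & 1:
        return ((fat[off + 1] << 4) | (fat[off] >> 4)) & 0xFFF
    return (((fat[off + 1] & 0x0F) << 8) | fat[off]) & 0xFFF

def fat12_set(fat, n, value):
    off = n + n // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value << 4) & 0xF0)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)

def geometry(boot):
    """Pull the BIOS parameter block fields the scanner needs."""
    (bps, spc, reserved, nfats, root_entries,
     total, media, spf) = struct.unpack_from("<HBHBHHBH", boot, 11)
    root_start = (reserved + nfats * spf) * bps
    data_start = root_start + root_entries * 32
    clusters = (total * bps - data_start) // (spc * bps)
    return dict(bps=bps, reserved=reserved, spf=spf, media=media,
                root_start=root_start, root_entries=root_entries, clusters=clusters)

def scan_brain(img):
    """Collect the on-disk indicators Fussell lists, from a raw diskette image."""
    boot = img[:SECTOR]
    g = geometry(boot)
    fat = img[g["reserved"] * g["bps"]:(g["reserved"] + g["spf"]) * g["bps"]]
    bad = [n for n in range(2, g["clusters"] + 2) if fat12_get(fat, n) == FAT12_BAD]
    labels = []
    for i in range(g["root_entries"]):   # every slot: DOS stops at 0x00, a scanner must not
        e = img[g["root_start"] + 32 * i:g["root_start"] + 32 * (i + 1)]
        if e[11] == ATTR_VOLUME_LABEL and e[0] not in (0x00, 0xE5):
            labels.append(bytes(e[:11]))
    return {
        "media_dsdd": g["media"] == MEDIA_DSDD_360K,
        "marker": boot[4:6] == BRAIN_MARKER,
        "bad_clusters": len(bad),
        "brain_label": BRAIN_LABEL in labels,
    }

def is_brain_infected(img):
    r = scan_brain(img)
    return r["marker"] and r["brain_label"] and r["bad_clusters"] >= 3

def make_floppy(infected):
    """Constructed 360K FAT12 image; with infected=True it carries the traces
    Brain leaves: marker, three bad clusters, label in the third root slot."""
    total = 720
    img = bytearray(total * SECTOR)
    img[0:3] = b"\xEB\x3C\x90"
    img[3:11] = b"SAMPLE  "
    struct.pack_into("<HBHBHHBH", img, 11, SECTOR, 2, 1, 2, 112, total, MEDIA_DSDD_360K, 2)
    img[510:512] = b"\x55\xAA"
    g = geometry(bytes(img[:SECTOR]))
    fat_len = g["spf"] * SECTOR
    for copy in range(2):
        start = (g["reserved"] + copy * g["spf"]) * SECTOR
        fat = bytearray(img[start:start + fat_len])
        fat[0:3] = bytes([MEDIA_DSDD_360K, 0xFF, 0xFF])
        if infected:
            for n in (2, 3, 4):
                fat12_set(fat, n, FAT12_BAD)
        img[start:start + fat_len] = fat
    if infected:
        img[4:6] = BRAIN_MARKER
        slot = g["root_start"] + 32 * 2          # after the two assumed hidden system files
        img[slot:slot + 11] = BRAIN_LABEL
        img[slot + 11] = ATTR_VOLUME_LABEL
    return bytes(img)
```

This is a check of the diskette image only. The memory-resident half (the 7K taken off the top of conventional memory and the INT 13h hook with the original vector parked at INT 6Dh) has to be checked on the running machine, which is what checkmem is for; a scanner that reads the diskette through a hooked INT 13h on an infected PC may be lied to about what is on track 0.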
