Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA19353; Wed, 6 Jun 90 10:00:45 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA02536; Wed, 6 Jun 90 10:00:42 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA13310; Wed, 6 Jun 90 10:00:10 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa16311; 6 Jun 90 14:19 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 05 Jun 90 14:04:24 BST 
Message-Id:   <$TGVGDBVHCNXR at UMPA>
Subject:      Virus-L vol 0 issue #0613

Virus-L Digest Mon, 13 Jun 88, Volume 0 : Issue #0613

Today's Topics

Re: Zapping Prams
shorting batteries
Shorting batteries... I *KNOW* it's dangerous...
alternative to shorting batteries
Article on virus protection

------------------------------

Date:         Mon, 13 Jun 88 01:38:16 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Amanda B Rosen <abr1@cunixc.cc.columbia.edu>
Subject:      Re: Zapping Prams

Recently, in response to my previous message,
riacs!ames!hc!csed-1!csed-47!roskos@rutgers.edu (name unknown) wrote:
>> The long and the short of it is that a truly nasty virus _might_ be able to
>> render your Mac II logic board useless (until you short your battery).
>> In any event, DON'T short your battery unless you <e.d.> WELL know EXACTLY
>> what you are doing!
>
>Don't short your battery anyway.
>
>I have forgotten the procedure, but I remember that there is a way
>(by holding down a combination of keys, or the mouse and some keys,
>but I don't recall) that will cause the parameter RAM to be reinitialized
>during system startup (the ROM checks for this combination and resets
>the RAM before it looks to see what is in the RAM, so prior contents
>don't affect it).  This was added specifically for the models of Macintosh
>that had nonremovable batteries, and was put in before the ones with
>the nonremovable batteries even came out.
>
>I remember this from when I was working for one of the Mac applications
>software developers over a year ago; it was in the pre-release technical
>documentation.  But since I don't program Macintoshes any more I don't
>remember the procedure; does anybody else know what it is?

I believe that you are referring to the standard PRAM-zapping procedure for
both the SE and II: Hold down the command, option, and shift keys while
selecting the control panel from the apple menu. In any event, there is no
other user procedure to do this that is documented *anywhere* (of course you
can write your own code to do it...)

At any rate, this does not cover the circumstances I was describing. That
situation was extremely unusual. I did not say that the Hard Disk wouldn't
boot. I said that the WHOLE MAC II wouldn't boot- even from floppies. Thus
there was no way to zap the PRAMS.

I also didn't say that I believe this story. I simply find it likely since
it comes from what I believe to be a reliable source. On the other hand, I
don't understand how the PRAM settings can affect a floppy boot-up, so for
now, it's a confirmed maybe...

>                                              I guess it
>is remotely possible that they removed it from the startup code, but I
>kind of doubt it; Apple engineers aren't that forgetful, that they would
>not provide a way to reinitialize the PRAM.  For one thing, they have
>to initialize it when they first assemble the machines...

Not so. The ROM checksums the PRAMS, and if it sees that they don't have
some correct value, it resets them to some known state. Zapping the PRAMs
simply writes garbage (zeros?) to them so that the next time you boot, they
get reset.

/a

--------------------

Date:         Mon, 13 Jun 88 02:25:15 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         me! Jefferson Ogata <OGATA@UMDD>
Subject:      shorting batteries

Short your battery?  That's dangerous advice...many batteries explode
when shorted, some of them violently.  In addition, it is likely you
will give your PRAMs a mild shock from static electricity, and possibly
damage them majorly.

You might try removing the battery and shorting the terminals on the
battery socket or whatever.  This also may zap your PRAMs.

Safest would be to take the battery out and wait a minute or so for
the PRAMs to forget stuff.  It may take longer than this, depending
on the capacitance of the power supply; there might be bypass caps
sitting on it, and the PRAMs are probably LP devices.

The point is: don't short batteries, if you value your computer.

- Jeff Ogata

--------------------

Date:         Mon, 13 Jun 88 05:04:09 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Amanda B Rosen <abr1@cunixc.cc.columbia.edu>
Subject:      Shorting batteries... I *KNOW* it's dangerous...

Please read the entire message.
1) Mac II's don't have battery sockets. They are soldered in.
2) I know that this is dangerous. The alternative was to trash a Mac II's
   motherboard.

The point is: don't short batteries, unless your computer is already dead...
/a

--------------------

Date:         Mon, 13 Jun 88 15:11:17 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         me! Jefferson Ogata <OGATA@UMDD>
Subject:      alternative to shorting batteries

The proper alternative to shorting a soldered battery is to desolder
it and wait.

- Jeff Ogata

--------------------

Date:         Mon, 13 Jun 88 16:01:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Ted Shapin <BEC.SHAPIN%ECLA@ECLA.USC.EDU>
Subject:      Article on virus protection

[The company that wrote this article has a BBS and also sells "C-4",
a TSR program for IBM-PC's. I think FLU_SHOT+ is better and it has
the advantage of being shareware and is available from Ross
Greenberg's BBS (212) 889-6438 and Compuserve.]
- - - -


                     ANTI-VIRUS MEASURES

                        Copyright
       InterPath Corporation  1988  All rights reserved

                       408 988 3832
         4423 Cheeney Street, Santa Clara CA  95054



PURPOSE:

    This document outlines the various types of commonly found
viruses and suggests measures that can be taken to minimize the
risks of infection and procedures that may be used to recover
from infected systems.

TYPES OF VIRUSES:

    There are currently three classes of viruses: Boot
infectors, system infectors and general executable program
infectors.  Their characteristics are:

Boot Infectors:

    Boot infectors attach themselves to sector 0 of floppy disks
and, occasionally, hard disks.  They gain control when the system
is initially booted and remain in control at all times.  Many
have the capability to trap warm boot requests (<CTRL> <ALT>
<DEL>) and remain in control even if booted from a non-infected
floppy, with the result that the clean floppy becomes instantly
infected.
    Boot infectors typically create bad disk sectors to which the
original boot sector is copied, along with the remainder of the
virus code.  Boot infectors may be from 2 to 7 sectors in length.
    Boot infectors can be benign or malignant.  The Pakistani
Brain virus, for instance, is a benign boot infector virus in its
original form.  It has been hacked however into a very malignant
form which can infect hard disks and which destroys FAT entries,
deletes files, and performs other malicious activities.

System Infectors:

    A number of viruses attach themselves to command.com and
other system files that remain memory resident.  They gain
control after system boot and infect hard disks or other bootable
floppies that contain the appropriate system files.
    System infectors may activate after a given period of time or
they may instantly begin subtle modifications in system
processing - including increasing the time to perform system
functions, subtle scrambling of data or modification of system
error messages or informational messages.  The Jerusalem
(Israeli) virus is an example of such a virus.  (The Israeli
virus is also able to act as a general .com and .exe infector as
well as being a system infector).
    Activation may take place after a specified period of time
has elapsed or after a specific number of invocations.
Activation may include scrambling the FAT, erasure of specific
files, low level disk format or modification of non-executable
files containing numeric or other ASCII data.

General .COM and .EXE Infectors:

    This class of virus is the most dangerous from an infection
standpoint since these viruses can spread to almost any program
in any system.  They infect in two generic ways:

1.  By gaining control each time the infected program is executed
and copying itself to other .com or .exe files on the fixed or
floppy disk prior to passing control to the host program.  This
is the most common infection technique.

2.  By remaining memory resident and infecting each program that
is loaded for execution.  This technique is used by the Jerusalem
virus but is less common than the above method.

    Some of these viruses attach themselves externally to .com or
.exe files and thus change the file size.  They may or may not
modify the creation date and time.  Others insert themselves
internally in the executable host program's dead space and are
thus "invisible" to anything other than a binary compare routine.
Some viruses continue to infect the same program multiple times
until the program becomes too large to fit into memory.  Most,
however, check to see if the host has already been infected and
pass over previously infected files.



PREVENTION TECHNIQUES:

    Prevention can be divided into two areas: 1) safe user
practices and 2) anti-viral tools.
    90% of all virus infections can be easily prevented by
following safe usage guidelines.  Most of the other 10% of
infections can be avoided by the use of anti-viral software or
hardware tools.

Safe user practices:

1. !!   NEVER BOOT FROM ANY FLOPPY OTHER THAN    !!
   !!   THE ORIGINAL WRITE PROTECTED DISKETTE    !!
   !!   FROM THE ORIGINAL DISTRIBUTION PACKAGE   !!

    The above recommendation is extremely important.  Most of the
boot sector infector viruses can ONLY infect your system if you
boot from an infected floppy diskette.  Booting from borrowed,
unknown or multiple diskettes greatly increases the opportunity
for infection.

2.  One and only one boot diskette should be assigned to each and
every floppy based PC (systems without a fixed disk), and that
diskette should be CLEARLY labeled as the boot diskette for that
system.

3.  If you have a system with a fixed disk - NEVER boot from a
floppy drive.  The only exceptions to this involve recovering
from a viral infection as described in the section below.

4.  Treat public domain and shareware software with caution.
Viruses are difficult to detect and usually do not modify the
operation of the infected program in any way prior to activation.

Thus a friend or acquaintance might in all good faith recommend a
program that is infected without their knowledge of its
infection.  If possible, limit use of such programs to systems
without fixed disks. If you do use them on fixed disks, allocate
separate subdirectories for the public domain programs.  This
will limit exposure since some viruses limit their replication
activities to the current subdirectory.  You should not place
public domain or shareware software in the root directory.

5.  Create meaningful volume labels on all fixed and floppy disks
at format time.  Develop a habit of checking volume labels each
time a DIR command is executed.  Keep a look out for changes in
the volume labels.

6.  Watch for changes in the pattern of your system's activities.

Do program loads take longer than normal?  Do disk accesses seem
excessive for simple tasks?  Do unusual error messages occur with
regularity?  Do access lights on any of the system devices turn
on when there should be no activity on that device?  Do you have
less system memory available than usual?  Do programs or files
disappear mysteriously?  Do you suddenly notice a reduction in
available disk space?  Any of these signs can be indicative of
viral infections.

7.  If you are in a corporate or multi-system environment,
minimize the exchange of executable code between systems wherever
feasible.  When using resources on someone else's PC (a laser
printer, for example), transfer the necessary data on a diskette
that contains no executable code.  Also, do not use diskettes
that are bootable or that contain system files.

8.  If operating in a network environment, do not place public
domain or shareware programs in a common file server directory
that could be accessible to any other PC on the network.

9.  If operating in a network environment, allow no-one other
than the system administrator to use the file server node.

10.  If using 3270 emulators connected to mainframe systems, keep
all 3270 emulation software together in a separate subdirectory
and do not include ANY executable code in the subdirectory that
is not part of the emulator suite.  If possible, limit such
terminals to 3270 emulation only, and remove all other software
from the disk.  3270 emulators are the major gateways through
which viruses jump from PCs to mainframes.


Anti Viral Tools:

Hardware:

    Write protect tabs go a long way toward limiting viral
spread.  All boot floppies should be write protected as a matter
of course.  For certain high security environments, you can even
purchase write protect systems for hard disks.  Some flexibility
may be lost, but the protection factor is high.
    In addition to write protection, you should consider removing
floppies from drive slots and storing them in filing cases when
they are not being actively referenced.  We have yet to hear of a
virus jumping direct from system memory to a diskette that was
not inserted.


Software:

    Software protection falls into two general categories:
programs that help prevent the virus from initially infecting
your system, and programs that help identify that your system has
been infected after the infection has occurred.  Both types of
protection have their pros and cons.


Programs that help prevent initial infection:

    These programs are TSR (terminate and stay resident) programs
that monitor system activity and watch for characteristic viral
replication activities.  They check all disk I/O and cause a
warning to be displayed when unauthorized activities are
attempted.  Such activities are:  writes to executable programs,
system device drivers, the boot sector, etc.  They typically
redirect the operating system's interrupt vectors and thus
intercept requests from all other programs.
    This type of protection has the advantage of stopping viruses
before they enter the system, thus avoiding the difficult and
time consuming tasks associated with removing viruses.  The
disadvantage, however, is that viruses can be written to avoid
detection using this system.  Also, no software technique can
prevent initial infection from a boot sector virus.  (Another
reason to follow the above procedures to avoid boot sector
infections).

     Programs that are available that help prevent initial
infection are:

Antidote,  from Quaid Software
416 961 8243

C-4,  from InterPath
408 988 3832

Dr. Panda Utilities,  from Panda Systems
302 764 4722

Flu-Shot,  from Ross Greenberg
212 889 6431

Viru-Safe,  from ComNetco
201 953 0322


Programs that Identify infections after the fact:

     First, as a note of explanation, these programs only work
if the system they are running on HAS NOT BEEN INFECTED prior to
installation.  They cannot tell you whether your system has
already been infected.  They all assume that the system is clean.
They work by looking at key information on the system disks (file
sizes, dates, checksums, etc.) and periodically re-checking this
information to see if it has changed.
    The advantage of this approach is that it is much more
difficult for viruses to avoid detection.  The disadvantage is
that the system must become infected in order to detect the
virus.  Thus the user runs the risk that the virus may activate
before it can be detected.  Activation usually implies loss of
data or entire disks.  If activation does not occur prior to
detection, the user still faces the task of removing the virus,
which, as can be seen in the following section, is a tricky task.
     The following are programs which provide this type of
protection:

Dr. Panda Utilities,  from Panda Systems
302 764 4722

Retro-V,  from InterPath
408 988 3832

Vaccinate,  from Sophco
800 922 3001



RECOVERY FROM INFECTION

    It is much more difficult to recover from an infection than
it is to initially prevent the infection.  Nevertheless, if
strict procedures are followed, recovery can be achieved with
minimum loss of data.
    The main problem in recovering from a virus is not the loss
of data (which may indeed be considerable), but the near
certainty of re-infection if the proper procedures are not
followed.  Nine out of ten installations that get infected
experience a relapse within a week of "cleaning out" the virus.
Some organizations have "eradicated" a virus as many as a dozen
times, only to have it re-occur shortly after each eradication.
    The causes of these re-appearances can be traced to two
things:

    1).  Many viruses do not go away after a warm boot.  The
         Pakistani Brain virus is a good example of such a
         virus.  In many organizations, the PC is seldom
         turned off and the prevailing assumption is that a
         <CTRL> <ALT> <DEL> will clean out system memory - an
         incorrect assumption.

    2).  Viruses initially infect fixed disk systems by way of
         a floppy diskette.  After infection, every floppy that
         has been placed in the system is also likely to be
         infected.  In large organizations, this can amount to
         thousands of infected diskettes that can re-infect
         systems if not de-activated.

    Understanding the above issues goes a long way toward a
successful recovery from a virus infection.


Recovery:

    When an infection is detected the following procedures should
be followed:

1.  Determine the extent of infection.  If the virus has not
attacked any fixed disks, go to step 12.  If the virus has
infected the boot sector only, go to addendum.

2.  Power down the infected system.

3.  Retrieve the original DOS diskette from the distribution
package.  Write protect it.  Place it in the floppy boot drive
and power up the system.

4.  Ensure that the system has booted properly.

5.  Backup all non-executable files from all directories onto
newly formatted floppy diskettes or to a tape backup unit.  If
backing up to another fixed disk, ensure that the disk has not
been infected.  (If there are any doubts, assume that it is
infected.)  DO NOT USE THE BACKUP UTILITY ON THE FIXED DISK.  Use
a utility from the original package.

       NOTE -  At no point in these procedures should you execute
               ANY program from the infected fixed disk!

6.  List all batch files on the infected disk.  If any line
within any of the batch files seems unusual or unfamiliar do not
back-up.  Otherwise, include the batch files with the back-up.

7.  Perform a low level format of the infected disk.  Recover the
initial disk configuration using FDISK and FORMAT.

8.  Execute the SYS command for the fixed disk.

9.  Re-structure your directories.

10. Replace all executable programs from the original
distribution packages.

11.  Restore the files that had been backed up.

12.  Locate all floppy diskettes that may have been inserted in
the infected system within the past two years.  (We know it
sounds EXTREME, but if this and the subsequent steps are not followed,
you can be guaranteed to be re-infected within a short period of
time).

13.  At your discretion either:
     A).  Destroy them all  -or-
     B).  Continue with the following steps

14.  Backup all non executable files onto newly formatted floppy
diskettes.

15.  Format the suspect diskettes.


Addendum:

    If the virus is a boot sector infector, the recovery process
is somewhat simplified.  Since boot infectors do not infect
executable programs, they can be removed by doing a SYS command
on the affected drive.  The procedures are:

1).  Power down the affected system.

2).  Boot from the original DOS write protected distribution
diskette.

3).  Perform the SYS command on all affected devices.

    The above procedures will leave the virus intact on the
additional bad sectors originally allocated by the virus, but
these viral segments will be de-activated.

This document is available on InterPath/National BBS bulletin
board - 408 988 4004.
- -----

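An added example, not code from the article or from any of the products it lists, of the "after the fact" check the article describes: a baseline of size, date and checksum per executable, re-checked later. The scenario is constructed to show why the checksum matters, since the internal insertion into a host's "dead space" described earlier changes neither size nor date; SHA-256 stands in for the article's unspecified checksum, and the file names and timestamps are invented.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root, suffixes=(".com", ".exe")):
    """Record (size, mtime in whole seconds, SHA-256) for every executable under root.
    This is the baseline; as the article notes, it is only meaningful on a clean system."""
    records = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            records[str(path.relative_to(root))] = (st.st_size, int(st.st_mtime), digest)
    return records


def compare(baseline, current):
    """Return {name: reason} for each file that changed, appeared or vanished."""
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings[name] = "missing"
        elif name not in baseline:
            findings[name] = "new executable"
        else:
            (s0, t0, h0), (s1, t1, h1) = baseline[name], current[name]
            reasons = [label for label, changed in
                       (("size", s0 != s1), ("date", t0 != t1), ("checksum", h0 != h1))
                       if changed]
            if reasons:
                findings[name] = "+".join(reasons)
    return findings


def demo():
    """Constructed scenario: baseline three executables, then alter two of them."""
    with tempfile.TemporaryDirectory() as root:
        t0 = 600_000_000  # constructed 'install' date, set explicitly for determinism
        files = {"A.COM": b"\xe9\x10\x00" + b"\x90" * 64,
                 "B.EXE": b"MZ" + b"\x00" * 30 + b"\x90" * 64 + b"\x00" * 32,
                 "C.COM": b"\xc3" * 16,
                 "README.TXT": b"not executable, so not tracked"}
        for name, body in files.items():
            p = Path(root, name)
            p.write_bytes(body)
            os.utime(p, (t0, t0))
        baseline = snapshot(root)

        # Case 1: external attachment. Code appended to the host, so size and date change.
        a = Path(root, "A.COM")
        a.write_bytes(files["A.COM"] + b"X" * 16)
        os.utime(a, (t0 + 600, t0 + 600))

        # Case 2: internal insertion into the zero padding ("dead space") with the
        # date put back. Size and date match the baseline; only the checksum differs.
        b = Path(root, "B.EXE")
        body = bytearray(files["B.EXE"])
        body[-32:] = b"X" * 32
        b.write_bytes(bytes(body))
        os.utime(b, (t0, t0))

        return compare(baseline, snapshot(root))
```

A size-and-date-only checker would report A.COM but miss B.EXE entirely, which is the gap the checksum closes.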
--------------------

*** end of Virus-L issue ***
