Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA19364; Wed, 6 Jun 90 10:07:58 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA02715; Wed, 6 Jun 90 10:07:54 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA13546; Wed, 6 Jun 90 10:06:52 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa16842; 6 Jun 90 14:26 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 05 Jun 90 14:05:04 BST 
Message-Id:   <$TGVGDBVHCNXV at UMPA>
Subject:      Virus-L vol 0 issue #0615



Virus-L Digest Wed, 15 Jun 88, Volume 0 : Issue #0615

Today's Topics

Another way to delay propagation (ATs and PS/2s)
virii on large(r) machines
NYPC meeting summary
Re: virii on large(r) machines
Re: virii on large(r) machines
mainframe virii
a few points
The Intruder Versus the Hacker
hidden files on VM/CMS
CMS netdata files
forwarded report on VACCINE from J.D. Abolins
Mac Vaccine
RE: NYPC meeting summary
Re: virii on large(r) machines
Re: NYPC meeting summary
WordPerfect virus (?) and Brain
Re: hidden files on VM/CMS
Re: virii on large(r) machines

------------------------------

Date:         Wed, 15 Jun 88 03:33:59 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Amanda B Rosen <abr1@cunixc.cc.columbia.edu>
Subject:      Another way to delay propagation (ATs and PS/2s)

In a previous message I pointed out that Macintosh PRAMs could be used to hold
a counter to implement a delay mechanism for a virus.

This technique could also be used on ATs and PS/2's (and clones thereof) since
they also have configuration RAM, or whatever IBM calls it this week. This
method would not rely on the ability to write to disks.

(One more nasty thought from the source of the great Mac battery wars... :-)
/a

--------------------

Date:         Wed, 15 Jun 88 15:02:03 BST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         O'Brien <cs_iob@UX63.BATH.AC.UK>
Subject:      virii on large(r) machines

So far this distribution list seems to have
concentrated on micros - are there any instances
of virus attacks on mainframes/minis/supermicros
(ie multi-user machines bigger than PC-AT's)

It strikes me that since so many of these machines
(especially in the academic community) are networked
there is definitely a distribution medium for
virii. The only incidents I've heard of have all
required huming beans to help "propogate" (?)
the virus from one machine to another (XMAS EXEC?)

Ian
--
JANET:  cs_iob@uk.ac.bath.ux63       Ian O'Brien, Systems Programmer,
OTHER:  cs_iob@ux63.bath.ac.uk       Bath University Computing Services
USENET: ..!mcvax!ukc!bath63!cs_iob

--------------------

Date:         Wed, 15 Jun 88 10:05:24 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      NYPC meeting summary


Last night (June 14, 1988...), I attended an invitation-only meeting
of the New York PC users' group.  Among the attendees were several
representatives from some of the major corporations in the NYC area
as well as a few anti-virus program vendors, and myself.  The
people from the corporations wanted to get some facts about viruses
without any media hype.  The meeting was set up as a forum discussion,
and touched on most of the major points in current virus technology and
jargon.  Basically, the vendors (and myself) described what known viruses
do (by citing several examples) and answered several questions presented
by the corporations.  Among the questions were "What is the difference
between a virus and a trojan horse?", "Can a virus do hardware damage
to my PCs?", etc.  Hopefully, some common misconceptions were cleared
up.  Each of the vendors then got a chance to discuss and demonstrate
their wares.

That brings me to my next topic (finally :-).  I'd like to hear from
people who've used commercial (and non-commercial) anti-virus packages.
Hopefully, we can generate some objective discussions on the various
packages here on VIRUS-L.  Any takers?  Some of the currently available
packages are, in no particular order:  (a thousand pardons to any
which I neglect!)

Data Physician
Flu Shot
Disk Watcher
Vaccine (there are a number of products under this name!)
Vaccinate
Checkup
Disk Defender
Panda
...the list goes on

So, let's hear from people who've used these (or others).

Ken

Kenneth R. van Wyk
User Services Senior Consultant          Steve Dallas: Who's driving?!
Lehigh University Computing Center       Opus: Oh keep your pants on,
Internet: <LUKEN@VAX1.CC.LEHIGH.EDU>         I pressed cruise control.
BITNET:   <LUKEN@LEHIIBM1>

--------------------

Date:         Wed, 15 Jun 88 10:30:33 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Re: virii on large(r) machines
In-Reply-To:  Message of Wed,
              15 Jun 88 15:02:03 BST from <cs_iob@UX63.BATH.AC.UK>

> are there any instances
>of virus attacks on mainframes/minis/supermicros

Much (if not all?) of Fred Cohen's PhD work was done on minis and
mainframes.  Indeed, the possibilities here seem to be even more
limitless than those on micros.  Particularly with things like
international networks to aid in the distribution of a virus.


Ken

Kenneth R. van Wyk
User Services Senior Consultant          Steve Dallas: Who's driving?!
Lehigh University Computing Center       Opus: Oh keep your pants on,
Internet: <LUKEN@VAX1.CC.LEHIGH.EDU>         I pressed cruise control.
BITNET:   <LUKEN@LEHIIBM1>

--------------------

Date:         Wed, 15 Jun 88 16:47:00 LCL
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Michael Wagner +49 228 8199645 <WAGNER@DBNGMD21>
Subject:      Re: virii on large(r) machines

> The only incidents I've heard of have all required huming beans to
> help "propogate" (?) the virus from one machine to another (XMAS
> EXEC?)

  This isn't only true of larger machines.  The micros also needed a
  'huming bean' to search out and obtain the infected boot disk.
  XMAS EXEC was different only because it is unusual in the mainframe
  world to just run a strange program you picked up on the network
  (unlike the PC world, where such things are not only run, they are
  booted from).  XMAS EXEC required not just a 'huming bean' but a
  gullible one, and not just one but many.  What was truly amazing
  was how many it found.  Perhaps if they'd been thinking instead of
  huming the damage would have been smaller. :-)

Michael

--------------------

Date:         Wed, 15 Jun 88 11:27:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Jim Shaffer, Jr." <SHAFFERJ@BKNLVMS>
Subject:      mainframe virii

Here at Bucknell University, rumors abound about a virus called TAPEWORM
that was allegedly run on one of our mainframes some years ago. Unfortunately,
all the rumors are so vague that I can't even determine what OS it was running
on. As for a time frame, I would have to say probably within the past 5 years.
The virus supposedly singled out individual users' accounts at random when
they logged in (how it was supposed to do this I have no idea) and copied
itself to them. The users couldn't erase it, and each time they logged in
after the initial infection all of the copies of TAPEWORM in their account
generated one new copy, so the population grew exponentially until soon the
user's disk quota was exceeded.

Has anyone heard of this, or is it just a wild story that got started somehow?
(Of course, even if it did happen here it doesn't mean that it happened
elsewhere. We've never been a part of any DECnet, UUCP, or any TCP network,
so spreading it would have been difficult.)

--Jim Shaffer, Jr. (shafferj@bknlvms)

P.S.  According to the stories, the last person to ever see our virus graduated
      in 1987, so nobody knows if it's still around or who started it. The
      computing center staff refuses to give out any information that's even
      remotely security-related, so I've never asked them. They get suspicious
      if people start inquiring into possible system bugs. I know this from
      experience.

--------------------

Date:         Wed, 15 Jun 88 11:57:09 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         me! Jefferson Ogata <OGATA@UMDD>
Subject:      a few points

Tell me about XMAS EXEC; I've never heard of it.

One possible infection mode I've seen for VM/370 mainframes is an
EXEC I've seen that spools two punch files together to some user.
Only the first file appears in the header information, and there
is only one spool file.  The result is that a user can transmit an
innocuous file to another person with some other file tacked on the
end.  When the innocuous file is received, the other file is
received also.  Don't ask me how it works; I just know it works --
I've seen it in action.  In every way I was able to determine, there
appeared to be only one file, yet when I received that file, it
wrote two files to my disk.  It only notified me of the first file.
This EXEC could easily be used to infect other mainframes with
viruses -- send something like XEDIT EXEC on the back of some other
file; the next time the victim XEDITs something, the virus is
activated.  Unless the victim examines his disk every time he receives a
file, he probably won't notice.

There is a curious virus said to exist in the C compiler AT&T uses
at their research locations.  This virus was added by a compiler
hacker some time ago, and performs the simple function of printing
a happy birthday message for that hacker every time the compiler is
run on his birthday.  This virus is particularly curious because it
is virtually impossible to find where in the C compiler it is located.
This was done by taking advantage of the fact that the C compiler is
used to compile itself every time it is updated.  For example,
suppose you write a piece of code that can reproduce itself (typical
self-printing program).  This code performs the following function:
if you see some piece of code in the C compiler, print yourself along
with a replacement for that code, and code to print out a happy
birthday message on my birthday.  This code is triggered at one particular
place in the C compiler code.  Whenever that code is scanned, it is
replaced by all the virus code.  The trigger code can be completely
innocuous; it need only be in a place where code can filter the
scanner output.  Now as soon as the C compiler has compiled the new
version of itself, the virus code can be removed from the source code.
Each time the compiler is run on itself it will insert the virus code
at some point.  But the virus code is only alive in the executable
version, not in the source code.  According to legend, to this day
no one has discovered where the trigger code is, nor has anyone been
able to disable the virus.  This is the way I've heard it.

- Jeff Ogata

--------------------

Date:         Wed, 15 Jun 88 14:15:35 EDT
Reply-To:     Malcolm Ray <malcolm@JVAX.CLP.AC.UK>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     Warning -- original Sender: tag was malcolm@JVAX.CLP.AC.UK
From:         MALCOLM@JVAX.CLP.AC.UK
Subject:      The Intruder Versus the Hacker

Apropos the discussion about teaching virus-writing, I thought I'd toss in
the following quote, which I think has some relevance.  It's from 'Stalking
the Wily Hacker', a very interesting article in the May 1988 issue of the
Communications of the ACM, describing how staff at LBL traced a hacker.

Copied with the implicit permission of the ACM:

>     The Intruder versus the Tracker
>
> Skills and techniques to break into systems are quite different
> from those to detect and trace an intruder.  The intruder may not
> even realize the route chosen; the tracker, however, must understand
> this route thoroughly.  Although both must be aware of weaknesses in
> systems and networks, the former may work alone, whereas the latter
> must forge links with technical and law-enforcement people.  The intruder
> is likely to ignore concepts of privacy and trust during a criminal trespass;
> in contrast, the tracker must know and respect delicate legal and ethical
> restrictions.
>
> Despite occasional reports to the contrary, rumors of intruders building
> careers in computer security are exaggerated.  Apart from the different
> skills required, it is a rare company that trusts someone with such ethics
> and personal conduct.  Banks, for example, do not hire embezzlers as
> consultants.  Donn Parker, of SRI International, reports (personal
> communication, September 1987) that job applications of several intruders
> have been rejected due to suspicions of their character and trustworthiness.
> On March 16th, the Washington Post reported the arrest of a member of the
> German Chaos computer club, prior to his giving a talk on computer security
> in Paris.  Others who have broken into computers have met with physical
> violence and have been ostracized from network activities.  A discipline
> that relies on trust and responsibility has no place for someone technically
> competent yet devoid of ethics.

[Stalking the Wily Hacker; Clifford Stoll, Communications of the ACM May 1988
Copyright 1988 ACM 0001-0782/88/0500-0484 $1.50
Permission to copy without fee all or part of this material is granted
provided that the copies are not made or distributed for direct commercial
advantage, the ACM copyright notice and the title of the publication and its
date appear, and notice is given that copying is by permission of the
Association for Computing Machinery.  To copy otherwise, or to republish,
requires a fee and/or specific permission.]


Well, he's got a point.  Once someone's got a taste of the havoc they can
cause with their very own virus, would *you* trust them to look after your
systems?

----------------------------------------------------------------------
Malcolm Ray            JANET:    malcolm@uk.ac.clp.jvax
Senior Systems Officer        BitNet:    malcolm@jvax.clp.ac.uk
City of London Polytechnic    No other routes please!

Quis custodiat ipsos custodes, or something like that

--------------------

Date:         Wed, 15 Jun 88 14:17:57 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Kenneth Ng <ken@orion.cccc.njit.edu>
Subject:      hidden files on VM/CMS


>From:         me! Jefferson Ogata <OGATA@UMDD>
>One possible infection mode I've seen for VM/370 mainframes is an
>EXEC I've seen that spools two punch files together to some user.
>Only the first file appears in the header information, and there
>is only one spool file.  The result is that a user can transmit an
>innocuous file to another person with some other file tacked on the
>end.  When the innocuous file is received, the other file is
>received also.  Don't ask me how it works; I just know it works --
>I've seen it in action.  In every way I was able to determine, there
>appeared to be only one file, yet when I received that file, it
>wrote two files to my disk.  It only notified me of the first file.
>This EXEC could easily be used to infect other mainframes with
>viruses -- send something like XEDIT EXEC on the back of some other
>file; the next time the victim XEDITs something, the virus is
>activated.  Unless the victim examines his disk every time he receives a
>file, he probably won't notice.

I'm not sure how this works, but look at sendfile with the acknowledge
option.  When a receive is performed, a file 'Acknowl dgement' is
sent back to the host.  Therefore my bet is that it has something
to do with the 'netdata' format.

--------------------

Date:         Wed, 15 Jun 88 16:26:52 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Kenneth Ng <ken@orion.cccc.njit.edu>
Subject:      CMS netdata files


>From:         Kenneth Ng <ken@orion.cccc.njit.edu>
>>From:         me! Jefferson Ogata <OGATA@UMDD>
:edited query on reader files with several files in it:
>I'm not sure how this works, but look at sendfile with the acknowledge
>option.  When a receive is performed, a file 'Acknowl dgement' is
>sent back to the host.  Therefore my bet is that it has something
>to do with the 'netdata' format.

Naturally after I send the message out I remember how to look at
a file to see if there are more than one file.  Get the number of
records off the 'q rdr all' command, then do a 'PEEK X (FOR Y' where
'X' is the spoolid, and 'Y' is the number of records minus 1.  You'll
see all kinds of funky stuff there, which is the NETDATA format.

--------------------

Date:         Wed, 15 Jun 88 16:29:21 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      forwarded report on VACCINE from J.D. Abolins



Software Review
by J.D. Abolins  (first submittal: ASCIIRIBER)

VACCINE, VERSION 2.0
(not to be confused with FoundationWare's VACCINE, VERSION 1.2 or several
other programs by the same name.)

WorldWide Data Corporation
17 Battery Place
New York, NY  10004

1-800-643-3000 ext. 123 for all credit card and COD orders from individuals.
1-212-422-4100 for other calls and orders.
1-212-809-7206 for FAXed Corporate Purchase Orders.

For IBM and IBM compatible computers (including PC, XT, AT (286 & 386), and
PS/2 - 30,50,60, or 80) using DOS 2.0 or later.

Sold on a 5.25" 360K floppy diskette only. Not copy-protected. 3.5" diskette
version copies will be provided on exchange basis to REGISTERED USERS ONLY.

Price: $79.95 (Discount prices available for large orders.)

 WorldWide Data's VACCINE is one of the many "anti-viral" software packages
on the market now. These programs offer to guard computers from malicious
computer programs, known as "Trojan Horses" and "viruses". Many of these
programs emphasize the parallels between computer "viruses" and biological
viruses. VACCINE is no exception; its very name has a medical connotation. Its
packaging displays pictures of hypodermics, forceps, Kelly clamps, and other
medical instruments. The medical analogy was so strong, I felt I had to
sterilize my hands before loading the program into the XT.

 The VACCINE package includes one 5.25" diskette, a nine-page instruction
book, registration card, and a couple of information sheets. The diskette
itself included three main programs- VACCINE, ANTIDOTE, and CHECKUP. There are
several utility and sample files included, as well as a README file for
additional documentation. The instructions were clear, concise, and simple.

 ANTIDOTE, which is the first program to be run when installing VACCINE,
scans executable files on one's hard disk, looking for signs of program code
to any of the various "viruses" known to WorldWide Data. ANTIDOTE can run
periodically to check for suspicious code.

 CHECKUP examines the executable files on one's hard drive, derives checksums,
checks the files' sizes, and compares the information against a file of values
from an earlier CHECKUP run. If the file of previous values doesn't exist,
CHECKUP will create a new one. It will give a status report telling one which
files have been changed, deleted, or added.

 VACCINE is a memory-resident program which detects programs that change
memory tables or try to become memory-resident. To prevent continual false
alarms when running legitimate programs, one must prepare a configuration file
which lists the names of legitimate programs which may trigger off VACCINE's
warnings. This is quite simple. The documentation suggests that VACCINE be
invoked by the AUTOEXEC.BAT so that it is always in the background. When it
detects a program attempting to change the memory tables or become memory-
resident, VACCINE sounds off rapid pulsing tones and flashes a warning at the
bottom of the screen. It gives one three options- "Y" to continue the program,
"R" to reboot the system, or "A, Alt-A, or Control-A" to add the detected
program's name to the configuration file.  Simple enough. The option to update
the configuration file is excellent; the update can be done with one
keystroke.

 As mentioned several times above, VACCINE is simple to install and to use.
But a major question remains- "how effective is it against destructive
programs?". Since I don't have samples of "virus" program, I could not run a
full "live ammo" test. Yet from examining and using the package, I have found
several indicators of its capabilities and weaknesses.

 The package does a good overall checkup of the EXECUTABLE FILES. This will
detect most of the "viruses" which infect executable files. VACCINE will not
detect anything that infects other files, such as overlay files. For the moment,
most of the "viruses" that I have heard about would be detected by VACCINE
since they, at some point, will affect executable files. There are no such
assurances for the future. A major precaution that must be taken with this
software, as with any other "anti-virus" software- one's system must be
"clean" before installing the software. Otherwise, the software may consider
the destructive software as a part of the normal environment. This is why the
VACCINE documentation specifies that one use ANTIDOTE first. But if ANTIDOTE
misses bogus code, it may be a while before CHECKUP or VACCINE detects the
code.

 While running CHECKUP several times, I have noticed a quirk that can cause
problems for some users. I use a subdirectory with a high-order ASCII
character in its name. The first time I ran CHECKUP, it worked well since it
was creating a new checksum/size file. But when I ran CHECKUP again, it gave
me an error message, saying that the program found an invalid character in the
checksum/size file. After experimenting with renaming of the unusual
subdirectory, my suspicions were confirmed. CHECKUP can be thrown off by high-
order ASCII (ASCII 128-255) in filenames or directory names. This quirk makes
it impossible to effectively use CHECKUP on the whole hard disk or on the root
directory; CHECKUP can still be used with subdirectories that don't have the
high-order ASCII codes. This should be no problem for most users, but some
users should be aware of this quirk. I know no solution to this quirk other
than changing the filenames or directory names.

  VACCINE was simple to install and to use. It seems to offer a good amount
of protection against most of the common types of malicious programs. But it
will only scan executable files, so other files are still vulnerable. Then
there is the matter of CHECKUP's quirk regarding non-standard filenames. Then
considering the price of VACCINE ($79.00), I would recommend for the average
home PC user to check out some of the other "anti-virus" software before
deciding which one to buy. Some have options that VACCINE does not and many
offer a bit more for less cost. VACCINE will definitely do the job of
providing some protection for one's system. But there is no 100% effective
"anti-virus" program. So whatever software one uses, one must still compute
wisely.


   [Thanks, J.D.  Anyone else have any similar reports on other products?
    Ken]

Kenneth R. van Wyk
User Services Senior Consultant          Steve Dallas: Who's driving?!
Lehigh University Computing Center       Opus: Oh keep your pants on,
Internet: <LUKEN@VAX1.CC.LEHIGH.EDU>         I pressed cruise control.
BITNET:   <LUKEN@LEHIIBM1>
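
A CHECKUP-style integrity check with the review's filename quirk handled, as an added example (not WorldWide Data's code): it records size and digest for each executable, reports changed, deleted and added files, and stores the baseline as UTF-8 JSON so that a directory name carrying high-order characters (the assumed name "ÜTIL" in the constructed demo) cannot corrupt the record on the second run. SHA-256 stands in for the product's unspecified checksum; the walk over .EXE and .COM only mirrors the review's observation that overlay files go unchecked.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Extensions a CHECKUP-style tool covers; overlay files are deliberately not
# included, which is exactly the gap the review points out.
EXECUTABLE_EXTS = {".exe", ".com"}


def file_record(path):
    """Size plus a SHA-256 digest of one file (stand-in for the product's
    unspecified checksum)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}


def scan(root):
    """Map root-relative path -> record for every executable under root."""
    records = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                records[rel] = file_record(full)
    return records


def save_baseline(records, baseline_path):
    # JSON with explicit UTF-8: a name such as "ÜTIL" is stored as data, not
    # as a field delimiter, so it cannot be misparsed on the next run.
    with open(baseline_path, "w", encoding="utf-8") as f:
        json.dump(records, f, ensure_ascii=False, indent=1, sort_keys=True)


def load_baseline(baseline_path):
    with open(baseline_path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(old, new):
    """Report files that are new, gone, or differ in size or digest."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "changed": sorted(p for p in common if old[p] != new[p]),
    }


def checkup(root, baseline_path):
    """First run: write the baseline and return None. Later runs: return the
    comparison report. The baseline is never rewritten automatically, so an
    unexpected change keeps being reported until an operator re-baselines."""
    current = scan(root)
    if not os.path.exists(baseline_path):
        save_baseline(current, baseline_path)
        return None
    return compare(load_baseline(baseline_path), current)


def demo():
    """Constructed scenario (not from the review): a tree whose subdirectory
    name contains a high-order character, then one modified, one deleted and
    one newly added executable between two CHECKUP-style runs."""
    root = tempfile.mkdtemp()
    try:
        sub = os.path.join(root, "ÜTIL")  # the kind of name that broke CHECKUP
        os.makedirs(sub)
        files = {
            "A.EXE": os.path.join(root, "A.EXE"),
            "B.COM": os.path.join(sub, "B.COM"),
            "C.EXE": os.path.join(sub, "C.EXE"),
        }
        for name, path in files.items():
            with open(path, "wb") as f:
                f.write(b"MZ" + name.encode("ascii"))  # constructed stub binaries
        baseline = os.path.join(root, "CHECKUP.DAT")
        first = checkup(root, baseline)        # creates the baseline
        with open(files["B.COM"], "ab") as f:  # file grows, as after an infection
            f.write(b"\x90" * 16)
        os.remove(files["C.EXE"])              # a deletion
        with open(os.path.join(sub, "D.EXE"), "wb") as f:  # a new file
            f.write(b"MZ D.EXE")
        second = checkup(root, baseline)
        return first, second
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```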

--------------------

Date:         Wed, 15 Jun 88 17:42:45 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe McMahon <XRJDM@SCFVM>
Subject:      Mac Vaccine

Vaccine for the Macintosh

Author: Don Brown, CE Software

Price: Free

Type of program: Virus blocker (INIT file)

Installation: Copy file into System folder

Action: Vaccine blocks attempts to write code resources of various types
        (including FKEYs, MDEFs, WDEFS, and INITs) and displays a modal
        dialog alerting the user as to the attempt. The user may choose to
        allow or disallow the access. Vaccine has an "expert mode" which places
        a tiny icon in the upper right-hand corner of the screen which can be
        clicked to allow or disallow the access.

        Some users have reported trouble with the Font/DA Mover and Vaccine,
        but I have not had any problems. Vaccine is quiet, unobtrusive, and
        should stop any virus which does not completely avoid using the
        Toolbox to modify the resource fork of files.

--------------------

Date:         Wed, 15 Jun 88 14:57:00 PDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         DBUERGER@SCU
Subject:      RE: NYPC meeting summary


Re: Ken van Wyk's request for people who use anti-virus software:

I use several programs as part of a general plan to protect myself.
I recognize that this plan isn't perfect, but what else can one do?

I run Data Physician's DATAMD program, which checks pre-tagged .exe and
.com files upon each boot-up.  I used to run a similar program they sell,
which does the same thing at user-specified intervals automatically while
my AT is on.  So far the software has not detected viral attack against
these files.  It has detected changes when I've modified the files, so I know
the detection system is active.

When I get new .com or .exe files, especially binaries off the net or from
bulletin boards, I run CHK4BOMB on each one to look for ascii text that
suggests the possibility of a Trojan, as well as to see if the program might
generate disk write activity.

I then use Data Physician's DISKLOCK program that isolates my hard disk
from the floppies.  I switch to a floppy and execute the program a specified
number of times.  On the floppy is a copy of Sophco's CANARY program that
tells you if it's been infected by a virus.  If that passes, I then change
the system date and run the program several more times.  If everything
checks out, I presume that the program is safe and proceed to use it.

Granted, none of this is fail-safe, yet I feel some responsibility to check
this stuff, especially since I usually end up passing it out to interested
users here at the University.  If I can get source code, we often regenerate
the binaries from that.  Hope this might be of interest....

David J. Buerger
Santa Clara University
dbuerger@scu.bitnet

--------------------

Date:         Wed, 15 Jun 88 16:49:43 CST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         David Camp <C04661DC@WUVMD>
Subject:      Re: virii on large(r) machines
In-Reply-To:  Message of Wed,
              15 Jun 88 15:02:03 BST from <cs_iob@UX63.BATH.AC.UK>

>So far this distribution list seems to have
>concentrated on micros - are there any instances
>of virus attacks on mainframes/minis/supermicros
>(ie multi-user machines bigger than PC-AT's)

Within the last year there was a major infection of .BITNET
by the program XMAS EXEC.  Since most .BITNET nodes are
running VM/CMS, it was able to take advantage of a common
environment.  It required the gullibility of the receiving
user to propagate.  Once run, it displayed a Christmas Tree
(as promised) on the screen, but then proceeded to redistribute
(SENDFILE) itself to every user in one's NAMES file (the CMS
equivalent of a Rolodex).  I read one message that said it
also consulted your NETLOG for prospective destinations.
An international effort commenced to eradicate the virus and
to identify the originator.  The last word was the user was
identified and stripped of his network access privileges.
Supposedly large portions of .BITNET were overloaded by
this virus, and had to be temporarily disconnected.
-David-

>
>It strikes me that since so many of these machines
>(especially in the academic community) are networked
>there is definitely a distribution medium for
>virii. The only incidents I've heard of have all
>required huming beans to help "propogate" (?)
>the virus from one machine to another (XMAS EXEC?)
>
>Ian
>---
>JANET:  cs_iob@uk.ac.bath.ux63       Ian O'Brien, Systems Programmer,
>OTHER:  cs_iob@ux63.bath.ac.uk       Bath University Computing Services
>USENET: ..!mcvax!ukc!bath63!cs_iob

*----------------------------------------------------------------------*
| (314) 362-3635                  Mr. David J. Camp                    |
|                          ~      Division of Biostatistics, Box 8067  |
| Room 1108D             < * >    Washington University Medical School |
| 706 South Euclid         v      660 South Euclid                     |
|                                 Saint Louis, MO 63110                |
|   Bitnet: C04661DC@WUVMD.BITNET                                      |
| Internet: C04661DC%WUVMD.BITNET@CUNYVM.CUNY.EDU                      |
|       or: david@wubios.wustl.edu                                     |
*----------------------------------------------------------------------*

--------------------

Date:         Wed, 15 Jun 88 17:04:56 CST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         David Camp <C04661DC@WUVMD>
Subject:      Re: NYPC meeting summary
In-Reply-To:  Message of Wed, 15 Jun 88 10:05:24 EDT from <LUKEN@LEHIIBM1>

>
>
>That brings me to my next topic (finally :-).  I'd like to hear from
>people who've used commercial (and non-commercial) anti-virus packages.
>Hopefully, we can generate some objective discussions on the various
>packages here on VIRUS-L.  Any takers?  Some of the currently available
>packages are, in no particular order:  (a thousand pardons to any
>which I neglect!)
>
>Data Physician
>Flu Shot

I have had a limited experience with an early version of
FLUSHOT.  I downloaded it to my PC and installed it as
instructed.  I then proceeded to use my favorite software.
I quickly realized that this program was being over-protective.
I could not get any normal work done because of the incessant
interrupts.  I suppose it would be useful when you are trying
out a new program.  Since it prevented many correct programs
from working, I doubt it could identify a rogue.  Remember,
this was an early version.  I do not know what improvements
have been made since then, but with the doppelgangers on
the market, I am afraid to pursue it any further.
-David-

>Disk Watcher
>Vaccine (there are a number of products under this name!)
>Vaccinate
>Checkup
>Disk Defender
>Panda
>...the list goes on
>
>So, let's hear from people who've used these (or others).
>
>Ken
>
>Kenneth R. van Wyk
>User Services Senior Consultant          Steve Dallas: Who's driving?!
>Lehigh University Computing Center       Opus: Oh keep your pants on,
>Internet: <LUKEN@VAX1.CC.LEHIGH.EDU>         I pressed cruise control.
>BITNET:   <LUKEN@LEHIIBM1>

*----------------------------------------------------------------------*
| (314) 362-3635                  Mr. David J. Camp                    |
|                          ~      Division of Biostatistics, Box 8067  |
| Room 1108D             < * >    Washington University Medical School |
| 706 South Euclid         v      660 South Euclid                     |
|                                 Saint Louis, MO 63110                |
|   Bitnet: C04661DC@WUVMD.BITNET                                      |
| Internet: C04661DC%WUVMD.BITNET@CUNYVM.CUNY.EDU                      |
|       or: david@wubios.wustl.edu                                     |
*----------------------------------------------------------------------*

--------------------

Date:         Wed, 15 Jun 88 18:39:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Loren J. Miller, WCIT" <MILLERL@wharton.upenn.edu>
Subject:      WordPerfect virus (?) and Brain

    Hello Virus Fighters,

    Recently we have been having some problems with WordPerfect, which
    is the Word Processor installed in the computer labs of the
    Wharton School.  One of our people sent out a message which
    briefly described the problem as she saw it. The message is at the
    bottom, below my notes.

    Note that sometimes the floppy disks of those people who are
    bitten by this virus have a volume name "(C) Brain".  We know that
    Brain is "supposed" to be a malign virus, but every time we have
    examined the code written by Brain to the floppy to propagate
    itself, it looks pretty harmless, and when we boot on a Brain
    diskette it doesn't progressively chomp up the disk with bad
    sectors.  It looks like it alters the boot sector and makes a copy
    of itself in another sector which it marks as bad, then stops,
    awakening only to copy itself to a new disk (the Brain we have
    been able to isolate can't propagate itself on an HP Vectra, which
    is our most common PC clone).  This particular Brain cannot infect
    hard disks (at least on an HP Vectra), it only gets DS/DD floppies,
    and the only way it gets in our labs is by people coming in and
    running an infected program off their own floppy.

    One of the problems with identifying this virus (we've been
    calling it the Error 31 Virus) is that any time it strikes,
    demolishing the FAT, the computer (in our labs HP Vectras) hangs
    up and won't respond to any keyboard commands. When the computer
    is restarted all signs of the virus executable are gone. While
    this is an excellent prophylactic measure against infection, the
    users of our lab do not turn computers off and on before they
    start working on them, instead they gravitate to the computers
    that are already on.

    Linda's description of the problem follows here.

>From:    FRED::BOHNSACK     "Linda Bohnsack"  9-JUN-1988 16:18
>To:    CONSULTANT
>Subj:    What to do when someone reports a possible virus or you suspect a virus!
>
>Recently we have seen the Disk Error 31 problem in WordPerfect.  We suspect
>that this is a virus which attaches itself to the WordPerfect program.  We have
>no idea where it comes from, but we know that it is invoked when saving a
>file.
>
>This particular suspected virus erases both FATs (File Allocation Tables), and
>the information cannot always be recovered from the disk afterwards.
>
>So what do we do?
>
>IF IT IS A KNOWN VIRUS:  (We should have a brief explanation on how to fix
>                          the disk AND/OR recover the information.)
>
>    (c) Brain is a known virus which is known to have no damaging effect
>    on the files of the disk.  It modifies the boot area and marks a few
>    sectors as bad.  A disk can probably also become infected with a
>    damaging virus to create damage on a disk making it appear as if
>    it is a (c) Brain damaged disk.
>
>    If anyone does discover beyond a shadow of a doubt, a (c) Brain
>    virus that is damaging - bring it to me.....I've got to see it before
>    I'll believe it.
>
>
>IF IT IS A SUSPECTED VIRUS:  (We need to collect information on it.)
>
>    1.  Alert the user not to reboot the machine, if possible.
>
>    2.  Take down the machine number (or position in the lab).
>
>    3.  Have the user put a sign on the machine - DO NOT USE - VIRUS.
>        (If the user is desperate about his file, reboot to recover
>        a WP backup file {WP}BACK.1 in the public directory.)
>
>    4.  Attempt to recover the disk information for the user with
>        NORTON UTILITIES in MAINTENANCE mode (if you don't know how to
>        do this have them wait for Michael or a more experienced PC
>        consultant).
>
>    5.  If you have the machine unrebooted, alert Linda to take a look
>        at it. (to collect more info on it).  (If Linda is not available,
>        please leave a message with Lisa or the receptionist in 315.
>        Phone :  898-1395)
>
>    6.  Send MAIL to Linda, Michael, Loren and Carol so that we can track
>        the problem machines for the code or to replace the software if
>        it repeats the problem within the week.
>
>ALSO be kind to our user.  Appear concerned, empathetic, and calm.
>
>PLEASE do not get excited.  An excited consultant creates a panicked user.
>(This theory is akin to being calm during fire alarms, and air raids.)
>
>The user is probably near hysteria already because they just lost x hours
>of work on our computers.

    If anybody else has seen something similar to this situation, or
    has otherwise pertinent information, please comment to me via the
    list.

    *  *  *  *  *  *  *   *  *  *  *      *             *
    Thanks!             *            *   *  *          *   *
    Loren J. Miller                    *      *       *      *
    Senior Large Systems Consultant             *    *         *
    Computing and Instructional Technology         *             *
    The Wharton School                                             *    *
    University of Pennsylvania                                        *
    (215) 898-1837

    U.S. Mail:                               Internet:
    --------------------------------         -------------------------
    301 Steinberg Hall-Dietrich Hall         MILLERL@WHARTON.UPENN.EDU
    3620 Locust Walk                           -or-
    Philadelphia, PA 19104                   MILLERL@WHARTON

"He has the right to criticize who has the heart to help" - Abraham Lincoln
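A defender-side check for the two indicators Loren describes above (a "(C) Brain" volume label and clusters flagged as bad), written here as an added example in Python; it is not code from this post or the list. It assumes a standard FAT12 floppy layout and builds its own constructed test image instead of reading a real disk.

```python
import struct

BAD_CLUSTER = 0xFF7        # FAT12 value marking a cluster as bad
VOLUME_LABEL_ATTR = 0x08   # directory-entry attribute of a volume label
BPB_FORMAT = "<HBHBHHBH"   # BIOS Parameter Block fields starting at offset 11

def fat12_entry(fat, n):
    """Read the 12-bit FAT entry for cluster n (entries are packed 2 per 3 bytes)."""
    o = n * 3 // 2
    v = fat[o] | (fat[o + 1] << 8)
    return (v >> 4) if n & 1 else (v & 0x0FFF)

def inspect_floppy(img):
    """Return (volume label or None, number of clusters marked bad) for a FAT12 image."""
    bps, spc, reserved, nfats, root_entries, total, _media, spf = struct.unpack_from(BPB_FORMAT, img, 11)
    fat = img[reserved * bps:(reserved + spf) * bps]
    root = (reserved + nfats * spf) * bps
    data_sectors = total - reserved - nfats * spf - (root_entries * 32) // bps
    clusters = data_sectors // spc
    bad = sum(1 for n in range(2, clusters + 2) if fat12_entry(fat, n) == BAD_CLUSTER)
    label = None
    for i in range(root_entries):
        entry = img[root + i * 32:root + (i + 1) * 32]
        if entry[0] == 0:            # end of the used directory entries
            break
        if entry[11] == VOLUME_LABEL_ATTR:
            label = entry[:11].decode("ascii", "replace").rstrip()
            break
    return label, bad

def looks_like_brain(img):
    """Both indicators from the report: a '(C) Brain' label and clusters flagged bad."""
    label, bad = inspect_floppy(img)
    return label is not None and label.upper() == "(C) BRAIN" and bad > 0

def build_sample_image(label=b"(C) BRAIN  ", mark_bad=True):
    """Constructed 360K-style FAT12 image (not a real infected disk) for exercising the check."""
    bps, spc, reserved, nfats, root_entries, total, spf = 512, 2, 1, 2, 112, 720, 2
    img = bytearray(bps * total)
    struct.pack_into(BPB_FORMAT, img, 11, bps, spc, reserved, nfats, root_entries, total, 0xFD, spf)
    img[510:512] = b"\x55\xAA"
    for f in range(nfats):
        base = (reserved + f * spf) * bps
        img[base:base + 3] = b"\xFD\xFF\xFF"         # media byte and end-of-chain markers
        if mark_bad:                                   # clusters 150 and 151 both set to 0xFF7
            img[base + 225:base + 228] = b"\xF7\x7F\xFF"
    root = (reserved + nfats * spf) * bps
    img[root:root + 11] = label
    img[root + 11] = VOLUME_LABEL_ATTR
    return bytes(img)
```

A bad-cluster count on its own is weak evidence, since media faults also mark clusters bad and, as Linda notes below, another program could leave marks that look like Brain's; the volume label is the stronger of the two indicators.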

--------------------

Date:         Wed, 15 Jun 88 20:43:37 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         me! Jefferson Ogata <OGATA@UMDD>
Subject:      Re: hidden files on VM/CMS

> From: Kenneth Ng

> I'm not sure how this works, but look at sendfile with the acknowledge
> option.  When a receive is performed, a file 'Acknowledgement' is
> sent back to the host.  Therefore my bet is that it has something
> to do with the 'netdata' format.

Actually it has nothing to do with acknowledge or Netdata format.  It
uses disk dump format through your virtual punch.  It first spools
your punch continuous, then disk dumps various files to it and closes
the punch file.  The only file that shows up to RDRLIST or Q RDR is the
first disk dump.  It IS possible to check whether the number of lines
in the file matches with what a Q RDR says, but how many people do that?

- Jeff Ogata

--------------------

Date:         Wed, 15 Jun 88 22:44:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: virii on large(r) machines
In-Reply-To:  Message of 15 Jun 88 10:02 EDT from O'Brien


It is true that most of the network viruses have depended on duping the
target into executing the virus.  The XMASCARD EXEC simply demonstrates
how easy that is to do.  The demonstration is even more powerful because
many of the victims of that virus have been specifically warned not to
execute unsolicited programs.  They have even been specifically warned
about Christmas greetings.

VM, Unix, Multics and VMS are particularly vulnerable because they
employ the same name space for programs and data.  VM and Multics are
slightly less vulnerable to the extent that executables do have specific
file types.

However, one should always be careful regardless of the name or type.
In his Turing Award paper, Ken Thompson demonstrates that one man's data
is another man's program.  Both Thompson and Cohen point out conditions
under which application data can be employed as the vector to distribute
a virus.

A problem for any virus designer is to get his code executed.  The PC
viruses have demonstrated a number of solutions to this problem.  It
would not be appropriate to discuss any further solutions to that
problem here.  Suffice it to say that good computer hygiene requires
that you not accept any unsolicited mail and be careful even with data
from known sources.  Note that the XMASCARD appeared to come from a
friend.

Good hygiene also requires that you not execute untrusted code while
connected to the environment.  VM offers a solution to this problem;
that is to run VM under VM.  In this event you will own all of the
products of the execution, since you own the virtual punch/network.  Of
course this assumes that you have access to a copy of VM/CP and
sufficient resource to execute it.

As I have pointed out before, although the author of a virus can predict
how it will behave in the target execution environment, he cannot
predict very well how it will behave in a population.  If you introduce
a virus into the population of which you are a member, then you will
likely be one of its victims.  Since you cannot predict how it will
behave in the population, you can still be the victim even if you
yourself are immune.  Note that the author of the XMASCARD was immune
since he would recognize it and not be duped.  However, he was still a
victim of the saturated net.

Note that the XMASCARD was benign in the execution environment.
However, in the net, it was far more destructive than the author himself
could have expected or predicted.

--------------------

*** end of Virus-L issue ***
