From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V3 #121 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Monday, 9 Jul 1990 Volume 3 : Issue 121 Today's Topics: Re: Virus on Startup Screen? (Mac) False alarm using scan v62 (PC) virus definitions new virus 1022 (PC) Troubles with CLEAN from McAfee (PC) Disinfectant 2.0 (Mac) UNIX checksums (UNIX) new virus (PC) A Revised Computer Espionage Law? re: mainframe attacks (a correction) Problems with McAfee's VSHIELD and MS Word (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 05 Jul 90 21:23:31 +0000 From: barnett@grymoire.crd.ge.com (Bruce Barnett) Subject: Re: Virus on Startup Screen? (Mac) I wrote: > We have been having problems with MacIIci and Microsoft mail. > I suspect a new type of virus. There is a conflict with Sam 2.0.0, MS Mail, and a start-up screen. Either 1) Upgrade to SAM 2.0.2b 2) Rename MS Mail and/or SAM so MS Mail INIT's before SAM 3) delete the start-up screen 4) Patch the WDEF on MS Mail so that the WDEF (#16) has the system Heap check box on (Use Get Info and ResEdit) Microsoft Mail also has a problkem with MacMainframe from Avatar. A rename of INIT's fixes this also. Sam also reacts to MacPassword in a fashion similar to MS Mail. Thanks to all, and esp. Paul "Mr. SAM" Cozza. - -- Bruce G. Barnett barnett@crd.ge.com uunet!crdgw1!barnett ------------------------------ Date: Sun, 08 Jul 90 19:19:11 -0500 From: Martin Zejma <8326442@AWIWUW11.BITNET> Subject: False alarm using scan v62 (PC) When i start scan from the command line of the Norton Commander V2.0 , i get an alarm that the 1701/1704 Virus is active in memory, but scanning all files on my harddisk, there is no infected file . I'm using a NEAT 286 Motherboard running at 10 MHz , a Seagate ST-225 20 Mb Har ddisk, a Tseng EVA/1024 8 Bit VGA card with 512 kb memory, all that stuff under PC-DOS 4.00. When i use an earlier version of scan , fe. V48 , no alarm comes up. Anyone out there in the wild, wild world knowing what's going on ? Awaiting good ideas, Sincerly yours, Martin Zejma +-----------------------------------------------------------------------+ | Martin Zejma 8326442 @ AWIWUW11.BITNET | | | | Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria | +-----------------------------------------------------------------------+ ------------------------------ Date: Thu, 05 Jul 90 17:19:22 -0700 From: teda!RATVAX.DNET!ROBERTS@decwrl.dec.com (George Roberts) Subject: virus definitions Jerry J. Anderson writes: >Here are my definitions of virus, worm and Trojan horse: > > virus - a dependent self-replicating program. > > worm - an independent self-replicating program. > > Trojan horse - a program with a hidden agenda. > >By dependent, I mean that a virus "lives" within another program. > >I do not believe that the definition of a worm has anything to do with >networks. I think that association has risen due to the infamy of the >Internet worm. I agree with what you are saying, but is there a better way to word these definitions? What happened to the word "autonomous" instead of independent? autonomous - adjective: Independent; self-contained. - American Heritage dictionary. Here is my attempt at more accurate definitions: Virus - A section of code which has the ability to attach copies of itself to other programs in a manner which when these infected programs are executed, the virus code is executed as well as the original program. Worm - An autonomous program which has the ability to copy itself to a new physical location and then execute this new copy as a separate concurrent process. Trojan horse - an autonomous program with a hidden agenda disguised as a program to do something desirable. notes: 'program' may mean a set of integrated programs with a common purpose. 'new physical location' may or may not be on a different cpu. - -George Roberts ..decwrl.dec.com!teda!ratvax.dnet!roberts ------------------------------ Date: Mon, 02 Jul 90 11:28:02 -0500 From: ddavidso@mqccsunc.mqcc.mq.OZ.AU (Dean Davidson) Subject: new virus 1022 (PC) New Virus "1022" One of our networks has been infected by a virus. It is not detectable by SCAN V63. Symptoms: Only infects .EXE files, adding 1022 bytes to them Infects files even if they are r/o Changes the date on the files it infects to the current system date. It appears that after running the first infected .EXE it starts up a TSR that carries out further infection Detection: running STRINGS on an infected file reveals : This message is dedicated to $ all fellow PC users on Earth $ Towards A Better Tomorrow $ And A Better Place To Live In $ 03/03/90 KV KL MAL [There is no CR/LF after the $ character - I added this so that the message is readable] Also detection might be done by looking at the date/time change on the infected files To scan all your files (until a version of SCAN is produced which detects this virus): GREP -d+ dedicated *.EXE [The GREP I used is the one that comes with Turbo Pascal] [I chose "dedicated" for the search string as it is the most unique word in the message] Damage: Unknown at this stage Removal : Restore the .EXE from backup Dean Davidson Microcomputer Support Office of Computing Services Macquarie University NSW 2109 Australia 61 2 805 7436 ------------------------------ Date: Sun, 08 Jul 90 18:51:02 -0500 From: Martin Zejma <8326442@AWIWUW11.BITNET> Subject: Troubles with CLEAN from McAfee (PC) During the summer I'm working at a big computer software development company here in Vienna. Like everytime I came there detecting viruses all over our office's PC. It's allways the same old foe, the 1704 Virus (Cascade , Falling Letters,etc). It is almost impossible to detect it without scanning for viruses, because the trigger date of the versions floating around in Austria has never been changed from a unfriendly hacker( original it is 1980 , or Oct to Dec 1988), so the virus only infects everything as much as it can , but never starts its 'work'. Allways up to date , i decided to remove it with CLEAN from John McAffee, because i thought it would do the job quick and clean. Fortunately, I copied all of the infected files to a floppy disc, to have a 'backup' if problems would appear. And they did ||| 1)On bigger COM-files , the original jump instruction has not been restaurated correctly, some junk like (20,18,32) stood there, so naturally the computer hanged up, 2) or about 3 quarters of the files were simply deleted , for example the COM-file of Microsoft Chart 4.0 cut down from about 56 Kb to 9 Kb. Expecting a possible error only in this version of CLEAN (V58), i tried a newer one (V61) , the same junk appeared after the 'cleaning'. In February i had to remove the same virus , but at that time i only had good old M-1704 (also from John McAffee) , which changed the date of all files th actual date / time , but worked well. 3) also CLEAN ended its run after cleaning 15 files, to heal 40 files i had to start it 3 times. Has anybody detected the same problems ? Sincerly yours, Martin Zejma +-----------------------------------------------------------------------+ | Martin Zejma 8326442 @ AWIWUW11.BITNET | | | | Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria | +-----------------------------------------------------------------------+ ------------------------------ Date: Sun, 08 Jul 90 22:33:59 -0400 From: jln@acns.nwu.edu Subject: Disinfectant 2.0 (Mac) Disinfectant 2.0 ================ July 8, 1990 Disinfectant 2.0 is a major new release of our free Macintosh anti-viral utility. The main goal of version 2.0 is to provide a complete and free solution to the Macintosh virus problem in a single package (in fact, in a single file). Version 2.0 addresses all four aspects of the virus problem: detection, repair, protection, and education. Version 2.0 includes a new virus protection startup document (INIT). The INIT is designed for use by novices and others who find existing protection INITs to be too complicated and obtrusive. Version 2.0 has a much-improved online manual, with pictures, printing, a context-sensitive help system, and many new sections of information. Version 2.0 is a non-modal application with standard windows and menus. It supports desk accessories, printing, MultiFinder application switching, and scanning in the background. There is a new Preferences window which can be used to specify miscellaneous options and parameters. Other new features include more scan and disinfect options, new counters in the main window, and a much-improved scanning station feature. Version 2.0 also recognizes the Frankie virus. Frankie only affects some kinds of Macintosh emulators running on Atari computers. Disinfectant 2.0 is available now via anonymous FTP from site acns.nwu.edu [129.105.49.1]. It will also be available soon on sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac, CompuServe, GEnie, Delphi, BIX, MacNet, America Online, Calvacom, AppleLink, and other popular sources of free and shareware software. Macintosh users who do not have access to electronic sources of free and shareware software may obtain a copy of Disinfectant by sending a self-addressed stamped envelope and an 800K floppy disk to the author at the address below. People outside the US should send an international postal reply coupon instead of US stamps (available from any post office). Please use sturdy envelopes, preferably cardboard disk mailers. John Norstad Academic Computing and Network Services Northwestern University 2129 Sheridan Road Evanston, IL 60208 Bitnet: jln@nuacc Internet: jln@acns.nwu.edu CompuServe: 76666,573 AppleLink: A0173 ------------------------------ Date: Mon, 09 Jul 90 09:50:16 -0500 From: m19940@mwvm.mitre.org (Emily H. Lonsford) Subject: UNIX checksums (UNIX) Does anyone know of a shareware or commercial product that can be used to generate checksums on UNIX files? Similar to McAfee's VALIDATE program? * Emily H. Lonsford * MITRE - Houston W123 (713) 333-0922 [Ed. Most UNIX flavors come with a simple checksum called "sum". In addition, Ralph Merkle at PARC has a program called Snefru (I believe it's in a testing stage, but is readily obtainable), and RSA has a signature program called MD4. I'm sure that there are others also.] ------------------------------ Date: 09 Jul 90 09:43:02 -0400 From: "David.M.Chess" Subject: new virus (PC) > Fools debuggers to prevent reverse engineering. One small nit, just in case this list is being read by someone in the media! *8) The virus contains some code that's designed to cause a branch to a nasty place in BIOS if one single-steps through a particular early part of the virus. But anyone skillful enough to use a debugger is almost certainly skillful enough to detect what the virus is trying to do, and prevent it. A more accurate description, to avoid giving the virus more credit than it deserves, might be: Contains easily-avoidable code that's intended to make analysis more difficult, but in fact has no particular effect. DC ------------------------------ Date: 06 Jul 90 18:01:00 -0400 From: "zmudzinski, thomas" Subject: A Revised Computer Espionage Law? >From The Washington Post, 5 July 1990: A Revised Computer Espionage Law? Change Would Allow Prosecution of Whistle-Blowers and Journalists By George Lardner Jr., Washington Post Staff Writer The Bush administration is seeking a change in the federal computer espionage law that would open the door to prosecution and conviction of whistle-blowers and journalists as well as spies. The Justice Department said the proposal would make the espionage law "more useful." It would eliminate a provision in current law requiring proof of espionage and make it a crime simply to use -- or cause the use of -- a computer to obtain classified information without authorization. The penalties would be the same as they are now. Violators would be subject to ten years in prison for a first offense, or "an attempt to commit such an offense." Second offenders could be sent away for twenty years. The proposal was submitted to Congress last month by Acting Assistant Attorney General Bruce C. Navarro as part of a package of changes in the computer fraud and abuse statute of 1986. It has drawn a frosty reception from lawmakers with jurisdiction over the issue. "It seems they want to make far more people spies than actually are," said Rep. Charles E. Schumer (D-N.Y.), chairman of the House Judiciary subcommittee on criminal justice. Under the current computer espionage law, it is a felony for anyone knowingly to gain unauthorized access to a computer and obtain classified information "with the intent or reason to believe that such information so obtained is to be used to the injury of the United States, or to the advantage of any foreign nation." The Justice Department wants to drop the "intent or reason to believe" clause. Although the clause is a staple of traditional espionage laws dating back to 1917, the Justice Department contends that it "has so narrowed the application of the computer espionage provision as to render it virtually useless." Taking it out, Justice officials said in a section-by-section analysis, would establish a "new computer crime offense, which merely requires proof that the person obtained certain information, and not that he delivered it or transmitted it to any other person or government." Prosecutors would then have "another weapon for combating the increasing number of espionage cases." Another part of the Justice Department package that drew criticism was a provision that would define information in a computer, as well as processing time, as "property." "The thrust of that is to say that is if you take information, that's property and you can be accused of stealing," Schumer said. "I think that's very dangerous. We need a law more finely honed than that." Morton Halperin, Washington director of the American Civil Liberties Union (ACLU), said the proposals call to mind the controversial 1985 prosecution of former naval intelligence analyst Samuel Loring Morison, the first person convicted under espionage laws for leaking documents "relating to the national defense" to the news media. Morison was found guilty of espionage and of theft of government property for leaking three spy satellite photographs that were classified secret to a British magazine. He also was convicted on separate espionage and theft charges for taking portions of two other Navy documents, also classified secret, and keeping them in an envelope at his Crofton, Md., apartment. Morison's lawyers contended that the sections of espionage law used in the case were meant to apply only in a clandestine setting, to spies and saboteurs, and not to disclosures to the news media. As for the theft charges, they protested that making the law applicable to government "information" would give the executive branch unbridled discretion to control what the public may be told. An advocate of bigger defense budgets and a supporter of president Ronald Reagan, Morison contended that he sent the magazine satellite photos, which showed the first Soviet nuclear aircraft carrier under construction at a Black Sea shipyard, primarily because he was interested in publicizing the Soviet threat. He was sentenced to two years in prison. Under the Justice Department's computer espionage proposal, it could be even more dangerous to take the secrets from a computer than to get them on paper. The bill would make it a crime to pluck from a computer any "classified" information, even items stamped secret, because disclosure would be embarassing. That is a much broader category than documents "relating to the national defense." Halperin said that the ACLU would strongly oppose any such change in the law. "Given the amount of information that is classified and the degree to which debate in the United States depends on that information, we have consistantly oppsed criminalizing access to classified information by private citizens, except where it involves transfer to foreign powers," Halperin said. Justice Department official acknowledged that their proposal would cover whistle-blowers and journalists. "No one considered that in the drafting of it," said Grace L. Mastalli, special counsel in Justice's Office of Policy Development. But she said it was "probably not possible to narrow it without destroying the purpose of the bill." - -*-*-*-*-*-*-*-*-*-*-*-*-*-*- "Posterity, you will never know how much it cost... ...to preserve your freedom! I hope you make good use of it" -- John Adams "Punish the guilty ... and keep the innocent nervous" -- Judge Dread, 2000AD ------------------------------ Date: Mon, 09 Jul 90 10:08:00 -0400 From: Arthur Gutowski Subject: re: mainframe attacks (a correction) The quote I posted in V3 #120 is actually from Gene Spafford, and goes: "The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined vault with armed guards -- and even then I have my doubts." Rollo Rogers sends me another gem: "100% system security = 100% non production." It's a rough world out there. Regards, Art ------------------------------ Date: 09 Jul 90 16:53:48 +0000 From: Leila Burrell-Davis Subject: Problems with McAfee's VSHIELD and MS Word (PC) I have experienced problems with PS/2-50's running VSHIELD versions 62B and 64 when using Microsoft Word v5 and the PS/2 mouse. The machine frequently hangs up. Sometimes the mouse cursor continues to move and CAPSLOCK, etc., lights go on working, in which case the machine can be reset using CTL/ALT/DEL. On other occasions, there is no keyboard or mouse response and the machine has to be turned off. The problem can be made to occur quite quickly by using the mouse to control Word. This happens with no other TSRs loaded other than VSHIELD and does not happen when it isn't loaded. Has anyone else experienced these problems? - -- Leila Burrell-Davis, Computing Service, University of Sussex, Brighton, UK Tel: +44 273 678390 Fax: +44 273 678470 Email: leilabd@syma.sussex.ac.uk (JANET: leilabd@uk.ac.sussex.syma) ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 121] ******************************************