From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V3 #124 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Friday, 13 Jul 1990 Volume 3 : Issue 124 Today's Topics: WARNING Jerusalem B on Novell LANs (PC) Need Info on Novell & Viruses (PC) "Invisible Virus Cruncher" (PC) Virsuses on Novell (PC) Ping-Pong Virus Crashing Hard Drives (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Thu, 12 Jul 90 15:09:24 -0400 From: "Kenneth R. van Wyk" Subject: WARNING Jerusalem B on Novell LANs (PC) VALERT-L/VIRUS-L Readers: CERT/CC received the following email message from Jon David, an independent security consultant in the New York area. The message details a PC virus which apparently infects Novell LANs - regardless of Novell file protections. The virus has a trigger date of Friday the 13th. Also included here is a (typed in) FAX message from Novell Vice President, Richard King, which presents Novell's official stance on this issue at this time. Mr. King's message was sent over Novell's NetWire messaging system. Please read both messages, as they present differing viewpoints, and then draw your own conclusions. IT IS IMPORTANT TO NOTE THAT THE EXTENT OF THIS VIRUS IS AS YET UNKNOWN. Therefore caution, not panic, is advisable. Scanners that detect the Jerusalem B virus may be effective at finding infections of this virus. Infected files should be deleted and restored from trusted backups (such as original write-protected distribution disks). Regards, Ken Kenneth R. van Wyk Technical Coordinator, Computer Emergency Response Team Software Engineering Institute Carnegie Mellon University cert@CERT.SEI.CMU.EDU (monitored during business hours) (412) 268-7090 (answers 24 hour a day) ===== Date: Thu, 12 Jul 90 From: Jon David Subject: LAN virus!!! I received a call recently from an authorized Novell distributor about what looked to them like a LAN virus. It sounded to me like a Jerusalem B, and I gave them what help I could over the phone regarding proper treatment. They, in turn, send me diskettes with infected files. Of 14 files, all .EXE, 1 was a DOS utility, 3 were Norton Utility programs and the remaining 10 were NetWare programs which shouldn't have been open to public access. The infected system was running NetWare 2.15. All 14 of the files were identified as 1813 by IBM's scanner, and as Friday the 13th - Version 1 by DDI's VIRHUNT. In cooperation with Jay Nickson, author of Quarantine (a LAN anti-virus product) and Greg Drusdow (president on NUI - NetWare Users International), I today started testing the virus under NetWare 2.15C. (The system, and a ton of support, was provided by Novell.) The virus infects both EXE and COM files, adding a bit more than 1800 hundred bytes to their length. It will reinfect both types. (One file on the disks I received had been infected 56 times.) It is a TSR that hooks INT 21 if loaded before the LAN TSRs, and both 21 and 08 if loaded after. It will Alter date-time stamps locally or on the server, even if rights to do so have not been granted. Increase file lengths locally or on the server, even if rights to do so have not been granted. Delete, on being triggered, any EXE or COM invoked for execution before execution (Bad Command of file name message ... Note upper case "C" in Command) locally or on the server, even if rights to do so have not been granted. THE VIRUS WILL TRIGGER ON FRIDAY, 7/13/90 !!!!! No testing has been done on NetWare versions other than 2.15C. It is a pure guess as to the virus having the same effect on other versions. ALL USERS OF ALL NETWARE VERSIONS ARE URGED TO ADVANCE THEIR SYSTEM DATE TO 7/14/90 AT THE END OF SYSTEM USAGE - BOTH SERVERS AND NODES - ON 7/12/90. CHKDSK can be used at nodes after booting and before and after program execution to indicate loss of available RAM or disk space (on dates other than 7/13/90); on 7/13 (A DATE WHICH SHOULD NOT BE THERE FOR ANY NETWARE SYSTEMS!!!) the Bad Command or file name message should have you calling for immediate help/shutting your system down/notifying other LAN users/etc. Novell technical personnel and all levels of management are completely involved in the further analysis and treatment of this problem. Both NUI and Novell will be sending out appropriate notices on this matter today, and both are doing everything I could think of in both technical and administrative areas. While Jay, Greg and I are, and for some time will be involved in further analyses and treatments, I hope further information will be forthcoming from official/proper channels. (As I can't say other NetWare versions are likely targets or are exempt, neither can I say either for other network operating systems. I personally urge all LAN and stand-alone PC users to advance their system dates on 7/12 - today - to 7/14; it's not nice having a virus do your disk cleanup for you.) Jon David ===== NetWire Message July 12, 1990 NetWare Users International (NUI) with the support of Novell has conducted tests that have concluded that a variant f a Jerusalem B computer virus has been discovered in at least one NetWare user site. The virus infects DOS executable files. In order to be exposed to the virus one must import an infected DOS program from the outside. NETWARE FILES ARE NOT INFECTED AS THEY SHIP IN THE RED BOX FROM NOVELL. The virus operates as a TSR. Once an infected program is run at a DOS PC, the virus takes residence in the PC memory as a TSR. Subsequently, the virus, upon executing any other DOS program on the PC, will attempt to infect the disk resident copy of that program. The infection can occur on local drives as well as network drives provided the workstation has appropriate acess rights to write and modify the file. Files on network operating systems other than NetWare could also be infected by this virus. Files infected with the virus will show an increase in size of about 1800 bytes. The real negative effects of the virus will not show itself until certain preprogrammed dates. One confirmed date is July 13, 1990. There is a risk that an infected workstation will delete program images on disk that are requested for execution on that date. A "Bad command or file name" message will result. Under NetWare, the SALVAGE command will restore a deleted file if executed properly. If infection is suspect, it is recommended that you advance the server system date at the close of the working day of July 12, 1990 to July 14, 1990. It is also recommended that professional assistance be consulted. These facts and report were prompted by a report to NUI. Novell and NUI in their concern for responsible leadership felt it necessary to verify these conditions and notify its users so they could act accordingly. Richard King Vice President Novell, Inc. ------------------------------ Date: 11 Jul 90 16:31:49 -0400 From: Steve Albrecht <70033.1271@CompuServe.COM> Subject: Need Info on Novell & Viruses (PC) Can anyone assist me on where to find or who to contact for the following information: Viruses which infect the Novell Operating System and/or files located on a Netware file server. Circumstances under which an MSDOS virus (PC virus) can transfer to a Novell file server. Can this happen? How and under what circumstances? Utilities to monitor and/or scan for viruses on a Netware file server. Any help will be most appreciated. Steve Albrecht PLAN International [Ed. Funny you should ask...] ------------------------------ Date: Thu, 12 Jul 90 15:41:08 +0100 From: DEL2@phoenix.cambridge.ac.uk Subject: "Invisible Virus Cruncher" (PC) PC Business World for 3 July 1990 has an article entitled "Invisible Virus Cruncher". The text includes the following: "...the product, Immunizer, can stop all known viruses and even ones that have yet to be dreamed up. ...Immunizer is the only anti-virus product capable of actually defending itself against attack from the new strain of killer viruses...because it has several defence mechanisms, including the ability to reload itself from disc." It costs 98pounds; nothing is said about site licences. Phone no is +44-274-610503. Anyone know anything about it beyond this hype? Douglas de Lacey. ------------------------------ Date: Thu, 12 Jul 90 18:08:46 +0100 From: rick@wiau.medical-biophysics.manchester.ac.uk Subject: Virsuses on Novell (PC) This subject may have been flloged to death previusly, if so could someone send me a resume, otherwise:- Are files held on a novell fileserver as executae-only liable to be infected by virsuses. I use "scan" to check them before switching on the execute only mode, so feel reasonably sure they are ok when installed. I wish to stop users copying off the software, and this appears to be a very effective way of doing it. Netscan will not check these files becasue it does not have permission to open the files for reading. This prevents a problem in checking them further in the future. These files can not have the execute only mode removed, but can be overwritten by anybody with permission (which is set to only the supervisor). I feel this may generate much discussion, please send me a copy of any comments I will write a summary when a consensus had been reached. Thanks RICK DIPPER, Wolfson Image Analysis Unit, rick@uk.ac.man.mb.wiau Department of Medical Bio-Physics, University of Manchester 061-275-5158 ------------------------------ Date: Thu, 12 Jul 90 14:41:53 -0500 From: Lynne Meeks Subject: Ping-Pong Virus Crashing Hard Drives (PC) We have a version of the Ping Pong virus which infects Hard Disks, spreads via non-bootable as well as bootable disks, and cannot be successfully removed by the Sys command. Issuing a sys command results in a corrupted hard disk, in one case the FAT was completely mangled, in a second case the files appear to be intact but the hard drive will not boot- gives a "non-system disk or disk error". Reissuing Sys doesn't correct the situation, although it appears to have been successful.... The system with the corrupt files was identified as having the Ping Pong virus by Scan, the other system was not tested with any scanning software but appeared to at least emulate the symptoms of ping Pong. Anybody else heard of this bad Ping-pong? Any suggestions (short of reformatting the drives) for either prevention or cure? Thanks in advance for any ideas! Lynne Meeks University Computing Services University of Vermont lzm@uvmvm ------------------------------ Date: Fri, 13 Jul 90 11:56:18 +0100 From: "Pete Lucas" Subject: Changed checksums on boot sector? (PC) Hi. One of my colleagues has found that the checksum of the boot sector on his PC's hard-disk has changed...! None of the usual virus detecting programs report anything unusual, neither does there appear to be any change to any of the sizes of any of his other files, nor are there bad sectors on the hard disk. He suspects a boot-sector virus even though he has seen no symptoms of anything. Floppy disks used with his system are likewise apparently clean with no obvious infections/lost sectors. I suspect that someone may have done a SYS to his disk, with a different version of DOS. I guess there will be differences between 'Generic' MS-DOS and 'proprietary' IBM PC-dos even though they are functionally the same, and both DOS3.3's. Does this make sense, or should i start crawling through his boot sector and looking for nasties? Pete Lucas PJML@UK.AC.NERC-WALLINGFORD.IBMA 0793411613 ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 124] ******************************************