From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V3 #132 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Friday, 27 Jul 1990 Volume 3 : Issue 132 Today's Topics: Magazine Spreads Killer (PC) Netware and Viruses (PC) PCToday/40K Copies of Disk Killer (PC) Source vs. Binary (UNIX & general) Re: Fooling checksums Removal of Stoned Virus (PC) NetWare and Virus (PC) Periodic infection reports on VALERT-L VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Thu, 26 Jul 90 17:06:29 +0100 From: Robin Becker Subject: Magazine Spreads Killer (PC) The Independant Newspaper reported on 24'th. that a giveaway disk distributed with the August issue of PC Today magazine was infected with a virus called OGRE. Suppliers and publisher were said to be `concerned' and trying to recall the issue. Sure enough I chanced to find a copy today. I warned the store. Using scan reveals that the giveaway is infected with killer virus, (a boot infector). I find that the June issue gave away scan or something similar so the publishers probably don't use their own freebies. Old adage "Beware of Greeks bringing gifts". Robin Becker ------------------------------ Date: Thu, 26 Jul 90 15:28:00 -0400 From: WHMurray@DOCKMASTER.NCSC.MIL Subject: Netware and Viruses (PC) It is clear that a virus executed on a net connected workstation can infect the workstation. It is clear that a virus executed on a server can infect the both the server and the attached workstations. It is clear that a virus executed on a workstation with privileges to write to programs on the server can infect those programs and thus other workstations. It is UNLIKELY that a virus executing on the workstation BUT without privileges to write to the server can infect the server. Jon David seems to suggest that this happened (otherwise why would this be interesting). It sounds as though he has evidence that files on the server were infected. It sounds as though netware was infected. Since no one on a workstation should have the privilege of writing to netware, this suggests that the virus may have executed on the server. What evidence is there that the server was infected by a virus executing on a workstation and without the privilege to write to the server? William Hugh Murray, Executive Consultant, Information System Security 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL [Ed. See followup below.] ------------------------------ Date: Thu, 26 Jul 90 15:33:00 -0400 From: WHMurray@DOCKMASTER.NCSC.MIL Subject: PCToday/40K Copies of Disk Killer (PC) Viruses are succesful enough spreading under their own power from one machine to another, thank you very much. They do not need any help. People who intend to ship tens of thousands of copies of the same floppy have a SPECIAL OBLIGATION to ensure that they are clean. William Hugh Murray, Executive Consultant, Information System Security 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL ------------------------------ Date: Thu, 26 Jul 90 15:21:30 -0500 From: m19940@mwvm.mitre.org (Emily H. Lonsford) Subject: Source vs. Binary (UNIX & general) The source code attack described by Vladis Kletnieks in V3 #130 was the subject of a lecture and article by Ken Thompson. It was titled "Reflections on Trusting Trust," the 1983 Turing Award Lecture, and was printed in the CACM in August 1984. It was reprinted this year in UNIX Review, but I forget which issue. It should be required reading for everyone on this list. K.T. called it "the cutest program I ever wrote." It's interesting that it first appeared in 1983... seven years ago. "Those who cannot remember history are condemned to repeat it." G. Santayana * Emily H. Lonsford * MITRE - Houston W123 (713) 333-0922 ------------------------------ Date: Thu, 26 Jul 90 17:06:15 -0400 From: Dmitri Schoeman Subject: Re: Fooling checksums I have certainly learned my lesson about leaving ambigious messages...What I was responding to was an idea for a virus checker which performs checksums, or other like tests to make sure it has correctly identified a virus. I was saying that a virus could fool the virus tester into not being able to definitivly identify it because it would change one (or more) of its non executing code, thus "outsmarting" the virus checker. However this would also make the virus easier to detect because the crc of the file would change each time you ran the program (or on a preset date...) When people always talk about an anti-virus program restoring the first few bytes of the program in order to restore it, what if a virus also infects a random (or predefined for that matter) part of the code by overwriting it with killer code? - -----Dmitri Schoeman ------------------------------ Date: 27 Jul 90 08:44:46 -0400 From: Steve Albrecht <70033.1271@CompuServe.COM> Subject: Removal of Stoned Virus (PC) > From: Yavuz Selim KOMUR > Subject: Stoned Virus Clear (PC) > > Hello Virus networker. > We have Stoned virus in PC. How I clear virus it from partion > table. I tried to format hard disk two times, but I couldn't > successfull. Thank for your comments. > > Yavuz. Yavuz, In response to an occurrence of the Stoned virus in India and at our headquarters here in Rhode Island, the following are procedures which we directed our MIS personnel to use to remove the Stoned virus. The Stoned virus (or the New Zealand virus) resides in the partition table (reference: The PC Virus Control Handbook, p. 48, International Security Technology, Inc. p. 48). If an infected floppy diskette is used to boot a machine, the virus will copy itself into the partition table on the hard disk of the computer, regardless of whether or not the floppy diskette is a system diskette or not. If a hard disk is infected with this virus, the partition table of any DOS formatted diskette will be subsequently infected if it is accessed after a normal hard drive boot. The virus sits in the first physical sector on the hard disk and the first physical sector on a floppy disk. The text strings "Your PC is now Stoned" and "LEGALISE MARIJUANA" will reside in the partition table. Use a utility such as NORTON UTILITIES, ADVANCED EDITION, to search for the text strings in Side 0, Cylinder 0, Sector 1 (in Absolute Sector mode) of the hard disk, or a floppy disk. On a floppy disk the first physical sector is also the first logical sector, which is also occupied by the boot track. The partition table and the boot track on a floppy disk are effectively the same thing. On a hard disk, the first physical sector (occupied by the partition table) and the first logical sector (occupied by the boot track) are two very different sectors. Because the virus resides in the first physical sector of a hard disk, DOS FORMAT.COM will not destroy it. FORMAT.COM works on the logical drive, not the physical drive. Furthermore, DOS FDISK.COM will not remove the virus in all cases. I experienced one case where FDISK did overwrite the virus, but two cases where it did not. USE DISK MANAGER TO LOW-LEVEL FORMAT, RE-PARTITION, AND HIGH-LEVEL FORMAT THE HARD DISK. Low-level formatting the hard disk and re- writing the partition table will remove the virus. SPINRITE may be equally effective, but I have not yet tested it. (Note: There may be other equally effective utilities for a low-level format, and for writing a new partition, but these are the tools which our MIS personnel have.) It is also possible to repartition the hard disk with DISK MANAGER, overwriting the partition table and the virus with a new partition table WITHOUT destroying the contents of the hard disk. I have done this only once, and I cannot say that this operation will work in every case or will overwrite the virus in every case, but it is certainly worth a try. However, YOU MUST HAVE a current backup available in case this fails AND YOU MUST BE ABLE to check the partition table after the operation to make certain that the repartitioning alone overwrites the virus. Because the virus resides in the first logical sector on a floppy disk, it is important that you not backup the hard disk with DOS. A DOS backup disk will have a DOS format, meaning that the partition table and boot track are created by DOS. If this format is created from a computer where the hard disk is infected with this virus, the partition table and the boot track on the diskettes will be infected. Thus, if one of these diskettes is used to boot a machine by accident, the partition table on the hard disk will be reinfected. It is unlikely that the partition table on the hard disk will be reinfected by a restore operation alone, but DO NOT TAKE THE CHANCE WITH DOS UNLESS IT IS THE ONLY BACKUP METHOD AVAILABLE. Making a backup with FASTBACK will not create infected diskettes, because FASTBACK does not use a DOS format. Thus, restoring a hard disk backup, created with FASTBACK while the partition table was infected, presents no danger of reinfecting the hard disk. I hope that this has been helpful, and I also welcome comments from others concerning procedures to remove the Stoned virus. Steve Albrecht MIS Field Services PLAN International 70033,1271@compuserve.com ------------------------------ Date: Fri, 27 Jul 90 10:36:00 -0400 From: WHMurray@DOCKMASTER.NCSC.MIL Subject: NetWare and Virus (PC) Well, we seem to have a problem here. The posting by Jon David suggests that the virus executes on the workstation, has no WRITE privilege to the server, but infects programs on the server. By private email to me, Jon confirms that that is what he intended to say. He describes to me the test that he conducted; it sounds convincing. He asserts that Novell representatives have seen the demonstration. On the other hand, the posting to this list by Novell clearly states that the the workstation must have rights to write and modify the file. It seems to me that someone is in error. If David is correct, then, not only do we have a small virus problem, but we have a very large NetWare security problem. It would be interesting to know whether the virus simply writes to the server, or whether it contains some overt mechanism to disable, subvert, or otherwise bypass NetWare security. William Hugh Murray, Executive Consultant, Information System Security 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL ------------------------------ Date: Thu, 26 Jul 90 15:47:49 -0400 From: Kenneth R. van Wyk Subject: Periodic infection reports on VALERT-L After my posting about whether or not to post infection reports and how much to report, I got a lot of feedback from quite a few people. First of all, thanks to all those who took the time to write! Based on the feedback, here's what I propose to do, bearing in mind that all of this is subject to my time constraints (i.e., I don't have the luxury of being able to devote a whole lot of time to this) - and the approval of the readers: In addition to the virus infection reports that we currently receive on VALERT-L (which will continue, moderated on demand), I receive a fair number of infection reports. I will log these reports and periodically (once a week or so, as demand dictates) put out a summary of recent infections to VALERT-L. The reports will contain the names of the specific virus(es) and the geographic location of the infections. However, the postings will only contain reports that are "new" - meaning, for example, new sightings of viruses in places where they have not yet appeared. The information that I receive will be verified by telephone whenever possible (or noted that verification was not possible) and will ONLY be reported by permission. A number of people indicated that this sort of information would be useful to system administrators to serve as a warning of infections in their area, as well as to researchers who are doing statistical analyses, etc. As always, your comments and suggestions are welcomed. Ken van Wyk ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 132] ******************************************