From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V3 #158
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Tuesday, 18 Sep 1990    Volume 3 : Issue 158

Today's Topics:

Re: EEPROM BIOS (PC)
Re: SCANRES (PC)
The Telecomm Virus (PC)
Re: OS/2 Viruses (OS/2)
Measuring the Spread of Viruses
Re: Who should get what viruses
Re: Anti-virus viruses
Re: Whale Virus Information (PC)
1559 virus, Drew U. has been hit (again) (PC)
Whale virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.

Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    17 Sep 90 14:22:03 +0000
From:    sci34hub!gary@uunet.UU.NET (Gary Heston)
Subject: Re: EEPROM BIOS (PC)

I might point out that all systems using shadow RAM can effectively update their BIOS upon boot-up, by simply overwriting the shadowed code. If the shadow areas are not write protected, any virus could infect them. The images on disc would be subject to corruption, although possibly not infection (being a BIOS image, it'd probably not have a .COM or .EXE extension, so a virus probably wouldn't recognize it as infectable).

EEPROM might be a little safer, but not much.

- --
Gary Heston   { uunet!sci34hub!gary  }   System Mismanager
SCI Technology, Inc.  OEM Products Department (i.e., computers)
"The esteemed gentlebeing says I called him a liar. It's true, and I regret that."
    Retief, in "Retief's Ransom" by Keith Laumer.

------------------------------

Date:    Mon, 17 Sep 90 10:52:52 -0500
From:    David Lemson
Subject: Re: SCANRES (PC)

In a message of Fri, 14 Sep 90 09:14:40 -0500, Jon Loux writes:

>I can't seem to find a copy of McAfee's resident scanning program (SCANRES)
>for evaluation.  It is not on SIMTEL20.
>Does anyone know if it is still available?  And if so, from where?

A few versions ago, John McAfee replaced SCANRES (which had some TSR conflicts and generally didn't do a wonderful job in some instances) with a new program called VSHIELD. Look for a VSHIELD with the same version as the current SCAN on SIMTEL20. As of about a week ago, the place to look on Simtel is:

PD1:VSHLD66.ZIP

That's the most current version last time I checked. Another plus about VSHIELD is that it will scan your system files on each bootup. It takes under 10K of RAM.

David Lemson
d-lemson@uiuc.edu

------------------------------

Date:    17 Sep 90 12:20:00 -0500
From:    "55SRWLGS" <55srwlgs@sacemnet.af.mil>
Subject: The Telecomm Virus (PC)

Got an interesting ad in today's mail. The flyer, from 1st Defense Anti-Viral Systems of Broadview Heights, Ohio, announces the discovery of a virus which uses the modem on your PC to run up your phone bill. They call it the Telecomm Virus (V92), and remark that it "has not previously been reported in 'the literature'". Fortunately, it was discovered in Texas by two individuals who, fortunately, had a copy of the 1st Defense package, available for just $59.95 (no doubt reduced from the list price of $60.00 :+} ), Ohio residents add 7%.

Isn't it nice how the folks who discovered this new virus just happened to have the correct anti-viral program loaded?

Anyone want to buy some underwater real estate in Florida? Alligators included at minimal extra cost.

Frank Starr
nom de guerre: Godfrey Daniels
55srwlgs@sacemnet.af.mil

------------------------------

Date:    17 Sep 90 18:18:18 +0000
From:    eli@smectos.gang.umass.edu (Eli Brandt)
Subject: Re: OS/2 Viruses (OS/2)

0003158580@mcimail.com (William Hugh Murray) writes:

>>Does anybody know something about OS/2 viruses ?
>
>I hope that there is nothing to know.  I suspect that the population
>of instances of OS/2 is still far too small to support successful
>viruses.
>
>>Will there be new possibilities to transport and/or hide
>>viruses?
>
>In all likelihood.  OS/2 is significantly richer and more complex
>than DOS.  For the moment it is also much more obscure.
>
>>Has anybody already proved that there are new mechanisms
>>possible,
>
>Not to my knowledge, but nothing would surprise me.
>
>>and if so: What can be done against them ?
>
>A great deal.  The 80386, which OS/2 requires, provides multiple
>states of privilege.  Thus, there can be mechanisms for fighting the
>virus which the virus cannot see.  Such mechanisms can be much more
>effective than those that we have in the 808X based systems.

The protection of "protected mode" could cut both ways, however. Although it would be harder for a virus to gain access to a system, it would also be harder to detect and kill. You can't scan memory for a virus if you get nailed by a segment violation whenever you look outside your own data. The only way to look for a virus would be to ask the OS about it, and if a virus has tinkered with the OS, you're in trouble.

Hopefully manufacturers will make incompatible machines which look the same to legitimate programs (because the OS handles everything) and viruses will die out of sheer UN*X-style hardware-base fragmentation.

[ sig deleted ]

------------------------------

Date:    Mon, 17 Sep 90 17:30:05 +0000
From:    yamauchi@heron.cs.rochester.edu (Brian Yamauchi)
Subject: Measuring the Spread of Viruses

Has anyone done any work on measuring the degree to which viruses (as a whole or as individual strains) have spread throughout the population of personal computers? This could be done either by collecting statistics on the number of reported cases or, more elaborately, sending out surveys to various sites (academic/commercial/government) and individual users (e.g. subscribers to various magazines).

There is a tendency among naive users to blame every occurrence of unusual system behavior on "a virus". I'm curious to what extent this is a reasonable response to the current level of virus infestation and to what extent this is just paranoia (or perhaps hypochondria).

It would be interesting to track the growth in the number, type, and capabilities of viruses as a function of time. I can remember listening to a talk on viruses as an undergrad (circa 1985) in which viruses were basically academic curiosities as *potential* future threats to security -- for better or for worse, we've come a long way in a short time...

_______________________________________________________________________________
Brian Yamauchi                            University of Rochester
yamauchi@cs.rochester.edu                 Computer Science Department
_______________________________________________________________________________

------------------------------

Date:    Mon, 17 Sep 90 16:46:35 -0400
From:    David Barr
Subject: Re: Who should get what viruses

WHMurray@DOCKMASTER.NCSC.MIL says:

>Given the number of existing copies of Jerusalem B, I would likely
>give copy to almost anyone who asked for it.  My giving a copy of such
>a successful virus, overtly and patently, to someone who asks for it
>is not likely to have any substantial effect on the size of the
>population of such copies, regardless of how they dealt with it.

What are the criteria of an 'out of control' virus? Should one take the same point of view with the common cold? "It's out of control so I don't care who I give it to?"

>I do not exercise any real control over Jerusalem B; it is out of
>control.

Who's to say Jerusalem B in particular is out of control? Many viruses are contained in a relatively small geographic area. Spreading them around, no matter how prevalent in that one area, seems foolish to me. Last year, our labs had an epidemic of WDEF (Mac), and we had cases for months, until all the users' disks were cleaned out. Now we've been going for months with very few re-infections. What was once a 'common' virus can be a rare one in months, with the right detection software.

/ David Barr                   | Penn State CAC Student Consultant
| DSB100@psuvm.psu.edu         | dsbarr@endor.cs.psu.edu
|  --- Trim that .sig!! ---    | barr@barrstl.scol.pa.us

------------------------------

Date:    18 Sep 90 02:57:23 +0000
From:    landman@hanami.Eng.Sun.COM (Howard A. Landman)
Subject: Re: Anti-virus viruses

I am not arguing in favor of AVVs, but have a few technical ideas to throw out for discussion:

One method of limiting the risk of an AVV would be to make it spread more rapidly where there are other viruses than where there are not. For example, the virus could award itself "food points" every time it "eats" a bad virus, and require a certain number of points before it attempts to replicate. The copy, of course, starts life with no food points ...

This way, the AVV would be almost unable to spread among systems which were apparently clean, but would spread rapidly in an obviously sick environment. This property could be quite useful in focusing the concentration of the AVV to where it was needed the most.

Many variants of this scheme are possible. For example, the virus might split food points with its copy, but then lose a point every time it runs and there's nothing to disinfect. Eventually it could "starve" and remove itself.

If the virus was on read-only media, and hence unable to accumulate food points, it could replicate with a low probability each time it ate something, giving much the same effect as saving up points.

Another safety feature would be to publish all the information needed to recognize and disinfect the virus, a few months before releasing it. That way no one who didn't want it, and who already had means of virus protection, would have to have it. A polite AVV might ask before committing suicide, so the user had the choice of some other software to do the job.

- --
Howard A. Landman
landman@eng.sun.com -or- sun!landman

------------------------------

Date:    18 Sep 90 03:32:35 +0000
From:    landman@hanami.Eng.Sun.COM (Howard A. Landman)
Subject: Re: Whale Virus Information (PC)

portal!cup.portal.com!Alan_J_Roberts@Sun.COM writes:

>This is a forward from John McAfee:
>
>        I'm afraid this virus represents a new and nasty turn in the
>evolution of viruses.  Of the more than 9,000 bytes of code in the
>virus, more than 7,000 bytes appear to be dedicated solely to avoiding
>detection and removal.  It seems fairly effective.

Computer "organisms" have always had the potential to alter their own "genetic code" at will. Encryption is far easier than changing DNA to something else.

How complicated and effective does a "virus" have to be before you call it a bacterium? And have we yet seen the computer equivalent of a multicellular organism (maybe the Internet worm?)? (Only in a multitasking OS, of course ...) Will the future bring a "social insect", identical programs operating cooperatively, ant-like, on multiple nodes of a large network, seeking storage space and CPU time for their own ends?

I wonder what fraction of the human genetic code is "dedicated solely to avoiding detection and removal"? Perhaps as much as that dedicated to avoiding starvation, or failure to reproduce.

- --
Howard A. Landman
landman@eng.sun.com -or- sun!landman

------------------------------

Date:    Mon, 17 Sep 90 20:58:00 -0400
From:    Paul Coen
Subject: 1559 virus, Drew U. has been hit (again) (PC)

Yes, Drew University has had a problem with the 1559 (1554?) virus. We found it last March/April, and managed to get rid of some infected programs. Just today (Monday, 17-Sep), one of our freshpersons came down to the computer center. Her computer wouldn't boot off the hard drive. After a few minutes of realizing that there was some kind of very, very strange problem, I Viruscanned the drive. Of course, 1559 was found on it. She had been given the virus by an unwitting Sophomore, who had gotten it from his roommate, who might've picked it up from somewhere else. We've found at least four generations (of users) who have it. We have no idea how far it has spread.

Our informal survey showed that only 25-30% of the campus bothered to check their disks for the virus. Part of that was the fact that users a) don't understand viruses -- they don't WANT to understand them and b) they're so amazingly apathetic.

Right now we're trying to assess just how badly we were hit. One saving point, from a detection standpoint, is that if the virus is interfering with disk writes, it eventually nails the boot sector, making the hard drive unbootable, but accessible after a floppy boot. Zenith MS-DOS writes the current time and date to the boot sector every once in a while; I don't know if other DOS versions do this.

Anyway, Academic Computing is now in the position of saying "I told you so," since others (other depts., administrators, etc.) thought the problem was gone. Hopefully, some of the things that should have been done the first time will happen now.

------------------------
The preceding may not even be my opinions, never mind Drew U.'s

Paul Coen -- Drew University Academic Computer Center
pcoen@drunivac.bitnet      pcoen@drunivac.drew.edu

------------------------------

Date:    Tue, 18 Sep 90 10:51:04 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Whale virus (PC)

More about the 'Whale' virus....

John McAfee is correct in saying that the signature string I posted recently will not detect all infected files - it will only detect the first few generations, before the virus starts to mutate.

I have not observed some of the more unusual things reported regarding this virus - the ability to modify other viruses for example. The virus may be related to the 'Fish' variant of 'Frodo', but as far as I know this relationship is only a speculation.

One interesting item, though - hidden within the virus, under three levels of encryption, is the following string

        THE WHALE IN SEARCH OF THE 8 FISH
        I AM '~knzyvo}' IN HAMBURG addr error D9EB,02

The following (anonymous) note was posted on the VIRUS ECHO on Fidonet - rather interesting....

    If you have the motherfish, you are entitled to an explanation...when we discovered the motherfish, the decision was made to disavow its existence and any public comment on it was prohibited...the file was never made available through normal distribution based on two findings 1. the virus can not be detected by present methods 2. the virus is modularly constructed to allow it to "learn" the methods used to detect it, and then integrate this coded thought into its arsenal of defense mechanisms.........the motherfish is not just a virus, it is a virtual living, breathing entity that is capable of teaching itself its pursuers' techniques and then increasing its code level sophistication as its environment becomes increasingly hostile...this characteristic made it imperative that distribution be kept at an absolute minimum...it would be appreciated if you kept that in mind.
Saying that 'the virus can not be detected by present methods' is not 100% correct - McAfee has already announced a detector and disinfector and I am working on another myself - it will be included in version 1.14 of F-PROT.

- -frisk

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 158]
******************************************
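Fridrik Skulason's point above, that a plaintext signature string catches only the first few generations of Whale before it starts to mutate, and that strings inside it sit under three levels of encryption, is easy to reproduce on an inert sample. The following Python is an added example for this page and is not code from VIRUS-L, from F-PROT or from McAfee's scanner. BODY is a constructed byte string standing in for a virus body, the "decryptor stub" is a made-up prefix, and single-byte XOR under a key that changes each generation is an assumed stand-in cipher, not Whale's actual mechanism.

```python
"""Signature scanning against a sample that re-encrypts itself each generation.

Added example for this page; not code from VIRUS-L, F-PROT or SCAN. BODY is
an inert constructed byte string standing in for a virus body, and the
cipher (single-byte XOR under a key that changes per generation) is an
assumption chosen for illustration, not Whale's real mechanism.
"""

# Constructed plaintext body; a scanner would take its signature from this.
BODY = b"\xb8\x00\x4c\xcd\x21" + b"SAMPLE-MARKER-TEXT" + b"\x90" * 16

# Signature extracted from the plaintext body, the way a vendor would do it.
SIGNATURE = b"SAMPLE-MARKER-TEXT"

# Constructed "decryptor stub": a fixed prefix followed by the key byte.
STUB_PREFIX = b"\xeb\x01\x90"
STUB_LEN = len(STUB_PREFIX) + 1


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the data."""
    return bytes(b ^ key for b in data)


def make_generation(n: int) -> bytes:
    """Emit generation n of the constructed sample.

    Generations 0 and 1 carry the body in clear (the "first few generations"
    a plaintext signature still catches); from generation 2 on the body is
    XOR-encrypted under a key derived from n, so no two generations share
    the same bytes beyond the stub.
    """
    key = 0 if n < 2 else ((0x5A * n + 0x33) & 0xFF or 0x01)
    return STUB_PREFIX + bytes([key]) + xor_bytes(BODY, key)


def scan_signature(sample: bytes) -> bool:
    """Naive scanner: match the plaintext signature against the bytes on disk."""
    return SIGNATURE in sample


def scan_with_key_stripping(sample: bytes) -> bool:
    """Scanner that strips one layer of single-byte XOR before matching.

    It ignores the key byte the stub carries and sweeps all 256 keys over the
    encrypted region, so it still works if the stub layout changes or lies.
    """
    payload = sample[STUB_LEN:]
    return any(SIGNATURE in xor_bytes(payload, k) for k in range(256))


def layered_xor(data: bytes, keys: list) -> bytes:
    """Apply several constant-key XOR layers in sequence.

    Caveat this exists to show: constant single-byte XOR layers compose into
    one layer under key k1 ^ k2 ^ k3, so the same 256-key sweep strips all of
    them at once. Stacking layers only helps if a layer varies by position or
    depends on something the scanner cannot reproduce.
    """
    out = data
    for k in keys:
        out = xor_bytes(out, k)
    return out


def survey(max_gen: int) -> dict:
    """Which generations (0 .. max_gen-1) each scanner flags."""
    gens = [make_generation(n) for n in range(max_gen)]
    return {
        "naive": [n for n, g in enumerate(gens) if scan_signature(g)],
        "key_stripping": [n for n, g in enumerate(gens)
                          if scan_with_key_stripping(g)],
    }


if __name__ == "__main__":
    print(survey(6))  # naive stops at generation 1; key stripping finds all six
```

Running it shows the naive scanner flagging generations 0 and 1 only, while the key-stripping scanner flags all six. The point for a practitioner is the one frisk makes: a signature taken from an early generation is a signature of the plaintext, and once the body is stored encrypted the scanner has to undo the cipher (here, brute-force the key) or match on the decryptor itself. The `layered_xor` helper records the caveat that several layers of constant XOR are no stronger than one.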
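Howard Landman's "food points" rule for an anti-virus virus, earlier in this digest, is concrete enough to simulate. The following Python is an added model written for this page, not code from the poster or from any real AVV. It implements only the rules he sketches (a point per bad virus eaten, a threshold before replicating, a copy that starts with no points, a point lost on every run with nothing to disinfect, self-removal on starvation, and the split-points variant). The population size, the way the bad virus spreads between hosts (`spread`), and the parent spending its points when it replicates are assumptions made to keep the model small.

```python
"""Toy simulation of the "food points" replication rule for an anti-virus
virus (AVV).

Added model for this page, not code from the poster or from any real AVV.
The rules are the ones sketched in the thread: an AVV earns a point each
time it eats a bad virus, may only replicate once it holds `threshold`
points, its copy starts with no points, it loses a point every run that
finds nothing to disinfect, and it removes itself once it starves. The
population size, how the bad virus spreads between hosts, and the parent
spending its points when it replicates are assumptions made to keep the
model small.
"""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Host:
    infected: bool                 # carries a bad virus the AVV can eat
    avv: Optional[int] = None      # None: no AVV present; else its food points


@dataclass
class Rules:
    threshold: int = 3             # points needed before an AVV may replicate
    starve_loss: int = 1           # points lost on a run with nothing to eat
    split_with_copy: bool = False  # variant: give the copy half the points
    spread: float = 1.0            # assumption: chance a clean host is
                                   # reinfected per tick while any host is infected


def run_avv(hosts, rules, rng):
    """Every AVV present at the start of the tick runs once on its host."""
    order = [i for i, h in enumerate(hosts) if h.avv is not None]
    rng.shuffle(order)
    for i in order:
        h = hosts[i]
        if h.infected:
            h.infected = False        # eats the bad virus ...
            h.avv += 1                # ... and earns a food point
        else:
            h.avv -= rules.starve_loss
        if h.avv < 0:
            h.avv = None              # starved: removes itself
            continue
        if h.avv >= rules.threshold:
            targets = [j for j, t in enumerate(hosts) if t.avv is None]
            if not targets:
                continue              # nowhere left to copy to; keep the points
            j = rng.choice(targets)
            if rules.split_with_copy:
                hosts[j].avv = h.avv // 2
                h.avv -= hosts[j].avv
            else:
                hosts[j].avv = 0      # the copy starts life with no points
                h.avv = 0             # assumption: the parent spends its own


def spread_bad_virus(hosts, rules, rng):
    """Crude contagion: while anything is still infected, each clean host
    catches the bad virus with probability rules.spread (a fully mixed lab)."""
    if any(h.infected for h in hosts):
        for h in hosts:
            if not h.infected and rng.random() < rules.spread:
                h.infected = True


def simulate(n_hosts, n_infected, ticks, rules=None, seed=1):
    """Seed one AVV with zero points on host 0 and return summary counts."""
    rules = rules or Rules()
    rng = random.Random(seed)
    hosts = [Host(infected=(i < n_infected)) for i in range(n_hosts)]
    hosts[0].avv = 0
    max_avv = 1
    for _ in range(ticks):
        run_avv(hosts, rules, rng)
        spread_bad_virus(hosts, rules, rng)
        max_avv = max(max_avv, sum(h.avv is not None for h in hosts))
    return {
        "max_avv": max_avv,
        "final_avv": sum(h.avv is not None for h in hosts),
        "final_infected": sum(h.infected for h in hosts),
    }


if __name__ == "__main__":
    print("clean lab:", simulate(40, 0, 30))   # the lone AVV starves at once
    print("sick lab: ", simulate(40, 40, 30))  # spreads, cleans, then starves out
```

With `spread` at 1.0 the run is deterministic and shows both properties Landman claims: in a clean lab the seeded AVV has nothing to eat on its first run and removes itself without ever replicating; in a fully infected lab it doubles every `threshold` ticks until every host carries a copy, cleans the population, and then the whole AVV population starves out within a few ticks. Lowering `spread` makes reinfection probabilistic, and the model then also exposes the weakness of the scheme as stated: a copy that lands on a clean host dies on its first run, and an AVV that has just cleaned its own host dies unless that host is reinfected quickly.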