From:	   Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To:	   VIRUS-L@IBM1.CC.LEHIGH.EDU
Path:      cert.sei.cmu.edu!krvw
Subject:   VIRUS-L Digest V3 #159
Reply-To:  VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Wednesday, 19 Sep 1990    Volume 3 : Issue 159

Today's Topics:

Emulation?
redistribution of viruses.
V&S
anti-virus viruses (AVV's)
Stoned virus (PC)
Re: Measuring the Spread of Viruses
a long time ago (PC)
Mac misbehavior (Mac)
The Problem With Self-Limiting Viruses (was Re: Anti-virus viruses)
New viruses? (MAC)
Is there a LaserWriter attacking virus? (Mac)
Mac Anomolies with AppleShare & Ethernet (Mac)
AUTOEXEC.BAT (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    18 Sep 90 20:24:21 +1000
From:    c8847468@cc.nu.oz.au
Subject: Emulation?

	Just a small area for discussion, I don't know if it has been
discussed before, but what are the possibilities of a virus being
emulated? For example, if I have an IBM emulator on a Macintosh, could
the emulator on the Mac generate code for the equivalent interrupts?
I know this would be more cumbersome than the IBM equivalent, but still
is it possible?
			Jonathan Coombes

jcoombes@nucs.nu.oz.au
University of Newcastle
Australia

------------------------------

Date:    Mon, 17 Sep 90 15:49:47
From:    <smith_s@gc.bitnet> (Steven W. Smith)
Subject: redistribution of viruses.

  On September 13, James Ford asked:
> ...
> What should the policy be regarding sending (old) viruses to other people
> and sites? ...

  The "known virus-busters" notion has always been somewhat of a pet
peeve of mine.  I'm at a location that has a steady flow of Macintosh
viruses (read: frequent reinfection) but has been blissfully free of
the PC variety - possibly due to our network and lab strategy.  I'm
interested in the development of virus removal programs (PC), but I'm
not willing to undergo the sort of hassle that seems to follow a
request for samples (note: I haven't tried to get samples, I'm just
judging by what I've read here, particularly statements that requests
for virus samples won't be considered or forwarded).
  It is my belief that a person or organization should be able to
obtain "live" samples, detection, and removal information for research
- provided that person can be reasonably assumed to be responsible, i.e.
a programmer or network administrator at a site.  It's not that I
believe accountability = 100% reliability, rather, that it's more
likely that someone with a reputation on the line would not carelessly
redistribute viruses.
  It is also my belief that being a "recognized virus buster" doesn't
really equate to the ultimate in security.  In this vein, I present
the following rehash (slightly edited for brevity):

> Date:    Wed, 27 Dec 89 12:47:52 +0000
> From:    frisk@rhi.hi.is (Fridrik Skulason)
> Subject: Two serious cases (PC)
>
> Most virus researchers exchange/distribute viruses only on a strict
> need-to-know basis, in order to limit the spread of viruses. However, this
> does not work as well as intended. There are now two known cases where
> untrustworthy people seem to have obtained viruses from researchers.
>
> Case #1: Icelandic-1/Saratoga
>
>      I discovered the Icelandic-1 virus here in Iceland in June this year.
>      When I had disassembled it, I sent a disassembly of an infected file
>      to several experts in the USA, UK and Israel, including the HomeBase
>      folks (McAfee). Before I sent out the disassembly, I made one small
>      change to it. This change had no effect on the operation of the virus,
>      but it would make it possible to determine if a copy of this virus found
>      outside of Iceland was based on my disassembly or not.
...
>      Three days after the virus was made available on the HomeBase bulletin
>      board, in a restricted area that only a few people had access to, a new
>      virus was discovered in Saratoga and uploaded to the HomeBase BBS. Some
>      people thought for a while that Saratoga was an older variant of
>      Icelandic-1, because it was at first said to have been found "a few
>      months earlier", but this turned out to be a misunderstanding.
>
>      Saratoga was just a minor variant of Icelandic-1, but the change I made
>      was present in the virus, so it was obviously based on my disassembly.
>      When Saratoga was found, I had only sent Icelandic-1 to three or four
>      persons in the US - and, as far as I know, it had only been made available
>      to other persons in one place (HomeBase).  They believe that the person
>      responsible for creating "Saratoga" has now been found, and his
>      access to the restricted area has been terminated.
>
> Case #2: Dbase
>
>      The dBase virus was discovered by Ross Greenberg. It seems to have been
>      planted at only a single site, because no other reports appeared for
>      several months. Recently Ross made the virus available to a number of
>      virus researchers. Within two weeks the first infection reports had
>      started to arrive - the virus had escaped.
>
>      We know that at least some of the reported infections were based on the
>      copy from Ross, because he made one small change to the virus, before it
>      was distributed. One instruction was overwritten by two "harmless"
>      instructions, in order to disable the most harmful effect of the virus -
>      the disk trashing part. This change is also present in some of the
>      infected files that have been found recently. (In other cases the
>      original instruction is present)
>
> As I said before, I do not consider it a very good idea to make changes to
> viruses, but it paid off in the two cases described above. Who knows how
> many other cases of virus infections are (indirectly) the result of virus
> collection/distribution by virus experts.
>
> At least it is certain that we have to be a lot more careful in the future.
>
> -frisk

  I'd personally like to see a standard criteria applied to the
distribution of viruses and related information, rather than presuming
that the current crew are the only ones with any legitimate interest
in the field.  It also seems as though marginal changes in code to
identify the source of an "escaped" virus could help keep people on
their toes.
  _,_/|
  \o.O;   Steven W. Smith, Programmer/Analyst {& PCSA network administrator}
 =(___)=  Glendale Community College, Glendale Az. USA
    U     SMITH_S@GC.BITNET
If you believe that I represent the views of GCC, you're mad, quite mad...

------------------------------

Date:    18 September, 1990 
From:    Padgett Peterson <padgett%tccslr.dnet@uvs1.orl.mmc.com>
Subject: V&S

>The protection of "protected mode" could cut both ways, however.
>Although it would be harder for a virus to gain access to a system, it
>would also be harder to detect and kill.  You can't scan memory for a
>virus if you get nailed by a segment violation whenever you look
>outside your own data.

Must disagree on this one. I "own" my PC. As on mainframes, most of
the time my processes are denied access to "privileges" - this does
not mean that privilege is not available when requested, just that 99%
of the time it is unnecessary, and, for many years I have had the
habit of only taking on those privileges I need - that way programs
requiring privileges not available to most users are identified
early.

Point is that just because you choose to protect the O/S from your
"accidents", this does not mean that you are permanently locked out,
nor that a virus is either. Already, in some cases, booting from a
protected floppy is the only recourse for recovery (though EVERY virus
I have seen so far, including 4096 and Joshi, is easily detectable in
memory).

----------------------------------------------------------------------------

>  Our informal survey showed
>that only 25-30% of the campus bothered to check their disks for the
>virus.  Part of that was the fact that users a) don't understand
>viruses -- they don't WANT to understand them and b) they're so
>amazingly apathetic.

I have found that a small dose of education plus an easy, effective
means of screening software does wonders. For too many years we just
pointed people at a PC and expected them to use it like a typewriter
or calculator. If users of systems in our care do not understand
viruses or are apathetic about precautions, that is our fault, not
theirs.

------------------------------------------------------------------------------
(excerpt from FidoNet posting provided by Frisk)

>    when we discovered the motherfish, the
>    decision was made to disavow its existence and any
>    public comment on it was prohibited...the file was
>    never made available through normal distribution based
>    on two findings 1. the virus can not be detected by
>    present methods 2. the virus is modularly constructed
>    to allow it to "learn" the methods used to detect it,
>    and then integrate this coded thought into its arsenal
>    of defense mechanisms

This is pure B.S. and sounds like a politician. I know I am going out
on a limb again since I have not seen the "mother
fish"/"whale"/"Gordius" as yet but am relying on the fact that by
definition a virus must change things and ANY change is detectable. If
the change is hidden then the mechanism used to hide the change is
detectable, etc. 1st, any virus is detectable if not resident since it
cannot hide itself from observation. If it is resident, then it must
be resident somewhere. This is not to say that there are not some very
tricky possibilities for residency, but even these are detectable.

In the last few months my old three-byte test has grown to six-bytes
(Joshi is easier to find when resident than when dormant unless you
look specifically for the 1fh signature and I do not like signature
tests - not that they are not effective, but that they require
constant updates)

Of course, my job is made much easier in that I do not have to
identify infections, John McAfee and Morton and Frisk do an excellent
job, all I need to know is that SOMETHING has happened & then reel out
the arsenal. Similarly, this should be the attitude of users / generic
detection software: determine that something has happened & call for
help. This can be done with virtually no impact. To provide this
environment is our responsibility. <end_of_soap_box>

					Padgett
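
Added example, not Padgett's code and not from the digest: the on-disk half of
the "ANY change is detectable" argument above, written as a generic
baseline-and-compare check that reports only that SOMETHING changed, which is
the posture the post argues for. It does not cover the resident (in-memory)
case the post also mentions. The function names, the constructed file names
and the appended bytes are all assumptions made for the demonstration.

```python
"""Generic change detection: record a baseline of file sizes and SHA-256
digests, then report anything that differs.  Added example; every path and
name here is a constructed assumption, not anything from the digest."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size, sha256 hex) for one file, reading in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def baseline(root):
    """Map every regular file under root (relative path) to its fingerprint."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = fingerprint(full)
    return result


def compare(old, new):
    """Classify the differences between two baselines.

    The check is deliberately generic: it says which files changed, appeared
    or vanished, and nothing about why.  Identifying the cause is a separate
    job, as the post says ("determine that something has happened & call for
    help").
    """
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a small tree, alter it, report the diff.

    The tree, its contents and the alteration (bytes appended to one program
    file, one new file dropped) are all made up for this example.
    """
    with tempfile.TemporaryDirectory() as root:
        sample = {"PROGRAM.COM": b"\x90" * 32, "README.TXT": b"hello"}
        for name, data in sample.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        before = baseline(root)

        # Simulated change: one program grows by a few bytes, one file appears.
        with open(os.path.join(root, "PROGRAM.COM"), "ab") as f:
            f.write(b"\xcc" * 8)
        with open(os.path.join(root, "NEW.COM"), "wb") as f:
            f.write(b"\x90")

        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the monitored system cannot silently
rewrite (a write-protected floppy, in the terms of the thread); a baseline kept
on the same disk is only as trustworthy as the disk it describes.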

------------------------------

Date:    Tue, 18 Sep 90 08:27:08 -0700
From:    attain!RATVAX.DNET!ROBERTS@apple.com (I'm working on it...)
Subject: anti-virus viruses (AVV's)

Howard A. Landman writes about potential anti-virus viruses (AVV's)
>Another safety feature would be to publish all the information needed
>to recognize and disinfect the virus, a few months before releasing
>it.

A good idea, and you would want to publish anonymously.

>A polite AVV might ask before committing suicide, so the user had the
>choice of some other software to do the job.

I don't think a "polite" AVV would spread.  No one would say "yes".  A
"considerate" AVV would kill itself if it detected any form of anti-viral
software known to be able to detect the virus(es) that the AVV is hunting.

I think Howard's idea of food points is clever and would not significantly
reduce the AVV's effectiveness.

Another note:  Is it true that the destructive viruses are less
contagious because they are more likely to be noticed?

-George Roberts
...decwrl.dec.com!teda!ratvax.dnet!roberts

------------------------------

Date:    Tue, 18 Sep 90 16:42:09 -0100
From:    Joaquim de Oliveira Vasconcelos <AIE01001@UFRJ.BITNET>
Subject: Stoned virus (PC)

We have noticed a "stoned virus" infection on a hard disk in our lab.
Unfortunately I couldn't find enough information on this kind of virus
in past issues.  Would anyone on the list please send me answers to
the following questions?
    - How does the virus replicate?
    - What kind of damage does it cause on the hard disk?
    - How can one get rid of it?
Thanks in advance.

Joaquim de Oliveira Vasconcelos
Systems Analyst
COPPE/Universidade Federal do Rio de Janeiro

P.S.: Sorry for possible English language errors ...

------------------------------

Date:    18 Sep 90 16:26:14 +0000
From:    ropg@ooc.uva.nl (Rop Gonggrijp)
Subject: Re: Measuring the Spread of Viruses

yamauchi@heron.cs.rochester.edu (Brian Yamauchi) writes:

>Has anyone done any work on measuring the degree to which viruses (as
>a whole or as individual strains) have spread throughout the
>population of personal computers?  This could be done either by
>collecting statistics on the number of reported cases or, more
>elaborately, sending out surveys to various sites
>(academic/commercial/government) and individual users (e.g.
>subscribers to various magazines).

I know of a case where the speed of virus propagation was measured. The
virus we now call 'The Internet Worm' and the researcher was Robert T.
Morris [Jr.].  (Yeah, I know, it was a worm and not a virus). Whether
you like it or not, the best way to measure propagation is by letting
out a relatively harmless 'test virus'.

------------------------------

Date:    19 Sep 90 02:51:03 +0000
From:    woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal)
Subject: a long time ago (PC)

About a year and a half ago, one of the guys at work had been playing
Leisure Suit Larry a lot.  One day, he mistyped the date, to something
like the next year, and up popped a colored picture of a computer with
a jagged break down the middle.  We never did find what it was, but
did suspect a virus.  We have not been able to find it since.  Has
anyone ever seen this before?

Secondarily, it seems to me that there is a class of viruses that we
fortunately have not seen yet.  Application specific viruses.  Consider
a virus written by someone who is POed at LOTUS for their recent court
victory (really a sad chapter in computer history).  This virus would
infect and spread, but only corrupt a program that had a Lotus
copyright on it.  I seem to remember a note about a Bulgarian virus
that looked for an anti viral product and trashed it.  Has anyone
encountered a virus that exhibits the above behaviors?

Cheers
Woody

------------------------------

Date:    Tue, 18 Sep 90 18:53:03 -0400
From:    pro-angmar!achilles@alphalpha.com (David Holland)
Subject: Mac misbehavior (Mac)

Recently a Mac which I am basically responsible for the general health of (it
is the office computer in the fine arts department at my high school) has come
down with some strange symptoms.
  A week or so ago I installed some new stuff, mostly PD and shareware picked
up from a friend. All of these were things he had used on his system for the
last several months without any problem.
  Well, problems cropped up immediately. Soundmaster installed and ran
perfectly - except it adamantly refused to play anything on startup. All the
other options worked fine.
  The more puzzling thing is that Disinfectant, when run, produced a bomb box.
The error ID was consistently 03, which, according to the table of system
errors I have, is a bad instruction. This happened consistently, regardless of
removing INITs and desk accessories and everything else I could think of.
  At first I thought it was probably an incompatibility with the System, which
was only version 6.0; I said I'd see if I could get hold of an update, and
left it at that.
  But yesterday, Microsoft Works data files started refusing to automatically
load Works when opened from the Finder, much to the confusion of the music
teachers. It turned out that Works itself ran fine and the documents could be
loaded fine from within it (fortunately) - but something was rather amiss.
  I ran Disinfectant from the floppy disk I'd copied it from my friend on;
somewhat to my surprise, it ran properly. A scan of the hard disk uncovered no
viruses, but did determine that the hard disk copy of Disinfectant had a
damaged resource fork. All very well: throw out that copy and make a fresh one
from the floppy. Done. Guess what: the problem recurred - without, indeed,
running anything else in the meantime.
  Today I further discovered that when I duplicated Disinfectant on a floppy,
renamed it "fubar", and copied both to the hard disk, one worked and the other
didn't... and that Apple's disk-doctor program did NOT work from the original
system-utilities disk (write-protected, of course) though it DID when copied
to the hard disk. (It generated a bomb box with an error 02 - illegal
address.)

  The system in question is a rather vanilla Mac SE - 20 meg HD, 720K floppy,
1 meg memory, no particular expansions. System version 6.0.
The version of Disinfectant I have is 1.7; I know that's not the highest, but
the computer isn't connected to anything and getting stuff is extremely
difficult. :(

  My apologies for the excessive length, but since I really don't know a thing
about the inner workings of Macs I thought I'd better add everything in case
someone who does know can help.

  The obvious question, of course: does this look like any particular known
virus? It's not impossible that the whole thing is a symptom of a decaying
hard drive, or something, after all...
  Disinfectant didn't detect anything, and I don't think Gatekeeper has; but
whatever it is, if it is a virus, could be able to go around them. I tried to
borrow a copy of SAM-Intercept from someone to check further, but it decided I
was violating its copyright and wouldn't let me.

  Thanks...
 David A. Holland

 Internet:  pro-angmar!achilles@alphalpha.com          | There is no great
            aeneas@blade.mind.org            (slower)  | talent without a
 Citadel:   blade!aeneas@{undermind, overmind}         | mixture of madness.
 Fidonet:   David Holland @ 1:322/337 (not preferred)  |       -Seneca


------------------------------

Date:    Wed, 19 Sep 90 02:30:13 +0000
From:    yamauchi@granite.cs.rochester.edu (Brian Yamauchi)
Subject: The Problem With Self-Limiting Viruses (was Re: Anti-virus viruses)

landman@hanami.Eng.Sun.COM (Howard A. Landman) writes:
> I am not arguing in favor of AVVs, but have a few technical ideas to
> throw out for discussion:
> 
> One method of limiting the risk of an AVV would be to make it spread
> more rapidly where there are other viruses than where there are not.
> For example, the virus could award itself "food points" every time it
> "eats" a bad virus, and require a certain number of points before it
> attempts to replicate.  The copy, of course, starts life with no food
> points ...
> 
> This way, the AVV would be almost unable to spread among systems which
> were apparently clean, but would spread rapidly in an obviously sick
> environment.  This property could be quite useful in focusing the
> concentration of the AVV to where it was needed the most.
> 
> Many variants of this scheme are possible.  For example, the virus
> might split food points with its copy, but then lose a point every
> time it runs and there's nothing to disinfect.  Eventually it could
> "starve" and remove itself.

The problem with "food points", and other self-limiting strategies in
general, is that from an evolutionary perspective these limitations
are *flaws*, and the evolutionary pressure will be to remove these.

For an example: suppose you have a virus with a mutation that prevents
it from losing food points when it runs or reproduces.  This mutant
will constantly accumulate food points and replicate faster and faster
until it eventually becomes a dominant subspecies of this virus.

Of course, you could introduce AAVVs to hunt down and kill the mutant
strain of AVV, but if you try to limit the reproduction of the AAVVs
then they will be under the same evolutionary pressure to eliminate
those limitations.

Another option might be a "genetic purity" behavior for the AVVs where
they scan any other AVVs of the same species they encounter and kill
them if the others' code differs from its own.  But in the long run,
the mutant AVVs will have the upper hand since they can reproduce
faster and exterminate any members of the unmutated strain that they
encounter.

Mike Travers at the MIT Media Lab performed some interesting
experiments with simulated creatures that evolved to take advantage of
bugs in the simulator.  Like the AVVs above, these creatures could
forage for food and reproduce by giving a certain amount of their food
to their offspring.  One species evolved which was able to reproduce at
the clock rate of the simulation -- it did this by giving its
offspring more food than the parent.  The parent dies immediately, but
not before generating a child (who dies on the next clock tick, after
producing another child, and so on).

If AVVs ever become necessary, it will probably be futile to attempt
to hobble them with a software ball-and-chain.  They should probably
be designed as viable (i.e. non-self-destructive / rapidly
reproducing) but benign organisms from the start.  Of course, some
will mutate to become destructive, but at least there won't be any
evolutionary pressure toward destructiveness.  If anything, there will
be a pressure towards benignity, since a harmful virus that mutates
into a nondestructive form will be less likely to be detected and
destroyed.

I don't consider AVVs either necessary or beneficial now, but if the
virus population ever expands to the level where the majority of
systems carry some sort of virus, then at least AVVs could increase
the probability of having a benign population on your system.

_______________________________________________________________________________

Brian Yamauchi				University of Rochester
yamauchi@cs.rochester.edu		Computer Science Department
_______________________________________________________________________________
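
Added example, not Brian's code and not from the digest: a toy population
model of the "food points" scheme and of the mutant he describes, so the
evolutionary argument can be watched rather than only read. Agents are plain
counters in a list; nothing here copies itself anywhere. The point threshold,
host cap, starting populations and food schedules are assumptions chosen for
the demonstration.

```python
"""Toy model of "food point" self-limiting agents and a mutant that never
loses points.  Added illustration; all parameters are constructed."""
from dataclasses import dataclass

THRESHOLD = 3   # points an agent needs before it may spawn a copy (assumed)
CAP = 50        # finite number of hosts: no more agents than this (assumed)


@dataclass
class Agent:
    mutant: bool   # True: the mutation that stops the agent losing points
    points: int


def step(population, food_available):
    """Advance every agent by one run.

    food_available models whether there is a "bad virus" to eat this tick.
    An unmutated agent earns a point when it eats, loses a point when it runs
    idle, pays THRESHOLD points to replicate, and removes itself (starves)
    when its balance goes negative.  The mutant never loses points: it keeps
    its balance when idle and when replicating, the flaw the post describes.
    """
    survivors = []
    total = len(population)  # enforces the host cap within this tick
    for a in population:
        if food_available:
            a.points += 1
        elif not a.mutant:
            a.points -= 1
        if a.points < 0:
            continue  # starved: the self-limiting design removes it
        if a.points >= THRESHOLD and total < CAP:
            if not a.mutant:
                a.points -= THRESHOLD  # honest strain pays for its copy
            survivors.append(Agent(a.mutant, 0))  # copy starts with no points
            total += 1
        survivors.append(a)
    return survivors


def simulate(population, food_schedule, ticks):
    """Run the model and return counts of each strain at the end."""
    for t in range(ticks):
        population = step(population, food_schedule(t))
    return {
        "honest": sum(1 for a in population if not a.mutant),
        "mutant": sum(1 for a in population if a.mutant),
    }


def honest_in_sick_environment():
    """Constructed scenario 1: only the unmutated strain, food every tick.
    Here the scheme works as intended: the strain spreads to fill the hosts."""
    pop = [Agent(False, THRESHOLD) for _ in range(5)]
    return simulate(pop, lambda t: True, ticks=60)


def mixed_in_partly_clean_environment():
    """Constructed scenario 2: five honest agents plus one mutant, with
    something to eat only every third run.  The honest strain starves (two
    points lost for every one earned) while the mutant accumulates and
    spreads: the limitation is selected against, exactly as argued above."""
    pop = [Agent(False, THRESHOLD) for _ in range(5)] + [Agent(True, 0)]
    return simulate(pop, lambda t: t % 3 == 0, ticks=60)


if __name__ == "__main__":
    print("honest only, sick hosts:      ", honest_in_sick_environment())
    print("honest + mutant, mostly clean:", mixed_in_partly_clean_environment())
```

The model is deterministic on purpose: the outcome follows from the bookkeeping
alone, with no randomness needed for the mutant to win once its cost of running
idle is zero.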

------------------------------

Date:    19 Sep 90 10:00:00 -0400
From:    "WARTHMAN" <warthman@softvax.radc.af.mil>
Subject: New viruses? (MAC)

I've been told about a recent CNN report, supposedly dealing with 2
new Macintosh viruses. The person who told me about this could not
remember the names of either, but said that one of them had "DEF" as
part of its name. He said it was *not* MDEF or WDEF. He could not
remember if it was CDEF, but said he did *not* think it was. He said
that the report indicated that there was no "cure" for one of the
viruses, and that Symantec (he mentioned this company by name) was
"feverishly" working on countermeasures to combat that virus. Has
anyone on VIRUS-L heard this CNN report? Can you fill in the blanks?
I wonder if this person misunderstood, and CNN was actually referring
to the "Whale" virus (DOS)?

Also, I've recently heard about a variant of nVIR called "prod". Does
anyone have information about this one? Will the current set of
anti-viral tools handle it, since it's supposed to be just another
clone? Will it even be tracked separately?

Thanks for whatever insight can be added.

-- Jim Warthman      Warthman@SOFTVAX.RADC.AF.MIL   (Internet)
                     AFC JimW                       (America Online)

------------------------------

Date:    19 Sep 90 12:53:42 +0000
From:    farmer@ecs.umass.edu (THE MAD MUSKRAT)
Subject: Is there a LaserWriter attacking virus? (Mac)

Hi,

I have been hearing strange rumors recently, and wanted to see if they
were real.  Has anyone heard of a Macintosh virus that attacks
LaserWriters??  I have heard that one exists which causes damage to
the logic board.  I doubt the truth of this, but I don't know for
sure.  Has anyone seen this virus?  Has anyone else heard this rumor?
Am I babbling on aimlessly??

I would appreciate any replies, as I know of a pair (or possibly 3)
LaserWriters which have all developed a problem recently.  This may
just be a false alarm, but I really don't know!

Thanks in advance.

Sincerely,

Matt Farmer
--------------------------------------------
internet:	farmer@umaecs
bitnet:		mfarmer@umass

------------------------------

Date:    Wed, 19 Sep 90 12:55:27 -0400
From:    azavatone@ldbvax.dnet.lotus.com
Subject: Mac Anomalies with AppleShare & Ethernet (Mac)

    Food for thought.  I would LOVE to find out if anyone else has
come across this problem.  Occasionally, (3 times in the past 5
months) I have noticed that AppleShare will not load (hang in fact)
when I boot my machine.  Often, about 10 other people have this
problem.  Fixing it is a pain.  If I disable AppleShare with init 2.0,
the machine boots and loads in its 40 billion inits and everything
else works well, including QuickMail.  Therefore, I assume that it is
an AppleShare problem, not a network/ethertalk one.  So I reinstall
AppleShare 2.0.1.  Same problem, AppleShare hangs on startup.  So, I
reinstall the network software (ethertalk 2.0.1 and 1.2 - we only use
1.2) by installing 2.0.1 and dragging the previous version 1.2 into
the system folder.  Restart.  SAME PROBLEM!!  So, I remove AppleShare,
AppleShare Prep and Network.  In the following order, I install
AppleShare from the AppleShare workstation Install disk (running 6.0.5
so it will boot our machines) - Ethertalk 2.0.1 from the ethernet
installation disk (I made a 6.0.5 installer from the standard
installation disk) - then drag the previous version (1.2) from the
same disk into the system.  Reboot.  Use Init 2.0 to make sure
AppleShare is not disabled.  Go to network from the control panel and
select the version of ethertalk we currently use and VOILA! IT WORKS!
But why?  I have NO clue.  This is reproducible, in fact I am going to
reproduce it at least 4 more times today to get the rest of our
machines up again.  The funny thing is that only about 10 of our 100+
machines got nuked.  They were Mac II's, cx's, ci's, fx's and one SE.
My hypothesis is that someone is sending out packets to our Fastpath
and they are hitting other macs running AppleShare.  One of our
employees got hit around 3pm on Tuesday, I got hit between 6 and 7pm
Tuesday.  Is this rogue ethernet board behavior or am I just doomed to
suffer working on Macs in a predominantly IBM company?  We may never
know.

Any Ideas/insights are welcome, but I would prefer a solution.B-]

If it is an AppleShare virus let's name it after me ok? B-[

mail 2 me or the list at
                        Azavatone@ldbvax.dnet.lotus.com

                        Alex "Zav" Zavatone
                        Mac Wizard in Training
                        123 Mac dev team - Lotus

                                   Zav B!->
ps: HELP! My brain is fried!

------------------------------

Date:    Tue, 18 Sep 90 23:53:33 -0500
From:    "Kenneth P. Russell" <KPRUSS@ricevm1.rice.edu>
Subject: AUTOEXEC.BAT (PC)

What would cause the autoexec.bat to not run when the computer is
booted?  It can be executed from the command line.

Thanks, Ken

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 159]
******************************************
