From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V3 #170
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------

VIRUS-L Digest   Monday, 15 Oct 1990    Volume 3 : Issue 170

Today's Topics:

re:Help with Jerusalem virus (PC)
Otto Stoltz Posting, Oct. 10, 1990
Slightly clearer translation
Alleged Postscript Virus
Re: Alleged PostScript virus.
virus outbreak in Richmond, VA
Author name correction
OHIO virus found at UTMB (PC)
re: Jerusalem B (PC)
Help with Jerusalem B (PC)
Re: mac virus(?) in school machines (Mac)
Re: Request for Article/ ? Procedures
Scan v67 and killer.com (PC)
VIRUS-L indices and misc administrivia

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart.  Discussions are not limited to any one hardware/software platform - diversity is welcomed.  Contributions should be relevant, concise, polite, etc.  Please sign submissions with your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.  Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: Wed, 10 Oct 90 20:36:55 +0700
From: Paolo Mattiangeli
Subject: re:Help with Jerusalem virus (PC)

> One day I found the Jerusalem virus in one of my files.
> I removed the virus by CLEAN software but my file
> didn't work again.  When I run my file the computer halts.
> Any help appreciated.
>
> Taisir
> CCA3607 @sakaau03

This could not be due to the virus action.  I myself experienced that, if the virus infected an .EXE file, sometimes CLEAN software fails to recover the file.
I am not sure of this, but since Jerusalem often produces multiple copies of itself in a single .EXE file (a bug, I guess), the malfunction of CLEAN software could be due to this.

These are my guesses, based on my limited personal experience.  Anyway, in the CLEAN documentation, users are made aware of the possibility of bad recovery of .EXE files.

Somewhere out on SIMTEL there is a program called VKILL, which works very well against the Jerusalem virus.

regards
P.

************************************************************
*                                                          *
*  Paolo Mattiangeli                                       *
*  Università di Roma "La Sapienza"                        *
*  Dipartimento di Fisica N.E.                             *
*  P.le Aldo Moro, 4 - 00185 Roma Italy                    *
*  E-mail: MERCEDES@IRMUNISA.BITNET                        *
*  "My words are mine"                                     *
************************************************************

------------------------------

Date: 11 Oct. 1990
From: Padgett Peterson
Subject: Otto Stoltz Posting, Oct. 10, 1990

Have now had a chance to do a bitwise compare of the boot record submitted by Mr. Stoltz and it matches that of a disk formatted using Peter Norton's Advanced Utilities 4.5 Safe Format (dump below).  This is often found in mass-duplicated disks.  Since it is an exact match, I do not believe that the problem is here; however, the disk may still contain malicious software elsewhere.

Just as a technical note, after retrieval of the original ALERT, it was massaged by WordStar 5.0 and passed through DOS DEBUG to create a binary file, which produced the listing below.  This permitted a DOS COMP (compare) of the record with a dump of a disk formatted using Safe Format.  Incidentally, the PNCI stands for Peter Norton Computing Inc.

Padgett

Diskette boot record

-d100 2ff
572F:0100  EB 28 90 49 42 4D 20 50-4E 43 49 00 02 02 01 00   .(.IBM PNCI.....
572F:0110  02 70 00 D0 02 FD 02 00-09 00 02 00 00 00 00 00   .p..............
572F:0120  00 00 00 00 00 00 00 00-00 00 FA 33 C0 8E D0 BC   ...........3....
572F:0130  F0 7B FB B8 C0 07 8E D8-BE 5B 00 90 FC AC 0A C0   .{.......[......
572F:0140  74 0B 56 B4 0E BB 07 00-CD 10 5E EB F0 32 E4 CD   t.V.......^..2..
572F:0150  16 B4 0F CD 10 32 E4 CD-10 CD 19 0D 0A 0D 0A 0D   .....2..........
572F:0160  0A 0D 0A 0D 0A 0D 0A 0D-0A 0D 0A 20 20 20 20 54   ...........    T
572F:0170  68 69 73 20 64 69 73 6B-20 69 73 20 6E 6F 74 20   his disk is not 
572F:0180  62 6F 6F 74 61 62 6C 65-0D 0A 0D 0A 20 49 66 20   bootable.... If 
572F:0190  79 6F 75 20 77 69 73 68-20 74 6F 20 6D 61 6B 65   you wish to make
572F:01A0  20 69 74 20 62 6F 6F 74-61 62 6C 65 2C 0D 0A 72    it bootable,..r
572F:01B0  75 6E 20 74 68 65 20 44-4F 53 20 70 72 6F 67 72   un the DOS progr
572F:01C0  61 6D 20 53 59 53 20 61-66 74 65 72 20 74 68 65   am SYS after the
572F:01D0  0D 0A 20 20 20 20 20 73-79 73 74 65 6D 20 68 61   ..     system ha
572F:01E0  73 20 62 65 65 6E 20 6C-6F 61 64 65 64 0D 0A 0D   s been loaded...
572F:01F0  0A 50 6C 65 61 73 65 20-69 6E 73 65 72 74 20 61   .Please insert a
572F:0200  20 44 4F 53 20 64 69 73-6B 65 74 74 65 20 69 6E    DOS diskette in
572F:0210  74 6F 0D 0A 20 74 68 65-20 64 72 69 76 65 20 61   to.. the drive a
572F:0220  6E 64 20 73 74 72 69 6B-65 20 61 6E 79 20 6B 65   nd strike any ke
572F:0230  79 2E 2E 2E 00 00 00 00-00 00 00 00 00 00 00 00   y...............
572F:0240  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
572F:0250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
572F:0260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
572F:0270  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
572F:0280  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
572F:0290  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
572F:02A0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
572F:02B0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
572F:02C0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
572F:02D0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
572F:02E0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
572F:02F0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA   ..............U.
-q

------------------------------

Date: Thu, 11 Oct 90 12:42:12 -0400
From: AZX@NIHCU.BITNET
Subject: Slightly clearer translation

There may be no need for yet another translation of the German text, but I offer this as possibly the easiest for Americans to understand.  It was written by a group of computer-literate graduate students here at the National Institutes of Health and then edited by myself.

Help against camouflage virus:

The infamous 4096 virus, alias Frodo, which loads itself into main memory and makes itself invisible to most currently-used utilities (see the German publication Computerwoche of 8/10/90, p. 10), has an Achilles' heel: precisely its own invisibility.  Copying an infected program may, if done correctly, lead to a virus-free program.

To accomplish this, the virus must be resident in main memory.  Choose a name for the destination file that does not have an executable file suffix; that is, avoid .COM, .EXE, .OVL, and .SYS extensions.  When the copy is made the virus will actually delete its own virus code from the copied file in its usual attempt to hide itself.  The destination file will therefore consist of the original program file before infection.

The best way to make the copy is by using a compression program like PKARC.  It is still unclear if the same method will work with DOS's COPY or XCOPY programs.  Once the copy is made, the infected programs have to be deleted, the system must be rebooted from a guaranteed 'clean' disk, and the copied files need to be decompressed (or renamed) back to their original file names.

Virus experts caution against the approach outlined above: this method is more tricky than it appears.  It is recommended only to those experienced computer users who understand their machines at the machine code level.
The preferred method is to use a professionally-written antivirus program designed to handle this virus, like those of Solomon (Findviru), McAfee (Scan), or Skulason (F-Fehler).  EPG International's Turbo Anti Virus is also supposed to be able to remove this virus.

Two additional tips:

1. Signature programs and virus scanners should only be started from a guaranteed clean disk, and only after the PC has been booted from a clean disk.

2. When the virus becomes active it does not print the message 'Frodo lives' owing to a programming error in the virus.  Instead, the computer will just crash.

------------------------------------------------------------------------
Andrew Mitz          ||  Animal research saves lives.
NIH Animal Center    ||
AZX@NIHCU            ||
------------------------------------------------------------------------

------------------------------

Date: Fri, 12 Oct 90 08:27:33 -0400
From: dmg@lid.mitre.org (David Gursky)
Subject: Alleged Postscript Virus

In response to Fred Bals' message about the "Postscript virus": there has not been (to the best of my knowledge) any documented instance of this Postscript virus.  There are several utilities in the public domain that allege they defend against it, though.

------------------------------

Date: Fri, 12 Oct 90 09:44:56 -0500
From: "Kincy, Chuck P."
Subject: Re: Alleged PostScript virus.

From the last Virus-L:

> Recently both MacWorld and MacUser magazines have had short articles
> about a PostScript printer virus which apparently is a Trojan Horse
> hidden within some public domain clip art.  According to the articles,
> the virus, when down-loaded into a PostScript printer, resets a chip
> password and renders the printer unusable.

Apparently the article refers to the PostScript "server" password, the password required to make a permanent status change to the printer.  I believe the password is a 2-byte unsigned integer.  In order to change this password, a PostScript job must know the original server password.
The default password is 0, but it can be changed with the "setpassword" command.  (Not too sure about the actual command word... my PostScript is rusty...)  A program that resets the server password would be really nasty, as it would prevent any future permanent status changes to the printer (such as defaultpapertray, defaultpapersize, etc.)  However, a careful system administrator would set the password to something other than 0; this action would keep such a program from doing any harm.  As far as I know, there is no way to figure out the server password (unless, of course, you know it).

A program like this would do it:

    serverdict begin xxxxx exitserver   % xxxxx is the old "server" password;
                                        % exitserver makes the job's changes persistent.
    statusdict begin
    xxxxx yyyyy setpassword pop         % yyyyy is the new password.  setpassword takes
                                        % the old and new password and leaves a boolean
                                        % (true on success), which is discarded here.
    end
    % (I hope this is the right syntax!!)
    (ctl-d)                             % end-of-job marker sent to the printer

Someone might want to get a PostScript "red" book to check me on this....

|Chuck Kincy              "I do not think that there is any question  |
|University of Missouri   about it--it can only be attributed to      |
|Rolla MO 65401           human error.  This sort of thing has cropped|
|S096264@umrvma.umr.edu   up before, and it has always been due to    |
|314/341-8922             human error."  -- HAL 9000.                 |

------------------------------

Date: Mon, 08 Oct 90 11:29:00 -0400
From: HAYES%urvax.urich.edu@vma.cc.cmu.edu
Subject: virus outbreak in Richmond, VA

I found the following message on a local BBS which is reputable *and* dependable.

Regards, Claude

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes      HAYES @ URVAX                   (Vanilla BITNET)
University of Richmond    hayes@urvax.urich.edu           (Bitnet or Internet)
Richmond, VA  23173       ...!psuvax1!urvax.bitnet!hayes  (UUCP)

---- begin forwarded message --

Msg # 1425   Dated 10-07-90 22:43:03
From: TOM HUFFMAN
To:   ALL
Re:   COMPUTER VIRUSES AT VCU
Received 10:53:56 on 10/08/90

************************************
**  Attention All VCU Students!!!!
**
************************************

This message concerns all VCU students and the general public who have either used the PCs on campus or have software that has been used on the PCs around the campus!!!!

There has been a serious outbreak of VIRUSES (Yale/Alameda, Stoned-B, and Jerusalem) on the campus and we are receiving little if any help from the students!!!  If you have ANY diskettes that have been used on the PCs on campus, PLEASE bring them into one of the PC Labs on the second floor of the Business building.  The lab monitors will check and clean your diskettes for any of the three viruses mentioned above!!

People at the school rely on the computers to do their school work!  Not having your diskettes checked means that you may reinfect a PC and cause someone else unneeded grief!!!  Please comply!!  You can even check and clean your own diskettes and systems with the McAfee software on this BBS!!!

Business building lab monitors thank you for your time!!!!!

Tom Huffman!

------------------------------

Date: Wed, 10 Oct 90 11:32:00 -0400
From: "Dr. Harold Joseph Highland, FICS"
Subject: Author name correction

Note that Thom is doing an article about computer viruses and wants info.

> I'm doing a column for a magazine about information on worms, viruses,
> and security.  I'll be talking about
>
> Computer Security Risk Management/ Potter & Palmer
> Computer Virus Handbook/ Fics

Have had my name listed as Hiland, Hylan, etc. ["Red Mike" Hylan, mayor of New York City in the '20s, was a distant relative] but this is the first time I have been called **** Fics ****.  Thom had better look at the book I sent to him several months ago.  The FICS FOLLOWS my name.  It stands for "Fellow of the Irish Computer Society."  Been a Fellow since 1985 and probably the only one in the States who was born here and still lives here.

Have about 30 books written in the past several years about viruses as well as a file drawer about 24 inches deep with newspaper and magazine clips.
Plan to donate the mess to a local university in the next year or two.  My library is getting too big with materials on other areas of computer security, particularly encryption.

Retired as Distinguished Professor from SUNY a decade ago.  Gave up as Editor-in-Chief of Computers & Security, which I started nine years ago, this past January.  I still write my column, Bits & Bytes, regularly.  But at 73 I plan to retire again in the near future and write scientific children's books as I did in the late fifties and early sixties.

------------------------------

Date: 11 Oct 90 16:52:24 +0000
From: perry@beach.gal.utexas.edu (John Perry KG5RG)
Subject: OHIO virus found at UTMB (PC)

Just a quick note to let everyone know that several IBM and compatible PCs here at the University of Texas Medical Branch in Galveston, Texas have been infected with the OHIO virus.  I have not yet attempted to remove the virus and I would like any suggestions on the best way to go about it.  I have the McAfee products.  I will try them first.  Anybody have any thoughts or suggestions?

John Perry KG5RG
University of Texas Medical Branch
Galveston, Texas 77550-2772

You can send mail to me at any of the following addresses:

DECnet   : BEACH::PERRY
THEnet   : BEACH::PERRY
Internet : perry@beach.gal.utexas.edu
BITNET   : PERRY@UTMBEACH
SPAN     : UTSPAN::UTADNX::MBIAN::PERRY

------------------------------

Date: 11 Oct 90 18:23:46 +0100
From: "Otto.Stolz"
Subject: re: Jerusalem B (PC)

> This version of WordPerfect refused to run with the infection.

That has been known to VIRUS-L readers for a year or so.  I've sent you a copy of Y. Radai's original posting of 15 Jun 89 14:46:58 +0300.

> With WP v4.2 it scanned both disk drives (presumably for other disks
> to infect), ...

Probably to find a clean copy of WP 4.2 to load, as WP's self-consistency check had failed.

> What is the behavior of Jerusalem B?
I've sent you our ISRAELI PCMEMO file which contains info on the various Israeli strains (thanks to Virus Test Center, Hamburg, and other sources).

> Does Jerusalem B only infect programs that are invoked from the
> command prompt while it is in memory?

It infects all programs invoked via the pertinent system function (i.e. either from the command prompt or internally from another program).

> Under what conditions does a multiple infection occur?

EXE files are infected multiply (bug!), COM files just once.

> Thanks.

You're welcome
Otto Stolz

------------------------------

Date: Thu, 11 Oct 90 21:51:54 -0400
From: AZX@NIHCU.BITNET
Subject: Help with Jerusalem B (PC)

I am a regular 'listener' to Virus-L, but this is the first time I am faced with removing a virus from someone's computer.  I tried to remove Jerusalem B from a computer using McAfee's M-J.  It claimed to have removed many occurrences the first time I ran it, but Scan (v6.3) still found lots of infected files.  Subsequent runs of M-J said "clean" for all the files, yet Scan (and VIRscan) said files were still infected.  I have tried using a 'clean' disk for boot and virus scanning.  Note, M-J complained about my write protect being on.  What am I doing wrong?

Note, due to problems with BITFTP, I would rather use a modem long distance to transfer files than pull them off of Bitnet/Internet -- so please make suggestions accordingly.

Thanks.

Andrew Mitz
Biomed Engineer
NIH Animal Center
Animal Research Saves Lives!
Poolesville, MD

------------------------------

Date: Fri, 12 Oct 90 13:43:36 -0400
From: tak@micor.ocug.on.ca (Keith Takayesu)
Subject: Re: mac virus(?) in school machines (Mac)

ROEBUCK@admin1.usask.ca (Terry (TR) Roebuck; 966-4841) writes:

> I post this since it shows how persuasive some viruses (viri?) can be;
> the typical users at that site would have *NEVER* thought about
> checking.  (sigh)

I've found that the educational market (i.e. schools, universities, etc.)
are the worst for spreading ANYTHING.  This is partially a function of the ease with which Macintosh files can be copied, and the desire of poor students to copy anything of interest.  It does not seem to happen as much at IBM PC sites, since files are harder to copy.  For instance, WordPerfect on the Macintosh only really requires 1 diskette (2 if you want spell checking), or even just the application file; on the PC, you need MANY diskettes to copy the files and it's not so easy to determine which ones are needed.  The last place that I had to install WP 5.0 only had 5.25" drives, and there was a pile of 15 source diskettes!

Keith Takayesu, DMR Group Inc.

------------------------------

Date: Sat, 13 Oct 90 17:38:45 +0000
From: dave%triton.unm.edu@ariel.unm.edu (Dave `White Water' Grisham)
Subject: Re: Request for Article/ ? Procedures

Will someone e-mail me the recently posted article on the Sun Devil case that got thrown out of court?  Thanks in advance.

------

Now for a virus related question.  Is there a consensus from Lab/Pod managers that a good virus checking policy at your lab's perimeter makes for a safe environment?  Or are detection tools not adequate, usable, or cumbersome?  I ask because an enforceable policy with a good tool should make a VERY safe environment.  There are always exceptions; what have you encountered?

grish

Dave Grisham, Security Administrator             Phone (505) 277-8032  FAX 277-8101
Computer & Information Resources & Technology    Internet DAVE@triton.unm.EDU
Univ. of New Mexico  Albuquerque, NM 87131       BITNET DAVE@UNMB

------------------------------

Date: Sun, 14 Oct 90 03:09:35 +0000
From: Bill.Viggers@comp.vuw.ac.nz (Bill Viggers)
Subject: Scan v67 and killer.com (PC)

There seems to be a little problem with the latest version of Scan and its related products.  Killer is (I think) locally written, and is designed to remove the STONED virus.  When I ran Scan v67 it picked up killer.com as being infected with the Invader virus.
Thinking that I actually might have the virus, I used Clean to fix it up.  This unfortunately seems to have destroyed killer.com.  Checking further, I discovered the Invader virus on the version of killer.com given to me by my dealer.  Having successfully used killer.com before, and the 'virus' not having spread, I was a little surprised, and used Scan v67 to check out the killer.com that was on a PC at VUW.  That too, it appears, had this virus.

The documentation for Scan v67 said that the Invader virus is a new virus, and that was why the release of this version of Scan was delayed.

Putting 2 and 2 together, I assume that this means that killer.com has some code in it that Scan uses to identify the Invader virus.  If anyone could either confirm or refute this, I would appreciate it.

Bill Viggers (Undergraduate).

------------------------------

Date: Mon, 15 Oct 90 09:55:45 EDT
From: krvw@cert.sei.cmu.edu (Kenneth R. van Wyk)
Subject: VIRUS-L indices and misc administrivia

Thanks to all of you who responded to my request for input on whether or not to distribute the VIRUS-L indices periodically!  The overwhelming (i.e., unanimous) result is that we should do it.  There were also a couple of good suggestions.  Depending on file size, etc., I currently plan to distribute the indices every 100 digests, in a separate digest(s) - on a trial basis.  If, after sending them out, it is decided that this is too much bandwidth (or some such), then I'll not send more out.

Also, sorry for the delay in some of the messages in today's digest.  I was out of town all of last week, and terminal access was at a premium.  We did have one message sent in to VALERT-L during that time, and it went out asap.  A reminder to anyone sending to VALERT-L - if you want your message to go out as quickly as possible, phone the CERT hotline (412-268-6935) and instruct whoever answers the phone to contact me.
Thanks,

Ken

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 170]
******************************************
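Editor's note on Padgett Peterson's boot record comparison above: the COMP he describes can be done mechanically, and the fields worth eyeballing can be decoded rather than read off the hex. The Python below is an added example, not code from the digest or from any of its contributors. It rebuilds the 512-byte sector from the DEBUG listing in his message (transcribed from the dump; the all-zero rows 0240-02E0 are omitted and the loader starts from a zero-filled buffer), decodes the DOS 2/3 BIOS Parameter Block, checks the 55AA boot signature, extracts the loader's "This disk is not bootable" text, and diffs two sectors byte for byte. The message offset is taken from the loader's own `mov si,imm16` (bytes BE 5B 00 at offset 0x38); that heuristic is an assumption specific to this style of loader, not a general rule.

```python
"""Parse, sanity-check and diff a DOS floppy boot record given as a DEBUG hex dump."""
import hashlib
import re
import struct

# Transcribed from the DEBUG dump in Padgett Peterson's message (Norton Safe Format
# boot record). Rows 0240-02E0 are all zero and omitted; load_dump() starts from a
# zero-filled sector, so the gap is harmless. ASCII column dropped.
NORTON_SAFE_FORMAT_DUMP = """
572F:0100 EB 28 90 49 42 4D 20 50-4E 43 49 00 02 02 01 00
572F:0110 02 70 00 D0 02 FD 02 00-09 00 02 00 00 00 00 00
572F:0120 00 00 00 00 00 00 00 00-00 00 FA 33 C0 8E D0 BC
572F:0130 F0 7B FB B8 C0 07 8E D8-BE 5B 00 90 FC AC 0A C0
572F:0140 74 0B 56 B4 0E BB 07 00-CD 10 5E EB F0 32 E4 CD
572F:0150 16 B4 0F CD 10 32 E4 CD-10 CD 19 0D 0A 0D 0A 0D
572F:0160 0A 0D 0A 0D 0A 0D 0A 0D-0A 0D 0A 20 20 20 20 54
572F:0170 68 69 73 20 64 69 73 6B-20 69 73 20 6E 6F 74 20
572F:0180 62 6F 6F 74 61 62 6C 65-0D 0A 0D 0A 20 49 66 20
572F:0190 79 6F 75 20 77 69 73 68-20 74 6F 20 6D 61 6B 65
572F:01A0 20 69 74 20 62 6F 6F 74-61 62 6C 65 2C 0D 0A 72
572F:01B0 75 6E 20 74 68 65 20 44-4F 53 20 70 72 6F 67 72
572F:01C0 61 6D 20 53 59 53 20 61-66 74 65 72 20 74 68 65
572F:01D0 0D 0A 20 20 20 20 20 73-79 73 74 65 6D 20 68 61
572F:01E0 73 20 62 65 65 6E 20 6C-6F 61 64 65 64 0D 0A 0D
572F:01F0 0A 50 6C 65 61 73 65 20-69 6E 73 65 72 74 20 61
572F:0200 20 44 4F 53 20 64 69 73-6B 65 74 74 65 20 69 6E
572F:0210 74 6F 0D 0A 20 74 68 65-20 64 72 69 76 65 20 61
572F:0220 6E 64 20 73 74 72 69 6B-65 20 61 6E 79 20 6B 65
572F:0230 79 2E 2E 2E 00 00 00 00-00 00 00 00 00 00 00 00
572F:02F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA
"""

# One DEBUG 'd' row: SSSS:OOOO then 16 hex bytes, the 8th and 9th joined by '-'.
DUMP_ROW = re.compile(r"^[0-9A-Fa-f]{4}:([0-9A-Fa-f]{4})\s+"
                      r"((?:[0-9A-Fa-f]{2}[ -]){15}[0-9A-Fa-f]{2})")

# DOS 2/3 BIOS Parameter Block, little-endian, sector offsets 0x00-0x1B.
BPB = struct.Struct("<3s8sHBHBHHBHHH")
BPB_FIELDS = ("jump", "oem_name", "bytes_per_sector", "sectors_per_cluster",
              "reserved_sectors", "fats", "root_entries", "total_sectors",
              "media_descriptor", "sectors_per_fat", "sectors_per_track", "heads")


def load_dump(text, base=0x100):
    """Rebuild the 512-byte sector from DEBUG output; DEBUG loaded it at CS:0100."""
    sector = bytearray(512)
    for line in text.strip().splitlines():
        m = DUMP_ROW.match(line.strip())
        if not m:
            raise ValueError("unrecognised dump row: %r" % line)
        off = int(m.group(1), 16) - base
        row = bytes.fromhex(m.group(2).replace("-", " "))
        if not 0 <= off <= 512 - len(row):
            raise ValueError("row at %04X lies outside the sector" % (off + base))
        sector[off:off + len(row)] = row
    return bytes(sector)


def message_offset(sector):
    """The loader prints its text with lodsb from SI. Find the first 'mov si, imm16'
    (opcode BE) after the BPB and return the offset it loads (assumption: this
    loader style only)."""
    i = sector.index(b"\xBE", BPB.size)
    return struct.unpack_from("<H", sector, i + 1)[0]


def boot_message(sector):
    """NUL-terminated CRLF text at the offset the loader uses, blank lines dropped."""
    start = message_offset(sector)
    raw = sector[start:sector.index(b"\0", start)]
    return [ln.strip() for ln in raw.decode("ascii").split("\r\n") if ln.strip()]


def parse_boot_record(sector):
    if len(sector) != 512:
        raise ValueError("expected one 512-byte sector")
    info = dict(zip(BPB_FIELDS, BPB.unpack_from(sector, 0)))
    info["oem_name"] = info["oem_name"].decode("ascii", "replace")
    info["volume_bytes"] = info["bytes_per_sector"] * info["total_sectors"]
    info["boot_signature_ok"] = sector[510:512] == b"\x55\xAA"
    info["message"] = boot_message(sector)
    info["sha256"] = hashlib.sha256(sector).hexdigest()
    return info


def diff_sectors(a, b):
    """Byte-for-byte comparison like DOS COMP: list of (offset, byte_a, byte_b)."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    reference = load_dump(NORTON_SAFE_FORMAT_DUMP)
    info = parse_boot_record(reference)
    for k in BPB_FIELDS[1:] + ("volume_bytes", "boot_signature_ok", "sha256"):
        print("%-20s %s" % (k, info[k]))
    print("\n".join(info["message"]))
    # Constructed suspect: the same sector with one byte of loader code changed.
    suspect = bytearray(reference)
    suspect[0x3B] = 0xE9
    print("differences:", diff_sectors(reference, bytes(suspect)))
```

The decoded BPB (512 bytes/sector, 2 sectors/cluster, 112 root entries, 720 sectors, media FD, 9 sectors/track, 2 heads) is a plain 360K double-sided floppy, which is what a mass-duplicated disk should look like; the SHA-256 gives a reference value to compare other disks against, and any non-empty diff is what Padgett's COMP would have shown.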
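Editor's note on Bill Viggers' Scan v67 report above: his guess, that killer.com carries the very bytes Scan uses to recognise Invader, is the classic way a removal tool trips a signature scanner. The Python below is an added example, not code from the digest, from McAfee, or from whoever wrote killer.com. It constructs toy .COM images and a made-up signature (INVADER_SIGNATURE is invented, not the real Invader pattern) to show why a plain substring scanner flags the cleaning tool, and two of the usual mitigations: matching the pattern only near the program's real entry point, where a parasitic COM infector has to put its code, and an allow-list of hashes for known tools. Bill's own experience supplies the caveat: Clean, run on a false positive, destroyed the file, so a hit on a cleaning tool is a reason to verify, not to disinfect.

```python
"""Why a virus *removal* tool can trip a signature scanner, and two ways out.
Everything here is constructed for illustration: INVADER_SIGNATURE is not the
real Invader pattern and the .COM images are toys."""
import hashlib
import struct

# Hypothetical 12-byte pattern a scanner might use for the virus body.
INVADER_SIGNATURE = bytes.fromhex("E8 00 00 5E 81 EE 03 01 B4 2A CD 21")

# Constructed victim: a 38-byte program (mov ah,9; mov dx,100h; int 21h; nops; ret).
ORIGINAL = bytes([0xB4, 0x09, 0xBA, 0x00, 0x01, 0xCD, 0x21]) + b"\x90" * 30 + b"\xC3"
VIRUS_BODY = INVADER_SIGNATURE + b"\x90" * 20 + b"\xC3"


def infect_com(host, body):
    """Append the body and redirect the entry point to it with JMP rel16 (E9 lo hi),
    the way many parasitic COM appenders work: target = 3 + rel = len(host)."""
    rel = len(host) - 3
    return b"\xE9" + struct.pack("<H", rel) + host[3:] + body


INFECTED = infect_com(ORIGINAL, VIRUS_BODY)

# Constructed removal tool: real code at the entry point, and the pattern it
# searches for kept as a data constant far from the entry.
KILLER = (bytes([0xB4, 0x09, 0xBA, 0x00, 0x01, 0xCD, 0x21]) + b"\x90" * 100 + b"\xC3"
          + b"SIG:" + INVADER_SIGNATURE)
BENIGN = ORIGINAL


def scan_naive(image, sig=INVADER_SIGNATURE):
    """Substring match anywhere in the file: flags the removal tool too."""
    return sig in image


def com_entry_offset(image):
    """Where execution really starts: follow a leading JMP rel16 (E9) or rel8 (EB)."""
    if image[:1] == b"\xE9" and len(image) >= 3:
        return 3 + struct.unpack_from("<h", image, 1)[0]
    if image[:1] == b"\xEB" and len(image) >= 2:
        return 2 + struct.unpack_from("<b", image, 1)[0]
    return 0


def scan_entry_relative(image, sig=INVADER_SIGNATURE, window=64):
    """Only match the pattern within `window` bytes of the entry point, which is
    where an appending COM infector must land control."""
    entry = com_entry_offset(image)
    if not 0 <= entry < len(image):
        return False
    return sig in image[entry:entry + window + len(sig)]


# Allow-list: hashes of tools known to contain signatures on purpose (hypothetical).
KNOWN_TOOLS = {hashlib.sha256(KILLER).hexdigest(): "killer.com (local Stoned remover)"}


def verdict(image, sig=INVADER_SIGNATURE):
    name = KNOWN_TOOLS.get(hashlib.sha256(image).hexdigest())
    if name:
        return "known clean tool: " + name
    if scan_entry_relative(image, sig):
        return "infected"
    if scan_naive(image, sig):
        return "signature present but not at entry point: review manually"
    return "clean"


if __name__ == "__main__":
    for label, img in (("infected", INFECTED), ("killer.com", KILLER), ("benign", BENIGN)):
        print(f"{label:10s} naive={scan_naive(img)!s:5} "
              f"entry={scan_entry_relative(img)!s:5} -> {verdict(img)}")
```

The naive scanner reports both the infected program and killer.com; the entry-relative check clears killer.com while still catching the appender, and the allow-list short-circuits known tools before any signature logic runs. An unknown file that merely contains the pattern somewhere gets a "review manually" verdict rather than an automatic disinfection.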