VIRUS-L Digest Monday, 4 Feb 1991 Volume 4 : Issue 19 ****************************************************************************** Today's Topics: re: Apathy and viral spread (general) Q: Do I Have a Virus? (PC) Boot sector self-check (PC) Re: Weird Thing With F-Prot (PC) Re: Text in MLTI Virus (PC) Sun workstation virii? (UNIX) We seem to have a new virus (PC) Text in MLTI Virus (PC) MSDOS viruses (PC) Weird Thing With F-Prot 1.14 (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Thu, 31 Jan 91 17:02:13 -0500 From: attcan!john@uunet.uu.net Subject: re: Apathy and viral spread (general) p1@arkham.wimsey.bc.ca (Rob Slade) writes: >Recently, Stratford Software has started a new online information >service called SUZY. (The service is active in Canada, and is in (text ommitted) >What does this mean to you, and to data security? It means that >less than 3% of all, and 20% of *active* SUZY users care enough >about data security to join the anti-virus IN. This is the >*real* reason that computer viri are so widespread today: people >do not realize the danger. You are drawing conclusions from personal biases. Simply because members of SUZY do not subscribe to your IN, does not mean they are unaware of the danger of viruses. It simply means that they did not want to join your IN. Rather than allowing your 'statistics' to incorrectly lead people to false assumptions, let's clarify: 1) SUZY is a 'Pay to play' service 2) INtegrity is not an 'exclusive' source of information 3) INtegrity's user base is in all likelihood oriented towards 'personal' systems rather than 'corporate' systems (I draw this conclusion from my own experiences with the SUZY network) A niche that is already well covered by BBS systems. Now, as a user, why would I pay good money to join a SIG/FORUM/IN/whatever wneh I can probably get the same or better information for free from a local BBS or E-MAIL list? (Better, simply because more people subscribe to 'freebies' than 'pay to play' services and also people are more likely to post information when they aren't being charged to contribute). I am a supporter of SUZY. (Though I still prefer CompuServe, BIX and even PORTAL as far as 'pay' services are concerned) But I refuse to let your biased rantings go unchallenged. The following stats came from 3 BBS's: Percentage of users that subscribe to the 'virus' sections 68%, 77% and 83%! Message activity (rating/number of active sections) 37/145, 8/63 and 10/38 Apathy? I don't think so. One anti-virus program had been retrieved more than 500 times in the past 6 months! Most corporate security precautions include some form of computer virus control. Most BBS's make a point of checking programs for viruses prior to advertising them on their systems. I wish we could be this 'apathetic' about our environment and our fellow human beings. I think it's time for a large dose of reality, Rob. Why not look at how to make your 'IN' more appealing instead of trying to convince people that it's representative of the 'real world' Peace ____Opinions expressed are my own. Transcripts available for a small fee____ === =--==== AT&T Canada Inc. John Benfield =----==== 3650 Victoria Park Ave. Network Support Analyst (MIS) =----==== Suite 800 ==--===== Willowdale, Ontario attmail : ~jbenfield ======= M2H-3P7 email : uunet!attcan!john === (416) 756-5221 Compu$erve: 72137,722 __Genius may have its limitations, but stupidity is not thus handicapped.___ ------------------------------ Date: Fri, 01 Feb 91 01:06:36 +0000 From: rfink@eng.umd.edu (Russell A. Fink) Subject: Q: Do I Have a Virus? (PC) I would like to ask this community to consider an odd symptom on two machines I use, and tell me if this anomaly is characteristic of a virus: On two IBM PC's, one, a PS/2 Model 50; the other, an AT (circa '86), I notice that 'chkdsk' on the hard drives result in there being an identical number (and memory cost) of 'bad sectors' reported for both machines. Now, should I worry about viruses? Is there a viable chance that there happens to be the same number of bad sectors on both machines? If this sounds like a virus, which one could it be? I appreciate any consideration given to my problem, and thank all e-mailers in advance for any response given. - -- //===== //===== Russ Fink =============== // //____ rfink@eng.umd.edu // // University of Maryland //===== //===== College Park ============ ------------------------------ Date: Thu, 31 Jan 91 22:16:08 -0800 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Boot sector self-check (PC) gt1546c@prism.gatech.edu (Gatliff, William A.) writes: > To help combat this, what would be the possibility of 'delibrately' > infecting ones boot-sector with a piece of code that would display > some kind of 'ok' message if it hadn't been tampered with? Not a bad idea, although it would have to be done carefully, and wouldn't be 100% certain anyway. You see, boot viri generally remove the original boot sector to a safe location, and then install themselves in the original boot sector location. They are then run first. After that, they are perfectly content to let the normal OS take over ... under supervision, as it were. I could see your scheme working with some current viri, if the original boot sector "pointed" to another program which checked the boot sector to see if it was intact, andonly then called the OS. This would deal with a number of current viri, including Stoned. It would not, unfortunately, deal with "stealth" boot viri like Joshi, and I can see virus writers getting around it in other ways as well. Still, it's a thought. Vancouver p1@arkham.wimsey.bc.ca _n_ Insitute for Robert_Slade@mtsg.sfu.ca H Research into (SUZY) INtegrity / User Canada V7K 2G6 O=C\ Security Radical Dude | O- /\_ /-----+---/ \_\ / | ` ||/ "A ship in a harbour is safe, but that / ||`----'|| is not what ships are built for." || || - John Parks `` `` ------------------------------ Date: Fri, 01 Feb 91 09:22:09 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Weird Thing With F-Prot (PC) > ...when F-FCHK came across the file INSTALL.EXE from the PCPANEL package > (something to do with redirecting printer output) I got an error message > saying it couldn't write to the A: drive The reason is that INSTALL.EXE is packed, using the LZEXE program. If it had been infected before it was packed, normal scanning would not find the virus. I added the ability to scan LZEXE-packed files to F-PROT, but the routine for scanning LZEXE-packed file has two problems - it is a bit slow, as it is written in C - I have not had the time to rewrite it in assembly language. The other problem, which is the cause of the above difficulties, is that F-FCHK will write a temporary file to the current drive. If the current drive is A: and the floppy disk is write-protected, this error may occur. I am planning to rewrite this in version 2.0 - doing the unpacking in memory. - -frisk ------------------------------ Date: Fri, 01 Feb 91 18:54:23 +0200 From: public@lehtori.tut.fi (PD Software Group) Subject: Re: Text in MLTI Virus (PC) > Regarding the discussion about "Eddie," I have always associated the > phrase, > "Eddie die somewhere in time" > along with the action of randomly picking a location to kill with the > book Slaughterhouse 5 by Kurt Vonnegut Jr, where the hero has become > unstuck in time. > >Am I alone? I don't know if you are alone, but the "Eddie lives somewhere in time" and the "Eddie die somewhere in time" phrases are taken from the heavy metal band Iron Maiden. Eddie is their mascot and "Somewhere In Time" is the title of their album which was released in 1986. Iron Maiden and the other heavy metal bands are really popular in the Eastern Europe. BTW, the texts in the Anthrax virus ("Anthrax" and "Damage Inc.") are also taken from two heavy metal bands. Anthrax is a quite popular band from the USA and the Damage Inc. was the cover name used by Metallica, also from the USA. Both of these bands play so-called speed metal, but the Iron Maiden plays more old-fashioned heavy metal. Tapio Keihanen public@cc.tut.fi ------------------------------ Date: Fri, 01 Feb 91 09:57:14 -0800 From: DAN Subject: Sun workstation virii? (UNIX) In the archives that I have seen so far for VIRUS-L, most of the information seems to be on PC virii. What about virii for Sun workstations? We are starting to download public domain software for our Sun 4's, and were wondering about potential virus risks. Thanks. Daniel Schwepker ------------------------------ Date: Fri, 01 Feb 91 15:08:38 -0500 From: Mark Strandskov <34HLEFG@CMUVM.BITNET> Subject: We seem to have a new virus (PC) Hello, We could use a little help. We have a PC which seems to have a virus which is undetectable by SCAN6.3V72. Like most, it infects COMMAND.COM and then procedes to infect all executables. As far as we can tell, it changes the first 8-12 bytes and then appends about 1579-1591 bytes on the end of the file. It does change the date and time for the file. It doesn't display any message or signature associated with it. If a disk is write protected, it doesn't error but it will make the drive sound like it is eating your disk for lunch. The infected files generally seem to either lock up the computer or cause errors when executing the program. As of this time, we have only spotted it on one computer. I would greatly appreciate any assistance in identifying the virus. I am going to try to get in touch with McAfee Assoc. to help with this "pain in the lower tender region." Thanks. Mark Strandskov Central Michigan University 34HLEFG@CMUVM ------------------------------ Date: Sat, 02 Feb 91 12:56:48 -0500 From: "Richard Budd" Subject: Text in MLTI Virus (PC) Y. Radai writes in VIRUS-L V4 #18 >Subject: Re: Text in MLTI virus (PC) > Fridrik Skulason asked about the meaning of the following text in >the MLTI virus: >> This programm was written in the city of Prostokwashino >> (C) 1990 RED DIAVOLYATA > > "RED DIAVOLYATA" is a partial translation of "Krasnie Dyavolyata". >It and "Prostokvashino" are the names of well-known Soviet films. >"Dyavolyata" was apparently too hard for the virus-writer to >translate. It means something like "little devils", and "Krasnie >Dyavolyata" refers to the youth who fought against the White Army >during the Russian Revolution. The village "Prostokvashino" is a >fictitious one, which explains why Brian McMahon didn't find it in the >books he consulted. Wes Morgan(morgan@engr.uky.edu) writes in VIRUS-L V4 #18 >>>The MLTI virus contains this text - clearly a reference to the "Eddie" >>>virus, but what does "RED DIAVOLYATA" mean ? (I want to emphasize >>>that "Dark Avenger" is the name of the author of the "Eddie" virus - >>>not the name of the virus itself.) >>> >>> Eddie die somewhere in time! >>> This programm was written in the city of Prostokwashino >>> (C) 1990 RED DIAVOLYATA >>> Hello! MLTI! > >Perhaps our virus author is a heavy-metal fan. "Eddie" is the mascot >of the group Iron Maiden. Eddie happens to be a {corpse, undead, zom- >bie}. (I'm not sure which word to use. That group's discography in- >cludes an album titled "Somewhere In Time". >Hmmmm.....a techno-metalhead conspiracy, perhaps? Subliminal messages >in rock albums inciting teenagers to digital terrorism? Hmmmmmmm..... Actually, it isn't anything subliminal. Dark Avenger, according to the | New York Times,is a Bulgarian. Families I've stayed with in Poland and | Czechoslovakia have explained that virtually the only "entertainment" | available in theaters and on television in East-bloc countries before o. 1989 were Soviet and domestic political and Communist historical films such as those mentioned by Mr. Radai. The American films now shown on Polish and Czech television aren't exactly Academy Award classics. There was and still is an active underground selling pirated recordings recordings of heavy-metal and 1960's groups. Boys in villages and large cities in Poland, Czechoslovakia, and Hungary wore T-Shirts and leather jackets with Iron Maiden, Metallica, MegaDeth, and Poison on them. Even though casettes from these groups are now available in stores in the larger cities, they are expensive (relative to their standards, cheap in relation to what the casettes cost in New York), especially when in some countries, food and other basic staples are hard to get. This adulation from young men in Bulgaria and other former Soviet-bloc countries for heavy metal is probably for the same reason the groups enjoy wide support from young people here - rebellion against repressive establish- ment. The only difference is the youth in Eastern Europe had a far more repressive establishment, less accessibility to outlets other than the "Party line" and more incentive to rebel than their counterparts in the West. Since the overthrow of Communist regimes in Eastern Europe, the economies of these countries have been in a mess, something we seem to vel be ignoring as we watch CNN cover the Persian Gulf. One wonders if those young men from Eastern Europe who are writing viruses are trying to get our attention? I have received no reply from Budapest about the POLIMER virus and am wondering if that sentence was in Magyar. Could somebody on the net be of help here. Richard Budd | E-Mail: - rcbudd@rhqvm19.ibm VM Systems Programmer | All Others - klub@maristb.bitnet IBM - Sterling Forest, NY | Phone: (914) 578-3746 - ------------------------------------------------------------------------ Question of the Week: Should the United States test the neutron bomb on Baghdad? ======================================================================== ------------------------------ Date: 02 Feb 91 21:45:29 +0000 From: lr@cs.brown.edu (Luigi Rizzo) Subject: MSDOS viruses (PC) Hi there, a question just to point out how things are. Suppose the following scenario: Given an MSDOS machine with an infected HARD DISK (no matter what kind of virus it is), and a sane floppy disk, I do the following: 1) Boot with a sane floppy disk; 2) SYS C: boot sector, IBMBIO.SYS, IBMDOS.SYS and COMMAND.COM are restored from the sane disk. 3) REN C:\CONFIG.SYS C:\CONFIN.OLD 4) REN C:\AUTOEXEC.BAT C:\AUTOEXEC.OLD avoid any infected driver/utility/whatever be called at startup 5) Reboot from the hard disk. At this point, am I sure that the virus cannot be installed in the PC, and that I can execute the 'internal' DOS commands ? Thanks Luigi Rizzo lr@cs.brown.edu, luigi@sssup2.sssup.it ------------------------------ Date: Mon, 04 Feb 91 09:58:39 -0400 From: pjc@sirius.melb.bull.oz.au (Paul Carapetis) Subject: Weird Thing With F-Prot 1.14 (PC) Richard W Travsky said: > A funny thing happened: when F-FCHK came across the > file INSTALL.EXE from the PCPANEL package (something to do with > redirecting printer output) I got an error message saying it couldn't > write to the A: drive (the familiar "abort, retry, fail"). I ran it Yes, I have observed a similar incident when F-FCHK came across VSHIELD.EXE (We are licensed for McAfee also). I have reported this anomoly to frisk - he is aware of this problem. - --Paul | Paul Carapetis, Software Advisor (Unix, DOS) | Phone: 61 3 4200944 | | Melbourne Development Centre | Fax: 61 3 4200445 | | Bull HN Information Systems Australia Pty Ltd |-------------------------| | Internet: pjc@melb.bull.oz.au | What's said here is my | | ACSnet : pjc@bull.oz | opinion (so I am told!) | ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 19] *****************************************