VIRUS-L Digest   Monday, 21 May 1990    Volume 3 : Issue 99

Today's Topics:

stoned in tn. (PC)
New MDEF virus (Mac)
re: Scan Res (PC)
re: LZEXE and SCAN (PC)
Where's M (PC)
Re: Experimental UNIX viruses (UNIX)
Re: "The Cuckoo's Egg"
Return of the Internet Worm??? (UNIX)
virii vs. viruses
Re: Virus frequencies (PC)
Compressed Files and Virus Scanning (PC)
New MDEF Virus & Disinfectant 1.8 (Mac)
Hacked PKZIP (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  Administrative mail (comments, suggestions, and so forth)
should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: Fri, 18 May 90 11:48:00 -0500
From: 
Subject: stoned in tn. (PC)

The "Stoned" virus has been detected in the Jackson, TN area by the lab
supervisor at Jackson Vo-Tech.  There are a lot of businesses in the
area that might take heed.  Unfortunately "Stoned" is heading westward
across Tennessee...

MSU VIRUS ATTACK TEAM - MCSLANNUM@MEMSTVX1

------------------------------

Date: Fri, 18 May 90 14:31:59 +0000
From: jkirsh@contact.uucp (Joel Kirsh)
Subject: New MDEF virus (Mac)

XMU@CORNELLA.BITNET (Tom Young) writes:

>     The Vaccine program will successfully block an infection.  When
>an application is launched, Vaccine will display a message asking if
>you wish to grant permission to add an MDEF resource.  If you see this
>message, you have the new virus.

Does anyone know if Gatekeeper will block this virus?
------------------------------

Date: 18 May 90 09:03:04 +0000
From: "The.Gar"
Subject: re: Scan Res (PC)

Scanres is distributed by McAfee Associates.  If you would like to talk
to them about your problem, their voice line is (408) 988-3832.  If you
would like to get the newest version of their program, call THE HOME
BASE BBS, which is McAfee's own board, at (408) 988-4004.  I have
version 5.2 which was released on 12-31-89, so it's pretty recent.

As far as I can tell from the documentation, which comes with the
program, there is no way to remove it from memory.  Of course if you
have a TSR management system, or even something like MARK and CLEAR,
that wouldn't be very tough.  (How that works is you run MARK before
you invoke a TSR, and then CLEAR to take the TSR out of memory.  Both
are available on any good BBS.)

I got a copy of SCANRES in for evaluation, but have decided not to use
the product, because I just am NOT scared of this whole virus craze.  I
am a smart, careful user, and I believe that smart users will probably
never be hit.  Unfortunately I have a campus full of less smart users
that have been hit on occasion.  We are using SAM for the Macs, and
have decided that at this time we don't need anything on the PCs.

Oh, you might point out to your boss that SCANRES is only using 17K of
RAM and it probably is not worth his time to try and get that 17K,
unless you just really are TIGHT on RAM.  (You could use MAPMEM to show
him that figure, which is also available on most good BBS systems.)

Later
THE GAR AKA Gary Warner

------------------------------

Date: 18 May 90 09:11:24 +0000
From: "The.Gar"
Subject: re: LZEXE and SCAN (PC)

McAfee also has a solution for this problem.  SHEZ, which is a
compressed file manager, will work in cooperation with SCAN from McAfee
to scan compressed files for viruses.
If I understand its functioning correctly, what actually occurs is that
it searches the compressed file for .EXE, .COM, .OBJ, and .SYS files,
then uncompresses them into a temporary file and scans that temp file.
I am not sure on that.

SCAN and SHEZ are both available at the HOME BASE BBS (408) 988-4004.
Remember, if you are going to use Shareware regularly, you are obligated
to REGISTER it.  Go ahead and d/l the programs, try them out, and see if
you have a use for them.  If you do: REGISTER THEM!!

Later
THE GAR AKA Gary Warner

------------------------------

Date: Fri, 18 May 90 19:59:00 -0400
From: 
Subject: Where's M (PC)

>Subject: Re: New anti-viral programs from McAfee
>
>I downloaded ACS Virus scan from simtel20 and by doing a
>avs c:\ /a /e ...

Where is this AVS in the archives?  How new is it?  I looked under PD1:
and it's not there.

Anxiously awaiting your reply,

Santo Nucifora
SANTO@SENECA.BITNET

------------------------------

Date: Thu, 17 May 90 20:39:17 -0500
From: michael@uller.UUCP
Subject: Re: Experimental UNIX viruses (UNIX)

In Craig's note of Fri 18 May, he writes:

>> he loosed the thing inside AT&T as an experiment to see how well such
>> a weak virus would spread, and how it could be started.  (he started the
>> infection by adding an infected copy of "echo" to some public directories
>> he had write access to).

It is important that the following distinction be made:

1- he had the virus only on his test machine.
2- for some reason, one of his co-workers shipped a file around that
   was infected.

The distinction here is that he didn't set it loose inside of AT&T, but
only on HIS test machine... Because of unfortunate events, it got loose.

In either case, he also did the presentation for Decus in the Spring of
1989.  (You might be able to find someone with the audio tape.)

- --
Michael F. Angelo
rice!uller!michael              Decus Unisig Symposia Coordinator
angelo@pilot.njin.net           14926 Walters Rd, Houston TX
o1s@j.cc.purdue.edu             (v)713-374-8141, (c)713-586-8329
uunet!cpqhou!michaela

------------------------------

Date: Fri, 18 May 90 18:46:51 -1000
From: jwright@cfht.cfht.hawaii.edu (Jim Wright)
Subject: Re: "The Cuckoo's Egg"

>From peterd@opus.cs.mcgill.ca (Peter Deutsch)
>                                       Unfortunately, the
> author didn't have the end of the story and I don't recall
> seeing it in the media.  Anyone able to tell me what
> happened to the guy?

"The wily hacker turned out to be 26-year-old Marcus Hess of Hanover,
West Germany.  Just a week and a half before Compcon Spring 90, the
trial was concluded.  The very clever--and cautious--invader received a
two-year sentence."

        Ware Myers
        IEEE Computer, May 90, p. 106 (in a sidebar)

Clifford Stoll spoke at Compcon 90, thus the above reference.  Has the
press been particularly quiet about this?  Morris got lots of press for
a hack, but Hess stole time, services and information.

Jim

------------------------------

Date: 19 May 90 06:12:26 +0000
From: coplex!dannie@uunet.UU.NET (Dannie Gregoire)
Subject: Return of the Internet Worm??? (UNIX)

In this month's issue of Unix World (May, pg 56), there is a small note
as follows.....

        Next Month In Unix World

        "The Internet Worm: We show you the code, and Investigate
        Whether the Holes have been patched."

I'm not sure how much of the code is to be published, but I suppose this
is one way to find out if the holes have been plugged ;-( !  Gee, I
wonder if they will publish the MAKE file as well? ;-)

Dannie Gregoire
Copper Electronics
dannie@coplex.UUCP

------------------------------

Date: Sat, 19 May 90 22:33:25 +0200
From: swimmer@fbihh.informatik.uni-hamburg.de (Morton Swimmer)
Subject: virii vs. viruses

Hey, what's up?  I thought it was an established convention to speak of
_viruses_ and not _virii_.
If I remember correctly there was a discussion about this a few months
back, and _viruses_ was thought of as the most widespread.

Cheers, Morton
Virus Test Center, University of Hamburg

PS: Fred Cohen also calls them critters _viruses_

------------------------------

Date: Sat, 19 May 90 22:38:21 +0200
From: swimmer@fbihh.informatik.uni-hamburg.de (Morton Swimmer)
Subject: Re: Virus frequencies (PC)

frisk@rhi.hi.is (Fridrik Skulason) writes:

>Here is my personal estimate on the situation in Iceland right now.

and mine for Germany (but because we unfortunately do not keep records
they are not too reliable)

>                       USA (Chess)     Iceland           Germany (West)
>>  Bouncing Ball        26%             30 %              10%
>>  1813 (Jerusalem)     21%              5 %              15%
>>  1704                 15%             50 % (2 variants) 20%
>>  Stoned                9%              2 %              10%
>>  1701                  8%              5 %               5%
>>  648 (Vienna)          7%             ---               10%
>>  Brain                 7%              2 %              ---
>>  Yale                  1%             ---               ---
>>  17Y4                < 1%             ---               ---
>>  2772 (Y.D.)         < 1%             ---               ---
>>  765                 < 1%             ---               ---
>>  Disk Killer         < 1%              2 %               5%
>>  Lehigh 1            < 1%             ---               ---
>>  Sunday              < 1%             ---               ---
>>  Sylvia              < 1%             ---               ---
>   Icelandic 1/2/3                       3 %              ---
>   Ghostballs                            1 %              ---
    Macho                                                   1%
    Advent                                                < 1%
    Dark Avenger                                            2%
    5120                                                  < 1% (I hope)
    Vacsina (TP04)                                          5%
    Yankee (TP44)                                            ?

We haven't seen Brain for a long time, nor any of the Icelandic viruses.
There seems to be a Bulgaria connection somewhere as we have both
Vacsina and Dark Avenger (1st version).  Stoned was distributed along
with a video card by a major reseller in Germany and they didn't do a
great job at cleaning up after themselves.

We are getting quite a few reports of viruses we have never heard about,
reported by obscure antiviruses.  Until we see the disks we won't know
what they really have.
Cheers, Morton
Virus Test Center, University of Hamburg

------------------------------

Date: Sun, 20 May 90 10:40:03 -0700
From: Alan_J_Roberts@cup.portal.com
Subject: Compressed Files and Virus Scanning (PC)

This is a forward from John McAfee:
===================================================================

Rich Garzon's posting (V3 #96) about the dangers of LZEXE compressed
files mirrors the real and growing problem with people planting viruses
inside such self-extracting executables.  LZEXE has become extremely
popular and is readily available to anyone wishing to hide a known virus
and distribute it.  Nearly all EXE files can be compressed with LZEXE
and one need only infect a given file with a common virus, LZEXE it,
and the end result is a functioning program carrying a non-detectable
virus.  The average user cannot distinguish a compressed executable from
a non-compressed version in most cases.

In addition to purposefully planting viruses inside LZEXE'd files, many
cases have surfaced where end users have inadvertently compressed
already infected files for their own use.  These files have then been
passed around to friends and co-workers.  After a virus begins to spread
from one of these self-extracting executables it can readily be
identified.  But the problem, of course, is that the disinfection
process usually skips over the compressed carrier program -- since it
can't be identified with normal scanning techniques -- and the virus
begins spreading all over again.

The issue is further complicated by the fact that LZEXE compressed files
may carry an external infection as well as an internal infection.  What
this means is that a virus inside such a file may re-infect the
compressed executable as if it were a normal EXE file.  The virus fails
to detect that it has already infected the program (internally).  This
external infection may be cleaned using a disinfector and yet the file
will still be infectious.
This adds confusion to the end user who is trying to deal with an
infection.  All in all this is becoming a serious problem.

Numerous shareware and commercial packages (SHEZ, CHECKOUT, etc.) have
been developed as companion programs to allow VIRUSCAN to scan inside
ZIP, ARC, LZH, ZOO, PAK and other non-self extracting archive files.
Even without special utilities, the non-self extracting archives do not
represent a serious problem because the user may simply UNZIP (or UNARC
etc.) the archive and then scan the contents prior to execution.  But
no-one has yet addressed the LZEXE problem.

Since we are not compression specialists, we were hoping for someone
competent in the field to develop another SCAN companion program, like
SHEZ, to do the internal scanning.  This has not happened.  Therefore,
version 63 of SCAN, to be released June 1, will contain its own internal
scan capability for LZEXE compressed files.  It automatically identifies
LZEXE compressed files and scans inside them.  The program works fine
and successfully identifies all the known viruses inside such files, but
it probably is not as fast as it could have been if it had been
developed by hands more experienced in compression/decompression
algorithms.  Nevertheless, it's all that we have for now and it works.

If you have only a few LZEXE compressed files in your system, you
probably will not notice a significant slowdown in the scanning process.
If you have no such files, the scan time will be the same as before.  If
ALL of your files are LZEXE'd, then I'd suggest you go out for coffee
and donuts during the scan, or possibly take a brief nap, catch up on
your paperwork or do a few calisthenics -- you'll have plenty of time.
We have included a switch, by the way, to turn off the internal LZEXE
scan if you choose.
John McAfee
408 988 3832 - voice
408 970-9727 - fax
408 988 4004 - BBS

------------------------------

Date: Sun, 20 May 90 19:06:21 -0400
From: jln@acns.nwu.edu
Subject: New MDEF Virus & Disinfectant 1.8 (Mac)

Disinfectant 1.8
================

May 20, 1990

Disinfectant 1.8 is a new release of our free Macintosh virus detection
and repair utility.  Version 1.8 recognizes the new MDEF virus.  Thanks
to Tom Young for reporting this new virus and sending us a copy.

The MDEF Virus
==============

The MDEF virus was first discovered at Cornell University in May, 1990.
It is also sometimes called the "Garfield" virus.

MDEF infects both applications and the System file.  It does not infect
document files.  The Finder and DA Handler also usually become infected.
The System file is infected as soon as an infected application is run.
Other applications become infected as soon as they are run on an
infected system.

As with all of the other known Macintosh viruses, MDEF does not
intentionally attempt to do any damage, but it is harmful anyway.  It
does not beep, display messages or pictures, or do anything other than
spread from file to file.

For technical reasons, the MDEF virus only spreads on some kinds of
Macintoshes.  It causes the Mac 128K and the 512K to crash.  It spreads
successfully on the 512KE, Plus, SE, SE/30, II, IIx, and IIcx.  On the
Mac IIci and IIfx, it spreads from infected applications to uninfected
system files, but it does not spread from infected systems to uninfected
applications.  We have not yet had the opportunity to test the virus on
the Mac Portable.

The MDEF virus has an unfortunate reaction with Vaccine.  On
Vaccine-protected systems, if an infected application is run, Vaccine
properly notifies the user of the attack, but it blocks only part of the
attempt by the virus to infect the System file.  The virus cannot spread
from the System file to applications in this situation, but the System
file is damaged, and menus no longer work properly.
When you press on a menu title in the menu bar, no menu pops down.
Menus continue to work properly only in infected applications -- they do
not work properly in the Finder or in uninfected applications.
Disinfectant will properly detect and repair these kinds of damaged
System files.

GateKeeper is totally effective against the MDEF virus.  It successfully
blocks the attempt by the virus to infect the System file.  The System
file is unchanged.  Menus do not work properly in infected applications,
but they do work properly in the Finder and in uninfected applications.
This menu behavior is the exact opposite of what happens on
Vaccine-protected systems.

The MDEF virus is named after the type of resource it uses to infect
files.  MDEF resources are a normal part of the Macintosh system, so you
should not become alarmed if you see them with ResEdit or some other
tool.

The MDEF and WDEF viruses have similar names, but they are completely
different and should not be confused with each other.

Other Changes in Version 1.8
============================

A change was made in Disinfectant 1.7 which caused problems with
GateKeeper for a few people.  The change made it necessary to grant
Disinfectant 1.7 GateKeeper privileges even when just scanning for
viruses.  Previous versions required privileges only when repairing
infected files.  This problem has been fixed in version 1.8 -- GateKeeper
privileges are now once again required only when repairing files.

We made a change to the way that auto-floppy scanning works.
Disinfectant first examines the internal floppy drive and the external
floppy drive (if you have one) to see if they both contain inserted
disks.  If they both do, Disinfectant ejects one of them, then asks you
to insert the first floppy to be scanned.  Disinfectant will no longer
eject a CD-ROM or any other kind of non-floppy removable disk in this
situation.
How to Get a Copy of Version 1.8
================================

Disinfectant 1.8 is available now via anonymous FTP from site
acns.nwu.edu [129.105.49.1].  It will also be available soon on
sumex-aim, rascal, comp.binaries.mac, CompuServe, Genie, Delphi, BIX,
MacNet, America Online, Calvacom, AppleLink, and other popular sources
for free and shareware software.

Macintosh users who do not have access to bulletin boards, networks,
user groups, or online services may obtain a copy of Disinfectant by
sending a self-addressed stamped envelope and an 800K floppy disk to the
author at the address below.

John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208

Bitnet:     jln@nuacc
Internet:   jln@acns.nwu.edu
CompuServe: 76666,573
AppleLink:  A0173

------------------------------

Date: Sun, 20 May 90 23:01:44 -0700
From: Robert Slade
Subject: Hacked PKZIP (PC)

Apologies if this is redundant.  Also, I have no idea whether this
refers to a trojan or a virus.

(816)   Tue 15 May 90  4:16p
By: John Williams
 * Forwarded from "Pittnet"
 * Originally to Lou Pascazi
 * Forwarded by Matt Troup 05/12/1990 12:26pm CDT

WARNING!  WARNING!  WARNING!  WARNING!  WARNING!  WARNING!
- ----------------------------------------------------------

There is a file being circulated on BBS's called PKZ120.ZIP or
PKZ120.EXE or similar, and that claims to be version 1.20 of PKZIP but
in fact is a hacked version of PKZIP 1.10.  As of the date of this
writing, the latest version of PKZIP is version 1.10.  Furthermore, due
to this intentional act of vandalism, PKWARE will not release any
versions of PKZIP in the future with the version 1.20.  If you see the
files PKZ120.ZIP or PKZ120.EXE on any BBS or on-line system, please ask
the SysOp of that system to remove the files IMMEDIATELY, and please
contact PKWARE to report where the files were seen.

REWARD!
- -------

PKWARE is offering a reward of lifetime free upgrades for PKZIP to
anyone who can provide information leading to the identification and
prosecution of the person or persons responsible for creating this bogus
version 1.20 of the software.  They have only served to confuse and hurt
the user community, and the perpetrators of this crime are at minimum in
violation of Federal Copyright Law.

If you have any information about the source of PKZ120.EXE or
PKZ120.ZIP, please report it to PKWARE immediately, either:

        by Voice at 414-352-3670
        by BBS at 414-352-7176
        by FAX at 414-352-3815

or by mail:

        PKWARE Inc.
        7545 N. Port Washington Rd.
        Glendale, WI 53217

I have seen no other confirmation of this, but the latest PKZIP is
version 1.10 as far as I can determine.

Robert Slade
Vancouver Institute for Research into User Security

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 99]
*****************************************
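The LZEXE problem John McAfee describes in this digest (a packed carrier hides the program inside from a plain signature scan, and the carrier itself can pick up a second, "external" infection), as an added illustration that is not part of the digest nor code from McAfee's SCAN or SHEZ: an MZ header triage step that tells a scanner when a file must be unpacked before a "clean" verdict means anything. It assumes the standard DOS MZ header layout and the "LZ90"/"LZ91" tag LZEXE leaves at header offset 0x1C, neither of which is stated in the digest; the sample files are constructed.

```python
"""Triage helper for DOS MZ executables: tells a scanner when a file is an
LZEXE-packed carrier whose contents still have to be unpacked and scanned.

Added example; not code from this digest, from McAfee's SCAN or from SHEZ.
Assumed (standard MZ/LZEXE layout, not stated in the digest): MZ header
fields at their usual offsets, and LZEXE's b"LZ90"/b"LZ91" tag at 0x1C.
"""
import struct

MZ_HEADER = struct.Struct("<2s" + "H" * 13)   # 28-byte little-endian header


def parse_mz(data: bytes) -> dict:
    """Return the header facts a scanner cares about; ValueError if not MZ."""
    if len(data) < 0x20 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (_sig, cblp, cp, _crlc, cparhdr, _minalloc, _maxalloc,
     _ss, _sp, _csum, ip, cs, _lfarlc, _ovno) = MZ_HEADER.unpack_from(data, 0)
    # Loadable image size declared by the header: cp pages of 512 bytes,
    # cblp bytes used in the last page (0 means the last page is full).
    image_size = cp * 512 - ((512 - cblp) if cblp else 0)
    tag = data[0x1C:0x20]
    packed = tag[:2] == b"LZ" and tag[2:].isdigit()
    return {
        "header_bytes": cparhdr * 16,
        "entry": (cs, ip),
        "image_size": image_size,
        # Bytes past the declared image that DOS never loads.  Appending
        # viruses normally update the header, so this is a hint, not proof.
        "overlay_bytes": max(0, len(data) - image_size),
        "lzexe_version": tag[2:].decode("ascii") if packed else None,
    }


def scan_disposition(data: bytes) -> str:
    """What to do before trusting a 'clean' verdict from a plain signature scan."""
    info = parse_mz(data)
    if info["lzexe_version"]:
        # The packed program is invisible to plain signature scanning, and
        # the carrier itself can also be infected "externally" (McAfee's
        # point): both the unpacked program and the outer file need a look.
        return "unpack-and-scan-inside"
    return "scan-as-is"


def build_mz(tag: bytes = b"\0\0\0\0", body: bytes = b"", overlay: bytes = b"") -> bytes:
    """Constructed sample (not a real program): a 32-byte MZ header like
    LZEXE's, the given tag at 0x1C, then body and any overlay bytes."""
    header_paragraphs = 2
    image = header_paragraphs * 16 + len(body)
    cp, cblp = divmod(image, 512)
    if cblp:
        cp += 1
    hdr = MZ_HEADER.pack(b"MZ", cblp, cp, 0, header_paragraphs, 0, 0xFFFF,
                         0, 0x80, 0, 0x0E, 0, 0x1C, 0)
    return hdr + tag + body + overlay
```

A real scanner would follow the "unpack-and-scan-inside" verdict by decompressing the image (or, as SCAN 63 does, scanning it in place) and then checking the outer file again, since cleaning only the outer copy leaves the packed one intact.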