VIRUS-L Digest   Monday, 10 Dec 1990    Volume 3 : Issue 198

Today's Topics:

Virus? (PC)
Re: WDEF-A Response (Mac)
U.S. sighting of ZUC B (Mac)
Re: LZEXE - a possible anti virus application (PC)
Re: Computers at Risk, in Washington Post, Virus-L #197
New Virus? (The Invader?) (PC)
LZEXE anti-viral application (PC)
Anti-virus Plus (PC)
Re: WP viruses (PC)
Re: MusicBug (PC)
Scanv68 problems (PC)
Virus detection (unix, pc)
RE - SAM/MS Mail Problem
Virusdetect. for UNIX
Call for Papers - 14th National Computer Security Conference

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: 07 Dec 90 20:11:14 +0000
From: cr1@beach.cis.ufl.edu (Anubis)
Subject: Virus? (PC)

We're having a very weird problem here at the office...  Our keyboards
keep going into 'Warp Mode', meaning that the key repeat rate keeps
going VERY VERY high...you hold down a key for half a second and the
result is many many consecutive keyclicks.  Normally a reboot will cure
this for a while at least.  We're using 386 clones with hard drives,
two different types of computers...I'm using an HP Vectra.  At first I
thought that maybe it was something we are both using causing this
problem...but the only things we use commonly are Turbo C++ and maybe
one or two common utilities.  Could a virus be causing this?
Does this symptom sound familiar?

- --
=-=-=-=-=-=-=-=That is not dead which may eternal lie-=-=-=-=-=-=-=-=-=-=-=-=
 * Christoper Roth                      *   "Machines have no
 * InterNet : cr1@beach.cis.ufl.edu     *    Conscience..."
=-=-=-=-=-=-=-=Yet with strange eons even death may die-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: 07 Dec 90 20:34:19 +0000
From: jalden@eleazar.dartmouth.edu (Joshua M. Alden)
Subject: Re: WDEF-A Response (Mac)

asqe-y-v-ssi@stuttgart-emh1.army.mil (Dale Jones) writes:

>Please be careful with your very broad statement of "You can get rid
>of virus by rebuilding the Desktop on your
>hard disk (which is where it resides)."
>
>Dale Jones
>Chief, Information Center, 589th Signal Company
>Stuttgart Germany

I think the problem here is that you must re-build the Desktop and then
make sure the virus is not active in memory.  To do that, simply
re-start.  You CAN get rid of WDEF by re-building the Desktop; we do it
here all the time.  But WDEF is a persnickety little thing, and it
spreads quickly back to your hard drive from any floppies you have that
still have it, and from anyone else's infected floppy, all at the
insertion of the disk.

We recommend GateKeeper Aid to our users.  It completely removes WDEF
whenever it sees it; no action on the part of the user is necessary.
So you throw GateKeeper Aid in your System folder, re-boot, and insert
all your floppies once, and you know you haven't got WDEF, and that you
can't get it again as long as you've got GateKeeper Aid.

- -Josh Alden, Virus Consultant, User Services, Dartmouth College.
- --
/--------------------------------------------------+-------------------------\
|Josh Alden, Consultant, Kiewit Computation Center | HB 48, Dartmouth College|
| Private mail: Joshua.Alden@dartmouth.edu         | Hanover, NH 03755       |
| Virus mail:   Virus.Info@dartmouth.edu           | (802) 295-9073          |

------------------------------

Date: Fri, 07 Dec 90 15:14:41 -0500
From: Tom Young
Subject: U.S. sighting of ZUC B (Mac)

ZUC B has been detected on the Cornell campus.  The vector was a
student who had just returned from Italy, where ZUC seems to have
originated.  An alert operator in one of our public facilities was
checking a diskette, and the patron mentioned having been in Italy.
Our person scanned with his freshly downloaded Disinfectant 2.4 and up
popped ZUC B.  So, we may have nipped this one in the bud.

All the same, this serves as a cautionary tale: Keep your virus-fighting
software up-to-date, even if the newest version is just for an obscure
or foreign virus.  Note that Disinfectant 2.4, released Dec 3, is needed
to detect ZUC B.  Version 2.3 will not find this virus.

Tom Young, Cornell Information Technologies, Workstation Systems Services
Bitnet: XMU@CORNELLA    Internet: xmu@cornella.cit.cornell.edu

------------------------------

Date: 07 Dec 90 20:55:16 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: LZEXE - a possible anti virus application (PC)

tfarrell@lynx.northeastern.edu writes:

>The really neat part,
>though, is that it includes a self-check into every file compressed
>with the utility, so that if the file has been changed it will notify
>you.  This would detect the presence of a virus in the software.

No...no...no...

Remember - if the program is infected after it is LZEXEd, then the
virus will be activated first, when the program is executed.  If it is
a "stealth" type virus, the LZEXE self-test is useless, as the infected
program will appear uncorrupted.

On the other hand, if the program is first infected, and then LZEXEd,
the main effect will be that the majority of current anti-virus
programs will not detect the virus.  McAfee's SCAN will, and my own
F-PROT, but I know of no other programs capable of scanning LZEXE-packed
files.

This is a nice program, but not of much use against viruses...

- -frisk

------------------------------

Date: Fri, 07 Dec 90 16:12:40 -0500
From: hoffman@seas.gwu.edu (Lance J. Hoffman)
Subject: Re: Computers at Risk, in Washington Post, Virus-L #197

The complete report described in yesterday's front page article in The
Washington Post (and in an inside page in the New York Times) is
terrific.  It is called COMPUTERS AT RISK and is published by the
National Research Council.  The panel that put it together is
top-notch, and the 303 page report describes the whole world of
computer security, with viruses as a (small) subset; the technical,
administrative, and policy aspects are all covered well.

The report is available from the National Academy Press, 2101
Constitution Ave NW, Washington DC 20418 (though I drove down and
bought my copy at the Press' bookstore at 2001 Wisconsin Ave NW; they
were running out, but expecting another shipment yesterday afternoon,
so supposedly they have them now; you can call and ask first).  I'm
sure there are better ways for those not in driving distance, but I
don't know what they are.  The book costs $19.95.

Lance Hoffman
- --
Professor Lance J. Hoffman
Department of Electrical Engineering and Computer Science
The George Washington University
Washington, D. C. 20052
(202) 994-4955    fax: (202) 994-0458
hoffman@seas.gwu.edu

------------------------------

Date: Fri, 07 Dec 90 18:37:59 -0500
From: Bob McCabe
Subject: New Virus? (The Invader?) (PC)

I got word today of a possible new virus that was apparently
deliberately spread around at the Canadian Computer Show.  As I have
not heard or seen any postings of a similar virus I thought I'd post a
description here to see if anyone knows anything about it.

The virus apparently infects the CMOS on an AT, changing the drive type
after an incubation period, and then locking out the hard drive.  It
can be spread by running a program from an infected disk (how disks are
infected is unknown, nor is it known if a particular program is the
source).  According to one distributor that got hit, the only way to
remove the virus is to disconnect the AT board from the battery backup
and to wipe the BIOS on the hard disk controller.  This may be a little
extreme, but I have yet to see an infected machine.  Apparently there
is also a message displayed when the virus becomes active, calling the
virus 'THE INVADER'.

Does this sound similar to any known virus?  Does SCAN pick up the
virus, and if so which version?  Is there a simpler way to remove the
virus from an infected machine?

Any help would be appreciated.  I should get a copy of an infected disk
on Monday and may have more information then.

========================================================================
INET : PSYMCCAB@VM.UOGUELPH.CA          Bob McCabe
CoSy : bmccabe                          Psychology Dept.,
Compuserv : 72260,1501                  University of Guelph
Phone : (519) 821-8982                  Guelph, Ont. Canada
=========================================================================

------------------------------

Date: Fri, 07 Dec 90 14:18:56 -0800
From: p1@rlyeh.wimsey.bc.ca (Rob Slade)
Subject: LZEXE anti-viral application (PC)

tfarrell@lynx.northeastern.edu writes:

> I use a program on my hard drive called LZEXE.  It is a shareware

There are a number of these programs.

> though, is that it includes a self-check into every file compressed
> with the utility, so that if the file has been changed it will notify
> you.  This would detect the presence of a virus in the software.

There are a couple of problems with this.  One is that if you compress
an infected program, you end up with a compressed, infected program.
The second is that, as with the discussion on CRC checkers earlier, a
stealth virus simply "lies" to any checking or authentication routine.

One additional problem is that programs which already have "self
checking" built in will fail because of the compression and addition of
the decompression module.
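An added illustration, not part of the digest or of any poster's message, of the two points Fridrik Skulason and Rob Slade make above about a packer's built-in self-check. The Python below models a packer that stores a digest of whatever bytes it is handed, and a program that verifies that digest when it starts; LZEXE's real file layout and check routine are not reproduced, and the program bytes, the injected bytes and the `SELFCHK1` trailer marker are all constructed for the example. It shows that a change made before packing is baked into the stored digest, that a change made after packing is caught only if the self-test sees the real bytes rather than a view supplied by something resident in memory, and that a digest recorded independently and kept off the machine catches both, provided the comparison is run from a clean boot.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Constructed trailer marker for this model; not LZEXE's real layout.
MAGIC = b"SELFCHK1"
DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes


def pack(program: bytes) -> bytes:
    """Model of a packer that appends a self-check record.

    The record is a digest of whatever bytes the packer was handed, so it
    attests to the program's state at packing time and to nothing else."""
    return program + MAGIC + hashlib.sha256(program).digest()


def split_record(image: bytes) -> Tuple[bytes, bytes]:
    """Return (body, stored_digest); raise if the trailer is malformed."""
    trailer_len = len(MAGIC) + DIGEST_LEN
    if len(image) < trailer_len or image[-trailer_len:-DIGEST_LEN] != MAGIC:
        raise ValueError("no self-check record present")
    return image[:-trailer_len], image[-DIGEST_LEN:]


def self_check(image: bytes,
               read_self: Optional[Callable[[bytes], bytes]] = None) -> bool:
    """The embedded self-test as the running program would perform it.

    `read_self` models how the program observes its own on-disk bytes.
    Normally it sees the real image; a memory-resident component that
    intercepts file reads (the 'stealth' case) can hand back a clean copy."""
    observed = read_self(image) if read_self is not None else image
    body, stored = split_record(observed)
    return hashlib.sha256(body).digest() == stored


def prepend(image: bytes, extra: bytes) -> bytes:
    """Model a modification that gains control before the original entry
    point.  Both arguments are constructed bytes, not real code."""
    return extra + image


def external_check(image: bytes, known_good: bytes) -> bool:
    """Compare against a digest recorded earlier and kept off the host.

    Only meaningful when run from a clean boot, so that nothing resident
    can filter what the checker reads."""
    return hashlib.sha256(image).digest() == known_good


def scenarios() -> Dict[str, bool]:
    program = b"\xb8\x00\x4c\xcd\x21"   # constructed stand-in for a program
    extra = b"\xe9\x10\x00"             # constructed stand-in for injected bytes

    clean = pack(program)
    known_good = hashlib.sha256(clean).digest()   # recorded while known clean

    # Slade: compress an infected program, get a compressed, infected program.
    changed_before_pack = pack(prepend(program, extra))
    # Skulason: infected after packing; the prepended bytes run first.
    changed_after_pack = prepend(clean, extra)

    def lie(_observed: bytes) -> bytes:
        # Stealth: whatever is read back, present the clean image.
        return clean

    return {
        "clean_self_check": self_check(clean),
        "changed_before_pack_self_check": self_check(changed_before_pack),
        "changed_after_pack_self_check": self_check(changed_after_pack),
        "changed_after_pack_stealth": self_check(changed_after_pack, lie),
        "external_changed_before_pack": external_check(changed_before_pack, known_good),
        "external_changed_after_pack": external_check(changed_after_pack, known_good),
    }


if __name__ == "__main__":
    for name, passed in scenarios().items():
        print(f"{name:34s} {'passes' if passed else 'FAILS'}")
```

Run stand-alone, the script reports that the self-check passes for the clean image, passes for the image changed before packing, fails for the image changed after packing, and passes again once the stealth view is in the loop, while the externally recorded digest fails both changed images. The design point is the one both posters make: a check whose reference value lives inside the artifact it protects, and whose reads go through the same environment as the artifact, can attest to nothing more than the state in which that environment chooses to present it.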
------------------------------

Date: Fri, 07 Dec 90 14:52:29 -0800
From: p1@rlyeh.wimsey.bc.ca (Rob Slade)
Subject: Anti-virus Plus (PC)

I tend to use Word Perfect's "Files List" feature to move files around
on the disk, and to make up floppies.  I was doing just that, when I
got a message that I had been "running an infected file.  PREVENT1 has
removed the infection."  This was a little odd, since Word Perfect is
one of the commercial programs that does its own self check.  Not proof
against a stealth virus, of course, but still, it would be an unlikely
candidate for infection.

PREVENT1 had dumped me back at the DOS prompt, so I did a quick
F-SYSCHK.  Nothing.  I F-FCHKed, SCANned and VPCSCANned the WP51
directory, with no results.  (VPCSCAN is the scanning portion of
Virex-PC, written by Ross Greenberg of Flu-Shot fame.  Let me say in
passing that it is *FAST*.)

Then I got to thinking.  One of the files I had been trying to delete
was a .COM file.  So I tried it again.  Same result.  I tried deleting
a few other types of files.  No problems with anything but a .COM or an
.EXE.  I got sneaky and renamed MOVE.COM to MOVE.TXT.  PREVENT1 didn't
like that either, so it's pretty sneaky itself.

PREVENT1 does not interfere with PCTOOLS deletion of program files, and
I don't know what the difference would be, although I assume PCTOOLS
would use a "deeper" call to do its deletions than WP would.  So
Antivirus Plus is making some assumptions, generally valid, about what
some programs should be doing with other program files.  A way to catch
unknown viri, perhaps, but it may interfere with operations you want to
do if, like me, you use programs for things they were never meant to
do.  :)

------------------------------

Date: Sat, 08 Dec 90 05:40:16 +0000
From: jkelly@violet.berkeley.edu (John Kelly)
Subject: Re: WP viruses (PC)

SSAT@PACEVM.BITNET (Jean F. Coppola) writes:

>Does anyone know of a WordPerfect virus that the document duplicates
>itself within the document and if you try to go to the end of the
>document it takes a very long time and then goes to the top of the
>document...I have seen this happen 3 times to 3 people in the last
>couple of days and was wondering if such a virus exists?

I wonder, too.  I have seen this and another strange thing with
WordPerfect: floppy disks' FATs get completely scrambled.  It could be
user error, but at least some of the half-dozen users I've seen this
happen to are too competent to pull this sort of screwup on their own.

You don't mention what version of WP you're using or what the overall
environment is.  Our problems started with the installation of WP 5.1
on a Novell Netware LAN.  SCAN has not turned up anything.  WP being
the hog it is, and somewhat new to the network world, I more than half
suspect that this is a memory-allocation bug in WP.  Or else it's user
error.  As I told a user's group the other day, the only way we'll find
out is by all of us taking notes and sharing them.

------------------------------

Date: Sat, 08 Dec 90 00:45:00 -0500
From: "Russell E. Billings/HSCC Student Supervisor IV"
Subject: Re: MusicBug (PC)

I purchased a Packard Bell Pack-Mate 386X in September, so the VALERT
message caused me to immediately check my system.  McAfee Scan v71
claimed that both disks mentioned (ComBase and the VGA Utility) were
clean.  I then went into the boot sectors of both with Norton
Utilities, and found the DOS error messages at Sector 0, Cylinder 0,
Offset 377.  At least some of the PB systems are not infected with
MusicBug.

Russell Billings
Student Supervisor
Health Sciences Computer Center
University of Louisville, Louisville, Kentucky

------------------------------

Date: Sun, 09 Dec 90 18:32:25 +0200
From: Baruch Even
Subject: Scanv68 problems (PC)

Here are some corrections for the info that was given at: vol 3 iss 191

The file contains a virus now named: The Saddam Virus
The only bad activity it does is when you do Del with any parameter it
will do Del *.* by mistake or deliberately.

BTW: latest scan is SCAN71B

PS: not long ago I posted the virus desc.  If someone wants it, I have
corrected a few things there...

Hope this helps,
Baruch Even

+-------------------------------------------------------+
| Baruch Even                                           |
|                                                       |
| BitNet   - NYEVENBA@WEIZMANN.BITNET                   |
|            Might be changed to NYEVENBA@WICC-XA       |
| InterNet - nyevenba@weizmann.weizmann.ac.il           |
|                                                       |
| Enjoy The Silence - Depeche Mode                      |
+-------------------------------------------------------+

------------------------------

Date: 09 Dec 90 20:20:29 +0000
From: theall@rm105serve.sas.upenn.edu (George A. Theall)
Subject: Virus detection (unix, pc)

I am looking for software that runs under xenix yet will detect viruses
in DOS software.  This will be used on a bbs system operating under
xenix (no VP/ix available :-( ) to scan uploads to DOS file areas.
Pointers towards pd, shareware, or commercial solutions -- C source or
binaries -- would be welcome.

Thanks in advance,
George

[Ed. George, please summarize any responses that you get to the list.
It may be useful to note that there are publicly distributable versions
of UNZIP and ARC (in C source) that run under UNIX.  Both are available
on SIMTEL20.]

- ---
theall@rm105serve.sas.upenn.edu         Dept. of Economics
theall@ssctemp.sas.upenn.edu            Univ. of Pennsylvania
gtheall@penndrls.upenn.edu              Philadelphia, PA 19104

------------------------------

Date: 09 Dec 90 22:11:00 +0000
From: D1660@AppleLink.Apple.COM (SoftPlus, Paul Cozza,PRT)
Subject: RE - SAM/MS Mail Problem

Werner:

Thanks for forwarding that info to me about SAM and MS Mail.  Please
forward the below info to the appropriate forum.

Paul

There was a compatibility conflict between MS Mail 2.0 and early
versions of SAM 2.  This compatibility problem was correctable at that
time by simply having MS Mail run before SAM.  I made changes to SAM to
avoid the conflict.  These were incorporated in SAM 2.0.2B which was
released last May or so.  Since then I have heard nothing of any SAM/MS
Mail problem.  SAM doesn't touch data files, nor have I heard of it
randomly crashing.  I suspect the problem to be MS Mail since the
problem was verified to have also occurred on machines running without
SAM.

Paul Cozza
SAM Author

------------------------------

Date: 10 Dec 90 11:27:25 +0000
From: eric@cssoff.syssup.tds.philips.nl (Eric van Rheenen)
Subject: Virusdetect. for UNIX

Hello netters,

I'm relatively new to this newsgroup and the subject, but I didn't read
anything about viruses in UNIX here.  But I still will give it a try.
I have the following questions:

- Are there any virus detectors for UNIX viruses?  If yes, where can I
  find them?
- Where can I get more information about UNIX viruses (I prefer
  information on Motorola oriented machines)?

Thanks in advance.

Eric van Rheenen
Philips Informatie Systemen Nederland B.V.
Tel : +31 (0)55 - 43 3372   | UUCP    : ...!mcsun!philapd!cssnl!eric
Fax : +31 (0)55 - 43 3487   | Internet: eric@syssup.tds.philips.nl

------------------------------

Date: Sat, 08 Dec 90 23:34:00 -0500
From: Jack Holleran
Subject: Call for Papers - 14th National Computer Security Conference

                            CALL FOR PAPERS

               14th NATIONAL COMPUTER SECURITY CONFERENCE

           Sponsors: National Computer Security Center and
                     National Institute of Standards and Technology

        Theme: Information Systems Security: Requirements & Practices

                            OCTOBER 1-4, 1991
                          OMNI SHOREHAM HOTEL
                            WASHINGTON, D.C.

The focus of the 14th NCS Conference will be on the "Experiences in
our Applications".  These applications include, but are not limited
to, efforts to meet the policy requirements required by law or
corporate policy.  We would like you to share your learning curve with
the Computer Security Community.  We also encourage submission of
papers on the following topics of high interest:

Systems Application
   * Access Control Strategies
   * Achieving Network Security
   * Application of Trusted Technology
   * Integrating INFOSEC into Systems
   * User Experience with Trusted Systems
   * Secure Architectures
   * Securing Heterogeneous Networks
   * Small Systems Security

Criteria, Evaluation and Certification
   * Assurance and Analytic Techniques
   * Conducting Security Evaluations
   * Federal Computer Security Criteria
   * Experiences in Applying Verification
   * Integrity and Availability
   * Formal Policy Models

Management and Administration
   * Accrediting Information Systems and Networks
   * Specifying Computer Security Requirements
   * Life Cycle Management
   * Managing Risk
   * Role of Standards
   * Preparing Security Plans

International Computer Security Activities
   * Conformance Test Development and Evaluation
   * Harmonized Criteria
   * International Evaluation Infrastructure
   * Prototype Development
   * Research Activities

Innovations and New Products
   * Approved/Endorsed Products
   * Audit Reduction Tools and Techniques
   * Biometric Authentication
   * Data Base Security
   * Personal Identification and Authentication
   * Smart Card Applications
   * Tools and Technology

Awareness, Training and Education
   * Building Security Awareness
   * COMPUSEC Training: Curricula, Effectiveness, Media
   * Curriculum for Differing Levels of Users
   * Keeping Security In Step With Technology
   * Policies, Standards, and Guidelines
   * Understanding the Threat

Disaster Prevention and Recovery
   * Assurance of Service
   * Computer Viruses
   * Contingency Planning
   * Disaster Recovery
   * Malicious Code
   * Survivability

Privacy and Ethical Issues
   * Computer Abuse/Misuse
   * Ethics in the Workplace
   * Laws
   * Privacy and Individual Rights
   * Relationship of Ethics to Technology
   * Standards of Ethics in Information Technology

We are pleased to invite academic Professors to recommend Student
papers in the application of Computer Security methodology.  Three
student submissions will be selected by the Technical Committee for
publication in the 14th NCS Conference Proceedings.  To be considered,
the submission must be solely authored by an individual student and be
recommended by an Academic Professor.  Only one copy for student
submission is required.

BY FEBRUARY 15, 1991: Send eight copies of your draft paper* or panel
suggestions to one of the following addresses.  Include the topical
category of your submission, author name(s), address, and telephone
number on the cover sheet only.

   * Government employees or those under Government sponsorship must so
     identify their papers.

BY MAY 11, 1991: Speakers selected to participate in the conference
will be notified when their camera-ready paper is due to the Conference
Committee.  All referee comments will be forwarded to the primary
author at this time.

For additional information on submissions, please call (301) 850-0272.

Mailing Information:

1. FOR PAPERS SENT VIA U.S. or Foreign Government MAIL ONLY:
      National Computer Security Conference
      ATTN: NCS Conference Secretary
      National Computer Security Center
      9800 Savage Road
      Fort George G. Meade, MD 20755-6000

2. FOR PAPERS SENT VIA COMMERCIAL COURIER SERVICES (e.g.- UPS, FEDERAL
   EXPRESS, EMERY, etc.)
      National Computer Security Conference
      c/o NCS Conference Secretary
      National Computer Security Center
      911 Elkridge Landing Road
      Linthicum, MD 21090
   Please note that the US Government Postal System does not deliver to
   Elkridge Landing Road.

3. FOR Electronic Mail:
      NCS_Conference@DOCKMASTER.NCSC.MIL
      (1 copy only; no figures or diagrams)

Preparation Instructions for the Authors

To assist the Technical Review Committee, the following is required for
all submissions:

Page 1:
   Title of paper, submission, or panel suggestion
   Focus & keywords (e.g. - Innovations and New Products - Biometric
      Authentication, Tools and Technology)
   Author(s)
   Organization(s)
   Phone number(s)
   Net address(es), if available
   Point of Contact

   Additionally, submissions sponsored by the U.S. Government must
   provide the following information:
      U.S. Government Program Sponsor or Procuring Element
      Contract number (if applicable)
      U.S. Government Publication Release Authority
      Note: Responsibility for U.S. Government pre-publication review
      lies with the author(s).

Page 2:
   Title of paper or submission - do not include author(s) or
      organization(s)
   Abstract (with keywords)
   The paper (Suggested Length: 8 pages, double columns, including
      figures and diagrams; pitch: no smaller than 8 point.)

A Technical Review Committee, composed of Government and Industry
Computer Security experts, will referee submissions only for technical
merit for publication and presentation at the National Computer
Security (NCS) Conference.  No classified submissions will be accepted
for review.  The Conference Committee provides for a double "blind"
refereeing.  Please place your names and organizations on page 1 of
your submission, as defined above.  Failure to COMPLY with the
instructions above may result in non-selection BEFORE the referee
process.

Papers drafted as part of the author's official U.S. Government duties
may not be subject to copyright.  Papers submitted that are subject to
copyright must be accompanied by a written assignment to the NCS
Conference Committee or written authorization to publish and release
the paper at the Committee's discretion.  Papers selected for
presentation at the NCS Conference requiring U.S. Government
pre-publication review must include, with the submission of the final
paper to the committee, a written release from the U.S. Government
Department or Agency responsible for pre-publication review.  Failure
to comply may result in rescinding selection for publication and for
presentation at the 14th NCS Conference.

Technical questions can be addressed to the NCS Conference Committee by
mail (see Mailing Information) or by phone, (301) 850-0CSC [0272].

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 198]
******************************************