VIRUS-L Digest Wednesday, 13 Dec 1989 Volume 2 : Issue 259 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Preventative measure for DIR exec (VM/CMS) AIDS Disk sent in UK Wdef at UKCC (Mac) re: Poland Viruses/Oropax (PC) Re: Seeking Gatekeeper (Mac) Never say die Major Trojan Warning (PC) Update on AIDS Trojan (PC) Yet Another EAGLE Appears (PC) --------------------------------------------------------------------------- Date: Tue, 12 Dec 89 09:58:06 -0500 From: Lee Miller (Gonzo) Subject: Preventative measure for DIR exec (VM/CMS) Just a suggestion but anyone who wants to take an extra precautionary measure towards the dir exec or any virus erasing files meeting certain time date criteria could use the touch exec and module available from the listserver at BLEKUL11 to change the time date of your files. Thus before running any exec that you don't know what it it you change all time dates to before 1990 so the deletion that dir does wont find anything to erase. If you have any inquiries to this exec e-mail me. Lee Miller LPM102@PSUVM.psu.edu.Bitnet ------------------------------ Date: Tue, 12 Dec 89 14:53:34 +0000 From: Alan Jay Subject: AIDS Disk sent in UK AIDS DISK -- PC Cyborg Corporation This disk was mailed to many people on a major magazine mailing list today 12-DEC-1989. If you recived a copy DO **NOT** RUN it -- We do NOT know what it does. This disk implies that it may cause harm to your PC -- DO NOT RUN IT!!!! If you have run it -- DO NOT PANIC!!!! Currently we have NO proof that the disk is harmful. DO NOT RUN THE PROGRAM AGAIN. The program renames your "autoexec.bat" so you will have to reconstitute your old one. "Autoexec.bat" has been hidden by setting the 'hidden' attribute you may need NORTON or similar to delete the new "Autoexec.bat". There are also a number of other hidden subdirectories. Currently we do not kenow the purpose of this disk and so can not say what damage that it may do, if any, or what you should do about it. Warn other users not to run the program. Currently the only 100% safe course of action is to boot of the original DOS system disk and perfrm a reformat of your disk -- We DO NOT recommend you do this unless you have a recent backup that you are happy with -- We have no proof of any malicious nature in this disk. We hope to update this bulletin later today or tomorrow as more information becomes available. [Ed. See more information below.] Alan Jay @ The IBM PC User Group, PO Box 360, Harrow HA1 4LQ ENGLAND Phone: +44 -1- 863 1191 Email: alanj@ibmpcug.CO.UK Path: ...!ukc!slxsys!ibmpcug!alanj Fax: +44 -1- 863 6095 Disclaimer: All statements made in good faith for information only. ------------------------------ Date: Mon, 11 Dec 89 17:28:00 -0500 From: someone please stop the bunny Subject: Wdef at UKCC (Mac) Guess what?! I just talked to someone at UKCC (University of Kentucky) with a finder slowdown problem. He checked and it was WDEF. So now we have another site for WDEF infection. To date Southeastern Mass U is clean (of WDEF that is). This is not nice. Anyone know where this one came from? - Zav "ACS - Never a dull moment" ------------------------------ Date: 12 Dec 89 00:00:00 +0000 From: "David.M..Chess" Subject: re: Poland Viruses/Oropax (PC) Alan_J_Roberts@cup.portal.com: > One of the five viruses submitted to McAfee by Andrzej Kadlof > appears to be the long-lost Oropax virus, at least according to Dave > Chess at IBM. Just to be as timid as possible, I didn't say "this is the Oropax virus"; I said "this seems to match the description of the 'Oropax' given in the MSDOSVIR.A89 document from Hamburg". For all I know, this is a brand-new virus, written by some unimaginative virus author who heard the Oropax rumors, and decided it was a good idea! *8) DC ------------------------------ Date: Mon, 11 Dec 89 19:41:41 -0700 From: Ben Goren Subject: Re: Seeking Gatekeeper (Mac) Thanks to all those who replied. Here's a summary of what people reccomended: Gatekeeper is avaible 1) through the Info-Mac archives. These can be accesed (as I did) through Macserve (tell Macserve at PUCC help for instructions) or FTP at sumex-aim.stanford.edu or Rice University (I no longer have their complete address). There also is a relay in Ireland, and I believe others; 2) through FTP at Simtel-20. 3) through many individuals, including myself, if all else fails. Just ask! The Info-Mac archives have several other virus protection programs, as well as a large collection of other free-, shareware, and public domain files. I imagine that Simtel-20 also has a similar collection, if it is not another copy of Info-Mac. Now, one more question: is there a complete list of resources one shoul configure VirusDetective with? Thanks again, .............................................................. Ben Goren T T T / Trumpet Performance Major )------+-+-+--====*0 Arizona State University ( --|-| |---) Bitnet: AUBXG@ASUACAD --+-+-+-- .............................................................. ------------------------------ Date: Thu, 07 Dec 89 21:42:23 -0800 From: cpreston@cup.portal.com Subject: Never say die Virus Immortality There is a growing trend, not just in portable computers, to save the state of the machine when the computer is "turned off". This is a consideration for fault-tolerant or semi-fault-tolerant systems, where there has been great attention paid to saving all files and system state no matter what, but probably these system administrators will be knowledgeable enough to work through the problems created by system design. There will, however, be users who don't understand what is happening when they put a computer to sleep or turn it off, or even remove the battery. In some cases, even removal of the power supply (battery) does not kill the contents of RAM due to a "keep-alive" smaller battery backup. Leaving aside the other security implications of always preserving RAM, (such as password retention or decrypted file retention) virus detection and removal will certainly be more confusing. In other words, the current practice of telling computer users to be sure their machine has been turned off during virus removal will no longer be sufficient. Even the people who think they are being extra careful by removing the battery for a minute or two will be fooled. Cases in point: 1. Macintosh Portable. The normal "off" mode is really a sleep mode, with all RAM contents retained. At the touch of a key, the user is able to continue with any operations in progress at the time the machine was left. The running program (s) are still running, data files open, etc. Removal of the main battery will not erase RAM due to a 9 volt backup, designed to ensure continuity during battery switches. According to an Apple representative, use of the reset switch (not the interrupt) will force an immediate power-off to RAM, and a start-up with clean RAM. 2. Zenith MinisPort. Part of RAM can be configured as a non- volatile RAM disk. A number of other machines have this feature also. This shouldn't cause as much problem, since people are used to permanent storage on disks and know that it needs to be checked and purged. Extra RAM can also be configured as EMS memory, probably also non-volatile. 3 Poqet pocket MS-DOS PC. Memory is powered all the time. Even when the batteries are changed, a capacitor will keep the system going for 10 to 15 minutes. The keyboard I/O "on/off" switch merely puts the machine to sleep. There is a recessed reset button which will purge RAM. 4 Toshiba portables. New portables, such as the T1000SE, have an "auto-resume" feature to allow the computer to be turned "off", including changing the battery, while RAM contents are preserved. 5 Emerson Accucard. This is an IBM PC hardware card with its own battery. It is designed to detect a power failure, and save the state of the machine to disk before shutting down. When I called both the company and their national distributor, nobody could tell me whether there was any way to defeat this system, such as cold booting from a floppy disk, without physically removing the card. They promised to call back with more information. ------------------------------ Date: Tue, 12 Dec 89 11:26:29 -0800 From: Alan_J_Roberts@cup.portal.com Subject: Major Trojan Warning (PC) This is an urgent forward from John McAfee: A distribution diskette from a corporation calling itself PC Cyborg has been widely distributed to major corporations and PC user groups around the world and the diskette contains a highly destructive trojan. The Chase Manhattan Bank and ICL Computers were the first to report problems with the software. All systems that ran the enclosed programs had all data on the hard disks destroyed. Hundreds of systems were affected. Other reports have come in from user groups, small businesses and individuals with similar problems. The professionally prepared documentation that comes with the diskette purports that the software provides a data base of AIDS information. The flyer heading reads - "AIDS Information - An Introductory Diskette". The license agreement on the back of the same flyer reads: "In case of breach of license, PC Cyborg Corporation reserves the right to use program mechanisms to ensure termination of the use of these programs. These program mechanisms will adversely affect other program applications on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement." Further in the license is the sentence: "Warning: Do not use these programs unless you are prepared to pay for them". If the software is installed using the included INSTALL program, the first thing that the program does is print out an invoice for the software. Then, whenever the system is re-booted, or powered down and then re-booted from the hard disk, the system self destructs. Whoever has perpetrated this monstrosity has gone to a great deal of time, and more expense, and they have clearly perpetrated the largest single targeting of destructive code yet reported. The mailings are professionally done, and the style of the mailing labels indicate the lists were purchased from professional mailing organizations. The estimated costs for printing, diskette, label and mailing is over $3.00 per package. The volume of reports imply that many thousands may have been mailed. In addition, the British magazine "PC Business World" has included a copy of the diskette with its most recent publication - - another expensive avenue of distribution. The only indication of who the perpetrator(s) may be is the address on the invoice to which they ask that $378.00 be mailed: PC Cyborg Corporation P.O. Box 871744 Panama 7, Panama Needless to say, a check for a registered PC Cyborg Corporation in Panama turned up negative. An additional note of interest in the license section reads: "PC Cyborg Corporation does not authorize you to distribute or use these programs in the United States of America. If you have any doubt about your willingness or ability to meet the terms of this license agreement or if you are not prepared to pay all amounts due to PC Cyborg Corporation, then do not use these programs". John McAfee ------------------------------ Date: Tue, 12 Dec 89 18:17:04 -0800 From: Alan_J_Roberts@cup.portal.com Subject: Update on AIDS Trojan (PC) The following is a posting from John McAfee: Early reports from people who have disassembled the AIDS trojan that has been mailed to numerous European corporations indicate that the trojan may be encrypting information on the disk rather than destroying it outright. The results are the same without a decrypting routine but the possibility is] now raised that the perpetrators do have and may offer such a decryptor. The report from Chase Manhattan Bank that the name and address in the Trojan are bogus may not be correct. John Markoff of the New York Times has since stated that his sources found a real corporation corresponding to the name and address in the file. This raises some interesting questions which, I believe, only time will answer. Whatever is happening, this much is known: The trojan will make all data on the hard disk unusable; the change happens suddenly; and no recovery is yet known. If you find or have a copy of this diskette don't use it. John McAfee ------------------------------ Date: Tue, 12 Dec 89 18:09:00 -0500 From: IA96000 Subject: Yet Another EAGLE Appears (PC) At 03:00 yesterday another version of EAGLE.EXE was discovered and forwarded to SWE for analysis. Here are the results. See back issues of VIRUS-L and/or VALERT-L for original symptoms. This new version has changed slightly: 1) Contains Jerusalem-D virus. Active and spreads! 2) Seeks out and overwrites the following files and locations: a) COMMAND.COM (ascii 246 used to overwrite) b) BOTH FAT's (ascii 246 used to overwrite) c) BOOT SECTOR (ascii 246 used to overwrite) d) EAGLSCAN.EXE (string "F**K YOU" used to overwrite) e) SCAN.EXE (string "F**K YOU" used to overwrite) f) VIRUSCAN.EXE ( same as last two above used to overwrite) 3) There seems to be a built in timer. Once the file has been loaded it remains dormant for twenty minutes. During this time the VIRUS can be detected by SCAN.EXE if you use the /M switch. Once the timer has run down, the trojan takes over and does its dirty deed. 4) Unlike previous versions, it DOES NOT matter if the disk is a DOS system disk or not. If a file is not found, it just continues on down the list. Previously COMMAND.COM had to be in the root to trigger the trojan. 5) SWE reports that they feel this WAS NOT written by the same author(s) as the first two versions. First, this new version appears to be written in Pascal. Second, SCAN.EXE will identify the file. It has not been encrypted or compressed like the previous versions. Since SCAN.EXE will detect the virus, and since SWE is closing for their vacation period, they feel there is NO rush to update EAGLSCAN at this time. They said it will be done when they get back. One important point needs to be repeated! SCAN.EXE will identify the virus, in memory when you use the /M switch. It will also detect the virus in a file. It has no way of knowing if the file also contains a trojan (understandable, it wasn't designed to) so be wary if you decide to experiment with this new version of EAGLE.EXE!!!! Thanks to Harriman, New York for sending it for evaluation. ------------------------------ End of VIRUS-L Digest *********************