VIRUS-L Digest Thursday, 14 Dec 1989 Volume 2 : Issue 260 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: New Virus Encyclopedia (Mac) File authentication software (PC) re: Preventative measure for DIR exec? (VM/CMS) RE: AIDS Trojan (PC) Becoming a Virus Expert (Mac) Re: AIDS DISK UPDATE (I) 1813 Virus Info Needed (PC) Re: AIDS -- UPDATE II -- What can you do. AIDS Trojan Update (PC) WDEF found at SUNY-Binghamton (Mac) --------------------------------------------------------------------------- Date: Wed, 13 Dec 89 04:01:26 +0000 From: henry@chinet.chi.il.us (Henry C. Schmitt) Subject: New Virus Encyclopedia (Mac) This is to announce a new version of Virus Encyclopedia. I have updated the stack to include the WDEF Virus and all those variants of nVIR that have appeared since its last release. Which release you have can be determined by the date modified listed on the Disclaimer card. This latest release is dated 12/12/89. I have just finished uploading VE to CompuServe, GEnie, several Chicago BBSs, and HomeBase BBS in California. I have also made arrangements with John Norstad to get a copy to the info-mac archives and comp.binaries.mac. If you are unable to get the stack in any other way (and please try!), I will accept requests accompanied by a disk or $2.50 at: Henry C. Schmitt 6613 Scott Lane - Apt. 17 Hanover Park, IL 60103-3849 I'll send back a copy of the NorthWest of Us Virus Control disk which includes VE, as well as the best of the virus control programs. Henry C. Schmitt Author of Virus Encyclopedia - -- H3nry C. Schmitt | CompuServe: 72275,1456 (Rarely) | GEnie: H.Schmitt (Occasionally) Royal Inn of Yoruba | UUCP: Henry@chinet.chi.il.us (Best Bet) ------------------------------ Date: Tue, 12 Dec 89 17:40:00 -0500 From: IA96000 Subject: File authentication software (PC) Recently I had the chance to discuss the inner workings of VALIDATE.EXE, (no..not VALIDATE.COM), with the authors. This program has been around for almost two years now, and has just under gone a dramatic change. In the past, it has detected changes in a file by reading the entire file, and using two proprietary formulas, calculated two CRC's for each file tested. VALIDATE.EXE is fast and capable of processing over 64,000 characters a second. The new version takes an entirely different approach. While I cannot go into intimate detail, basically it reads in large blocks of the file, takes a "snapshot" and continues. The block size varies depending on file size and available memory. If EMS or Extended memory is detected the program will increase the size of the blocks being read, up to the optimal size of a 1 megabyte block. Each "snapshot" taken is then processed. The contents of "snaphots" vary, depending on the type of file being processed (com, exe, ascii), the size of the file, and several other factors, including the total number of snapshots taken. As processing continues, two authentication strings are built. These are then encrypted, and converted to hex format for display. There are two versions of this program. The DOS version is capable of reading and processing over 113,000 characters a second.The OS/2 version of validate was designed to run under PM and takes full advantage of the advanced OS/2 functions. It has the ability to run several threads at the same time and does so whenever possible. The raw processing speed of the OS/2 version is not as fast as the DOS version, but the use of threads speeds the entire program up. Just thought you might like to know about this program. It will be available in both versions through SIMTEL in the near future. I have been asked to pass the following message along verbatim: Start of message ================= From: SWE To: VIRUS-L Subscribers Re: Free disk offer After processing and filling requests for over 570 EAGLSCAN (tm) disks, we are now withdrawing our offer. Each and every request has been filled, and all disks are on the back via US mail. SWE did not expect any where near the response we received and it has been a major project to produce these disks for you. So be it, we made the offer, and we learned our lesson. Any disks received after December 13, will not be processed until we open again, after the holidays. We will fill any requests starting January 4, when we return from holiday. Thank you for your requests and have a happy holiday. End of message =============== ------------------------------ Date: 13 Dec 89 00:00:00 +0000 From: "David.M..Chess" Subject: re: Preventative measure for DIR exec? (VM/CMS) Lee Miller (Gonzo) writes: > ... could use the touch exec and module > available from the listserver at BLEKUL11 to change the time date of > your files... > Thus before running any exec that you don't know what it > it you change all time dates to before 1990 so the deletion that dir > does wont find anything to erase. I think this is based on a misunderstanding of the damage that the DIR EXEC does. It never looks at the dates on *files*; it looks at the current date (via QUERY TIME), and if the last two digits of the year are greater than 89, it will erase all files with mode a0 or a1, regardless of the dates on the files. Changing dates on files will have no effect on how DIR behaves. DC ------------------------------ Date: Wed, 13 Dec 89 09:11:26 -0500 From: dmg@retina.mitre.org (David Gursky) Subject: RE: AIDS Trojan (PC) The AIDS Trojan Horse discussed by Alan Jay and John McAfee raises some interesting questions about accountability. Ignoring the issue that it is unlikely that the U.S. Government is unlikely to get cooperation from the Panamanian authorities in apprehending the culprits and bringing them to trial in either country, could the perpetrators be held liable under U.S. law for damages, when the licensing notice clearly states the program is not licensed to be used in the United States, and that damage will result if you attempt to do so. In the broader case, could the perpetrators be extradicted to one of the European countries that have better relations with Panama, and be held liable for damages even though the license says not to use the application without first paying for it. One consequence of this attack (although I find it unlikely legal authorities will be able to take advantage of it because of the situation in Panama) is that the perpetrators should be relatively easy to track. Someone rented the Post Office box in Panama. Hopefully someone is picking up the mail from that box, and from there it goes to the people behind it, somehow. ------------------------------ Date: Wed, 13 Dec 89 10:09:49 -0500 From: "Gregory E. Gilbert" Subject: Becoming a Virus Expert (Mac) Earlier in the year (mid to late October) someone inquired on some suggestions for becoming a "virus expert". (I assume in hopes to become an anti-virus expert.) Joe MacMahon suggested a number of things one of which included reading about ROM patches, INITs, and VBL tasks in Inside Macintosh. I made an attempt to locate these topics in Inside Macintosh and came up with the table below. (I was unable to find any information in the index on ROM Patches.) I have not read the topics I have listed, but intend make reading them a priority. Are what I have listed below relevant to the person who wants to maximize the amount of information attained while minimizing material to be studied? Are there other references that would be better? (Inside Macintosh references and "outside" references.) Other thoughts and comments are most welcome. I hope this helps some and hope that others will help this list get "fine-tuned". If you find anything grossly wrong with the list please do not bug flame Joe, flame me. Thanks. Greg Topic Volume Pages - ----- ------ ----- Inits I 114-115 InitGraf I 162-164 Font Manager Routines I 222-227 Window Manager I 280-288 Dialog Manager I 410-423 Memory Manager II 3- 52 Vertical Retrace II 349-354 Parameter RAM Operations II 380-382 The Video Interface III 18- 20 Resource Manager V* 29- 38 - --------------------------------------------- * - Sorry don't have access to Volume IV. Greg Postal address: Gregory E. Gilbert Computer Services Division University of South Carolina Columbia, South Carolina USA 29208 (803) 777-6015 Acknowledge-To: ------------------------------ Date: Wed, 13 Dec 89 16:09:36 +0000 From: Alan Jay Subject: Re: AIDS DISK UPDATE (I) AIDS INFORMATION DISK ===================== The latest on this is as follows: If you have run this disk contact ROBERT WALCZY at PC Business World on 01-831 9252 they have a FREE disk that combats the effects of the disk and they will send a copy to users effected. Either call Robert of FAX him on 01-405 2347 with your name and address. The disk should be available in the next day or two. The program will be available on CONNECT (01-863 6646) for download as soon as it has been tested. ======================================================================= The AIDS disk when installed creates a number of hidden files and directories. You can remove these files by running the program mentioned above or by using the Norton Utilities, PC Tools or equivalent program. The files that are hidden include a new AUTOEXEC.BAT and a number of other files and directories that contain characters that can not be accessed by standard DOS commands. You will need to rename the files/ directories before they can be deleted. This information will be updated as we learn more about the disk. Alan Jay -- The IBM PC User Group -- 01-863 1191. ------------------------------ Date: 13 Dec 89 15:40:48 +0000 From: gademsky@njitx.njit.edu Subject: 1813 Virus Info Needed (PC) I have encountered the virus 1813 here at my school. Does anyone out there know anything about this virus. This was detected using the Virscan program by IBM. I think this virus may be related to the "Friday the 13th" virus. Any comment out there. Please post in the news group since some people may be interested. Thanks Doug ------------------------------ Date: Wed, 13 Dec 89 18:26:57 +0000 From: Alan Jay Subject: Re: AIDS -- UPDATE II -- What can you do. AIDS INFORMATION DISK ===================== Update 2 13-Dec-1989 6pm IF you have not run this disk DO NOT INSTALL it appears to be a very cleverly written TROJAN program that can be activated by a number of methods. Currently the activation method that has been detected uses a counter of the number of system reboots. When the counter gets to 90 the system goes into a second phase and encrypts files and directories on your hard disk. The program appears to have a number of embelisments that makes one think that the front door we have been shown MAY not be the only method that the system uses for deciding when to activate. This is a very nasty program and the only 100% safe thing to do is to backup all DATA files and perform a full reformat of your hard disk. Followed by a reinstallation of all DATA, from your backup, and programs from original system disks (or backup prior to installing this software). This should only be attempeted once at least TWO copies of all valuable data have been extracted from the system. Please remember to boot your system off an original DOS disk before starting this procedure. Full details of the suggested procedure will be posted tomorrow. Alan Jay Readers who do not wish to follow this route may be interested to in the folowing information about the primary activation system. 1) A hidden 'ACTOEXEC.BAT' file contains CD \ REM it then runs your AUTOEXEC.BAT which the program renamed AUTO.BAT 2) A hidden subdirectory contains a file REM.EXE Each time the system is booted the program is run and the counter incremented/decremented. After 90 activations the system enters phase TWO. Please note that the system uses the character 'hi space' in the file names to stop standard DOS procedures acting on these files. IT MAY be possible to delete these entries and thereby disable the program this is NOT certain and it will take several months to discover if this is a safe course of events to take. I hope that this information helps. I also understand that this is in the hands of the Fraud Squad / Computer Crime Division of the Metropolitan Police. If you have any further information I am sure that they would be interested to here from you. Alan Jay -- IBM PC User Group - 01-863 1191 ------------------------------ Date: Wed, 13 Dec 89 16:58:52 -0800 From: Alan_J_Roberts@cup.portal.com Subject: AIDS Trojan Update (PC) This is a forward from John McAfee: A lot more has been discovered about the AIDS Information Trojan in the past 24 hours. First, the diskette does not contain a virus. The install program does initiate a counter, and based on a seemingly random number of re-boots, the trojan will activate and destroy all data on the hard disk. The diskette was mailed to at least 7,000 corporations, based on information obtained from CW communications - one of the magazine mailing label houses used by the perpetrators. The perpetrator's initial investment in disks, printing and mailing is well in excess of $158,000 according to a Chase Manhattan Bank estimate that was quoted in a PC Business World press release from London. The bogus company that sent the diskettes had rented office space in Bond Street in London under the name of Ketema and Associates. The perpetrators told the magazine label companies that they contacted that they were preparing an advertising mailer for a commercial software package from Nigeria. All offices had been vacated at the time of the mailing, and all addresses in the software and documentation are bogus. The Trojan creates several hidden subdirectories -- made up of space and ASCII 255's -- in the root of drive C. The install program is copied into one of these and named REM.EXE. The user's original AUTOEXEC.BAT file is copied to a file called AUTO.BAT. The first line of this file reads -- "REM Use this file in place of AUTOEXEC.BAT for convenience". The installation also creates a hidden AUTOEXEC.BAT file that contains the commands: C: CD \ REM Use this file in place of AUTOEXEC.BAT AUTO The CD \ actually contains ASCII characters 255, which causes the directory to change to one of the hidden directories containing the REM.EXE file. The REM file is then executed and decrements a counter at each reboot. After a random number of reboots, the hard disk is wiped clean. Definitely a new approach. So far the mailings appear to be limited to western Europe. No reports have been received from the U.S. If anyone does have the diskette, or has already run the install program, a disinfector has been written by Jim Bates and is available on HomeBase for free download. 408 988 4004. The name of the disinfector is AIDSOUT.COM. John McAfee ------------------------------ Date: 14 Dec 89 03:13:50 +0000 From: consp21@bingvaxu.cc.binghamton.edu Subject: WDEF found at SUNY-Binghamton (Mac) We have identified the WDEF virus here in our public complexes here at SUNY-Binghmton. Thanks to Disinfectant 1.4, we are already asking all users to come to our consulting office and have their disks checked. The earliest date of infection that we have noticed in our work tonight is December 11, 1989; indicating that it spread extremely rapidly here, possibly due to a pair of infected printing stations that we found. Over the last eight hours, the number of infected disks found has been dropping rapidly, indicating that we caught it before it got too far. Many, many thanks to comp.virus for the alerts, and to John Norstad for his quick work with Disinfectant! - Ken - ------------------------------------------------------------------------- Ken Hoover [ consp21@bingvaxu.cc.binghamton.edu | consp21@bingvaxa.BITNET ] Resident computer jock and Mac hacker, SUNY-Binghamton Bio dept. Senior undergraduate consultant, SUNY-Binghamton Computer Center - ------------------------------------------------------------------------- ------------------------------ End of VIRUS-L Digest *********************