VIRUS-L Digest Monday, 18 Dec 1989 Volume 2 : Issue 261 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: re: 1813 Virus Info Needed (PC) Aids disk information (PC) Re AIDS disk (PC) What does the WDEF virus do? (Mac) Re: Update on AIDS Trojan (PC) Disinfectant 1.5 (Mac) WDEF found at University of Vermont (Mac) AIDS TROJAN (PC) Gatekeeper Aid 1.0 Released (Mac) --------------------------------------------------------------------------- Date: 14 Dec 89 00:00:00 +0000 From: "David.M..Chess" Subject: re: 1813 Virus Info Needed (PC) The 1813 virus is the same virus that is commonly called "the Jerusalem virus". It is the most widespread of a number that activate on Friday the 13th, so it's sometimes called the "Friday the 13th" virus. That's not a very good name, though, since there's more than one virus that it fits. Stick with "1813" or "Jerusalem"! *8) DC ------------------------------ Date: Thu, 14 Dec 89 11:14:39 +0000 From: Alan Jay Subject: AIDS disk information (PC) The following, written by Alan Solomon, gives details of the AIDS Information Disk sent out by PC-CYBORG and gives a method for restoring your disk to its former state. Remember if you have not run this disk DO NOT run it. This information is believed to be correct BUT the program appears to be very clever and therefore we suggest that you must be very careful in carring out any of the followig instructions. Alan Jay -- IBM PC User Group -- 01-863 1191 PRELIMINARY INFORMATION ON THE "AIDS" DISKETTE FROM PC CYBORG CORPORATION. This is bulletin number AS/3 You will probably have read in the press about the AIDS diskette, a diskette that was mailed out to a great subscribers to PC Business World (through absolutely no fault of the magazine's). This diskette is a trojan - DO NOT RUN IT. It is a diskette that was sent through the post, unsolicited, and claiming to be a program that gave you useful information about the AIDS disease. The accompanying licence was abit suspicious, so many people didn't run it (it threatened to do dire things to your computer if you didn't pay for the software). We've done a preliminary analysis on it, and it works like this. If you run the INSTALL program, it creates two subdirectories with "impossible" names on the hard disk - one of these has a one-character name, and that character is [Alt-255] (hexadecimal FF). In that subdirectory , it puts a program called REM[Alt-255] .EXE. The [Alt-255] character is invisible. It copies your AUTOEXEC to a file called AUTO.BAT, and puts an Echo off and a REM statement in front. It creates a new AUTOEXEC.BAT file, and makes it hidden and readonly. In that AUTOEXEC, it does a "CD \[Alt255]" and then "REM[Alt-255]" followed by a plausible-looking remark. After you run the AUTOEXEC, and therefore the REM [Alt-255] program, a number of times (we triggered it with 90, but this is only a preliminary result, and it may be triggerable with fewer or more), the damage routine is triggered. This would usually happen when the machine has been booted that many times. A series of messages are put up on the screen, aimed at persuading you not to switch off, and the trojan then encrypts your directory and makes all the files hidden except one called CYBORG.DOC. If you then boot from the hard disk, it tells you that a software licence has expired, and tells you to renew it - another request for money. If you do a Ctrl-Alt-Del, it fakes a reboot, and pretends to be running the Dos prompt - actually, a program is now running which fakes Dos. If you do a DIR, it shows you the unencrypted filenames, followed by a warning not to use the computer. it tells you that you must renew the lease in the software. Any other command, it also fakes a response to, and shows you the same message. It also has a routine that could be called the SHARE routine. When this runs, it tells you that you can have 30 more applications of the program if you follow it's instructions. It tells you to put a blank formatted floppy in drive A, and it then copies files onto it. Then you are asked to put the diskette in another computer and type A:SHARE. We're still pursing this path. It may also do other damage - we're still investigating, but what we've found so far is enough to make me want to issue an urgent warning. If you've already installed it, remove it. You can do this temporarily by making the AUTOEXEC.BAT file (in the root directory) read/write, and non-hidden, which you can do using one of a number of utilities. Then delete the AUTOEXEC.BAT. This disables the trojan lines that the install program put in. This APPEARS to deal with the trojan, but since there is a lot of deep stuff going on, we would not assume that it actually does fully deal with it. Our recommendation at this point in time, is based on the fact that this thing is doing some pretty deep work on the disk, and since it contains a lot of code, it will be a long time before it is completely understood. So as of now, our suggestion is: First, switch off the computer, put a known CLEAN DOS diskette in drive A, and switch on again. This makes sure that the trojan has no control. Back up all your data files using a file-by-file backup. Format the disk, reload all your executables from known clean diskettes, and restore the data files. You should take two backups, in case the first one fails to restore. If you haven't installed it, don't and tell everyone else not to. The police have been brought into this case; if you wish to make a formal complaint to the Computer crime unit, please contact Detective Sergeant Donovan on 01-725 2434. Also, contact him if you have any useful information. If you want more information about this trojan, it will be covered in full in Virus Fax International - please call if you want to know more about this. Please note that the information has been got out quickly as possible, and is therefore subject to change in the details. ALAN SOLOMON ------------------------------ Date: Thu, 14 Dec 89 13:31:49 +0000 From: Martin Ward Subject: Re AIDS disk (PC) I feel that I should point out that the effects of this disk are entirely in accordance with the standard warrenty used by most commercial software developers (the ones which disclaim that the programs are fit for any purpose at all, that XXX will disclaims all responsibility for any damage or loss caused etc.) Either these warrenties are ILLEGAL or the perpetrators of this disk are entirely within their legal rights to do what they have done. Does anyone (eg a lawyer) know which is the case? Martin. My ARPANET address is: martin%EASBY.DUR.AC.UK@CUNYVM.CUNY.EDU OR: martin%uk.ac.dur.easby@nfsnet-relay.ac.uk UUCP:...!mcvax!ukc!easby!martin JANET: martin@uk.ac.dur.easby BITNET: martin%dur.easby@ac.uk ------------------------------ Date: Thu, 14 Dec 89 10:05:36 -0500 From: Jeff_Spitulnik@um.cc.umich.edu Subject: What does the WDEF virus do? (Mac) I just discovered that a scribes disk (one that is used by many different typists at different times to compile class notes) that crashed was infected with the WDEF virus. The Mac SE FDHD that I am using now had trouble reading the disk and MacTools confirmed that there were many damaged blocks. After using Symantec's utilities to recover the files on the disk, including the desktop, I checked to see if the file had the WDEF virus. It did. I reformatted the scribe disk with no problems and verified that it was ok after the reformatting. Did it crash because of WDEF? What's the latest on what WDEF does? Thanks! --Jeff ------------------------------ Date: Thu, 14 Dec 89 18:02:03 +0000 From: Matthew Moore Subject: Re: Update on AIDS Trojan (PC) This afternoon I was one of a small team which successfully tracked down the method of invocation of the Aids trojan, on a pc clone which was infected, but not devastated. Definition : <255> = the ascii character 255 , aka hex FF The program is called: rem<255>.exe (ie 4 char filename which shows as 3) It resides in a hidden directory called: \<255> (ie a 1 char filename) It is invoked by two lines in the autoexec.bat file :- cd \<255> (which if course usually looks like : cd \ ) rem<255> some statement (which looks like : rem some statement) There two additional features worth noting:- i) there is another root level hidden directory, also using a nonprintable character (I dont know which), containing further hidden subdirectories to four levels down, and at the bottom are files which appear to contain data from elsewhere on the disk, and sundry other info. ii) there is a red herring in the autoexec.bat file. Underneath the two statements listed above, the line 'auto.bat' followed by an EOF (^Z). The file \auto.bat contains the original autoexec.bat Presumably, it would be stopped by removing or renaming \<255>\rem<255>.exe and reverting to a clean auotexec.bat . (Corrections to this presumption welcome!) - -- mjm@cu.neur.lon.ac.uk | Post: Computing & Statistics Unit JANET : mjm@uk.ac.lon.neur.cu | Institute of Neurology INTERNET: try mjm%cu.neur.lon.ac.uk | Queen Square, London, WC1 Phone : 01-837-5141 | London WC1 3BG ------------------------------ Date: Thu, 14 Dec 89 16:20:56 -0500 From: jln@acns.nwu.edu Subject: Disinfectant 1.5 (Mac) Disinfectant 1.5 ================ December 14, 1989 Disinfectant 1.5 is a new release of our free Macintosh virus detection and repair utility. Shortly after the release of version 1.4, a new strain of the WDEF virus was discovered. Version 1.5 has been configured to recognize the new strain. Version 1.5 also contains code to detect and repair other strains of WDEF which may exist but have not yet been reported. Disinfectant 1.5 is available now via anonymous FTP from site acns.nwu.edu [129.105.49.1]. It will also be available soon on sumex-aim, comp.binaries.mac, ComuServe, Genie, Delphi, BIX, MacNet, America Online, Calvacom, and other popular sources for free and shareware software. The following text is extracted from the new section on WDEF in Disinfectant's online document. It describes what we know to date about this new virus. The description has been expanded to include new information that has recently become available. The WDEF virus was first discovered in December, 1989 in Belgium and in one of our labs at Northwestern University. Since the initial discovery, it has also been reported at many other locations throughout the United States, so we fear that it is widespread. We have reason to believe that the virus has been in existence since at least mid-October of 1989. We know of two strains, which we call "WDEF A" and "WDEF B." WDEF only infects the invisible "Desktop" files used by the Finder. With a few exceptions, every Macintosh disk (hard drives and floppies) contains one of these files. WDEF does not infect applications, document files, or other system files. Unlike the other viruses, it is not spread through the sharing of applications, but rather through the sharing and distribution of disks, usually floppy disks. WDEF may have been introduced initially via a Trojan Horse application, in a fashion similar to the way the MacMag virus was first introduced via a Trojan Horse HyperCard stack. We do not yet know if this is indeed the case, and we may never know. WDEF spreads from disk to disk very rapidly. It is not necessary to run a program for the virus to spread. The WDEF A and WDEF B strains are very similar. The only significant difference is that WDEF B beeps every time it infects a new Desktop file, while WDEF A does not beep. Although the virus does not intentionally try to do any damage, WDEF contains bugs which can cause very serious problems. We have received reports of the following problems: * The virus causes both the Mac IIci and the portable to crash. * Under some circumstances the virus can cause severe performance problems on AppleTalk networks with AppleShare servers. * Many people have reported frequent crashes when trying to save files in applications under MultiFinder. * The virus causes problems with the proper display of font styles (the outline style in particular). * We have two reports that the virus can damage disks. * We have a report that the virus causes Macs with 8 megabytes of memory to crash. * We have a report that the virus is incompatible with the "Virtual" INIT from Connectix. Even though AppleShare servers do not use the normal Finder Desktop file, many servers have an unused copy of this file anyway. If the AppleShare administrator has granted the "make changes" privilege to the root directory on the server, then any infected user of the server can infect the Desktop file on the server. This is one of the situations which can lead to the severe performance problems mentioned above. For this reason, administrators should never grant the "make changes" privilege on server root directories. We also recommend deleting the Desktop file if it exists. It does not appear that the virus can spread from an AppleShare server to other Macs on the network, however. When using Disinfectant to repair WDEF infections, you must use Finder instead of MultiFinder. Under MultiFinder the Desktop files are always "busy," and Disinfectant is not able to repair them. If you try to repair using MultiFinder, you will get an error message. Unfortunately, when the WDEF virus first appeared, none of the current versions of the most popular virus prevention tools were able to detect or prevent WDEF infections. This includes Vaccine 1.0.1, GateKeeper 1.1.1, Symantec's SAM Intercept 1.10, and HJC's Virex INIT 1.12. Chris Johnson, the author of Gatekeeper, has released "GateKeeper Aid," a free system startup document (INIT) that detects and automatically removes WDEF infections and notifies the user of the infection. GateKeeper Aid can be used together with GateKeeper or together with Vaccine to provide protection against WDEF. New versions of the commercial tools should also be released soon, and we expect that at least one other free protection tool will also be available soon. It is very important that all Mac users obtain and install GateKeeper Aid or some other WDEF protection tool. You can use Disinfectant to remove an existing infection, but if you do not install a protection tool you may very likely become infected again. In addition to the two known strains of the WDEF virus, Disinfectant will also detect and repair other strains which may exist but have not yet been reported. If an unknown strain is detected, Disinfectant places the following message in the report: ### File infected by an unknown strain of WDEF If you see this message, and if you have not already repaired the file, we would appreciate it if you would send a copy to the author. The author's addresses are at the end of this document. You may need the assistance of an expert, since the Desktop files that are infected by the WDEF virus are normally invisible. You should use ResEdit or some other file editing tool to make the file visible, then make a copy to send to us, then use the same tool to make the original file invisible again, and use Disinfectant to repair it. Send the copy to the author, then delete the copy. Please do not worry if you are not comfortable with these instructions and you do not have access to an expert. Go ahead and repair the infected file. It is more important that you rid your system of the virus than it is for us to get a copy of the unknown strain. This version of Disinfectant is being released only one week after the discovery of the WDEF virus. We do not yet understand it as thoroughly as we do the other older viruses. We have disassembled it completely, and we understand the basic replication mechanism. We know that it can cause serious problems, and we know why it causes some of the problems. Research into the behavior and adverse effects of this virus will continue for some time. You should keep in touch with your local Mac user group or bulletin board for more information about this new virus as it becomes available. Commercial online services like CompuServe and Genie and the Macintosh trade press publications like MacWeek are also good sources of information. When the WDEF virus was first discovered, the authors of most of the popular virus-fighting programs and other experts immediately began working together to analyze and test the virus. The information presented here is a compilation of our joint discoveries. The author would like to thank everybody who helped in the investigation. Particular thanks to Chris Johnson (GateKeeper), Jeff Shulman (VirusDetective), Paul Cozza (SAM), Robert Woodhead (Virex), Dave Platt, Werner Uhrig, and the Apple Virus Rx team. Thanks also to the many Mac users who sent reports of WDEF sightings and problems caused by the virus. John Norstad Academic Computing and Network Services Northwestern University 2129 Sheridan Road Evanston, IL 60208 Bitnet: jln@nuacc Internet: jln@acns.nwu.edu CompuServe: 76666,573 AppleLink: A0173 ------------------------------ Date: Thu, 14 Dec 89 17:31:10 -0500 From: Lynne Meeks Subject: WDEF found at University of Vermont (Mac) We discovered we have at least one Mac with the WDEF virus. The most likely source is a disk brought here from Dartmouth by a student. although there is another (unknown) potential source. The virus was discovered (and successfully removed) by Virus Detective 3.1 which we were trying out. We did not have any indication we had a virus. Guess this one travels fast... ------------------------------ Date: Thu, 14 Dec 89 19:08:00 -0500 From: IA96000 Subject: AIDS TROJAN (PC) The AIDS trojan does bring up some interesting questions. Political issues aside for a second, what makes anyone think that the company or individuals behind this are in Panama? Just because the mail goes to Panama does not mean a thing. There are also more lax regulations (I would assume) about renting post office boxes outside of the United States. Has anyone considered that this might be work of the people who introduced BRAIN to the world? Other than the address, it might well be the same culprits. Rather than worry about who did it, perhaps it would be a better idea to figure out what to do about? After all the potential for damage is quite high, and little seems to be know about what is happening, so far. ------------------------------ Date: 14 Dec 89 23:32:14 +0000 From: emx.utexas.edu!ut-emx!chrisj@cs.utexas.edu (Chris Johnson) Subject: Gatekeeper Aid 1.0 Released (Mac) Gatekeeper Aid 1.0 of 13-Dec-89 by Chris Johnson (c) 1989 Gatekeeper Aid is a supplement to version 1.1.1 of the Gatekeeper Anti-Virus System. Gatekeeper Aid is a new component designed to locate and remove the WDEF viruses that have recently appeared and which are not hindered by Gatekeeper's existing security system. Gatekeeper Aid also checks for possible future variants of WDEF. Gatekeeper Aid automatically checks files as they are used for the presence of specific viruses and, if viruses are found, it removes them. Like Gatekeeper, Gatekeeper Aid runs continuously without the attention (and usually without the awareness) of the user. Unlike Gatekeeper, Gatekeeper Aid requires no configuration by the user -- it's objectives are specific enough that there's simply no need for configuration at this point. Although Gatekeeper Aid is designed to supplement Gatekeeper, it does not require that Gatekeeper be present in order to operate. Gatekeeper Aid has been posted to comp.binaries.mac, and is immediately available for anonymous ftp from ix1.cc.texas.edu and ix2.cc.utexas.edu. You'll find it (and Disinfectant 1.5) in the ~microlib/mac/virus directory. The IP addresses of ix1 and ix2 are, respectively, 128.83.1.21 and 128.83.1.29. Gatekeeper Aid will should be available from sumex and simtel in the near future. Cheers, - ----Chris Johnson - ----Author of Gatekeeper - ----chrisj@emx.utexas.edu ------------------------------ End of VIRUS-L Digest *********************