VIRUS-L Digest   Monday, 15 Jan 1990    Volume 3 : Issue 11

Today's Topics:

Possible New Infection (Mac)
Re: Shrink Wrap...still safe?
Re: Shrink Wrap...still safe?
IBM's VIRSCAN and the 1813 virus (PC)
Implied Loading and Accidental Destruction (Mac)
Re: virus scanning
WDEF and Virus Detective 3.0.1 (MAC)
An unfortunate victim (Mac)
Organizational attitudes about virus prevention
WDEF virus (Mac) in southwestern Ohio
RE: Shrink wrap...still safe?
Re: Shrink Wrap...still safe?
Shrink-Wrapped Software
F-PROT clarification (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.

- Ken van Wyk

---------------------------------------------------------------------------

Date: Fri, 12 Jan 90 07:49:47 -0500
From: "Gregory E. Gilbert"
Subject: Possible New Infection (Mac)

I saw this posted in Vol. 8, Number 6 of the INFO-MAC Digest. Thought it was worthy of a cross posting.

Date: Tue, 9 Jan 90 15:22 EST
From: FRIEDMAN@anchor.rutgers.edu
Subject: Trojan Horse???? A new one

I recently saw a posting about two new sharewares, JCremote and Mac II Diagnostic Sound. After unBinHexing and Unstuffing them, I did what most of us would: I checked for viruses using SAM Virus Clinic 1.3. No known viruses were detected. I tried the Mac II Diagnostic Sound and then installed JCremote. As I installed JCremote into my system folder, SAM 1.3 warned me about attempts to modify the system file; however, this is not uncommon with a CDEV or RDEV.
After installing it, I opened the Chooser and selected JCremote. The system froze. When I rebooted the computer, it started to launch but then crashed. There was no bomb or any message, just a blank screen. After rebooting with a floppy and checking with Disinfectant 1.5, the system file was noted as having a damaged resource fork. This meant I had to install a new one. I am not sure which of the two mentioned files is the culprit. The first time it happened I heard a sound which sounded like one of the Mac II Diagnostic Sound sounds, and the freeze occurred when I tried running JCremote.

Rich Friedman@biovax

Greg

Postal address: Gregory E. Gilbert
Computer Services Division
University of South Carolina
Columbia, South Carolina USA 29208
(803) 777-6015

------------------------------

Date: 12 Jan 90 09:14:40 -0500
From: fac2@dayton.saic.com (Earle Ake)
Subject: Re: Shrink Wrap...still safe?

JZH1@MARISTB.BITNET (Craig W. Fisher) writes:

> At a meeting yesterday some people made comments that some viruses
> have been found in shrink-wrapped diskettes. This did surprise me as
> we have been using a rule of thumb to stick to shrink wrapped software
> to help avoid viruses. What comments &/or advice do you have for this
> situation?
> Thanks, Craig

If you have a virus on your system that reproduced your master diskette, that virus could infect the copy. If the store that re-sells your software takes off the shrink-wrap, tests the program and re-shrink-wraps it, there is a chance of a virus infecting it there. If someone buys a package, takes it home and discovers it will not work on his system and returns the software, the store re-shrink-wraps it and sells it as new. Yet another way to infect a disk even though it was sold 'shrink-wrapped'. Do we have to put all software in tamper-resistant packaging like Tylenol?
If a store tries a package out so they can tell customers how good it is, can they still sell that diskette as new software? Do we have to demand a no-returns policy on software? Hey, the customer might have a shrink-wrap machine available to them and would be able to shrink-wrap and return as new. Where do we draw the line? Shrink-wrap doesn't mean virus-free!

Earle Ake
Science Applications International Corporation
Dayton, Ohio
Internet: fac2%dayton.saic.com@uunet.uu.net
uucp: uunet!dayvb!fac2

------------------------------

Date: 12 Jan 90 15:09:31 +0000
From: spaf@cs.purdue.edu (Gene Spafford)
Subject: Re: Shrink Wrap...still safe?

Many large retailers (and some wholesalers) have shrinkwrap machines. They use these to rewrap packages of software that endusers may have purchased and then returned. They may also rewrap software packages that they have been using in-house as demo programs. They usually do not check the diskettes to see if they have been modified with a virus or other nasty. The purchaser usually has no way of knowing if the package they have just purchased has been rewrapped in this manner.

Additionally, there have been some commercial distributions shipped with a virus on the diskettes. Usually, this contamination occurs in the stages where the diskette is formatted or copied, not when the master copy of the software is produced. That is, the machines doing the copying are infected and they introduce the infection when they copy the master version onto the diskette. Most software houses are now aware of this problem and they take greater care to protect the machines used to produce the distribution.

Words of advice:

Get in the habit of using virus scan programs on EVERY new diskette you add to your system.
It will only take you a few extra minutes but may save you a great deal of trouble. Establishing the habit is very good practice.

Keep a virus monitor (e.g., Gatekeeper, FluShot+) installed on your system and activated just in case.

Point out to your retailer/wholesaler that should you ever buy a product from them with a virus on it, introduced because they have re-wrapped an infected product, they are liable for damages in a lawsuit. Encourage them to label any package so rewrapped -- then be extra careful when purchasing same.

- --
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu
uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf

------------------------------

Date: 12 Jan 90 00:00:00 +0000
From: "David.M..Chess"
Subject: IBM's VIRSCAN and the 1813 virus (PC)

The 1813 virus is sometimes referred to (here, in the news, etc.) as the "Jerusalem" virus. So if VIRSCAN says you have the 1813, information about, and disinfectors for, the Jerusalem virus are appropriate...

DC

------------------------------

Date: Fri, 12 Jan 90 09:33:36 -0500
From: Joe McMahon
Subject: Implied Loading and Accidental Destruction (Mac)

Bob Woodhead noted the distinct possibility that a useful resource in a "non-application" file could be accidentally trashed by GateKeeper Aid or a similar program which kills executable resources.

First, I assume that Chris J. was careful enough to include a list of "don't do that to this file type/creator" entries (I can't check today, my Mac's dead :-( ), or maybe a list of file types that should NOT contain executable code resources. I think the *idea* is good; I'm sure that he put more thought into the implementation than I did in my glib oversimplification of its functions. I was just trying to explain why it was that the ADBS resources were being trashed by GK Aid.
For those who may have missed the beginning of all this, GK Aid will kill off code resources (and WDEF, PACK, etc. executables) in files in which they "don't belong". Deciding what "doesn't belong" is, of course, the kicker. Bob is very right about the possibility of damage to "non-standard" files.

--- Joe M.

------------------------------

Date: Fri, 12 Jan 90 09:53:42 -0500
From: Eric Roskos
Subject: Re: virus scanning

> I am told that there is a proof in the November '89 issue of the American
> Mathematical Monthly, to the effect that no completely safe computer virus
> test is possible. The proof is supposed to be short, and along the lines
> of the various proofs of the Halting problem.

Of course. Just replace the "halt" instruction with a sequence of code to insert a virus (or to perform any malicious action). The approach to addressing the problem of viruses is not to automatically analyze code, but rather to prevent the propagation of viruses.

This aside, turning to what I'd intended to say when I started this reply (I get easily sidetracked by computing theory :-)):

> The Desktop Fractal Design System by Michael F. Barnsley, Iterated Systems,
> Inc. (1989) is infected with a virus.

This surprises me, since I bought a copy of this program at Reiter's Scientific Bookstore in Washington DC last November, and used it on my PC for a couple of days (before getting inspired by it to write my own programs... some of the algorithms he gives in the manual are really hard to figure out, since he's optimized them for integer arithmetic and he doesn't show all the simplifications he did, only the final result)... since then I have used the PC every day, and have run one of the virus-checking programs on it several times, without any indication of a problem! Does anyone have details on which particular virus this is, or what is added to the end of the object files that one can check for?
I'll run the virus-checking program on the disk itself this evening to make sure, but from the (very limited) evidence it looks like either not all the copies of the program are infected, or this is not one of the standard viruses.

------------------------------

Date: Fri, 12 Jan 90 13:35:15 -0500
From: V2002A@TEMPLEVM.BITNET
Subject: WDEF and Virus Detective 3.0.1 (MAC)

Hi,

This past week we have had numerous infections of WDEF A. I noticed some odd behavior by Virus Detective 3.0.1:

1) Open Virus Detective and select 'autocheck disk on insertion'.
2) Insert a diskette known to be infected with WDEF A.
3) When the scan detects the virus, click Continue to finish the scan. Now drag the disk to the trash to eject it.

The diskette will remain infected until the desktop is rebuilt on it. The hard disk is untouched, though.

If, however, instead of clicking Continue, you click Cancel and eject the disk in the same manner, the virus immediately infects the hard disk.

Anyone else had this problem?

Andy Wing
Senior Analyst
Temple University School of Medicine

------------------------------

Date: Fri, 12 Jan 90 14:30:03 -0500
From: dmg@lid.mitre.org (David Gursky)
Subject: An unfortunate victim (Mac)

The latest MacWeek (9 Jan) has an article on page 10 that describes the latest victim of the problem of electronic vandalism. 1st Aid Software, publisher of Anti-Virus Kit (which recently achieved notoriety as being the only Mac anti-virus application that effectively detected and prevented WDEF *before* WDEF was isolated), has announced they will issue no further updates to the application. Their line of reasoning is the same as Don Brown's for not updating Vaccine. 1st Aid does not wish to get into an ever escalating battle of more sophisticated tools vs. more sophisticated threats.

I'm sorry to see this happen.
While I believe we are essentially fighting a "staying effort" with vandalism today, walking away from the problem will not stop the continuing evolution of electronic threats.

------------------------------

Date: Fri, 12 Jan 90 12:09:00 -0800
From: jmolini@nasamail.nasa.gov (JAMES E. MOLINI)
Subject: Organizational attitudes about virus prevention

Jeff Spitulnik writes:

> What should be done to rid UM of the WDEF virus or of any virus for
> that matter? How does the bureaucracy at your institution handle it?
> I question the ethicality of a laissez-faire attitude on viruses at
> any institution.

Although I agree with Brian McMahon's response (VIRUS-L, 9 Jan 90) that:

> KNOWINGLY allowing unsuspecting users to contract infections is
> EXTREMELY irresponsible.

I think there is a more subtle problem here. If U. Mich is like most universities, they place a great deal of emphasis on COOP work terms and Summer Faculty Research programs at government agencies and corporations around the US. Since most of these people bring their own programs and utilities along with them, a laissez-faire attitude toward viruses is like not doing anything about head lice. It may be easy to do at home, but can be embarrassing if you go some place else. Once these people get to their prospective sites and infect a few computers, they may find that their sponsors are unwilling to take a similar risk next year. I can say from experience that eradicating a virus at a large research facility usually costs more than the money spent sponsoring the faculty fellow or coop. Therefore, even though no one may directly say so, the amount of problems you cause with a naive attitude about computing could have a bearing on whether or not you are invited back. (Please don't take this thought out of context and try to flame on me for it.)

Something any university should be concerned about is the concept of "guilt by association."
I have listened to several people who used to (incorrectly) associate Lehigh University with virus problems. Fortunately Lehigh is now developing a reputation for their efforts in the area of virus control. But I think you understand the point.

Now, there are a few minor guidelines that anyone can follow to reduce their chance of taking viruses, or malicious programs, with them when they travel. Although the methods are not foolproof, they should reduce the risk to a more acceptable level.

1. Don't bring bootable floppies with you when you go to a new job. There is usually no need to boot someone else's machine from your floppy, and it will go a long way toward stopping boot infector viruses.

2. If you have written programs to use while you are there, bring the source code and recompile your programs at the new location. It is a reasonable way to prevent viruses and will avoid problems you may have with OS version differences.

3. If you use public domain software, try to download copies from the organizational BBS at your new location, if they have one. Most large institutions today have a designated BBS system which is frequently checked for viruses and malicious programs. And if you find that you are infected anyway, at least you know where you got the software from.

4. If you must bring executable code with you, ask your sponsor if there is a procedure for checking software that comes in. Usually this function is centralized and associated with other help functions that you will probably need in the future. Anyway, by asking, you will show yourself to be a knowledgeable and concerned user.

5. NEVER bring pirated software with you when you go to the new location. There is nothing worse than finding out that someone infected your site with a piece of software that they weren't supposed to have in the first place. Most large organizations already have all the software you should need and have huge software investments to protect.
Prudent organizations would see this as cause for immediate dismissal.

I hope this helps.

Jim Molini

------------------------------

Date: Fri, 12 Jan 90 16:44:38 -0500
From: Joe Simpson
Subject: WDEF virus (Mac) in southwestern Ohio

Miami University in Oxford, Ohio has been visited by the WDEF virus. An instance was detected and eradicated with GateKeeper Aid 1.0.1.

------------------------------

Date: 12 Jan 90 19:34:00 -0400
From: "WILLIAM HADLEY"
Subject: RE: Shrink wrap...still safe?

Craig,

When you buy software in a computer store that is shrink wrapped, it may not have always stayed in that condition before *you* bought that software. There are software stores (at least in the Washington, D.C. area) that will re-shrink wrap software packages when they are returned. For example, if someone bought a software package, took it home, and didn't like it, they could take it to the software store, who would take the software back as long as the software still had the documentation AND the registration card. They would take the software and offer an exchange or refund and send the customer on his/her way. Then the store would take the software into the backroom and proceed to re-shrink wrap the software and put it back on the shelf.

I (as the customer) had an experience like this. I returned a piece of software that was not what I thought. The store I bought it from was more than happy to assist me (keep the customer happy). They asked if everything that came in the box was there, which of course it was. Then the sales clerk SPECIFICALLY asked me if the registration card was in the box. Again, I assured him that everything was there. He explained that he had to ask about that because they were going to put it back on the shelf and re-sell the package. I asked if he could sell it without the shrink wrap on the box, to which he replied, "Nah, we have a shrink wrap machine in back" (not necessarily a direct quote).
I thought about that, about specifically asking for the registration card. I could have pirated the software and sent in the card as though I *actually* paid for it. But then I thought a little bit more about the whole transaction. The clerk never looked in the box when I was standing there to see if everything was in it. After refunding my money, he took the box in back, wrapped it, and brought it back before I left the store. He could have looked while he was in back, but I don't think he did because he was not gone for very long. Also, he never asked to see a sales receipt. There was no price tag on the box (it was shrink wrapped when I bought it and the tag was stuck to the wrapping, which I threw away) so he wouldn't have known for sure if I even bought it at his store - if I bought it at all. I could have stolen the software, pirated it and got *my* money back. Or I could have stolen the software, INFECTED it, and then got *my* money back. The store and the software company would never have known - neither would the unsuspecting customer who might have bought that software.

**JUST FOR THE RECORD** I *did* pay for it, and I *did* have my sales receipt with me when I returned the software. I was *not* satisfied with the program. And, I did *not* pirate it and did *not* infect it with anything.

------------------------------

Date: 14 Jan 90 01:45:42 +0000
From: woody@rpp386.cactus.org (Woodrow Baker)
Subject: Re: Shrink Wrap...still safe?

I apologize for posting this here, but my mailer would not let me reply to someone who replied to a message I posted here.

siia!drd:

PostScript fonts are executable files. Like any other PostScript program they have file access, and full unfettered access to the system. They are for the most part encrypted, but the encryption and decryption algorithms are known.
A malicious person could create a font program that could, when run, delete all files off the hard disk, or more viciously, subtly alter existing fonts from, say, Adobe or some other font company. They could be altered to do more than just print funny. They could clear the page, print messages over pages, corrupt the filesystem (very easy to do, by the way), and in general create all manner of havoc. The possibility is very real.

Cheers
Woody

------------------------------

Date: Sun, 14 Jan 90 18:02:00 -0500
From: WHMurray@DOCKMASTER.ARPA
Subject: Shrink-Wrapped Software

> At a meeting yesterday some people made comments that some viruses
> have been found in shrink-wrapped diskettes. This did surprise me as
> we have been using a rule of thumb to stick to shrink wrapped software
> to help avoid viruses. What comments &/or advice do you have for this
> situation?
> Thanks, Craig

Shrink wrapping is a form of encapsulation that reduces the risk that software will be contaminated and increases the probability that tampering will leave evidence. The vendor of software has an interest in an orderly market place and in the reputation of his product. If you have evidence that the product has not been tampered with since the vendor shipped it, then you may rely, in part, upon his interests. Shrink-wrap that is applied by the vendor would help to serve that purpose. However, few original vendors use labelled shrink-wrap, and many distributors and retailers can apply shrink wrap.

Since much software is poorly labelled, since it is hard to demonstrate, and generally difficult to buy, many retailers have adopted a "Trial/Return" policy. Under this policy a purchaser is permitted to return software for a full refund within a limited period of time. The retailer re-wraps the software and returns it to the shelf. Most such retailers are simply naive; a few are irresponsible.
The risk to the retailer is that the "purchaser" will simply make a copy of the software and return the original media and documentation to the retailer. However, the retailer can measure this risk. The risk to subsequent purchasers of the used package is that the media was contaminated before it was returned. This risk is harder to measure and is not to the person making the decisions.

Vendors can help by using labelled shrink-wrap. To the extent that users come to expect such labelling, the re-wrap strategy becomes less effective and efficient for the retailer. Users can protect themselves and discourage this risky practice by refusing to deal with retailers that offer them the right to return.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center, Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date: Mon, 15 Jan 90 12:16:31 GMT
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: F-PROT clarification (PC)

Since I made the F-PROT package available, I have received a considerable number of messages containing the same questions over and over. So, here is an attempt to clarify a few details:

When new viruses appear, you do not have to obtain a new version of the program. It is only necessary to add a single line to a file. This line contains an encrypted signature string with a checksum. The programs will then be able to find any infections by the new viruses. I will create this line and post it here on VIRUS-L/comp.virus.

However, you need a new version of the program if you want to disinfect a program infected with any of those new viruses. I have to write a disinfection routine for each virus - a task that sometimes takes as little as five minutes, but in other cases a full day of work.

The tiny (2K) .SYS file that prevents the execution of any infected program must also be updated to stop new program viruses.
It should, however, be able to detect any new boot sector viruses without changes.

The list of viruses the program can handle ...

Agiplan, Alabama, Alameda (Yale), Amstrad, April 1., Brain, Cascade, Dark Avenger, DataCrime, DataCrime II, dBase, December 24th, Den Zuk/Ohio, Disk Killer (Ogre), Do-Nothing, 405, 4096, Fumble, Fu Manchu, Ghost, Icelandic/Icelandic II/Saratoga, Jerusalem/New Jerusalem/Sunday, Lehigh, MIX1, New-Zealand (Stoned), Oropax, Perfume, Ping-Pong/Typo, South African "Friday 13.", Sylvia, SysLock/Macho, Swap (Fallboot), Traceback/2930, Vacsina, Vcomm, Vienna/Lisbon, Virus-90, W13, Yankee Doodle and Zero Bug (Palette)

... does not quite match other lists of known viruses, but in most cases this is because different names are used for the same virus. There are, however, a few viruses that have been reported but not made available for research. They are obviously not included (yet).

The documentation includes a description of all the viruses, even the most recent ones like Amstrad, Perfume, Virus-90, W13 and Vcomm.

The suggested contribution of $15 is for a single copy - for an organization which uses the program on more than one machine, the suggested contribution is $2 for each additional copy.

------------------------------

End of VIRUS-L Digest
*********************
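The signature-file approach described in the F-PROT clarification above (a new virus needs only a new signature line, carrying its own checksum, rather than a new program) can be illustrated with a small scanner. The following is an added example written for this page, not F-PROT's code or format: the `NAME:HEXPATTERN:CRC32` line layout, the `??` wildcard byte, the choice of CRC-32 as the line checksum and the two sample signatures are all assumptions of the example (F-PROT's real signature lines are encrypted and laid out differently), and the "clean" and "infected" program bytes are constructed, not real virus code.

```python
"""
Signature-file scanner in the spirit of the F-PROT approach described above:
detecting a new virus needs only a new data line, never a new program.

Added example; the line format below is an assumption of this example,
not F-PROT's actual (encrypted) format.

Assumed line format:  NAME:HEXPATTERN:CRC32
  - HEXPATTERN is hex bytes; "??" stands for one wildcard byte
  - CRC32 covers "NAME:HEXPATTERN", so a mistyped or truncated line is
    rejected loudly instead of silently becoming a signature that never fires
"""
import re
import zlib
from typing import Dict, List, Tuple


class BadSignatureLine(ValueError):
    """Raised when a signature line is malformed or fails its checksum."""


def checksum(text: str) -> str:
    """CRC-32 of the text as 8 upper-case hex digits."""
    return f"{zlib.crc32(text.encode('ascii')) & 0xFFFFFFFF:08X}"


def make_signature_line(name: str, hexpattern: str) -> str:
    """Build the line a maintainer would post: body plus its checksum."""
    body = f"{name}:{hexpattern.upper()}"
    return f"{body}:{checksum(body)}"


def compile_pattern(hexpattern: str) -> "re.Pattern":
    """Turn 'E8??00B4' into a bytes regex: fixed bytes escaped, '??' -> '.'"""
    if len(hexpattern) % 2:
        raise BadSignatureLine(f"odd-length hex pattern: {hexpattern}")
    parts = []
    for i in range(0, len(hexpattern), 2):
        pair = hexpattern[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    # DOTALL so the wildcard also matches a 0x0A byte
    return re.compile(b"".join(parts), re.DOTALL)


def parse_signature_line(line: str) -> Tuple[str, "re.Pattern"]:
    """Validate one line and return (virus name, compiled pattern)."""
    fields = line.strip().split(":")
    if len(fields) != 3:
        raise BadSignatureLine(f"expected NAME:HEX:CRC, got {line!r}")
    name, hexpattern, crc = fields
    if checksum(f"{name}:{hexpattern}") != crc.upper():
        raise BadSignatureLine(f"checksum mismatch for {name}")
    return name, compile_pattern(hexpattern)


def line_is_valid(line: str) -> bool:
    """True if the line parses and its checksum matches."""
    try:
        parse_signature_line(line)
        return True
    except BadSignatureLine:
        return False


def load_signatures(text: str) -> Dict[str, "re.Pattern"]:
    """Parse a whole signature file; blank lines and '#' comments are skipped."""
    sigs: Dict[str, "re.Pattern"] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, pat = parse_signature_line(line)
        sigs[name] = pat
    return sigs


def scan_bytes(data: bytes, sigs: Dict[str, "re.Pattern"]) -> List[Tuple[str, int]]:
    """Return (virus name, offset) for every signature found, in file order."""
    hits = [(name, m.start()) for name, pat in sigs.items() if (m := pat.search(data))]
    return sorted(hits, key=lambda h: h[1])


# --- constructed sample data: not real signatures, not real virus code ------
SIGNATURE_FILE = "\n".join([
    "# constructed signatures for this example",
    make_signature_line("Example-A", "DEADBEEF"),
    make_signature_line("Example-B", "E8??00B4"),   # wildcard call displacement
])

CLEAN_PROGRAM = bytes.fromhex("B44CCD21") + b"hello world"          # 15 bytes
INFECTED_PROGRAM = CLEAN_PROGRAM + bytes.fromhex("E83100B4DEADBEEF")  # appended code


def demo() -> List[Tuple[str, int]]:
    sigs = load_signatures(SIGNATURE_FILE)
    assert scan_bytes(CLEAN_PROGRAM, sigs) == []
    return scan_bytes(INFECTED_PROGRAM, sigs)


if __name__ == "__main__":
    print(demo())   # [('Example-B', 15), ('Example-A', 19)]
```

The checksum is the point of the exercise: a signature line is usually retyped from a posting, and a single wrong hex digit would otherwise produce a line that loads fine and simply never matches, which is indistinguishable from "no infection" to the user. Rejecting the line at load time turns that silent false negative into a visible error.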