
VIRUS-L Digest, Vol 1, Issue 52


From: Kenneth R. van Wyk (The Moderator) <[email protected]>
Errors-To: [email protected]
To: [email protected]
BCC: [email protected]
Subject: VIRUS-L Digest V1 #52
Reply-to: [email protected]
--text follows this line--

VIRUS-L Digest Monday, 19 Dec 1988 Volume 1 : Issue 52

Today's Topics:
List of known viruses (PC & Mac)
MS-DOS and write protected diskettes
Re: Virus listings and the DIRTY DOZEN listings
Diskette write-protection (PC)
article in pc magazine
Write protect tab and warm boot inadequacy, etc. (PC & Mac)
Write protect tabs
how vicious is nVIR? (Mac)
my $0.02 on write protect tabs and reset keys (PC)

---------------------------------------------------------------------------

Date: Mon, 19 Dec 88 08:42:39 LCL
From: Bret Ingerman [{315} 443-1865] <[email protected]>
Subject: List of known viruses (PC & Mac)

I just read someone else asking if there is a comprehensive list of
viruses for the PC and Mac. I was the one who originally asked the
question and volunteered to compile such a list. I have a copy of the
Dirty Dozen, but it is out of date (Feb. 1988, I believe).

I received a lot of replies from people on the list who thought a
comprehensive file would be great. I'm still willing to edit one
together. What I need is for the "experts" to send me a note with the
name of the virus, what system it can be found on, what does it do,
how to check for it, and how to eradicate it. It would also be nice
if you would let me know if I can include your name/userid so that
people with more involved questions can get in touch with you. What
does everyone think?

BRET INGERMAN
ACADEMIC COMPUTING SERVICES
SYRACUSE UNIVERSITY
BITNET: INGERMAN@SUVM
NOISENET: (315) 443-1865
SNAILNET: 215 Machinery Hall
Syracuse, NY 13244-1260 USA
Disclaimer: (use your favorite)

------------------------------

Date: Mon, 19 Dec 88 09:23:19 EST
From: Joe Simpson <[email protected]>
Subject: MS-DOS and write protected diskettes

1. Media susceptible to virus attack.
Formatted MS-DOS diskettes with or without an operating system
have a boot block. Some viruses, including Brain, can subvert
this boot block and use it as a vector for infection. Some
viruses also can survive a warm boot. Thus it is quite possible
for a disk containing only Fortran source code to be infected.
This can happen while DOS as we know it is active, or after an
attempt to warm boot the diskette on an infected computer.
2. Write protect tabs and protection.
This topic has come up before on this list. If the write protect
circuitry works at the hardware level to prevent energizing the
write head you are protected. If protection is the result of
MS-DOS software sensing the tab and reacting accordingly, then
the level of protection is substantially reduced. I know of no
manufacturer who publicly asserts that one or the other of these
alternatives has been chosen. Caveat Emptor. On a more
positive note, there is weak evidence that the original IBM PC's
used real hardware protection. If anyone can authoritatively
assert that brand X MS-DOS computers use one or the other forms
of protection, it would be wonderful to have the information,
with source citation, posted to this list.
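
The boot block Joe describes above is the first 512-byte sector of the diskette: a jump into boot code, the BIOS Parameter Block (BPB) describing the geometry, and the 0x55AA signature at the end. The following is an added example, not code from this post or from any VIRUS-L contributor: it parses a constructed 360 KB DOS 3.x boot sector and flags the kinds of anomalies (no jump into boot code, missing signature, impossible geometry) that a sector overwritten by something other than a standard bootstrap would show. The field offsets are the standard DOS 3.x BPB layout; the sample bytes and the anomaly codes are this example's own.

```python
"""Parse and sanity-check an MS-DOS floppy boot sector.

Added example for this digest; it is not code from any VIRUS-L poster.
The 512-byte sample sector is constructed here. Field offsets are those
of the DOS 3.x BIOS Parameter Block (BPB) at bytes 11..27.
"""
import struct

SECTOR_SIZE = 512
BPB_FORMAT = "<HBHBHHBHHH"          # bytes 11..27 of the boot sector
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fats", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads")


def build_boot_sector(jump=b"\xEB\x3C\x90", oem=b"MSDOS3.3", media=0xFD,
                      signature=b"\x55\xAA"):
    """Constructed 360 KB diskette boot sector (40 tracks x 2 heads x 9 sectors)."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = jump
    sec[3:11] = oem.ljust(8)
    struct.pack_into(BPB_FORMAT, sec, 11,
                     512,    # bytes per sector
                     2,      # sectors per cluster
                     1,      # reserved sectors (the boot sector itself)
                     2,      # number of FATs
                     112,    # root directory entries
                     720,    # total sectors
                     media,  # media descriptor byte
                     2,      # sectors per FAT
                     9,      # sectors per track
                     2)      # heads
    sec[510:512] = signature
    return bytes(sec)


def parse_boot_sector(sec):
    """Return the BPB fields plus jump, OEM name and signature as a dict."""
    if len(sec) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sec, 11)))
    bpb["jump"] = bytes(sec[0:3])
    bpb["oem"] = bytes(sec[3:11]).decode("ascii", "replace").rstrip()
    bpb["signature"] = bytes(sec[510:512])
    return bpb


def jump_target(jmp):
    """Offset the initial JMP lands on, or None if bytes 0..2 are not a JMP."""
    if jmp[0] == 0xEB and jmp[2] == 0x90:            # JMP SHORT rel8 ; NOP
        return 2 + struct.unpack("<b", jmp[1:2])[0]
    if jmp[0] == 0xE9:                               # JMP NEAR rel16
        return 3 + struct.unpack("<h", jmp[1:3])[0]
    return None


def check_boot_sector(sec):
    """List anomaly codes; an empty list means the sector looks like a standard DOS boot record."""
    bpb = parse_boot_sector(sec)
    problems = []
    target = jump_target(bpb["jump"])
    # Boot code must start after the BPB (offset 0x1E onward) and inside the sector.
    if target is None or target < 0x1E or target > SECTOR_SIZE - 1:
        problems.append("bad-jump")
    if bpb["signature"] != b"\x55\xAA":
        problems.append("bad-signature")
    if bpb["bytes_per_sector"] != 512:
        problems.append("bad-sector-size")
    if bpb["sectors_per_cluster"] not in (1, 2, 4, 8, 16, 32, 64, 128):
        problems.append("bad-cluster-size")
    if bpb["fats"] not in (1, 2):
        problems.append("bad-fat-count")
    if bpb["media_descriptor"] != 0xF0 and not 0xF8 <= bpb["media_descriptor"] <= 0xFF:
        problems.append("bad-media")
    geometry = bpb["sectors_per_track"] * bpb["heads"]
    if geometry == 0 or bpb["total_sectors"] % geometry != 0:
        problems.append("bad-geometry")
    return problems


# Constructed samples: a clean sector and one whose boot code entry, media
# byte and signature have been overwritten.
CLEAN_SECTOR = build_boot_sector()
DAMAGED_SECTOR = build_boot_sector(jump=b"\x00\x00\x00", media=0x00,
                                   signature=b"\x00\x00")

if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_SECTOR), ("damaged", DAMAGED_SECTOR)):
        print(label, parse_boot_sector(sec)["oem"], check_boot_sector(sec))
```

Read the sector you feed this from the raw device or a disk image, not through a possibly infected running system: a resident boot-sector virus can intercept the read and hand back a clean-looking sector, so the check is only as trustworthy as the path the bytes took.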

------------------------------

Date: Mon, 19 Dec 1988 09:37 EST
From: J.D. Abolins
Subject: Re: Virus listings and the DIRTY DOZEN listings

The last DIRTY DOZEN listing I know of is the one from April 88-
version 8B. I have lost contact with Eric Newhouse since he left Los
Angeles and moved to Massachusetts. I have tried the new number
mentioned by the telephone company recording for the CREST BBS's
former number: no answer. So if anyone knows how to contact Eric
Newhouse and/or has a more recent version of the DIRTY DOZEN listing,
please let me know.

I have been seeking to start up such a listing and am willing to
carry on with it or help anybody else with such a project. But I
should mention some special challenges that Eric and I saw coming up
with computer viruses-

* The biggest challenge is that viruses (the "classic definition"
type, not the current popular designation), are carried WITHIN
other- usually otherwise legitimate - files. The other types of
"bogusware" (Trojans, worms, hacked or pirated software, etc.)
are distinct files by themselves. Being distinct files, they are
easier to spot and describe. Many have evident characteristics -
display screens, texts, promised effects,etc. Viruses do not
have these characteristics.

* So we need to develop a better cataloging system. I have read
several of these proposals and am still weighing them.

* Also, because the viruses tend to lack the "surface characteristics"
described above, a virus "dirty dozen" listing may not be as helpful
in prevention as in the detection and diagnosis of virus cases.

* The reporting of viruses as compared to other forms of "bogusware"
has been a "Swiss Cheese" - some substance and many holes. Samples
of the offending programs are virtually impossible to obtain.
Many victims of viruses are far more cautious in their comments than
the victims of Trojan Horses. So in any listings one does, there
will be a "fog factor" where the verification of facts is difficult.

For the last point, a trusted "go-between" might be a great help.
Dr. Highland of COMPUTERS & SECURITY magazine has been one such
"go-between" in my experience. Dr. Fred Cohen and some others also
can fill such a function. The reason for this is that people like Eric
Newhouse, I or most of the people on this discussion list lack the
credentials to establish trust sufficient for virus victims, especially
in industry and government, to share information. From the items that Dr.
Highland has shared with me, I can see the editing that he must do to
maintain the contact he has. Furthermore there are things that I have
been told by him and others that have come with a request for
confidentiality. So anybody who does this type of info clearing
has to have discretion and accountability.

In parting, I'll leave a partial listing of the major virus
cases I have come across in the past year or so-

Hebrew University case (aka Israeli virus and, unfortunately, the
misnomer - the "PLO virus", which I mention only so that if readers
run across such a reference, they will know what it really is.) There are
several variants of this virus.

The Lehigh University case

The AMIGA SCA virus

The BRAIN and its variants - ASHER, ASHTAR, ISHTAR, etc.

The MACMAG case

The SCORES virus

These are the ones that have gotten the most attention, but there are
others. Some bear resemblance to the cases mentioned. As I have listed
the virus cases, I notice another problem in making a listing: the
designation of the virus types. Unlike Trojan Horses, most viruses
don't go under a commonly used filename. Often, the site of the first
reported incident is used. This can lead to another hindrance to
reporting such cases. Many universities, companies, etc. do not desire
to have their names immortalized in the name of a virus. (This is
true for both computer and biological ones.) A more neutral form
of designating the viruses in any listings that I or others may do
would help to lessen this obstacle.

Thank you,

J. D. Abolins
301 N. Harrison Street, #197
Princeton, NJ 08540 (609) 292-7023

------------------------------

Date: 19 December 1988, 10:05:33 EST
From: David M. Chess CHESS at YKTVMV
Subject: Diskette write-protection (PC)

'way, 'way back, before VIRUS-L was even a digest, we went around
on this several times, and it was generally agreed that on virtually
all IBM PC compatible diskette drives, write protection with the
little tabs is in fact in hardware, and that software can't write
on a properly-tabbed diskette. If you have really seen a
write-protected diskette get infected, the possibilities are:

- You were using a tab that doesn't work (for instance, some
drives detect the tab optically, and some tabs are not
opaque!),
- The tab wasn't on right (dented, holed, etc),
- The drive is broken, and write-protection isn't working,
- The drive in question is a very non-standard one, with
software write-protection (and you happened to pick up a
virus that knows about that kind of drive!),
- The infection actually happened at a time different from
when you think it did (for instance, at least one version
of the Brain diddles the system so that if you try to
look at the boot sector while the virus is resident, you
will be shown an uninfected boot sector, even though the
real boot sector is in fact infected).

I think the whole list would be very interested if you could
duplicate the effect on correctly used, working, standard
hardware!

DC

------------------------------

Date: Mon, 19 Dec 88 11:38:41 EDT
From: Swifty LeBard <[email protected]>
Subject: article in pc magazine

two issues back in pc magazine, john dvorak wrote an article
pertaining to the issue of software manufacturers imbedding viruses
in their applications.
he stated that many companies are doing this to sort of 'do away
with the competition'. the virus writes itself to the boot disk and
when booted up searches for the competition. if found, it does some damage.
(the following is a hypothetical example!) i.e.
ashton tate writes a bug to the boot disk and upon booting up and using
foxbase, the bug does some mean things!

i hope that software (as well as hardware) manufacturers do not
continue implementing viruses to monopolize the market. heaven knows we small
at users will have to program our own applications!
swifty LeBard OO--=+

------------------------------

Date: Mon, 19 Dec 88 11:52:11 EST
From: "Christian J. Haller" <[email protected]>
Subject: Write protect tab and warm boot inadequacy, etc. (PC & Mac)

>> I found that if I booted a machine with an infected disk,
>> and then put a new clean boot disk WITH A WRITE PROTECT
>> TAB in the same machine and performed a warm boot, the new
>> disk also became infected. Nothing short of turning the
>> machine off and then back on was safe enough.
>Could some one please explain
>
>1. Why a warm boot by itself is not enough to prevent the spread of
>infection

A virus or Trojan already present in memory (because it was run since
the last cold boot) can trap keystroke combinations like Control-Alt-
Delete and fake a warm boot by calling a similar BIOS routine that does
not clear active memory. Power users would probably detect this from
noticing differences in timing and boot messages, but the potential is
there for deceit as long as the DRAM has power. CMOS will be even more
vulnerable, because it will usually keep memory even when the machine
is powered off. And unplugged. Thanks to batteries.

>2. How a write-protected boot disk could get infected during warm boot.

An IBM PC can write to a write protected floppy via a low level BIOS
directive which bypasses DOS and directly addresses the diskette drive
controller hardware. If the BIOS directive is absent from some versions
of DOS, it may still be possible to address the hardware below the BIOS
level.

(From a different poster:)
> We have for a long time been considering selling a MAC disk that
>would introduce the user to fractals that was written in Forth and was
>highly interactive and very much executable code. With all this virus
>stuff going around I have had to have second thoughts.

There is no known corresponding software bypass for Macs; i.e., a Mac
diskette is really hardware protected if its tab is slid to the corner
of the diskette. So your Mac disks should be safer.

> From what I can see, there is no absolutely safe way to guarantee
>that the disks I send out are virus free, and no safe way to prove
>they WERE virus free if they should later become infected.

From a purely technical perspective, I agree: there is no absolutely
safe proof that your machines are not ALREADY infected with some very
subtle virus that might pass itself on undetected. However, such a virus
would be very difficult to write if someone knowledgeable were looking
for it, and had access to the source code and compilers used to develop
the software intended for market. Furthermore, there are ways to prove
that the files you write and intend to ship are identical to the files
the end user is reading, even after years of use. The proof is
statistical, using polynomial checksums, for example; commercial products
will soon appear using this approach.

> 1.) Who is legally liable for a virus if a new disk bought by a
>customer has one? How does one prove that one did one's best to
>insure the disk was virus free? Does it matter that one did one's
>best or is it always the manufacturer's fault?

I'm no lawyer, but I have read that you can never tell what a jury will do.

> 2.) Should I produce the disk?

I would say yes, using reasonable caution. If you are sued, through no
real fault of your own, any good lawyer should be able to whip up a
countersuit. That's the way we're all going to get rich in 2007, by
suing each other. Kind of like a chain letter.

> 3.) What is going to happen to the software industry as a whole?

It will survive, and here is your best legal protection. If you use
common sense in your software distribution, look for evidence of known
viruses, compare files for unwanted modification, and provide checksum
info for recipients, you will be ahead of EVERYONE else in the software
industry and no one in her/his right mind would pick on you to sue. If
you also provide source code and info about the compilers you used, you
will STAY ahead of everyone else in the industry for years to come, and
your users will take care of a lot of your R&D by suggesting improvements
(if you play your cards right, they will write, test, and document these
improvements for you in return for favorable mention in your newsletter).
Acknowledge-To: <CJH@CORNELLA>
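
Christian's suggestion above, a manifest of polynomial checksums shipped with the files so that a user can later prove the files still match what the vendor wrote, looks like this in practice. The following is an added example, not code from Christian Haller or anyone else on the list. It uses CRC-32 as the polynomial checksum: a bit-by-bit implementation shows the polynomial arithmetic behind the term, zlib.crc32 cross-checks it, and the file contents, names and manifest format are constructed for the example.

```python
"""Polynomial-checksum manifest for a software distribution.

Added example for this digest; not code from Christian Haller or any other
poster. CRC-32 is used as the polynomial checksum: a bitwise implementation
shows the polynomial arithmetic, and zlib.crc32 cross-checks it. The
files below are constructed stand-ins for a shipped diskette.
"""
import zlib

CRC32_POLY = 0xEDB88320   # reflected form of the CRC-32 generator polynomial


def crc32_bitwise(data):
    """CRC-32 computed bit by bit: shift out each bit, XOR in the polynomial on a carry."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC32_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def crc32_library(data):
    """Same checksum via zlib, for cross-checking the bitwise version."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_manifest(files):
    """One line per file: CRC-32 (hex), size in bytes, name. Shipped alongside the files."""
    lines = ["%08X %d %s" % (crc32_bitwise(data), len(data), name)
             for name, data in sorted(files.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Inverse of build_manifest: {name: (crc, size)}."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            crc, size, name = line.split(" ", 2)
            entries[name] = (int(crc, 16), int(size))
    return entries


def verify_files(manifest_text, files):
    """Compare a set of files against the manifest.

    Returns {name: status} with status 'ok', 'modified', 'missing' (listed
    but absent) or 'unlisted' (present but not in the manifest).
    """
    expected = parse_manifest(manifest_text)
    report = {}
    for name, (crc, size) in expected.items():
        if name not in files:
            report[name] = "missing"
        elif len(files[name]) != size or crc32_bitwise(files[name]) != crc:
            report[name] = "modified"
        else:
            report[name] = "ok"
    for name in files:
        if name not in expected:
            report[name] = "unlisted"
    return report


# Constructed sample distribution and a tampered copy of it: the program has
# grown by 64 bytes, the README is gone, and an extra file has appeared.
SHIPPED = {
    "FRACTAL.COM": bytes(range(256)) * 4,
    "README.TXT": b"Fractal Explorer 1.0\r\nCompare MANIFEST before running.\r\n",
}
TAMPERED = {
    "FRACTAL.COM": SHIPPED["FRACTAL.COM"] + b"\x90" * 64,
    "EXTRA.COM": b"\xEB\xFE",
}
MANIFEST = build_manifest(SHIPPED)

if __name__ == "__main__":
    print(MANIFEST)
    print(verify_files(MANIFEST, SHIPPED))
    print(verify_files(MANIFEST, TAMPERED))
```

One caveat a practitioner would add to Christian's point: a CRC detects accidental corruption and naive modification (a virus appending itself to a program changes both size and checksum), but the checksum is linear, so an author who knows it is in use can adjust a few bytes to preserve it. For an adversarial guarantee the manifest needs a cryptographic hash and a signature over the manifest itself, which is beyond what this 1988 discussion considers.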

------------------------------

Date: Mon, 19 Dec 88 12:50:55 EST
From: Jim Kenyon <[email protected]>
Subject: Write protect tabs

From my old Apple ][+ days, and I know some IBM drives are the same,
not all drives look for a mechanical block over the write protect tab.
Many look for a block to a light beam....which means that if you are using
anything that is opaque or transparent, the beam will go right thru and
assume there's nothing there. Always use totally opaque tabs or you may get
a nasty surprise.

Another thing that has gotten lost in the discussion is the early comments
on viruses coming from the manufacturer. I've been hit with nVIR (MAC)
straight from the dealer....but from a commercial software package. NOT
from "fresh disks from reputable factories". It was put there by the
software vendor. Go for it Homer! Make sure you're clean and put a good
disclaimer on it. They don't come from the factory with viruses.

Jim Kenyon NetNorth [email protected]
Dept. of Anaesthesia
Toronto General Hospital

------------------------------

Date: Mon, 19 Dec 88 13:20:31 EST
From: Michael Palmer <[email protected]>
Subject: how vicious is nVIR? (Mac)

I find that one of my disks is infected by the nVIR virus. (My
thanks go to John Norstad of Stanford for a very informative posting
on the nVIR and Scores viruses - VIRUS-L, 15 Nov.) What can I expect
from nVIR - does it simply spread quietly or is it a 'timebomb' virus
that will eventually start doing damage to disks? How worried should I
be?
A mystery: all that nVIR appears to do when I run an infected
application is remove itself from that application, without adding
itself to another application as far as I can tell - the nVIR
resources disappear and the application's own resources are all the
same size as before infection. A virus can't get very far by behaving
like that, so what am I missing?
I would like to recommend the Vaccine program for the Mac (a
well-written INIT which alerts you to significant changes to
resources) - it's what first tipped me off.
The dates of other old postings to VIRUS-L concerning nVIR would
also be very useful.

With thanks,

Mike Palmer

------------------------------

Date: Mon, 19 Dec 1988 15:17:33 EST
From: Ken van Wyk <[email protected]>
Subject: my $0.02 on write protect tabs and reset keys (PC)

> Christian J. Haller writes (in this issue):
> A virus or Trojan already present in memory (because it was run since
> the last cold boot) can trap keystroke combinations like Control-Alt-
> Delete and fake a warm boot by calling a similar BIOS routine that does
> not clear active memory.
> ...
> but the potential is there for deceit as long as the DRAM has power.

On IBM PC compatibles, the Ctrl-Alt-Del sequence is a software driven
reset, therefore it is quite possible and feasible for a program to
trap the keyboard interrupt and fake a reboot (the Yale virus that
Chris Bracy showed me did this). During an *actual* reboot, all
interrupt vectors, etc., are initialized; thus, a virus that is active
would become inactive if an actual reboot takes place. The only way
(that I know of) that a virus could remain in memory would be to
simulate a boot process by loading the boot tracks, etc., while
remaining in "control" of its own interrupts and allocated memory.
Some machines do have hardware resets, however, which would prevent
this (a hardware reset forces the machine to perform a reboot as per a
power-up state). The Zenith Z-100 (8088 based, MS-DOS 3.1, non-IBM PC
compatible), for example, has a hardware reset that cannot be trapped
by software. In fact, most (all?) machines used hardware reset
buttons until the IBM PC came along, and then in the interest of
compatibility, other companies used software resets also...(10,000
lemmings can't be wrong! :-)

> Christian J. Haller writes (in this issue):
> An IBM PC can write to a write protected floppy via a low level BIOS
> directive which bypasses DOS and directly addresses the diskette drive
> controller hardware.

Can anyone verify that a program can write to a properly
write-protected disk? I just wrote a short MASM program that
attempted to use INT 13H function 03H (absolute disk write) to write
to a floppy disk, which was write-protected with an opaque (flat
black) write protect tab in a 5 1/4" 360k drive on a Zenith Z-386.
The program failed to write to a write-protected floppy disk, but (as
is to be expected) had no problems writing to a non-write-protected
disk. That's the closest ROM BIOS interrupt to the disk controller
hardware that I know of. Anyone want to write a short piece of code
that programs the disk controller itself without the aid of any
supplied interrupts?

This topic has been kicked around inconclusively here for some time
now, and unless someone can come up with a verifiable and duplicatable
method to get around a properly write-protected disk, then I think
that we should assume that it is not possible to circumvent.

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
Internet: <[email protected]>
BITNET: <LUKEN@LEHIIBM1>

Mom: Calvin, what do you need designer jeans for?!
Hobbes: Pssst, for the babes!
Calvin: The babes, Mom, I gotta look cool!

------------------------------

End of VIRUS-L Digest
*********************