|
Virus- L Digest, Vol 1, Issue 56
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
From: Kenneth R. van Wyk (The Moderator) <[email protected]>
Errors-To: [email protected]
To: [email protected]
BCC: [email protected]
Subject: VIRUS-L Digest V1 #56
Reply-to: [email protected]
--text follows this line--
VIRUS-L Digest Wednesday, 21 Dec 1988 Volume 1 : Issue 56
Today's Topics:
followup on alleged modem virus (PC)
File: Misc. Notes: Virus Listings / Pc Mag Article
Write protect circuitry on Apple II line
Re: Can virus be placed on blank formatted disk? (PC)
Write Protect Gritch
Can virus be placed on a blank formatted disk? (PC)
Nightline virus program
Questions about the Hard Drive (PC)
You can't fool the write protect line w/software (PC)
virus in bad sectors of an unbootable floppy (PC)
Problems with commercial software (PC)
---------------------------------------------------------------------------
Date: Wed, 21 Dec 1988 9:11:09 EST
From: Ken van Wyk <[email protected]>
Subject: followup on alleged modem virus (PC)
It's been brought to my attention that the report of a modem virus
here on VIRUS-L a couple weeks ago was a hoax. After looking at the
original announcement of the virus, I'm inclined to agree with that.
Specifically:
> TIME: TUE 10-04-88 03:17:41
> FROM: MIKE ROCHENLE
> TO: ALL
> SUBJ: Really nasty virus
> AREA: GENERAL (1)
>
> I've just discovered probably the world's worst computer virus yet.
> ...[Body of text deleted]
> do now is to stick to 1200 baud until we figure this thing out.
>
> Mike RoChenle
In addition to the fact that the reported virus is highly incredible,
as was pointed out by several of our readers, it's even more unlikely
that someone would have the name Mike RoChenle (read: Micro Channel).
Thus, unless someone can come forward with some substantial evidence
on this matter, I'd like for everyone to assume that the reported
virus was a hoax.
Obviously, I can't follow up on every message that gets sent to
VIRUS-L, but I would like to ask all persons submitting messages,
particularly when forwarding messages from other sources (as was the
case here), to confirm their sources of information, within reason. I
certainly don't want VIRUS-L to become a source of disinformation, and
I'm sure that the readers don't want that either.
Thanks in advance for everyone's cooperation on this. Oh, and Happy
Holidays to all!
Ken
------------------------------
Date: Wed, 21 Dec 1988 09:31 EST
From: [Ed. No From: field, I assume this is from J.D. Abolins?]
Subject: File: Misc. Notes: Virus Listings / Pc Mag Article
VIRUS LISTINGS: Brett Ingerman and anybody else interested in
compiling a virus "Dirty Dozen", let's keep in contact. Pam Kane
is putting up a message on Delphi in order to find out how to
contact Eric Newhouse. I still needto cull together some tools
for desinating the cases on the listing so that the listing does
drive university and other institutional public relations people
up the wall.
A possible format for a listing would a "neutral" identifier followed
by the various names the virus is called. Then the symptoms and any
particular qualities it may have. If the recovery procedure have any
special indications, these would be mentioned with the listing for the
virus. At the end of the listing would be general recovery procedures.
PC MAG ARTICLE: Recently somebody mentioned that John Dvorak's column
of a few months ago claimed that software writers were already using
viruses to attack competitors' products. From my recollections, the
gave this as a hypothetical future scenario, not as a statement of
current practice. While there have case were virus code was considered
as a means of dealing with piracy and copyright infringement, no
major "virus wars" are going on for now. (I have heard reports of
immature BBS SysOps sabotaging eachother's systems with Trojans and
viruses, but that's a different matter.)
------------------------------
Date: Wed, 21 Dec 88 08:27:39 EST
From: Joe Simpson <[email protected]>
Subject: Write protect circuitry on Apple II line
Apple 2 5.25 inch drives had circuit level protection for disk drive
write protection. Many people installed switches on the drive to
circumvent this.
------------------------------
Date: Wed, 21 Dec 88 09:15:15 EST
From: "Christian J. Haller" <[email protected]>
Subject: Re: Can virus be placed on blank formatted disk? (PC)
>Date: Wed, 21 Dec 88 06:44:57 EST
>From: "Homer W. Smith" <[email protected]>
> Still not clear on this. If I put a fresh floppy in the A drive
>and format it, can the virus be laid down on the floppy at this time?
Yes, if your FORMAT command has been subverted by a virus.
>If I then copy files from the C drive, can the virus be laid down at
>this time?
Yes, if your COPY or DISKCOPY or XCOPY command has been subverted.
> If I attempt to warm boot the machine with the empty floppy in
>place, this results in a failure to boot of course, but can the virus
>be laid down at this time?
Yes, if the warm boot key sequence has been trapped and subverted.
There is a BIOS call that generates a warm boot without clearing
active memory. There is no corresponding key combination that can
produce this, but a program can do it easily.
> Let's say the floopy gets infected. How can it then infect
>another machine? During a warm or cold boot with the floppy in
>place (causing boot failure)?
Yes, either one. The boot sector of the floppy is small, but can easily
point to someplace in memory, which could survive an apparent warm boot,
or to some obscure file on a hard disk, which could survive a cold boot.
> If the floppy is infected must it have bad sectors? Won't
>checkdsk find this out? If the disk has no bad sectors, does this
>mean the floppy is clean of all or just certain viruses?
With only a boot sector's worth of space, a virus couldn't be very
elaborate. A floppy-based virus would probably have info stored in
bad sectors, like Brain, but not necessarily. Given complete control
of the File Allocation Table, a virus could hide its presence by
appearing to be junk in unused sectors at the end of the diskette.
Given complete control of the disk controller hardware and its pattern
of representation in memory, other things may be possible, like writing
between the formatted sectors on the diskette, or outside the pattern
of formatted tracks. The PC system is more full of holes than Swiss
cheese, and I expect the same goes for other kinds of systems too.
> The implication in a past posting is that some brain viruses
>will cause debug to not execute properly d0:0. Is this the boot
>sector? And is this correct about brain?
I don't know about Brain's location in memory, but you could take a look
at the chapter on memory in the MS-DOS Encyclopedia in our Software
Lending Library, 126 CCC, Homer. Too bad you missed my talk on viruses.
- -Chris Haller
Acknowledge-To: <CJH@CORNELLA>
------------------------------
Date: Wed, 21 Dec 88 09:43:09 EST
From: Don Alvarez <boomer@space.mit.edu>
Subject: Write Protect Gritch
OK gang, we're now up to 547 comments on write protect tabs.
99.9% of these took the form of either "somebofy told me it was
hardware" or "somebody told me it was software." I may have missed
one, but near as I can recall, the ONLY PERSON who actually did
his homework right was our fearless leader, Ken.
I know Ken doesn't like people flaming on the list, so maybe I'll
get booted for saying this, but PLEASE, if somebody asks a question
which has a simple, yes or no answer, and you want to respond with
an nth generation rumor of unknown origin, keep it short, because
a thousand people or more are going to have to take the time to
read what you say. Better yet, if you want to respond to it,
be an experimentalist like ken and read the manual or write a piece
of code or something.
*Flame off*
- Don
+ ----------------------------------------------------------- +
| Don Alvarez MIT Center For Space Research |
| [email protected] 77 Massachusetts Ave 37-618 |
| (617) 253-7457 Cambridge, MA 02139 |
+ ----------------------------------------------------------- +
------------------------------
Date: Wed, 21 Dec 88 08:53:38 EST
From: Joe Simpson <[email protected]>
Subject: Can virus be placed on a blank formatted disk? (PC)
I'm sorry I was not clear. Viruses are a lot like game theory from hell.
1. Places for viruses to remain dormant.
If it's magnetic and fits in the drive it can be infected.
2. Places for viruses to be active.
As far as I know there is only one place for a to
be active. That is the computers primary store, where instructions
can be fetched and interpreted by the CPU. For most PC's this means
ram. Note that the ram may be battery backed up! If it is not,
then removing power from this ram is the ONLY safe way to kill an
active virus image.
3. How a virus activates.
As far as I know, all viruses are activated by inserting virus activation
code in software routinely executed by the PC. Obvious places for this
are the boot block of a floopy, with or without DOS on it, the DOS
hooks where reading and writing take place, and the keyboard interrupt
hook.
4. My conclusions.
If you have an active ram based image of a virus in your system,
it can do anything it has been programmed to accomplish, including
writing on any magnetic media it wants to. NOTE: Thanks to Ken's
rigorous inclinations, I feel comfortable in declaring that viruses
don't have access to write protected floppies on IBM PC's (old 5.25
style machines).
5. What can you do?
Pray
Run protection software like FluShot for partial protection.
Routinely check your hard disk for infection.
Sample floppies to check for virus infection.
Get a lawyer to write an obnoxiious, unfair, and effective statement
of limited liability.
------------------------------
Date: Wed, 21 Dec 88 10:06:28 -0500 (EST)
From: Leslie Burkholder <[email protected]>
Subject: Nightline virus program
Did anyone tape the Ted Koppel Nightline program on viruses (for
deferred viewing) run on 10 November? Please reply to
[email protected], rather than the list.
Thanks,
Leslie Burkholder
------------------------------
Date: Wed, 21 Dec 88 10:22:07 EDT
From: Swifty LeBard <[email protected]>
Subject: Questions about the Hard Drive (PC)
Query: What can any of the known viruses do to the Hard Disk?
Can they actually disrupt data, or even damage the drive?
It now seems that the viruses can actually infect write-protected
diskettes, how will this effect the hardware of the Hard Disk?
I also want to thank Christian J. Haller for his info. I learned
a lot from it! (I just joined virus-l).
+------------------------+
| O |
| ~|\o-# Swifty LeBard |
| // |
+------------------------+
[Ed. Oh no... Take a look at the following message from Richard Baum
and John Hunt; write-protection is done in hardware.]
------------------------------
Date: Wed, 21 Dec 88 11:40 EST
From: X-=*REB*=-X <[email protected]>
Subject: You can't fool the write protect line w/software (PC)
According to the circut diagram from IBM for IBM 5.25" diskette
drives, (From the logic diagram section in the IBM technical reference
guides) the write protect mechanism is a hardware device that takes
its input from the write protect switch. Normally, the switch remains
closed. When a write protect tab is placed in front of the switch, the
switch is opened. Then, the erase line and the write signals are
disabled. This is directly controlled by the switch. There is a
provision for this to be jumpered so that the drive permanently
ignores the write protect switch. Thus, all the talk recently of this
being controlled by software is incorrect.
Richard Baum & John Hunt
PS: We have not examined the circut diagrams for 3.5" drives, but we
assume that they work in a similar fashion.
________________________________________________________________
/InterNet:[email protected] BitNet: [email protected] ",
/ SlowNet: 508 E 4th St Suite #1, Bethlehem, PA 18015 215-867-8433",
/NJ Slownet: 861 Washington Avenue Westwood, NJ 07675 201-666-9207 ",
"--------------------------------------------------------------------"
If you'll be my Dixie chicken, I'll be your Tennessee lamb,
and we can walk together down in Dixie land...
[Ed. Thanks guys! The only possible weak link then would be a
malfunctioning write-protect sensor (normally an optic sensor, I
believe). If the light to the sensor passes through the tab due to
a tab being not opaque enough, then I'd assume that the drive might
believe that the drive is ok to write to. Likewise, if the light is
sent and detected on the same side of the disk via a reflector on the
other side, and if the write-protect tab itself is reflecting light,
then the detector might get an incorrect signal.
The solution, of course, is to use black non-reflecting write-protect
tabs, and to trust the hardware to do its job.
Let us all hope that this issue has been cleared up once and for all.
Thanks to everyone who helped out!]
------------------------------
Date: Wed, 21 Dec 88 11:24:26 EST
From: Jefferson Ogata (me!) <[email protected]>
Subject: virus in bad sectors of an unbootable floppy (PC)
There's no harm in a virus hanging out in "bad" sectors of an
unbootable, source-only floppy; the virus cannot be invoked. Even if
an executable is copied to the disk later, it won't be linked with the
virus in any way. All a virus can do by putting itself on bad sectors
is take up disk space, since nothing will ever read memory from those
sectors. The only danger will be if the virus is also in the boot
block somehow.
If the disk is bootable, or has an infected executable, then either of
those programs could load the virus off the bad sectors.
I don't know the format of the boot record, but if IBM did things with
their customary stupidity, the OS loads a boot program off the block
and attempts to execute, regardless of whether there was a boot
program actually on the disk. However, I give them credit for having
done something different, because if you try to boot a non-system
disk, it behaves in a predictable manner. So either the formatter
puts a program on the boot block that prints the message: Non-system
disk, etc., or the OS looks at the boot record and sees that there's
no boot program there.
Putting an unfunctional boot program there would allow virus infection
of an unbootable diskette, since the virus could hook up to the boot
program. Any time you did a warm boot, the virus would get executed
and then you'd see the non-system disk message. This would have been
a stupid design decision for (among others) precisely this reason.
Having the OS check for a boot program is a tougher situation for the
virus. In this case, there is a magic number or some other indication
of whether a program is residing on this block. The OS checks this
indicator and performs accordingly. A virus could still infect an
unbootable disk by jumping on the boot block and pretending it's a
boot program, but in order to be inconspicuous it would have to then
print out a non-system disk message and wait for the user to load a
new disk. I haven't heard of any virus that does this.
So there are basically two scenarios:
1: the OS always loads and executes whatever is on the boot block; in
this case, the formatter must always put a program in the boot
block, or the computer would hang.
2: the OS checks what's on the boot block and then loads and executes
it if there's something there.
In scenario 1 virus infection is pretty easy; in scenario 2, it requires
a more sophisticated virus. Does anyone know which is the actual case
(or if I've missed something)? Someone with a Technical Reference?
A corollary of scenario 2 is that if such a virus does not exist, there
is no danger in a virus inhabiting "bad" sectors of an unbootable,
source-only disk.
Some people have talked about doing low-level formats of their hard
disks in order to kill a virus. I'm curious as to what ye believe the
difference is as far as virus infection is concerned. Does a
bad-sector virus have some method of linking its lost segments back
into a file? Whenever a new FAT is created, no file will ever use
those bad sectors unless a virus links them up again. If the sectors
are recovered, their contents will be irrelevant. Even if the
contents remain in an execut- able file, through a very unusual
procedure involving a copy program that opens its output file
read-write, the virus code will no longer be part of the code segment
of the executable. And I don't think any such copy program exists
anyway.
So what is the thing with a low-level format that will destroy a virus
when a normal format won't?
- - Jeff Ogata
------------------------------
Date: 21 December 1988, 18:50:18 CET
From: Thomas Zielke 0441/798-3109 113355 at DOLUNI1
Subject: Problems with commercial software (PC)
We have recently heard from people having trouble formatting disks
on their MS-DOS-PCs. In fact their computers did not allow formatting,
reading or writing diskettes of any type. Some also reported that
some files or programmes residing on the harddisk were damaged or even
destroyed.
We have already found out that only those who had a copy of a game
called 'Leisure Suit Larry' installed on their disk were affected.
Actually, this game was to be found on some PCs at our Computer Center,
and the people in question 'just made a copy' of it.
Our problem now is: How can we get rid of that virus (at least, we
believe it to be one)? Has anybody heard of it and can help us
to solve our problem? I would be most glad to get some mail...
Yours truly
Thomas Zielke (113355 at DOLUNI1)
- - we never ask for a wonder - we simply produce one -
------------------------------
End of VIRUS-L Digest
*********************
|
|
