VIRUS-L Digest   Monday, 19 Dec 1988   Volume 1 : Issue 52

Today's Topics:
List of known viruses (PC & Mac)
MS-DOS and write protected diskettes
Re: Virus listings and the DIRTY DOZEN listings
Diskette write-protection (PC)
article in pc magazine
Write protect tab and warm boot inadequacy, etc. (PC & Mac)
Write protect tabs
how vicious is nVIR? (Mac)
my $0.02 on write protect tabs and reset keys (PC)

---------------------------------------------------------------------------

Date: Mon, 19 Dec 88 08:42:39 LCL
From: Bret Ingerman [{315} 443-1865]
Subject: List of known viruses (PC & Mac)

I just read someone else asking if there is a comprehensive list of viruses for the PC and Mac. I was the one who originally asked the question and volunteered to compile such a list. I have a copy of the Dirty Dozen, but it is out of date (Feb. 1988, I believe). I received a lot of replies from people on the list who thought a comprehensive file would be great. I'm still willing to edit one together.

What I need is for the "experts" to send me a note with the name of the virus, what system it can be found on, what it does, how to check for it, and how to eradicate it. It would also be nice if you would let me know if I can include your name/userid so that people with more involved questions can get in touch with you.

What does everyone think?

BRET INGERMAN
ACADEMIC COMPUTING SERVICES
SYRACUSE UNIVERSITY
BITNET: INGERMAN@SUVM
NOISENET: (315) 443-1865
SNAILNET: 215 Machinery Hall, Syracuse, NY 13244-1260 USA

Disclaimer: (use your favorite)

------------------------------

Date: Mon, 19 Dec 88 09:23:19 EST
From: Joe Simpson
Subject: MS-DOS and write protected diskettes

1. Media susceptible to virus attack.

Formatted MS-DOS diskettes with or without an operating system have a boot block. Some viruses, including Brain, can subvert this boot block and use it as a vector for infection.
Some viruses also can survive a warm boot. Thus it is quite possible for a disk containing only Fortran source code to be infected. This can happen while DOS as we know it is active, or after an attempt to warm boot the diskette on an infected computer.

2. Write protect tabs and protection.

This topic has come up before on this list. If the write protect circuitry works at the hardware level to prevent energizing the write head you are protected. If protection is the result of MS-DOS software sensing the tab and reacting accordingly, then the level of protection is substantially reduced. I know of no manufacturer who publicly asserts that one or the other of these alternatives has been chosen. Caveat Emptor. On a more positive note, there is weak evidence that the original IBM PCs used real hardware protection.

If anyone can authoritatively assert that brand X MS-DOS computers use one or the other form of protection, it would be wonderful to have the information, with source citation, posted to this list.

------------------------------

Date: Mon, 19 Dec 1988 09:37 EST
From: J.D. Abolins
Subject: Re: Virus listings and the DIRTY DOZEN listings

The last DIRTY DOZEN listing I know of is the one from April 88 - version 8B. I have lost contact with Eric Newhouse since he left Los Angeles and moved to Massachusetts. I have tried the new number mentioned by the telephone company recording for the CREST BBS's former number: no answer. So if anyone knows how to contact Eric Newhouse and/or has a more recent version of the DIRTY DOZEN listing, please let me know.

I have been seeking to start up such a listing and am willing to carry on with it or help anybody else with such a project. But I should mention some special challenges that Eric and I saw coming up with computer viruses:

* The biggest challenge is that viruses (the "classic definition" type, not the current popular designation) are carried WITHIN other, usually otherwise legitimate, files.
The other types of "bogusware" (Trojans, worms, hacked or pirated software, etc.) are distinct files by themselves. Being distinct files, they are easier to spot and describe. Many have evident characteristics - display screens, texts, promised effects, etc. Viruses do not have these characteristics.

* So we need to develop a better cataloging system. I have read several of these proposals and am still weighing them.

* Also, because the viruses tend to lack the "surface characteristics" described above, a virus "dirty dozen" listing may not be as helpful in prevention as in the detection and diagnosis of virus cases.

* The reporting of viruses as compared to other forms of "bogusware" has been a "Swiss Cheese" - some substance and many holes. Samples of the offending programs are virtually impossible to obtain. Many victims of viruses are far more cautious in their comments than the victims of Trojan Horses. So in any listing one does, there will be a "fog factor" where the verification of facts is difficult.

For the last point, a trusted "go-between" might be a great help. Dr. Highland of COMPUTERS & SECURITY magazine has been one such "go-between" in my experience. Dr. Fred Cohen and some others also can fill such a function. The reason for this is that people like Eric Newhouse, I or most of the people on this discussion list lack the credentials to establish trust sufficient for virus victims, especially in industry and government, to share information. From the items that Dr Highland has shared with me, I can see the editing that he must do to maintain the contact he has. Furthermore there are things that I have been told by him and others that have come with a request for confidentiality. So anybody who does this type of info clearing has to have discretion and accountability.
In parting, I'll leave a partial listing of the major virus cases I have come across in the past year or so:

The Hebrew University case (aka Israeli virus and, unfortunately, the misnomer "PLO virus", which I mention only so that if readers run across such a reference, they will know what it really is). There are several variants of this virus.
The Lehigh University case
The AMIGA SCA virus
The BRAIN and its variants - ASHER, ASHTAR, ISHTAR, etc.
The MACMAG case
The SCORES virus

These are the ones that have gotten the most attention, but there are others. Some bear resemblance to the cases mentioned.

As I have listed the virus cases, I notice another problem in making a listing: the designation of the virus types. Unlike Trojan Horses, most viruses don't go under a commonly used filename. Often, the site of the first reported incident is used. This can lead to another hindrance to reporting such cases. Many universities, companies, etc. do not desire to have their names immortalized in the name of a virus. (This is true for both computer and biological ones.) A more neutral form of designating the viruses in any listings that I or others may do would help to lessen this obstacle.

Thank you,
J. D. Abolins
301 N. Harrison Street, #197
Princeton, NJ 08540
(609) 292-7023

------------------------------

Date: 19 December 1988, 10:05:33 EST
From: David M. Chess (CHESS at YKTVMV)
Subject: Diskette write-protection (PC)

'Way, 'way back, before VIRUS-L was even a digest, we went around on this several times, and it was generally agreed that on virtually all IBM PC compatible diskette drives, write protection with the little tabs is in fact in hardware, and that software can't write on a properly-tabbed diskette.
If you have really seen a write-protected diskette get infected, the possibilities are:

- You were using a tab that doesn't work (for instance, some drives detect the tab optically, and some tabs are not opaque!),
- The tab wasn't on right (dented, holed, etc),
- The drive is broken, and write-protection isn't working,
- The drive in question is a very non-standard one, with software write-protection (and you happened to pick up a virus that knows about that kind of drive!),
- The infection actually happened at a time different from when you think it did (for instance, at least one version of the Brain diddles the system so that if you try to look at the boot sector while the virus is resident, you will be shown an uninfected boot sector, even though the real boot sector is in fact infected).

I think the whole list would be very interested if you could duplicate the effect on correctly used, working, standard hardware!

DC

------------------------------

Date: Mon, 19 Dec 88 11:38:41 EDT
From: Swifty LeBard
Subject: article in pc magazine

two issues back in pc magazine, john dvorak wrote an article pertaining to the issue of software manufacturers imbedding viruses in their applications. he stated that many companies are doing this to sort of 'do away with the competition'. the virus writes itself to the boot disk and when booted up searches for the competition. if found, it does some damage.

(the following is a hypothetical example!) i.e. ashton tate writes a bug to the boot disk and upon booting up and using foxbase, the bug does some mean things!

i hope that software (as well as hardware) manufacturers do not continue implementing viruses to monopolize the market. heaven knows we small at users will have to program our own applications!

swifty LeBard OO--=+

------------------------------

Date: Mon, 19 Dec 88 11:52:11 EST
From: "Christian J. Haller"
Subject: Write protect tab and warm boot inadequacy, etc.
(PC & Mac)

>> I found that if I booted a machine with an infected disk,
>> and then put a new clean boot disk WITH A WRITE PROTECT
>> TAB in the same machine and performed a warm boot, the new
>> disk also became infected. Nothing short of turning the
>> machine off and then back on was safe enough.

>Could some one please explain
>
>1. Why a warm boot by itself is not enough to prevent the spread of
>infection

A virus or Trojan already present in memory (because it was run since the last cold boot) can trap keystroke combinations like Control-Alt-Delete and fake a warm boot by calling a similar BIOS routine that does not clear active memory. Power users would probably detect this from noticing differences in timing and boot messages, but the potential is there for deceit as long as the DRAM has power. CMOS will be even more vulnerable, because it will usually keep memory even when the machine is powered off. And unplugged. Thanks to batteries.

>2. How a write-protected boot disk could get infected during warm boot.

An IBM PC can write to a write protected floppy via a low level BIOS directive which bypasses DOS and directly addresses the diskette drive controller hardware. If the BIOS directive is absent from some versions of DOS, it may still be possible to address the hardware below the BIOS level.

(From a different poster:)

> We have for a long time been considering selling a MAC disk that
>would introduce the user to fractals that was written in Forth and was
>highly interactive and very much executable code. With all this virus
>stuff going around I have had to have second thoughts.

There is no known corresponding software bypass for Macs; i.e., a Mac diskette is really hardware protected if its tab is slid to the corner of the diskette. So your Mac disks should be safer.
> From what I can see, there is no absolutely safe way to guarantee
>that the disks I send out are virus free, and no safe way to prove
>they WERE virus free if they should later become infected.

From a purely technical perspective, I agree: there is no absolutely safe proof that your machines are not ALREADY infected with some very subtle virus that might pass itself on undetected. However, such a virus would be very difficult to write if someone knowledgeable were looking for it, and had access to the source code and compilers used to develop the software intended for market. Furthermore, there are ways to prove that the files you write and intend to ship are identical to the files the end user is reading, even after years of use. The proof is statistical, using polynomial checksums, for example; commercial products will soon appear using this approach.

> 1.) Who is legally liable for a virus if a new disk bought by a
>customer has one? How does one prove that one did one's best to
>insure the disk was virus free? Does it matter that one did one's
>best or is it always the manufacturer's fault?

I'm no lawyer, but I have read that you can never tell what a jury will do.

> 2.) Should I produce the disk?

I would say yes, using reasonable caution. If you are sued, through no real fault of your own, any good lawyer should be able to whip up a countersuit. That's the way we're all going to get rich in 2007, by suing each other. Kind of like a chain letter.

> 3.) What is going to happen to the software industry as a whole?

It will survive, and here is your best legal protection. If you use common sense in your software distribution, look for evidence of known viruses, compare files for unwanted modification, and provide checksum info for recipients, you will be ahead of EVERYONE else in the software industry and no one in her/his right mind would pick on you to sue.
If you also provide source code and info about the compilers you used, you will STAY ahead of everyone else in the industry for years to come, and your users will take care of a lot of your R&D by suggesting improvements (if you play your cards right, they will write, test, and document these improvements for you in return for favorable mention in your newsletter).

------------------------------

Date: Mon, 19 Dec 88 12:50:55 EST
From: Jim Kenyon
Subject: Write protect tabs

From my old Apple ][+ days, and I know some IBM drives are the same, not all drives look for a mechanical block over the write protect tab. Many look for a block to a light beam.... which means that if you are using anything that is opaque or transparent, the beam will go right thru and assume there's nothing there. Always use totally opaque tabs or you may get a nasty surprise.

Another thing that has gotten lost in the discussion is the early comments on viruses coming from the manufacturer. I've been hit with nVIR (MAC) straight from the dealer.... but from a commercial software package. NOT from "fresh disks from reputable factories". It was put there by the software vendor.

Go for it Homer! Make sure you're clean and put a good disclaimer on it. They don't come from the factory with viruses.

Jim Kenyon
NetNorth TGHVET@UTORONTO.CA
Dept. of Anaesthesia
Toronto General Hospital

------------------------------

Date: Mon, 19 Dec 88 13:20:31 EST
From: Michael Palmer
Subject: how vicious is nVIR? (Mac)

I find that one of my disks is infected by the nVIR virus. (My thanks go to John Norstad of Stanford for a very informative posting on the nVIR and Scores viruses - VIRUS-L, 15 Nov.) What can I expect from nVIR - does it simply spread quietly or is it a 'timebomb' virus that will eventually start doing damage to disks? How worried should I be?
A mystery: all that nVIR appears to do when I run an infected application is remove itself from that application, without adding itself to another application as far as I can tell - the nVIR resources disappear and the application's own resources are all the same size as before infection. A virus can't get very far by behaving like that, so what am I missing?

I would like to recommend the Vaccine program for the Mac (a well-written INIT which alerts you to significant changes to resources) - it's what first tipped me off. The dates of other old postings to VIRUS-L concerning nVIR would also be very useful.

With thanks,
Mike Palmer

------------------------------

Date: Mon, 19 Dec 1988 15:17:33 EST
From: Ken van Wyk
Subject: my $0.02 on write protect tabs and reset keys (PC)

> Christian J. Haller writes (in this issue):
> A virus or Trojan already present in memory (because it was run since
> the last cold boot) can trap keystroke combinations like Control-Alt-
> Delete and fake a warm boot by calling a similar BIOS routine that does
> not clear active memory.
> ...
> but the potential is there for deceit as long as the DRAM has power.

On IBM PC compatibles, the Ctrl-Alt-Del sequence is a software driven reset, therefore it is quite possible and feasible for a program to trap the keyboard interrupt and fake a reboot (the Yale virus that Chris Bracy showed me did this). During an *actual* reboot, all interrupt vectors, etc., are initialized; thus, a virus that is active would become inactive if an actual reboot takes place. The only way (that I know of) that a virus could remain in memory would be to simulate a boot process by loading the boot tracks, etc., while remaining in "control" of its own interrupts and allocated memory. Some machines do have hardware resets, however, which would prevent this (a hardware reset forces the machine to perform a reboot as per a power-up state).
The Zenith Z-100 (8088 based, MS-DOS 3.1, non-IBM PC compatible), for example, has a hardware reset that cannot be trapped by software. In fact, most (all?) machines used hardware reset buttons until the IBM PC came along, and then in the interest of compatibility, other companies used software resets also... (10,000 lemmings can't be wrong! :-)

> Christian J. Haller writes (in this issue):
> An IBM PC can write to a write protected floppy via a low level BIOS
> directive which bypasses DOS and directly addresses the diskette drive
> controller hardware.

Can anyone verify that a program can write to a properly write-protected disk? I just wrote a short MASM program that attempted to use INT 13H function 03H (absolute disk write) to write to a floppy disk, which was write-protected with an opaque (flat black) write protect tab in a 5 1/4" 360k drive on a Zenith Z-386. The program failed to write to a write-protected floppy disk, but (as is to be expected) had no problems writing to a non-write-protected disk. That's the closest ROM BIOS interrupt to the disk controller hardware that I know of. Anyone want to write a short piece of code that programs the disk controller itself without the aid of any supplied interrupts?

This topic has been kicked around inconclusively here for some time now, and unless someone can come up with a verifiable and duplicatable method to get around a properly write-protected disk, then I think that we should assume that it is not possible to circumvent.

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
Internet:
BITNET:

Mom: Calvin, what do you need designer jeans for?!
Hobbes: Pssst, for the babes!
Calvin: The babes, Mom, I gotta look cool!

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
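Christian Haller's reply in this digest points to polynomial checksums as the way a vendor can show that the files on a shipped disk are still the files the user is reading, and Ken van Wyk asks for verifiable experiments. The following is an added example, not code from the digest or from any of its posters: a CRC-32 (the polynomial checksum PKZIP and zlib use) computed by hand as polynomial division, a vendor-side manifest with one checksum per file, and a user-side check that names any patched, missing or unexpected file. The disk contents and file names are constructed samples.

```python
import zlib  # standard library; used only to cross-check the hand-rolled CRC

# CRC-32 in its usual reflected form: generator polynomial 0xEDB88320,
# initial register 0xFFFFFFFF, final XOR 0xFFFFFFFF (the PKZIP/zlib variant).
CRC32_POLY = 0xEDB88320


def crc32(data: bytes) -> int:
    """Bitwise polynomial division over GF(2); slow but easy to audit."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC32_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Sanity check: our division must agree with the library implementation."""
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def build_manifest(files: dict) -> dict:
    """Vendor side: one checksum per shipped file, ready to print on the label."""
    return {name: f"{crc32(body):08X}" for name, body in sorted(files.items())}


def verify(files: dict, manifest: dict) -> list:
    """User side: names of files that are altered, missing, or not in the manifest."""
    bad = [name for name, expected in manifest.items()
           if name not in files or f"{crc32(files[name]):08X}" != expected]
    bad += [name for name in files if name not in manifest]
    return sorted(bad)


# Constructed sample "distribution diskette" (hypothetical files, not a real product).
SHIPPED = {
    "FRACTAL.COM": bytes(range(256)) * 4,
    "README.TXT": b"Fractal explorer, written in Forth.\r\n",
}


def tampered_copy() -> dict:
    """The same disk after a single byte of FRACTAL.COM has been patched."""
    copy = dict(SHIPPED)
    copy["FRACTAL.COM"] = b"\xEB" + SHIPPED["FRACTAL.COM"][1:]
    return copy


if __name__ == "__main__":
    manifest = build_manifest(SHIPPED)
    for name, sum_ in manifest.items():
        print(f"{name:12} CRC-32 {sum_}")
    print("clean disk   :", verify(SHIPPED, manifest))          # []
    print("patched disk :", verify(tampered_copy(), manifest))  # ['FRACTAL.COM']
```

A CRC detects accidental corruption and any single change shorter than 32 bits with certainty, but it is linear, so a party who can rewrite the file can also make the checksum match; where deliberate tampering is the concern, publish a cryptographic hash (hashlib.sha256) out of band instead.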