
Conference hydra::amiga_v1

Title: AMIGA NOTES
Notice: Join us in the *NEW* conference - HYDRA::AMIGA_V2
Moderator: HYDRA::MOORE
Created: Sat Apr 26 1986
Last Modified: Wed Feb 05 1992
Last Successful Update: Fri Jun 06 1997
Number of topics: 5378
Total number of notes: 38326

2070.0. "New Virus/Viri" by ALAZIF::WHERRY (Celebrate Gotham's Tricentennial) Tue Jan 03 1989 15:45

              <<< MSBIS::DISK15:[USENET.AMIGA]AMIGA_TECH.NOTE;2 >>>
                    -< USENET comp.sys.amiga.tech articles >-
================================================================================
Note 1032.0                  New Year's Virus Report                     1 reply
MSBIS::LANDINGHAM "cbmvax!grr"                       56 lines   1-JAN-1989 18:09
--------------------------------------------------------------------------------

Newsgroups: comp.sys.amiga,comp.sys.amiga.tech
Path: decwrl!labrea!rutgers!mailrus!ncar!ames!oliveb!amiga!cbmvax!grr
Subject: New Year's Virus Report
Posted: 1 Jan 89 00:08:28 GMT
Organization: Commodore Technology, West Chester, PA
Xref: decwrl comp.sys.amiga:29844 comp.sys.amiga.tech:3659
 
The following Virus report was posted on BIX today. My recollection is that
Steve is English, so perhaps this virus hasn't arrived here.  Still, be
warned and take the usual care with suspicious disks...
 
TITLE: New Virus
While I'm not 100% certain of all the details of what this virus does,
(I got it yesterday), I figure I should post this anyway.
 
(What I do say here, I'm quite certain of).
 
I received in the mail a new virus, from 2 different continents on the
same day.  This one's NOT just another bootblock virus.
 
This one affects executable programs.  It attaches itself to them.
But not just any executable (thankfully), what it does, is it parses
your startup-sequence looking for the first executable program there.
That's the one it hits.
 
It doesn't seem to be malicious in any way, though it will crash
your machine under KS 1.3.  It intercepts the OpenLibrary() call
(that's how it stays around: whenever OpenLibrary is called,
it again checks the startup sequence, thinking maybe a disk has
changed; it uses ":S/Startup-sequence" so it will go after any
SS on the current disk).  It also uses a KickTagPtr, but I'm
not sure what for yet.  Seems to take about 10 seconds longer
to boot, though.
 
Easy way to protect yourself from it:  Change your startup sequence on
any disk in any drive, so that the first character before the first
executable filename is a TAB.  The virus tries to Open() the whole line,
parses out a few characters, but not the tab.  Note that if you use a
pathname as in DH0:C/BLAH, and you put a tab in front, you'll get a
requester for [TAB]DH0:.  Just use [TAB]C/BLAH or whatever.
 
For those out there who have been safe from boot block viruses thus
far, well, this one you can get from a downloaded program.  Ick.
I'll be posting a little utility soon to check a program for this
specific virus.
 
(Also, last thing it does:  On its first invocation in a session,
it will set the title bar of the ActiveWindow to its name
(IRQ virus), and since it's running as the first thing in your
startup sequence, it's changing the initial CLI window's title.)
 
      ...Steve
-- 
George Robbins - now working for,	uucp: {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing	arpa: cbmvax!grr@uunet.uu.net
Commodore, Engineering Department	fone: 215-431-9255 (only by moonlite)
================================================================================
Note 1032.1                  New Year's Virus Report                      1 of 1
MSBIS::LANDINGHAM "cbmvax!grr"                       41 lines   1-JAN-1989 18:10
--------------------------------------------------------------------------------

Newsgroups: comp.sys.amiga,comp.sys.amiga.tech
Path: decwrl!labrea!eos!ames!lll-lcc!pyramid!cbmvax!grr
Subject: Re: New Year's Virus Report
Posted: 1 Jan 89 07:30:17 GMT
Organization: Commodore Technology, West Chester, PA
Xref: decwrl comp.sys.amiga:29848 comp.sys.amiga.tech:3661
 
More info from Steve Tibbett and co. and on the New Year's virus this evening:
 
From BIX:
 
==========
One more item on the IRQ virus.  If it can't attack your Startup-Sequence
it will home in on C:DIR just to be sure that it gets executed.
This is a benign intruder that can mutate to something real nasty in the
hands of a sicko.  We have the start of a real problem here.
Djj
 
[ which is to say it will modify the dir command if it can't mess
     with the startup-sequence... ]
 
==========
No, (I'm a bit rusty on this hunk stuff) I believe it sticks another code
hunk at the beginning of your program, about 1.1K, and when it's done
its job, it calls your original program.
 
Note that if the first file in your startup sequence is over 100K
long, it won't infect it.  (big help, that... 8-)
 
I'm thinking of having an option in VirusX (or probably a separate
standalone utility) that would block any CMD_WRITE operation to a
disk device (and something that would just block Write() attempts),
and give the user a requester showing who asked for the Write, and
a Yes/No option.  Not much good for general use, but it would
help when checking out unknown programs.
 
 ...Steve
-- 
George Robbins - now working for,	uucp: {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing	arpa: cbmvax!grr@uunet.uu.net
Commodore, Engineering Department	fone: 215-431-9255 (only by moonlite)
    
2070.1. "Grrrr" by VTHRAX::KIP Tue Jan 03 1989 16:56, 2 lines
    I'd like to meet one of these virus writers on the street.
    
2070.2. "How about this...." by GLDOA::SPATOULAS (George Spatoulas Eng. Consultant) Wed Jan 04 1989 12:45, 18 lines
    I just had an Idea.... zzzz.......
    
    
    May be the thing to do is to have a shutdown program that takes
    a snapshot of your system disk before you turn it off or any other
    time you request it.  If it is the same as the previous snapshot
    then everything is o.k. if not it should show the differences. 
    
    The snapshot should record the following of the system diskette:
    
    - boot record info
    - all the files (the files of the system disk do not change often)
    - the files' size, checksum, etc.
    
    .....Just a bright morning idea......zzzz....

    
    ...gss...
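The snapshot-and-compare idea in the reply above, as an added example in Python that is not code from this thread or from VirusX: it records every file's size and SHA-256 (the "size, checksum" the note lists), keeps the baseline in a JSON-serialisable form, and reports added, removed and changed files together with the size delta, so a program that has unexpectedly grown by a kilobyte or so stands out. The boot-record check the note also mentions is not included, and the disk layout, file contents and the altered file are all constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file under root (relative POSIX path) to its size and SHA-256."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            snap[p.relative_to(root).as_posix()] = {
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            }
    return snap

def diff_snapshots(old, new):
    """Compare two snapshots; each changed entry carries its size delta in bytes."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {name: new[name]["size"] - old[name]["size"]
               for name in sorted(set(old) & set(new)) if old[name] != new[name]}
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed system-disk layout; returns the diff after one file is altered."""
    with tempfile.TemporaryDirectory() as d:
        disk = Path(d)
        (disk / "S").mkdir()
        (disk / "C").mkdir()
        (disk / "S" / "Startup-Sequence").write_text("C/SetPatch\nC/Dir\n")
        # Dummy executables: Amiga hunk-header magic (0x3F3) followed by filler bytes.
        (disk / "C" / "SetPatch").write_bytes(b"\x00\x00\x03\xf3" + b"A" * 2000)
        (disk / "C" / "Dir").write_bytes(b"\x00\x00\x03\xf3" + b"B" * 5000)
        # Round-trip the baseline through JSON, as a snapshot saved to disk would be.
        baseline = json.loads(json.dumps(snapshot(disk)))
        # Constructed change: 1100 bytes prepended to the first program in the sequence.
        first = disk / "C" / "SetPatch"
        first.write_bytes(b"X" * 1100 + first.read_bytes())
        return diff_snapshots(baseline, snapshot(disk))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```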
2070.3. (untitled) by MTWAIN::MACDONALD (WA1OMM 7.093/145.05/223.58 AX.25) Wed Jan 04 1989 16:55, 3 lines
    VirusX V3.0 not only identifies the IRQ virus but comes with a special
    utility to purge your system of it. I'll put it on PAULY"AMIGA"::
    tonight.
2070.4. "New VirusX V3.1" by MTWAIN::MACDONALD (WA1OMM 7.093/145.05/223.58 AX.25) Fri Jan 06 1989 13:31, 4 lines
    There is yet another VirusX out .. V3.1. V3.0 had a minor bug. I'll
    post if the net will stay up long enough for me this weekend.
    
    
2070.5. (untitled) by CSC32::J_PARSONS (Like Lesser Birds on the 4 Winds...) Sun Jan 08 1989 14:05, 2 lines
    Does anyone have this in another location? I can't get anything
    copied from PAULY"AMIGA":: today.
2070.6. (untitled) by MTWAIN::MACDONALD (WA1OMM 7.093/145.05/223.58 AX.25) Wed Apr 11 1990 08:19, 2 lines
    Try  PAULY"AMIGA"::[UTILITIES]VIRUSX31.ZOO
    
2070.7. (untitled) by CSC32::J_PARSONS (Like Lesser Birds on the 4 Winds...) Mon Jan 09 1989 18:51, 2 lines
    I get an RMS-F-DNF error on that, but at least the access to PAULY
    appears to be going through. Does the UTILITIES directory exist?
2070.8. (untitled) by MTWAIN::MACDONALD (WA1OMM 7.093/145.05/223.58 AX.25) Tue Jan 10 1989 01:43, 2 lines
    Try pauly"amiga"::dw003:[utilities]
    
2070.9. "protected" by DECWET::TBAKER (Tom Baker - DECwest CSSE) Tue Jan 10 1989 02:46, 6 lines
    
    >    Try pauly"amiga"::dw003:[utilities]

    
    protection violation
    
2070.10. "One more time" by MTWAIN::MACDONALD (WA1OMM 7.093/145.05/223.58 AX.25) Tue Jan 10 1989 10:35, 5 lines
    Oookay ... how about ...
    
    PAULY"AMIGA"::DW003:[UTILITIES]VIRUSX31.ZOO
    
    Should be okay .. trust me!
2070.11. (untitled) by CSC32::J_PARSONS (Like Lesser Birds on the 4 Winds...) Tue Jan 10 1989 11:02, 3 lines
    If anyone can get this off node PAULY, please post the location
    so I can get a copy of it. I don't think I have ever been successful
    in copying anything through the network from this node.
2070.12. (untitled) by WJG::GUINEAU Tue Jan 10 1989 11:18, 5 lines
I'll have to second that. I've started copies from PAULY that "hung" for
days without a single block copied...


John
2070.13. "Are you running VMS Ver. 5.0" by CGFSV2::CADAMS (Clint Adams - Calgary, Canada) Tue Jan 10 1989 14:58, 23 lines
>< Note 2070.12 by WJG::GUINEAU >


>I'll have to second that. I've started copies from PAULY that "hung" for
>days without a single block copied...


>John

Yup...

That's the case here since we went to VMS Ver. 5. There seems to be
some incompatibility between the PRO Net file transfer and VMS Ver. 5.

I will use a Ver 4.7 Node to bring it down and it should be in
CGOU01::AMNEW: before too long.

                Regards... Clint

P.S. - Has anyone pulled the new Version of Bankn off of Fish Disk
163? I don't have access to that Fish Disk and would like to see what
the improvements are. An Upload of just Bankn or the whole disk would
be much appreciated.
2070.14. "It'll be on VMS 5 soon!" by MTWAIN::MACDONALD (WA1OMM 7.093/145.05/223.58 AX.25) Tue Jan 10 1989 15:33, 3 lines
    Interesting ... if I can free up enough blocks, I'll be creating
    a new library of files on MTWAIN::USER:[MACDONALD.AMIGA]. Film at
    11.
2070.15. "The fun just never stops" by CRISTA::CAPRICCIO (Am I getting enough Oat Bran?) Sun Feb 26 1989 06:32, 27 lines
    You can find Steve Tibbett's latest version of VirusX (V3.2) at:

                     CRISTA""::AMIGA:VIRUSX32.ZOO

VirusX 3.2 Release Note:


8 new viruses, and one new option - CHECK.  If you say
VirusX CHECK, VirusX will check RAM and installed disks, then
quit.  Great for including VirusX with release disks.

Last Minute Bug Report:

VirusX waits for a NEWSIZE message before doing anything after
changing the size of a window.  Now, the OS doesn't bother sending
the NEWSIZE message if the window isn't currently selected.

Sooo, if you tell VirusX to resize the window somehow (using the
right mouse button, maybe), then you de-select the VirusX window,
VirusX will lock up.  

I'll try and fix it next version.


			...Steve

2070.16. "What does the HCS virus do?" by MQOFS::DESROSIERS (Lets procrastinate....tomorrow) Wed May 10 1989 16:13, 6 lines
    Does anyone know what the HCS virus does?  I had a disk infected
    with this one, and I tried to see what it did from the VIRUSX 3.2
    docs and release notes as well as the C source, but no answers.
    
    Jean
    
2070.17. "Latest VirusX ?" by SUBSYS::BUSCH (Dave Busch, NKS1-2/H6) Fri May 12 1989 17:41, 15 lines
What is the revision, and where can I find a copy of the latest VirusX? 

Also, I seem to recall that there was word of a "blenny" or phoney VirusX
floating around waiting for a chance to attack an unprotected system. If so, how
do I avoid getting it?

Dave


(Note: The cleaner wrasse is a small fish which normally picks parasites from
the body of a larger host. The blenny is a fish which masquerades as a wrasse, 
with one major exception. When allowed to approach, it takes a bite out of the 
host.)


2070.18. "Stay away from Sushi" by CRISTA::CAPRICCIO (Am I getting enough Oat Bran?) Fri May 12 1989 21:04, 27 lines