Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!zaphod.mps.ohio-state.edu!brutus.cs.uiuc.edu!apple!snorkelwacker!husc6!m2c!wpi!crimson
From: crimson@wpi.wpi.edu (The Wanderer)
Newsgroups: comp.sys.mac,wpi.sys.mac
Subject: More fun with nasty trojans & virii
Message-ID: <7728@wpi.wpi.edu>
Date: 6 Feb 90 01:38:37 GMT
Reply-To: crimson@wpi.wpi.edu (The Wanderer)
Organization: Worcester Polytechnic Institute, Worcester, MA
Lines: 257

From bk1a+@andrew.cmu.edu Sat Feb 3 20:33:50 1990
From: Bryan Michael Kearney
To: crimson@wpi
Subject: Fwd: Some Virus Background

Thought you may find this interesting.....

-- bryan

---------- Forwarded message begins here ----------
Return-path:
Date: Fri, 2 Feb 90 13:11:34 -0500 (EST)
From: Thomas Louis Stachura
To: Bryan Michael Kearney
Subject: Fwd: Some Virus Background

---------- Forwarded message begins here ----------
Return-path:
Date: Thu, 1 Feb 90 14:09:43 -0500 (EST)
From: Howard Haruo Fukuda
To: User Services Students
Subject: Some Virus Background

Since there was a request for more info on viruses and since I'm sooo busy here in CFA (4 users), here's some stuff known about Mac viruses. We basically see two types of viruses on campus, nVIR and WDEF, and I haven't seen any of the others, like HPAT or INIT 29.

nVIR has been around a while. Story has it that "to better the Mac community" a magazine published the source code of this virus in hopes that the Mac would be made more virus-resistant. As a result, nVIR has many strands and clones. We see mostly two strands called nVIR A or B. There is an officially released version of Disinfectant 1.6 (released about 2 days ago) that will handle nVIR and all nVIR clones like AIDS, MEV#, and a newly discovered clone found at Stanford that uses a certain 4 letter word for its signature (*uck).

nVIR infects applications, the System file, and the Finder. If an infected application is run, the virus will try to spread to other applications, System, and Finders. If a disk with an infected System or Finder is the boot disk, the virus will try to infect as many applications as it can. To stop nVIR from spreading, we use RWatcher on all of our startup disks. If an infected application is opened, it will try to infect other applications immediately, and RWatcher will intercept this, beep 10 times, and then exit the application. However, some of our application disks, like MacWrite, could still be infected if a user has his/her own startup disk which is infected. nVIR is transparent if RWatcher, Vaccine, GateKeeper, or SAM is not present. The only other symptom is that the user may get a system error while trying to print.

WDEF is one of the newest viruses. WDEF was made to elude normal virus protection schemes like Vaccine, GateKeeper, RWatcher, and SAM. WDEF does not infect applications, but the desktop file on each disk. WDEF can spread simply by inserting an infected disk into the disk drive when the Finder is running. If a disk that has WDEF is the startup disk, all disks inserted will be infected. WDEF can be removed if the desktop is rebuilt (hold down command-option and insert the disk), but the best way is to use Disinfectant 1.5 or 1.6. In general, WDEF is transparent. A second strand of WDEF, called WDEF B, will beep when it infects a disk, but WDEF, which has been seen on campus, will not. More system errors may occur, some erratic MultiFinder, MacWrite II, or Word behavior may occur, but not necessarily. WDEF will crash a Mac IIci and be very buggy on IIcx's, but in general it spreads silently. In Baker, many disks that "need minor repairs" were infected by WDEF A; however, a disk can be infected without giving this error. In general, the only way to tell if a disk is infected is to run Disinfectant 1.5 or 1.6, or use GateKeeper Aid. Disinfectant has quite a detailed set of information on viruses; if you want to know more, press the "about" box when you run it.

-Howard

From @po2.andrew.cmu.edu:bk1a+@andrew.cmu.edu Sun Feb 4 23:50:13 1990
Date: Sun, 4 Feb 90 23:47:51 -0500 (EST)
From: Bryan Michael Kearney
To: crimson@wpi
Subject: Fwd: Mosaic & FontFinder VIRUS!

---------- Forwarded message begins here ----------
Return-path:
Date: Sun, 4 Feb 90 22:37:03 -0500 (EST)
From: Thomas Louis Stachura
To: Bryan Michael Kearney
Subject: Fwd: Mosaic & FontFinder VIRUS!

---------- Forwarded message begins here ----------
Return-path:
Date: Sat, 3 Feb 90 21:45:28 -0500 (EST)
From: Pythagoras Christian Watson
To: User Services Students
Subject: Fwd: Mosaic & FontFinder VIRUS!

For those who don't read the cmu.mac bboard, I thought you should see this.

Forwarded message begins here:----------------------------------------------

Not having seen anything on the net about the viruses embedded into the applications Mosaic and FontFinder, I decided to post this message I received through email. If this is a re-post, well, sorry for wasting the bandwidth, but this is a fairly important topic and I didn't want anybody to miss it.

-------------------------------------------------------------------------

>From Christopher.A.Lasell@mac.dartmouth.edu Fri Feb 2 18:51:13 1990
Date: 02 Feb 90 18:47:56
From: Christopher.A.Lasell@mac.dartmouth.edu
To: Virus.Info@mac.dartmouth.edu, consultants@dartvax.dartmouth.edu (Kiewit Consultants), crc-staff@mac.dartmouth.edu, stu-asst@dartvax.dartmouth.edu
Subject: NEW VIRUS!!!!

--- Forwarded Message from rickc@eleazar.dartmouth.edu (Frederick L. Crabbe) ---

We have detected a new (to us) Macintosh trojan at the University of Alberta. Two different strains have been identified. Both are dangerous.

The first strain is embedded in a program called 'Mosaic', type=APPL and Creator=????. When launched, it immediately destroys the directories of all available physically unlocked hard and floppy disks, including the one it resides on. The attacked disks are renamed 'Gotcha!'. Unmounted but available SCSI hard disks are mounted and destroyed by the trojan. The files of hard disks are usually recoverable with one of the available commercial file utility programs, but often the data file names are lost. Files on floppy diskettes usually lose their Type and Creator codes as well, making recovery a non-trivial procedure.

The second strain was detected in a Public Domain program called 'FontFinder', Type=APPL and Creator=BNBW. It has a trigger date of 10 Feb 90. Before that date, the application simply displays a list of the fonts and point sizes in the System file. On or after the trigger date, the trojan is invoked and disks are attacked as for the first strain. The trojan can be triggered by setting forward the Mac system clock. Because the second strain has a latency period during which it is non-destructive, it is much more likely to be widespread.

Both trojans were originally downloaded from a local Macintosh BBS here in Edmonton. The second version was part of a StuffIt! archive named 'FontFinder.sit' that also contained documentation and the source code for the FontFinder application. This source code does NOT contain the source code for the trojan.

A quick-and-dirty search string for VirusDetective (v/3.0.1 or later) has been developed that appears to detect the trojan engine in both strains. It is:

    Resource CODE & ID = 1 & Data 44656174685472616B

Note that this will detect the currently known versions, but may or may not detect mutated versions of this trojan.

There is some evidence that these trojans are related based on preliminary investigation of the code. It has been speculated that the second is an 'improved' version of the first (more sophisticated), or that the two versions were developed by two individual perpetrators working with the same trojan engine. There easily could be more versions either circulating or being developed.

This appears to be the first deliberately destructive malicious code that targets the Macintosh. There is some suspicion that one or both have been developed locally. There is also the possibility that one or both were uploaded from a BBS in the Seattle, Washington area. Our investigation is far from complete, but is continuing.

Please warn your Mac users to make proper back-ups on a regular basis, be suspicious of all software not received from a trusted source until tested, and generally, to practice 'safe computing'.

Any additional information on these two trojans or similar malicious code would be appreciated. As and when our investigation turns up more details, they will be posted...

Peter Johnston, P. Eng.
Senior Analyst, University Computing Systems,
352 - GenSvcBldg, The University of Alberta
Edmonton, Alberta CANADA T6G 2H1
Phone: 403/492-2462  FAX: 403/492-7219
EMAIL: usergold@ualtamts.bitnet

-------------------------------------------------------------------------

Just what we need!!!!

Py

Live long and may all you kernels pop.

- Tomme "Blah, Blah, Blah..."

-- bryan

.....more for you to have nightmares about.......

--
Disclaimer: "I'm the only one foolish enough to claim these opinions as mine."
Reality: crimson@wpi.wpi.edu      Outside: 100 Institute Rd #296
         crimson@wpi.bitnet                Worcester MA 01609
"New Oldsmobiles are in early this year."
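The VirusDetective search string quoted in the Alberta message (Resource CODE & ID = 1 & Data 44656174685472616B) is a plain signature rule: look in the CODE resource with ID 1 for a fixed byte string. The following is an added example, written for this page and not code from the original post or from VirusDetective, that applies the same rule in Python so the logic is concrete. The `Resource` class and the sample "applications" are constructed stand-ins; it is not a parser for a real Macintosh resource fork, only the matching rule run over resources that have already been split out.

```python
"""Applying the VirusDetective search string from the forwarded message:

    Resource CODE & ID = 1 & Data 44656174685472616B

Added example; not code from the post or from VirusDetective.  The Resource
class and the sample inputs are constructed stand-ins, not real binaries, and
no real resource-fork parsing is done here.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# The data bytes exactly as given in the post, as hex.  They decode to the
# ASCII string "DeathTrak", which is why a substring search is sufficient.
TROJAN_SIGNATURE_HEX = "44656174685472616B"
TROJAN_SIGNATURE = bytes.fromhex(TROJAN_SIGNATURE_HEX)


@dataclass(frozen=True)
class Resource:
    """One resource from a simplified, constructed resource map."""
    rtype: bytes  # four-character resource type, e.g. b"CODE"
    rid: int      # resource ID
    data: bytes   # resource body


def match_search_string(resources: Iterable[Resource],
                        rtype: bytes = b"CODE",
                        rid: int = 1,
                        data: bytes = TROJAN_SIGNATURE) -> Optional[int]:
    """VirusDetective-style rule: a resource of type `rtype` with ID `rid`
    whose body contains `data`.  Returns the byte offset of the first hit
    inside that resource, or None when the rule does not fire."""
    for res in resources:
        if res.rtype == rtype and res.rid == rid:
            offset = res.data.find(data)
            if offset != -1:
                return offset
    return None


def scan_catalog(catalog: dict) -> dict:
    """Run the rule over a name -> resources mapping.  Each value is the hit
    offset or None, so the caller can list what needs a closer look."""
    return {name: match_search_string(res) for name, res in catalog.items()}


# --- constructed sample inputs (not real binaries) ------------------------

# A benign application: CODE 1 holds filler bytes with no signature.
CLEAN_APP = [
    Resource(b"CODE", 0, b"\x00\x00\x00\x00"),
    Resource(b"CODE", 1, b"\x4e\x56\x00\x00" * 8),
]

# Signature present in CODE 1, 16 bytes in: the rule fires at offset 16.
SUSPECT_APP = [
    Resource(b"CODE", 0, b"\x00\x00\x00\x00"),
    Resource(b"CODE", 1, b"\x00" * 16 + TROJAN_SIGNATURE + b"\x4e\x75"),
]

# Same bytes but in CODE 2: the rule as written requires ID = 1, so no hit.
SIGNATURE_IN_OTHER_ID = [
    Resource(b"CODE", 1, b"\x4e\x56\x00\x00" * 8),
    Resource(b"CODE", 2, TROJAN_SIGNATURE),
]

# One byte changed: illustrates the post's caveat that the string detects
# the known versions but "may or may not detect mutated versions".
ONE_BYTE_DIFFERENT = [
    Resource(b"CODE", 1, b"\x00" * 16 + b"DeathTrac" + b"\x4e\x75"),
]


if __name__ == "__main__":
    report = scan_catalog({
        "clean": CLEAN_APP,
        "suspect": SUSPECT_APP,
        "other-id": SIGNATURE_IN_OTHER_ID,
        "one-byte-off": ONE_BYTE_DIFFERENT,
    })
    for name, hit in report.items():
        status = f"HIT at offset {hit}" if hit is not None else "no match"
        print(f"{name:14s} {status}")
```

The three non-matching samples show the limits the message itself points out: the rule is scoped to one resource type and ID, and any change to the nine signature bytes defeats it, which is why the author says it covers the currently known versions only.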