The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 25

Thursday, 11 February 1988

Contents

o Something fishy is going on with credit cards
William Daul
o "Colloidal goo" considered harmful to ATM's
Jon Jacky
o Lottery Random Numbers Too Random...
Henry (H.W.) Troup
o New Scientist article on viruses
Bernie Cosell
o Virus code and Infected Definitions
Vin McLellan
o Yet Another Virus - The "Brain" Virus
Bruce N. Baker
o Two virus messages from Info-IBMPC
Jack Goldberg
o Virus (Trojan) protection program now available from SIMTEL20
Keith Petersen
o Another PC Virus
Y. Radai
o Info on RISKS (comp.risks)

Something fishy is going on with credit cards

William Daul / McAir / McDonnell-Douglas Corp <WBD.MDC@OFFICE-8.ARPA>
11 Feb 88 00:27 PST
From: PENINSULA TIMES TRIBUNE (Palo Alto, Feb. 10, 1988)

SAN FRANCISCO (AP) -- The same eelskin used to make popular handbags may be
erasing credit cards and confounding bankers by scrambling magnetic codes on
automatic teller cards, experts said Tuesday.  "We've had dozens of calls
from banks and individuals complaining that (automated teller machine) cards
and credit cards are sick," said John McCosker, director of San Francisco's
Steinhart Aquarium and a leading fish scientist.  McCosker believes the
metallic residue left over from the tanning process performed in Korea,
where most of the wallets and purses are made, may be causing the problem.


"Colloidal goo" considered harmful to ATM's

Jon Jacky <jon@june.cs.washington.edu>
Thu, 11 Feb 88 10:33:35 PST
... Or, [ichthyologist John McCosker] said, the problem might be from the
"colloidal goo that comes out of the slime glands of these awful things."
The "eelskin" wallet problem has become so serious that (several banks) are
warning card holders.
                               ['COLLOIDAL GOO' SPELLS HEADACHE FOR BANKERS,
                               Seattle Post-Intelligencer, Feb 11, 1988, p. C1]

[Another theory, from an article by Kevin Leary in the SF Chron, 10 Feb 88:

   Katie Jarman, Bank of America's senior project analyst for the bank's ATM
   system, is not so sure.  "We have found that when we demagnetized
   Versatel cards, the wallets or purses have large magnetic clasps that
   could do the damage."   ]

       [Perhaps someone has a magnetic personeelity in the Korean tanning 
       salons that process the slime-eel skin.  Check with Colloids of London.
       {OK, what does Sylvester Stallone eat for breakfast?  Sly-meal.}  PGN]


Lottery Random Numbers Too Random...

Henry (H.W.) Troup <HWT%BNR.BITNET@CUNYVM.CUNY.EDU>
11 Feb 88 08:10:00 EST
Tuesday, February 9th's Ottawa Citizen ran a story, with a photo of the ticket,
of a lottery ticket with an impossible number.  The lottery is called 6/49.
The player chooses six numbers between 1 and 49.  A recent function added is
the "QuickPick", where the lottery terminal generates a set of numbers for you.

The photo clearly showed the number 67 in one generated line! Fortunately
for players, the final prize numbers are generated with a mechanical "bingo"
machine (the one with numbered ping-pong balls).  But one wonders what else
might be lurking in that software...

Has this been reported in other jurisdictions using point-of-sale lottery
terminals?  Anyone out there know anything about them?

          [If you see any suspicious types hanging around a lottery site,
          be sure to do some strong type checking -- wOTTAWAy to go!  PGN]


New Scientist article on viruses

Bernie Cosell <cosell@WILMA.BBN.COM>
Thu, 11 Feb 88 8:45:34 EST
The 28 Jan issue of _New_Scientist_ has a short article on viruses:
"Phantoms of the operating system, Andrew Emmerson with news of an
insidious threat to personal computers".  Nothing particularly new
or interesting here for RISKS readers, but it is a pretty accessible
article for the otherwise-uninformed.

Bernie Cosell, BBN Labs, Cambridge, MA 02238

                                           [At least the title is catchy!  PGN]


Virus code and Infected Definitions

"Vin McLellan" <SIDNEY.G.VIN%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU>
Thu 11 Feb 88 01:46:15-EST
    Discussions about viruses might benefit from some rigorous definitions.
The copy protection devices allegedly used in Softguard 3.0, and earlier
installed in Microsoft's master disk of ACCESS, apparently without the
company's knowledge or permission, and even earlier (back in '84), announced
as a forthcoming product by Vault Corp., have all at various times been
described as viruses, even by officials at the companies involved.  Yet all
seem to actually be fairly classic Trojan horse code, set to execute and
damage either the program being illicitly copied, or that program and other
available disk files, when and if the program is "pirated."

    A virus, according to Fred Cohen, a widely acknowledged expert on the
threat, is "a program that can 'infect' other programs by modifying them to
include a possibly evolved copy of itself.  With the infection property, every
virus can spread throughout a computer system or network using the
authorizations of every user using it to infect their programs. Every program
that gets infected may also act as a virus and thus the infection spreads."

    Even in a PC environment, a virus is defined by contagion, by its ability
to bury copies of itself in other programs and thus spread to multiple disks,
multiple users. We may have many occasions to discuss the virus threat in the
future, and no one will be served if we allow the term to become as vague as
the word "worm" is today.  Those who make a living discussing security issues
will be haunted for years by the erroneous labelling of that automated Trojan
chain letter in Bitnet and IBM's Vnet as the "Christmas virus." (Some IBM
engineers ended up labelling that a "bacteria," just to help worried customers
get their terms straight.)

   The Germans -- who seem to have gotten into the development of viruses
earlier and with even greater enthusiasm than we see today in amateur America
-- seem to think that writing viruses that evade CRC or checksum alarms is
child's play, literally.  If the virus can't forge a checksum, they fiddle
with the program's name or set the virus to displace the protected program, so the
virus code gets executed first and separately, then the protected program is
either renamed or run consecutively. Folks there and elsewhere who have been
exploring the potential of a constantly evolving virus also seem a little
awestruck at what they've been coming up with.

Vin McLellan, The Privacy Guild, Boston, Ma.               (617) 426-2487

   [Thanks.  I have on various occasions referred to Trojan viruses,
   but clearly the attacks are Trojan horses at the outset.  What is
   put inside the Trojan horse varies from attack to attack.  PGN]


Yet Another Virus - The "Brain" Virus

Bruce N. Baker <BNBaker@KL.SRI.COM>
Thu 11 Feb 88 16:50:47-PST
I expect some RISKS readers have heard of this one but I have not seen
anything yet in RISKS about it.  This is taken from the February 3, 1988
edition of The Chronicle of Higher Education and is quoted here in part
without permission.

George Washington University, the University of Delaware, and the University
of Pittsburgh all have taken steps to eradicate a virus - known as the "brain"
virus because it can be identified by "(c) BRAIN" on the directory screen.
The virus was created by Basit Farooq Alvi, 19, who claims to be a college 
student in Lahore, Pakistan.  In 1986 Mr. Alvi and his brother Amjad, 23,
wrote the computer code for the virus and placed it on a disk that they gave 
to another student.  He did it "for fun," he said and has no idea how it might 
have reached the United States.  A message with Mr. Alvi's name, address, and
telephone number appears in the computer code that carries the virus.

The antidote is to substitute a clean operating system for the one that was 
contaminated with the virus.

End of excerpts from the article.

Many RISKS readers and others are extremely concerned about the proliferation
of viruses.  To summarize some of the virus detection and eradication programs
that have appeared in RISKS to date, public domain programs include:
     CHK4BOMB - see RISKS 5.79
     BOMBSQAD - see RISKS 5.79
     FLU_SHOT - [See THIS ISSUE OF RISKS]
Programs to buy:
     DATA PHYSICIAN - references to it in several RISKS issues but nowhere  
       does this information about the vendor appear:
          Digital Dispatch Inc.         Attention:  Mr. Eric Hansen
          1580 Rice Creek Rd.   
          Minneapolis, Minnesota 55432  Telephone (617) 571-7400        
          U.S.A.                        For MS/DOS systems, sells for $199
     TRUSS was mentioned in RISKS 6.12 for UNIX version 8 but no indication was
       given about its availability to the public - free or for a cost.  I have
       asked Dennis L. Mumaugh, "moss!cuuxb!dlm"@RUTGERS.EDU to let us know.

Bruce N. Baker, SRI International


Two virus messages from Info-IBMPC

Jack Goldberg <goldberg@csl.sri.com>
Thu, 11 Feb 88 09:19:04 -0800
EXCERPTS FROM 
Info-IBMPC Digest           Mon, 8 Feb 88       Volume 7 : Issue   8
This Week's Editor: Gregory Hicks -- Chinhae Korea <hicks@walker-emh.arpa>
Today's Topics:
       Another PC Virus (Y. Radai)
       Virus (Trojan) protection program now available (Keith Peterson)   
       ...

    SIMTEL20.ARPA can now be accessed from BITNET via
       LISTSERV@RPICICGE.BITNET using LISTSERV commands
      INFO-IBMPC BBS Phone Numbers: (213) 827-2635 and (213) 827-2515

   [We include the article by Keith Peterson first, and then another
   (longer) article on the Israeli virus by Y. Radai -- although we 
   have had earlier articles on it in RISKS-6.6 and 6.12.  PGN]


Virus (Trojan) protection program now available from SIMTEL20

Keith Petersen <W8SDZ@SIMTEL20.ARPA>
Wed, 27 Jan 1988 00:56 MST
FROM Info-IBMPC Digest           Mon, 8 Feb 88       Volume 7 : Issue   8

Filename            Type  Bytes     CRC

Directory PD1:<MSDOS.DSKUTL>
FLUSHOT2.ARC.1           BINARY      5539  AFA8H

Here are some comments from the author, Ross Greenberg:

There exists a low-level form of dirt who gets joy out of destroying
your work.  They release a program, typically called a 'Trojan Horse',
which is designed to erase or otherwise damage your disks.

The programs are released into the public domain and typically are
downloaded or distributed exactly as you may have received this file.
Once run, they would print some sort of self-congratulatory message
and proceed to erase your data.  Obviously, these types of programs are
Not A Good Thing, and should be avoided.  However, usually you'll only
know you've been bit by a trojan after the fact.

Recently, a new breed has been developed.  Called a 'virus', it
infects all disks that it sees with a copy of itself, and then each of
these copies is capable of infecting all disks that *they* see.

Eventually, at some predetermined instance (a date, a time, a certain
number of copy operations), the virus attacks and destroys whatever
disks it can.  By this time, though, the virus has spread, and a
friend's machine may also be infected, infecting the disks of their
friends and so forth.

It was to counter just such a program that the enclosed program,
called FLU_SHOT, was developed.  The current virus making the rounds
infects the command processing program called "COMMAND.COM".  Every
bootable DOS disk must have a copy of this file.  FLU_SHOT examines
each write and will not allow a write operation to the COMMAND.COM
file to take place without your permission.  Normally, there should
never be a write operation to this file, so it should be effective in
that regard.

To run FLU_SHOT, place a copy of it in your root directory on the disk
you boot your system from.  Additionally, a line to invoke FLU_SHOT
should be placed in your AUTOEXEC.BAT file.

If you find the virus attacking your disk, please try to preserve a
copy of it and to forward it to me at my BBS at (212)-889-6438.  Once
I have a copy of the virus, I should be able to develop another
program which would serve as a vaccine.

Please be aware that there is a possibility that, if FLU_SHOT
determines a write operation taking place to your COMMAND.COM, it
*may* be a legitimate one ---- check the currently running program.
FLU_SHOT may indicate that a TSR program you're running seems to be
causing a problem.  If this happens to you, and you're sure the TSR
you're running is a valid one, then merely place the FLU_SHOT
invocation line in your AUTOEXEC *after* the TSR invocation line.

Additionally, FLU_SHOT cannot determine whether your current
COMMAND.COM is infected, only if a COMMAND.COM is about to be
infected.

The odds of you being hit with this virus are slim, but running
FLU_SHOT should keep this particular incarnation of the virus from
infecting your disks.

Ross M. Greenberg
(212)-889-6438 24hr BBS, 2400/1200,N,8,1

Note from Keith:  This program is legitimate.  Ross is a personal
friend whose programming skills I highly respect.

--Keith Petersen
Arpa: W8SDZ@SIMTEL20.ARPA
Uucp: {decwrl,harvard,lll-crg,ucbvax,uunet,uw-beaver}!simtel20.arpa!w8sdz
GEnie: W8SDZ
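Greenberg's note above points out that FLU_SHOT guards against a *future* write to COMMAND.COM but cannot tell whether the copy already on the disk is clean. The complementary check a defender would want is a stored fingerprint of COMMAND.COM taken from a known-good boot disk and compared on each boot. The Python below is an added illustration of that idea, not FLU_SHOT or any code from Ross Greenberg or Keith Petersen; the JSON baseline format, the file names and the 104-byte stand-in for COMMAND.COM are constructed for the example, and the 1808-byte growth it simulates is the figure Y. Radai reports later in this issue for his strain.

```python
import hashlib
import json
import os
import tempfile


def fingerprint(data: bytes) -> dict:
    # Size plus SHA-256.  A CRC (as Vin McLellan notes elsewhere in this issue)
    # is easy for a virus to forge; a cryptographic hash is not.
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def fingerprint_file(path: str) -> dict:
    with open(path, "rb") as f:
        return fingerprint(f.read())


def verdict(baseline: dict, data: bytes) -> str:
    """Compare a stored fingerprint with a file's current contents."""
    now = fingerprint(data)
    if now == baseline:
        return "unchanged"
    if now["size"] != baseline["size"]:
        return "modified (size %d -> %d)" % (baseline["size"], now["size"])
    return "modified (same size, hash differs)"


def record_baseline(path: str, baseline_path: str) -> None:
    """Write the fingerprint of one file into a JSON baseline (constructed format)."""
    with open(baseline_path, "w") as f:
        json.dump({os.path.basename(path).upper(): fingerprint_file(path)}, f)


def check_file(path: str, baseline_path: str) -> str:
    """Re-read the file and compare it with the fingerprint recorded earlier."""
    with open(baseline_path) as f:
        baseline = json.load(f)[os.path.basename(path).upper()]
    with open(path, "rb") as f:
        return verdict(baseline, f.read())


def demo() -> tuple:
    """Constructed scenario: baseline a fake COMMAND.COM, then simulate an
    infection by appending 1808 bytes and check again."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "COMMAND.COM")
        baseline = os.path.join(d, "baseline.json")
        with open(target, "wb") as f:
            # 104-byte stand-in for COMMAND.COM; not real DOS code
            f.write(b"\xb4\x4c\xcd\x21" + b"\x90" * 100)
        record_baseline(target, baseline)
        before = check_file(target, baseline)
        with open(target, "ab") as f:
            f.write(b"\x90" * 1808)          # the growth Radai describes
        after = check_file(target, baseline)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The baseline file must live somewhere the virus cannot reach (a write-protected diskette, in 1988 terms), otherwise an attacker who can rewrite COMMAND.COM can rewrite the fingerprint too; the check only answers "has this file changed since I last trusted it", which is exactly the question FLU_SHOT leaves open.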


Another PC Virus

Y. Radai <RADAI1%HBUNOS.BITNET@CNUCE-VM.ARPA>
Wed, 27 Jan 88 13:22:27 +0200
FROM Info-IBMPC Digest           Mon, 8 Feb 88       Volume 7 : Issue   8

   Issue 74 of the Info-IBMPC digest contained a description of a "virus"
discovered at Lehigh University which destroys the contents of disks after
propagating itself to other disks four times.  Some of us here in Israel,
never far behind other countries in new achievements (good or bad), are
suffering from what appears to be a local strain of the virus.  Since it
may have spread to other countries (or, for all we know, may have been
imported from abroad), I thought it would be a good idea to spread the word
around.

   Our version, instead of inhabiting only COMMAND.COM, can infect any
executable file.  It works in two stages:  When you execute an infected EXE
or COM file the first time after booting, the virus captures interrupt 21h
and inserts its own code.  After this has been done, whenever any EXE file
is executed, the virus code is written to the end of that file, increasing
its size by 1808 bytes.  COM files are also affected, but the 1808 bytes
are written to the beginning of the file, another 5 bytes (the string
"MsDos") are written to the end, and this extension occurs only once.

   The disease manifests itself in at least three ways: (1) Because of this
continual increase in the size of EXE files, such programs eventually
become too large to be loaded into memory or there is insufficient room on
the disk for further extension.  (2) After a certain interval of time
(apparently 30 minutes after infection of memory), delays are inserted so
that execution of programs slows down considerably.  (The speed seems to be
reduced by a factor of 5 on ordinary PCs, but by a smaller factor on faster
models.)  (3) After memory has been infected on a Friday the 13th (the next
such date being May 13, 1988), any COM or EXE file which is executed on
that date gets deleted.  Moreover, it may be that other files are also
affected on that date; I'm still checking this out.

(If this is correct, then use of Norton's UnErase or some similar utility
to restore files which are erased on that date will not be sufficient.)

   Note that this virus infects even read-only files, that it does not
change the date and time of the files which it infects, and that while the
virus cannot infect a write-protected diskette, you get no clue that an
attempt has been made by a "Write protect error" message since the
possibility of writing is checked before an actual attempt to write is made.

   It is possible that the whole thing might not have been discovered in
time were it not for the fact that when the virus code is present, an EXE
file is increased in size *every* time it is executed.  This enlargement of
EXE files on each execution is apparently a bug; probably the intention was
that it should grow only once, as with COM files, and it is fortunate that
the continual growth of the EXE files enabled us to discover the virus much
sooner than otherwise.

   From the above it follows that you can fairly easily detect whether your
files have become infected.  Simply choose one of your EXE files
(preferably your most frequently executed one), note its length, and
execute it twice.  If it does not grow, it is not infected by this virus.
If it does, the present file is infected, and so, probably, are some of
your other files.  (Another way of detecting this virus is to look for the
string "sUMsDos" in bytes 4-10 of COM files or about 1800 bytes before the
end of EXE files; however, this method is less reliable since the string
can be altered without attenuating the virus.)

   If any of you have heard of this virus in your area, please let me know;
perhaps it is an import after all.  (Please specify dates; ours was noticed
on Dec. 24 but presumably first infected our disks much earlier.)

   Fortunately, both an "antidote" and a "vaccine" have been developed for
this virus.  The first program cures already infected files by removing the
virus code, while the second (a RAM-resident program) prevents future
infection of memory and displays a message when there is any attempt to
infect it.  One such pair of programs was written primarily by Yuval Rakavy,
a student in our Computer Science Dept.

   In their present form these two programs are specific to this particular
virus; they will not help with any other, and of course, the author of the
present virus may develop a mutant against which these two programs will be
ineffective.  On the other hand, it is to the credit of our people that
they were able to come up with the above two programs within a relatively
short time.

   My original intention was to put this software on some server so that it
could be available to all free of charge.  However, the powers that be have
decreed that it may not be distributed outside our university except under
special circumstances, for example that an epidemic of this virus actually
exists at the requesting site and that a formal request is sent to our head
of computer security by the management of the institution.

   Incidentally, long before the appearance of this virus, I had been using
a software equivalent of a write-protect tab, i.e. a program to prevent
writing onto a hard disk, especially when testing new software.  It is
called PROTECT, was written by Tom Kihlken, and appeared in the Jan. 13,
1987 issue of PC Magazine; a slightly amended version was submitted to the
Info-IBMPC library.  Though I originally had my doubts, it turned out that
it is effective against this virus, although it wouldn't be too hard to
develop a virus or Trojan horse for which this would not be true.  (By the
way, I notice in Issue 3 of the digest, which I received only this morning,
that the version of PROTECT.ASM in the Info-IBMPC library has been replaced
by another version submitted by R. Kleinrensing.  However, in one respect
the new version seems to be inferior: one should *not* write-protect all
drives above C: because that might prevent you from writing to a RAMdisk or
an auxiliary diskette drive.)

   Of course, this is only the beginning.  We can expect to see many new
viruses both here and abroad.  In fact, two others have already been
discovered here.  In both cases the target date is April 1.  One affects only
COM files, while the other affects only EXE files.  What they do on that
date is to display a "Ha ha" message and lock up, forcing you to cold boot.
Moreover (at least in the EXE version), there is also a lockup one hour
after infection of memory on any day on which you use the default date of
1-1-80.  (These viruses may actually be older than the above-described
virus, but simply weren't noticed earlier since they extend files only
once.)

   The author of the above-mentioned anti-viral software has now extended
his programs to combat these two viruses as well.  At present, he is
concentrating his efforts on developing broad-spectrum programs, i.e. programs
capable of detecting a wide variety of viruses.

   Just now (this will give you an idea of the speed at which developments
are proceeding here) I received notice of the existence of an anti-viral
program written by someone else, which "checks executable files and reports
whether they include code which performs absolute writes to disk, disk
formatting, writes to disk without updating the FAT, etc."  (I haven't yet
received the program itself.)

Y. Radai, Computation Center, Hebrew University of Jerusalem 
RADAI1@HBUNOS.BITNET
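Radai gives two detection methods for his strain: the behavioural one (an EXE grows by 1808 bytes every time it runs) and the static one (the string "sUMsDos" at bytes 4-10 of a COM file or about 1800 bytes before the end of an EXE). The Python below is an added example that implements both as a defender's scanner; it is not Rakavy's antidote or vaccine, nor any code from Radai or the Hebrew University. It assumes "bytes 4-10" may be counted from 0 or from 1 and so searches a window covering both readings, takes "about 1800 bytes before the end" as the last 1808 + 256 bytes of an EXE, and uses the file extension to decide which rule applies; the COM and EXE images it scans are constructed byte strings, not real programs.

```python
import os

SIGNATURE = b"sUMsDos"                 # string Radai reports inside the virus body
INFECTION_SIZE = 1808                  # bytes the virus adds per infection
COM_TAIL = b"MsDos"                    # 5 bytes appended to an infected COM file
EXE_TAIL_WINDOW = INFECTION_SIZE + 256 # "about 1800 bytes before the end", with slack


def com_has_signature(data: bytes) -> bool:
    # "bytes 4-10" could be 0- or 1-based; offsets 3..11 cover both readings (assumption).
    return SIGNATURE in data[3:12]


def com_has_tail(data: bytes) -> bool:
    return data.endswith(COM_TAIL)


def exe_has_signature(data: bytes) -> bool:
    return SIGNATURE in data[-EXE_TAIL_WINDOW:]


def scan_bytes(name: str, data: bytes) -> list:
    """Static check. Returns a list of findings (empty means nothing matched).
    Weaker than the size test below, since the string can be altered."""
    findings = []
    ext = os.path.splitext(name)[1].upper()
    if ext == ".COM":
        if com_has_signature(data):
            findings.append("virus signature at COM start")
        if com_has_tail(data):
            findings.append('"MsDos" trailer on COM file')
    elif ext == ".EXE" and exe_has_signature(data):
        findings.append("virus signature near EXE end")
    return findings


def scan_directory(root: str) -> dict:
    """Run the static check over every file under root; returns {path: findings}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                hits = scan_bytes(fn, f.read())
            if hits:
                report[path] = hits
    return report


def inferred_infections(sizes: list) -> "int | None":
    """Radai's behavioural test: note an EXE's length, run it, re-measure.
    Returns how many 1808-byte increments separate the first and last
    observation, or None if the length changed by some other amount
    (any growth on execution is abnormal, but then it is not this strain)."""
    growth = sizes[-1] - sizes[0]
    if growth < 0 or growth % INFECTION_SIZE:
        return None
    return growth // INFECTION_SIZE


# Constructed sample images (not real programs).
CLEAN_COM = b"\xb4\x09\xba\x10\x01\xcd\x21\xc3" + b"Hello$"
INFECTED_COM = (b"\xe9\x00\x07\x00" + SIGNATURE
                + b"\x90" * (INFECTION_SIZE - 4 - len(SIGNATURE))  # 1808-byte prefix
                + CLEAN_COM + COM_TAIL)
CLEAN_EXE = b"MZ" + b"\x00" * 500
INFECTED_EXE = (CLEAN_EXE + b"\x90" * 100 + SIGNATURE
                + b"\x90" * (INFECTION_SIZE - 100 - len(SIGNATURE)))  # 1808 bytes appended

if __name__ == "__main__":
    for name, data in [("GAME.COM", CLEAN_COM), ("GAME.COM", INFECTED_COM),
                       ("EDIT.EXE", CLEAN_EXE), ("EDIT.EXE", INFECTED_EXE)]:
        print(name, len(data), scan_bytes(name, data) or "clean")
    # sizes of one EXE measured before and after two executions
    print("infections inferred:", inferred_infections([40960, 42768, 44576]))
```

The size test is the one to trust: a variant that changes the string slips past `scan_bytes`, but one that still appends its body cannot hide the growth, which is exactly why the EXE bug Radai describes gave the virus away.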
