-----BEGIN PGP SIGNED MESSAGE-----

                          C I A C   N O T E S

Number 95-11                                             August 10, 1995

This edition of CIAC NOTES includes:

  1) FIRST Conference
  2) Virus Update
  3) Hats Off to Administrators
  4) America On-Line Virus Scare
  5) SPI 3.2.2 Released
  6) The Die_Hard Virus

Please send your comments and feedback to ciac@llnl.gov.

$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
$ Reference to any specific commercial product does not necessarily   $
$ constitute or imply its endorsement, recommendation or favoring by  $
$ CIAC, the University of California, or the United States Government.$
$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$

=========================================================================
1) FIRST Conference
=========================================================================

The 7th annual FIRST (Forum of Incident Response and Security Teams)
Conference, scheduled for September 18th through the 22nd, is fast
approaching. This year it is being held in Karlsruhe, Germany. For more
information about the conference, and all that this area has to offer,
see http://ciac.llnl.gov/ciac/FIRST95.html.

Some of the exciting sessions this conference has to offer include:

- - What Every Manager Needs to Know About the Internet, by Sandy Sparks, CIAC
- - Tools for Incident Handling, by Danny Smith, AUCERT
- - Experiences with SATAN, by Wietse Venema, TU Eindhoven
- - And Many, Many More....

=========================================================================
2) Virus Update
=========================================================================

The July 1995 issue of Virus Bulletin contains a listing of the most
commonly reported viruses. According to them, the Form, Parity_Boot, and
AntiCMOS viruses make up 42% of all reported viruses.
Here is a quick description of each, all of which have been seen in the DOE:

Form (18.3%) - A boot sector virus that randomly destroys files.

Parity_Boot (12.0%) - A memory resident boot virus that infects floppy
disk boot records and hard disk partition tables.

AntiCMOS (11.4%) - A primitive floppy disk boot sector and hard disk
partition sector infector. It is buggy and causes unintentional hangs as
well as leaving its intended payload.

AntiEXE.A (8.6%) - This virus hides in the boot sector of a floppy disk.
It is not known to be destructive, but it does have an ominous name. Some
anti-virus programs refer to it as the Generic Boot virus.

=========================================================================
3) Hats Off to Administrators
=========================================================================

Being a system administrator is no easy job. They are constantly faced
with a huge number of complex issues, such as irate users, temperamental
networks, and troublesome hackers. So, in appreciation of these hard
workers, here is a Top Ten List of things users DON'T want administrators
to say:

10) "Why is my rm * .o taking so long??"

 9) We prefer not to change the root password, it's a nice easy one.

 8) YEEEHA!!! What a CRASH!!!

 7) We don't support that. We WON'T support that.

 6) System coming down in 0 min....

 5) It is only a minor upgrade, the system should be back up in a few
    hours. (This is said on a Monday afternoon.)

 4) Nobody was using that file /vmunix, were they?

 3) find /usr2 -name nethack -exec rm -f {} \;

 2) Just add yourself to the password file and make a directory...

And the number one thing you don't want your system administrator to
say is....

 1) Go get your backup tape!
=========================================================================
4) America On-Line Virus Scare
=========================================================================

Because of the high rate of virus rumors on the Internet, CIAC has
avoided making official bulletins on them. But many were concerned about
rumors of a "BUPT" virus on AOL's installation diskettes. Here is the
official response from AOL regarding this rumor:

========================Begin AOL Response======

AOL Statement regarding BUPT virus

Dear Member:

We have received several inquiries over the last couple of days regarding
a rumored "BUPT virus" on new AOL registration diskettes that are being
distributed. We have never had an occurrence of a virus through the
installation of AOL's registration diskettes. AOL uses a very careful and
quality ensured process to duplicate its registration diskettes. While
there has been quite a bit of rumor regarding this "BUPT virus," AOL has
not been able to confirm a single incident of a member getting this virus
when installing AOL software and registering as a member.

We recommend that our members safeguard their computers against any
viruses that could potentially be received from using software
applications. We suggest that you visit the Virus Center on AOL, keyword:
Virus. This area is where you'll find information about the latest virus
or trojan horse, along with updates to all the popular commercial,
shareware, and freeware anti-virus tools.

Warm Regards,
America Online

=======================End AOL Response=====

=========================================================================
5) SPI 3.2.2 Released
=========================================================================

The Computer Security Technology Center at Lawrence Livermore National
Lab announces the SPI 3.2.2 Maintenance Release. The Security Profile
Inspector (SPI) is designed to assess the security of varied UNIX
computer systems.
This SPI release highlights stronger default password testing, and
improved installation allowing NFS-sharing of SPI executables.

Free SPI distribution is restricted to DOE, DOD, and to other sponsoring
agencies and their integrated contractors. Others must obtain SPI via the
Energy Science & Technology Software Center (ESTSC). Distribution details
may be obtained by anonymous FTP to ciac.llnl.gov in the pub/spi
directory, or by email to spi@ciac.llnl.gov. (Refer to the document
"ACCESS" for details.)

This work is performed under the auspices of the U.S. Department of
Energy by Lawrence Livermore National Laboratory under Contract
W-7405-Eng-48.

*** Visit SPI WWW at http://ciac.llnl.gov/cstc/CSTCProducts.html#spi ***
*** Send mail to ciac-listproc@llnl.gov and subscribe to spi-announce ***

=========================================================================
6) The Die_Hard Virus
=========================================================================

The Die_Hard or DH2 virus has been seen at a DOE site, so users sharing
PC software with other DOE sites should watch for it. The virus only
infects executable files (.COM and .EXE), so data disks that contain no
executables will not carry the infection.

*** Note that VirHunt 4.0E does not detect it! ***

As far as we know, the virus does not intentionally damage a machine; it
only replicates itself by infecting other executable files. We have seen
it lock up a machine while infecting COMMAND.COM. It is a memory resident
virus that reduces the memory available by 9232 bytes. Die Hard infects
all executed or opened .COM and .EXE files. Infected files grow by
exactly 4000 bytes.

Because the DOE site licensed scanner (VirHunt) does not detect this
virus and a new site license for a PC virus scanner is currently being
negotiated, users will have to use other products to scan and remove
this virus. The shareware programs F-PROT v. 2.18e, ThunderByte
Antivirus v. 635, and SCAN v.
224e detect and remove it, as should most other up-to-date commercial
and shareware products. These three scanners are available at most
shareware sites and on the CIAC Archive. The virus was discovered in
1994, so scanners older than a year will not detect it.

Another way to remove the virus is to use its own stealth capabilities
against it. When an infected file is opened by another program, the
memory resident virus removes the virus from the file as it is being
read, to make it appear uninfected even though the file on disk is
infected. To remove the virus, boot with a clean, locked (write-protected)
floppy, then run and quit an infected program to put the virus in memory.
The virus is in memory, but cannot infect any files on the locked boot
floppy. The virus will infect any executable file on the hard drive if
you try to run the file. Copy any infected .COM or .EXE files, changing
the file name extensions to something non-executable, such as .COV or
.EXV. The memory resident virus will remove the infection from the
infected files as they are being copied, but will not infect the copies
because they are not executable files. Reboot the computer with the
clean, locked floppy to remove the virus from memory, delete the infected
files, and then change the extensions on the copies back to their
original names.

============================================================================

- -----------------------------------
Who is CIAC?

CIAC is the U.S. Department of Energy's Computer Incident Advisory
Capability. Established in 1989, shortly after the Internet Worm, CIAC
provides various computer security services free of charge to employees
and contractors of the DOE, such as:

  . Incident Handling Consulting
  . Computer Security Information
  . On-site Workshops
  . White-hat Audits

CIAC is located at Lawrence Livermore National Laboratory in Livermore,
California, and is a part of its Computer Security Technology Center.
Further information can be found at CIAC.
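Returning to item 6 (the Die_Hard virus): the two facts the note gives a
defender, that infected .COM and .EXE files grow by exactly 4000 bytes and
that the resident virus hides the infection from anything that reads the
file while it is in memory, are exactly what a file-integrity baseline is
for. The script below is an added example, not CIAC's code and not any of
the scanners named above. It records size and hash for every executable,
then compares a later snapshot and flags changes whose size delta matches
the 4000-byte signature from the note. The files, the "infection" and the
"legitimate upgrade" in demo() are constructed inline; on a real machine
both snapshots would be taken after booting from a clean, locked floppy,
since a comparison run with the virus resident sees the disinfected
contents and learns nothing.

```python
"""Integrity baseline for DOS executables, modelled on the Die_Hard note.

Constructed example (not CIAC's code, not a real scanner). Assumptions:
infected files grow by exactly DIE_HARD_GROWTH bytes, and both snapshots
are taken with no resident virus in memory.
"""
import hashlib
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".COM", ".EXE"}
DIE_HARD_GROWTH = 4000  # bytes added to each infected file, per the note


def build_baseline(root):
    """Map relative path -> (size, sha256) for every .COM/.EXE under root."""
    baseline = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.upper() in EXEC_SUFFIXES:
            data = path.read_bytes()
            key = str(path.relative_to(root))
            baseline[key] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def compare(baseline, root):
    """Return (name, verdict, size_delta) for every executable that changed.

    A changed hash with a size delta of exactly DIE_HARD_GROWTH is reported
    as consistent with Die_Hard; any other change is reported as modified,
    since a legitimate upgrade also changes size and hash.
    """
    current = build_baseline(root)
    findings = []
    for name, (size, digest) in baseline.items():
        if name not in current:
            findings.append((name, "missing", None))
            continue
        new_size, new_digest = current[name]
        if new_digest == digest:
            continue  # unchanged: same hash implies same size
        delta = new_size - size
        if delta == DIE_HARD_GROWTH:
            verdict = "size delta matches Die_Hard (+4000)"
        else:
            verdict = "modified"
        findings.append((name, verdict, delta))
    for name in current.keys() - baseline.keys():
        findings.append((name, "new executable", None))
    return findings


def demo():
    """Constructed scenario: baseline three files, simulate one infection
    and one legitimate update, and return the sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "COMMAND.COM").write_bytes(b"\x90" * 1000)        # 1000 bytes
        (r / "EDIT.EXE").write_bytes(b"MZ" + b"\x00" * 2000)    # 2002 bytes
        (r / "README.TXT").write_bytes(b"data files are not infected\n")
        baseline = build_baseline(root)

        # Simulated infection: exactly 4000 bytes appended, as the note says.
        with open(r / "COMMAND.COM", "ab") as f:
            f.write(b"\xcc" * DIE_HARD_GROWTH)
        # Simulated legitimate update: new content, 500 bytes larger.
        (r / "EDIT.EXE").write_bytes(b"MZ" + b"\x01" * 2500)    # 2502 bytes

        return sorted(compare(baseline, root))


if __name__ == "__main__":
    for name, verdict, delta in demo():
        print(f"{name:12s} {verdict} (delta={delta})")
```

The verdict is deliberately "consistent with", not "infected": a 4000-byte
delta is a cheap triage signal, and the note's own advice still applies,
namely confirm and clean with one of the up-to-date scanners it lists.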
CIAC is also a founding member of FIRST, the Forum of Incident Response
and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.
See FIRST for more details (http://www.first.org/first/).

CIAC services are available for fee to other Federal civilian agencies.
Contact Nancy Adair in the DOE Oakland Operation Office, 510-637-1741.

- -----------------------------------

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy. CIAC is located
at the Lawrence Livermore National Laboratory in Livermore, California.
CIAC is also a founding member of FIRST, the Forum of Incident Response
and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE and DOE contractors, and can be
contacted at:

    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE and DOE contractor sites may
contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the
CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers: the
primary PIN number, 8550070, is for the CIAC duty person, and the
secondary PIN number, 8550074, is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, pgp public key, and other
information are available from the CIAC Computer Security Archive.

    World Wide Web:  http://ciac.llnl.gov/
    Anonymous FTP:   ciac.llnl.gov (128.115.19.53)
    Modem access:    (510) 423-4753 (14.4K baud)
                     (510) 423-3331 (9600 baud)

CIAC has several self-subscribing mailing lists for electronic
publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2.
   CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use
   of SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe
(add yourself) to one of our mailing lists, send the following request
as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for list-name and valid information for
LastName FirstName and PhoneNumber when sending E-mail to
ciac-listproc@llnl.gov:

    subscribe list-name LastName, FirstName PhoneNumber

e.g.,

    subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription,
or get help.

- -------------------------------------------------------------------

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein
to any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United
States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily
state or reflect those of the United States Government or the University
of California, and shall not be used for advertising or product
endorsement purposes.

- --------------------------------------------------------------------

End of CIAC Notes Number 95-11                                 95_08_10

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMCozILnzJzdsy3QZAQFsNAQAuT5T16ko1eELAbUn57fz0oEIFP1p/BBZ
Hzumgj44SfGoZcaxnwJi6ack55PQBpt0JmxiaSvnzsgpStyplP1EIcNVmOVkCVpI
GkvtV/1OQlw2V9AFJGqNlaH3u1rCEZq65uF780S4pt+qsPgwcz+bpfSqb7l8Fsfi
GpuqA0gX/w4=
=SJA9
-----END PGP SIGNATURE-----