_____________________________________________________

             The U.S. Department of Energy
        Computer Incident Advisory Capability
_____________________________________________________

                 INFORMATION BULLETIN

                     KAOS4 Virus

August 2, 1994 1600 PST                                      Number E-32a
_____________________________________________________________________________

PROBLEM:        A new computer virus is preventing systems from booting.
PLATFORM:       All MS-DOS, PC-DOS, Windows systems.
DAMAGE:         May damage executable files and make systems unbootable.
SOLUTION:       Update your Anti-Virus program to detect/remove the virus.
_____________________________________________________________________________

VULNERABILITY   The KAOS4 virus is becoming widespread after being posted to
ASSESSMENT:     a USENET newsgroup. The virus has been seen at multiple
                locations within the DOE community. The virus does not
                appear to be intentionally damaging, but does render systems
                unbootable until the system files can be replaced. Most
                current virus scanners must be revised to detect it.
_____________________________________________________________________________

This is a minor revision of E-32; the correction is in the next-to-last
paragraph of the appendix.

Critical Information about the KAOS4 Virus

CIAC has received information that a new computer virus named KAOS4 was
posted to a USENET newsgroup, which resulted in its wide distribution. Our
research indicates the virus is not intentionally damaging, but it does tend
to make systems unbootable until the virus is removed. Most virus scanners
do not detect this virus without being updated; however, most file change
detectors should detect it now.

The most common symptom of an infection from this virus is that infected
machines become unbootable. Unfortunately, that is a common symptom of many
other problems, including hardware problems.
If a machine has become unbootable from its hard disk but can boot from a
floppy, compare the size of COMMAND.COM with the original copy. If it has
changed, suspect a virus. If you examine COMMAND.COM with a disk editor and
find the text KAOS4 in the last sector, you know you have the KAOS4 virus.

The KAOS4 virus is a variant of the Vienna virus that has been extended to
infect .EXE files as well as .COM files. The virus is direct acting (it runs
once whenever an infected program is run) and randomly infects one .COM and
one .EXE file every time it is run. It attacks COMMAND.COM first and then
attacks other files. During our testing, it seemed to prefer the \DOS and
the \NU (Norton Utilities) directories, but that may be coincidental. The
virus adds 697 bytes to the length of both .COM and .EXE files, but the
modification date of the files does not change. The following text is in
the clear in the last sector of an infected program file.

    KAOS4 / Kohntark

It is not detected by DDI's DataPhysician Plus version 4.0D or McAfee's SCAN
version 116. A virus signature file is available from DDI named KAOS4.PRG
that works with version 4.0C of DataPhysician Plus, giving it the capability
to detect this virus.

__________________
NOTE: DO NOT use this file with version 4.0D of DataPhysician Plus; use it
with version 4.0C instead. There is a problem with version 4.0D that prevents
the user-installed virus signature file from working correctly.
__________________

There are two ways to install the KAOS4.PRG file into the VirHUNT program in
DataPhysician Plus: you can load it on the command line or you can install
it with a program menu command. To start VirHUNT and load the signature file
on the command line, type the following at the DOS prompt:

    VIRHUNT USC:\DDI\KAOS4.PRG

This assumes that the KAOS4.PRG file is in the DDI directory on the C drive.
If the file is stored somewhere else, change the path to point to the
appropriate location.
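The two manual checks just described (size growth of 697 bytes against a known-good copy, and the marker text in the last sector of the file) can be automated. The following is an added example, not part of the bulletin or of any vendor's product; the file images it builds are constructed stand-ins that only copy the layout described above:

```python
"""Offline check for the two KAOS4 indicators the bulletin describes:
growth of exactly 697 bytes versus a known-good copy, and the text
'KAOS4 / Kohntark' in the clear in the file's last disk sector."""
from typing import Dict, Optional

SECTOR_SIZE = 512                    # DOS disk sector, as a disk editor shows it
KAOS4_GROWTH = 697                   # bytes KAOS4 adds to a .COM or .EXE file
KAOS4_MARKER = b"KAOS4 / Kohntark"   # text left in the last sector


def last_sector(image: bytes) -> bytes:
    """Return the bytes of the final (possibly partial) sector of a file image."""
    tail = len(image) % SECTOR_SIZE or SECTOR_SIZE
    return image[-tail:]


def inspect_image(image: bytes, known_good_size: Optional[int] = None) -> Dict[str, bool]:
    """Evaluate both indicators. The size test needs a clean reference size
    (e.g. COMMAND.COM from the original DOS disks); without it only the
    marker test runs. A hit on either is enough to suspect the virus."""
    grew = known_good_size is not None and len(image) - known_good_size == KAOS4_GROWTH
    marker = KAOS4_MARKER in last_sector(image)
    return {"grew_by_697": grew, "marker_in_last_sector": marker, "suspect": grew or marker}


def inspect_file(path: str, known_good_size: Optional[int] = None) -> Dict[str, bool]:
    """Same check against a file on disk, read once as bytes."""
    with open(path, "rb") as fh:
        return inspect_image(fh.read(), known_good_size)


def build_samples() -> Dict[str, bytes]:
    """Constructed stand-ins: a 600-byte dummy .COM and a copy with 697
    bytes appended that end in the marker. This mimics only the file
    layout the bulletin describes, not the virus itself."""
    clean = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21]) * 120
    appended = b"\x90" * (KAOS4_GROWTH - len(KAOS4_MARKER)) + KAOS4_MARKER
    return {"clean": clean, "infected": clean + appended}


if __name__ == "__main__":
    samples = build_samples()
    for name, image in samples.items():
        print(name, inspect_image(image, known_good_size=len(samples["clean"])))
```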
The file will be loaded into VirHUNT, and VirHUNT can then be used to scan
any attached disks for the virus.

To load the file in a running version of VirHUNT, select the Options menu
and the E: User specified search/remove command. In the dialog box that is
displayed, type KAOS4.PRG. Include a path with the file name if the file is
not in the default directory. You may now scan files like normal, and if the
KAOS4 virus is detected, it is reported as an "Unknown Virus". The signature
file also contains sufficient information to remove the virus from an
infected program, but programs should be replaced whenever possible.

The file KAOS4.PRG is available on the CIAC file servers. You can use
anonymous FTP to ciac.llnl.gov (128.115.19.53) and find the file in the
/pub/ciac/sectools/pcvirus directory. It can also be obtained from the CIAC
BBS in the File Transfer:Downloads: PC Virus section.

A special version of McAfee's SCAN program named SCN-KAOS.ZIP is available
that only removes the KAOS4 virus. It is available on the McAfee BBS
(408-988-4004), Compuserve, or via anonymous FTP to mcafee.com.

A new version of the Norton Anti-Virus Virus Definitions file is available
to make NAV 3.0 detect and remove KAOS4. The file is 30a09b.zip and is
available on the Symantec BBS (503-484-6669) and Compuserve.
_____________________________________________________________________________

CIAC wishes to thank Bill Kenny of DDI for so quickly getting us a signature
file for this new virus.
_____________________________________________________________________________

APPENDIX: PROTECTING A PC AGAINST NEW VIRUSES
=============================================

Note: The following sections use the DataPhysician Plus package to
illustrate how to apply the virus detection strategies. This package is used
in these examples because the DOE has a site license for it, making it
relevant to the CIAC constituency. There are many other packages available
with similar capabilities.
With new viruses appearing almost weekly, it seems almost impossible to keep
an up-to-date scanner available on every vulnerable machine. In the time it
takes to distribute a new scanner, several new viruses are already in the
wild. So how do you protect a machine against new viruses?

First, not all machines need to be protected. If a machine never shares
floppy disks with anyone and never downloads an executable file (documents
are OK) over a network, that machine is highly unlikely to ever encounter a
new virus. While that machine should be scanned occasionally, the risk of
virus infection does not warrant more extensive checking.

For the rest of us who do exchange files and executables, most current
anti-virus programs have ways to protect against a new virus. Actually, there
are two capabilities in most anti-virus programs to protect against new
viruses: TSR (Terminate and Stay Resident) suspicious activity detectors and
program change detectors.

A. Suspicious Activity Detectors
---------------------------------

A suspicious activity detector is a small TSR program that is loaded into
memory at boot time and then watches over a system for virus-type
activities. Suspicious activities include such things as writing to the boot
blocks of a disk, changing or creating an executable file, or going memory
resident. When such an activity occurs, the suspicious activity detector
pauses the activity and displays a dialog box giving you the option of
continuing the activity or halting it. Since some suspicious activity is
normal, you must decide whether to stop or continue it. For example, copying
an executable file creates a new executable file, which sets off the alarm.
Since this is a normal activity, you would allow it to continue.
If, on the other hand, when you start up your word processor the suspicious
activity detector detects an attempt to change the executable for your
spreadsheet program, you should prevent the activity from occurring, as this
is not a normal activity for a word processor.

In the DataPhysician Plus package, available to all DOE sites, the
suspicious activity detector is the VirALERT program. VirALERT is loaded as
a device driver in your CONFIG.SYS file. Normally, the DataPhysician Plus
installer program takes care of installing VirALERT for you. VirALERT has
several options that set the type of suspicious activity to watch for. Each
of the options is explained in the installer program. While you might think
that you should set the options to detect all suspicious activity, that
might not be a good idea. If the suspicious activity detector alarms all the
time, you will probably start ignoring it and won't notice when a truly
suspicious activity indicates a virus is present. A reasonable setup in the
CONFIG.SYS file is the following.

    DEVICE=C:\DDI\VIRALERT.SYS TV Z=RESSCAN.COM, WIN-RS.COM

With this setup, VirALERT checks for any attempts to write an executable
file, (T) watches for other TSR programs attempting to install themselves,
(V) warns you when it is off, and (Z=...) ignores the TSR programs in
RESSCAN.COM and WIN-RS.COM. In general, the installer does all this setup
for you.

If you are performing an activity that sets off the suspicious activity
detector, such as copying a directory full of executable files, you don't
want to have to sit there pressing C (Continue) every time the dialog pops
up. In this case, you can disable VirALERT by pressing I (Inactivate) to
turn VirALERT off for the duration of this command. VirALERT automatically
turns back on again when the command completes. You can also toggle VirALERT
off by pressing Alt-V to see the VirALERT dialog, pressing the space bar
until OFF appears, and pressing Esc to continue.
You must repeat this sequence to turn VirALERT back on again.

B. Program Change Detectors
----------------------------

A program change detector creates and stores a signature for some or all of
the executable files on your disk. Later, using the stored signatures, the
program change detector can tell if any executable file has changed. In
addition, most program change detectors store those parts of a program that
are most often changed by a virus and can usually restore the program using
those stored parts, even for a program infected with a new, unknown virus.

Unlike a virus scanner, which can be used after an infection has occurred, a
program change detector requires some forethought. A program change detector
must have a baseline program signature file in order to tell that a change
has occurred. Thus, you must have run the scanner before an infection
occurred to create that signature file.

The VirHUNT program in the DataPhysician Plus package contains both a virus
scanner and a program scanner. The virus scanner searches for known viruses
in your executable files, and the program scanner is the program change
detector. The program scanner must be run once with the create new signature
file option set to store the program signatures. It is then run later to
scan for changes in the protected programs. The installer program does this
initial scan for you if you request it.

As with virus scanners, a problem with a signature scanner is that it takes
a lot of time to scan a hard disk. If the scanner is set up in the
AUTOEXEC.BAT file to run every time a machine is booted, it extends the
amount of time it takes to boot a machine. A large hard disk can take
several minutes to scan, significantly trying a user's patience. Scanning
the whole hard disk for viruses or for program changes every time you boot
is probably unreasonable for all but the front door and open machines in
your organization.
A front door machine is one reserved by an organization specifically for
scanning disks coming into the organization. Open machines are those made
available for anyone to use and, because of their uncontrolled nature, are
very susceptible to viruses.

A better strategy is to scan the whole hard disk at times convenient to the
user (at night, at lunch, etc.) and to only scan a few particularly
sensitive files at boot time. By always scanning those files most likely to
be infected by a new virus, you should catch most new infections before they
have gone very far. In most cases, the root directory of the C drive and the
DOS directory are the most likely places for a new infection to occur. Of
course, you should always scan any floppies brought into your area,
including those in shrink-wrapped containers, and any new executable files
copied onto your hard disk.

To use the program signature scanner in an efficient manner, you need to
make two program signature scans: one of the whole hard disk and one of the
directories you are going to scan at every boot. Before creating the program
signature file, you must ensure that your disk is free from virus
infections; otherwise the scanner will include the virus as part of the
signature for a program. Assuming your disk is well scanned and as clean of
infections as you can make it, perform the following steps to create the
initial program signature file.

1. Start VirHUNT.
2. Execute the command: Options, F: Signature Mode, A: Set signature
   options, G: Create new signatures, and press Esc to return to the main
   menu.
3. Execute the command: Options, A: Directory to scan.
4. Type ALL in the dialog box and press Return.
5. Open the Options menu and check that the command: D: Scan subdirectories
   is set to Yes.
6. Open the Options menu and check that the command: B: Scan is set to
   Files, memory and boot.
7. Execute the command: Scan and sit back while all the files are scanned
   and a signature file is created named VIRHUNT.SIG.
8. When this process completes, you may want to save a copy of this
   signature file on a floppy disk.

You now need a second signature file for only those files you want to scan
at every boot up. With all the options set as in the steps above, perform
the following steps.

1. Execute the command: Options, A: Directory to scan.
2. In the dialog box, type the directories you want to scan at every boot
   time and press Return. For example, C:\ C:\DOS scans the root directory
   on the C drive and the DOS directory.
3. Execute the command: Options, D: Scan subdirectories, which should toggle
   the option to No.
4. Execute the command: Options, F: Signature Mode, A: Set signature
   options, G: Create new signatures, B: Set signature filename.
5. In the dialog box that appears, type a file name for the program
   signature file such as VIRHUNT2.SIG, press Return and then Esc to return
   to the main menu.
6. Execute the Scan command and sit back while this small group of files is
   scanned and a second program signature file is created.

To actually do a signature scan, assuming nothing is set (default), perform
the following steps.

1. Start VirHUNT.
2. Execute the command: Options, F: Signature Mode, A: Set signature
   options, B: Scan, find New files.
3. While still in the signature mode, execute the command: B: Set signature
   filename.
4. In the dialog box that appears, type VIRHUNT2.SIG, press Return and then
   Esc to return to the main menu. To scan all the files on the disk,
   instead of just the ones in C:\ and C:\DOS, use VIRHUNT.SIG as the
   filename instead of VIRHUNT2.SIG.
5. Execute the command: Options, A: Directory to scan.
6. In the dialog box, type C:\ C:\DOS. To scan the whole drive, change this
   to ALL.
7. Open the Options menu and check that the command: D: Scan subdirectories
   is set to No. To scan the whole disk, set this to Yes.
8. Open the Options menu and check that the command: B: Scan is set to
   Files, memory and boot.
9. Execute the command: Options, E: User specified search/remove.
10. In the dialog box that appears, type KAOS4.PRG and press Return. This
    loads the virus signature file for the KAOS4 virus.
11. Execute the command: Scan and sit back while all the files are scanned.

The program first does a virus scan for all the files in the C:\ and C:\DOS
directories and then does a program signature scan for all the files in the
VIRHUNT2.SIG signature file. It checks the C:\ and C:\DOS directories and
lists any new executable files found there. If the new files are legitimate
and you do not want an alarm every time you run a scan, you must create a
new signature file for those directories as you did above.

To do the same run of VirHUNT every time the machine is booted, place the
following command in the AUTOEXEC.BAT file.

    C:\DDI\VIRHUNT.EXE C:\ C:\DOS USC:\DDI\KAOS4.PRG SCN SFC:\DDI\VIRHUNT2.SIG LIC:\DDI\SCAN.OUT SISN QU

This command assumes that the files VIRHUNT.EXE, KAOS4.PRG, and VIRHUNT2.SIG
are all in the C:\DDI directory. Started with this command, VirHUNT scans
the C:\ and C:\DOS directories. The US option loads the KAOS4.PRG virus
signature file. The SCN option sets scan subdirectories to No. The SISN
option does a program signature scan and reports new files found. The QU
option makes the program quit after it finishes a successful scan. The SF
option sets the file name of the program signature file to use, and the LI
option sets the file to use to store the results of the scan.

C. Dealing With Stealth Viruses
--------------------------------

Stealth viruses are a special problem for virus scanners and program change
detectors. A "good" stealth virus can hide its presence on a disk by
diverting low level disk read requests to different sectors so that when a
scanner examines a file, the file appears OK. In fact, it is infected with a
virus. However, a stealth virus cannot do its stealthy things if it is not in
memory.
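The program signature scan described in the steps above can be illustrated with a small change detector of the same shape. This is an added example with a JSON signature format of its own design; it is not DDI's VirHUNT code and knows nothing of the VIRHUNT.SIG layout. It baselines the executables in a directory tree, then reports new, missing and changed files, flagging a change that grew by 697 bytes while keeping its old date (the KAOS4 pattern):

```python
"""Minimal program change detector in the spirit of a signature scan:
baseline executables, rescan later, and report what is new or changed."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List

EXECUTABLE_EXTS = (".com", ".exe", ".sys")
KAOS4_GROWTH = 697   # size increase the bulletin reports for an infected file

def file_signature(path: str) -> Dict[str, object]:
    """Signature = size, modification time and SHA-256 of the whole file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}

def create_signatures(root: str, recurse: bool) -> Dict[str, Dict[str, object]]:
    """'Create new signatures' for every executable under root; recurse=False
    is the 'Scan subdirectories: No' setting."""
    sigs = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if not recurse:
            dirnames[:] = []
        for name in filenames:
            if name.lower().endswith(EXECUTABLE_EXTS):
                full = os.path.join(dirpath, name)
                sigs[os.path.relpath(full, root)] = file_signature(full)
    return sigs

def compare(baseline: Dict, current: Dict) -> Dict[str, List[str]]:
    """Report differences; a changed file that grew by 697 bytes while
    keeping its old date is flagged as KAOS4-like."""
    report = {"new": [], "missing": [], "changed": [], "kaos4_like": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["new"].append(rel)
        elif new is None:
            report["missing"].append(rel)
        elif old["sha256"] != new["sha256"]:
            report["changed"].append(rel)
            if new["mtime_ns"] == old["mtime_ns"] and new["size"] - old["size"] == KAOS4_GROWTH:
                report["kaos4_like"].append(rel)
    return report

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a temp dir stands in for C:\\ and C:\\DOS. Baseline,
    append 697 bytes to COMMAND.COM without touching its date, add a new .EXE, rescan."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "DOS"))
        for rel, body in (("COMMAND.COM", b"\xcd\x20" * 300),
                          ("DOS/EDIT.COM", b"\xcd\x20"), ("README.TXT", b"text")):
            with open(os.path.join(root, rel), "wb") as fh: fh.write(body)
        sig_file = os.path.join(root, "VIRHUNT.SIG")   # this example's own format
        with open(sig_file, "w") as fh: json.dump(create_signatures(root, True), fh)
        victim = os.path.join(root, "COMMAND.COM")
        st = os.stat(victim)
        with open(victim, "ab") as fh: fh.write(b"\x90" * 681 + b"KAOS4 / Kohntark")
        os.utime(victim, ns=(st.st_atime_ns, st.st_mtime_ns))  # keep the old date
        with open(os.path.join(root, "DOS", "NEW.EXE"), "wb") as fh: fh.write(b"MZ")
        with open(sig_file) as fh:
            return compare(json.load(fh), create_signatures(root, True))
```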
To defeat a stealth virus, boot the system using a clean, locked floppy. You
can then use your scanner programs to find and remove any virus. If there is
any chance that your scanner program on the hard disk is infected (it will
usually tell you if it is), have another copy of the scanner on the clean,
locked floppy to do your scanning with. If the scanner on your hard disk
indicates that it was infected, be sure to shut down completely and reboot
to get the virus out of memory.

Unfortunately, some virus-infected hard drives cannot be mounted by a system
without the virus in memory. Monkey is of this type. Because they move the
partition table to a different place on the disk, the virus must be in
memory in order to access the partition data so that the drive can be
mounted. Luckily, most virus scanners know how to locate and remove these
viruses.

Note that KAOS4 is not a stealth virus.
_____________________________________________________________________________

For additional information or assistance, please contact CIAC:

    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous
FTP from ciac.llnl.gov (IP address 128.115.19.53), formerly irbis.llnl.gov.

CIAC has several self-subscribing mailing lists for electronic publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information, and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

CIAC's mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines.
To subscribe (add yourself) to one of our mailing lists, send the following
request as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName", "FirstName" and "PhoneNumber", when sending E-mail to
ciac-listproc@llnl.gov:

    subscribe list-name LastName, FirstName PhoneNumber
    e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.
_____________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.