VIRUS-L Digest   Monday, 7 Mar 1994    Volume 7 : Issue 15

Today's Topics:

New Mac Virus Announcement -- Please circulate (Mac)
7th InComp Virus & Security Conf
RAMA EXEC (VM)
MADONA MODULE (VM)
dubious NETX.com (trojan?) (PC)
DATALOCK 1740 infects us (PC)
Microsoft Anti-Virus Update.... (PC)
February 1994 LAT (PC)
Re: virus signature database? (PC)
Empire.Monkey.A variant of Stoned (PC)
DiskWasher-virus (PC)
Virus Updates for Nav 3.0 (PC)
Network Virus Scanners (PC)
Cleaning Stamford Virus? (PC)
Yankee (Frikken) Doodle. (PC)
How Can I H/W Protect Hard Drives (PC)
MISIS (Zharanov) (PC)
virus called JUS ?? (PC)
Any reviews of InVircible/V-Care? (PC)
MtE (Mutation Engine) on PC (PC)
VSafe + Scan = Iboot, false positive? (PC)
CONFIG.BOO? Sound Familiar? (PC)
Is this a virus? (PC)
Repairing a botched Monkey repair (PC)
Re: Alternate Infection method (V-Sign) (PC)
need help on mandela 2 virus! (PC)
Re: Clean 111 & Mich. (PC)
Datalock 1740 Virus infect'n (PC)
vds comments (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus
issues; comp.virus is a gatewayed and non-digested USENET counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise, polite,
etc. (The complete set of posting guidelines is available by FTP on
CERT.org or upon request.) Please sign submissions with your real name;
anonymous postings will not be accepted. Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. A FAQ (Frequently Asked Questions) document and
all of the back-issues are available by anonymous FTP on CERT.org
(192.88.209.5). Administrative mail (e.g., comments, suggestions, beer
recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All
submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 04 Mar 94 13:29:58 -0500
From: spaf@cs.purdue.edu
Subject: New Mac Virus Announcement -- Please circulate (Mac)

This is NOT an official posting from the PCERT.

New Macintosh Virus Discovered (INIT-9403)
3 March 1994

Virus: INIT-9403
Damage: Alters applications and system files. May destroy all disk volumes.
Spread: only in Italian version of MacOS so far, but extensive there.
Systems affected: All Apple Macintosh computers, all systems.

The INIT-9403 virus was recently discovered in Italy. It appears that the
virus is being spread (initially) by an altered version of some pirated
commercial software. This software, when run, installs the virus on the
affected system. Once present, the virus alters the Finder file, and may
insert copies of itself in various compaction, compression, and archive
programs. These infected files can then spread the virus to other
Macintoshes. This virus can only spread under the Italian release of
MacOS.

After a certain number of other files have been infected, the virus will
erase disks connected to the system: it attempts to destroy disk
information on all connected hard drives (> 16 Mb) and attempts to
completely erase the boot volume.

The authors of all major Macintosh anti-virus tools are planning updates
to their tools to locate and/or eliminate this virus. Some of these are
listed below. We recommend that you obtain and run a CURRENT version of
AT LEAST ONE of these programs.

Some specific information on updated Mac anti-virus products follows:

Tool: Central Point Anti-Virus
Status: Commercial software
Revision to be released: 3.0c
Where to find: Compuserve, America Online, sumex-aim.stanford.edu,
   Central Point BBS, (503) 690-6650
When available: immediately
Comments: New 'MacSig' antidote file available - dated 3/4/94.
Tool: Disinfectant
Status: Free software (courtesy of Northwestern University and John Norstad)
Revision to be released: 3.4
When available: immediately
Where to find: usual archive sites and bulletin boards -- ftp.acns.nwu.edu,
   sumex-aim.stanford.edu, rascal.ics.utexas.edu, AppleLink, America Online,
   CompuServe, Genie, Calvacom, MacNet, Delphi, comp.binaries.mac

Tool: Gatekeeper
Status: Free software (courtesy of Chris Johnson)
Revision to be released: 1.3.1
When available: On or before March 11th
Where to find: usual archive sites and bulletin boards --
   microlib.cc.utexas.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu,
   comp.binaries.mac
Comments: Some uncertainty remains as to the need for an update, but it is
   most likely that one will be required. People on the gatekeeper-news
   mailing list will be updated as details become available.

Tool: Rival
Status: Commercial software
Revision to be released: INIT-9403 Vaccine
When available: Immediately.
Where to find it: Contact the authors if you haven't upgraded to 1.2.5 yet.
   Otherwise, the vaccine will be sent directly to your account.
   America Online: RIVAL, AppleLink: TESTNONE, Compuserve: 73112,2144,
   Internet: miserey@laguna.ics.uci.edu

Tool: SAM (Virus Clinic and Intercept)
Status: Commercial software
Revision to be released: 3.5.11
When available: immediately
Where to find: CompuServe, America Online, Applelink, Symantec's Customer
   Service @ 800-441-7234
Comments: Updates to various versions of SAM to detect and remove INIT-9403
   are available from the above sources.

Tool: Virex
Status: Commercial software
Revision to be released: 5.02
Where to find: Datawatch Corporation, (919) 549-0711
When available: Detection Strings will be available 3/3 on AOL and on the
   "DataGate" BBS @ (919) 549-0042. Updated version with detection, repair
   and prevention capabilities will be available March 3.
Comments: Virex 5.02 will detect the virus in any file, and repair any file
   that has not been permanently damaged.
   All Virex Protection Service subscribers will automatically be sent an
   update on diskette.

   Guide Number: 14713088
     1: 0053 7973 3620 04D0 / B7
     2: 3001 FC90 7714 0053 / E9
     3: 7973 3642 6700 02A9 / 25
     4: AB00 1DA9 AB81 8090 / 7B

Tool: VirusDetective
Status: Shareware
Revision to be released: 5.0.11
When available: immediately
Where to find: various Mac archives
Comments: VirusDetective is shareware. Search strings for the new virus
   will be sent only to registered users.

If you discover what you believe to be a virus on your Macintosh system,
please report it to the vendor/author of your anti-virus software package
for analysis. Such reports make early, informed warnings like this one
possible for the rest of the Mac community. If you are otherwise unsure of
who to contact, you may send e-mail to spaf@cs.purdue.edu as an initial
point of contact.

Also, be aware that writing and releasing computer viruses is more than a
rude and damaging act of vandalism -- it is also a violation of many state
and Federal laws in the US, and illegal in several other countries. If you
have information concerning the author of this or any other computer virus,
please contact any of the anti-virus providers listed above. Several Mac
virus authors have been apprehended thanks to the efforts of the Mac user
community, and some have received criminal convictions for their actions.
This is yet one more way to help protect your computers.

------------------------------

Date: Tue, 22 Feb 94 10:02:33 -0500
From: isckulp@leonis.nus.sg (ku liang ping)
Subject: 7th InComp Virus & Security Conf

Posting on behalf of a friend

He would like to find out about the forthcoming 7th International Computer
Virus & Security Conference. The contact person Judy S Brand can no longer
be reached at jsb@well.sf.ca.us. The toll free number given is also
unreachable from Singapore.

My friend would like to attend the above mentioned conference. Is the
registration still open? If so how does he register himself?
As the conference is scheduled for 9-11 March, a swift reply will be much
appreciated. Please mail replies to geakkhoo@trantor.dso.gov.sg

------------------------------

Date: Wed, 16 Feb 94 13:00:48 -0500
From: Otto Stolz
Subject: RAMA EXEC (VM)

Entry...............: RAMA EXEC
Alias(es)...........: ---
Strain..............: ---
Detected when.......: February 1994
         where......: CMSUG-L mailing-list
Classification......: Chain Letter (aka Rabbit)
Length of Virus.....: 1. As NETDATA file (in the virtual reader): 74 Records
                      2. On disk: RECFM is V, LRECL is 79, size is 124 records.

- --------------------- Preconditions ------------------------------------

Operating System(s).: CMS (under VM/SP, VM/XA, or VM/ESA)
                      + RXFS package (by Tom Wilson; available, e.g., from
                        LISTSERV@DEARN.Bitnet)
Version/Release.....: presumably Rel. 3, and up; tested with VM/SP Release 5,
                      Service Level 526
Computer model(s)...: IBM Mainframes, and Compatibles

- --------------------- Attributes ---------------------------------------

Easy Identification.: 1. Program comes in a file named RAMA EXEC.
                      2. Source lines 1 through 6 contain, in a box, the
                         following comment:
                            NAME: MSS.
                            DATE: 6 FEB 1994
                            AUTHOR: Ehssan Abuzaid
                            FUNCTION: Display GOOD Morning message to my ....
                      3. Source lines 13 through 36 assign a crude image of a
                         mosque to REXX variables l.1, l.2, etc.; line 21, in
                         particular, reads:
                            l.9= ' ||| H A P P Y rrrrrrrrrrrr R A M A D A N |||

Type of propagation.: Inspects the user's Standard Names File, and tries to
                      send a copy of itself to every address found therein
                      (for limitations, cf. sub Particularities, below).

Propagation Trigger.: Running the EXEC, e.g. by issuing the RUN prefix
                      command against the pertinent line in the Filelist.
                      Note that the EXEC must be received (e.g. by hitting
                      the PF9 key, in the Rdrlist) prior to running it.
                      Note also, that both receiving and running an EXEC
                      file are basic operations that will be executed almost
                      instantly by any moderately experienced CMS user.
Storage media affected: Disk; RSCS Network (e.g. Bitnet/EARN/Netnorth)

Damage..............: Permanent Damage: Any file named RAMA EXEC A will be
                      erased.
                      Transient Damage: A crude image of a mosque will be
                      displayed (each line in a different colour); after the
                      Enter key is hit, the following message (the typos are
                      authentic) enters the screen, line by line, from the
                      left:
                         Dear Users ;
                         I would like to take this apportinuty to wish all
                         of you the best of R A M A D A N and GOD be with
                         you, and I wish you good luck in your study, or in
                         your work.
                         BY the way, we are here to help you in your
                         computer work So do not hasitate and feel free to
                         call us.
                         etc.
                      Side effects: Network jams are possible due to
                      processing multiple copies of RAMA EXEC.

Damage Trigger......: Permanent Damage: Running the EXEC (as above).
                      Transient Damage: Running the EXEC (as above).

Particularities.....: RAMA EXEC is coded rather awkwardly, and sloppily, in
                      particular:
                      1. When the RXFS package is not accessible via any of
                         the standard function packages (RXUSERFN, RXLOCFN,
                         or RXSYSFN), message DMSREX478E will be issued, and
                         RAMA EXEC will be aborted with RC=20043.
                      2. When the program is renamed, it will still try to
                         propagate a file named RAMA EXEC, and subsequently
                         erase it.
                      3. The CMS Sendfile command RAMA exploits accepts only
                         RSCS addresses (such as RZOTTO@DKNKURZ1); hence, a
                         user located in Bitnet will propagate the file to
                         Bitnet addresses, but not to Internet addresses --
                         not even to an Internet style Bitnet address (such
                         as RZOTTO@DKNKURZ1.Bitnet).
                      4. RAMA EXEC contains code to supply the local node
                         name to abbreviated RSCS addresses (such as RZOTTO);
                         however, due to a bug, it will append the words
                         VIA RSCS, and the current date, to the node name it
                         inserts. Due to the resulting syntax error, no file
                         will be sent to the abbreviated address.
                      5. During the propagation phase, CMSTYPE HT is in
                         effect; hence the error messages caused by items 3
                         through 5, above, are invisible.
                      6.
                         RAMA will consume any lines present in the Program
                         Stack.

Similarities........: Initial comments strongly resemble Ronald Page's
                      BOOGIE EXEC (part of RXFS PACKAGE, as distributed by
                      LISTSERV@DEARN.Bitnet).
                      Propagation method resembles ZT EXEC; however, ZT uses
                      the CMS Punch, rather than the Sendfile, command.

- --------------------- Agents -------------------------------------------

Countermeasures.....: Sysadmins should include RAMA EXEC in their RSCS
                      filters.
Standard means......: Users should purge, or erase, RAMA EXEC rather than
                      running it.

- --------------------- Acknowledgement ----------------------------------

Location............: Rechenzentrum der Universit
Classification by...: Otto Stolz
Documentation by....: Otto Stolz
Date................: 1994-02-15
Information Source..: Analysis, and test runs, of RAMA EXEC.
                      VIRUS-L logs pertaining to ZT EXEC.

===================== End of RAMA Chain Letter =========================

------------------------------

Date: Thu, 17 Feb 94 03:17:02 -0500
From: Pete Gifford
Subject: MADONA MODULE (VM)

In response to my recent description of RAMA EXEC, I learned about a
similar (yet even more nasty) beast that apparently is in the wild. I'll
quote only that part of the message that describes it.

Best wishes,
Otto Stolz

- ----------------------------Original message----------------------------

I received a file called MADONA MODULE today. It is compiled REXX which
does the usual, sending itself to everyone in your names file, then does
PUR RDR ALL, ERASE PROFILE * *, ERASE MADONA MODULE [...]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Pete Gifford              Systems Manager      Bitnet: pgifford@allegvm
Allegheny College         Internet: pgifford@admin.alleg.edu
Meadville, PA 16335       Phone: (814) 332-2755

------------------------------

Date: Tue, 15 Feb 94 09:18:44 -0500
From: zrash01@mailserv.zdv.uni-tuebingen.de (Peter Schill)
Subject: dubious NETX.com (trojan?)
(PC)

Last week we had a couple of young people here who used a part of our
PC-Pool for training for a competition. I took those respective PCs from
our (Novell)-Net, unfortunately only by software, i.e. I removed the
respective commands from autoexec.bat.

At the end of the first day I was told that some of the guys tried to
intrude into the net. They even managed to do so, fortunately they didn't
do any damage, as far as I know until now. However, one of the guys
manipulated the NETX.COM file.

Well, after that first day, I removed the NETX.COM and IPX.COM files from
the local disks and replaced them by my own. Saturday, when they all went
off, I replaced the files with the originals (from the respective disks)
and found out that on that one machine I couldn't connect to the net any
more. It was that manipulated NETX.COM that caused the failure. Far worse,
about three minutes after boot, the machine sometimes froze, sometimes
showed some blinking characters on the screen and could only be cold
rebooted. Also sometimes it booted on its own.

I do not think that this is a virus (F-PROT showed nothing), rather I
think it's a trojan. Since I am not familiar with Assembler, I would like
to know, what the changes are worth for :-)

Anyone interested in a copy of this trojan? Of course, only trustworthy
persons will get a copy! (Frisk?)

Peter Schill
schill@zdv.uni-tuebingen.de

------------------------------

Date: Tue, 15 Feb 94 11:15:57 -0500
From: jlundgr@eis.calstate.edu (John E. Lundgren)
Subject: DATALOCK 1740 infects us (PC)

Well, I just knew it would happen someday. We got infected with DATALOCK
1740 virus. The classroom had 18 '486s in it and almost all had it. It
started with programs that had the date and time changed to 08/08/88 8:08
and the funny thing is that all of the PCs had Norton Anti Virus on them.
In desperation, we tried Scan V.111 and it didn't find it either. Finally
we just got out the laplink cables and cloned the drives from an
uninfected PC.
We found out that F-PROT V. 211 finds it. If you want a description of the
virus, it's in Hoffman's VSUMX401. It says that the virus was isolated
around Nov. 1993. Pretty new.

BTW, near the end of the infected program these strings can be found:
   "Hacker: NGUYEN HIEU VINH"
   "22 / 1A Truong Quoc Dung"
   "Phuong 10 Quan Ph Nhuan"
   "Thank Pho Ho Chi Minh"
   "South of Viet Nam"

I hope it isn't spreading. It does some nasty things to all programs that
are executed.

- --
Fortune cookie/Tagline for the week:
Funny -- only sensible people agree with me.
Reality-ometer [\.....] Hmmph! Thought so...
Two rights don't make a wrong, they make an airplane.

------------------------------

Date: Tue, 15 Feb 94 16:15:13 +0000
From: SYSTEM@whqvax.picker.com (Dennis Leiterman)
Subject: Microsoft Anti-Virus Update.... (PC)

Has anybody updated Microsoft's (Central Point's) virus database??? How???

- -----------------------------------------------------------------
| Dennis Leiterman               | Picker International         |
| VAX System Manager             | 595 Miner Road               |
| e-mail: leiterman@picker.com   | Highland Heights, OH         |
- -----------------------------------------------------------------

------------------------------

Date: Tue, 15 Feb 94 23:40:48 -0500
From: vfreak@aol.com
Subject: February 1994 LAT (PC)

LAT 9402                                              February 15, 1994

+--------------------------+----------+---------+-----------+-----+
| SCANNER                  | COMMON   | POLY-   | ZOO       |FLAGS|
|                          |          | MORPHIC |           |     |
|                          |39        |56       |2135       |     |
+--------------------------+----------+---------+-----------+-----+
| TBAV 610                 |39 100%   |56 100%  |2122 99.4% | GS  |
| F-Prot 2.11              |39 100%   |56 100%  |2119 99.3% | S   |
| Integrity Master 221     |39 100%   |56 100%  |2103 98.5% | GS  |
|                          |          |         |           |     |
| Dr Sol A-V toolkit 6.56  |39 100%   |52 92.9% |2007 94.0% | C   |
| Scan 111                 |39 100%   |52 92.9% |1960 91.8% | S   |
| VIRx 2.91                |36 94.7%  |35 62.5% |1855 86.9% | S*  |
|                          |          |         |           |     |
| NAV 3.0                  |39 100%   |53 94.6% |1701 79.7% | C   |
| MSAV w/DOS 6.0           |29 74.4%  |18 32.1% |1090 51.1% | D   |
+--------------------------+----------+---------+-----------+-----+

*- Updated signature patterns
C- Commercial software
G- Generic Virus detector. The other utilities with this product may
   detect viruses that this scanner misses, so don't judge this product
   too harshly because the scanner isn't as effective as you would like.
S- Share Ware or Free Ware product.

========================================================================

I have tested the following generic products, and recommend them.

                                                 FLAGS
                                                +------+
F-Prot Professional (Command Software Systems)  | IV   |
Integrity Master (Stiller Research)             |*ISV  |
PC-cillin (Trend Micro Devices)                 | ASV  |
PC-Rx (Trend Micro Devices)                     | ASV  |
TBAV (Thunderbyte)                              |*AISV |
Victor Charlie (Bangkok Security Associates)    |*BEISV|
                                                +------+

*-Share ware product
A-Activity Monitor
B-Uses Bait files that try to get infected by unknown viruses
E-extract the signatures for unknown viruses
I-uses integrity checking
S-Stores System areas. Boot sector, and Partition table
V-comes with a Virus scanner.

I placed the generic virus detectors in alphabetical order. I do not
recommend one product over another. All of them work differently and may
not fit the way you use a computer, so request information on several
before you decide.

The TBAV documentation claims to extract virus signatures in the
registered version. I do not have the registered version of TBAV, and I
refuse to recommend unless I have tested it myself.

=========================================================================

I would like to thank most of these companies for providing me with
evaluation copies of their software to test. If your company produces
anti-viral software, and would like for me to test it in LAT, contact me
at either of the addresses below.

========================================================================

These tests were performed on a 33 MHZ 486

Bill Lambdin
102 Jones Lane
P.O. Box 577
East Bernstadt, Ky.
40729
Internet address> v.freak@aol.com
Metaverse BBS Co-SysOp (606) 843-9363

------------------------------

Date: Wed, 16 Feb 94 00:38:43 -0500
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: virus signature database? (PC)

steve mazdeh wrote:
> I was wondering if there is a sort of reference list anywhere on the
> internet that has the names and signatures of all the known viruses.
> I would be very interested in getting a hold of it.

Jan Terpstra has a file that goes along with TBSCAN (or at least did
awhile back) that you should be able to ftp from most of the av sites.
Try oak.oakland.edu. There are a lot of files there; try
/pub/msdos/virus/vsigxxxx where xxxx refers to a date. It does not contain
a list of all viruses, but it should be a pretty decent source.

Information on viruses can be obtained from mcafee.com, look around for
vsumxxxx. I'm not sure of its location on their site. Most of the
information in vsum is inaccurate, and it does not follow naming
conventions that will make it easy for you to communicate with other
'antivirus guys/gals'. It, too, is not a listing of all known viruses.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Tues, Thurs 9-12p, Sat 11a-2p (909)/787-2842.
Computer Science Dept., University of California, Riverside.
.oOo.oOo.oOo. Thieves Suck. Don't steal. .oOo.oOo.oOo.

------------------------------

Date: Wed, 16 Feb 94 12:41:57 -0500
From: "Jeremy J. Blumenfeld"
Subject: Empire.Monkey.A variant of Stoned (PC)

We are experiencing some problems in our student computer lab with the
Empire.Monkey.A variant of the Stoned virus (reported by F-Prot 2.10c). We
are using F-Prot 2.10c with virstop installed, but the virus keeps coming
back and apparently infecting the hard drive after accessing an infected
floppy.
The typical scenario: a user reports an infection on their diskette after
scanning with f-prot, the last computer they used is checked and the virus
shows up in memory, after a full reboot it still shows up and we must use
KILLMONK to get it off the computer.

Is there any way to keep it off of the hard drive? Should /boot warn
against this type of infection?

------------------------------

Date: Wed, 16 Feb 94 07:04:29 -0500
From: vf1@irz301.inf.tu-dresden.de (Volker Fischer)
Subject: DiskWasher-virus (PC)

Hi,

we found the DiskWasher Genb with McAfee's scan 111 in our PC-pool
(DECstations 316 (386sx-16, DOS5.0)) - with the options /chkhi and /m in
scan. f-prot 211 couldn't find any virus. After booting from a clean
floppy-disk and scanning, the virus is still present.

Is there anyone with the same problem - especially with DEC's 316, because
on the DECstations 300 (in the same pool) we didn't find any virus ... it
seems not to be a virus ...

Any help ?

- --
V. Fischer
FRZ
email: vf1@irz.inf.tu-dresden.de

------------------------------

Date: Tue, 15 Feb 94 20:05:28 -0500
From: "Jeffrey Rice - Pomona College, California."
Subject: Virus Updates for Nav 3.0 (PC)

I'm not aware of an FTP site that Symantec runs, but I'd rather not pay the
toll charges to their BBS to get the virus def. updates. Is there an FTP
site that consistently carries the most recent version? I've seen a few,
but they aren't always kept up to date.

Jeff Rice

------------------------------

Date: Wed, 16 Feb 94 18:10:08 -0500
From: ken_diliberto@csufresno.edu (Ken Diliberto)
Subject: Network Virus Scanners (PC)

I am looking for a good solution for virus protection for our multiple
server network. We have 12 servers and over 800 workstations. We would
like something that runs on the servers and something that can scan
standalone workstations. Periodic updates would be nice, too.

Thanks.
=========================================================================
Ken Diliberto, KD6KGK              | Does ETHERnet put your
Ken_Diliberto@CSUFresno.edu        | computer to sleep?
- -------------------------------------------------------------------------
"Most congressmen are charlatans who are either ignorant or contemptuous
of our Constitution."   Walter E. Williams

------------------------------

Date: Tue, 15 Feb 94 16:04:52 -0500
From: muckenhi@ux1.cso.uiuc.edu (muckenhirn geoffrey)
Subject: Cleaning Stamford Virus? (PC)

I got a call today from someone needing a virus removed. It turned out to
be the Stamford virus (F-Prot calls it Flame) and has infected the
Partition table. Neither F-Prot 2.11 nor McAfee Clean 111 will clean this
bug up. Any ideas?

Geoff

- -------------------------------------------------------------------------
Geoffrey B. Muckenhirn          muckenhi@ux1.cso.uiuc.edu
Language Learning Lab           geofmuck@uiuc.edu
University of Illinois

------------------------------

Date: Wed, 16 Feb 94 00:57:26 +0000
From: rsmadej-madi@violet.uwaterloo.ca (Robert Madej)
Subject: Yankee (Frikken) Doodle. (PC)

Help Me!

I have the Yankee Doodle Virus. Can I get rid of it with McAfee's
CLEAN106? I tried and I can't. I have loaded all of my files again (that
were infected) but every time I reboot, all my files accessed by
config.sys get infected...

Help.

Reply to rsmadej-madison@violet.uwaterloo.ca

Thanks
Richard.

------------------------------

Date: Wed, 16 Feb 94 00:11:34 -0500
From: "Lynda L. Armbruster"
Subject: How Can I H/W Protect Hard Drives (PC)

Our school has been regularly bombarded with viruses...we usually catch
them by scanning etc. but every once in awhile one gets by us and wreaks
havoc. I have seen references to write protecting a hard drive with
hardware but don't know how to do it, or how to get additional information
about products, pricing, etc.
Our hardware "guru" doesn't know where to begin and preventing students
from writing to the hard disk could solve a LOT of problems besides
viruses. Can somebody help? Thanks.

- -----------------------------------------------------------------------------
LYNDA ARMBRUSTER, CNI/CNE                          larmbru@eis.calstate.edu
Snailmail: Rancho Santiago College, 1530 West 17th St, Santa Ana, CA 92706
- -----------------------------------------------------------------------------
* EVERY EXPERT WAS ONCE A BEGINNER *

------------------------------

Date: Thu, 17 Feb 94 05:58:05 -0500
From: reeda@sun1.bham.ac.uk (Alan Reed)
Subject: MISIS (Zharanov) (PC)

We now have about 10 systems (to my knowledge) containing the above virus.
F-prot 2.11 can detect this virus but as yet cannot remove it. Neither
virus is referred to by those names in the Hamburg list MSDOSVIR.*

I am looking for a spec of what damage the virus could have done and a
removal procedure. Any ideas?

It is a boot sector virus containing the string NIKA.

------------------------------

Date: Thu, 10 Feb 94 19:07:04 +0200
From: Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert)
Subject: virus called JUS ?? (PC)

Hi Dave!

> A user just informed me that a **brand new** computer, just
> installed and never used was found to contain a virus identified by Mcafee
> Scan V109 as JUS. The user turned off the pc , then rebooted with a
> clean write protected floppy (CWPF), and scanned the pc. The scan
> then indicated that four viruses were found. She again turned off
> [...]

Did she load any MSAV TSR when booting? This may result in ghost-virus
alerts, as MSAV keeps unencrypted scanstrings in memory.

cu!
eppi

- --- GEcho 1.01+
* Origin: Another Virus Help Node - The EpiCentre! (9:491/6050)

------------------------------

Date: Thu, 17 Feb 94 09:16:11 -0500
From: GOL AMIR
Subject: Any reviews of InVircible/V-Care?
(PC)

Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) wrote:

> What you call
> Invircible was once a part of V-CARE and now is a separate product. As so
> V-CARE has all the features that are in the InVircible product, The
> InVircible doesn't have what V-CARE has. For example it doesn't have a
> TSR prevention module.

Wasn't it you who told me, about a year ago, that the reason InVircible
has got no TSR module is that those TSRs can sometimes be as dangerous as
a virus? You had some frightening tales about lost partitions and damaged
files ...

> > Well, I can only point out an oddity I discovered
> > after install.exe has finished the installation.
> > The size of files inoculated by CPAV were
> > decreased by 5 bytes. Is this normal ?

> Beware! InVircible attacks the CPAV immunization system as it considers
> it a "virus" or an illegal type of modification. The problem you
> described could be the result.
> Generally the InVircible is a part of the Generic modules of
> V-CARE, it requires to be previously installed in order to protect
> your PC, and it will always work *ONLY AFTER* the infection was done!

The original posting was clear: the files in question had been
"immunized" by CPAV before InVircible was installed, while your answer
refers to "immunization" done after InVircible was installed.

I called you with a similar problem a few months ago. The answer you gave
me then is summarized in my previous post on that thread (well, as far as
I remember it). Comments and corrections will be appreciated.

BTW, the latest version of InVircible is now 5.04c release 2.

Amir Gol (I)

------------------------------

Date: Thu, 17 Feb 94 13:30:32 -0500
From: csc2u2bn@sun.leeds.ac.uk
Subject: MtE (Mutation Engine) on PC (PC)

Could anybody provide information on the MtE (Mutation Engine) virus
add-on written by the Dark Avenger? I understand that it allows a virus to
adopt one of 4 billion forms, and to mutate with infection randomly
throughout these forms.
The Engine is designed to fool signature scanners by making the code
unrecognisable - but if this is the case, how does the virus itself
recognise an infected program to prevent reinfection?

I assume that MtE mutates viruses by inserting random nop's within the
virus code, but would like to clarify this.

Any help would be appreciated.

Thanks to those who responded to my last mailing on 'anti-viral' viruses.
Particularly to SAM for his help with the Potassium Hydroxide Virus.

Dan Lynch.
----------------------------------------------------------------
Dan Lynch. (csc2u2bn@sun.leeds.ac.uk)
           (isxdsl@scs.leeds.ac.uk)
           (csc2l2bn@gps.leeds.ac.uk)
----------------------------------------------------------------

------------------------------

Date: Fri, 18 Feb 94 09:44:21 -0500
From: kalju@mega.chem.ut.ee (Kalju Kahn)
Subject: VSafe + Scan = Iboot, false positive? (PC)

Dear moderator,

I post a message to inform You about effects that come up when McAfee scan
(Ver 108 and 111) runs under DOS 6.2 environment in presence of memory
manager EMM386.EXE (with NOEMS flag!) and monitoring program VSafe.

If these conditions are fulfilled, then after booting from hard disk, and
loading Vsafe (default options or /2+ /7+), and scanning memory:

   scan c:\ /M /chkhi

the warning

   * Found the Israeli Boot active in memory *
   * Found 1 file containing virus *

appears one time. No files are named. Sometimes Filler (next scans) or
Tula (Vsafe loaded in High Memory) are reported.

We think that this is software incompatibility, not a real virus, since

1) We rewrote our MBR, repartitioned our hard disk and formatted it using
   original MS-DOS 6.2 diskettes, installed DOS from it, took Scanv111
   from McAfee.com and used only UNIX low-level formatted + UNIX mtools DOS
   formatted floppies for copying scan.
2) This effect comes up with 2 other computers, which used different DOS
   6.2 installation disks.
VSafe contains some virus signatures and names, but without the NOEMS flag
in the EMM386.EXE line in CONFIG.SYS no messages/warnings appear.

Any comments? You may answer me personally by email, but if it seems
relevant, maybe some note in comp.virus is good. I hope, that other
people, who got such strange messages, don't rush to reformat the hard
disk.

In addition, I add a brief description of our machine:

AMIBIOS 92, 80486-25 SX, Memory: 640 Base, 3328 Extended
128 KB Cache, 384 K Shadow RAM, FAST A20 GATE ENABLED

CONFIG.SYS:
DEVICE=C:\DOS\HIMEM.SYS
DEVICE=C:\DOS\EMM386.EXE NOEMS
BUFFERS=20,0
FILES=30
DOS=UMB
LASTDRIVE=E
FCBS=4,0
DEVICEHIGH /L:1,12048 =C:\DOS\SETVER.EXE
DOS=HIGH
DEVICEHIGH /L:1,9072 =C:\DOS\ANSI.SYS
SHELL=C:\DOS\COMMAND.COM C:\DOS\ /p
COUNTRY=358,,C:\DOS\COUNTRY.SYS
STACKS=9,256

AUTOEXEC.BAT:
@ECHO OFF
PATH=C:\DOS;C:\WINDOWS;E:\AVIRUS\SCAN
C:\DOS\VSAFE /2+ /7+
E:\AVIRUS\SCAN\SCAN C:\ /M /chkhi          # ALARM HERE #
pause
C:\DOS\VSAFE /U
LH /L:0;1,45472 /S C:\DOS\SMARTDRV.EXE
LH /L:1,6384 C:\DOS\doskey /insert
SET TEMP=C:\temp
C:\DOS\chkdsk.exe c:
pause
E:\AVIRUS\SCAN\SCAN e:                     # NO ALARM HERE #
PROMPT $e[31m$t$h$h$h$h$h$h $e[32m$p$g$e[0m$e[K

- --------------------------------------------------------------------------
Kalju Kahn                                  Internet : kalju@chem.ut.ee
University of Tartu, Dept. of Chemistry     fax      : int+(372)72-41453
2 Jakobi street, Tartu, Estonia, EE2400     voice    : int+(372)34-35224

------------------------------

Date: Fri, 18 Feb 94 10:46:37 -0500
From: Goose
Subject: CONFIG.BOO? Sound Familiar? (PC)

Hi. I help maintain a lab of about 30 PC's. They are not on any network,
and all system files have been routinely hidden/archived/etc. For some
reason, I find that the config.sys file is being changed to config.boo.
(this is the only problem I can find easily). There have been some
incidental hard disk crashes as well, which may or may not be linked to
this. Does anyone have any ideas why this is happening? ScanV109 finds
nothing, and I am about to install Norton 3.0.

Thanks!
--> Andy

------------------------------

Date: Fri, 18 Feb 94 21:14:51 +0000
From: kirkh@indirect.com (Lee Kirk Hawley)
Subject: Is this a virus? (PC)

When you power up your PC, the message appears "Non-system disk or disk error". When you boot up on a floppy and check your local disk, there is nothing but ASCII garbage where the directory structure used to be. All the system files are ASCII garbage. This has happened on three separate workstations hooked up to a Novell 3.11 server. The server appears to be functioning properly; at least the current version of McAfee finds no virus. Please send e-mail.

--
The ghost of electricity          Kirk Hawley
howls in the bones                kirkh@indirect.c
of her face.                      Cunning Widgets IPRO, Inc.

------------------------------

Date: Sat, 19 Feb 94 04:43:02 -0500
From: "Jimmy Kuo"
Subject: Repairing a botched Monkey repair (PC)

Some have asked how to repair a hard disk that is no longer detectable because Monkey was once on it and trying to repair Monkey somehow screwed it up, and it's worse now.

Get Norton Utilities. Using Disk Edit, zero out the MBR. Using Norton Disk Doctor, issue the command "NDD /rebuild". NDD will then reconstruct the partition table.

You could use this method on purpose, if you like. Boot clean. Then deliberately screw up your Monkey repair. :-) (I didn't really say that.)

But of course, if you used NAV 3.0, you wouldn't be in this mess.

Jimmy Kuo                                 cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date: Sat, 19 Feb 94 04:43:09 -0500
From: "Jimmy Kuo"
Subject: Re: Alternate Infection method (V-Sign) (PC)

Re: Alternate infection method? (V-Sign) (PC)

Kevin Kenney writes:

>Ran into a virus F-Prot 2.10(c?) calls V-Sign, and other programs
>call Cansu.

CARO name is V-Sign.

>Since it is a boot-sector infector and was on a non-bootable disk, it had
>partially corrupted a(n executable) file on that disk.
>By trying to run
>that program, I at least moved the virus into memory, and possibly
>activated it there. (VIRHUNT reported the virus active in memory.)

VIRHUNT found it in memory. It however could not be active.

>I don't know my DOS file structure well enough to know if starting an EXE
>(possibly) executes code in the 1st block of a file, and thus could run
>a 'non-file infecting' virus residing there. This might be an alternate
>way to be infected with any (or some) boot virii.

Interesting. And in theory, possible. BUT! Not in your situation.

>Also, no disinfector I tried (F-Prot, Virhunt, Norton 2.1) repaired the file
>to a properly executable state. (It may not have been executable before
>infection - the disk's source is unknown.)

Not possible to repair. When repairing a virus, there must be some copy of the original info somewhere. The repair mechanism knows, for which virus, where to find such information. But in your case, a bug of the virus simply overwrote a sector. Thus, a sector's information was lost. Utterly, completely, lost. Well..., if you spent a few thousand dollars, a specialty house might be able to figure out what was on there from secondary electro-magnetic patterns, but that's only if the info is worth that much, and then it's not guaranteed.

>Several questions:
>Can anyone confirm/refute this alternate infection method?

Above, I gave a "BUT!" and my answer is, it's not really possible.

1) Boot infectors need to run from specific environments (0:7c00, top of memory after relocation, etc.). As a passenger in a file, if it gets accidentally executed, it's not in its necessary environment and would not correctly infect.

2) A boot infector could be designed to work that way. But since it was a fluke that got you to where you are, what are the chances that a virus designed this way would ever get anywhere to infect anyone?

>Is disinfecting a boot infector from a file more prone to failure
>than other disinfections?
>(Yes I know backups are best: In this case,
>not knowing the source of the disk, running the infected file was desirable
>to try to find the disk's owner. (I'm a programmer: this looked like a
>utility from someone at work.)

Trying to repair this type of failure will *never* work. They say, "Never say never." But in this case, "never" is correct.

>Can someone send me a rundown of V-sign, so I can panic to the proper degree?
>(Is there an informational server I could e-mail to for automatic info?)

Slightly polymorphic (randomly arranges 3 instructions; 6 variants) MBR and floppy infector. Places a big V on the screen. FDISK /MBR will take care of it.

>How might I tell (due to the disinfection failures) if this might be a new
>strain, and if so how (for a boot virus) and where should I send it?
>(i.e. what ftp sites might have BootId or Checkout (from the FAQ).)

Nah.

>As always, thanks in advance...

Jimmy Kuo                                 cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date: Sun, 20 Feb 94 16:09:04 -0500
From: amueller@sun1.ruf.uni-freiburg.de (Armin Mueller)
Subject: need help on mandela 2 virus! (PC)

Hello,

How can I identify and fight the Mandela 2 virus? For some days I have been watching strange delays on my PC on some disk accesses. They occur sporadically and last for around 30 sec. I have scanned my PC with McAfee SCAN version 111 without any result. Now, during work with Borland Pascal and the debugger, I saw the following words as the contents of a newly allocated variable: "Mandela 2 [Mnd-2] ..(rubbish).. Nice Day". Since those variables only show a part of memory when they are newly initialised, this string was located in memory at that moment. Because neither my program nor I myself ever use this string, I thought this could be the ID of a virus. Browsing through McAfee's VIRLIST.TXT I discovered the description of two viruses called Mandela. Neither this latest SCAN version nor CLEAN discovered Mandela on my PC. So what can I do?
Has anybody any experience with these viruses?

Ciao
Armin

--
ONE PLANET, ONE PEOPLE PLEASE

------------------------------

Date: Mon, 21 Feb 94 09:16:23 -0500
From: woody@knapper.cactus.org
Subject: Re: Clean 111 & Mich. (PC)

I just got hit with Michelangelo. My system is a DOS 3.3 system with a 240 meg hard disk. I have a primary and a secondary partition. The secondary partition is split into volumes d: e: f: g: h: i: j: k:. I took clean111 and attempted to clean Mich off. There are two problems with clean111 in this situation.

One is a stupid procedural problem, to wit: when clean is scanning RAM and encounters Mich active in memory, it quits, requiring you to boot off a floppy. My floppy drive was acting up, and would not boot off of any of the 6 backup copies that I tried. Clean should have enough brains to be able to inactivate Mich in memory, or at least know that once it cleaned it and you rebooted, the active-in-memory portion would no longer be a threat. But no, it can't do that.

The other, and much more serious, problem is that after I cleaned the disk heads, managed to format a floppy with a system on it, and rebooted off of that, it cleaned the hard disk. BUT it killed the DOS extended partition. Drives d - k had nothing on them. Norton showed only 1 partition (the primary one). THIS IS TOTALLY UNACCEPTABLE BEHAVIOR. CLEAN SHOULD BE ABLE TO DO THIS WITHOUT CLOBBERING THE EXTENDED PARTITION TABLE.

I spent an hour working out what I thought were the right parameters to rebuild the second partition, and used Norton 4.5 to edit the partition table. The drives were still gone, even with a re-boot. Then I ran NDD, which detected the bad partition table (I had made a screwup in the numbers I entered), and asked me if I wanted it to find the missing partitions. It found them, and rebuilt the table, and all is well. McAfee CLEAN should be at least smart enough to know how to preserve the partition table.
Cheers
Woody

--
Woody Baker                      Postscript consultant/Flint knapper
512-837-8317 (Austin, Tx)        "If you ain't bleedin' you ain't knappin'"
---> go ahead, ask me...         woody@knapper.cactus.org
woody@chinacat.unicom.com (temporary) is forwarded to woody@knapper

------------------------------

Date: 18 Feb 94 19:45:19 -0800
From: jlundgr@eis.calstate.edu (John E. Lundgren)
Subject: Datalock 1740 Virus infect'n (PC)

Well, I left a msg over on comp.virus, but I don't see it there, so I guess I'll try here.

Last week, a classroom of 20 '486s was, for the most part, infected by something that we couldn't figure out at first. The programs, after they were run, had their date and time changed to 08/08/88 08:08am. We have Norton Anti Virus on those PCs, but it didn't detect it. We tried CPAV, but it didn't show it as there either. I was certain that something was lurking, because I did a DIR of C:, and the A: drive lit up, and the PC locked up because I had a WP tab on the floppy. I had the feeling that some little nasty thing was after my disk. We just started to fdisk, format and use LapLink parallel cables to clone the disk of a known good PC. I left after an hour or so, but the teacher was in there most of the day.

The next day, I found out that it was the Datalock 1740 virus, and I d/l'd VSUMX401, which described it. The older VSUM didn't have it. I guess we'll have to get the latest updates to our a/v programs, so this doesn't sneak by us again. The '486s have the BIOS that warns of a boot sector write, but it didn't help in this case because this virus infects .com and .exe, etc. files.

C U ltr

--
Fortune cookie/Tagline for the week:
Funny -- only sensible people agree with me.
Reality-ometer [\.....] Hmmph! Thought so...
Two rights don't make a wrong, they make an airplane.
Geek Code: GAT d-- p-@ c++(++++) l? u? e+/* m++(*) s !n h+/(*) f g+ w+ t++ t- y-(*)
We are just a few miles down the road from Disneyland.
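Three of the posts above turn on the same 512-byte structure: Jimmy Kuo's Monkey advice (zero the MBR with Disk Edit, then let NDD /rebuild find the partitions again), his V-Sign note that FDISK /MBR is enough, and Woody Baker's complaint that CLEAN 111 removed Michelangelo but took the DOS extended partition with it. The following Python is an added illustration, not code from any of the posters or from Norton or McAfee: it parses an MBR partition table, walks the chain of extended boot records that hold the logical drives D:, E:, ..., and contrasts rewriting only the 446 code bytes (the FDISK /MBR approach, table preserved) with zeroing the whole sector (table gone, volumes recoverable only by scanning for boot sectors). The 64-sector disk image, the partition layout and the boot-sector test (jump opcode, 512 bytes/sector in the BPB, 0x55AA signature) are constructed for the example; what NDD actually checks when it rebuilds is not stated on the page.

```python
import struct

SECTOR = 512
TABLE_OFF = 446          # the four 16-byte partition entries start here in an MBR or EBR
SIG_OFF = 510            # 0x55AA boot signature
EXTENDED_TYPES = {0x05, 0x0F}

def sector_at(disk, lba):
    return bytes(disk[lba * SECTOR:(lba + 1) * SECTOR])

def parse_table(sector):
    """Return (type, start, size) for each used entry; [] if the signature is gone."""
    if sector[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        return []
    out = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        ptype = sector[off + 4]
        start, size = struct.unpack_from("<II", sector, off + 8)
        if ptype:
            out.append((ptype, start, size))
    return out

def list_partitions(disk):
    """Walk the MBR, then the EBR chain inside the extended partition (DOS logical drives)."""
    vols = []
    for ptype, start, size in parse_table(sector_at(disk, 0)):
        if ptype not in EXTENDED_TYPES:
            vols.append((ptype, start, size))
            continue
        ext_base, ebr, seen = start, start, set()
        while ebr not in seen:                  # guard against a looped chain
            seen.add(ebr)
            nxt = None
            for t, rel, sz in parse_table(sector_at(disk, ebr)):
                if t in EXTENDED_TYPES:
                    nxt = ext_base + rel        # link entry: relative to the extended partition start
                else:
                    vols.append((t, ebr + rel, sz))   # volume entry: relative to this EBR
            if nxt is None:
                break
            ebr = nxt
    return vols

def looks_like_boot_sector(s):
    """Jump opcode, BPB bytes-per-sector of 512 and the 0x55AA signature (assumed heuristic)."""
    return (s[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA" and s[0] in (0xEB, 0xE9)
            and struct.unpack_from("<H", s, 11)[0] == SECTOR)

def scan_for_volumes(disk):
    """Rebuild-style recovery: find volumes by their boot sectors, ignoring any partition table."""
    found = []
    for lba in range(1, len(disk) // SECTOR):
        s = sector_at(disk, lba)
        if looks_like_boot_sector(s):
            found.append((lba, struct.unpack_from("<H", s, 19)[0]))   # BPB total sectors (16-bit)
    return found

def rewrite_boot_code(disk, code):
    """What FDISK /MBR does: replace the 446 code bytes, leave table and signature alone."""
    disk[0:TABLE_OFF] = code.ljust(TABLE_OFF, b"\x00")

def zero_mbr(disk):
    """Kuo's Disk Edit step: the whole sector, table included, goes."""
    disk[0:SECTOR] = bytes(SECTOR)

# --- constructed 64-sector image: C: primary, extended partition holding D: and E: ---
def table_sector(entries, code=b""):
    s = bytearray(SECTOR)
    s[:len(code)] = code
    for i, (t, start, size) in enumerate(entries):
        off = TABLE_OFF + 16 * i
        s[off + 4] = t
        struct.pack_into("<II", s, off + 8, start, size)
    s[SIG_OFF:] = b"\x55\xAA"
    return bytes(s)

def boot_sector(total_sectors):
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x3C\x90"                    # JMP SHORT ...; NOP
    struct.pack_into("<HH", s, 11, SECTOR, 1)   # BPB: bytes/sector, sectors/cluster
    struct.pack_into("<H", s, 19, total_sectors)
    s[SIG_OFF:] = b"\x55\xAA"
    return bytes(s)

def build_disk():
    disk = bytearray(64 * SECTOR)
    layout = {0: table_sector([(0x06, 1, 20), (0x05, 21, 40)], code=b"\x33\xC0"),
              1: boot_sector(20),
              21: table_sector([(0x06, 1, 15), (0x05, 17, 20)]),   # EBR for D:, link to next EBR
              22: boot_sector(15),
              38: table_sector([(0x06, 1, 10)]),                    # EBR for E:, no further link
              39: boot_sector(10)}
    for lba, s in layout.items():
        disk[lba * SECTOR:(lba + 1) * SECTOR] = s
    return disk

def demo():
    disk = build_disk()
    before = list_partitions(disk)
    rewrite_boot_code(disk, b"\x33\xC0\xFA")      # FDISK /MBR-style: table survives
    after_fdisk = list_partitions(disk)
    zero_mbr(disk)                                # Disk Edit zero-out: table gone...
    after_zero = list_partitions(disk)
    rebuilt = scan_for_volumes(disk)              # ...but the volumes are still findable by scanning
    return before, after_fdisk, after_zero, rebuilt

if __name__ == "__main__":
    for name, v in zip(("table", "after FDISK /MBR", "after zeroing MBR", "scan"), demo()):
        print(f"{name:>18}: {v}")
```

The point for a cleaner is in `rewrite_boot_code`: a boot-sector virus lives in the code bytes, so disinfection only needs to touch offsets 0-445, and a tool that writes a whole fresh sector (or one that miscalculates the extended entry) is what produces Woody's "drives d - k had nothing on them". The scan in `scan_for_volumes` is also why Kuo can afford to zero the sector first: the logical volumes' own boot sectors are untouched and carry enough structure to be found again.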
------------------------------

Date: Tue, 22 Feb 94 21:24:13 -0500
From: hobbit@ftp.com (*Hobbit*)
Subject: vds comments (PC)

I gave it a whirl last night. The default .ini file contains QUICK_VERIFY = yes, which makes VDS fail to find fairly significant changes to a test .exe file, including changing several bytes, changing the date, etc.

Could the documentation perhaps be written to stay within 80 columns?

_H*

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 15]
*****************************************
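Two of the posts in this issue are really about file integrity checking: John Lundgren's lab found Datalock 1740 only because infected programs came out stamped 08/08/88 08:08, and *Hobbit* found that VDS in its default QUICK_VERIFY mode missed byte changes to a test .exe. The Python below is an added example, not code from either poster or from VDS, of the baseline-and-compare check such a tool performs. It records size, timestamp and a SHA-256 of each executable, flags the Datalock timestamp directly, and compares the result of a full content check with an attribute-only check; that the "quick" mode here compares size and timestamp is an assumption made for the example, since the page does not say what VDS's QUICK_VERIFY actually compares. The directory, file names and the in-place patch are constructed inline.

```python
import hashlib
import os
import shutil
import tempfile
import time
from datetime import datetime

DATALOCK_STAMP = (1988, 8, 8, 8, 8)   # 08/08/88 08:08, the mark described in the Datalock post

def file_record(path):
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}

def baseline(root, exts=(".com", ".exe", ".sys")):
    """Snapshot every executable under root, keyed by path relative to root."""
    recs = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(exts):
                p = os.path.join(dirpath, n)
                recs[os.path.relpath(p, root)] = file_record(p)
    return recs

def has_datalock_stamp(mtime):
    d = datetime.fromtimestamp(mtime)
    return (d.year, d.month, d.day, d.hour, d.minute) == DATALOCK_STAMP

def compare(old, new, quick=False):
    """Return {relpath: reason}. quick=True is the assumed attribute-only mode (size and
    timestamp); quick=False compares the stored content hash."""
    findings = {}
    for rel, rec in new.items():
        if has_datalock_stamp(rec["mtime"]):
            findings[rel] = "timestamp 08/08/88 08:08"
            continue
        prev = old.get(rel)
        if prev is None:
            findings[rel] = "new file"
            continue
        if quick:
            changed = (prev["size"], prev["mtime"]) != (rec["size"], rec["mtime"])
            reason = "size or timestamp changed"
        else:
            changed = prev["sha256"] != rec["sha256"]
            reason = "content changed"
        if changed:
            findings[rel] = reason
    return findings

def demo():
    root = tempfile.mkdtemp()
    try:
        files = {"GOOD.EXE": b"MZ" + bytes(98), "PATCHED.EXE": b"MZ" + bytes(98),
                 "STAMPED.COM": b"\xE9" + bytes(99), "README.TXT": b"not an executable"}
        for n, data in files.items():
            with open(os.path.join(root, n), "wb") as f:
                f.write(data)
        old = baseline(root)
        # Change 1: patch two bytes in place (same size) and put the original mtime back,
        # the kind of change an attribute-only check cannot see.
        p = os.path.join(root, "PATCHED.EXE")
        with open(p, "r+b") as f:
            f.seek(0x40)
            f.write(b"\xCD\x21")
        os.utime(p, (old["PATCHED.EXE"]["mtime"], old["PATCHED.EXE"]["mtime"]))
        # Change 2: the Datalock-style timestamp on an otherwise unchanged file.
        stamp = time.mktime(datetime(*DATALOCK_STAMP).timetuple())
        os.utime(os.path.join(root, "STAMPED.COM"), (stamp, stamp))
        new = baseline(root)
        return {"full": compare(old, new), "quick": compare(old, new, quick=True)}
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, findings)
```

The full check reports both PATCHED.EXE and STAMPED.COM; the attribute-only check reports only STAMPED.COM, because a file infector that restores the original date and time (or, as Datalock does, rewrites it to a fixed value you happen not to be looking for) leaves size and timestamp telling the same story as before. Whatever a particular product's quick mode compares, a content hash over the whole file is the check that cannot be fooled that way.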