VIRUS-L Digest   Tuesday, 8 Mar 1994   Volume 7 : Issue 16

Today's Topics:

New Mac Virus Announcement -- Please circulate (Mac)
Virus Info List By P.Hoffman?
Philosophy
More Philosophy
Re: A few truths
Have we lost track of the virus problem?
Re: Computer Lab protections strategies
Virus CD-ROM product
re: A few truths
Symantec's BBS numbers
New Virus Related FTP site.
Yet *another* worm program.. (IBM VM/CMS)
Datalock 1740 Ouch! (PC)
Info on NVC (PC)
re: Which ANTIVIRUS package to use????? (PC)
Possible Virus (PC)
Re: ViruSafe and MtE-Infected Virus (PC)
Re: Is it a virus or not! (PC)
Has anyone information on the FORM virus? (PC)
LZR Virus (PC)
Filler virus (PC)
Quox virus? (PC)
Re: Form. Should it be Hated and Feared?? (PC)
Re: Is speed really important (PC)
Need info on Halloween virus (PC)
Scanning compressed files (PC)
The Green Catapillar (PC)
Re: FAQ? Norton & PKUNZIP? (PC)
Possible Virus (PC)
Re: Is speed really important? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 07 Mar 94 17:08:38 -0500
From:    spaf@cs.purdue.edu
Subject: New Mac Virus Announcement -- Please circulate (Mac)

This is NOT an official posting from the PCERT.

Update on INIT-9403 Mac Virus
7 March 1994

This is an update on the INIT-9403 Mac virus, announced on March 3rd.

First, we note that the strain of the INIT-9403 virus that was announced a few days ago has been found only on Macs running the Italian version of MacOS (so far). However, we strongly urge you to obtain and run the most current version of at least one Mac anti-virus tool.

Second, at least one vendor has decided to call the INIT-9403 virus the "SysX" virus, although they will list INIT-9403 as an alias. There is no common naming scheme for new Mac viruses. The majority of anti-virus vendors and researchers have decided to use the name INIT-9403 as the primary name in an attempt to reduce user confusion. We note the name "SysX", however, as a possible alias in some places.

Third, an unexpected system conflict sometimes results in Disinfectant 3.4 giving "unexpected error -192" messages when running on Macs with enabler versions 003 (the LC III) and 040 (the Centris/Quadra 610, 650, and 800), and with the 32 bit system enabler. You can safely ignore this error message as it does not signify a real problem. Disinfectant 3.4 and the Disinfectant INIT can both be safely used on all Macintosh systems to protect against all known Macintosh viruses until John Norstad, the author of Disinfectant, releases version 3.4.1 (soon).
It will be announced and available in all the usual places where Disinfectant is available: ftp.acns.nwu.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, AppleLink, America Online, CompuServe, Genie, Calvacom, MacNet, Delphi, comp.binaries.mac

------------------------------

Date:    Tue, 22 Feb 94 21:32:54 -0500
From:    engpheng@solomon.technet.sg (MR Tan Eng Pheng)
Subject: Virus Info List By P.Hoffman?

Does anybody know if Patricia M. Hoffman has released her latest Virus Information Summary List? And if so, where can I obtain a copy. What I have is the list dated 15 May 1991 and I hope to have it updated. Thanks.

------------------------------

Date:    Wed, 23 Feb 94 08:28:25 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Philosophy

Recently we have seen a number of postings about "harmless" viruses. Different people have different viewpoints. Some say "They are no problem on my computer." and that is one viewpoint. Others have vested interests.

My outlook is skewed by the fact that PCs are my hobby and I am a computer fanatic (also like Pontiacs, mindless action movies, SF, thoughtful parties, & warm weather). However, I receive my income for curing electronic information problems. Here we have over 5000 PCs and this is only one site out of many. I will guarantee that somewhere here there is a machine that would be harmfully affected by any virus if only by the "black screen of death" in Windows. Which will leave a panicked user in its wake. And they will call me.

Some posters are liable to say "well that's their fault for running Windows". The same people would say on seeing a thoroughly trashed disk in the wake of the 4096 "well that's their fault for running CHKDSK/F..." The fact that the operating system is so bad has nothing to do with viruses. Instead Virus writers are like a purse-snatcher who looks for old ladies with canes "because they cannot run so fast".
(of course I am also one of those people who believes that no-one - including the police - should have a gun. Since that is unachievable, *everyone* should be armed & receive compulsory training. Then at least people might be a bit more polite.)

In the "best of worlds" there would be no viruses. Since we are stuck with what we have, I write active prevention and removal software and give it away - so that everyone can be armed. And believe me, writing a virus is *much* easier than writing *good* anti-viral software.

Warmly,
Padgett

------------------------------

Date:    Wed, 23 Feb 94 08:53:07 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: More Philosophy

Actually, there is a place for a very slow (take a long coffee break) scanner. It works like this:

We provide site licensed anti-virus software for every PC. Despite making it as easy to use and RAM-stingy as possible, some people always find ways to deactivate it. At first we used the technique that if the software was not running on the PC, the login to the LAN would be refused (and everybody needs to read their E-Mail). Certain people complained & instructions were issued to find another way.

Now if someone logs into the LAN without the resident stuff, a *very* slow uninterruptible full disk scan is started. If the machine is clean, the login is allowed to complete. Most holdouts now run the resident software 8*).

Warmly,
Padgett

ps Speaking for myself only as usual, darn it.

------------------------------

Date:    Wed, 23 Feb 94 09:44:08 -0500
From:    Rob
Subject: Re: A few truths

I'm sure many others will reply to ktark's latest outpouring, but here's my penny's worth.

As a system administrator I often get students coming to me saying, I just need to print out this file from the disk, or, take a look at the code on this floppy, I can't find the bug, etc. I have a spare machine in my room that I don't use for work, and which has Guard, from Dr. Solomon loaded full time.
The reason for this is that most (probably over 80%) of such disks have a virus. Mainly Form, but occasionally I get an odd one.

In the labs, we now have Guard loaded continually, and also provide a protected McAfee and FindViru on a read only section of the network drive. Before these measures were taken, a virus attack on one machine rapidly caused widespread damage.

I have recently been responsible for purging another department that had no knowledge about viruses whatsoever. Very productive morning that was! Every disk that was sent from that department to anyone else had a virus on it. All of their hard disks were infected. Data was being lost, and then being put down to hard disk unreliability. Part of this is due to the floppy disk culture, i.e. they don't use the network when they should be.

So this guy from the NCSA may well be an expert, but once again real-world experience suggests that he's kidding someone (I would suggest you). He has pandered to your conspiracy theory, confirming your prejudices and so you cite him. You have not chosen to cite any other security 'expert' who differs from your opinion. Do you think 'your' experts are more valid than 'our' experts?

To reiterate: I am a System Administrator at a UK University. I have no connection with the anti-virus industry, except as an end user of McAfee, Dr. Solomon and occasionally VISCAN. Whilst I am no capitalist, I still would not deny these companies the right to make a profit, given that computer users have a need that must be met. If it should come about that they are generating business for themselves by illicit means, my opinion about their stature would change. As it is, my low-level knowledge of PCs is not sufficient to write anti-virus code myself, so I rely on someone who can. That I have not had a virus attack with my machines, or using my floppies I put down to the success of this code, given that all around me people are suffering from virus damage.

Rob.
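Padgett's "More Philosophy" post above describes a LAN login gate: a PC that logs in with the resident scanner loaded is let straight through, one that logs in without it gets a slow full-disk scan first, and the login completes only if nothing is found. Rob's post makes the related point that a resident guard plus a scanner on a read-only share is what actually stops Form spreading through a lab. The Python below is an added illustration of that gate written for this digest; it is not Padgett's code, Rob's code, or any product named in the thread. Everything in it is a constructed stand-in: the "disk" is a dict of path -> bytes, the signatures are made-up ASCII markers (with "?" as a one-byte wildcard, not real virus patterns), and the optional `limit` argument models a "fast" scanner that only reads the first few bytes of each file, the trade-off Keith Peer asks about later in this issue.

```python
"""Login gate enforcing resident anti-virus use (added illustration).

Constructed stand-ins throughout: the 'disk' is a dict of path -> bytes
and the signatures are made-up ASCII markers, not real virus patterns.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Pattern = List[Optional[int]]  # None = one-byte wildcard


def sig(text: str) -> Pattern:
    """Build a byte pattern from text; '?' stands for any single byte."""
    return [None if ch == "?" else ord(ch) for ch in text]


# Constructed signature set (name -> pattern); purely for the demo.
SIGNATURES: Dict[str, Pattern] = {
    "DEMO-A": sig("DEMOVIR?A"),
    "DEMO-B": sig("DEMO??B!"),
}


def matches_at(data: bytes, pattern: Pattern, pos: int) -> bool:
    """True if pattern matches data at offset pos (wildcards allowed)."""
    if pos + len(pattern) > len(data):
        return False
    return all(p is None or data[pos + i] == p for i, p in enumerate(pattern))


def scan_file(data: bytes, signatures: Dict[str, Pattern],
              limit: Optional[int] = None) -> List[str]:
    """Return the names of all signatures found in data.

    limit=None scans the whole file. A small limit models a 'fast'
    scanner that only inspects the first bytes and can therefore miss
    code appended at the end of a program.
    """
    view = data if limit is None else data[:limit]
    hits: List[str] = []
    for name, pattern in signatures.items():
        if any(matches_at(view, pattern, pos)
               for pos in range(len(view) - len(pattern) + 1)):
            hits.append(name)
    return hits


@dataclass
class GateResult:
    allowed: bool
    scanned: bool
    infected: Dict[str, List[str]] = field(default_factory=dict)


def login_gate(resident_loaded: bool, disk: Dict[str, bytes],
               signatures: Dict[str, Pattern]) -> GateResult:
    """The policy from the post: resident scanner present -> login proceeds
    at once; otherwise every file is scanned in full and login is allowed
    only if nothing is found (the infected list goes to the administrator)."""
    if resident_loaded:
        return GateResult(allowed=True, scanned=False)
    infected: Dict[str, List[str]] = {}
    for path, data in disk.items():
        hits = scan_file(data, signatures)  # whole file, every file
        if hits:
            infected[path] = hits
    return GateResult(allowed=not infected, scanned=True, infected=infected)


# Constructed sample disk: two clean files, two carrying a demo marker.
DISK: Dict[str, bytes] = {
    "C:\\DOS\\COMMAND.COM": b"MZ" + b"\x00" * 64 + b"clean program body",
    "C:\\DOCS\\NOTES.TXT": b"DEMO data about DEMOVIRA",       # near miss, clean
    "C:\\TOOLS\\EDIT.EXE": b"MZ" + b"x" * 200 + b"DEMOVIRXA",  # marker at the end
    "C:\\GAMES\\PLAY.COM": b"\xe9\x00\x00DEMO12B!" + b"y" * 50,
}


if __name__ == "__main__":
    for resident in (True, False):
        r = login_gate(resident, DISK, SIGNATURES)
        print(f"resident={resident}: allowed={r.allowed} scanned={r.scanned}")
        for path, names in r.infected.items():
            print(f"  {path}: {', '.join(names)}")
```

Two details worth noticing when running it: EDIT.EXE is only caught because `scan_file` reads the whole file (with `limit=128` the marker at the end is missed), and NOTES.TXT shows why a wildcard pattern still needs its full length to match, so a near-miss string in a data file does not trip the gate.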
------------------------------

Date:    Wed, 23 Feb 94 09:54:24 -0500
From:    "Mitchell Cottrell"
Subject: Have we lost track of the virus problem?

I have been watching this listing for quite some number of years. I am disturbed by the track we seem to be taking here.

When I started watching this listing it was because I was managing about 20 PC based systems, two of which had severe infections of the Jerusalem Virus. I really did not know a lot about viruses, but knew enough that the disk performance problems were not tied to a hardware problem. As a result of a virus scan with a product provided by a friend in another department, I discovered the hard drive was hopelessly infected with over 3000 copies of the virus. About 10% of the software on the drive could not be properly disinfected. Thankfully all of the infected routines were available on my backups (which were infected, but not as bad). This experience taught me that a virus can and will cause damage even as mundane as changing the volume label, or relocating the boot record to someplace else on the disk. The problem is that the virus does not know what it is overwriting on the disk, or what it is doing to the software it is relocating.

I am now in charge of a network of about 150 PCs as well as Mac systems. The last thing I need is a new virus running around. And yes we do get them. Most new infections can be traced to either stupidity or intentional infection for malicious purposes.

As for there being a harmless virus: I have to feel sorry for anyone with that opinion because they obviously don't place any value on their time. If an infection occurs on a machine I must allocate time of either myself or another technician to solve the problem. In today's marketplace time is money, and that virus has literally cost me money to deal with.
The focus of this forum seems to have shifted of late to trying to clean up the image of the virus writers from a malicious thief (yes thief, that's what you call someone who steals money from people) to some overactive computer wizard. If you want to really look at it in terms of reality think about this:

A new virus is released on the world that proliferates into machines at a rate of machine infection that after 10 days 10,000 machines are infected. Each machine takes 1 hour to clean up. No other loss is counted at this time. The technician time is $25 per hour. The originator of this virus has just stolen $250,000 from some number of people. Is this a definition of HARMLESS?????? I certainly hope that the computer society has not sunk to that level of thinking.

It is unfortunate that some people feel that they must make and release viruses. It is people like myself that get stuck trying to clean up after they "had their fun". To those who feel they must come to the defense of virus creators I ask; are you trying to justify your past actions?? That is the ONLY reason that I can ever see for any intelligent person in the computing industry to take that stand.

I apologize for running on..

Mitchell S. Cottrell
Sr. Research Electronics Technician
University of Missouri - Rolla
Mechanical and Aerospace Engineering Department

------------------------------

Date:    Wed, 23 Feb 94 10:38:20 -0500
From:    Otto Stolz
Subject: Re: Computer Lab protections strategies

On Mon, 07 Feb 94 12:44:43 -0500 Gerry Howser said:
> [...] academic computer labs [...] have been attacked by a virus
> (stoned monkey). [...] We are going to place a number of 286 machines
> (one or two) in each lab and require that all diskettes be scanned on
> those machines prior to use in the lab.
Surely, you had required your students not to boot the lab computers from their own diskettes, and to remove diskettes from the drives before leaving the computer unattended, and to remove diskettes immediately in case of a power failure, and to avoid using the Cntrl-Alt-Del key-stroke combination, and to make sure that the drives are empty before switching on the machine, and to have all disks write-protected whenever possible, and ... Still, your students managed to carry in a bootsector virus.

Now, you are going to require that every disk will be scanned before it is used in your computers. Do you, in earnest, expect to achieve better success with this new requirement?

What you really need, is a policy to render an inadvertent infection impossible, and a deliberate infection difficult. And this implies technical means, not relying on human co-operation.

1. For all lab computers, choose the "Boot sequence: C:, A:" option (if your BIOS chips allow so), in the advanced CMOS setup menus. This will reliably prevent boots from floppies -- no need to rely on your students to remember the rules that be. Use Setup passwords to prevent tampering with your CMOS setup.

   When your lab computers are connected to a local network, you can even equip them with extension cards that will boot from a boot-server in the network (which will, of course, be located in a separate room, only accessible to trustworthy people like yourself).

   When none of these are feasible, install a TSR to scan the boot sector of any floppy disk inserted, preventing data transfers from, and to, any floppy disk infected with a boot sector virus. Instruct your users to remove such disks immediately, and seek professional advice. (If the disk is left in the drive, no TSR program can prevent booting from it, if the power is turned off, and on again.)

2.
   On all lab computers, set up the boot sequence (CONFIG.SYS, or AUTOEXEC.BAT) to scan the MBR of the hard disk(s) and the DBR of the active partition, and to stop the boot sequence when a known virus is sensed. (This takes about 5 seconds, on a 486 with two HDs). An even better defence would be an integrity checker to compare the boot sectors to a copy of their original contents; however this will give a false positive when a user has given a new label to the disk. In both cases, the program used should be able to tunnel under any TSRs (such as stealth viruses) that may be loaded during the scan. It is a good idea, to have a conspicuous banner displayed when a virus is found, telling the startled user what to do next, particularly, which staff member to contact.

   Thus, you will prevent further propagation of any boot sector virus that managed to evade provision 1, above (e.g. a virus inserted by a dropper program).

3. On all lab computers, install a TSR virus scanner to be activated during the boot sequence. This TSR shall be set up to prevent starting, or even copying, any program infected with a known file virus. Make sure that it stays in effect during the whole session (e.g. beware of the weird effect the Logon to a Novell server has on such TSRs).

4. Use a reliable integrity checker, in regular intervals, to alert you to any programs that have been changed on, added to, or removed from, the hard disks. Make sure you understand every single complaint it tells you. Keep the integrity checker's data base off-line from the lab computers (e.g. on a floppy disk you keep on you) to prevent attacks based on tampering with your data base; boot from a clean floppy (or via the network) to exclude stealth viruses, and fast infectors, while you check the files.

A very reliable package to provide for items 1 to 3, above, is F-PROT from Frisk Software. This contains even a heuristic scanner that could be exploited to find unknown viruses in items 2, and 4, above.
A good, though not perfect, integrity checker, is Integrity Master from Stiller Research. Both of these are very reasonably priced shareware products.

Good luck,
Otto Stolz

------------------------------

Date:    23 Feb 94 12:59:54 -0400
From:    zuriffl@mcl.saic.com
Subject: Virus CD-ROM product

I recently heard about a CD-ROM package that looks closely at computer viruses. It is called Hylex or Cybex or Cylex or Cytex or something to that effect. The person who passed the tip along to me is not computer literate and may not have heard the name correctly. If anyone knows of this product please let me know.

Thanks
Laurence Zuriff

PS please e-mail to my address if possible.

------------------------------

Date:    Thu, 24 Feb 94 08:45:12 -0500
From:    "David M. Chess"
Subject: re: A few truths

> From: ktark@src4src.linet.org

(I've changed "malign" to "benign" in this quote, because that's the only way it makes sense! I assume a typo slipped in somewhere...)

> The really dangerous ones that maliciously eat away at your data
> are extremely rare, says Stang. Most viruses are rather benign,
> like the 'Stoned' virus, so-called because it makes infected
> computers say, 'Your PC is stoned, legalize marijuana' when
> booting.

> "I have run thousands of sample viruses on a machine, and I have
> never gotten wiped out,' Stang says, downplaying the reputation
> of viruses as computer killers.

With all due respect to David Stang, I'd like to add a few contrary pieces of evidence from our own experience:

- We have a machine that automatically executes and analyzes incoming viruses as the first step of "triage". It regularly has its hard disk wiped, CMOS corrupted, files erased, and so on. I suspect Stang may have been misquoted here, or a sentence about only running selected viruses may have been left out. While it's certainly possible to argue about the nature of "most" viruses, no one can deny that there are hundreds, and probably thousands, of intentionally destructive ones.
- Even the Stoned virus, which is cited as an example of a virus that's not "really dangerous", can cause considerable disruption. It assumes that track 0 on hard disks is unused, and stores a copy of the original Master Boot Record there. On some machines, including those set up with an old version of FDISK, and those that have adapters that use track 0 for startup code, a Stoned infection can overlay important data, making the machine non-bootable, and sometimes corrupting the File Allocation Table.

- The FORM virus, another common virus that contains no intentionally destructive code, has similar problems: it assumes that all bootable hard disk partitions are FAT formatted. On systems running Boot Manager, HPFS, Linux, or anything else besides FAT in the bootable partition, the FORM can cause basically random system corruption when it operates on what it thinks is the BPB and File Allocation Table.

Sorry, Kohntark, if this is a bit technical, but I think the basic meaning is clear: even viruses that aren't intentionally destructive can cause expensive and time-consuming damage. This coupled with the fact that viruses run without the knowledge or consent of the system owner seems to imply pretty unequivocally that they are Bad Things that we'd be much better off without.

- -- -
David M. Chess                  | Hic Sunt in Fossa
High Integrity Computing Lab    | Viruses Ossa
IBM Watson Research             |

------------------------------

Date:    Thu, 24 Feb 94 15:42:38 -0500
From:    "Jimmy Kuo"
Subject: Symantec's BBS numbers

>Does anyone know the new number for the Symantec BBS. I would greatly
>appreciate it. I do not check this group regularly so direct e-mail
>would be helpful. Thanks a lot.

9600:   503-484-6669
slower: 503-484-6699

And if you lose this, the numbers are in the back of the NAV 3 manuals.
Jimmy Kuo                   cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date:    Fri, 25 Feb 94 00:24:54 -0500
From:    datadec@ucrengr.ucr.edu (Kevin Marcus)
Subject: New Virus Related FTP site.

The virus-l archives, as well as the other information at ftp.cert.org is now available for anonymous ftp from corsa.ucr.edu (in /pub/virus-l). (Basically it's a mirror of ftp.cert.org's collection). Additionally, F-Prot, Vsum, and VirusScan are available in /pub/anti-virus-tools.

--
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Tues, Thurs 9-12p, Sat 11a-2p (909)/787-2842.
Computer Science Dept., University of California, Riverside.
.oOo.oOo.oOo. Thieves Suck. Don't steal. .oOo.oOo.oOo.

------------------------------

Date:    Wed, 23 Feb 94 03:29:00 -0500
From:    Valdis Kletnieks
Subject: Yet *another* worm program.. (IBM VM/CMS)

Here's yet *ANOTHER* worm program to add to your 'Selective File Filter' control files: 'EID EXEC'. This one seems to be from SAUPM00, and is amazingly enough not a clone of the others we've seen lately, and although written in Rexx, looks like it was written by somebody more familiar with EXEC-2. Its replication code is rather lame, and this will fortunately tend to slow down its rate of propagation.

Has somebody from Bitnic talked to the Gulfnet powers-that-be about this situation? It's getting more than slightly tiresome. If things don't improve in the near future, it's going to become *very* tempting to automagically trap *everything* from the problem nodes, just so I don't have to add Yet Another Exec every 2-3 days...

Valdis Kletnieks
Computer Systems Engineer
Virginia Polytechnic Institute

------------------------------

Date:    Tue, 22 Feb 94 22:53:12 -0500
From:    jlundgr@eis.calstate.edu (John E. Lundgren)
Subject: Datalock 1740 Ouch! (PC)

We had a classroom of 20 '486 PCs mostly infected by a virus, but the Norton Anti Virus on them didn't detect it.
We found that the dates and times of the program files after execution were changed to 08-08-88 8:08 am. We tried MSAV, and CPAV, but they didn't find anything wrong. We tried McAfee Scan V111 and it didn't find anything. The teacher started formatting the HD and, using LapLink 5, cloned the drive from an uninfected PC. We found later that F-PROT 211 could find the virus, and it was Datalock 1740 variant. I downloaded McAfee Scan V112 two days ago and tried it, and it caught the virus. Apparently it is a new virus from Nov. 1993, according to Hoffman's VSUMX401.

I would like people to know that F-prot seems to be better than SCAN, at least V111, at finding the newer virus. It is obvious that the best protection is having a clean backup in case the virus, or any other problem like a crashed hard disk, gets you. It has shaken my faith in the abilities of virus protection programs to protect one's PC.

--
John Lundgren @ Rancho Santiago Community College District

------------------------------

Date:    Wed, 23 Feb 94 05:25:07 -0500
From:    Norman Data Defense Systems A/S
Subject: Info on NVC (PC)

In reply to Richard Hosker and Henrik Stroem, I would like to supply some information about Norman Virus Control (NVC) as it is shipped in Europe.

As Mr. Stroem points out, the resident smart-blocker (NVC.SYS, nicknamed 'Armour') is a part of the NVC package. This package consists of three scanner modules, which are built around the same detection mechanism. There is one command line version (fast and simple), one version for Windows, and one full-screen interactive DOS version. The definition file that is distributed for updates is used by all three scanners. Also included in the package are the Canary-programs, which are based on checksum-principles to detect self-infection and changes in the hard-drive boot areas. Finally, there is a set of documents in hypertext, including the Norman book on computer viruses. This is an overview of NVC as delivered in Europe.
The US and Far East versions differ slightly.

There is always a risk of false alarms when using behavior-blocking techniques. However, Henrik Stroem's description of how false alarms are generated and avoided is too general. NVC.SYS uses a large set of rules to detect virus activity in a stream of activities, and does not generate alarms on any single event. We clearly distinguish between behaviour-blockers and smart-blockers in this regard.

The number of viruses continues to grow near exponentially. The experiences we have with our users regarding the number of false alarms compared to the number of stealth/unknown viruses detected, clearly show that the use of an intelligent behaviour blocker is a very important part of a secure computer environment. The chance of detecting a new or unknown virus is considerably(!) higher when you are using a smart-blocker in addition to scanners. It is hasty to dismiss a technique because it is not 100% secure. Scanners are not 100% safe either, and rely on frequent updates. It is the combined use of techniques that gives safety, although I know the discussion of which approach is the best will continue.

One last note for Richard Hosker: computer signature updates as well as new software versions are shipped approximately every other month.

Sincerely,
Kristian A. Bognaes
Norman Data Defense Systems
norman@norman.no
norman@digex.com

------------------------------

Date:    Wed, 23 Feb 94 06:19:40 -0500
From:    Otto Stolz
Subject: re: Which ANTIVIRUS package to use????? (PC)

On Tue, 08 Feb 94 22:16:14 -0500, Dave Spitz said:
> Here is the situation:
> Current virus package site licence expires end of March
> Currently have in excess of 3000 pcs, from 8088 to 486DX2/66.
> Currently running DOS ver 3.3+ to DOS 6.2.
> Currently running Windows 3.1.
> Currently have 5 - 8 Novell servers (3.11) with approx 300 users.
> Currently running 2 Banyan servers (ver unknown, users unknown).
> Expect 2 -4 additional Novell 3.12 servers 50 - 100 users each

My recommendation: devise an echeloned strategy.

- For the end-user PCs, I definitely recommend VIRSTOP from the F-PROT package. This will cost you 1 US$ per user per year plus handling costs (mostly your own time, and the media you will choose to distribute it). For newer PCs, I recommend you exert the "Boot Sequence: C:,A:" option in the setup (or advanced CMOS setup) menu to keep boot-sector viruses out.

- For the file servers, I recommend carefully considered access, and modification, rights. In particular, every person in charge of maintaining a software library on some server shall have a particular user-id for this task only; this user-id shall not be used for other purposes, and it must not allow reading/executing access to insecure software (not even to the maintainer's own programs!). I also recommend to run an integrity checker on the libraries, in regular intervals (say once a day). Make sure that the account the integrity checker runs from has no write access to any software library.

- For the in-house Computer Emergency Response Team, I recommend at least two reliable Virus scanners/disinfectors, such as Dr. Solomon's and F-prot, plus some more tools (e.g. Dr. Solomon's, Norton Utilities, and DOS) plus technical descriptions (of interrupts, data areas, ...).

Dave, I've sent you three files with more hints on anti-virus strategies, reviews of PC anti-virus software, and sources/advertisements for anti-virus software (mostly FTP sites).

Good luck,
Otto Stolz

------------------------------

Date:    Wed, 23 Feb 94 09:17:04 -0500
From:    "David M. Chess"
Subject: Possible Virus (PC)

> From: U56371@uicvm.uic.edu
> Today when I went to use my Printer a curious thing happened.
> When I turned my printer on, it started printing a letter as soon
> as it came online. ...

My first guess would be that it's the printer's test sheet; many modern printers have one (or several!)
stored pages in ROM that they can print out when you push the "test" button, or raise an internal "test" line, or whatever. It's possible that you accidentally leaned on the test button, or a switch-glitch pulled the test line high, for instance. Did the letter seem to contain lots of fonts, or other evidence that it might be designed to test or show off the printer's features? The other day I pushed the wrong button on a PostScript printer and got several pages of font lists, images, etc, etc. Quite a surprise!

- -- -
David M. Chess                  | "Shh... We is seein' who kin
High Integrity Computing Lab    | dream 'bout the biggest cat-fish."
IBM Watson Research             |                        -- P. Pine

------------------------------

Date:    Wed, 23 Feb 94 09:16:58 -0500
From:    Otto Stolz
Subject: Re: ViruSafe and MtE-Infected Virus (PC)

On Mon, 07 Feb 94 12:05:35 -0500, Glenn E. Davidson said:
> I would like to add this virus's signature to my VirusSafe program.

MtE is not a virus, but rather a subroutine used by various virus writers. MtE renders a virus polymorphic, i.e. you cannot pinpoint it by exploiting a simple signature (not even if you allow wildcards); rather, you need an algorithm specifically designed to detect various instances of the MtE code.

My advice: use a virus scanner capable of reliably detecting MtE. Cf. VIRUS-L log files for Vesselin's pertinent test reports.

> Does anyone [...] and know what the signature is?

This apparently implies that every virus has a particular, unique signature (as several more recent postings did). This is a gross misconception. A virus signature is any characteristic feature an anti-virus programmer may exploit to recognize a particular virus, such as some bytes from the virus code that are unlikely to be found in other programs. Of course, everybody may legitimately choose his or her own signatures -- as long as they reliably work.
A sound anti-virus product will exploit its own signatures, not shared by other products; two anti-virus programs (I hesitate to term them "products") exploiting the same set of signatures, e.g. from some public source, are not better than one of them alone.

Hence, my advice: use two products (at least) from vendors who do their own research and choose their own virus signatures and detection algorithms. Do not use amateur, or epigonous, programs that thrive on published signature collections.

Best wishes,
Otto Stolz

------------------------------

Date:    Wed, 23 Feb 94 09:40:40 -0500
From:    hermanni@wavu.elma.fi (Mikko Hypponen)
Subject: Re: Is it a virus or not! (PC)

Torban Bennett (torban@csuvax1.murdoch.edu.au) wrote:
> When I ran Norton's Disk Doctor It recovered the lost data to files
> (160 of them) which nearly all contain the words "HiJaak 2" and
> "Awesome" in them at the beginning.

I just took a look at my copy of HiJaak 2.02 screen-grabbing program, and the main program (HJ.EXE) contains the strings 'Hijaak 2' and 'Awesome' at offset 01A820h. I don't know what caused the initial corruption, but it seems that the 'HiJaak' text is not related to the damage - did you have this application installed on your hard disk?

--
Mikko Hypponen // mikko.hypponen@df.elma.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@df.elma.fi
PGP 2.3a public key available, ask by e-mail

------------------------------

Date:    Wed, 23 Feb 94 09:50:55 -0500
From:    wjryan@amoco.com (Bill Ryan)
Subject: Has anyone information on the FORM virus? (PC)

Our support group just received a query about the FORM virus and the tools available to handle it. We have never heard of it, so I thought I'd ask the community at large if anyone has any info on this particular virus. Please reply by email to wjryan@amoco.com. Thanks.
---
Bill Ryan                                  reply to: wjryan@amoco.com
Amoco ITD Distributed Computing/Customer Support   (713)272-1085
->Unix<->VMS<->MS-DOS<->MVS<->VM/CMS<->?<-
"Any opinions expressed are my own unless they prove valuable."

------------------------------

Date: Wed, 23 Feb 94 10:29:36 -0500
From: Bill VanderClock
Subject: LZR Virus (PC)

I hate to admit it but I have not been reading Virus-L as closely as I
should the last few months due to other job demands. I apologize if
someone has already covered this but, can anyone give me any information
on what F-Prot 2.11 identifies as the LZR virus? We have had an outbreak
here and although we know how to deal with it, I'd like to be able to
answer the questions about where it came from, what the trigger is, what
it is supposed to do, etc.

Thanks for anything that you can tell me about this virus.

Bill VanderClock
Faculty Consultant
Bentley College

------------------------------

Date: Wed, 23 Feb 94 12:30:13 -0500
From: kitten@sneeze.resp-sci.arizona.edu (Bruce Saul)
Subject: Filler virus (PC)

Pardon me if the form of my question is incomplete for this forum.

One of the IBM-AT clones at our office has been reported as being
infected by the Filler virus. The virus was discovered by scanning a
floppy disk with McAfee SCAN v109. Filler was discovered in active memory
at that point and an advisory came up on the screen to shut down, then
boot from a clean disk and scan once more. This was done. The disk scan
found no virus. We then ran SCAN from a network drive. It reported Filler
and advised us to shut the unit down. When we tried to reboot once more
from the write-protected disk we got a drive error, and had to press the
F1 key. An additional attempt to boot resulted in a disk controller
failure.

Can anyone help me with this problem? E-mail is fine.

kitten@resp-sci.arizona.edu
Bruce Saul

------------------------------

Date: Wed, 23 Feb 94 17:29:48 -0500
From: frahm@ucsu.colorado.edu (Joel A. Frahm)
Subject: Quox virus? (PC)

I found the Quox virus on two PCs, using F-Prot 2.10, but I cannot find a
description of this virus or any mention of it in the documentation for
F-Prot, or on the Virus Lists. What does it do? It appears to be a boot
sector virus.

-Joel (frahm@ucsu.colorado.edu)

------------------------------

Date: Wed, 23 Feb 94 19:34:07 -0500
From: kurtl@wrq.com (Kurt Lutterman)
Subject: Re: Form. Should it be Hated and Feared?? (PC)

daveg@robin.EE.UNLV.EDU (David Good) writes:
> Then I started thinking... What happens if I leave a Form infected
> non-bootable disk in the drive and reset the pc?? Will it be released,
> so that it may hatch some insidious plot on my HD?? Is there any other
> way it can creep into my machine other than booting off the floppy??

While I'm not absolutely sure, it is my understanding that booting with
a FORM infected diskette will transfer the FORM to your hard drive, even
if the floppy isn't a "bootable" diskette. This is because your BIOS
redirects the boot process to a specific track/sector on the floppy.
Then the program there takes over. In the case of FORM, FORM does its
nasty stuff then redirects the boot process to the copy of the original
sector it made on the floppy, so then you'd get the "not a system" disk
message.

Kurt Lutterman                       Internet: kurtl@wrq.com
Technical Support                    WRQ Tech Support: (206) 325-4357 (voice)
Walker Richer & Quinn, Inc.          support@wrq.com (Internet)
2815 Eastlake Ave. East              GO REFLECTION (Compuserve)
Seattle, WA 98102                    (206) 329-7565 (FAX)
BBS: (206) 322-8047 (modem to 14,400)   bbs.wrq.com (telnet)

------------------------------

Date: Wed, 23 Feb 94 20:58:47 -0500
From: "Roger Riordan"
Subject: Re: Is speed really important (PC)

Keith A. Peer wrote:
> I have read and heard about how fast some antiviral scanners are. My
> question is with all of this so called speed is it possible to be
> missing some infections? Are some scanners not scanning the entire
> file to increase speed?
> Being that some viruses can enter a file in
> the front, middle or end and in some cases anywhere how can a scanner
> that does not scan the entire file find all infections? F-Prot and
> ThunderByte are very fast scanners compared to McAfee. Does McAfee scan
> the entire file while F-Prot and Thunderbyte don't? I mean really
> isn't the quality of the scanner really what's important and not that
> it can scan a hard disk in "X" seconds?

The primary difference is one of cleverness. There are two tricks which
are used in the better products.

The first is what is called "intelligent scanning". With this a block of
code around the initial entry point to the file is loaded and analysed.
If this transfers control outside this block a second block is loaded.
This process may be repeated several times if necessary. This process can
reduce the scanning time by about 70% on a typical hard disk.

This process will find all genuine infections with any virus the program
can detect. It may "miss" some corrupted files where a faulty virus has
been tacked onto a file without patching the entry point, so the program
still operates normally, or where a virus like 4096 has written random
rubbish into the middle of a data file, but it is far less prone to
generate false alarms than a "dumb" scan. Most programs providing
intelligent scanning can do a "dumb" scan if corrupted files are
suspected.

The second trick is to use a better search algorithm. Early programs
simply loaded the file, and then searched it sequentially for each
template in turn. Thus the scanning time increases proportionally with
the number of templates. One can only presume from its (lack of)
performance that Scan still uses this technique.

Better programs use some form of hashing to search for multiple templates
simultaneously. For example VET uses the PolySearch algorithm. This can
search for an almost unlimited number of templates simultaneously, and
effectively conducts 16 searches at once (for templates starting on
successive bytes), but has only 14 microprocessor instructions in the
crucial inner loop. It is estimated that the process will be able to
handle over 10,000 templates without significant performance degradation.

It must be emphasised that this process does not involve any loss of
security. ALL instances of any of the templates will be detected.

F-Prot and Dr. Solomon's Toolkit presumably use similar algorithms, and
give about the same performance as VET. TBSCAN apparently does not have
quite such a good algorithm, but it uses a further trick. Whereas most
programs use the normal DOS calls for file handling TBSCAN bypasses DOS
completely, and uses direct disk reads. This gives a substantial
improvement in speed, at the risk of compatibility problems. In this mode
TBSCAN is significantly faster than anything else we have tested, but in
the "compatible" mode, which uses normal DOS calls, it is a bit slower
than VET. The improvement in the normal mode is a measure of the gross
inefficiencies in DOS, which reads the same sectors over and over again.

TBSCAN appears to work well, but the authors of other scanners probably
feel they have enough support calls caused by compatibility problems,
without deliberately going looking for trouble!

Finally IS speed important? If the scanner you choose takes almost 10
minutes to scan a 360K floppy, or 15 minutes to scan the hard disk every
time the users start their PCs you can guarantee that they will find a
way to bypass the tests, and you will be worse off than if you had no
software, as you will think that your PCs are protected, when in fact
they are not.

With Best Wishes,

Roger Riordan                       Author of the VET Anti-Viral Software
riordan.cybec@tmxmelb.mhs.oz.au     CYBEC Pty Ltd.
Tel: +613 521 0655                  PO Box 205, Hampton Vic 3188 AUSTRALIA
Fax: +613 521 0727

------------------------------

Date: Thu, 24 Feb 94 05:47:02 -0500
From: sgr4211@ggr.co.uk
Subject: Need info on Halloween virus (PC)

Does anyone have any information on the Helloween virus? It seems to be a
resident COM and EXE infector, but that's all I know. What's its payload
(if any) and its trigger? Where did it originate? Any information anyone
has on this would be of interest.

Regards,
Steve Richards.

------------------------------

Date: Thu, 24 Feb 94 06:04:10 -0500
From: sgr4211@ggr.co.uk
Subject: Scanning compressed files (PC)

Is there any way I can detect the presence of "compressed" files on a
disk? I'd like to be able to reliably detect any files that may be
harbouring compressed viruses, and therefore not reliably detectable by
scanners. I realise that many scanners can scan inside some compressed
files (e.g. PKLite, Diet, EXEPack etc.) but this all presumably relies on
the scanner knowing about the compression method. Is there any way of
indicating "This file is compressed in some way, I don't really care
how" that would catch all methods (including those mentioned above,
archives, Microsoft's COMPRESS etc.)?

I want as foolproof a way as possible of detecting the presence of such
files - a simple ERRORLEVEL indicating that compressed files (including
archives) are present would suffice - to flag the disk for closer
inspection.

Regards,
Steve Richards.

------------------------------

Date: Thu, 24 Feb 94 09:38:39 -0500
From: RSMITH@venus.cc.hollandc.pe.ca (ROBERT SMITH)
Subject: The Green Catapillar (PC)

We have been having some trouble with multiple reoccurrences of the green
catapillar virus in our lab. Can anyone tell me if they know this to be a
polymorphic virus.

Thanks
Rob

------------------------------

Date: Thu, 24 Feb 94 15:53:13 -0500
From: "Jimmy Kuo"
Subject: Re: FAQ? Norton & PKUNZIP? (PC)

Re: FAQ? Norton & PKUNZIP (PC)

Bill Geake writes:
> We've been having fun with an apparently infected copy of PKUNZIP.EXE.
> Norton Anti Virus detects a variant of Maltese Amoeba, but Dr Solomon
> and F-Prot don't, despite the latter listing Maltese Amoeba in its
> library.

> I seem to remember, may be a year ago, a thread in which Norton was
> described as producing a few false positives - was it with PKUNZIP.EXE?

> The file size is 28806 bytes, and it's dated 28-12-92. I deduce that
> this is not the safe, official release 2.04g or 1.10 as the size and
> date are wrong, so I won't use it, but is it really infected?

This was a false id situation with NAV 2.1 that was corrected with the
AUG92 virus definitions update (and any following). (Note: AUG92! PKZIP
2.04c came out in DEC92, not that it was PKWare's problem. But if the
user had any updates, they would not have come across this.)

NAV 3.0, that which you would purchase now, does not have this problem.

Jimmy Kuo                       cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date: Thu, 24 Feb 94 16:18:28 -0500
From: djb15@po.cwru.edu (Dan)
Subject: Possible Virus (PC)

Yesterday I tried to run Qpeg, a shareware Jpeg viewer I've run several
times before. This time it said: "File is infected by Th-Th virus. Access
Denied." This appeared after rebooting also. McAfee ScanV111 reported
nothing. Has anyone heard of this? I'm not the only user of this
computer, so I could not save a copy of the program. I ftp'd Qpeg from
"ftp.tu-clausthal.de". Note that I am not saying QPEG is at fault here.
Most likely, if it is a virus, it came from somewhere else. Any ideas?

-Paul
pjc11@po.cwru.edu

------------------------------

Date: Fri, 25 Feb 94 00:23:03 -0500
From: datadec@ucrengr.ucr.edu (Kevin Marcus)
Subject: Re: Is speed really important? (PC)

Steve Bonds (007 wrote:
> Keith A. Peer wrote:
>> I have read and heard about how fast some antiviral scanners are.
>> My question is with all of this so called speed is it possible to be
>> missing some infections?

Another idea that I forgot to mention in my last post is to have VERY
generic scan 'strings' (for now, we'll say strings, though that could
very well be some function) which inaccurately detect a lot of different
viruses. A small set of these could detect lots of viruses, and once this
detection has been made, then one can use a much more precise 'string' to
exactly identify the variant. If there is no match, there is an option to
display something like, "Possible xxxx". Since most systems scanned are
probably clean, a fast scan time can be achieved while still having very
accurate scanning.

--
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Tues, Thurs 9-12p, Sat 11a-2p (909)/787-2842.
Computer Science Dept., University of California, Riverside.
.oOo.oOo.oOo. Thieves Suck. Don't steal. .oOo.oOo.oOo.

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 16]
*****************************************
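Two of the scanner design points raised in this issue, in miniature, as an added example that is not part of the digest and is not the code of VET, PolySearch, F-Prot, TBSCAN or any other product named above: Roger Riordan's point that hashing lets a scanner look for many templates in one pass (cost per byte independent of the number of templates), and Kevin Marcus's two-stage idea of cheap generic "strings" followed by precise variant strings, reporting "Possible xxxx" when only the generic one hits. Every template and sample "file" here is constructed for illustration and is not a real virus signature; the names Sample-A, Sample-A.v1 and Sample-A.v2, the 4-byte hash prefix and the None wildcard convention are all my own assumptions. As Otto Stolz notes above, fixed byte templates of this kind do not detect MtE-style polymorphic code, which needs a dedicated algorithm.

```python
"""Hash-indexed multi-template search plus two-stage (generic, then precise)
identification. All templates and sample files are constructed examples."""
from collections import defaultdict

PREFIX = 4  # leading bytes of each template used as the hash key (assumption)

# A template is a tuple of ints (exact bytes) or None (wildcard byte).
# The first PREFIX entries must be exact, since they form the hash key.
GENERIC = {  # constructed: loose pattern shared by a whole "family"
    "Sample-A": (0xDE, 0xAD, 0xBE, 0xEF, None, 0x42),
}
PRECISE = {  # constructed: tighter patterns that pin down each variant
    "Sample-A": {
        "Sample-A.v1": (0xDE, 0xAD, 0xBE, 0xEF, 0x10, 0x42, 0x01, 0x01),
        "Sample-A.v2": (0xDE, 0xAD, 0xBE, 0xEF, 0x20, 0x42, 0x02, 0x02),
    },
}


def build_index(templates):
    """Bucket templates by their first PREFIX bytes (the 'hash')."""
    index = defaultdict(list)
    for name, tmpl in templates.items():
        key = tmpl[:PREFIX]
        if len(key) < PREFIX or any(b is None for b in key):
            raise ValueError(f"{name}: first {PREFIX} bytes must be exact")
        index[bytes(key)].append((name, tmpl))
    return index


def matches_at(data, pos, tmpl):
    """Full verification of one template at one offset (None = any byte)."""
    if pos + len(tmpl) > len(data):
        return False
    return all(t is None or data[pos + i] == t for i, t in enumerate(tmpl))


def scan(data, index):
    """One pass over the file: take the PREFIX bytes at each offset, look up
    the few candidate templates in that bucket, and verify only those.
    The work per offset does not grow with the number of templates loaded."""
    hits = []
    for pos in range(len(data) - PREFIX + 1):
        for name, tmpl in index.get(data[pos:pos + PREFIX], ()):
            if matches_at(data, pos, tmpl):
                hits.append((name, pos))
    return hits


GENERIC_INDEX = build_index(GENERIC)
PRECISE_INDEX = {fam: build_index(v) for fam, v in PRECISE.items()}


def identify(data, generic_index=GENERIC_INDEX, precise_index=PRECISE_INDEX):
    """Stage 1 runs on every file; stage 2 only for families with a generic
    hit. Returns exact variant names, or 'Possible <family>' when the generic
    template matched but no precise template did."""
    results = []
    for family in sorted({fam for fam, _ in scan(data, generic_index)}):
        exact = scan(data, precise_index.get(family, {}))
        if exact:
            results.extend(sorted({name for name, _ in exact}))
        else:
            results.append(f"Possible {family}")
    return results


# Constructed sample "files": clean, a known variant, and an unknown variant.
SAMPLE_CLEAN = bytes(range(256)) * 4
SAMPLE_V1 = (b"\x00" * 16
             + bytes((0xDE, 0xAD, 0xBE, 0xEF, 0x10, 0x42, 0x01, 0x01))
             + b"\x00" * 16)
SAMPLE_UNKNOWN = (b"\x00" * 16
                  + bytes((0xDE, 0xAD, 0xBE, 0xEF, 0x30, 0x42, 0x03, 0x03))
                  + b"\x00" * 16)

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("v1", SAMPLE_V1),
                        ("unknown", SAMPLE_UNKNOWN)):
        print(f"{label:8s} -> {identify(blob) or ['no match']}")
```

The inner loop of `scan` does one dictionary lookup per offset no matter how many templates are indexed, which is the property Riordan describes; the sequential "one template at a time" approach he contrasts it with would cost one full pass per template. The precise stage only runs on files that already produced a generic hit, so on a clean disk almost all the time goes into the single generic pass.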