VIRUS-L Digest             Tuesday, 15 Mar 1994        Volume 7 : Issue 17

Today's Topics:

Sorry....
New Book on Viruses
"Good viruses"
Antiviral software and hardware database
Jeffrey Bloss' fire analogy
Intelligent detection
Re: 7th InComp Virus & Security Conf
Re: Another VM virus - ICM EXEC (IBM VM/CMS)
Aurora text editor bug/virus/problem (PC)
Potential Virus Help (PC)
Re: Form. Should it be Hated and Feared?? (PC)
Anyone ever heard of "D2"? (PC)
Floppy boot-up (Re: Form. Should it be Hated (PC)...)
monkey business (PC)
Virus Info Database (PC)
Form virus (PC)
Shrink-wrapped virus? (PC)
Recuperating text files zipped.... (PC)
BOBO virusR (PC)
New (windows !!!) virus ??? (PC)
strange virus message (PC)
Monkey, an easier way (PC)
FORM problems (PC)
DOS 6.X Anti-Virus (PC)
M-day ? (PC)
"Chip Away Viruses" Evaluation (PC)
McAfee VIRUSCAN V112 uploaded to the SimTel Software Repository (PC)
hs-v358.zip - HS v3.58: Boot virus detection and repair pgm (PC)

VIRUS-L/comp.virus is a moderated mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 22 Feb 94 07:05:04 +0200
From:    Fred_Janssen@f1.n9931.z9.virnet.bad.se (Fred Janssen)
Subject: Sorry....

> RV> * Origin: Virus Research Centre Holland (9:9931/4)
> You should know better!

You should read better. Rob is not giving files to anybody, he is just
informing somebody about which files are infected. This kind of
information can help somebody who is a victim of these files. Read and
make sure you understand a message for the full 100% before flaming.

[Moderator's note: ...and when you want to flame, do it somewhere other
than VIRUS-L/comp.virus.]

Fred RC-31

---
 * Origin: Fred's Place (9:9931/1)

------------------------------

Date:    Fri, 25 Feb 94 10:21:28 -0500
From:
Subject: New Book on Viruses

"A Short Course on Computer Viruses - 2nd Edition"
Now available from John Wiley and Sons Publishers
Author: Dr. Frederick B. Cohen (me)

Contents:
    Computer Virus Basics
    Real-World Viruses
    Technical Protection From Viruses
    Non-Technical Defenses
    Some Analysis
    Strategy and Tactics in Virus Defense
    Finishing Up
Appendices:
    The Good Joke
    The Formal Definition of Viruses
    Models of Practical Virus Defenses
    Some Sample Forms of Program Evolution
    Viruses in Networks
    Annotated Bibliography

Also available with a software disk containing examples of how defenses
work, spreadsheets for financial analysis of virus defenses, and much
much more.

"If you liked the last version of the book, this one will knock your
socks off" - not an actual quote

ALSO INCLUDED:
- Why IBM's epidemiological model of virus defense may lead to global
  catastrophe!
- How to save a lot of money by making better management decisions
  about viruses!
- The history of benevolent viruses, what their risks are, and how to
  avoid them!

Order lots! Order now! While supplies last!!!

(was this too advertisy?)
FC

------------------------------

Date:    Fri, 25 Feb 94 17:48:26 -0500
From:    Brian Seborg
Subject: "Good viruses"

In the last issue someone asked about the FIST virus. I guess this is
where many of us would like to see standard naming conventions, right!?
Well, most likely, the virus you are experiencing is the Screaming
Fist. Also, it is probably the Screaming Fist 696. This is a virus that
infects on file open (known as a "fast-infector"). It is harmless
except for the fact that it will corrupt some .exe files (your
anti-virus will not be able to "clean" the .exe files and you will end
up having to delete them and re-copy them from clean back-ups). .com
files should clean up relatively well. The virus adds 696 bytes to all
.com files, but becomes over-writing on .exe files and adds a variable
length to .exe files. It's minorly polymorphic (it has 2 forms :-)).
Make sure you re-boot your machine from a clean write-protected DOS
disk before scanning (since it will infect every program on the disk if
you scan with some scanners while the virus is RAM resident). Other
than that it is unremarkable. See Patricia Hoffman's VSUM under
"screaming fist" for more information. Hope this helps.

As for Ktark (is this a leap or what?!) :-). My only comment is that
you are seemingly proving the old adage "If you're going to be wrong,
be loud!" You have not refuted any of the arguments regarding "good"
viruses, and if David Stang actually stated that most businesses would
not be affected by viruses, that is probably because he is aware that
most businesses fail. :-) Those businesses that are on-going concerns,
and which have PCs and networks, will see a virus if they have not
already. But this is not worth arguing over. The fact is, there is no
such thing as a good virus in the wild. You have even admitted as much,
end of argument. So, if you want to waste bandwidth by arguing the
contrary, argue on, but know that the rest of us know the truth.
:-)

Brian Seborg
VDS Advanced Research Group

------------------------------

Date:    Sun, 27 Feb 94 21:35:52 -0500
From:    dm252@cleveland.freenet.edu (Keith A. Peer)
Subject: Antiviral software and hardware database

I am compiling a database of all antiviral software and hardware
because I have found that the greatest problem facing a person trying
to defend against viral attacks is knowing what is available. Any help
is GREATLY appreciated. This data will be distributed to corporations
and individuals and I am planning on this information being FREE of
charge. Please don't assume I know of the company or product. I
probably don't!

What I am looking for (but any help is appreciated):

1. Company Name or Individual's Name
2. Company Address
3. Phone, FAX, BBS
4. E-Mail Address
5. Products
6. General Description of Products
7. Anything else you want to add

Thanks in advance for any help you give. Please E-Mail any responses to
-=> dm252@cleveland.freenet.edu

Keith A. Peer

--
Keith A. Peer                                    +---------------+
Cleveland Freenet -=> dm252                      | PGP Key       |
Internet -=> dm252@cleveland.freenet.edu         | Available     |
Interests -=> Antiviral Software and Hardware    +---------------+

------------------------------

Date:    Tue, 01 Mar 94 07:43:38 -0500
From:    Rob
Subject: Jeffrey Bloss' fire analogy

We are asked by Jeffrey to be less alarmist about viruses (repeat
viruses). The example he cites to convince us of that is that whilst
viruses can damage data, so can fire.

Call me Mister Yellow, but I'm fairly 'alarmist' about fire, in that I
seek to avoid situations where fire is likely to arise. E.g., I don't
carry a can of petrol to work, or sit too close to naked flames, or
encourage the use of napalm in the labs. In the same way, I try to
ensure that my computer is not exposed to viruses (or fire for that
matter), and my aim is that students' computers at home should not have
viruses on them either (and preferably that they don't play with
matches or smoke in bed).
The proof you give to your customers: of what value is it? Are you
trying to convince them that viruses are harmless, mere trinkets of
interest only to paranoid computer scientists? If I put a bunsen burner
beneath your computer would you laugh it off - "Oh it may cause data
loss, but so would drowning".

The difference between fire damage (presuming it's accidental, not
arson or negligence) and virus damage is one of intent, and that goes
to the heart of the question of 'good' v 'bad' viruses.

Alternatively, let's make the fire deliberate: would you argue that a
pyromaniac who damaged your data was different to a virus writer who
damaged your data? Does one of them need any less
help/correction/whatever than the other?

Sure there's media hype. But at the heart of it is a nugget of 'truth'.
The existence of viruses, as they appear today, is dangerous for data,
and no amount of thought experimentation or theorising is going to
convince me otherwise, given that I see virus damage at work.

Rob.

------------------------------

Date:    Fri, 04 Mar 94 13:29:28 -0500
From:    iszucs@stwing.resnet.upenn.edu (Istvan Szucs)
Subject: Intelligent detection

Hello,

My name is Istvan Szucs, I am a junior (undergraduate) of the
University of Pennsylvania. I am currently working on a project to
implement an intelligent virus detector program on the PC. (By
intelligence I mean capable of learning by example, using heuristics in
an intelligent manner, etc.)

In theory I have solved most of the problems that came up to make the
program intelligent, but there is one issue I haven't been able to
settle to my satisfaction: extracting signatures automatically. I am
wondering if anybody attempted to solve this question automatically. I
think it would even be helpful if someone could tell me how it is done
manually. From the books and articles I have read so far it seems to be
a synthesis of disassembly and black magic. Is that true?
I would also appreciate it if someone would be willing to assist me
with the project in a more general sense. I would be happy to exchange
notes with anyone working on a similar project, or to have my ideas
reviewed by someone more experienced with viruses. I am not interested
in making money on this project, so I would be willing to give up
claims for financial gain this project may yield for significant
assistance.

------------------------------

Date:    Mon, 07 Mar 94 09:23:34 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: 7th InComp Virus & Security Conf

isckulp@leonis.nus.sg (ku liang ping) writes:

>Posting on behalf of a friend
>He would like to find out about the forthcoming
>7th International Computer Virus & Security Conference

That's LefConference, right? Is that conference really going to happen?
I thought it was for all practical purposes dead...after all, the
conference last year was such an incredible fiasco that it is hard to
describe. I'm not so terribly upset about last year's conference
myself, but I believe those who paid to attend, and did not even get
the proceedings, will certainly not show up again this year.

-frisk

------------------------------

Date:    Fri, 04 Mar 94 13:27:28 -0500
From:    Otto Stolz
Subject: Re: Another VM virus - ICM EXEC (IBM VM/CMS)

On Wed, 2 Mar 1994 10:54:24 IST Hank Nussbacher said:
> The following virus appeared today in Israel and was sent from STUCBC2
> at SAUPM00. [...]
> It was sent as ICM EXEC. Please add it to your RSCS filters.

The replication code in ICM EXEC matches exactly the replication code
of RAMA EXEC we saw last week. I.e.

   COPY RAMA EXEC A = EXCERPT = ( FROM 98 FOR 26
   COPY ICM  EXEC A = EXCERPT = ( FROM  2 FOR 26
   COMPAREX RAMA EXCERPT A ICM = =

will report but 1 difference, viz. the SENDFILE command in line 22 (of
the EXCERPT files).

> From the inside of the virus it would appear as if the author
> is from SAUPM00 and not merely redistributing someone else's virus.
The payload of this chain letter (this beast does not qualify for the
term Virus, as it is widely understood) is an interactive advertisement
(in a horrible spelling) for a magazine, or perhaps a discussion forum
(to me, it appears a bit muddled). When the user chooses to join, a
file is sent to -- apparently a student account at King Fahd University
of Petroleum and Minerals.

This sort of junk mail clearly is an offense against EARN rules. How
can we keep those Arabic narcissists from wasting our users' and
programmers' time, our storage media and net bandwidth?

Best wishes,
Otto Stolz

------------------------------

Date:    Sun, 20 Feb 94 01:28:00 +0200
From:    Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Aurora text editor bug/virus/problem (PC)

Hi Andrew!

> directory, deleted the files and everything is O.K. Typing this
> up makes me wondering - I had that directory APPENDed with "APPEND
> C:\UTIL\AURORA;". Would this have been the problem?

Yep, that's it. APPEND makes any files in the APPENDed directories
appear in any other as if they were there, too. This feature is there
to, e.g., use some data files from anywhere in your tree even if the
program you're using demands the files in the directory you're in. No
virus at all :-)

cu!
eppi

--- GEcho 1.01+
 * Origin: Another Virus Help Node - The EpiCentre! (9:491/6050)

------------------------------

Date:    Sun, 20 Feb 94 01:31:01 +0200
From:    Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Potential Virus Help (PC)

Hi Christopher!

> appears that any disk that is formatted in this particular
> office will generate an additional 0-byte hidden file that I have only
> detected through CHKDSK.

Suspicious. Some boot viruses exceeding 512b sector length hide their
code in sectors marked as bad. Maybe this is just another trick like
this. What's the file called? Does CHKDSK report lost clusters? Watch
out and hand such a disk to a virus researcher.

cu!
eppi

--- GEcho 1.01+
 * Origin: Another Virus Help Node - The EpiCentre! (9:491/6050)

------------------------------

Date:    Fri, 25 Feb 94 15:21:57 -0500
From:    wjryan@amoco.com (Bill Ryan)
Subject: Re: Form. Should it be Hated and Feared?? (PC)

Does anyone have specific information on the form virus and ways to
disinfect? Please send email to wjryan@amoco.com. Thanks.

---
Bill Ryan                          reply to: wjryan@amoco.com
Amoco ITD Distributed Computing/Customer Support   (713)272-1085
->Unix<->VMS<->MS-DOS<->MVS<->VM/CMS<->?<-
"Any opinions expressed are my own unless they prove valuable."

------------------------------

Date:    Fri, 25 Feb 94 17:12:29 -0500
From:    rhorlick@mtholyoke.edu (Rick Horlick)
Subject: Anyone ever heard of "D2"? (PC)

Does anyone know if this is a real virus, or just a Norton Antivirus
false-positive? I can't find an up-to-date virus list on the internet
(anyone know a good, well maintained virus list?), and I don't detect
this with my 9-month-old copy of Virex [VPCSCAN v.2.7] (the last copy
they've sent out; honest!). (Anyone know why Microcom (publisher of
Virex) won't answer their phone?)

If it exists, is D2 new (since mid-1993), or was VPCSCAN v.2.7
braindead to begin with?

------------------------------

Date:    Fri, 25 Feb 94 21:53:45 -0500
From:    Mahmoud.Mirzamani@lambada.oit.unc.edu (Mahmoud Mirzamani)
Subject: Floppy boot-up (Re: Form. Should it be Hated (PC)...)

wrote:
>
> At this point the CMOS is read in. Assuming that the PC is set up to
> boot in a standard manner, the ROM code then examines the first floppy
> drive to see if it has a disk in it. If it does, the contents of the
> disk's boot sector are read into memory and executed.
>
> I am sure that you will have seen the message `Non System Disk or Disk
> Error...' - this is displayed by code located in the boot sector of a
> non-bootable floppy disk. If Form were to infect this disk, it would
> treat this boot sector as valid, and store it for later use.
> Thus, when booting from an infected disk, the Form virus would be
> loaded (which would infect the first fixed disk), following which the
> contents of the `non-bootable' boot sector, and the message `Non
> System disk etc' would be displayed. The golden rule is that any
> floppy disk could contain a boot sector virus.
>
> The only way for a boot sector virus to get off that floppy disk in
> normal use is to boot from it. Get out of the habit of using the
> three-fingered salute (Ctrl-Alt-Del) to your machine when it hangs -
> remove the floppy first. Any disk, whether it be bootable or not, is a
> potential hazard.
>
> Regards,
>
> Dicky Ford
> Editor, Virus Bulletin.
>

Good point, however I have a question about ways to prevent a disk
boot-up. I know of the NoFBoot and SumFBoot programs which prevent an
accidental warm boot-up, but what about cold boot-up? Is there a way to
prevent reading of the A: drive altogether? The reason I ask this is
that I have to find a way to prevent about fifty PCs from becoming
infected by this very reason. It seems that college students can't
understand this simple instruction.

Thanks for any help.
Mike-

--
The opinions expressed are not necessarily those of the University of
North Carolina at Chapel Hill, the Campus Office for Information
Technology, or the Experimental Bulletin Board Service.
internet: laUNChpad.unc.edu or 152.2.22.80

------------------------------

Date:    Sat, 26 Feb 94 12:19:29 -0500
From:    aj247@freenet.buffalo.edu (Brent R. Cooley)
Subject: monkey business (PC)

The Monkey virus is running rampant in my school district (not State
Univ. at Buffalo). It's even killed some of my friends' hard drives. We
are all veteran computer users, and we can't seem to get rid of it,
even with McAfee's Scan and Clean... Any other info on this Monkey
virus would be appreciated via E-mail..
--
L8r,      ************* Delevan, NY USA *************
          * Brent Cooley    aj247@freenet.buffalo.edu *
Brent     *******************************************

------------------------------

Date:    Sun, 27 Feb 94 13:42:30 -0500
From:    Mikael Larsson
Subject: Virus Info Database (PC)

Hi,

I am wondering a bit about databases containing info about viruses; we
all know about VSUM but I am interested to know about alternatives to
VSUM and where to get them.... Doesn't matter if they are shareware or
totally commercial.

Thanks,
Mikael

---->>> NOTE!!! New Mailing address to VHC from 28th Of January <<<----
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre     Phone:  +46-26 275740   Email: mikael@vhc.se
Box 244               Fax:    +46-26 275720   or   : mikael@abacus.hgs.se
S-811 23 Sandviken    BBS #1: +46-26 275710   Fido : 2:205/204 & 2:205/234
Sweden                BBS #2: +46-26 275715   Authorized McAfee Agent!

------------------------------

Date:    Mon, 28 Feb 94 10:02:06 -0500
From:    jeff.chilton@thor.ece.uc.edu (Jeff Chilton)
Subject: Form virus (PC)

SS> We have had a RAMPANT infection of Form at work. The most evident
SS> we have experienced is an error when loading the Windows 32-bit
SS> disk driver upon Windows startup.
SS> Good luck getting rid of this sucker...it's a BUGGER!

Yea, that thing sits in the boot sector of the disk and is passed on to
a hard drive by booting on an infected floppy disk (any floppy disk can
carry this bug around and pass it on). So if you accidentally leave a
floppy disk in your machine and boot it, it will infect the hard drive
of the computer. Did a disassembly on it and found it only activates on
the 24th of each month. When it does it messes around with the disk
drive and makes a mess of things. Also an infected computer will infect
every floppy disk that is inserted into it. Really nasty little bug!
Jeff

 * RM 1.3 01375 * All the kookies are not in the jar

------------------------------

Date:    Mon, 28 Feb 94 10:10:34 -0500
From:    Chip Seymour
Subject: Shrink-wrapped virus? (PC)

We have apparently received a virus-infected 3.5" HD diskette directly
from a well-known manufacturer who will remain unnamed. When installing
their product from the shrink-wrapped floppy, F-PROT v2.11a reported

   Scanning boot sector B:
   Boot infection: Stoned.Manitoba
   This virus cannot be removed by this version of the program.

McAfee Scan v1.06 reported

   Found the Generic Boot [Genb] virus in boot sector.

MSAV reported

   Total boot sector viruses FOUND  : 0
   Total boot sector viruses REMOVED: 0

The manufacturer denies having sent a virus-infected product, and when
we received a replacement floppy, it too was infected.

Can anyone tell me what to look for in the boot sector to confirm this,
and what we can expect from Stoned.Manitoba (which is not listed in
F-PROT's virus information database nor in VSUM 9312)?

Chip Seymour
NetAdmin
Computervision Corp
Bedford MA
(617) 275-1800 ext 3651

------------------------------

Date:    Mon, 28 Feb 94 13:18:15 -0500
From:    cholette@jsp.umontreal.ca (Cholette Martin)
Subject: Recuperating text files zipped.... (PC)

Hello everyone,

I have some text files that were stored in a zip file with PkZip. Now
my problem is that the disk containing this ZIP file is contaminated by
a nasty virus that cannot be cleaned. Is it safe to access this floppy
and to copy this zip file to my system and unzip it? What is the best
way to recuperate these text files that are very important to me?

Thanks for the help..

Martin Cholette

------------------------------

Date:    Mon, 28 Feb 94 18:02:00 -0500
From:    udsm@sunyit.sunyit.edu (Derek S. Meyer)
Subject: BOBO virusR (PC)

What is this virus??
I believe we have possibly a new strain here (don't know for sure).
I've run f-prot211, scan111, nav 3.0; only scan detects it, and after
we try to clean it all seems to go well until we reboot again and up
comes a message "We will be back BOBO". Yes we are trying to clean from
a "bootable write protected" disk and cleaning from the "clean" disk.

I wasn't able to find any info on this virus in VSUM or f-prot; all
scan has is that it is a stealth encrypting program that affects *.coms
and runtime. The runtime has not been noticeable yet.

Does anyone know how to get rid of this thing?

Thanks
Derek

------------------------------

Date:    Fri, 04 Mar 94 13:30:27 -0500
From:    tkoyt@theseas.ntua.gr (Tasos)
Subject: New (windows !!!) virus ??? (PC)

I was working in Word the other day, writing some very serious stuff,
when all of a sudden when I tried to save, my screen got black and it
seemed to be scrolling up, making the mouse hourglass look like
bubbles.!.! :((((

After that, I got all alerted, got the brand new scan (version 112) and
scanned all my local and network files (we use Novell).... In vain
though! Scan reported no virus, and it seemed like everything was OK..
But it wasn't. The day after, when trying to open the File Manager, my
screen blanked again :( Then, I was sure that something was wrong.

I'm posting this to the world, and begging for help. Does anybody know
about this new f* virus. It's the first one I know that messes up
Windows screens, so I guess it should be kind of new.

Please take some time and answer. I would be grateful !!!

tkoyt@theseas.ntua.gr   AKA: Tasos Koutoumanos
35, Kekropos str, 176-73 Athens, GREECE

------------------------------

Date:    Fri, 04 Mar 94 13:32:24 -0500
From:    "W. Tilstra"
Subject: strange virus message (PC)

Hello!
Is there anybody who knows something about the following message
concerning a virus infection?

situation: PC-LAN (DEC microVAX, VMS 6.0, Pathworks for DOS 4.1-2)
virusscanner F-PROT 2.11

User1 wants to execute on her PC the file FLEX.EXE (Dataflex); this
file is on the server. She gets the following message:

   infected with SPMf0MBNB4PMP4bTJ6 virus.

When another user (user2) logs in on the same PC and tries to execute
this file, there's no problem. When both users log in on ANOTHER PC,
there's also no problem. After some time the problem suddenly has
disappeared: after about 12.00 h user1 can start FLEX.EXE on her PC
without any problem.

Does someone know about this?

Wiebe Tilstra.

-------------------------------------------------------------------------
Wiebe Tilstra,                                   | tel. 058-934344
Steunpunt Informatisering Algemene Faculteit,    |      058-934326
Rengerslaan 10,                                  |
NL 8917 DD Leeuwarden.                           | fax  058-934335
-------------------------------------------------------------------------

------------------------------

Date:    Fri, 04 Mar 94 13:33:33 -0500
From:    Brian Seborg
Subject: Monkey, an easier way (PC)

I haven't bothered to post a solution to this virus before because I
figured that a decent solution would have been posted by now, but to my
surprise, it still seems that most solutions proposed are relatively
difficult to pull off. Here is another solution.

Monkey is an MBR virus that encrypts the partition table. Consequently,
if Monkey runs, it will have to decrypt the MBR to allow use of the
disk (otherwise the system would just hang). What this means is that if
you get infected with the Monkey, all you have to do is boot from the
infected disk (Monkey goes resident and decrypts the partition table)
and then use Norton or some other disk-editor to copy the partition
table (logical sector 0) to a file.
Since your disk-editor is likely to use the same interrupt that Monkey
has hooked, you will get a decrypted copy of the partition table
(unfortunately, you will also get the infected MBR too, but we'll fix
this next). Make sure you save this file to a diskette. Next, turn off
the infected machine and re-boot it from a clean DOS disk with the same
version of the operating system as the one on the infected machine
(only a clean version :-)). Copy the file you created in the previous
step back to sector 0. Next, run FDISK/MBR (this will overwrite the
Monkey part of sector 0 leaving the partition table intact). That
should do it. Of course, the usual disclaimer applies, but if you know
what you are doing, you will find this method preferable to other
methods previously mentioned.

Brian Seborg
VDS Advanced Research Group

------------------------------

Date:    Fri, 04 Mar 94 13:34:21 -0500
From:    "Gretchen King Ryan, Development"
Subject: FORM problems (PC)

I am a new internet user and am still quite confused about getting
around. Briefly, we can't seem to get rid of Form in our office and
lately it appears to be getting more virulent. Is this possible? Vsafe
and Norton's don't always catch it. Lately, they can't repair it! We
have lost a heck of a lot of data on floppies. In my opinion this virus
should be taken quite seriously.

------------------------------

Date:    Mon, 07 Mar 94 03:29:34 -0500
From:    slbray@deakin.edu.au (Sharyn Bray)
Subject: DOS 6.X Anti-Virus (PC)

Hi to all reading comp.virus,

I was wondering whether anyone could offer an opinion, comment, thought
etc. regarding the effectiveness of the Anti-Virus for DOS (and A-V for
Windows) package now bundled with MS-DOS, version 6.x, compared to
other offerings (such as Scan, V-Prot, etc.)?

Thanks in advance.

Stuart Palmer (kindly via slbray, kindly via Deakin)

------------------------------

Date:    Mon, 07 Mar 94 06:39:51 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: M-day ? (PC)

I was just wondering if anybody, anywhere had encountered Michelangelo
yesterday - I don't know how many machines got hit yesterday, perhaps a
few thousand, but it might have been more if the 6th had not been a
Sunday.

-frisk

P.S. I will be away for the next couple of weeks, so the delay in
replying to any E-mail sent to me will be even longer than usual....I
apologize to the senders of the 1942 E-mail messages that are currently
waiting for a reply in my mailbox...

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date:    Fri, 25 Feb 94 09:46:44 -0500
From:    Henrik Stroem
Subject: "Chip Away Viruses" Evaluation (PC)

Testing and comparing "Chip Away Viruses" PCscan against F-PROT 2.11

This is a random test with 61 files containing virus code. The test
gives some pointers to whether Chip Away Viruses is performing well
compared to, e.g., the F-PROT anti-virus program - Shareware version
2.11.

7 "old" file infector samples missed by ChipAway's scanner
(Old is here defined as samples detected by F-PROT 2.04d Aug-92.)

   Whale                                    X:\FILE\WHALE.COM
   Whale (?)                                X:\FILE\12855.COM
   MtE                                      X:\FILE\GROOVE.EXE
   MtE                                      X:\FILE\COFFSHP2.EXE
   Seventh_son.284 - Generation 1           X:\FILE\7SON4.COM
   Starship                                 X:\STARSHIP\COM\STARSHIP.COM
   Starship                                 X:\STARSHIP\EXE\DEBUG.EXE

12 "new" file infector samples missed by ChipAway's scanner
(New is here defined as samples not detected by F-PROT 2.04d Aug-92.)

   New or modified variant of DIR-II        X:\FILE\DIR-2.COM
   Leprosy.Seneca.493                       X:\FILE\SENECA2.COM
   Trident.90210 - Generation 1             X:\TRIDENT\90210.COM
   New or modified variant of Coffeeshop or TPE
                                            X:\TRIDENT\BOSNIA.COM
   Cluster (?)                              X:\TRIDENT\CLUSTER.COM
   Possibly a new variant of Coffeeshop     X:\TRIDENT\CRUNCHR1.COM
   New or modified variant of Coffeeshop    X:\TRIDENT\CRUNCHR2.COM
   Dos1                                     X:\TRIDENT\DOS1.COM
   Flue (?)                                 X:\TRIDENT\FLUE.COM
   Cybertech.501 - Generation 1             X:\TRIDENT\ICECREAM.COM
   Trident.611 - Generation 1               X:\TRIDENT\RIZWI.COM
   New or modified variant of Trident       X:\TRIDENT\SERVANT.COM

2 object files containing the MtE, also missed by ChipAwayViruses'
scanner

   MtE (?)                                  X:\MTE\MTE.OBJ.OBJ
   MtE (?)                                  X:\MTE\DEMOVIR.OBJ

8 Boot infector images missed by ChipAwayViruses' scanner

   Stoned.Empire.Monkey.A image file        X:\MONKEY\MONKEY.BOO
   Stoned.NoInt.A image file                X:\NOINT\NOINT.BOO
   Brain.Standard.1986 image file           X:\BRAIN\BRAIN.BOO
   Ping-Pong.Standard.A image file          X:\PINGPONG\PINGPONG.BOO
   Exebug.A image file                      X:\EXEBUG\EXEBUG_A.BOO
   Exebug.B image file                      X:\EXEBUG\EXEBUG_B.BOO
   Exebug.C image file                      X:\EXEBUG\EXEBUG_C.BOO
   V-Sign image file                        X:\V-SIGN\V-SIGN.BOO

32 file infectors found by both products, but ChipAway seems to be
using their own naming scheme. Notice that F-PROT's naming scheme is
very close to the CARO standard, with extra information where needed.

   PCscan V2.65 (5-14-93)    F-PROT 2.11 Shareware (2-7-94)
   YANKEE                    Yankee_Doodle.TP.44.A
   VENGEANCE                 Vienna.Vengeance - Generation 1
   V2P6                      V2Px.V2P2/V2P6
   V2P2                      V2Px.1260
   2144                      Hymn.2144
   TYPO                      Fumble.867.A - Modified (255 extra bytes)
   TINY-2                    Danish_tiny.163.A - Generation 1
   TERROR-1                  Terror.Terror
   MARAUDER                  Marauder.860.B
   SVC_3                     SVC.4644
   SUNDAY-2                  Jerusalem.Czech.B
   JERU-A                    Jerusalem.1808.CT.Subzero
   AMBULANCE-1               Ambulance.D - Generation 1
   MUTATION                  MtE
   OTTO                      Otto.640
   ONTARIO                   Ontario
   HYMN                      Hymn.Hymn.A
   808                       Rythem.907
   MICRO-128                 Micro-128
   VIPER                     Leprosy.B
   KENNEDY                   Danish_tiny.Kennedy.A - Modified (298 extra bytes)
   FISH2                     Frodo.Fish_6.A
   DARK_AVG                  Dark_Avenger.1800.A - Modified (1 extra bytes)
   DARTH-1                   Darth_Vader.344.C - Generation 1
   DARK_AVG-1                Dark_Avenger.1800.A
   DARK_AVG-2                New or modified variant of Dark_Avenger
   CANNA615-1                Coffeeshop
   BETA                      Phalcon.Cloud
   ANTHRAX-1                 Anthrax - Modified (112 extra bytes)
   4096                      Frodo.Frodo.A
   808                       Rythem.1992
   1963                      Necropolis (?)

Conclusion:

The scanner that comes with ChipAwayViruses is not of the best.
It is using its own naming scheme, making it hard for "experts" to
assist in disinfection over phone or E-Mail. It also missed some very
old viruses that are detected by most good scanners. One could argue
that the May-1993 version is a bit old for testing, but it was the
newest I could get here in Norway. It was received by one of the
Norwegian distributors only a couple of weeks ago! The viruses missed
are older than the scanner.

In addition the ChipAwayScanner was slow, and not very easy to use. Its
ability to find new variants of old viruses seems to be non-existent.

ChipAway is mainly for boot virus protection, something it accomplishes
with hardware. I did not test this hardware solution. My own program
(hs-v358.zip) detects and removes all boot viruses as of today, so a
hardware solution like ChipAway's should not be necessary.

Henrik Stroem
Stroem System Soft
(02/24/94)

------------------------------

Date:    Sat, 26 Feb 94 17:54:43 -0500
From:    aryeh@mcafee.com (McAfee Associates)
Subject: McAfee VIRUSCAN V112 uploaded to the SimTel Software Repository (PC)

I have uploaded to the SimTel Software Repository (available by
anonymous ftp from the primary mirror site OAK.Oakland.Edu and its
mirrors):

pub/msdos/virus/
clean112.zip    CLEAN-UP 9.23V112, remove viruses from PC/LAN
scanv112.zip    VIRUSCAN 9.23V112, scans PC & LAN for viruses
vshld112.zip    VSHIELD 5.56V112, virus prevention TSR
wscan112.zip    SCAN for Windows V112, Win3.x version of SCAN

WHAT'S NEW

Version 112 of the VIRUSCAN series adds detection of 63 new viruses and
81 variants, bringing the total number of known viruses to 1,877, or
counting variants, 2,819 viruses.

All of McAfee Associates' programs are archived with Version 2.04g of
PKWare's PKZIP Authentic File Verification. When unzipped with Version
2.04g of PKWare's PKUNZIP program, an "-AV" will be displayed after
each file is unzipped and our serial number:

   Authentic files Verified!   # FZW807   McAFEE ASSOCIATES

will appear once all files are unzipped.
VALIDATE VALUES:

NAME OF PROGRAM:                     SIZE:    DATE:    CHECK METHOD:
CLEAN-UP 9.23V112 (CLEAN.EXE)        196,896  2-18-94  M1: D649  M2: 06B4
VIRUSCAN 9.23V112 (SCAN.EXE)         164,314  2-18-94  M1: 7AF3  M2: 1264
VSHIELD 5.55V112 (VSHIELD.EXE)        52,749  2-17-94  M1: EA1D  M2: 1A84
SCAN for WINDOWS 112 (WINSTALL.EXE)   19,606  2-18-94  M1: 974A  M2: 1FF2
SCAN for WINDOWS 112 (WSCAN112.EXE)   76,868  2-18-94  M1: C5D0  M2: 0B3C

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
2710 Walsh Ave, Suite 200 | FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California   | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | America Online: McAfee

------------------------------

Date:    Sat, 05 Mar 94 13:52:22 -0500
From:    hstroem@ed.unit.no (Henrik Stroem)
Subject: hs-v358.zip - HS v3.58: Boot virus detection and repair pgm (PC)

I have uploaded to the SimTel Software Repository (available by
anonymous ftp from the primary mirror site OAK.Oakland.Edu and its
mirrors):

pub/msdos/virus/
hs-v358.zip     HS v3.58: Boot virus detection and repair pgm

HS v3.58 is a small program written to protect against boot viruses.
It checks for changes in the boot sectors of your hard disk. It will
find almost any boot virus, notify you of the virus, and cold boot your
machine after removing the virus. A copy of the infected boot sector is
stored for later examination.

I wrote the program because I couldn't find the virus protection setup
I wanted. My program executes in less than a second, and generates no
output to the screen, as long as no virus is detected.

Major enhancements in this update are:

- Support for the PCI-BUS, on which the hard disk interface is
  sometimes implemented in strange ways.
- The anti-hardware stealth has been improved. It now works on even
  weirder machines.
- Support for Novell DOS 7.0 which was recently released.
Henrik Stroem
Stroem System Soft
hstroem@ed.unit.no

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 17]
*****************************************
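Brian Seborg's "Monkey, an easier way" post above (copy the decrypted sector 0 while the virus is resident, boot clean, write it back, then FDISK /MBR) only works if the partition table in the saved copy is actually intact; the following added example, written for this digest and not code from Seborg or any other poster, shows the sanity check a cautious user would run on such a dump before writing it back. The sample sector, the disk size and the XOR scramble are constructed stand-ins (the scramble is not Monkey's real encryption), and the partition-entry layout it parses is the standard DOS MBR layout.

```python
"""Sanity-check an MBR dump (logical sector 0) before writing it back.

Added example; hypothetical helper code, not from any VIRUS-L poster.
The sample sectors are constructed, and the XOR scramble is only a
stand-in for a virus that encrypts the partition table, not Monkey's
real scheme.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # the four 16-byte partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of any valid MBR


def parse_partition_table(sector: bytes) -> list:
    """Return the four partition entries as dicts (status, type, lba, count)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR dump must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status, 3 CHS bytes skipped, type, 3 CHS bytes skipped, LBA start, length
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return entries


def table_problems(sector: bytes, disk_sectors: int) -> list:
    """Reasons the partition table looks scrambled; an empty list means plausible.

    A copy taken while the virus was resident (and so decrypting) should pass;
    a copy read after a clean boot, with the table still encrypted, should not.
    """
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 55AA boot signature")
    entries = parse_partition_table(sector)
    if all(e["type"] == 0 for e in entries):
        problems.append("no partitions defined")
    for n, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            problems.append(f"entry {n}: status {e['status']:#04x} is neither 0x00 nor 0x80")
        if e["type"] == 0:
            continue                      # unused slot
        if e["lba"] == 0 or e["count"] == 0:
            problems.append(f"entry {n}: zero start sector or length")
        elif e["lba"] + e["count"] > disk_sectors:
            problems.append(f"entry {n}: extends past the end of the disk")
    if sum(1 for e in entries if e["status"] == 0x80) > 1:
        problems.append("more than one partition flagged active")
    return problems


def splice_partition_table(code_source: bytes, table_source: bytes) -> bytes:
    """Fresh boot code from one sector, recovered partition table from another.

    This is the end state the post describes: the recovered table stays in
    place while FDISK /MBR replaces the virus's code in the first 446 bytes.
    """
    return code_source[:TABLE_OFFSET] + table_source[TABLE_OFFSET:SECTOR_SIZE]


def make_sample_mbr() -> bytes:
    """Constructed clean MBR: dummy boot code and one active FAT16 partition."""
    code = b"\xfa\x33\xc0" + b"\x90" * (TABLE_OFFSET - 3)      # cli; xor ax,ax; nop...
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 204736)   # starts after track 0
    return code + entry + b"\x00" * (ENTRY_SIZE * 3) + BOOT_SIGNATURE


def scramble_table(sector: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for a table-encrypting boot virus (constructed, not Monkey's cipher)."""
    table = bytes(b ^ key for b in sector[TABLE_OFFSET:510])
    return sector[:TABLE_OFFSET] + table + sector[510:]


if __name__ == "__main__":
    disk = 204800                          # constructed: 100 MB disk in 512-byte sectors
    clean = make_sample_mbr()
    infected_view = scramble_table(clean)  # what a clean boot would read off the disk
    for label, sec in (("decrypted copy", clean), ("encrypted table", infected_view)):
        verdict = table_problems(sec, disk) or ["looks plausible, safe to write back"]
        print(f"{label}: {'; '.join(verdict)}")
```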