VIRUS-L Digest   Friday, 29 Apr 1994   Volume 7 : Issue 29

Today's Topics:

  Survey Respondent Request
  Good Viruses vs. Bad Viruses
  Why are boot sector viruses so successful? (paper?)
  Re: Number of viruses on non-PC machines
  The Lone Ranger
  Re: VIRUS-L Digest V7 #21... Various Topics
  Fractal Virus Detection
  History of The Comp. Viruses
  Re: A few truths
  Virus in OS/2 and Unix (OS/2) (UNIX)
  RS/6000 Viruses and Software for Detection/Removal (UNIX)
  NT susceptible to viruses? (NT)
  Re: NT viruses? (NT)
  Does anyone know anything (history) about RMIT??????????? (PC)
  Re: Dangerous bug in CLEAN (PC)
  Anti-Tel Virus. Need Help getting rid of it. (PC)
  Killer for Preditor ][? (pc)
  How to clean floppy ? (PC)
  Re: Clean 111 & Mich. (PC)
  antivirus programs for windows environment (PC)
  Virus warning (PC)
  Virus found on CD. (PC)
  F-PROT 2.10c and Tremor (PC)
  Re: Avoiding floppy boot (was: FORM problems) (PC)
  "Sticky" Virus - File damage??? (PC)
  Is this a virus? Please help... (PC)
  Re: top 10 anti virus s/w? (PC)
  chklist.ms? (PC)
  Re: Form.A (PC)
  BACLAB virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 11 Apr 94 21:59:22 -0400
From: omicron@genie.geis.com
Subject: Survey Respondent Request

Hello all,

I know people are busy and I would like to request members of this mail
forum to respond to the virus survey published in Digest V7, #18. It
appears the forum has much experience and knowledge on viruses and
related problems. Your assistance in my research project is greatly
appreciated.

To quote larmbru@eis.calstate.edu (Digest V7, #15): "* Every expert was
once a beginner *".

Hoping to hear from forum members. Thank you very much.

Sincerely,
Conrad Capasso
student at University of Wisconsin - Stout
Omicron@genie.geis.com

------------------------------

Date: Tue, 12 Apr 94 12:20:10 -0400
From: olpopeye@aol.com
Subject: Good Viruses vs. Bad Viruses

Apparently, my humble attempt to simplify the on-going discussion(s) re:
Good Viruses vs. Bad Viruses (your characterization, not mine) has gone
astray. Instead of simplifying our mutual concepts, apparently all I've
done is stir an anthill with a large stick. I offer my apologies for
causing so much bandwidth to be occupied with defining a problem that I
**STILL** insist is one of **INTENT.** (See Vol 7 #24):

WHMurray@DOCKMASTER.NCSC.MIL asserts:

>In fact, since the virus writer has so little control, his intent is
>irrelevant.

So little control?!?!?!?! You mean, these mental twerps are being forced
to write viruses at gunpoint?!?!?!? Poor fellows!! Or might this be a
further attempt to excuse people (??) from their own personal
responsibility for their own actions or their own negligence? Let's get
down to brass tacks: If you hit yer thumb with a hammer, don't blame the
hammer! It's YOUR fault, not the hammer's.

He goes on with:

>The virus writer. . .cannot predict how it will behave...

Baloney! If not, then surely he should be locked in a rubber room.
If computer code A causes behavior B in computer system C, then there is
a markedly high probability that it will cause similar behaviors in
Systems D thru Z, et al, assuming their operating systems are of the same
genre, the systems are XXX-Compatible, etc. Ergo, Quod Erat
Demonstrandum: A virus writer, by his simple act of writing a virus (that
is, any program, macro, code, or other computer instruction NOT intended
to be used for any socially accepted purpose -- and which will damage
others' systems or their data or cause inconvenience to them, etc. -- is
NOT socially acceptable) must be **CERTAIN** that if it causes anomalous
behavior in HIS system, then it will cause similar behavior in others'
systems! The sun rose in the East today as it did yesterday and there's a
very high probability that it will do so tomorrow. This is pure cause and
effect, **NOT** the fallacious "post hoc ergo propter hoc" (il)logic
argument.

Further, if the behavior caused is NOT what another would appreciate some
other clod causing to occur in HIS computer system, then the virus writer
has a MORAL and ETHICAL obligation to either (a) NOT write the virus code
in the first place, or (b) DESTROY it immediately, BEFORE it is
accidentally loosed into a population!! (The mind boggles -- I can just
hear some scientist at the Center for Disease Control wailing as humanity
dies by the billions, "But I didn't MEAN for this nerve gas to be loosed
among the population!!" And that's not so far fetched as we might wish.)

If this programming paragon were writing GOOD (useful, contributes to
humanity's progress, assists businesses or educational concerns to become
more efficient, empathetic, socially responsible) code, then he'd call it
application software, wouldn't he?? (And this is what I meant in my
original message about cutting through the fog to the CENTRAL QUESTION:
**WHAT DOES THE CODE WRITER INTEND?**)

Phil@mash.colorado.edu posits a case where an interloper might:

>(1)- burn down my house, 2-eat some of my food, 3-nap on my couch,
>4-dust my furniture, or, 5-leave me a fortune?

Phil, I asked a legal beagle and he sez: Trespass is trespass, regardless
of the actions of the trespasser. The viewpoint changes when **CRIMINAL**
trespass is involved, that is, did the interloper come onto or into your
property with the **INTENT** (emphasis mine) of committing a mischievous
or criminal act? Putting out a fire hardly constitutes ill intent, unless
the fire is in one's fireplace or barbecue. Leaving a fortune? Never heard
of such a case. Arson? Yep; also the petty larceny of consuming food and
booze while breaking & entering. But Walt, it all hinges on **INTENT**
(emphasis mine again).

Wolf@jove.acs.unt.edu avers:

>If it is useful, then I cannot see a logical argument to establish that
>the virus is evil. Just the fact that a program modifies code...

Exactly. If it is USEFUL (like WordPerfect, Lotus 1-2-3, etc.), then we
call it Application Software and actively seek it out, pay ridiculous
prices for a weasel-worded "license" to use it, and snarl & curse the
bugs we then find in it while we're USING it to accomplish some useful,
socially acceptable purpose. We don't INTENTionally use the application
software to ruin someone's data/computer system/blood pressure. (Oh, we
might ruin a business competitor, but we do that in a legal, moral, and
ethical (read: socially acceptable) manner, don't we? We don't sneak in
the night and burn down his place of business, do we?
Then similarly, we shouldn't write virus code to accomplish the same ends
in a less dramatic fashion (no sirens, flashing lights, and cops to haul
us off to jail...))

HOWEVER -- And this is a BIG however -- Would you actively seek out and
purchase software (i.e., code) that would fill your hard disk with
garbage, trash your data, rearrange your FAT, or lock up your computer so
it's unusable? Hardly. Unless YOUR mental processes need refining!!

The finest champagne can be ruined by a spoiled brat peeing into the
glass. This has GOT to be the moral and ethical equivalent of a virus
writer INTENTionally writing and setting loose code that does naught but
scratch the writer's itch(es) to show how destructive he can be...

Loss of control? Baloney. Good Viruses? Baloney. Ethical virus writers?
Baloney. Morally adult virus writers? Baloney. Just a bunch of spoiled
brats aiming at your -- and my -- champagne glass filled with Roederer
Cristal...

Anyway, I guess I've said all I can say on the subject. I doubt I've
changed anyone's opinion. But let me cease wasting bandwidth (and the
valuable time) of the Forum with this thought:

Many years ago, a businessman's company was on the verge of failing. His
salesmen were making promises that HE couldn't deliver on, and problems
were piling up. He devised a code of ethics for his company embodied in
four simple rules. This Four-Way Test turned his company around, and his
heirs today still reap the fortune he built. The Four-Way Test reads:

  1. Is it the TRUTH?
  2. Is it FAIR to all concerned?
  3. Will it build GOOD WILL and BETTER FRIENDSHIPS?
  4. Will it be BENEFICIAL to all concerned?

If we all, as professionals in the computer industry, would inculcate this
simple Four-Way Test into our business or even into our personal lives,
think of how much higher we could hold our heads... And how our fortunes
would multiply!

Walter E. Murdock                 OlPopeye@AOL.COM
Murdock Associates, Palo Alto     75270.37@Compuserve.Com
"I sign the payroll, so my opinions count.
HERE, anyway!"

------------------------------

Date: Wed, 13 Apr 94 01:29:53 -0400
From: btf57346@uxa.cso.uiuc.edu (Byron Faber)
Subject: Why are boot sector viruses so successful? (paper?)

I'm curious if somebody could point me to an answer to that question.
Simply, why are boot sector viruses SO effective? I've heard/seen that
Stoned is responsible for the most damage done to computers (formatting
drives?) Maybe I'm reading wrong. But I seem to see a lot of people get
Stoned or Mich. Just recently I had to help three friends rid themselves
of Michelangelo.

Yet it would seem to me that the strategy used in boot sector viruses is
a bad one. Has anybody written a paper on the tactics used by viruses? I
would assume fast/efficient ones would be better. Of course, maybe that
helps them get caught sooner. Can anybody help me ponder the question?

Just interested,
Byron Faber
- --
`Playing this disk at loud volume may permanently damage your speakers or
other sound components.' -LFO
b-faber@uiuc.edu

------------------------------

Date: 14 Apr 94 01:44:57 +0000
From: hime@ponder.csci.unt.edu (Andrew Hime)
Subject: Re: Number of viruses on non-PC machines

wrote:

>HP-48: 5

This number strikes me as quite amusing. I find that to be a bit
improbable.

>UNIX: 3

This I know is confirmed by many different sources.

>Commodore 64: 2

This I don't believe, having used a Commodore for most of my computing
career. (Though I'm trying to black it out now.)

------------------------------

Date: Thu, 14 Apr 94 05:57:22 -0400
From: davol@meiko.co.uk (David Wilson)
Subject: The Lone Ranger

I'm a stranger to this newsgroup - just passing through. I note there's a
persistent thread on 'Good' vs 'Bad' viruses. Allow me to introduce (not
literally, you understand - simply hypothetically) a 'good' virus - The
Lone Ranger.

The Lone Ranger - like his celebrated original - roams the computer
prairie seeking out the bad guys and shooting them.
If he was written cleverly enough he could put all these anti-virus
vendors (the sheriffs) out of business. Imagine you're plagued with
really evil polymorphs. Suddenly, "BANG, BANG, BANG" - a message appears:
"Hiiiyyooooo Silverrrrr !" and peace returns to town. And then someone
always says: "Hey, who *was* that guy?" and some old-timer replies: "That
was the Lone Ranger".

Just a thought - Dave Wilson.

[Moderator's note: The topic of anti-virus viruses comes up from time to
time here, though not usually quite so colorfully (admittedly); I urge
anyone that wants to respond to this message to peruse the archives
first.]

------------------------------

Date: Mon, 11 Apr 94 13:32:24 -0400
From: hstroem@ed.unit.no (Henrik Stroem)
Subject: Re: VIRUS-L Digest V7 #21... Various Topics

PHIL@mash.colorado.edu writes:

>> computer viruses. If they have any scientific value at all, they
>> should be studied by scientists with the proper knowledge and
>> equipment, not by teenage "wannabe" programmers.
>
>Is a person in his or her teen years, therefore, not to be taken seriously
>as a programmer? Just a question.

Teenage programmers should of course be taken seriously if they
themselves are serious. Read 40-Hex and you can find some perfect
examples of the "wannabe" programmers I was talking about. Actually
programmers in their teen years seem to be some of the most creative.
That is great, as long as they apply this creativity with some sense.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Fri, 15 Apr 94 10:05:59 -0400
From: adamsb@un.org
Subject: Fractal Virus Detection

Tom Zmudzinski asks:

> Is there something "virus-ish" in an infected file that is
> detectable regardless of the particular virus involved?

Probably not. Identification of a particular fractal form as part of a
group of self-similar forms depends upon which part of the mathematical
set it belongs to that you look at.
If you look at the wrong part of the set, or at the wrong set, there is
nothing that looks like the particular form and there will often be
numerous forms there that are totally different from it. Assuming that
there were something "virus-ish" about a virus that could be detected as
a fractal form, that form would have to be part of a set of self-similar
forms. If it were a new virus that was significantly different than other
existing viruses, it probably would not be possible to identify it.

For example, if you used a fractal form that identified broccoli and then
tried to identify a mutant broccoli plant that resembled a fern, you would
never identify the mutant plant. The fractal form that would identify the
mutant plant would lie in a different part of the mathematical set. As
another example, a wolf in sheep's clothing would be identified as a
sheep. A mutant virus that resembled a normal piece of code would be
identified as a normal piece of code.

This already begins to sound like a discussion about whether viruses can
be reliably detected by signature (and whether or not the term signature
should be used; my apologies to those who believe it should not be used).
The generalized signature of self-similar viruses in this case would be a
fractal form, but anything that didn't fit the generalized signature would
be undetectable. So, there would have to be a collection of fractal forms
that were used to check for known viruses. It all sounds very familiar.

Bernard Adams, Fractal Dreamer

------------------------------

Date: Fri, 15 Apr 94 10:05:39 -0400
From: ELUARCA@vmredipn.ipn.mx
Subject: History of The Comp. Viruses

Hi all,

This is Ernesto Luarca (Mexico) with one question: Can somebody help me
with the history of viruses? When, where and how did the first computer
viruses appear? (It's for a school assignment.)

Please answer me!!!
Be prepared to Serve
Ernesto Luarca

"Leave this World better do you encounter..."
  - Lord Baden-Powell, Founder of the Scout Movement

------------------------------

Date: Fri, 15 Apr 94 10:08:22 -0400
From: ramontur@ecst.csuchico.edu (Ramon Turner)
Subject: Re: A few truths

Robert Knippen wrote:

>What I find most annoying about this whole topic is the fact that many
>of the people who think it's cool to write viruses do not think it's
>cool for the government to interfere in their lives. Why is it cool
>to mess with other people's stuff?

Wrong. You take for granted that those who write viruses are going to
release them into the public domain. I've never written one before, but I
DO plan to do so soon, just for the challenge. No, I don't want the
government screwing around with me, either. But the two have absolutely
NOTHING to do with each other. I'm planning on writing the virus as an
intellectual challenge, and having it do something COMPLETELY harmless
(like turn your screen white on purple instead of white on black), but
beyond that, it stays on my computer, and it's not going ANYWHERE. I plan
to archive it and keep it as something to laugh at later on, but give me
the benefit of the doubt, ok? Just because I'm writing a virus doesn't
mean that I'm trying to "mess around with other people's stuff."

- --
Ramon Turner (ramontur@ecst.csuchico.edu)

------------------------------

Date: Mon, 11 Apr 94 20:37:00 -0400
From: byng@solomon.technet.sg (Ng Bee Yong)
Subject: Virus in OS/2 and Unix (OS/2) (UNIX)

Has anyone come across any virus that attacks specifically OS/2 or Unix
operating systems? Any info is appreciated.
------------------------------

Date: Fri, 15 Apr 94 10:05:50 -0400
From: leo_hauguel@maillink.cmic.com
Subject: RS/6000 Viruses and Software for Detection/Removal (UNIX)

I don't know which discussion group to ask for information about the
RS/6000, so I will try the two major expert discussion groups.

I am interested in getting information about any VIRUSES that attack the
RS/6000 AIX System. I am aware of Mac Viruses, IBM Compatible Viruses,
and some of the new viruses for OS/2, but is there any concern about AIX?
If there is a problem, WHAT products are available and HOW do I contact
the vendor? What products are actually in use? What are the products'
inherent problems? What is recommended? Are there any comparison
statistics?

I would appreciate any help you can give on this subject matter. Thank
you in advance for your time and consideration.

Leo J. Hauguel
Systems Security Specialist
CMIC - CE2-446
1352 Wm. Howard Taft Rd.
Cincinnati, OH 45206-1775
PH#: (513) 872-8376
FAX#: (513) 872-8798
INTERNET MAIL: leo_hauguel@maillink.cmic.com

------------------------------

Date: Fri, 15 Apr 94 10:01:15 -0400
From: radatti@cyber.com (Pete Radatti)
Subject: NT susceptible to viruses? (NT)

Microsoft claims that NT is immune from viruses. (big grin) My reply was
to write a two line *.bat virus and hand it to them. They agreed that
this virus would infect the NT in native mode however they did not change
their claim.

NT can also execute MS-DOS and Windows based software products and
includes the DOS filesystem in addition to the NTFS filesystem. It can be
infected by any DOS or Windows file infector.
I have not yet tested the other types, however boot viruses should work
or at least write themselves onto the disk where they think the boot
block will be (the same as Unix). I think that NT is still too expensive
(read that rare) to be bothered much by viruses, yet. Its day shall also
come. ;-> (knowing smirk)

Pete Radatti
radatti@cyber.com

------------------------------

Date: Fri, 15 Apr 94 10:10:15 -0400
From: "Steve Bonds (007"
Subject: Re: NT viruses? (NT)

Craig Williamson wrote:

>Have there been any NT viruses yet? As we consider moving to NT or
>Chicago as our OS, I wonder about DOS viruses causing problems and how
>we can find and fix them in that environment. Since DOS is not going
>to be in Chicago or Daytona (the next release of NT) how much of a
>problem could it be?

A DOS virus will run under any operating system that provides a degree of
DOS compatibility. The more compatible (and the more like "real" DOS) the
operating system is, the more viruses and other DOS programs will be able
to run under it. Since Windows NT provides rather pitiful DOS
compatibility, running NT will protect you from most DOS viruses and also
most other DOS programs.

However, DOS-based boot sector (DBR) viruses very often do not check to
see that the partitions on the hard disk are DOS partitions, and will
attempt to infect your NT partition as though it were DOS. Usually this
corrupts the boot sector and unless NT has some way of recovering the
original, you might be in serious trouble...

Most MBR infectors should not corrupt the MBR/Partition table, though
they probably will not be able to spread under NT and could create
compatibility difficulties resulting in lots of system lockups. I can't
recall if NT includes something like OS/2's Boot Manager, but if it does
an MBR infector could cause problems with its functioning properly.
A few MBR infectors also make the assumption that the disk only contains
DOS partitions and may inadvertently corrupt data by copying the MBR over
an area of the hard disk that is unused in DOS, but in use by your
operating system.

The solution: set your BIOS to ONLY boot from the hard disk and DOS
viruses should give you little trouble.

  -- Steve Bonds
- --
sbonds@jarthur.claremont.edu and Steve_Bonds@hmc.edu
Childhood is short... but immaturity is forever. [Calvin & Hobbes]

------------------------------

Date: Mon, 11 Apr 94 23:37:25 -0400
From: eyewell@sdcc13.ucsd.edu (Erik Yewell)
Subject: Does anyone know anything (history) about RMIT??????????? (PC)

Just finished getting rid of this virus about 2 hours ago; good thing I
have a tape drive. Do you have any history on it (did it start at MIT???
(RM.I.T. ??)) Plz reply over e-mail.

Thanks
- --
Erik Yewell                tiger@ucsd.edu
U.C. Sun Diego             La Jolla, California
...Straight ahead, one cannot go very far...

------------------------------

Date: Tue, 12 Apr 94 09:27:54 -0400
From: "R. Wallace Hale"
Subject: Re: Dangerous bug in CLEAN (PC)

Vesselin Bontchev wrote:

>As it turns out, this is sometimes not an alternative, and CLEAN has
>made the choice for you. In those cases, when it tells the user that
>it is unable to remove the virus and asks whether to delete the file,
>this is a rhetorical question - because the file is *already*
>destroyed.

Never did recommend file cleaning, but wasn't aware of that "fringe
benefit" until I ran some tests last night.

>Here is how to reproduce the bug. Take an executable file you don't
>care about if it is destroyed, and use a hex editor to change its
>last ten bytes to 03 F3 A5 26 C6 06 FE 03 CB 58.

Set up an assortment of .COM and .EXE files, either changing the last ten
bytes or adding those ten to the end of the file, and tried CLEAN, with
varied results.
>Now, start CLEAN, and tell it to disinfect the "[Jeru-A]" virus from
>the file. It will display several messages that it is trying to remove
>the virus. At the end it will notice that it can't do it (quite
>naturally, since there is no virus in the file), and will suppose that
>this is a new variant and will propose you to delete it. Reject the
>proposal and tell it NOT to delete it.

In some cases, CLEAN did NOT give that option. Rather, it reported a
single infection and that it HAD successfully cleaned the file..... and
it had -- with the expected results! Interesting part is that the 10
bytes were still present in the "cleaned" file....

>At this point, CLEAN has been unable to remove the virus, and you have
>told it not to damage the file. It is natural to assume that the file
>has remained in its original (although "infected") state. Nope! Look
>at it, it has been severely truncated! On the top of that, CLEAN says

Not all were. Some small files remained undamaged, in their "infected"
form.

>that the virus is removed (or even something more weird - that 9
>viruses are removed).

Or 5 or 7 or whatever... :)

>The bug is verified to exist in CLEAN versions 112 and 113 and
>probably exists in many of the previous versions. A copy of this

Only tried 113, so can't comment.

>don't use disinfectors at all - just delete the infected files and
>restore them from a clean backup instead.

A hearty "Amen!" to that!

R. Wallace Hale          "Thinking is the hardest work there is,
halew@nbnet.nb.ca        which is the probable reason why so few
BBS (506) 325-9002       engage in it." - Henry Ford

------------------------------

Date: Tue, 12 Apr 94 09:33:40 -0400
From: glenn.davidson@acadiau.ca (Glenn E. Davidson)
Subject: Anti-Tel Virus. Need Help getting rid of it. (PC)

Is there any Anti Virus Software that can detect and remove this virus
correctly?
McAfee can detect and remove it but the format of the disk is permanently
altered so that it is no longer bootable (Hard Drives) or unrecognized as
being formatted in the case of floppies. Does MS-DOS VSAFE correctly
detect and remove it? From what I can tell it may detect it but can not
remove it.

- ---------------------------------------------------------------------------
Glenn Davidson, Consultant/Programmer | Acadia University Computer Centre
Wolfville, N.S.                       | E-Mail: GLENN@ADMIN.ACADIAU.CA
- ---------------------------------------------------------------------------

------------------------------

Date: Tue, 12 Apr 94 14:25:46 -0400
From: str8jkt@cyberspace.com (Glenn M. Brockett)
Subject: Killer for Preditor ][? (pc)

Is there a killer for the Pred][ virus? It is a stealth virus, attacks
com/exe files, and can effectively hide in the boot block (it shows a
clean boot block when you try to view it). All I could do to kill it
before was to LLF the hard drive. E-mail would be appreciated, but I will
check the newsgroup.

------------------------------

Date: Wed, 13 Apr 94 07:58:14 -0400
From: W Geake
Subject: How to clean floppy ? (PC)

Does formatting a floppy guarantee freedom from viruses, or can some
survive this?

Bill.

------------------------------

Date: Wed, 13 Apr 94 12:17:58 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Re: Clean 111 & Mich. (PC)

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>
>There is no such virus which cannot be disabled correctly in memory.
>There are only anti-virus programs which are unable to do that. The
>better ones can do it, but it requires a lot of care and effort and we
>see fewer such programs lately.

Agree.

>> With the almost unlimited numbers
>> of PC configurations in use, it is impossible to test for compatibility
>> with each operating environment.

>Sorry, but the above doesn't make any sense.
>In order to deactivate
>the virus in memory, the anti-virus program must be able to detect it
>there, to identify it, to patch the relevant part of it, and to
>check that the patch has been successful. This has nothing to do with
>the "unlimited numbers of PC configurations in use" - it is more
>related to the "unlimited number of existing computer viruses". :-)

Actually much simpler than this - all an integrity manager type a-v needs
to know is what the environment is supposed to look like (true, this
means that the a-v must be given the chance to check a "clean" machine
but this is not difficult). True, some activation points are harder than
others but all the a-v needs is a clean path for its purposes.

For instance to deactivate most MBR & BSI infections (my specialty), it
is only necessary to know what the direct paths to the ROM BIOS are. Then
the entries to the virus can be re-vectored and no changes to the virus
code in memory are necessary. The same "tunnelling" methods used by
viruses can be equally effective against them. Few legitimate programs
revector the Int 13 location in the IO data space so that is one easy
check.

The big thing to keep in mind is that protection from "all known viruses"
is fairly straightforward. Protection from all *possible* viruses is
something else again and IMNSHO must start before DOS loads.

Warmly,
Padgett

include std_disclaimer.h

------------------------------

Date: Wed, 13 Apr 94 17:18:56
From: imer400@hyrax.iupui.edu (Martha Rapp)
Subject: antivirus programs for windows environment (PC)

I have been out of the antivirus area for awhile; is there a good
windows environment antivirus software available?

Thanks
Martha Rapp
IUPUI -IT
imer400@hyrax.iupui.edu

------------------------------

Date: Tue, 12 Apr 94 02:09:00 +0200
From: Rob_Vlaardingerbroek@f0.n3110.z9.virnet.bad.se (Rob Vlaardingerbroek)
Subject: Virus warning (PC)

Virus warning dated Sunday April 10 1994

Hello,

We received a file with the name RAUSER.ARJ.
The length of the original ARJ file is unknown as the uploader added some
text in the file. The file is downloaded from a BBS. In the original file
the following files can be found:

  RAUSER.COM   length  250 bytes
  RAUSER.DOC   length 2760 bytes
  FILE-ID.DIZ  length   66 bytes

What the program promises to do is added at the end of this text. What it
does is the following:

Starting RAUSER will make the program terminate and stay resident (TSR).
If you start an EXE file after RAUSER is TSR the virus makes a COM file,
with a length of 250 bytes. This COM file is hidden. On our test machine
the first letter of a filename was replaced by a capital (e.g.
pctools.exe becomes Pctools.com). It is a typical companion (spawning)
virus.

The virus can fill the screen with the following message: "Maaike I Love
You !" repeated all over the screen on a red background with flashing
green letters. DOS starts a COM file before an EXE file; the results we
saw were different, mostly we saw a blinking cursor and the system
stopped. Every now and then the text became visible, sometimes we saw a
lot of ASCII rubbish.

Use DIR /AH /S from the root to see possible COM files with the same name
as the EXE files. Delete the COM files; remember they are hidden so boot
from a clean DOS boot floppy before using ATTRIB.

One of our researchers made a little disinfector for this virus, called
K-MAAIKE.ZIP. Freq it at 2:281/552 or 9:3110/0. Or call the BBS at
+31703857867. We will try to spread the disinfector as fast as possible.
Please feel free to help us do that.

<----- Quoting the doc file in the package ----->

RAUSER v 1.0
============

Hello, Hackers! So you're screaming for a new method of getting the
USERS.BBS-File of a Remote Access BBS. We first had some boss-key, that
got solved, then we had the BiModem trick, was already easy to solve, and
worked only on Lame RA-Boards. This method is totally new, and works on
all BBS' with RA 2.xx and former versions.
The trick is that RA Already has a thing like that written in the
program, it just requires a very precise timing. A precognized code is
NOT'd and then at the time of upload sent, RA will recognize this and
spontaneously begins to send, but because your terminal is going to send,
it will not download anything so you'll need a trick to download the
USERS.BBS. That trick is exactly the trick RAUSER.COM does.

RAUSER.COM is a TSR that will hook onto INT 21h, it does not self-detect
the upload, so you have to press a key. I reserved ALT-F12 for this
program, if you don't like that, than contact me at 1-408-244-0813 and
send a msg to Edward Carnby.

So, I hear asking you, what do I have to do to get that file. Well it's
actually very simple, first you load the TSR, be sure no KF-21h Shell is
Loaded, when you load the TSR (a KF-21h shell is a shell that hooks on
Int 21h, 4bh, Like Pc-Tools, Norton Commander, DiskEdit, etc. etc), then
you contact a BBS, Upload a file called RAUSER.GIF, only the name is
important, not what's in it, but it should be a file bigger than the size
of the USERS.BBS on the BBS you wish to hack, let's say 100k. Then at the
moment the upload begins, press on ALT-F12, it MUST be within the first
128 bytes loaded, a good way to be sure of it, is to contact the BBS,
using a speed of 300 Bps. You'll see nothing happen, but in fact, the
USERS.BBS is currently being downloaded, and the RAUSER.GIF-File will
only contain Crap (the NOT'd USERS.BBS in reality, but the sysop doesn't
know that because it's absolute garbage to a normal human being).

Ok, now you have the USERS.BBS-file on your hard-disk (in the upload
directory), you can very easy prevent this way of hacking your BBS if
you're a SysOp, by making an area call RA_USER_X@F, and put a file called
RAUSER.GIF in that area, the TSR will not work, but luckily for us, most
SysOp don't know this trick...
Be sure no KF-21h Shell is loaded when the TSR is in memory, that can cause severe damage to the system, it is recommended that you, after doing this trick, load SMARTDRV.EXE, then WIN.COM (Windows) and from Windows you can go to DOS. Looking at the USERS.BBS you downloaded, sometimes, if the ES differs from the CS on upload, the USERS.BBS is not created, or contains total crap, in that case use a compatible terminal (like Telix 3.20 or 3.21).

<----- end RAUSER doc ----->

The file-id.diz:

HACK any RA-BBS (all RA-versions!) Totally new method! Backdoor!

As far as I know MAAIKE is a typical Dutch name for a girl, so it is possible the origin of this virus is The Netherlands. I am not sure of this.

Regards,

Rob Vlaardingerbroek.

- --- GEcho 1.01+
 * Origin: Virus Research Centre Holland LAB (9:3110/0)

------------------------------

Date: Mon, 11 Apr 94 20:24:00 +0200
From: Harry_De_Jong@f0.n462.z9.virnet.bad.se (Harry De Jong)
Subject: Virus found on CD. (PC)

One of my users found a virus on one of my CD-ROMs. It's CD 1 of Shareware Overload Trio. It's in dir 3 and is file sport21c.zip. The virus is the Civil War virus according to Dr. Solomon's. Take the file offline if you have the CD.

Greeting Harry.

- --- DB 1.58/020016
 * Origin: HDJ-BBS * Deest (+31-8870-13812) (9:318/121)

------------------------------

Date: Fri, 15 Apr 94 09:42:09 -0400
From: "Dr. Martin Erdelen"
Subject: F-PROT 2.10c and Tremor (PC)

Gesundheit! *)

Ol' Tremor seems to be back again :-( Not much of a surprise, but one of our users reports that an infection succeeded in getting by VIRSTOP v. 2.10c (in fact, even infected VIRSTOP.EXE), and that the infected files could not be cleaned by F-PROT. The latter seems in order, but is version 2.10c not supposed to detect Tremor reliably? IMO the NEW.210 doc (as well as earlier reports on version 2.09) imply this. Could it be that the well-known Tremor polymorphism is getting ahead of F-PROT (and probably others) again?
Regards,
Martin

- ------------------
*) The thing to say (in German) when someone sneezes; seemed an apt greeting for a list on viruses :-)

Dr. Martin Erdelen          EARN/BITNET: HRZ090@DE0HRZ1A.BITNET
- -Computing Centre-         Internet: erdelen@hrz.uni-essen.de
University of Essen         Tel.: +49 201 183-2998
Schuetzenbahn 70            FAX: +49 201 183-3960
D-45117 Essen 1             Binary: . .-. -.. . .-.. . --
Germany
                            +-----------------------+
                            | Remarkably            |
                            | remarkless            |
                            | room                  |
                            +-----------------------+

------------------------------

Date: Mon, 11 Apr 94 13:42:45 -0400
From: hstroem@ed.unit.no (Henrik Stroem)
Subject: Re: Avoiding floppy boot (was: FORM problems) (PC)

David M. Chess writes:

>>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>
>>3) Third, check if your computers have the new AMI BIOSes, which allow
>>them to be set up to attempt to boot from the hard disk first, instead
>>of from the floppy.
>
>As a sidenote, it's not just AMI BIOSes that allow this; various
>IBM PS/2s, for instance, also have a configurable boot order...

And also the other two major BIOS brands: Award and Phoenix. So, in short, most new BIOSes have this option. But CMOS is writeable, droppers exist, and the need to boot from floppies still exists, so this solution is not enough by itself.

Henrik Stroem
Stroem System Soft

------------------------------

Date: Mon, 11 Apr 94 15:40:04 -0400
From: tf@wam.umd.edu (Thomas Michael Foley)
Subject: "Sticky" Virus - File damage??? (PC)

THIS IS POSTED IN SEVERAL PLACES. SOME MORE APPROPRIATE THAN OTHERS, BUT ALL APPLICABLE TO SOME DEGREE.

I'm asking for help, suggestions, real experiences, wild guesses, etc. In the interest of time, I ask two things: Do your best with the info provided, and provide a brief summary (25 words or less) at the top of your answer if it is longer than a page.
I have provided below a description of the environment, a description of the problem, troubleshooting to date, and the suspected cause.

ENVIRONMENT DESCRIPTION:

Network OS: Novell NetWare 3.11

Hardware Description
  Server: IBM Model 8595-OMT (50 MHz)
          Duplexed with IBM SCSI cards & IBM 1GB SCSI drives
          3Com 3C523 LAN Card
          16 MB RAM
  Cabling: TP
  80 Workstations: 486 ISAs and PS/2s

Networked Applications Involved: Clipper and FoxPro database apps

PROBLEM DESCRIPTION:

Ten files or so (.dbf xbase database files and Novell error log text files - SYS$LOG.ERR/VOL$LOG.ERR) were damaged in one of two ways: Full or partial sectors (512 byte sectors) of the text files and most of the database files, which previously contained data, were replaced with a 512 byte to 4K byte section (it varies) of nulls (hex 00). Another database file has a sector containing data duplicated later in the file. This type of damage seems to be limited to the files mentioned above.

As accurately as can be determined, this damage occurred on only two occasions: 1) Between 5/5/93 and 6/8/93, and 2) sometime since 7/8/93. Damage was discovered in Feb 94. On two occasions, May 93 and Oct 93, the virus "Sticky" (Multi-2) was found on the server and removed.

TROUBLESHOOTING:

I have investigated five basic components to varying degrees:

1. Xbase applications (code)
2. Commercial Xbase software (Clipper/FoxPro)
3. Hardware
4. NetWare operating system
5. Virus

1. XBASE APPLICATIONS (CODE)
   CHANCE OF INVOLVEMENT: None
   REMARKS: A Clipper/FoxPro programmer cannot access data at the hex level and cannot influence data storage location decisions (which sector), on purpose or by accident.

2. COMMERCIAL XBASE SOFTWARE (CLIPPER/FOXPRO)
   CHANCE OF INVOLVEMENT: None
   REMARKS: Even if hypothetically involved in the damage of their own .dbf files, cannot damage unrelated Novell error logging text files.

3. HARDWARE
   CHANCE OF INVOLVEMENT: Possible
   REMARKS: (Going from cable to hard disk - Chance of involvement directly after hardware component title)

   CABLE: None. Believe cyclic redundancy check is performed on NIC and would detect corrupted packets coming off the cable. More important, cable cannot affect Novell error log text files as they are never transmitted over the cable (server OS to server hard disk only).

   NETWORK INTERFACE CARD: Uncertain. Have had intermittent problems with server losing comm with other servers/networks (sees only itself). Fixable by reloading LAN driver only. If involved, problems would likely be more widespread and frequent. Likelihood reduced by same comment as under CABLE above re: Novell error log files.

   DATA BUS: Unlikely. Not much to break. If involved, problems would likely be more widespread and frequent.

   RAM: Same as DATA BUS.

   SCSI CONTROLLER CARDS: Very unlikely. Due to duplex set-up, both cards would have to be broken/faulty in the same exact way, otherwise "disks out of sync/non-mirrored" error messages would result. None have and chance of dual, identical hardware faults is nil.

   HARD DISKS: Very unlikely. Due to duplex set-up, both disks would have to be broken/faulty in the same exact way, otherwise "disks out of sync/non-mirrored" error messages would result. None have and chance of dual, identical hardware faults is nil.

4. NETWARE OPERATING SYSTEM
   CHANCE OF INVOLVEMENT: Possible
   REMARKS: Believe this based on fact that it is the primary component involved in storage location decisions (which sector), and that I can't rule it out yet.

5. VIRUS
   CHANCE OF INVOLVEMENT: Probable
   REMARKS: As I mentioned in the problem description at the beginning of this note, data was only damaged twice and within a few weeks of the discovery of the Sticky virus in the first case, and not sure in the second. Sticky was found on the server a second time. Sticky has been found at different times on various workstations as well.
People in McAfee's office and Patricia Hoffman's office (VSUM) were very helpful, but had not seen a virus that does this type of damage and were unable to provide more info on the effects/symptoms of Sticky. They did allow as how Sticky might have unexpected effects when interacting with various types of software. Supposedly Sticky cannot enter the server memory or the server boot sector, so that leaves the server in the mode of "infected program storage device" versus active spreader (on server itself). It could spread to other workstations although that type of spread wasn't noticed.

SUSPECTED CAUSE:

Feel like it is one of the following:

1. Hardware problem which only shows up once every six months
2. Virus interacting with Novell OS or Clipper or FoxPro

First one seems very unlikely as it is so infrequent. Second one is only guess that I have left.

SUMMARY:

As we are very actively taking several types of network security steps, I'm much more in need of "what happened" type of info than I am in need of "general network protection" info. Please take your best guess. I will appreciate any information.

TOM FOLEY
DPP/Automation
University of Maryland, USA
Phone: (301) 405-1991 or 3212
Fax: (301) 314-9185
E-Mail: tfoley@umdacc.umd.edu
CompuServe: 73233,410

------------------------------

From: ah8784@dclipc22.cen.uiuc.edu (Andrew Patrick Hall)
Subject: Is this a virus? Please help... (PC)

Hello... I am new here so I scanned recent messages but could find no mention of this, so here goes:

On several machines I have noticed an odd tendency for there to be files with names like ABBCFHGC, and they are always of size zero. After some discussion with others, I thought it was a by-product of some program that made random temporary files, deleted the contents but left the files behind. (A guy I know thought Windows did this.) Poor programming practice, I know, but what do you want, it was a PC.
Anyway, I became suspicious when I noticed that if you make two consecutive dir statements, the names are different. I'd noticed this before, but assumed the program was doing its thing. However, even with nothing running, it does this. It seems to update the name on clock cycles, because two consecutive dirs might give the names AABADGHR and AAFGTHJA as if it was cycling alphabetically. The upshot, of course, is that the files are impossible to delete.

I thought this seemed to smack of a virus. The files don't cause that much trouble, but if left unattended, a number of them tend to develop, and on at least one machine, this messed up the spacing (partitioning, or whatever, I let my friend handle this stuff) on the hard drive, to the extent that we had to wipe it and install everything from backup.

I've seen this effect on a couple of different machines, separated by several months, but which have had contact w/each other, and one of which does a fair amount of bbs'ing and internetting (though I can't believe this would have come from the net). Also, I ran a couple of scanners and checkers on it, but found nothing. I also asked some local PC hotshots who knew PCs but not necessarily viruses, and they'd never seen it before. So I thought I'd take this to the experts.

I don't normally read here, so email would be welcomed, but I'll try to keep up in this group if there is some discussion necessary.

Thanks to all in advance!

Andy Hall
ap-hall@ux4.cso.uiuc.edu
ah8784@dclipc1.cen.uiuc.edu
andyhall@rel1.cen.ncsa.uiuc.edu

------------------------------

Date: 14 Apr 94 16:22:32 +0100
From: virusbtn@vax.oxford.ac.uk
Subject: Re: top 10 anti virus s/w? (PC)

thssamj@iitmax.iit.edu (jani) writes:

> What are the top 10 virus detection/cleaner programs for the PC

Whoa - big question.

> [Moderator's note: "top 10" in sales? in quality? in what?]

:) The top ten virus programs are *extremely* hard to identify, and will depend upon several factors.
By top ten I will assume you mean "best" (ie most suitable for you). This will depend on where you are; for example, if you were in Australia, Cybec's VET (or any one of the Oz products) might be the "best" because of technical support/local knowledge reasons - however, if you were in Iceland, there would be other more obvious choices ;-). If you represent a large, heavily networked corporate, products which are supported on many different platforms are useful. Once again, the balance changes.

There are some great products out there, and there are some lousy products out there, but the *best*... well, why not rephrase the question, and I'm sure that many will pitch in their opinion.

If you want specific information Email me direct.

Regards,

Richard Ford
Editor, Virus Bulletin
VIRUSBTN@uk.ac.ox.vax or vax.ox.ac.uk

------------------------------

Date: Fri, 15 Apr 94 10:07:40 -0400
From: ue805@freenet.victoria.bc.ca (James Strapp)
Subject: chklist.ms? (PC)

Has anyone experienced the file CHKLIST.MS being propagated through their system? Each instance of the file contains different file names also present on the hard drive, but the dates are all the same. It has now been transferred to another site. It seems benign, but it's a little distressing when you don't know where it comes from.

- --
James Strapp
The Coopers & Lybrand Consulting Group
Victoria, British Columbia
Canada

------------------------------

Date: Fri, 15 Apr 94 10:09:22 -0400
From: "Steve Bonds (007"
Subject: Re: Form.A (PC)

Jeffrey Rice - Pomona College, California. wrote:

> I'm looking for information about this virus. I know it's a boot
>infector, but am unsure of its length. Some sources (McAfee) say 512bytes,
>some (Vsum) seem to say 3072. How long is it? And what parts of the MBR does
>it infect? Does it affect the FAT or anyother parts? I am refering to floppy
>disks, not hard disks, if that makes a difference.
According to CMBase (which is rarely wrong-- just a bit too brief sometimes) this virus is 1017 bytes long (i.e. two 512-byte floppy sectors.) It does not infect the MBR at all-- it infects the DBR on the first hard disk partition or on a floppy disk. It does not store the rest of itself in the FAT, rather it stores itself in sectors marked as bad on a floppy disk.

I haven't seen a FORM infection on campus here for several months. Are you seeing another rise in infections down there? Right now we're busy fighting Monkey left and right... :(

-- Steve Bonds

- --
 000  000  7777 | sbonds@jarthur.claremont.edu and Steve_Bonds@hmc.edu
0  0 0  0    7  |-----------------------------------------------------------
0  0 0  0    7  | Childhood is short...            [Calvin & Hobbes]
 000  000    7  |    ...but immaturity is forever.

------------------------------

Date: Fri)
From: padgett@judge.ORL.MMC.COM
Subject: BACLAB virus (PC)

The following is a description of a new virus discovered in a church in Orlando, Florida in early April. It appears that it had been in residence since at least mid-March.

Editorial: In 1988 I wrote a program called CHKMEM to detect the BRAIN virus. The heuristics used were published (the infamous "6 Bytes" - the only case I know of where a fifteen minute paper delivered at a security conference was reviewed as a commercial product & found "slightly flawed"). Since then this simple test has revealed every virus that goes resident at the TOM including "stealth" viruses like this one (e.g. Joshi, 4096, Flip, Whale, Satan-Bug, etc. etc. etc.). Not one scanner product tried found or even warned of the possibility of BACLAB except my old CHKMEM (FreeWare).
End-Editorial

Note: reply only to padgett@tccslr.dnet.mmc.com
      flames >nul

* * * Preliminary analysis - not entirely verified * * *

Entry...............: BACLAB (tentative)
Alias(es)...........: T4, Griffe
Strain..............:
Origin..............: BACTERIOPHAGE LAB (text encrypted in body)
Detected when.......: 13 April, 1994
         where......: Orlando, Florida "In the wild".
Classification......: TOM Resident encrypting .EXE infector using semi-stealth
Length of Virus.....: In .EXE: 2128-2144 bytes (encrypted)
                      In memory: 2560 bytes (A00h) (in clear)
Operating System(s).: DOS
Version/Release.....: ? (checks at start)
Easy Identification.: Memory mismatch DOS/BIOS of 2560 bytes when resident
                      Changes timestamp to 0 minutes (?)
                      Lengthy decryption section (offset 0008 - 0062h) near beginning appears fixed.
Encryption..........: Simple XOR (?)
Type of propagation.: On execution of .EXE (Possibly on OPEN as well)
Propagation Trigger.: Detection of .EXE
Damage..............: Corruption of some .EXEs, overwrites opened files with poem/song lines
Damage Trigger......: January 18th in CMOS and random (?) other times
Particularities.....: Displays lengthy and rambling poem (song lines ?)
                      "There Once Was A King, Who Called For The Spring
                       For His World Was Still Covered In Snow
                       But The Spring Had Not Been, For He Was Wicked And Mean ..."
Similarities........: 1260 (?)
Note................: Uses simple XOR encryption with a hashed XOR value based on initial data.
                      Is not encrypted when resident in memory.
                      Bytes 8-62h (opening & decryptor) do not appear to be scrambled.
Search String.......: E8 EA FF 33 D2 B9 DA 07 D1 E9 BE 63 00 FE AD
                      (either in file or in memory) (tentative)
Documentation by....: Padgett Peterson
Date................: 14 April, 1994
Information Source..: Personal observation

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 29]
*****************************************
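Added example, not code from the digest or from any of its posters: a small Python script that implements two of the file-level checks described in this issue. The first is the companion-file search Rob Vlaardingerbroek recommends for MAAIKE (a hidden .COM beside an .EXE of the same base name, which DOS runs first); the second is a plain byte-pattern search for the tentative BACLAB search string in Padgett Peterson's description. The directory listing and the byte image in the script are constructed for the demonstration and do not reproduce the real file layout; scan_tree(), Entry, find_companions() and find_signature() are names chosen here, and reliance on the Windows-only st_file_attributes field for the hidden flag is an assumption about the platform.

```python
"""Added example (not digest code): companion-file check and byte-pattern
search, after the MAAIKE and BACLAB reports in VIRUS-L V7 #29."""
import os
import stat
from typing import Iterable, List, NamedTuple, Tuple


class Entry(NamedTuple):
    path: str     # path as the OS reports it (DOS or POSIX separators both accepted)
    hidden: bool  # DOS/Windows hidden attribute (dot-files count as hidden on POSIX)
    size: int     # file length in bytes


def _split(path: str) -> Tuple[str, str]:
    """Split a path into (lower-cased directory, filename), accepting '\\' or '/'."""
    norm = path.replace("\\", "/")
    head, _, name = norm.rpartition("/")
    return head.lower(), name


def find_companions(entries: Iterable[Entry]) -> List[Tuple[str, str, int]]:
    """Return (com_path, exe_path, com_size) for each hidden .COM that shadows
    an .EXE of the same base name in the same directory.  DOS resolves names
    case-insensitively and runs .COM before .EXE, so 'Pctools.com' takes
    control whenever the user types 'pctools'.  The hidden flag is the MAAIKE
    tell; a visible same-name .COM is not reported by this check."""
    by_dir = {}
    for e in entries:
        d, name = _split(e.path)
        by_dir.setdefault(d, []).append((e, name))
    hits = []
    for items in by_dir.values():
        exes = {}
        for e, name in items:
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".exe":
                exes[stem.lower()] = e.path
        for e, name in items:
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".com" and e.hidden and stem.lower() in exes:
                hits.append((e.path, exes[stem.lower()], e.size))
    return hits


def scan_tree(root: str) -> List[Entry]:
    """Build Entry records for a real directory tree (the live equivalent of
    DIR /AH /S).  st_file_attributes exists only on Windows (assumption about
    the platform); elsewhere a leading dot is treated as hidden."""
    out = []
    hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            st = os.stat(p)
            attrs = getattr(st, "st_file_attributes", 0)
            out.append(Entry(p, bool(attrs & hidden_bit) or f.startswith("."), st.st_size))
    return out


# Tentative BACLAB search string exactly as printed in the digest entry.
BACLAB_SEARCH_STRING = bytes.fromhex("E8 EA FF 33 D2 B9 DA 07 D1 E9 BE 63 00 FE AD")


def find_signature(data: bytes, pattern: bytes = BACLAB_SEARCH_STRING) -> List[int]:
    """Return every offset at which pattern occurs in data (a file or memory dump)."""
    offsets, i = [], data.find(pattern)
    while i != -1:
        offsets.append(i)
        i = data.find(pattern, i + 1)
    return offsets


# Constructed sample listing: what DIR /S might show on an infected machine.
SAMPLE_LISTING = [
    Entry("C:\\TOOLS\\pctools.exe", False, 120_000),
    Entry("C:\\TOOLS\\Pctools.com", True, 250),   # hidden 250-byte companion, as reported for MAAIKE
    Entry("C:\\TOOLS\\readme.txt", False, 1_024),
    Entry("C:\\DOS\\io.sys", True, 40_000),        # hidden, but not a .COM
    Entry("C:\\UTIL\\run.exe", False, 30_000),
    Entry("C:\\UTIL\\run.com", False, 2_000),      # visible .COM pair, not flagged
]

# Constructed byte image carrying the search string at offset 8; the real
# BACLAB file layout is not reproduced here.
SAMPLE_IMAGE = b"MZ" + b"\x00" * 6 + BACLAB_SEARCH_STRING + b"\x90" * 32


if __name__ == "__main__":
    for com, exe, size in find_companions(SAMPLE_LISTING):
        print(f"companion candidate: {com} ({size} bytes) shadows {exe}")
    print("BACLAB pattern offsets:", find_signature(SAMPLE_IMAGE))
```

The companion check reports the same thing a manual DIR /AH /S review would, just across the whole tree at once; as the MAAIKE post says, cleaning still has to be done from a clean boot floppy because the files are hidden. The search string is marked tentative in the digest entry, so a hit from find_signature() is a lead for further analysis rather than a verdict.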