VIRUS-L Digest   Friday, 24 Jun 1994   Volume 7 : Issue 43

Today's Topics:

Re: Hobbes McAfee File Infected??? (PC)
GOOD vs. BAD HUH?
Viruses = Commercial Opportunity?
Re: GOOD vs. BAD HUH?
Anonymous FTP Site Distributing Viruses?
re: Stealth and Self-encryption
Benign viruses
Re: Stealth and Self-encryption
Re: Stealth and Self-encryption
re: OS/2 Viruses? Are there any of those? (OS/2)
ANSI bomb (PC)
Crusander Virus on CD (PC)
What is name of Newest F-Prot? (PC)
Viruses - Pathogen (PC)
New Viruses (PC).
Re: tbav620.zip - Thunderbyte anti-virus pgm (complete) v6.20 (PC)
Re: Gateway 2000 Europe preloaded virus report (PC)
Re: What about long partitions (PC)
VirStop and IBM model 40SX (PC)
Re: antivirus products (PC)
Re: Aragon Virus (PC)
What about long partitions (PC)
Re: FYI: New PC Virus alert (PC)
Re: Gateway 2000 Europe preloaded virus report (PC)
Re: Virruses - Pathogen (PC)
Re: antivirus products (PC)
Re: Help re Genb (PC)
Re: good virus protection (PC)
Why so many Leprosy viruses? (PC)
Re: SCAN V115 gives false Budo (B2) alarm with IBM PC DOS 3.3 (PC)
Possible D-Day Virus? (PC)
re: FLIP and CANSU (V-SIGN) viruses (PC)
re: Monkey Virus (PC)
Re: HELP: How add code into .EXE ? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 23 Jun 94 10:16:17 -0400
From: ldhagen@crl.com (Lance D. Hagen)
Subject: Re: Hobbes McAfee File Infected??? (PC)

[Moderator's note: Since this message was posted several days ago, I presume that the problem - if there was indeed a problem - has been fixed. I'd appreciate it, however, if someone could follow-up with a verification.]

I can confirm the problem has been addressed on the Hobbes site. I E-mailed the site immediately and they also reproduced the "Scum of Europe" PKUNZIP wrapper (authentication) message. No mention was made of the lock-up I experienced (apparently associated with a change in my DOS (running under OS/2) path---until I cleaned up, the subdirectory containing PKUNZIP, which is in my path statement, was unrecognized by the OS). Can't say this was a virus (system scans clean now), but both the Hobbes site and I have vaporized that file.

Lance D. Hagen
73500.2276@compuserve.com
ldhagen@crl.com
San Antonio
(210) 366-3382

------------------------------

> it seems to me that recently there is a lot of interest in the
> concept of "good viruses".

There are a lot of posts by people who wish to promote the idea of "good viruses" for one reason or another (my guess is self-justification or trying to deal with guilt feelings) and there are a lot of other posts saying "Rubbish, there's no such thing as a good virus". I don't call either of these "interest". The first is self serving and the second is negative, a denial of interest.
Show me a "good virus" that people are clamouring to have on their computers for the benefits it brings, and I will concede there is interest.

--
Iolo Davidson - "My boss made me say it. She dares you to sue."

------------------------------

Date: Fri, 03 Jun 94 03:28:19 -0400
From: tluten@news.delphi.com (TLUTEN@DELPHI.COM)
Subject: Viruses = Commercial Opportunity?

First, my greetings and apologies to the regulars in this area. I'm new to the net, and came principally because I thought I'd find a group of accessible experts here. I think I have.

I may have an opportunity to do some work with a start-up that wants to market a new(ly available in the US) anti-virus package. The thing that puzzles me about the market is that a few years ago, I was acutely aware of viruses: Michelangelo, Stoned, etc., etc. I read about 'em in the SF Chron regularly. Now I don't see the coverage. Partly my reading has changed. But has the environment too?

I read that Windows viruses basically don't work (they crash the system?). Has the success of Windows made viruses a non-issue?

I read that three dozen viruses do all the damage (Jerusalem, Dark Avenger, etc. etc.). Has the world gotten used to that?

Three years ago when Michelangelo's birthday was nigh, I bought Flu-Shot and Norton AV. Haven't had problems since. Did everyone else too?

The thrust of my question is, does the world want/need another AV product, even one that's betterfastercheapersmarter? Obviously, there are always some buyers for almost anything you can think of. But that doesn't make a business.

All reactions welcomed.

------------------------------

Date: Fri, 03 Jun 94 14:43:34 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: GOOD vs. BAD HUH?

vfr (vfr@netcom.com) writes:

> why? i may tend to agree, in my personal opinion, such things are
> more efficiently, in some cases, done by non replicating programs.
> but then, there is the definition of 'efficiently' :) why
> do you think it *must* be done better (define better please)
> by a replicating program in order to be "good" virus; and, why must
> this be the case to make it economically effective?

If a non-viral program is going to do a better job, what is the point of using a virus in the first place, even if it claims to be a beneficial one?

> it seems to me that recently there is a lot of interest in the
> concept of "good viruses". i have read dr. cohen's posts and think
> again, its a problem of definition.

Yep, this is what I am saying all the time. What he understands under the term "computer virus" and what most users understand under the term "(real) computer virus" are two very different things.

> we hear the word 'virus' and then
> get frantic. 'not another of those viruses!'.

Indeed. That is why any beneficial program that uses some self-replicating mechanism should call itself something else - "agent" or "vitamin" or whatever, but not "virus" or "worm", because those terms are already loaded with negative meaning in the point of view of the general public.

> what i see you saying above, and correct me please if i am wrong,
> is that you agree there can be good viruses, depending on the
> definition of virus.

Yes, I do. I know several useful programs that do fit in Dr. Cohen's definition of the term "computer virus". DISKCOPY is one of them. :-)

> if the definition is solely that it must
> be capable of replicating, then are you saying such a virus is possible?

If the definition is that "it must be able to replicate itself UNDER SOME CONDITIONS", then yes, I am saying that such a beneficial virus is possible. However, I do not think that such a definition is very useful for practical purposes. It is too broad and it includes the nasty little programs that we are calling "real viruses" and which can NEVER be beneficial.
Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 03 Jun 94 17:02:26 -0400
From: Rick Schott
Subject: Anonymous FTP Site Distributing Viruses?

One of our system programmers saw and heard part of a news article on the Detroit NBC TV affiliate last night (Th 06/02/94, 6 pm), about an anonymous FTP site that has virus samples. Unfortunately, he didn't get any further details. Does anyone have any details about this?

Thanks.
Rick

------------------------------

Date: Tue, 21 Jun 94 12:36:29 -0400
From: "David M. Chess"
Subject: re: Stealth and Self-encryption

>From: itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton)
>This may be an ignorant question, but can anyone please explain
>the difference between stealth techniques and self-encryption?
>Is either one something to do with making a DIR command (for
>example) not include the extra size due to the virus?

See (B4) and (B5) in the VIRUS-L/comp.virus FAQ list. There are various degrees of stealth, ranging from a simple length-stealth that just makes DIR lie about the length of infected files, to a full content-stealth that makes the file look clean if you read it with the virus active. The more complex the stealthing, in general, the less likely infected systems are to run correctly for very long (i.e. complex stealthing tends to lead to buggy virus behavior).

Self-encryption, on the other hand, attempts to hide the virus from scanners even if the virus is not active in memory, by making every infected file look very different from every other.

DC

------------------------------

Date: Tue, 21 Jun 94 12:37:25 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Benign viruses

From: "Fredrick B. Cohen"

>Computer viruses are computer programs that reproduce. Some of these viruses
>are intended to harm people by damaging their information systems, and we call
>them malignant. Other viruses are intended to demonstrate a concept, to
>explore issues in artificial life, or even to do useful functions. We call
>them benign.

I have no problem with this except would make a teensy change:

"Other viruses are intended to demonstrate a concept, to explore issues in artificial life, or even to do useful functions *and do not deliberately cause damage*. We call them benign."

STONED is probably a good example of a virus that does not cause any deliberate damage and you could say that it was intended to demonstrate a concept so "we" could call it benign ?

Still have yet to see a virus that does not screw something up (am willing to entertain the concept, just have not seen any in practice). Have not even had to leave home to find something that every virus I have seen screws up. (usually need go no further than Windoze or Word Perfect)

Further, I do not consider the average user capable of deciding if something is safe or not (and most that I have asked agree with me). *They should not have to be* any more than the driver of a car needs to be able to decide what a sufficient brake rotor size is for their car. Of course there is no NHTSA, SEMA, or SAE for PCs.

Bemusedly,
Padgett

------------------------------

Date: Tue, 21 Jun 94 12:46:25 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Stealth and Self-encryption

itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton) writes:

>Hi,
>This may be an ignorant question, but can anyone please explain
>the difference between stealth techniques and self-encryption?

totally different.
stealth: involves intercepting open/read/findfile requests, in order to return information indicating no virus is present...subtract virus size from (real) file size, for example. primarily effective against integrity checkers...does not bother scanners.

self-encryption: the virus code is encrypted so that samples look different; if the encryption is polymorphic the different samples have no search string in common. Does not bother integrity checkers, but complicates things for scanners.

-frisk

------------------------------

Date: Tue, 21 Jun 94 14:34:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stealth and Self-encryption

Chris Sexton (itxcs@upsyc.psychology.nottingham.ac.uk) writes:

> This may be an ignorant question, but can anyone please explain
> the difference between stealth techniques and self-encryption?

Both techniques, as well as many other interesting and useful topics, are addressed in the FAQ. Get it and read it - it's worth the effort.

In short, "stealth" is the capability of a virus, when active in memory, to intercept the access requests to the objects infected by it and to modify them in such a way as to make those objects look uninfected to the originator of the requests. Encryption ("encoding" is probably a more exact term) is the capability of a virus to scramble its code in a way that makes it look different from the original, in order to obfuscate its contents.

> Is either one something to do with making a DIR command (for
> example) not include the extra size due to the virus?

Yes, this is stealth, or more exactly, a (minor) degree of it. Viruses that have only this property are called "semi-stealth". "Full-stealth" viruses also return the original (uninfected) object (file or boot sector), regardless of how you access it - Read, Write, Seek, etc.

> What does either method involve?

Stealth involves interception of some DOS functions and/or interrupts and modifying the result that they return.
Encryption involves applying a (usually simple) scrambling function (like XOR with a key) to the virus body.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 21 Jun 94 12:36:55 -0400
From: "David M. Chess"
Subject: re: OS/2 Viruses? Are there any of those? (OS/2)

>From: "."
>I'd like to know if there are any OS/2 viruses?
>As far as I know, DOS viruses use TSR in order to stay in memory
>and infect other programs. OS/2 doesn't have TSRs

There are two known OS/2 viruses, both distributed as source code, and (IMHO) unlikely to spread beyond the first generation. Both are non-resident viruses, of the "replace every EXE file in the current directory with a copy of me" variety (one of them preserves the original function of the infected EXE, one does not). In the DOS world, such viruses rarely if ever become real problems.

DC

------------------------------

Date: Thu, 02 Jun 94 18:07:06 -0400
From: id@mist.demon.co.uk (Iolo Davidson)
Subject: ANSI bomb (PC)

> A virus must be able to replicate. An ANSI bomb isn't.

I believe Dr. Solomon has seen an ANSI bomb which could launch an executable contained in part of the ANSI "text" file. I don't remember if the example he had contained a virus or not, but it could easily have done so. It would not have been self-replicating for the ANSI bomb itself perhaps, but could have been a dropper for a virus.

--
Iolo Davidson - "My boss made me say it. He dares you to sue."

------------------------------

Date: Thu, 02 Jun 94 21:08:24 -0400
From: pi@EUROPE.pha.oche.de (P. Immond)
Subject: Crusander Virus on CD (PC)

Crusander Virus on CD

Name of CD:  ,,Die DFUe-CD - die Welt der DatenFernUebertragung''
Publisher :  mediaplex
where?
          :  Subdir *19* File *sport21c.zip*
What?     :  sport21c.zip should be a program to test the serial port

in this ZIP are packed:

install.com
document.co_
sports.co_
sport21c.exe

document.co_ and sports.co_ are PKLITE-compressed COM files which have the Crusander (Butterfly-Virus). As they are COM files compressed by PKLITE they were not detected. After decompressing, the words ,,Hurray the Crusaders'' are readable with a hex editor and the virus will be detected.

Additional problem: The CD has a pre-installed version of RemoteAccess Mailbox which uses the files in sport21c.zip directly from CD as its filebase. So every installation of that BBS program directly from CD will push the virus.

(Original by Hein(t)z Mueller, Tel: (+49) 5251 835137, Fax: (+49) 5251 835104, Email: hmueller.pad@sni.de | USA: hmueller.pad@sni-usa.com)

Regards, Peter

AACHEN/GERMANY: EUROPE.pha.oche.de +49-241-922444 V32b/V42b 19.2 X75 + FAX
AVN AntiVirusNetwork Host & Archive   MyBOX 0.9e: Z3.8 * JANUS2 * QM * GSMAIL
HUERTH/GERMANY: FREEPORT.pha.oche.de +49-2233-66968 V32b/V42b ZyX 19.2 + FAX

------------------------------

Date: Thu, 02 Jun 94 23:07:41 -0400
From: rniess@whale.st.usm.edu (Rick Niess)
Subject: What is name of Newest F-Prot? (PC)

Hi All,

Ok, for weeks now my copy of VIRSTOP has been screaming about being outdated, but after several uneventful archies as well as several questionings of friends, I have been unable to locate the latest version of the F-PROT package. Could someone PLEASE clue me in as to where to get it from (FTP site, would be nice)?

Thanx...

~ Rick Niess ~

--
Rick C. Niess
rniess@whale.st.usm.edu
"Press any key to continue, or any other key to quit." -anonymous

------------------------------

Date: Fri, 03 Jun 94 03:30:19 -0400
From: riordan@tmxmelb.mhs.oz.au (Roger Riordan)
Subject: Viruses - Pathogen (PC)

Subject: Re: Virruses(!) - Pathogen (PC)

datadec@ucrengr.ucr.edu (Kevin Marcus) writes

> BRAYMANR@DELPHI.COM wrote:
> >Can anyone give me the specs on the Pathogen virus. I am studying it
> >and collecting information eventually so that I might write a virus
> >disinfectant.
>
> Well, I have not personally gotten around to analyzing this virus, but
> from what I have seen/heard:
>
> It uses a polymorphic engine called, "SMEG", and I believe there are
> currently two viruses out there using the engine. It is supposed to be
> a lot more nasty than, for example, MtE, throwing in bogus calls to dos,
> like "get version number" and similar "real program like" code segments.
> Apparently, it was generated with the purpose of causing false
> positives.

SMEG was no doubt designed to be difficult to detect, but the designers went way overboard, with the result that it is in fact quite easy to detect (and far less nasty than TPE). It uses an extremely variable (and extremely long) decryptor, but this consists almost entirely of instructions like MOV, INC, DEC, ADD, ROL, SHR. Some of these read from memory, but in almost all cases the destination is a register, and the results are almost always ignored. There are fairly frequent forward jumps round small do-nothing subroutines, which are called from further on. The decryption loop is closed in a variety of non-obvious ways, such as MOV DX,XXXX .... JMP DX, and PUSH CS ... PUSH AX ... RET FAR. The decryption loop can contain more than 400 instructions, but only about nine of these actually do anything, and only two or three write to memory. There are no calls to DOS, or "real program like" code segments of any sort.

VET 7.71 will reliably detect SMEG based viruses.
At this stage we have not added disinfection procedures.

With Best Wishes,

Roger Riordan                  Author of the VET Anti-Viral Software
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA   Fax: +613 521 0727

------------------------------

Date: Fri, 03 Jun 94 03:30:30 -0400
From: riordan@tmxmelb.mhs.oz.au (Roger Riordan)
Subject: New Viruses (PC).

We have just received samples of two new viruses found in the wild. Both of these have simultaneously been reported from the US and/or Europe.

Junkie Virus; A new multipartite virus from Sweden.

Junkie is an apparently new encrypted multipartite virus claiming to be written in Sweden. It infects .COM files only. When you run an infected file it infects the Master Boot Record (which includes the partition record) on the hard disk, but does nothing else. The next time you reboot the virus goes resident in memory, and then infects each .COM file accessed. The virus contains the messages

    Dr White - Sweden 1994
    Junkie Virus - Written in Malmo...M01D.

The virus infects all 3.5" disks, but only 1.2M 5.25" disks. It does not contain any warhead. Our sample was in a file downloaded from a Melbourne BBS.

Mongolian Virus; A destructive new BS virus from Mongolia.

This is a fairly primitive boot sector virus. It is fairly obvious, as it causes a great deal of additional disk activity when running programs from floppy disks, but it has a nasty warhead. If the PC is switched on on May 30th the virus overwrites the first 17 sectors of each partition on the hard disk, and then overwrites the Master Boot Record. Finally it displays the message

    Mongolain Virus VERSION 1.00
    Mongolian Brain Co.Ltd 1992
    Today is birthday of my babby!!!

Our sample was on a 1.44M disk, & we could not infect a 720K disk. (Dave Chess, of IBM, has pointed out this is due to a bug in the virus.) Only a small section of the normal boot sector is overwritten, and the boot sector appears normal if viewed with a disk editor.
Our sample was found in Canberra.

VET 7.713 can recover files/disks infected with both viruses.

With Best Wishes,

Roger Riordan                  Author of the VET Anti-Viral Software
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA   Fax: +613 521 0727

------------------------------

Date: Fri, 03 Jun 94 16:56:27 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: tbav620.zip - Thunderbyte anti-virus pgm (complete) v6.20 (PC)

Banther (sikkid@bga.com) writes:

> : a signature, heuristic and CRC scanner. It detects known, unknown and
> : future viruses. TbScanX is the resident version of TbScan. TbClean is
>   ^^^^^^^^^^^^^^
> What's a future virus? :)

A known virus is an existing virus which is known to the author of the scanner. An unknown virus is an existing virus which is not known to the author of the scanner. A future virus is a virus that does not exist yet.

The above statement ("detects known, unknown, and future viruses") is a commonly used marketing trick. The idea is to fool the user into thinking that the product can detect ALL possible viruses. The statement is formally correct (i.e., it is not a lie), but should be understood as "The product detects SOME of the known viruses, SOME of the unknown viruses, and will detect SOME of the viruses written in the future". However, no marketoid worth his/her salt is going to state it in this way... :-)

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: 06 Jun 94 10:43:08 +0100
From: virusbtn@vax.oxford.ac.uk
Subject: Re: Gateway 2000 Europe preloaded virus report (PC)

chl@dmu.ac.uk (Conrad Longmore) writes:

> PC Week has reported that Gateway 2000 has accidentally shipped some
> machines with the Smeg polymorphic virus. According to the report,
> Gateway have recalled some of the machines that were shipped.

Text from the article actually reads:

    Gateway 2000 admitted last week that it recalled 70 machines...
    ... but the infection was not the so-called Smeg polymorphic viruses which
                                ^^^

(I know, I had to read it twice too :)

There seems to be some confusion over exactly what happened, but as far as I know, there was a *bug* in the pre-loaded software. This was confused in a game of Chinese whispers to a virus. Sigh.

If you have a Gateway machine, don't panic.

Regards,

Richard Ford
Editor, Virus Bulletin

------------------------------

Date: Fri, 03 Jun 94 17:04:31 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: What about long partitions (PC)

DE KERPEL SVEN (we34329@vub.ac.be) writes:

> A virus (flip) messed with my HD now It claims that i have now long partitions
> (116MB) is reduced to 33MB (the max for normal partitions.

There was recently an article here, explaining what to do in exactly those cases. In short, check the two bytes at offset 13h and 14h of the boot sector (*not* the MBR!). If they are 0FAh, 0FFh - change them to 00, 00.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: 03 Jun 94 14:40:28 -0500
From: sullivan@cobra.uni.edu
Subject: VirStop and IBM model 40SX (PC)

Hi,

I am using F-Prot 2.12 and Virstop on our workstations on campus. In attempting to improve the level of protection we're getting, I am adding some parameters to the virstop load. I have been using the switches /disk (if there's a hard drive), /boot, /warm, and /rehook (if they're connected to a Novell network). This is fine in most cases. However, on the few model 40SX's that I have encountered, when I have the /warm option, the diskette drive light comes on and it displays the message that it's checking the diskette drive. It stays that way until you power off. We've also seen this on one model 50, but I wasn't there and don't know that it was really narrowed down to the /warm parameter. We're running DOS 5.0.

I cut the autoload down to the bare bones to be sure the problem wasn't in the ordering of the drivers or devices. When I boot fresh with only himem.sys, ansi.sys, setver, and emm386 and then load just virstop, the same problem happens, so I'm confident it isn't anything else I'm doing. I can continue with all of the other parameters, so it must be the /warm.

Has anyone else found this? Is it a problem with the model 40? Is there a work-around? I'd really like to be able to use this option, so if anyone has an answer, I'd appreciate the help.

Thanks
Diane

============================
sullivan@uni.edu
Diane Sullivan
ISCS NTS
University of Northern Iowa
Cedar Falls, Iowa 50614-0121
(319) 273-6814

------------------------------

Date: Sat, 04 Jun 94 06:41:27 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: antivirus products (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>F-Check - a program from an obsolete version of the package F-Prot.

Uh, Vess, did you get a heat stroke or something in the Caribbean ?
:-)

F-CHECK is in fact the major difference between the shareware F-PROT and the (regular commercial) F-PROT Pro ... it is an integrity checker with generic disinfection.

-frisk

------------------------------

Date: Fri, 03 Jun 94 14:34:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Aragon Virus (PC)

Littlewood A (litta@esl2.NoSubdomain.NoDomain) writes:

> After downloading McAfee's latest version of scan113

The latest version is 115b, I think.

> Next I tested high memory with the flag /chkhi, after which
> scan return that it had in fact found the "Aragon" virus
> and informed me to reboot from a clean disk and rerun scan
> (also from a new clean disk).

There was a version of McAfee's SCAN in the past (I don't recall the exact version number), which gave such a false positive when scanning one of the DOS standard programs (MODE, I think). It is just possible that you don't have a virus, but are a victim of a badly selected scan string. I would advise you to upgrade to a newer version of SCAN and try again.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 03 Jun 94 18:00:48 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: What about long partitions (PC)

> A virus (flip) messed with my HD now It claims that i have now long partitions
> (116MB) is reduced to 33MB (the max for normal partitions.
>
> FDISK reports 116MB
> Norton Disk Doctor and DOS say 33MB
>
> Need help.

Flip subtracts six sectors from the number of total sectors stored in the word at offset 13h in the DOS boot sector when it infects. This only makes sense for drives 32Mbyte or smaller.
On larger volumes, this number is stored elsewhere and offset 13h holds zero. If it has anything other than zero, DOS assumes it is a less than 32Mbyte disk and this *is* the number of sectors, hence the reduction in the size of your disk.

Cure- with a disk sector editor, change the hex "FA FF" at offset 13h in the DOS boot sector to "00 00". If you don't understand how to do this, seek expert help.

--
Iolo Davidson - "My boss made me say it. He dares you to sue."

------------------------------

Date: Fri, 03 Jun 94 13:28:08 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FYI: New PC Virus alert (PC)

sweeneyp@pspdpc89.wal.ab.com (sweeneyp@pspdpc89.wal.ab.com) writes:

> CD-ROM manufacturer Chinon America, Inc. says computer vandals have
> illegally put its name on a virus-ridden file and released it on the
> Internet.

Oh, no, not again! We've already got this message twice. It is typical journalistic junk. First, it is not a virus (it is a trojan horse), second, it is not "undetectable" (I know at least two scanners that have been detecting it for years), third, it was not "released on the Internet"... Just ignore it.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sat, 04 Jun 94 16:35:18 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: Gateway 2000 Europe preloaded virus report (PC)

chl@dmu.ac.uk (Conrad Longmore) writes:

>From: chl@dmu.ac.uk (Conrad Longmore)
>Subject: Gateway 2000 Europe preloaded virus report (PC)
>Date: Thu, 2 Jun 1994 11:51:03 EDT

>PC Week has reported that Gateway 2000 has accidentally shipped some
>machines with the Smeg polymorphic virus.
>According to the report,
>Gateway have recalled some of the machines that were shipped. Smeg is
>reported to be a polymorphic virus written in the UK by the virus
>writer called the Black Baron.

>The report indicates that the virus can be picked up by the June
>update of Sophos Sweep.

It can be found and killed also with the Dr Solomon's Anti-Virus Toolkit and I bet with several others.

Regards
Kari Laine / buster@klaine.pp.fi
LAN Vision Oy

------------------------------

Date: Fri, 03 Jun 94 16:15:17 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virruses - Pathogen (PC)

Kevin Marcus (datadec@ucrengr.ucr.edu) writes:

> It uses a polymorphic engine called, "SMEG", and I believe there are
> currently two viruses out there using the engine. It is supposed to be
> a lot more nasty than, for example, MtE, throwing in bogus calls to dos,
> like "get version number" and similar "real program like" code segments.

Hmm, I have not analysed the virus either, but I do not think that the above is correct. First, I disagree that it is more difficult to detect than the MtE. TPE 1.4 - yes, but not SMEG. Second, I do not think that it uses GetDOSVersion calls in the decryptor - are you sure that you are not confusing it with Phantom_1? But maybe I have missed something.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sat, 04 Jun 94 06:36:01 -0400
From: tracker@netcom.com (Craig)
Subject: Re: antivirus products (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:

: Untouchable - commercial, latest version I have seen was 30.01, the
: company that used to sell it was acquired by Symantec. Status -
: unknown.
Untouchable is no longer made. I called and asked Symantec about it. If Symantec still made it or even incorporated the integrity checking part of it into the next major version of NAV, they'd make mucho sales. I sure hope Jimmy Kuo of Symantec reads this and influences Symantec to follow through on this. People in the US need an excellent inegrity checker like Untouchable provided. Hopefully some US company will come to the rescue. ------------------------------ Date: Fri, 03 Jun 94 16:09:28 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Help re Genb (PC) Kevin Marcus (datadec@ucrengr.ucr.edu) writes: > This is SCAN's generic boot infector id. Basically SCAN is telling you > that it thinks you have got a virus, but it doesn't know which one it is. This is correct. > This represents a somewhat serious problem; if you don't know what virus > you have, you probably can't get rid of it. While CLEAN usually does a > bit more checking before trying to disinfect, most likely, it is > something clean can't handle. This is also correct in principle, but it doesn't apply in this particular case. You see, when you tell CLEAN to remove a GenP or GenB virus, it begins to scan the disk until it find something that looks like an original MBR or DBS respectively, and then moves it to replace the infected one. Therefore, it is not important whether SCAN can correctly identify the virus. What is important is whether CLEAN can find the correct boot sector. For instance, if it is encrypted somehow, this method will not work. But in many cases it does. Curiously, if some of the virus-specific removal procedures in CLEAN are buggy (as the Michelangelo remover used to be - it used to trash 1.2 Mb floppies during disinfection), you can often use the generic disinfection (or is it heuristic disinfection?) routines of GenB/GenP. > You should try another software package, or one that performs more exact > identification, such as NAV 3.0 or F-Prot. 
Uhm, the last time I tested it (which was damn difficult, because NAV 3.0 does not seem to be designed to be tested), NAV didn't seem to perform exact identification of *any* virus (and F-Prot identifies exactly only about 30% of the viruses it detects). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Fri, 03 Jun 94 16:46:45 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: good virus protection (PC) Kevin Marcus (datadec@ucrengr.ucr.edu) writes: > Let's say that virus scanner A detects 1000 viruses. However, of these > 1000 viruses, they are all mostly available from virus BBS's, and not a > single one has been found in the wild, ever. It is capable of removing > each one perfectly. > Now, comes along scanner B. Scanner B only detects 50 viruses. However, > these viruses have all been found in the wild, there are no others that > have ever been found in the wild which it doesn't detect [to date], and > it is capable of removing each one perfectly. Your mental experiment is flawed and unrealistic. In reallity, the things are *never* as you describe above. The producer of a scanner that is able to handle very well a lot of viruses, will never select to handle only uncomon viruses. Never. Similarly, almost nobody who bothers to enter the anti-virus market, will select the B approach. I know of only one who has tried - Jim Bates has produced a scanner in the UK, which can handle *only* the viruses reported to the Computer Crime Unit at the Scotland Yard. As far as I know, the scanner doesn't sell well, regardless that it is relatively cheap. 
Obviously, the users prefer to use better solutions, and there are solutions which are better, yet cheaper (F-Prot). > To your end consumer, which one is best? Neither. Both are flawed, for different reasons. I wouldn't advise anybody to rely on either of them. > The point: If someone claims a product has poor identification and poor > disinfection, does that necessarily mean that their product is no good? > Absolutely not! The types and kinds of viruses detected are what matters. Yes, it does. You cannot have good disinfection without identifying the virus you want to disinfect well enough. Therefore, someone who is making such claims is either doing false advertising, or doesn't know what s/he is talking about. In both cases it is extremely unlikely that s/he is able to produce a good anti-virus product. I have yet to see such case. > Additionally, scanner B will benefit from having faster scan speeds, and > less false positives (most likely). Not really. Let's use a reallistic example. F-Prot. It detects about 96% of the 4,300 viruses in my collection, yet is extremely fast - takes only about 20 minutes to scan about 16,000 files. And this is 16 thousand *infected* files. As you should know, scanning of an infected file (if one of the modern scanning methods are used) takes more time than scanning a clean file. On clean files F-Prot is much faster. An even faster scanner is TbScan - it achieves the above in about 5 minutes. Indeed, it's detection rate is noticeably lower than F-Prot's, but it is still excellent (i.e. - above 90%). Therefore, it *is* possible to create a scanner that is both good and fast. Shall we take another reallistic example? How about NAV 3.0? Even if we ignore for a moment its brain-damaged design, which makes testing it a nearly impossible task, it scores some miserable 64% detection, yet is noticeably slower. 
I didn't bother to measure how much slower exactly; besides scanner speed should not be measured on an infected system as a matter of principle. Look, most scanners are either very good, or very bad - both in detection and speed. There are very few which are almost as good as each other and this makes it difficult to chose between them. However, there is another factor, unrelated to how well a scanner protects you from viruses. This is the user interface, the "easy to use", and the marketing of the product. Often good anti-virus products are made by small companies and by people who are hackers (in the good sense) and don't really care about the user interface. In the same time, the big companies tend to develop niceley looking products (they have a *lot* of experience and resources to design attractive user interfaces), which are often miserable from the anti-virus point of view, because the developpers are lacking anti-virus experience, or because the few good anti-virus experts in the company are overhelmed by the general bureaucracy in the (big) company and by the marketoids. Oh, yes, and those big companies have a lot of money for their marketing deparments, so their products are marketed very agressively. As a result, we are seeing some very bad anti-virus products to become dominant on the market. The hackers, and those in-the-know, use better products, but they are the minortiy; Joe User tends to select the nicely looking product, the one that is marketed better. That's why computer viruses continue to proliferate. If Micosoft had included Padgett's freeware utiltites in their new DOS, they would have dealt with almost all existing boot sector viruses and with a large class of the future ones. Instead, they have selected to include a stripped-down version of an already inferior scanner. As a result, people who are using it have more problems (because it is causing false positives, on the top of everything) than if not using anti-virus programs... 
> In the event there should be a new virus created that is thrown into > the wild, neither scanner will be helpful. This does happen, every now and then. The latest well-known cases are Satan Bug and the SMEG viruses. > The only time when Scanner A is more valuable is when a currently existing > virus is thrown into the wild. This does happen too. The problem is, you can't know in advance which of the known viruses is going to be "thrown in the wild", so you should better rely on a scanner that protects against as many of them as possible. Of course, even better is not to rely on a scanner alone. > So, the question: Who has some statistics on how many viruses have gone from > "just another virus" to a "in the wild virus?" Hmm, difficult question. We have trouble even to list all viruses that are in the wild... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Sun, 05 Jun 94 05:35:38 -0400 From: pcm2@netcom.com (Neil McAllister) Subject: Why so many Leprosy viruses? (PC) I was recently reading the large virus summary in Hypertext form put out by Patricia Hoffman (I think that's right) and I noticed a rather extensive "family history" listing for the Leprosy virus. I was wondering, for a virus that is so easy to defeat, and which does so little to corrupt systems, why are there so many variants on this program? As far as I can tell from the virus listing, all the different variants are pratically identical, though they all come from different sources and points of origin. What is the interest in this virus? I've never heard of a significant infection caused by it. 
Just curious, - -- +----------------------------------------------------------------+ | Neil McAllister / pcm2@netcom.com | | Director of Special Operations, Bladder Control Central | +----------------------------------------------------------------+ ------------------------------ Date: Mon, 06 Jun 94 08:26:34 -0400 From: hazen@phoenix.cs.uga.edu (Mark) Subject: Re: SCAN V115 gives false Budo (B2) alarm with IBM PC DOS 3.3 (PC) wrote: >McAfee's beta test scanv115.zip from /pub/msdos/virus on >oak.oakland.edu indicates that my machine running IBM PC DOS 3.3 >has the Budo (B2) virus in COMMAND.COM. However, it reports >the same thing about COMMAND.COM on the permanently write protected >installation diskette. I suspect this is a false alarm. I can confirm this error! Here at my job we had a sudden outcropping of the Budo virus which we only noticed on four machines, and which also showed up only after the new version of Scan and Clean were in public distribution. I never noticed it before, but those are the only machines out of 100 or so here in the building which were running on DOS 3.3, which we updated to 5.0 when we found the errors. - -- :Mark Hazen hazen@phoenix.cs.uga.edu :Family & Consumer Sciences mhazen@hestia.fcs.uga.edu :All I ask is a chance to prove that money can't make me happy. ------------------------------ Date: Mon, 06 Jun 94 14:11:31 -0400 From: c23jrg@kocrsv01.delcoelect.com (John Goodrich) Subject: Possible D-Day Virus? (PC) Does anyone out there know of any viruses that trigger on D-day, similar in nature to the much-heralded Michelangelo virus of a couple years ago? My PC keyboard locks up in Windows only since this morning, and the date seems like it could be more than a coincidence. Any replies (the speedier the better) would be appreciated. Thanks. John Goodrich ------------------------------ Date: Tue, 21 Jun 94 12:37:46 -0400 From: "David M. 
Chess" Subject: re: FLIP and CANSU (V-SIGN) viruses (PC) >From: itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton) >My 260Mb h/d suddenly became 33Mb, and unreadable, and I can't >work out which of these viruses actually did the damage. Yep, that was FLIP. It doesn't know about partitions bigger than 32K, and when it tries to shrink a partition to make some room for itself, it assumes that the partition is <32K. You can probably fix this by using some low-level editor to find the boot record of the DOS partition, find the word at offset 0x13, and set it to zero (it's probably 0xFFFA now). A value of zero means "more than 32K, go look at the doubleword out at 0x20 for the real number". But FLIP doesn't know this, and just blithely subtracts 6 from the 0000, resulting in FFFA, which then becomes the new apparent size of your partition. DC ------------------------------ Date: Tue, 21 Jun 94 12:38:29 -0400 From: "David M. Chess" Subject: re: Monkey Virus (PC) > From: Steve Hathaway > The only way > to eradicate the Monkey Virus is boot a virus-free DOS and recreate > a new partition table and FAT tables on your hard disk (preferably > after low-level format), then restore a bootable operating system > and then your last good backup. Good heavens, no! The best and simplest way to remove the Monkey virus is just to use some anti-virus program that can find the original master boot record, and put it back for you. No data loss, no reformatting, no restoring from backups. Even without an anti-virus program, you can generally trick the virus into showing you a copy of the real MBR, save that to diskette (of course remembering that the diskette will become infected in the process), then reboot from a clean diskette, restore the saved MBR that you fooled the virus into giving you, and you're done. (This is for hackers only; it's much simpler to just run a good antivirus program.) 
Unless a virus has actually -gone off- and overwritten data, it's never necessary to reformat to get rid of a virus. If your system boots correctly while infected, it should be possible to just slice the virus out of the loop, restoring a clean boot. That's what anti-virus programs do. - - -- - David M. Chess | IBM Computer Virus Information Center High Integrity Computing Lab | gopher://index.almaden.ibm.com IBM Watson Research | http://index.almaden.ibm.com ------------------------------ Date: Tue, 21 Jun 94 12:42:08 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: HELP: How add code into .EXE ? (PC) cogni@actcom.co.il (Michael Cale') writes: >Hello all. >Now i try write basical ANTI-viral program that add to user program short >code that will check CRC (or somethink same) before running program. My advice: Forget it! - ------------------------------------------------------------------------------ Frisk Software International - Technical note #11 Why external self-checking is a bad idea Every now and then somebody gets the bright idea of adding a small piece of code to existing programs, which will check for virus infection when the program is executed. The idea is that this will detect any virus infection immediately, and is also effective against unknown viruses. There are some serious flaws with this approach, however. 1) This method cannot prevent the program from getting infected in the first place, and whenever an infected program that has been protected this way is run, the virus code will be activated first. The virus might be able to detect or even remove the self-checking code, but it might also make it totally ineffective by using stealth techniques, so the self-checking code only "sees" the original, non-infected program. 2) Some program contain an internal self-check - F-PROT.EXE is an example. 
That internal code might also be unable to detect stealth viruses, but unless the external self-check code uses stealth techniques too, the result will be a conflict, where the internal check will notice the newly added code and determine that the application has been infected. 3) This method is ineffective against "companion" viruses that don't modify the applications they infect. 4) It may not be possible to protect all programs this way. It is relatively easy to add code of this type to most .COM files, unless the original program was slightly less than 64K, and the resulting file would break that limit. EXE files are more of a problem, in particular containing internal overlays, where one cannot append the code to the file, as the resulting file might become too big to load. Windows applications are also a problem, as they have two different entry points, and special care has to be taken to handle that correctly. On the other hand, adding internal self-checking to programs is a good idea, although it has the same limitations regarding stealth viruses, it does not cause the conflicts described above, and can be put in any program at compile-time. It is also much more difficult for viruses to bypass. - -frisk ------------------------------ End of VIRUS-L Digest [Volume 7 Issue 43] *****************************************
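The offset-13h damage that Iolo Davidson and David Chess describe above (FLIP subtracting 6 from a zero word), and the "looks like an original boot sector" hunt that Vesselin Bontchev attributes to CLEAN's GenB/GenP mode, as an added Python example that is not part of the digest: it builds a constructed FAT16 boot sector, shows which sector-count field DOS believes, flags and repairs the FLIP wrap-around, and applies a constructed plausibility heuristic (not CLEAN's actual logic) to a candidate sector.

```python
import struct

# DOS boot sector (BPB) fields named in the digest: the 16-bit sector count at
# offset 13h, which is zero on volumes of 32 MB or more, and the 32-bit count
# at 20h that DOS consults only when the word at 13h is zero.
OFF_TOTSEC16 = 0x13
OFF_TOTSEC32 = 0x20

def read_totals(sector):
    """Return (word at 13h, dword at 20h), both little-endian."""
    return (struct.unpack_from("<H", sector, OFF_TOTSEC16)[0],
            struct.unpack_from("<I", sector, OFF_TOTSEC32)[0])

def effective_sectors(sector):
    """DOS's view of the volume size: a nonzero word at 13h wins over 20h."""
    small, large = read_totals(sector)
    return small if small else large

def flip_damaged(sector):
    """FLIP symptom: 13h was 0000, the virus subtracted 6 with 16-bit wrap-around, so
    13h reads FFFAh while 20h still holds the real count; a valid BPB never has both."""
    small, large = read_totals(sector)
    return small != 0 and large != 0

def repair_flip(sector):
    """The cure given in the digest: write 00 00 back at offset 13h."""
    fixed = bytearray(sector)
    struct.pack_into("<H", fixed, OFF_TOTSEC16, 0)
    return bytes(fixed)

def looks_like_dos_boot_sector(sector):
    """Plausibility test of the kind a GenB-style generic cleaner needs while hunting the
    disk for the original DBS (constructed heuristic, not CLEAN's code)."""
    if len(sector) != 512 or sector[0x1FE:] != b"\x55\xAA" or sector[0] not in (0xEB, 0xE9):
        return False                       # no boot signature or no leading jump
    bps, spc, reserved, fats = struct.unpack_from("<HBHB", sector, 0x0B)
    return (bps in (512, 1024, 2048, 4096) and spc != 0
            and spc & (spc - 1) == 0 and reserved >= 1 and fats in (1, 2))

def make_boot_sector(total_sectors):
    """Constructed FAT16 boot sector for a volume of total_sectors 512-byte sectors."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x3C\x90"                                # jump over the BPB
    struct.pack_into("<HBHBH", s, 0x0B, 512, 8, 1, 2, 512)  # bps, spc, reserved, FATs, root ents
    small = total_sectors if total_sectors < 0x10000 else 0
    large = 0 if small else total_sectors
    # 13h count16, 15h media, 16h sec/FAT, 18h sec/track, 1Ah heads, 1Ch hidden, 20h count32
    struct.pack_into("<HBHHHII", s, OFF_TOTSEC16, small, 0xF8, 256, 63, 16, 63, large)
    s[0x1FE:] = b"\x55\xAA"
    return bytes(s)

# Constructed scenario from the digest: a 260 MB disk (532480 sectors) after FLIP
# wrapped the 0000 at 13h to FFFA, so DOS sees only 65530 sectors (about 33 MB).
CLEAN = make_boot_sector(532480)
DAMAGED = bytearray(CLEAN)
struct.pack_into("<H", DAMAGED, OFF_TOTSEC16, (0 - 6) & 0xFFFF)   # FLIP's arithmetic
DAMAGED = bytes(DAMAGED)
```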
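Frisk's points 1 and 2 replayed in Python, as an added example that is not from the technical note or from F-PROT: constructed byte-string "images" carry a tag-plus-CRC32 field standing in for the check code, which lets the block show an internal check catching an appended change, an external check being fed the original bytes while a stealth virus is resident, and the external wrapper itself tripping the internal check.

```python
import zlib

# Constructed model of the situations in frisk's technical note. Program images are
# plain byte strings; a 4-byte tag plus a CRC32 stands in for the check code that an
# external wrapper, or the compiler for an internal check, would really add.
INTERNAL_TAG = b"ICHK"   # constructed: compile-time (internal) self-check field
EXTERNAL_TAG = b"XCHK"   # constructed: field an external wrapper appends afterwards


def add_check(image, tag):
    """Append tag + CRC32 of everything before it, so the image can verify itself."""
    body = image + tag
    return body + zlib.crc32(body).to_bytes(4, "little")


def verify(image, tag):
    """The check itself: the last 8 bytes must be tag + CRC32 of all preceding bytes."""
    if len(image) < 8 or image[-8:-4] != tag:
        return False                     # field missing or displaced: image was altered
    return zlib.crc32(image[:-4]) == int.from_bytes(image[-4:], "little")


def run_check(on_disk, original, tag, stealth):
    """An external check runs only after whatever sits at the entry point has executed.
    With a stealth-resident virus active, every read of the file yields the original
    bytes (point 1 of the note), so the check is fed `original` instead of `on_disk`."""
    return verify(original if stealth else on_disk, tag)


def scenario():
    """Replay the note's points on constructed images; returns the outcomes by name."""
    app = b"constructed program image"
    internal = add_check(app, INTERNAL_TAG)              # built with an internal check
    wrapped = add_check(internal, EXTERNAL_TAG)          # then wrapped externally
    infected = wrapped + b"constructed appended change"  # a plain appending modification
    return {
        # the untouched internally checked image passes its own check
        "internal_clean_ok": verify(internal, INTERNAL_TAG),
        # a non-stealth appending change is caught by either kind of check
        "internal_detects_change": not verify(internal + b"\x00", INTERNAL_TAG),
        "external_detects_change": not run_check(infected, wrapped, EXTERNAL_TAG, stealth=False),
        # point 1: under stealth the external check sees the pristine wrapped file
        "external_fooled_by_stealth": run_check(infected, wrapped, EXTERNAL_TAG, stealth=True),
        # point 2: the wrapper displaces the internal field, so the program now
        # concludes it has been infected although no virus touched it
        "internal_conflicts_with_wrapper": not verify(wrapped, INTERNAL_TAG),
    }
```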