VIRUS-L Digest   Friday, 24 Jun 1994    Volume 7 : Issue 44

Today's Topics:

Re: Integrity Checking
Re: ARJ-, ZIP-viruses ?
Re: Bad and good viruses...
Re: Fred Cohen and computer viruses
Re: The truth about good viruses
Re: Nomenclature
Re: Bad and good viruses...
Good viruses/Bad viruses
Re: Stealth and Self-encryption
Re: Stealth and Self-encryption
Re: OS/2 Viruses? Are there any of those? (OS/2)
Re: OS/2 Viruses? Are there any of those? (OS/2)
OS/2 Viruses? Are there any of those? (OS/2)
Re: FORM and SPANISH Telecom? (PC)
Re: MtE Virus info wanted (PC)
Re: ** Date recovery after Michelangelo virus infection ** (PC)
Re: Thunderbyte Antivirus (PC)
Re: Help: W-boot or Swiss Variant Virus (PC)
Re: Help! Checksums keep changing .......... (PC)
Re: HELP: How add code into .EXE ? (PC)
Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
Re: Thunderbyte Antivirus (PC)
Re: Monkey Virus (PC)
FLIP and CANSU (V-SIGN) viruses (PC)
Re: Thunderbyte Antivirus (PC)
Re: Computer viruses for Sale (PC)
Re: MtE Virus info wanted (PC)
Re: Thunderbyte Antivirus (PC)
Re: Help! Checksums keep changing .......... (PC)
Re: Monkey Virus (PC)
Natas Virus Test AVP 2.0 update D (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 21 Jun 94 14:51:01 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Integrity Checking

sikkid@axpvms.cc.utexas.edu (sikkid@axpvms.cc.utexas.edu) writes:

> programs... I noticed that Vesselin stated that TBAV's integrity
> checker was "mediocre." I was just wondering why he said that, and

I meant that it does the basic job (computing CRCs of the executable objects, watching for modifications) but that it is neither cryptographically strong, nor designed to withstand some possible virus attacks against this kind of anti-virus product. In short, it works, and probably will catch a lot of viruses. I am convinced, however, that I can design a virus that will be able to bypass it (and even several different types of viruses). Also, I wouldn't be surprised if some of the already existing viruses are able to bypass it - but I haven't checked and this is something rather difficult to test.

> what makes for a good CRC checker... I know a lot about viruses, but
> my knowledge of CRC calculation techniques is pretty limited...

You need a few basic documents, all available in electronic form:

1) ftp.informatik.uni-hamburg.de:/pub/virus/texts/security/crc.zip. This is the ultimate guide to CRCs. Everything you always wanted to know about CRCs (but were afraid to ask). :-) Well, not everything really. It lacks a detailed guide on how to break them. :-))

2) ftp.informatik.uni-hamburg.de:/pub/virus/texts/crypto/md[45].zip. Those are two files, describing two cryptographically strong hash functions (sample C source is included). A third such function can be found in the file shs.zip in the same directory.

3) Yisrael Radai's paper on integrity checking.
It's a huge paper, more like a small booklet (54 pages), and explains about everything you need to know about using integrity checking for anti-virus purposes. It contains an excellent discussion about how to design fast, yet still secure (for virus protection purposes; not secure from the cryptographical point of view) integrity checkers. The paper is in PostScript form, but is not yet available for distribution; you'll have to kindly ask Yisrael about it.

4) ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/attacks.zip. A paper of mine, which nicely complements Yisrael's and explains how NOT to design an integrity checker - i.e., what are the different kinds of attacks that a virus could use against it and how to thwart them.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Tue, 21 Jun 94 14:58:33 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ARJ-, ZIP-viruses ?

Kazatski Oleg Nikolaevitch (kazatski@kartaly.chel.su) writes:

> Are there scanners which scan viruses in compressed,
> self-extracting programs and .ARJ (.ZIP) files ? What is its name ?

Yes, there are several. Two of the best I've seen are AntiVirus Pro and UTScan (from Untouchable). The first program is Russian, BTW, and is excellent in almost any other way. (Well, the integrity checker is not good enough, and it doesn't include a resident scanner.) It is shareware and is available from our ftp site:

Site:  ftp.informatik.uni-hamburg.de
IP:    134.100.4.42
Dir:   /pub/virus/progs
Files: avp_200.zip, avp_200c.zip, avp_200d.zip, dr_et.zip, pm940506.zip
       (you need all of them)

> Are there viruses which really infect .ARJ and .ZIP files ?
I know of only one such virus - the Russian virus Archive_Worm, which infects ARJ archives. However, it is not the existence of such viruses that creates the need to scan inside archives - it is the fact that many packages are distributed in archived form, and people want to be able to scan them for viruses, without having to manually unpack them first.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Tue, 21 Jun 94 15:02:20 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Bad and good viruses...

Kazatski Oleg Nikolaevitch (kazatski@kartaly.chel.su) writes:

> Tell me please about Potassium Hydroxide virus.

This is a master boot record infector, a variant of Stealth_Boot, written by Mark Ludwig. It encrypts the volume it infects, using a cryptographically strong algorithm (IDEA) with a user-supplied passphrase. Some people claim that it is "beneficial", because it does something useful (protects the information on your disks from prying eyes) and because it asks your permission before infecting a disk. Of course, such claims are completely bogus, as I have explained in one of my previous messages here. (Hmm, I didn't see it appear, but there have been some problems with this newsgroup lately...)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Thu, 23 Jun 94 10:03:04 -0400
From:    CELUSTP@cslab.felk.cvut.cz
Subject: Re: Fred Cohen and computer viruses

Hi all,

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

S: 1. Who are "we"?

VB: We, the users. We, the anti-virus researchers.

We = users; We = anti-virus researchers; => users = anti-virus researchers

Is that true?

S: 3. Does any statistical data exist about bugs per byte of code in computer
S: virus ("real" or not) code in comparison with bugs per byte of code in
S: "normal" application code?

VB: No, I am not aware of any, but 98.47% of all statistics are made up
VB: anyway. :-) Well, you can create some yourself. One of the buggiest
VB: commercial packages around - Microsoft Word for Windows - has about
VB: 8,000 bugs and occupies several megabytes (forgot how much). Most
VB: viruses I have seen are 200-4000 bytes long and about half a dozen
VB: bugs each. A (*very*) rough computation shows that the average virus
VB: has more bugs per byte than the buggiest commercial package.

For valid statistics one should compare a sample of randomly chosen viral programs with a sample of randomly chosen non-viral programs. The programs in both examined groups should be of similar length, i.e. if viruses are 200-4000 bytes long, the length of the non-viral programs should vary within those limits too. After the bugs in every group are counted and the same statistical analysis is performed for every group, the obtained results can be compared.

VB: In that definition Vesselin Bontchev was trying to make sense from a
VB: scientific point of view. Dr. Cohen's definition also makes sense from
VB: a scientific point of view. However, the average user doesn't give a
VB: dime for the scientific point of view and stands on practical
VB: reasoning.

Is the scientific point of view not good for practical reasoning?

S: 5. Consequently, one could conclude that "real viruses" are not computer
S: viruses. What are they?

VB: I lost you here. How exactly did you conclude the above from the
VB: premises listed? The most one can conclude is that the "real viruses"
VB: are not the benevolent viruses Dr. Cohen is talking about - which is
VB: exactly what I am trying to point out.

"Replication", "reproduction" or "infection" is an essential characteristic of a computer virus. In the simplest definition a computer virus is "a program that reproduces" (by Fred Cohen). Let us denote the computer virus with A and reproduction with B. Then we can say: A has feature B.

By what is said on this forum about "real viruses", the simplest definition of a real virus is "a program which sneaks around and infects people's computers without their knowledge and authorization" (by Vesselin Bontchev). If we denote the real virus with C and "sneaking around...etc." with D, then we can say: C has feature D.

Comparing B with D it is obvious that B is not equal to D (assuming that the words used follow the logic of natural language). If B is not equal to D, it implies that, comparing A and C, A is not equal to C, because the "operation" - "has feature" - is the same between A and B, and C and D. (Of course, if the language used is such that "sneaking around..etc." has the same meaning as "reproduction" then A is equal to C).

VB: Performing experiments is a completely different thing. I also have
VB: about 4,300 viruses on my machine, but wouldn't like to run even a
VB: single one while I am using the machine for normal work. So, let me
VB: ask again - would you want a virus running on the computer you are
VB: using every day for work unrelated to virus experiments?

Yes, the benevolent one(s).

S: The other "beasts" could be
S: called "real viruses", "malicious software" or something else, why not?

VB: That's why I (Dr. Solomon, actually) proposed this term.

Vesselin Bontchev = Dr. Solomon? Why does Dr. Solomon not speak for himself?
S: The understanding
S: requires sometimes particular knowledge of mathematics.

VB: The general public doesn't have one, which is why they don't
VB: understand him.

What is the "general public"? If the word "general" denotes the diversity in education of the people meeting viruses in this or that way, then it is reasonable to think that some of them will have some knowledge of mathematics. Besides, to understand Fred Cohen's work one needs some knowledge of set theory and the basics of mathematical logic. I think that most technically oriented educational organizations cover this area. If not, books with the basics of set theory are widely available.

VB: I am tempted to quote the FAQ of a sceptics' newsgroup: Yes, they
VB: laughed at Galileo, and they laughed at Einstein - but they also
VB: laughed at Coco the clown.

Was Coco the clown talking about the general theory of relativity, or was Einstein making funny tricks?

Anyway, I agree with Fred Cohen's proposal about discerning between benign and malign viruses. In fact there is an article, An Abstract Theory of Computer Viruses by Leonard M. Adleman, which introduces a more differentiated notation. He derives from basic mathematical definitions the following features of a virus: "is pathogenic", "is contagious", "is benignant", "is a Trojan horse", "is a carrier", "is virulent". According to these features there are four types of viruses: "benign", "Epeian", "disseminating" and "malicious". Good for a start.

Cheers,

Suzana

          If you know what you are talking about, you have
          something more valuable than gold or jewels.
                                          - Proverbs 20.15 -
- ---------------------------------------------------------------------------
Address: Suzana Stojakovic-Celustka         e-mail addresses:
         Department of Computers            celustka@sun.felk.cvut.cz
         Faculty of Electrical Engineering  celustkova@cs.felk.cvut.cz
         Karlovo namesti 13                 celust@cslab.felk.cvut.cz
         12135 Prague 2                     phone : (+42 2) 293485
         Czech Republic                     fax   : (+42 2) 290159

------------------------------

Date:    Thu, 23 Jun 94 10:05:03 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The truth about good viruses

Scott Ste Beardsley (39534@chopin.udel.edu) writes:

> By this token MS-Windows is a
> horridly evil virus, and much of what people use today are
> "unquestionably a bad thing."

\jokemode=on

Uhm, I wouldn't disagree with that... :-) Lessee:

Pro:

1) It is very widespread.
2) It steals the control of your machine from you.
3) It displays funny messages on the screen.
4) It eats up disk space and memory.
5) It slows down your computer to a crawl.
6) It randomly crashes your machine.

Yep, must be a virus...

Con:

1) Computer viruses actually *do* something.
2) The authors of computer viruses support their products and regularly release new versions.

Nah, it probably ain't a virus after all...

Hey, you can use it to create a copy of it, so it is a virus even according to Dr. Cohen's definition!

\jokemode=off

> Most of the users outthere have no
> idea of what code does, they can't know what things do in their
> instruction set, they don't know how to give authority, they just put
> a disk in and type "install" In this way the majority of commercial
> software is evil...

However, all this "evil software" is produced by known companies, with tech support lines. If a virus screws up your hard disk, you can't call the author and request an upgrade.
> BUT, I think better judgment would be to throw out the idea of
> good/bad and go with helpful, or hurtful, and leave behind the
> connotations of good and bad, after all can a 1 or 0 be bad or good?

By itself, it cannot - it is neutral. However, its *usage* can be a bad or a good thing. The fact that computer viruses exist is not a good or a bad thing per se (except in the "tough luck" sense) - but the fact that they can be and are used to destroy other people's data and/or waste their time, efforts, and money *is* a bad thing.

> Someone already mentioned the KOH virus, that encrypts and
> protects your HD. It is a virii but its replication and its
> infection, even tho it is a controlled infection, you could say it is
> like a vaccine, tho it doesn't protect against itself as a vaccine
> would, but it is a controlled infection designed to be helpful. The

Nonsense. I keep hearing about this "beneficial KOH virus". This is TOTAL NONSENSE (and I am tempted to use a stronger word). I already posted a message explaining why it is so - didn't it make it? Maybe I should post about it again?

> I think the way that I look at it is that "virus" is not good or evil
> or any connotation like that, those are judgment calls of the
> particular user/victim/whatever. It's just another string of code
> that can either do things good or bad. If you don't want your system
> executing that code, then you may see it as bad, but if you want your
> system to execute it(KOH) then it might be good to you. But if your

I tend to agree with this. If you don't want it to run on your system and it still runs, then this is bad for you - yes, I definitely agree. My point is that this is so for almost every user - they don't want viruses to run on their systems (anybody volunteering to run that Super Duper Destructive Virus on their hard disk? Anyone?), but those viruses try to, nevertheless. That's why computer viruses are considered as bad by most people.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Thu, 23 Jun 94 10:05:31 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Nomenclature

Fredrick B. Cohen (fc@Jupiter.SAIC.Com) writes:

> How about this for a way to differentiate different types of viruses:

> Malicious viruses

OK, I can give you about 5,000 examples of this category.

> Benevolent viruses

Care to provide some examples of this category? And convince us that they are really benevolent, do not cause harm, and do a job that cannot be done (or not so effectively) by non-viral means? Mind you, I'm confident that you can come up with a couple of valid examples. Heck, even I can come up with at least one. Now, isn't that second category a bit small? Too artificial? Not worth even mentioning, considering the overwhelming majority of the first category? Even harmful to mention and promote, because its sole existence will be used by irresponsible twits to create viruses of the first category? Think again.

> I think this is less misleading than the term "Real viruses", and it clearly
> indicates both the meaning (which Real does not) as well as educating the
> reader (there may be either kind) and retaining a short and readable text.

I think not. The term "real viruses" emphasizes that those are the viruses you are likely to meet in reality - unlike the purely theoretical constructs some scientists like to play with.

> The problem with the term Real is that it is misleading in the sense that
> it somehow implies that benign viruses are imaginary, which they are not.

It is not misleading.
Describe one of your "benign viruses" and lots of people will wonder - "But is it *really* a virus?". DISKCOPY is a virus, according to you - but is it *really* a virus? Is it a Real Virus? Nope.

> As to the person who posted that this stuff isn't interesting compared to which
> new strain of Jerusalem McAfee's virus defense gives a false positive for in
> scanning version 3.4.5 of the newest package by Xray Inc, I disagree.

Yep, that stuff is terribly boring - quite unlike playing with theoretical concepts. Unfortunately, it is boring, but *important* stuff - representing *real* problems that *real* people have every day with *real* viruses.

> As to the difficulty of teaching people about two kinds of viruses, try this
> little bit of text:

> Computer viruses are computer programs that reproduce. Some of these viruses
> are intended to harm people by damaging their information systems, and we call
> them malignant. Other viruses are intended to demonstrate a concept, to
> explore issues in artificial life, or even to do useful functions. We call
> them benign.

Nope, it's wrong and not good for educating people. It implies that if a virus is not intended to do harm, then it is "an OK thing". This is wrong; most of the Real Viruses are not intended to cause harm - but they do nevertheless - because of incompatibilities, bugs, and because of the time, resources, and money wasted to detect and remove them. Therefore, I prefer to speak about viruses that are intentionally destructive and viruses that are not intentionally destructive. I tend to avoid words like "benign" and "harmless" when applied to computer viruses. Real computer viruses, that is.

> This doesn't seem much harder to understand than this version which is wrong:

> Real viruses are malicious little programs that, unbeknownst to the user,
> enter their computer system, modify their programs, and destroy their information.
It *is* wrong (it doesn't mention the most important property of the virus - its ability to replicate), but then I was not trying to give an exact definition. I was merely trying to express what most people understand when they hear the term "computer virus".

> The point is, we can present the right information in a readable way if we
> just try to.

We certainly can, and I am sure that we all are trying to. But, hey, Dr. Cohen, even you made a mistake in your definition above. You made another one, in one of your first papers that contains the so-often-cited natural-language definition of the term "computer virus". Now, if even *you* are making such mistakes, what about us, the mere mortals? :-) My point is that it is *easy* to make a mistake when trying to explain computer viruses to people that know nothing about it and that we should take extreme care and think how our words could be misunderstood and/or misinterpreted. In particular, virus writers often misinterpret your words about "benign viruses" to make up an excuse for their unethical and often criminal acts.

> I too have been a hacker (as opposed)
> to a cracker) and hope to change the usage of those terms just as I hope to
> get people to use the correct usage of virus.

Good luck. You will fail, in both cases. :-) I am also using the terms "hacker" and "cracker" in the way you understand them, but I have long given up any hope of changing the general public's opinion about this.

> And the best way to do this is
> to get the members of this group to start using the terms correctly, because
> this group is influential, and you have to start somewhere.

I'd agree with the above, *if* the change was not harmful. And saying that there are "benign" viruses, without carefully explaining what you mean exactly, *is* harmful, IMNSHO, for a reason I've stated multiple times - it is misused by the crowd of virus writers to excuse their deeds.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Thu, 23 Jun 94 10:07:37 -0400
From:    umchu023@cc.umanitoba.ca (Andy Hon Wai Chu)
Subject: Re: Bad and good viruses...

> Hi !
> 12 May bradleym@netcom.com (Bradley) wrote:
>> How about KOH? Also the Potassium Hydroxide virus. It will encrypt your
>> HD for you using the IDEA algorithm.

> Tell me please about Potassium Hydroxide virus.

>> A virus by nature is what? It's intention is to produce copies
>> of itself and attach these copies to your programs (without you
>> knowing) and either display a message, play a tune, fill up your
>> disk, destroy data etc... How can this be good? NOT POSSIBLE!!!

It is funny that there is a virus called "Good virus" (Virus - Allan Lundell 1989), originally written in West Germany, a virus that won't let "unknown" programs run on one's machine. If the programs to be run aren't already infected with this virus, they won't be allowed to run at all. Sounds like an Anti-virus Virus !!!

- --
- --------------------------------------------
Andy Hon Wai Chu
email: umchu023@ccu.umanitoba.ca

------------------------------

Date:    Thu, 23 Jun 94 10:08:20 -0400
From:    iolo@mist.demon.co.uk (Iolo Davidson)
Subject: Good viruses/Bad viruses

> it is unethical
> to let anti virus vendors sell millions of copies of their
> software on the basis of people's ill founded fears.

The fears are well founded. Businesses that suffer a virus attack lose a lot of money just in the clean up. Anti-virus software is a minimal expense, comparable with paying to put locks on the doors of the company premises.

> >You will discover that most of them understand a computer virus
> >as "something that came when I didn't want it".
>
> Or "something that came when I was leeching several megs of
> software that I didn't pay for". There seems a much higher
> incidence of viruses transmitted in pirated software than in
> original copies, who are we protecting here?

Not in my experience. Viruses "come" with any source of software including shrink wrapped products, brand new computers straight from the manufacturer, and bulk supplies of "blank" preformatted disks.

You complain that anti-virus researchers are motivated by their making a living off their work. Apologists for virus writers have a motivation too. The fact that no money is involved does not make it noble.

- --
     PUT YOUR BRUSH          NEEDS A
     BACK ON THE SHELF       SHAVE ITSELF
     THE DARN THING
                               Burma-Shave

------------------------------

Date:    Thu, 23 Jun 94 10:10:43 -0400
From:    buster@klaine.pp.fi (Kari Laine)
Subject: Re: Stealth and Self-encryption

itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton) writes:

>From: itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton)
>Subject: Stealth and Self-encryption
>Date: Tue, 21 Jun 1994 10:23:12 EDT

>Hi,

>This may be an ignorant question, but can anyone please explain
>the difference between stealth techniques and self-encryption?

Stealth is the technique of hiding the changes a virus makes when it infects host files and/or boot and/or partition sectors. For example, if you try to look at an infected boot sector, the virus makes sure you see the original one, which it has put aside to be shown to you if you come around asking for it :-) This requires the virus to hook many interrupts of the BIOS and DOS.

Encryption (polymorphism) is used to make the virus look different each time it infects a file and thus make searching for it more difficult.

So actually these are totally different things, and the aims that virus authors (scumheads) try to achieve with these are quite different.

>Is either one something to do with making a DIR command (for
>example) not include the extra size due to the virus?

Stealth would do it.
Regards
Kari Laine

------------------------------

Date:    Thu, 23 Jun 94 10:10:27 -0400
From:    v922340@si.hhs.nl (Snaaijer, I.H.)
Subject: Re: Stealth and Self-encryption

itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton) writes:

- ->This may be an ignorant question, but can anyone please explain
- ->the difference between stealth techniques and self-encryption?
- ->
- ->Is either one something to do with making a DIR command (for
- ->example) not include the extra size due to the virus?

That's a typical example of a Stealth technique; others are hooking int13 and, when asked for, replacing the infected bootsector with an original one. The idea is to make the virus invisible for the user or user programs (scanners).

The idea behind encryption is not hiding, but making the code unrecognizable, so signature seekers won't help you finding the virus.

If you combine the two techniques you can create code that is rather hard to find, and unfortunately it also happens.

- ->
- ->What does either method involve?

Hope I helped you.

- ->
- ->Thanks in advance,
- ->
- ->Chris

Ivar.

+---------------------+-----------------------------------------------------+
| uu   uu sssss sssss | Ivar Snaaijer.       E-mail : v922340@si.hhs.nl     |
| uu   uu ss    ss    +-----------------------------------------------------+
| uu   uu sssss sssss | "Violence is the last refuge of the incompetent"    |
| uu   uu    ss    ss |                                           -Asimov   |
|  uuuuu  sssss sssss |           -= This space is for $ale =-              |
+---------------------+-----------------------------------------------------+

------------------------------

Date:    Tue, 21 Jun 94 15:06:05 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: OS/2 Viruses? Are there any of those? (OS/2)

(AMIR77@taunivm.tau.ac.il) writes:

> I'd like to know if there are any OS/2 viruses?

Yes, I am aware of at least two OS/2-specific viruses. Also, many of the MS-DOS viruses can work perfectly in a DOS emulation box under OS/2.
> As far as I know, DOS viruses use TSR in order to stay in memory
> and infect other programs.

Those two viruses are not memory resident. The first is a silly (and rather buggy) overwriting virus. The second is a non-resident virus, which spawns a copy of the original file on execution and then executes it as a subprocess.

> OS/2 doesn't have TSRs so any "out-of-the
> ordinary" apps can be detected by task-list. I know

I am by no means an OS/2 expert, but I tend to disagree with the above. I think that there *are* ways to make viruses for OS/2 that will be far from trivial to spot. However, until such viruses begin to appear, I prefer to keep those thoughts of mine to myself.

> that it is possible to write trojan horses for OS/2, but is it
> possible to write viruses?

It is possible to write viruses for almost any kind of general-purpose computing system.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Thu, 23 Jun 94 10:04:25 -0400
From:    ykchung@Winkie.Oz.nthu.edu.tw (Jimmy Chung)
Subject: Re: OS/2 Viruses? Are there any of those? (OS/2)

(AMIR77@taunivm.tau.ac.il) wrote:

> Hi,
> I'd like to know if there are any OS/2 viruses?

Yes. There are 2 os/2 viruses now, as I know. :))

Jimmy
- --

------------------------------

Date:    Thu, 23 Jun 94 10:09:11 -0400
From:    iolo@mist.demon.co.uk (Iolo Davidson)
Subject: OS/2 Viruses? Are there any of those? (OS/2)

> I'd like to know if there are any OS/2 viruses?

Yes.

> As far as I know, DOS viruses use TSR in order to stay in memory
> and infect other programs. OS/2 doesn't have TSRs so any "out-of-the
> ordinary" apps can be detected by task-list.
Many DOS viruses don't go TSR, but just infect another program, or a directory full of programs, every time you run an infected executable.

- --
     PUT YOUR BRUSH          NEEDS A
     BACK ON THE SHELF       SHAVE ITSELF
     THE DARN THING
                               Burma-Shave

------------------------------

Date:    Tue, 21 Jun 94 15:23:04 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FORM and SPANISH Telecom? (PC)

Jerry Gerace (gerace@ucsu.Colorado.EDU) writes:

> I just got done disinfecting several PC's that had the Form virus on it.
> Happy to say, it's a pretty tame virus. No stealth at all, isn't harmful,
> just sits there duplicating with itself.

"Just"? Uhm, well... sort of... When it infects the hard disk, Form overwrites the last cluster of the bootable partition with the second part of the virus body, without bothering to check whether the cluster is free, or even whether this is a DOS partition. Results? If you had a file that includes this last cluster (e.g., if your disk is nearly full, or fragmented), you can say "bye-bye" to that file. Surprise, surprise, many "unformatting" programs save a vital part of their disk recovery information in a file that occupies guess what? - right, the last cluster of the volume. Also, removing Form from an OS/2 system that has BootManager installed and is using HPFS volumes is a *very* tedious procedure.

Remember, there ain't no such thing as a "harmless" computer virus. A "harmless" *real* computer virus, that is.

> I did a warm boot and it just couldn't make it. Easily disinfected with
> F-prot, although apparently (before I arrived on the scene), Norton Anti-Virus
> screwed up a few floppies while attempting to disinfect (it somehow screwed
> up the MBR instead of just using the stored copy the virus makes) but the
> disks were fairly easily recovered.

Hm, strange. NAV is generally one of the worst anti-virus products around, but even it should be able to cope with the most widespread viruses like Form.
Are you sure you have used the latest version? Have you contacted the tech support?

Regards,
Vesselin

------------------------------

Date: Tue, 21 Jun 94 15:25:08 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MtE Virus info wanted (PC)

Jeff E. Lewis (U12585@uicvm.uic.edu) writes:

> I would appreciate information on "MtE" which I "found" on my
> machine with Norton Antivirus 2.1. This was NOT indicated by

This is quite probably a false positive from an obsolete version of NAV. Older versions of NAV are known to have had this problem.

> but there was no doubt that something was present since scandisk
> recovered 90 mb of hard disk space 11 days after I started using
> the indicated infected program.

This *might* be caused by a virus, but unlikely.

Regards,
Vesselin

------------------------------

Date: Tue, 21 Jun 94 15:27:50 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ** Date recovery after Michelangelo virus infection ** (PC)

Fridrik Skulason (frisk@complex.is) writes:

> Maybe this should go into the FAQ....

Maybe not, having in mind that it is incorrect. :-)

> When the Michelangelo virus activates, it overwrites the first 9 sectors
> on heads 0-3 on every track of the hard disk.

Nope.
When the Michelangelo virus activates, it overwrites the first 17 sectors on heads 0-3 on the first 256 tracks of the disk it has been booted from.

Regards,
Vesselin

------------------------------

Date: Tue, 21 Jun 94 15:35:33 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Thunderbyte Antivirus (PC)

KMJ Enterprises (iiggii@mixcom.mixcom.com) writes:

> Has anyone heard of/used thunderbyte antivirus?

Yep, it's a rather popular shareware anti-virus product.

> How does it compare
> (reliability, speed, etc) to some of the others - McAfee, SP, Norton,
> etc?

I don't know what "SP" is. The scanner in TBAV is definitely the fastest scanner around. Its closest competitor is more than two times slower than it. Its detection rate is *much* better than NAV and rather better than SCAN. The package also contains a more complete set of anti-virus tools. However, there *are* scanners with even higher detection rates (F-Prot, AVP, and several others). The disinfector included in the package shouldn't be relied upon, unless you also use the integrity checker - but then, my opinion is that virus disinfection shouldn't be relied upon in principle. Also, the scanner has its share of bugs; it keeps crashing when scanning some weird boot sectors (but then, so does SCAN). In short, the package is definitely better than either of the two products you mentioned, but I wouldn't call it the best around.

Regards,
Vesselin

------------------------------

Date: Thu, 23 Jun 94 10:02:28 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help: W-boot or Swiss Variant Virus (PC)

Fridrik Skulason (frisk@complex.is) writes:

> >F-Prot 2.12 identifies it as "W-boot - unknown" and apparently
> >cannot get rid of it. The docs also say it cannot be
> >disinfected.

> My guess is that this is a slightly modified W-boot variant - the "unknown"
> part simply means that the checksum doesn't match, but it appears to be
> more-or-less like the original.

Uhm, Frisk, sorry to contradict you, but you are wrong on this one. First, the original poster is right - according to the documentation, F-Prot 2.12 is unable to remove even the "original" W-Boot virus. (Version 2.12c is able to remove it.) Second, my latest tests show that F-Prot says "- unknown" about viruses it should know about a bit too often. It says so about 63 viruses out of the 356 boot sector viruses in my collection. I guess your checksums need to be fixed a bit.

Regards,
Vesselin

------------------------------

Date: Thu, 23 Jun 94 10:02:51 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help! Checksums keep changing .......... (PC)

vcurtis (vcurtis@relay.nswc.navy.mil) writes:

> The checksum had been changed on nearly every .exe, .com, & .dll file on
> my system. The scan showed no virus however. One other strange problem
> occurred. About 75% through the virus scan, the program quit with this
> message: "MWAV caused a General Protection Fault in Module MWAVSCAN.DLL
> at 0001:0C77."
> It threw me out of the program and back to program manager.
> I tried to execute the Anti-Virus program again, and all it would do is
> give me the following message "Unable to lock conventional memory." It
> would not even try to run.

MSAV is total junk. It keeps crashing, does not detect viruses, causes false positives... In short - delete it and don't trust anything it says. Get a better anti-virus product - there are a few pretty good ones out there, but MSAV/CPAV is not one of them, definitely.

Regards,
Vesselin

------------------------------

Date: Thu, 23 Jun 94 10:03:45 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: HELP: How add code into .EXE ? (PC)

Michael Cale' (cogni@actcom.co.il) writes:

> Now I try to write a basic ANTI-viral program that adds to the user's program a short
> code that will check a CRC (or something similar) before running the program. Adding any

That's a *very* bad idea. Don't do it. Modifying other people's programs is always wrong and often causes problems. Think about all those self-checking programs (i.e., most anti-virus programs) that will suddenly stop working after you "immunize" them. Think about all those integrity checkers that will scream "Virus!" when the user uses your program and modifies all of his/her programs. Think about all those heuristic analysers that will go bananas when they see a piece of code attached to the programs much like a virus. Think about all those stealth viruses that will happily bypass your check and continue to infect. In short - forget it.

> code to .COM is trivial, but with .EXE I have some problem. I think that I
> forget some needed actions and do part only.
> I add my code INSTEAD OF the starting
> part of the .EXE (after the header part) and try to change it back at run time, and also
> change the relocation table but... have problems. :(

Oh-la-la... :-( Even the viruses are doing it in a better way. They do not mess with the beginning of the code nor with the relocation items. Instead, their code is fully relocatable, is appended at the end of the EXE files, and the CS:IP fields in the header are changed to point to the appended code. After the code finishes with its work, it transfers control to the original entry point - usually by pushing the original CS/IP values on the stack and executing a RET Far. But don't do that - it's a bad idea, as I explained above.

Regards,
Vesselin

------------------------------

Date: Thu, 23 Jun 94 10:04:03 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

Olivier Montanuy (montanuy@lsun75.cnet) writes:

> VALIDATE.COM and VALIDATE.EXE are currently used to authenticate the
> files contained in McAfee shareware packages, so as to prevent any
> insertion of viruses or trojans while they stay on public BBS or FTP
> servers. They are inadequate and may be misleading.

Yep. This is a known problem. It has been reported to McAfee years ago. Their answer (besides "So what?") is essentially that there is no easy way to do it right. You see, it is trivial to use a cryptographically strong hash function (e.g., MD4, MD5, SHA, etc.) instead of a CRC. But this just means that the forger will not try to forge it, but instead will modify the documentation that lists the correct values.
In fact, this is what the forgers do even now, because it is still easier than forging CRCs - something that few crackers know how to do.

A *real* solution would involve using public-key authentication. There is an archiver that provides such means - HPACK - but it is not as popular as PKZIP. Besides, almost anything related to public key cryptography has patent problems in the USA, where a company called Public Key Partners owns all patents in this area. And one of those patents contains claims that cover all possible public-key systems - even the ones that are not invented yet. If you think that this is ridiculous, I agree with you.

BTW, even if a public-key authentication mechanism is used, it will work only for people who already have the public key. First-time users of the product will still be vulnerable to a key spoofing attack. But I digress; this topic is more appropriate for sci.crypt.

> I won't publish the source code or the executable of my cheating program,
> and I will not discuss details of the cheating method, except with
> McAfee associates or trusted comp.virus contributors (if they care :-)

I'll be very interested to discuss (in private) the method you are using.

> VALIDATE.COM performs a double 16-bit CRC and VALIDATE.EXE a 32-bit
> (and somehow unorthodox) CRC.

The first two 16-bit CRC polynomials are public (and rather easy to determine anyway). How did you determine the 32-bit polynomial? Or does your attack involve determining the polynomial at all?

> I don't have a replacement of VALIDATE.COM and VALIDATE.EXE.

There can't be any. MD4, MD5, and SHA implementations are available from our ftp site, but as I explained above, this does not solve the problem.

> Anyway, it should be sufficient to authenticate only the length of
> the files in the compressed package (using 'pkunzip -l').

Certainly not!
> As a matter of fact I seriously doubt it is feasible to modify
> a file without affecting either the normal file length, or the
> compressed file length, or the compression method.

Alas, it is perfectly possible to modify the file without changing any of those. In fact, you can make the file contain anything you want, and just reserve the last 4 bytes of it, in which you put a special, computed value, in order to preserve the original CRC.

Regards,
Vesselin

------------------------------

Date: Thu, 23 Jun 94 10:08:13 -0400
From: tracker@netcom.com (Craig)
Subject: Re: Thunderbyte Antivirus (PC)

KMJ Enterprises (iiggii@mixcom.mixcom.com) wrote:

: Has anyone heard of/used thunderbyte antivirus? How does it compare
: (reliability, speed, etc) to some of the others - McAfee, SP, Norton,
: etc?

Vesselin Bontchev of Germany holds it in very high regard in his testing, right up there with F-Prot. It certainly stomps all over Norton, definitely McAfee, and even CPAV.

------------------------------

Date: 22 Jun 94 08:49:19 +0000
From: virusbtn@vax.oxford.ac.uk
Subject: Re: Monkey Virus (PC)

Steve Hathaway writes:

> A strain of Monkey Virus has been reported in Heppner, Oregon.
> This virus infects the boot block of disk drives and the disk partition
> table of hard disks. The FORMAT command cannot create a good format
> of any floppy disk in the presence of the Monkey Virus. The only way
> to eradicate the Monkey Virus is boot a virus-free DOS and recreate
> a new partition table and FAT tables on your hard disk (preferably
> after low-level format)

Presumably the disk is then cut into 1-inch size chunks, buried in soft peat for a year and recycled as firelighters, yes?
:-)

I posted a way to get rid of most Master Boot Sector infectors here a couple of months ago. If anyone wants it, I'll post it to them. Remember, there are very few common viruses which require you to low-level format your hard drive, though I guess if you have a backup it's one way. If the machine still boots DOS when it's infected, it is probably easily recoverable.

Regards,

Richard Ford
Editor, Virus Bulletin

------------------------------

Date: Thu, 23 Jun 94 10:08:55 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: FLIP and CANSU (V-SIGN) viruses (PC)

> My 260Mb h/d suddenly became 33Mb, and unreadable, and I can't
> work out which of these viruses actually did the damage. I've
> got a feeling it was FLIP

Yes, Flip puts hex FA FF in offset 13h and 14h of the DOS boot sector. Edit these back to 00 00 and your disk will be 260Mb again.

Incidentally, this is an example of a "harmless" virus that does damage, for those who believe in harmless or benign viruses. The virus was written before DOS 4 came along with the extended boot record. It alters the size of the disk in the DOS 3 style boot record, which is incompatible with the way drives larger than 32Mb are described in the DOS 4 to 6 boot record. This caused no problems under DOS 3.

If this were a "beneficial" virus, how would the author withdraw the old version that truncates disks when he updates it to the new, improved version?

------------------------------

Date: Thu, 23 Jun 94 10:10:09 -0400
From: martijnl@sci.kun.nl (Martijn Leisink)
Subject: Re: Thunderbyte Antivirus (PC)

iiggii@mixcom.mixcom.com (KMJ Enterprises) writes:

>Has anyone heard of/used thunderbyte antivirus? How does it compare
>(reliability, speed, etc) to some of the others - McAfee, SP, Norton,
>etc?
>advTHANXance
> ...Hank hobbes@mixcom.mixcom.com
>
>--

Thunderbyte is one of the best antivirus packages! It is the fastest, I think.
And it scans better than for example McAfee (since it is able to scan heuristically). No doubt, Thunderbyte is better than all others I know.

Martijn Leisink

------------------------------

Date: 22 Jun 94 08:43:51 +0000
From: virusbtn@vax.oxford.ac.uk
Subject: Re: Computer viruses for Sale (PC)

dhull@nunic.nu.edu (Dr. David B Hull) writes:

> At any rate, I just received a nice little CD-ROM from
> American Eagle Publications. It is really a knock out, with
> 527 major virus source codes and plenty of other interesting
> things. I happen to need it for my research into the
> morphology of computer viruses. But if my serial number of
> 001126 is true - oh boy ! I in one sense congratulate
> Mark (see sig), but it really does tread on dangerous ground.
> Ah well - I live in a main frame environment practicing
> "security by obscurity" - so I don't tell nobody nothin.

Mark Ludwig's CD-ROM is in some ways a major nuisance, and in some ways a minor annoyance. Firstly, nobody in the anti-virus industry wants to purchase it, because we (I think this is pretty much an industry wide view) would rather spend our money on other things. It sets a pretty bad precedent if we start paying for virus code. Heck, we would be getting close to commissioning the damn things.

Other than that though, I don't think we are going to see a virus explosion. Most of the people who are willing to cough up the money for the CD-ROM will probably be in a position to get hold of most of its contents anyway. Sure, we will see a few weird and wonderful viruses in the wild, and it will make it easier for those who want to hack a virus to do so, but on the whole (Please let me be right :) it won't make a big difference. I do however think it is unethical.

> OK if this newsgroup is alive - what happens next ! The
> man has just yelled fire in a crowded theater !

But what can we do about it?
The anti-virus industry is powerless to intervene - the only way you can change things is to get the US government to do something. Getting them to listen is really in the hands of the large US businesses. If they get enough complaints from the heavyweights they will listen. If not, then we can all go on living with it. It is really our own choice.

Regards,

Richard Ford
Editor, Virus Bulletin

------------------------------

Date: Thu, 23 Jun 94 10:11:09 -0400
From: v922340@si.hhs.nl (Snaaijer, I.H.)
Subject: Re: MtE Virus info wanted (PC)

"Jeff E. Lewis" () writes:

->I would appreciate information on "MtE" which I "found" on my
->machine with Norton Antivirus 2.1. This was NOT indicated by
->
->cpav (1991?)
->microsoft anti-virus (1993)
->mcafee scan 106
->mcafee scan 108
->

IF only NAV finds it, it's most likely to be a false alarm. See also more articles with comments on NAV.

->but there was no doubt that something was present since scandisk
->recovered 90 mb of hard disk space 11 days after I started using
->the indicated infected program.

I don't know which program it is or what its purpose is, but most applications written in Clipper are known to create lots of lost chains if you reboot when the programs are running. (This isn't a bug, just a matter of using a lot of large files.) Most applications do this to some extent. I know that 90MB is a lot of space, but if no other program is reported to have a MtE disguised virus aboard, it must be a misculous application. Try TBAV (v6.20) and F-PROT (don't know the last version) to be sure. Since the programs use different algorithms to detect MtE, it's almost impossible it comes through the 0.1% of both of them. (I don't know how McAfee detects MtE, but I haven't heard about algorithm checking in the other three.)

->Thanks,
->Jeff E. Lewis
->

Hope it will help you,

Ivar.

+---------------------+-----------------------------------------------------+
| uu   uu sssss sssss | Ivar Snaaijer.           E-mail : v922340@si.hhs.nl |
| uu   uu ss    ss    +-----------------------------------------------------+
| uu   uu sssss sssss | "Violence is the last refuge of the incompetent"    |
| uu   uu    ss    ss |                                            -Asimov  |
|  uuuuu  sssss sssss |            -= This space is for $ale =-             |
+---------------------+-----------------------------------------------------+

------------------------------

Date: Thu, 23 Jun 94 10:11:20 -0400
From: v922340@si.hhs.nl (Snaaijer, I.H.)
Subject: Re: Thunderbyte Antivirus (PC)

iiggii@mixcom.mixcom.com (KMJ Enterprises) writes:

->Has anyone heard of/used thunderbyte antivirus? How does it compare
->(reliability, speed, etc) to some of the others - McAfee, SP, Norton,
->etc?
->

I have been working with it for quite a while now. All the viruses I ever had an eye on were detected by TBAV, directly (signature+heuristics) or indirectly (heuristics and common sense). The speed is incredible, and the other utilities are quite good IF you use them. It also has a rather low number of false alarms, which is quite an effort with heuristics.

->advTHANXance
-> ...Hank hobbes@mixcom.mixcom.com
->
->--
->

Hope I helped,

Ivar

------------------------------

Date: Thu, 23 Jun 94 10:11:38 -0400
From: v922340@si.hhs.nl (Snaaijer, I.H.)
Subject: Re: Help! Checksums keep changing .......... (PC)

vcurtis@relay.nswc.navy.mil (vcurtis) writes:

->I ran the Microsoft Anti-Virus program in DOS 6.2 with the following
->options selected: Verify Integrity, Prompt While Detect, Anti-Stealth,
->and Check All Files.
->
->The checksum had been changed on nearly every .exe, .com, & .dll file on
->my system. The scan showed no virus however. One other strange problem
->occurred. About 75% through the virus scan, the program quit with this
->message: "MWAV caused a General Protection Fault in Module MWAVSCAN.DLL
->at 0001:0C77." It threw me out of the program and back to program manager.
->I tried to execute the Anti-Virus program again, and all it would do is
->give me the following message "Unable to lock conventional memory." It
->would not even try to run.

I can't think up a scenario why the CRC of all those files would change at the same time and nothing really happens. The only thing I can think of right now is a virus capable of dwelling undetected by MSAV, which is not unlikely because MSAV is rather widespread.

->
->I rebooted and tried again. Got same results as first time, changed
->Checksums, and GPF message, followed by conventional memory message on
->retry.
->
->I ran McAfee and F-Prot (April '94) on the system and they showed nothing.

This makes it unlikely that there is a REAL problem but MSAV; try a newer version of F-PROT or try TBAV (6.20). If both programs don't come up with something, delete MSAV and you don't have an infection anymore.

->
-> [...]
->If I turn off Anti-Stealth checking, I still get checksum changes, but
->no GPF message and the program completes its scan.

This is probably caused by a bit flaky implementation (my words only) of the BIOS-browser which gives Windows the hiccups.

->
->I don't know if this is symptomatic of some virus or what. I am very
->uncomfortable with this constantly changing checksum situation.

I can understand that. Try INTEGRITY MASTER to really find out what is changing.

->
->Can anyone offer any suggestions?
->

Hope I helped,

Ivar.

------------------------------

Date: Thu, 23 Jun 94 10:12:13 -0400
From: Henrik Stroem
Subject: Re: Monkey Virus (PC)

> Article 14072 of comp.virus:
> Newsgroups: comp.virus
> From: Steve Hathaway
> Subject: Monkey Virus (PC)
> Sender: virus-l@lehigh.edu
> Date: Tue, 21 Jun 1994 10:23:12 EDT

> A strain of Monkey Virus has been reported in Heppner, Oregon.
> This virus infects the boot block of disk drives and the disk partition
> table of hard disks. The FORMAT command cannot create a good format

Eh, not quite correct. It infects the Master Boot Record of hard disks, not the partition table. The partition table is a 64 byte small data area near the end of the Master Boot Record. Viruses usually infect code, not data.

> of any floppy disk in the presence of the Monkey Virus. The only way
> to eradicate the Monkey Virus is boot a virus-free DOS and recreate
> a new partition table and FAT tables on your hard disk

This is far from the only way of disinfection...

> (preferably
> after low-level format), then restore a bootable operating system
> and then your last good backup.

This is NOT the way to do it! You never need to format in order to get rid of a boot infector.

> If you are lucky enough to have your computer on a network with a file
> server, you may copy all of your application files to the server, and
> restore them from the server after you have a newly formatted and
> bootable hard disk. The Monkey Virus appears not to infect the structure
> of remote network disks.

It is a boot virus, not a file virus. Boot infectors cannot infect network disks.
Network disks are not bootable, so there is no point, even if the boot sector of the network disk was available AND readable.

I think you should read the FAQ for comp.virus, available by ftp from cert.org in directory /pub/virus-l as the file FAQ.virus-l

> If you boot a virgin DOS from diskettes and look for the hard disk,
> the absence of a recognizable partition table causes the hard-disk
> not to be recognized. The PCTOOLS DiskFix program can usually
> examine the appropriate contents of saved system configuration
> to rebuild a new partition on the hard drive, allowing recovery
> formatting to continue.

Check out the file killmnk3.zip available by ftp from 141.210.10.117 in the directory /pub/msdos/virus. It contains correct and detailed information about this virus, as well as a working disinfection program. No need for backups or formatting.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Thu, 23 Jun 94 11:51:50 +0100
From: Luca Sambucci <93647758S@sgcl1.unisg.ch>
Subject: Natas Virus Test

-----BEGIN PGP SIGNED MESSAGE-----

> NATAS VIRUS TEST
> Copyright (C) 1994 Luca Sambucci
> All rights reserved.
> Italian Computer Antivirus Research Organization

In the past few months a new, polymorphic, stealth, multipartite virus appeared in the wild: the "Natas" virus. A lot of antivirus producers soon updated their antivirus software to implement the detection algorithm for this virus. There is also a "special Natas version" of McAfee's VirusScan utility (VirusScan v.2.1.0).

Well, let's see how well the newest versions of some antivirus products can detect it.

The options used are the same used for the June 1994 edition of the General Antivirus Test, except for the "/CPL" option for AVScan (this product now scans inside compressed files by default). For all other information (product/producer information, legal issues etc.)
please refer to the June 1994 edition of the General Antivirus Test (always available on request or at our official distribution sites).

The following products have been tested:

Name                                 Version    Date (MM/DD/YY)  Producer
=-------------------------------------------------------------------------=
AVScan                               1.57       06/08/94         H+BEDV GmbH
AV Toolkit Pro                       2.00d      06/20/94         KAMI Ltd.
F-Prot                               2.12c      06/16/94         Frisk Soft. Int.
Sweep                                2.63Beta   06/06/94         Sophos Plc
ThunderByte AV                       6.20       05/06/94         ESaSS BV
ViruScan                             9.28V116_  06/02/94         McAfee Inc.
VirusScan                            2.0.2      06/02/94         McAfee Inc.
VirusScan (special "Natas" edition)  2.1.0      06/08/94         McAfee Inc.

TEST RESULTS

For the test I've infected 1200 files (600 COM, 600 EXE) with Natas replications. Here are the results (1200 replications):

  Antivirus         Rel.       Unrel.     %Total
  product           Detected   Identif.   Detected
  =----------------+----------+----------+===========+--=
  AVScan 1.57      |     0    |     2    <    0.17% >
  AVP 2.00d        |  1200    |     0    <  100.00% >
  F-Prot 2.12c     |  1196    |     1    <   99.75% >
  Sweep 2.63_      |  1197    |     1    <   99.83% >
  TbScan 6.20      |     0    |  1200    <  100.00% >
  ViruScan 116_    |     0    |    31    <    2.58% >
  VirusScan 2.0.1  |     0    |     0    <    0.00% >
  VirusScan 2.1.0  |  1191    |     0    <   99.25% >
  =----------------+----------+----------+===========+--=

Note: AVScan identified one replication as "MtE", and another as "TPE". F-Prot identified one replication as "Possibly new variant of Semtex". Sweep identified one replication as "MutaGen -> 1.10". TbScan detected all replications with the aid of the heuristic analyser (remember: used with the -noautohr switch). ViruScan 116Beta identified 30 replications as "TPE", and one as "MtE".
Best Regards,
Luca Sambucci

------------------------------

Date: Wed, 22 Jun 94 18:09:34 +0400
From: eugene
Subject: AVP 2.0 update D (PC)

Hello all!

Update D for Antiviral Toolkit Pro (AVP) ver. 2.0 is available on

anonymous ftp site (Germany):
ftp.informatik.uni-hamburg.de:/pub/virus/progs/avp_200d.zip

Virus Help Centre BBS (Sweden):
Line #1 +46-26-275710 USR DS Modem 2:205/204
Line #2 +46-26-275715 V32 Modem    2:205/234

Best regards,
Eugene Kaspersky

--
Eugene Kaspersky, KAMI, Moscow, Russia
eugene@kamis.msk.su +7 (095)278-9412

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 44]
*****************************************
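An added example, not part of the digest or of any product named in it: the Flip damage that Iolo Davidson describes above (hex FA FF at offsets 13h-14h of the DOS boot sector, 00 00 to repair) turned into a check-and-repair routine over a constructed DOS 4 style boot sector. The 32-bit total-sectors field at offset 20h and the rest of the BPB layout are standard DOS facts; the sample sector and the function names are my own.

```python
"""Detect and repair the Flip boot-sector damage described in the digest.

Flip writes FA FF into offsets 13h-14h of the DOS boot sector: the DOS 3
style 16-bit "total sectors" field of the BIOS Parameter Block (BPB).
DOS 4 and later set that field to 0 on volumes over 32 MB and keep the
real size in the 32-bit field at offset 20h.  With 0xFFFA (65530) in the
16-bit field, DOS sizes the volume as 65530 * 512 = 33,551,360 bytes,
which is the "260Mb became 33Mb" symptom from the posting.

The boot sector below is constructed for this demonstration; it is not a
capture from an infected disk.
"""
import struct

BYTES_PER_SECTOR_OFF = 0x0B  # BPB: bytes per sector, 16-bit
TOTAL_SECTORS_16_OFF = 0x13  # BPB: DOS 3 style total sectors, the field Flip hits
TOTAL_SECTORS_32_OFF = 0x20  # BPB: DOS 4+ total sectors for volumes > 32 MB
FLIP_BYTES = b"\xfa\xff"     # what Flip leaves at 13h-14h (0xFFFA little-endian)
BOOT_SIGNATURE = b"\x55\xaa"


def make_boot_sector(total_sectors, bytes_per_sector=512):
    """Build a minimal 512-byte DOS boot sector whose BPB describes a volume
    of `total_sectors`.  Small volumes use the 16-bit field (DOS 3 style);
    larger ones zero it and use the 32-bit field, as DOS 4+ does."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x3c\x90"       # JMP SHORT over the BPB, NOP
    sector[3:11] = b"MSDOS5.0"          # OEM name
    struct.pack_into("<H", sector, BYTES_PER_SECTOR_OFF, bytes_per_sector)
    if total_sectors < 0x10000:
        struct.pack_into("<H", sector, TOTAL_SECTORS_16_OFF, total_sectors)
    else:
        struct.pack_into("<H", sector, TOTAL_SECTORS_16_OFF, 0)
        struct.pack_into("<I", sector, TOTAL_SECTORS_32_OFF, total_sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def volume_bytes_as_dos_sees_it(sector):
    """Size in bytes that DOS derives from the BPB.  A nonzero 16-bit total
    takes precedence; only when it is 0 is the 32-bit field consulted.
    That precedence is exactly why Flip's two bytes shrink the volume."""
    bps = struct.unpack_from("<H", sector, BYTES_PER_SECTOR_OFF)[0]
    ts16 = struct.unpack_from("<H", sector, TOTAL_SECTORS_16_OFF)[0]
    ts32 = struct.unpack_from("<I", sector, TOTAL_SECTORS_32_OFF)[0]
    return (ts16 if ts16 else ts32) * bps


def looks_like_flip_damage(sector):
    """True when 13h-14h hold Flip's FA FF *and* the 32-bit field is nonzero.
    A valid BPB never has both totals set, so the pair is the tell-tale.
    A genuine DOS 3 volume of exactly 65530 sectors (FA FF with a zero
    32-bit field) is left alone, which is the caveat a repair tool needs."""
    if bytes(sector[510:512]) != BOOT_SIGNATURE:
        return False                    # not a boot sector at all
    ts16_raw = bytes(sector[TOTAL_SECTORS_16_OFF:TOTAL_SECTORS_16_OFF + 2])
    ts32 = struct.unpack_from("<I", sector, TOTAL_SECTORS_32_OFF)[0]
    return ts16_raw == FLIP_BYTES and ts32 != 0


def repair_flip_damage(sector):
    """Apply the fix from the posting: write 00 00 back over 13h-14h.  Sectors
    that do not show the damage are returned unchanged, so running this over
    a clean disk is a no-op."""
    if not looks_like_flip_damage(sector):
        return bytes(sector)
    fixed = bytearray(sector)
    fixed[TOTAL_SECTORS_16_OFF:TOTAL_SECTORS_16_OFF + 2] = b"\x00\x00"
    return bytes(fixed)


# Constructed sample data: a 260 MB volume (260 * 1024 * 1024 / 512 sectors)
# before and after the two bytes Flip writes.
CLEAN_SECTOR = make_boot_sector(260 * 1024 * 1024 // 512)
DAMAGED_SECTOR = (CLEAN_SECTOR[:TOTAL_SECTORS_16_OFF] + FLIP_BYTES
                  + CLEAN_SECTOR[TOTAL_SECTORS_16_OFF + 2:])

if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_SECTOR), ("damaged", DAMAGED_SECTOR)):
        size = volume_bytes_as_dos_sees_it(sec)
        print(f"{label:8s} DOS sees {size:>11,d} bytes ({size / 1e6:.1f} MB)"
              f"  flip damage: {looks_like_flip_damage(sec)}")
    print("repaired matches clean:",
          repair_flip_damage(DAMAGED_SECTOR) == CLEAN_SECTOR)
```

Against a real disk the sector would come from reading logical sector 0 of the volume (not the MBR) and the repair should only ever be written back after a sector-level backup.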