VIRUS-L Digest    Tuesday, 9 Aug 1994    Volume 7 : Issue 62

Today's Topics:

Re: GOOD vs. BAD HUH?
Re: The truth about good viruses
Re: books on virus' and their history?
Re: ARJ-, ZIP-viruses ?
Re: Fred should owe me a grand ?
Re: The truth about good viruses
Re: Stop the Madness! :-)
Re: Viruses = Commercial Opportunity?
Re: Disabled viruses?
Re: Bad and good viruses...
Re: anti virus viruses
benevolent virus found !
Re: Good Viruses
Immune System for PCs from IBM
Unix Virus Query (UNIX)
F-Prot in SHEZ (PC)
Re: Why so many Leprosy viruses? (PC)
Re: Why so many Leprosy viruses? (PC)
Re: "New" Virus found? (PC)
Re: NAV 2.0 gives false "Maltese Amoeba" alarm (PC)
Re: Killing the Monkey Virus (PC)
Re: generic virus question (PC)
HS v3.59 Beta (PC)
Can't Trace the Trouble! What Virus is this???? (PC)
Re: virus terrorists (?)
Re: Little Fishies? (pc)
Re: URGENT: SMEG victims sought... (PC)
Re: Help! (PC)
Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
Re: Netware & Virstop (PC)
Re: Killed the Monkey Virus (PC)
Need Help on "V-SIGN" virus (PC)
REQ: Help (PMBS, Stealth_boot.C) (PC)
Tequilla (PC)
Kaos 4 Virus (PC)
Re: Killing the Monkey Virus (PC)
Info on AntiEXE needed (PC)
NETSHLD on Novell? (PC)
KAOS? (PC)
HK Vtech virus & Amoeba (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 25 Jul 94 17:38:01 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: GOOD vs. BAD HUH?

Jack Roberts (jroberts@ripco.com) writes:

> one does have to invite KOH to install itself. to get it to set itself up
> on your hard drive, you have to first install it on a floppy disk and then
> boot using that floppy. it then asks you if you want it to install. its
> pretty hard to do this by accident.

You don't have to boot from that floppy. It is enough to *attempt* to boot from the infected floppy. That is, it is enough to forget an infected floppy in the A: drive of the computer. Not that hard to happen by accident at all. Happens all the time - that's why boot sector viruses are so widespread.

And by asking you a question and waiting for a response, the virus is causing an unwanted interruption. In some situations this can be fatal - I already posted an example of how it can happen and a similar example is in the FAQ.

Ergo - KOH is *not* a harmless virus.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:38:32 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The truth about good viruses

D.J.E.Nunn (D.J.E.Nunn@durham.ac.uk) writes:

> >Since there are millions of combinations of computers and software
> >there is always going to be a chance that the virus will do something
> >wrong.
> Would you use this argument to show that there are no good programs?

Only that there are no good programs which spread by themselves and without explicit authorisation.

Regards,
Vesselin

------------------------------

Date: Mon, 25 Jul 94 17:38:12 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: books on virus' and their history?

Craig (tracker@netcom.com) writes:

> Dr. Alan Solomon of S&S International has one. Maybe someone here can
> provide a title.

Dr. Alan Solomon, "PC Viruses. Detection, Analysis and Cure", Springer-Verlag, 1991, ISBN 3-540-19691-9.

Regards,
Vesselin

------------------------------

Date: Mon, 25 Jul 94 17:38:19 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ARJ-, ZIP-viruses ?

Jack Roberts (jroberts@ripco.com) writes:

> > I know of only one such virus - the Russian virus Archive_Worm, which
> > infects ARJ archives. However, it is not the existence of such

> how does that go about happening?

From: Eugene Kaspersky, "ARJ: a Place in the Archives!", Virus Bulletin, December 1993, pp. 13-14, reproduced without permission, all typos mine:

When an infected file is executed, it searches in the current and in all parent directories for any files which have the extension ARJ. If an ARJ file is found, the virus creates a temporary file with the extension COM. The filename is generated by randomly choosing four letters from the range A to V. The choice is restricted because the upper limit for letters used by the virus is 0Fh: thus, the virus has a range of fifteen letters from which to choose. Examples of typical filenames generated by this routine are BHPL.COM, NLJJ.COM, and OKPD.COM.

Once such a file is created, the virus copies itself into it, and appends a random number of 'garbage' bytes. These Trojan files range in length from about 5K (the length of the virus code) to 64K, the maximum allowable size of a COM file.

The virus then needs to add this file to the host archive. It does this in the easiest manner possible... by executing the archiving file, ARJ.EXE! This program allows users to compress and store one or more files (including subdirectories) in one or several archive [Colloquially known as Arjive. Ed.] files in compressed format. ARJ is one of the most popular archivers, like PkWare's PKZIP.

ARJ.EXE is designed to be called from the command line, and therefore has a raft of commands and switches which can be set when it is executed. One of these, the 'a' switch, tells the program to add particular files to a named ARJ file. The virus uses this option to infect the host ARJ file, executing the following command line:

    c:\command.com /c arj a .com

where is the name of the archive file about to be infected, and is the four bytes-long, randomly selected name described above. The '/c' switch causes COMMAND.COM to execute a program, and to exit immediately upon execution.

On execution of this command, the archiver ARJ.EXE compresses and adds this Trojan program to another archive file. The virus then deletes the temporary file and searches for the next ARJ file. If there are no other archive files in the current directory, the virus will jump to the parent directory. Should the current directory be the disk root directory, the virus returns to DOS.

> does it infect when you unarchive the
> thing?

No; see above.
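The following is an added example, not code from this post, from the Virus Bulletin article quoted in it, or from the ARJ project: a small ARJ member lister that applies the description above as a triage heuristic, flagging any stored .COM member whose base name is four letters and whose original size lies between roughly 5K and 64K. It assumes the standard ARJ basic-header layout (header id 0xEA60, 2-byte header size, 30-byte basic header, NUL-terminated name and comment, CRC32, extended headers) and builds its sample archive in memory, so it runs offline.

```python
"""Heuristic triage of ARJ archives for the dropper pattern described above.

Added example (not from VIRUS-L, Virus Bulletin or ARJ).  The heuristic
only singles out members for a closer look; a four-letter .COM of the
right size is not proof of infection, so treat hits as "inspect", not
"infected".
"""
import re
import struct
import zlib

ARJ_HEADER_ID = 0xEA60
FILE_TYPE_MAIN = 2          # the archive's own (main) header, not a member
BASIC_HDR_LEN = 30          # fixed part of the basic header (first_hdr_size)

# Pattern from the article: four letters + .COM, between the virus length
# (~5K) and the 64K COM limit.  Assumed thresholds, not exact virus constants.
SUSPECT_NAME = re.compile(r"^[A-Z]{4}\.COM$")
MIN_SIZE, MAX_SIZE = 5 * 1024, 64 * 1024


def _cstring(buf, pos):
    """Read a NUL-terminated ASCII string from buf at pos."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii", "replace"), end + 1


def list_arj_members(data):
    """Walk the ARJ headers; return [(name, original_size, compressed_size)]."""
    members, pos = [], 0
    while True:
        header_id, header_size = struct.unpack_from("<HH", data, pos)
        if header_id != ARJ_HEADER_ID:
            raise ValueError("not an ARJ header at offset %d" % pos)
        pos += 4
        if header_size == 0:                      # end-of-archive marker
            return members
        hdr = data[pos:pos + header_size]
        first_hdr_size, file_type = hdr[0], hdr[6]
        comp_size, orig_size = struct.unpack_from("<II", hdr, 12)
        name, p = _cstring(hdr, first_hdr_size)   # filename follows fixed part
        _comment, _ = _cstring(hdr, p)
        stored_crc = struct.unpack_from("<I", data, pos + header_size)[0]
        if zlib.crc32(hdr) != stored_crc:
            raise ValueError("bad basic-header CRC for %r" % name)
        pos += header_size + 4
        while True:                               # skip extended headers
            ext_size = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if ext_size == 0:
                break
            pos += ext_size + 4                   # ext header + its CRC
        if file_type != FILE_TYPE_MAIN:
            members.append((name, orig_size, comp_size))
            pos += comp_size                      # packed data follows header


def suspicious_members(data):
    """Base names of members matching the Archive_Worm dropper pattern."""
    hits = []
    for name, orig_size, _comp in list_arj_members(data):
        base = re.split(r"[\\/]", name)[-1].upper()
        if SUSPECT_NAME.match(base) and MIN_SIZE <= orig_size <= MAX_SIZE:
            hits.append(base)
    return hits


def _build_header(file_type, name, orig_size, comp_size):
    """Assemble one ARJ header block (basic header + CRC + no ext headers)."""
    basic = struct.pack("<8B", BASIC_HDR_LEN, 11, 1, 0, 0, 0, file_type, 0)
    basic += struct.pack("<IIII", 0, comp_size, orig_size, 0)  # date, sizes, crc
    basic += struct.pack("<HHH", 0, 0, 0)        # filespec pos, mode, host data
    basic += name.encode("ascii") + b"\x00" + b"\x00"          # name, comment
    return (struct.pack("<HH", ARJ_HEADER_ID, len(basic)) + basic
            + struct.pack("<I", zlib.crc32(basic)) + struct.pack("<H", 0))


def build_sample_arj(members):
    """Constructed test archive: members stored uncompressed (method 0)."""
    blob = _build_header(FILE_TYPE_MAIN, "SAMPLE.ARJ", 0, 0)
    for name, payload in members:
        blob += _build_header(0, name, len(payload), len(payload)) + payload
    return blob + struct.pack("<HH", ARJ_HEADER_ID, 0)


# Constructed sample: a text file, a 6000-byte four-letter .COM like the
# article's BHPL.COM, and a small four-letter .COM that is too short to match.
SAMPLE_ARJ = build_sample_arj([
    ("README.TXT", b"hello " * 40),
    ("BHPL.COM", b"\x90" * 6000),
    ("EDIT.COM", b"\xcc" * 1000),
])

if __name__ == "__main__":
    for name, orig, comp in list_arj_members(SAMPLE_ARJ):
        print("%-12s %6d bytes (stored %d)" % (name, orig, comp))
    print("inspect:", suspicious_members(SAMPLE_ARJ))
```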
> why does arj let it do this?

Because ARJ is designed to archive things. :-)

Regards,
Vesselin

------------------------------

Date: Mon, 25 Jul 94 17:38:49 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Fred should owe me a grand ?

A. Padgett Peterson, P.E. Information Security (padgett@tccslr.dnet.mmc.com) writes:

> This is where we differ (and why the addition above). In updating software
> on many workstation from a server, the update is copied NOT the update
> mechanism and this is a major difference.

This doesn't contradict Dr. Cohen's definition for a virus: a program that infects other programs by modifying them to include a possibly modified copy of itself. The definition does not say that the infected programs must be able to propagate the infection further. The "possible modification" could very well be one that excludes the replicating mechanism from the virus.

> The best just copy new data files.

As you know, there is no real difference between code and data. According to Dr. Cohen, a virus is inseparable from its environment. Every finite (does it have to be finite?) sequence of symbols is a virus in some environment, and for every environment there is a sequence of symbols that is a virus for it (not sure about the latter). Yes, I know that his definition is too broad; I just wanted to note that what I described *is* a virus, according to his definition.

> is a stand-alone process and the second is parasitic. The common point is
> that both strive to become self-invoking as opposed to user-requested.
> This IMHO is the dangerous part since a virus, worm, or any other program
> CANNOT determine that it is safe to be invoked at any random time given a
> single state machine such as a PC. (I suspect this is provable under Turing
> but am not particularly interested in doing so myself).

Well, there are all kinds of processes in every multi-tasking environment, which can be invoked at any random time, without the user explicitly starting them, knowing what they do, or understanding them. The main difference, IMHO, is that the permission of this to happen is initially given by the user - by installing the multi-tasking environment in the first place. That's why I want the same restrictions on the beneficial viruses - they must be installed ("actively invited") by the owner of the system they infect. They must not sneak in unnoticed, and must not bother the user with "hey, may I come in, please, please" requests.

> pps IMHO Virus-L needs a 441 error (NNTP)

That's funny; I've been getting exactly this error when trying to post here in the past two weeks. Maybe somebody has installed it. :-)

Regards,
Vesselin

------------------------------

Date: Mon, 25 Jul 94 17:38:43 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The truth about good viruses

Ian Douglas (iandoug@cybernet.za) writes:

> > Why unknown? It says "Hi! I am the SuperDuper beneficial virus made by
> > BeneViral Software Inc. and here is my MD5 hash, signed with my secret
> > key".
> > You compute the MD5 hash yourself, verify the one in the virus
> > using the published public key, check that the two values match and
> > then you know that this is indeed a BeneViral Software's product.

> Is it expected to do this everytime it infects a file or boot sector?

No, of course not. As I mentioned in another of my articles, there should be ways to set the default action to "no, don't infect this system and don't ask for confirmation" (which should be the default if no action is taken to "invite" the virus), or to "yes, infect this system and don't ask for confirmation".

But you again seem to be thinking about the PC case. In fact, I do not imagine a "beneficial virus" as something infecting files or boot sectors - too many things can easily go wrong, and besides it is not a good idea to modify other people's programs. I imagine the beneficial virus more like a worm. The company that produces it posts its public key (signed by the company's key) to the Internet. Every site that wants to get infected by this virus sends an invitation message, encrypted with the public key of the virus, to some public place - a server, or a newsgroup. The message contains the public key of the site that wants to get the virus and some data, specifying how the virus can get on their computers - e.g., a port number to telnet to, or a username/password combination, and so on. The virus decrypts this data from the message with its secret key, accesses the site, requests confirmation that the site indeed is the one claimed in the message (again using public-key means for authentication), and installs itself on it using the specified entry points. There are several points that still need refining, but in general it is doable - it is some kind of software distribution system.

Regards,
Vesselin

------------------------------

Date: Mon, 25 Jul 94 17:38:55 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stop the Madness! :-)

Ian Douglas (iandoug@cybernet.za) writes:

> However, that is not the same as the examples of AV programs used.
> These programs offer to update themselves, but the version that they update
> is not capable of further updating other copies.

As I just replied to Padgett, this is irrelevant. Dr. Cohen's definition does not require that a virus must be able to recursively spread further (i.e., that all infected programs must be infective).

> So the 'virus' has failed to reproduce a functionally identical version of
> itself, ergo, it is not a 'virus', but an installer.

I think that an installer (together with the program it installs) *is* a virus, according to Dr. Cohen's definition. Just like DISKCOPY copying the system floppy, or a compiler compiling its own source.

> Or am I playing with words and semantics?

Simply Dr. Cohen's definition is too broad. There *is* a reason for it being so. His goals have been to prove theorems about computer viruses. In order to do this, you need a formal model of a computer. One of the most often used ones is the Turing Machine. (There are a few others, like the Post machine, the Markov chains, and so on, but they are all equivalent to a TM.) Now, the problem is that it does not make sense to talk about "programS" for a TM. A TM has only one single program - the initial contents of its tape. Therefore, in such an environment, you cannot talk about "infecting other programs" - because there are no other programs. That's why Dr. Cohen pulls a clever trick - he is considering the history of the states of the TM's tape and says that if some subsequence of symbols on this tape reproduces itself in another place on the tape in a later moment, then this sequence of symbols is a virus FOR THAT PARTICULAR TM.

Regards,
Vesselin

------------------------------

Date: Mon, 25 Jul 94 17:40:58 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses = Commercial Opportunity?

Kevin Marcus (datadec@corsa.ucr.edu) writes:

> 2,000 per year, eh? Gee, Pakistani Brain came out in ... 1986? That
> means there should be more than 10,000. I think something is wrong here.

Yes - your basic premises. You assumed that the virus creation rate has been 2000 viruses per year since the very first virus appeared. This is wrong. The rate has been (almost) exponentially increasing all those years, so it has started at much lower levels before reaching the current one.

> I'd suspect the growth is more exponential or logarithmic vs. linear, but
> I can't say I have done any statistical analysis. I know it's not linear
> though.

This is correct. Although the rate is not exponential any more; at least not with the same time-constant (what is the correct English expression?). It has begun to flatten lately, although it is still high enough.

> While it might take and one for a *person* to analyse a virus, it is
> quite possible to:

> 1) Use already existing information to your advantage.

Of course, that's why I said that companies that have been around in the anti-virus field for a long time have a better chance to survive than the newcomers. Or do you mean to get this information from somebody else?
Could you name an anti-virus company that will accept to share this information with a new competitor? :-)

> There is a lot of information on the net, even some useful info in VSUM
> that could be used to make this speed up. The difficulty is when there is

Rubbish. As you perfectly know, VSUM is a huge collection of wrong, inaccurate, and incomplete information, but even if it were correct, how, pray tell, would such information help an anti-virus company to build a product that detects those viruses? VSUM contains just virus descriptions; it does not tell you how to detect, identify, and disinfect the virus (other than "use scanner X").

> 2) Even for one person, I've always found it useful/helpful to have
> more than one computer. More than one hard drive might be kinda useful
> if you have only one computer. This allows you to have systems with
> different versions of dos -- many viruses might only work with dos 3.3,
> or 5.0 or...

Having two computers does not allow you to analyse viruses twice as fast, because you still can't analyse simultaneously two viruses. :-)

> 3) Do you really need to detect 4500 viruses to be a useful product? There

There *are* products that detect 98% of the 4,600 viruses in our collection. Have in mind that the new product has to compete with them.

> are many other products which don't detect nearly that many which still sell
> *quite* well.

I agree here. One can still create an anti-virus product with a nice user interface and miserable virus detection, and sell it well, as the case of products like CPAV/MSAV or NAV have demonstrated. But then, I thought that we were talking about *useful* anti-virus products. :-)

> 4) While you will get opposite answers from just about everyone here,
> consider: Viruses in the wild are considerably more important to detect/
> remove than viruses *not* in the wild. Those should be highest priority

True.

> The other 4300 or so viruses not in
> the wild probably won't ever get there.

We can't rely on that, because they are out there - on the virus exchange BBSes, from where any moderately competent attacker can download them and use them on a target system. Therefore, a good anti-virus protection should protect from them too.

> also do this... Plus, you'd benefit from smaller size, faster scans, and
> a higher repair rate (since you could concentrate on repairs for some of
> the nastily encrypted polymorphic viruses)

All this boils down to the question: given the choice of a scanner that detects 98% of the existing viruses AND 100% of the viruses in the wild, and one that detects ONLY 100% of the viruses in the wild, which one would you buy? Most people seem to prefer the first choice. I know of at least one product that uses the second approach - Jim Bates has a scanner that is very cheap and can detect only those viruses reported to be in the wild to the Computer Crime Unit of Scotland Yard. From what I have heard, it doesn't seem to sell very well.

> 5) How much can the process be automated?

That's a very interesting question. I know that at least Chris Fischer from Karlsruhe, Germany, and the anti-virus team of the IBM's T. J. Watson Research Center are seriously working in this direction. In fact, I recently got a very interesting paper from Jeffrey Kephart of the IBM team. It is available from our anonymous ftp site as

    ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/immune.zip

You'll need a PostScript printer to print it. Get it and read it; it's very interesting.

> 6) How much longer do you think that there will be a market for AV products?

I believe that computer viruses will be with us for a long time.

> With OS's other than DOS gaining a larger user base, the number of viruses
> for a particular OS would be nearly reset to zero. People will only run
> programs in their DOS emulator before the equivalent comes out for their
> new OS.

Nonsense. First of all, there will be always people writing viruses for the dominant operating system. If OS/2 becomes dominant, people will be writing viruses for it. Besides, OS/2 runs DOS programs very well in its DOS emulator, therefore, it will be able to run most DOS viruses there too.

> >Do you see now why this is not for newcomers? Only a company with a
> >lot of experience and an already established product in the field will
> >be able to keep up with the game.

> Maybe a lot of experience in ASM programming, but probably not a whole
> bunch more.

A whole bunch more. Designing a good anti-virus program requires some considerable knowledge of how viruses work and what they can do. Otherwise you'll end up with a nice-looking but trivial to bypass protection.

> >protect you from a boot sector virus like Michelangelo, and NAV is one
> >of the worse anti-virus products around.

> Yeah, just because it has a smaller detection than, say, McAfee's SCAN,

First, if the scanner has a worse detection than McSCAN, this indeed means that it provides worse protection than it. This alone does not necessarily mean that it is one of the worst ones - there are other components in the product too - like the integrity checker and the resident scanner and behaviour blocker. However, SCAN does not have one of the highest detection rates any more (in my latest tests it got a pitiful 71%), so anything worse than it is already pretty bad, and second, the other components in NAV are not particularly good (read: easy to bypass) either.

> let's say, it
> possibly be any other factors that go into an AV product's reviews, eh?

Oh, sure, especially concerning the reviews that are printed in the popular magazines. It seems that there, such properties of the product like the nice user interface and the presence of an index in the documentation are also taken into account.
Sometimes I am getting the impression that they are considered there as more important than the ability of the product to protect from viruses.

Regards,
Vesselin

------------------------------

Date: Mon, 25 Jul 94 17:40:40 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Disabled viruses?

Norman Hirsch (nhirsch@panix.com) writes:

> I agree with that but if the anti-virus program picks it up as a virus, at
> least it gives the tester an idea of whether the anti-virus program responds
> as it should.

No, it doesn't - because the thing is not a virus, the anti-virus program should not be detecting it. If it is detecting it, then it is not behaving as it should.

> For example, you might want to see if it deletes or moves the
> file or properly displays it's results in Windows or sends a message via
> NetWare or ? For those reasons, a simulated virus can be very useful in
> setting up and checking your A-V program. It can also be useful in training
> as a demo to what to expect if a "real" virus is found.

You mean, to use it as some kind of "self-test" or "installation check" of the scanner? It's not a bad idea to have such a possibility, but it must be implemented by the producer of the scanner, because they know best how their product works. For instance, the manual of Dr. Solomon's AVTK specifies a text string that you can put in a file. When this file is scanned, the scanner displays a message that this file contains the test string designed to check whether the detector is working. F-Prot has such a utility to check whether the memory resident scanner is active. SCAN has something like that, called ChkShield, if I remember correctly.

> Ironically, the
> perfect A-V scanner will not see the simulated virus.

Yep. That's why I am saying that it is not good for testing scanners.

Regards,
Vesselin

------------------------------

Date: Mon, 25 Jul 94 17:40:46 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Bad and good viruses...

Roger Ertesvaag (roger.ertesvaag@thcave.bbs.no) writes:

> B> Just read the KOH.readme to find the KOH directory, and DON'T take the
> B> actual program out of the U.S. because it's export controlled.

> A virus that's export controlled? You must be kidding!

Unfortunately, he is not. The USA has some really funny export regulations, which treat any encryption programs in the same way as munitions - you are not allowed to export them without a license. And since KOH is a disk encryption self-replicating program...

BTW, the penalty for breaking the regulations mentioned above is 41 to 51 months of jail time. Of course, this law is virtually unenforceable for the software made available on the 'net.

Regards,
Vesselin

------------------------------

Date: Mon, 25 Jul 94 17:41:40 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: anti virus viruses

Lars Friend (larsnerd@color.ithaca.ny.us) writes:

> Has anybody ever considered that one could construct a virus that
> tries to stamp out other viruses?

Yes, this idea comes up here approximately every couple of months. Maybe it should go in the FAQ. In short: no, it is not a good idea. Such an "anti-virus virus" would still infect other files, thus modifying them, which in many cases will prevent them from running. There are several other reasons why this should be avoided - mostly related to the fact that you gain nothing by using a *virus* to do it (the same could be done by a non-viral program), and too many things can go wrong.

Yes, implementations of this idea exist - because several people have decided to implement it, instead of thinking first, or at least asking an expert. We call those real viruses like all the others, and the scanners are detecting (and sometimes removing) them, just like the "normal" viruses.

Summary: don't do it, and avoid it, if somebody does it.

Regards,
Vesselin

------------------------------

Date: Tue, 26 Jul 94 07:04:57 -0400
From: Alfred Jilka
Subject: benevolent virus found !

hi all,

the other day I came across it: it is Vernon D. Buerg's "List". It is not exactly a virus by the definitions used on this list, but more a kind of worm. But for FC this would probably be a virus :-)

List V7.?? has a function to clone itself.
It is used to create a copy of the program, which comes up with for example altered fore- and background colors. I know, there are lots of programs out there which don't need to clone themselves just to change the default color, anyway: it reproduces on demand and even is, hmm, polymorphic (?).

Greetings from HOT Austria,
Alfred

- --
Alfred Jilka, Geological Survey, Austria
jilka@gbaws4.zamg.ac.at
Phone: +43/1/712-56-74/85, Fax: +43/1/712-56-74/56

------------------------------

Date: Tue, 26 Jul 94 18:22:48 -0400
From: drcat@crl.com (David Shapiro)
Subject: Re: Good Viruses

I don't think comparing dependability and inter-operability issues between viruses and commercial software is 100% sound. There's an issue of consent here. If you choose to have sex with someone without a condom, and you catch a disease from it, this was partially the result of your choice to take a risk. You can take as few or as many precautions as you like in this regard, from being picky about partners, insisting they get tested, using condoms, or even limiting yourself to just cuddling. Likewise, if you use commercial software, you can be selective in your choice of packages, ask friends how stable it is, read reviews, or do what I in fact do, and avoid newly released products and try to stick to those that have been out for a year or more.

If you're raped, and you catch a disease... Well, there wasn't much you could do about it. Likewise, if a virus intended to be benign has a compatibility problem with something on your system and trashes some files... You did NOT lose files because you gave your "informed consent" to try and install "Shareware Super Cachem 1.0". You lost your files because someone ELSE, the virus author, made the choice FOR you (and a lot of other people) that it was reasonable to risk that his/her code would be safe to run on your system if it could manage to infect it.

I favor allowing people to make their OWN choices in life as much as possible.

-- Dr. Cat / Dragon's Eye Productions

------------------------------

Date: Thu, 28 Jul 94 00:26:10 -0400
From: Rich Travsky
Subject: Immune System for PCs from IBM

The following appeared in the July 23rd issue of Science News. (Articles in Science News are often short synopses of works from other journals and the like.)

Trying to mimic the human body's ability to fight off infection, computer scientists are developing immunologically inspired systems to ward off computer viruses. Jeffrey O. Kephart of the IBM Thomas J. Watson Research Center in Yorktown Heights, N.Y., reports designing an immune system for computers that "takes much of its inspiration from nature." As in vertebrates, the new system develops and stores "antibodies," enabling a computer to stop computer virus attacks more quickly. "We are also careful to minimize the risk of an autoimmune response," he says, "in which the immune system mistakenly identifies legitimate software as being undesirable."

The new immunity program detects known viruses by their computer-code sequences and unknown viruses by their unusual behavior within the computer. Decoy programs then seek out and trap the viruses. Then the computer extracts the malevolent coding, turns on a repair program to fix damaged software, and "immunizes" itself against similar viruses. To forestall an epidemic - a virus spreading through a group of linked computers - infected machines send out "kill signals" to warn other computers of the rampant invader. The signals tell how to kill the new virus as well as similar viruses.

The rate at which new viruses are created and the cost to businesses of virus damage have grown, Kephart says.
More than 2,000 known viruses exist, and, on average, two or three new ones emerge each day. Of more than 100 million personal computer users worldwide, roughly 1 million, he estimates, have had their work affected by viruses. "This technology will gradually be incorporated into IBM's commercial antivirus product during the next year or two," Kephart says.

Sounds interesting, but I have some doubts. My guess is it'll take an SMP Pentium machine and the TSRs will weigh in at several meg ;)

Richard Travsky
Division of Information Technology      RTRAVSKY @ UWYO.EDU
University of Wyoming                   (307) 766 - 3663 / 3668

"But here's an object more of dread than aught the grave contains
 A human form with reason fled while wretched life remains"   A. Lincoln

------------------------------

Date: Thu, 28 Jul 94 03:55:53 +0000
From: tarnold@crash.cts.com (Terry Arnold)
Subject: Unix Virus Query (UNIX)

I was asked a question today about Unix virus detection utilities and how many Unix viruses were around. I am now passing the questions on to this august body.

1. How many confirmed Unix viruses have shown up?
2. What are the effective detection utilities for Unix viruses?

Terry Arnold
tarnold@cts.com

------------------------------

Date: Mon, 25 Jul 94 17:37:36 -0400
From: john.weiss@ctbbs.sccsi.com (John Weiss)
Subject: F-Prot in SHEZ (PC)

Carbon copy of a message originally posted To: ALL, By: JOHN WEISS, On: EHVP, Conf: 0116 - VIRUS

I'm trying to switch from SCAN to F-Prot for use in SHEZ. SCAN has worked OK in the past. After I scan an archive with F-Prot, and then try to read a text file inside, I get an error message like "Error 11: Unable to find file." If I exit SHEZ and then try to read it, no problem. I scan it with F-Prot, and have the same problem. Anyone have any clues?
cc: ALL in 0470 on EHVP
    JIM DERR in 0200 on EHVP
    ALL in 3091 on EHVP

* RM 1.3 02116 *
- ----
|---------------------------------------------------------------------------|
| CTBBS - 619-371-1665  v.32bis  2 nodes available  7.0 Gb wasted space     |
| Ridgecrest (China Lake), CA - Home of the Naval Air Warfare Center        |
|------------ Other nets include: Intelec, U'NI, MetroNet, ILink -----------|

------------------------------

Date: Mon, 25 Jul 94 17:37:11 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Why so many Leprosy viruses? (PC)

Kevin Marcus (datadec@corsa.ucr.edu) writes:

> >You never will. A virus that is that stupid is just unable to spread
> >widely.

> Hm. How many Stoned, Jerusalem, or... say, Vacsina infections have you
> heard of? Those viruses don't do anything at all fascinating. (unless
> you consider a TSR fascinating or fixups for EXE->COM's...)

Kevin, Kevin, have you ever looked at the virus we are discussing? Leprosy is an overwriter! How many overwriting viruses do you know that have spread successfully? :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:35:46 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Why so many Leprosy viruses? (PC)

Michael Jones (Michael_D_Jones@ccm.hf.intel.com) writes:

> question to you and to other individuals is: Is there a source out there that
> you would recommend as being better. Patricia's is easy to use and that is a
> benefit, but that doesn't make it reliable.
You can find another big collection of virus descriptions (and even demonstrations of the video and sound effects of hundreds of viruses) in the help system that comes with Eugene Kaspersky's AntiVirus Pro. It doesn't list as many viruses as VSUM, but is *much* more accurate. One drawback of it is that the English language used... well, sounds Russian. :-) But I understand that this problem is being worked on.

> What would be ideal, would be to
> get information using something similar to "finger" where you could say:
> "finger virusname@whoever.wants.this.huge.project"
> and it would return the important information about the virus, i.e. type of
> virus, detection, cleaning, etc.

That wouldn't be a wise thing to do for two reasons. First, it would require an account to be created for each virus name. I doubt that a sysadmin would be willing to dedicate 4,600 accounts for such a purpose... :-) Second, there is the naming problem. How do you design the software to be so smart as to figure out that when the user is asking for "Frodo", "4K", "Centry", "100 Years", etc. they actually mean the same thing?

A much more practical way to implement it is to use a mail server. And indeed, several years ago, Heriot-Watt University in the UK used to run such a server. Unfortunately, it is not active any more.

Finally, I recently noticed that IBM have a rather nice collection of virus descriptions on their gopher site - but I forgot the exact address; maybe Dave Chess can help.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:37:29 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: "New" Virus found? (PC)

Kari Laine (buster@klaine.pp.fi) writes:

> >the virus in question (Junkie) can be detected and removed with F-PROT 2.12c

> So it can with the Dr. Solomon's Anti-Virus Toolkit.

As well as a few other products (AVP comes to mind).

> Btw does F-Prot remove
> it from the partition sector?

I think that at least version 2.12c has problems with the floppy boot sectors. I have not tested version 2.13 or the MBR disinfection.

> And does it overwrite sectors 3 and 4?

Very few disinfectors bother to do that with boot sector viruses; I think that Dr. Solomon's AVTK is not one of them either - the last time I looked it had a pretty generic solution to the boot sector virus disinfection problem. That is, it identifies the virus and overwrites it with a clean boot sector (possibly making bootable floppies non-bootable).

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:37:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NAV 2.0 gives false "Maltese Amoeba" alarm (PC)

Piet de Bondt (bondt@dutiws.twi.tudelft.nl) writes:

> Speaking of this, is there anybody out there willing to make such a list
> of 'false alarms' etc. and add this to the FAQ (and meanwhile updating the
> FAQ).

While such a list would undoubtedly be very useful, I do not think that it should be included in the FAQ. Instead, the FAQ should contain just a pointer to it.

> FWIW, I think we start making a joke of ourselves in this field, when we
> have a FAQ dated November '92 !!!

Well, the basic theorems about computer viruses were proven ten years ago, and they are still true. :-)

Seriously, what part of the FAQ do you think is out-of-date?
> Any volunteers ? Any reasons why the FAQ should *not* be updated ?

There is a list of the FAQ contributors and we *are* working on a new version of the FAQ. If you think that you can contribute - contact the moderator and ask to join the list.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:40:21 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Killing the Monkey Virus (PC)

Curly (hzf30@mfg.amdahl.com) writes:

> I was under the impression that there are no viruses, currently known, that
> can infect a system by merely using the "dir" command. If so, then your anti-

Your impression is correct (and it is even in the FAQ). TC Molloy has confused something.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:41:22 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: generic virus question (PC)

Steve Smith (sjs@crl.com) writes:

> Please excuse my ignorance on the subject, but I'm trying to understand
> viruses. TC Molloy recently posted about a problem with the
> Monkey virus that caught my attention. He said in part:

[TC Molloy's quote deleted]

> How would a virus like this get activated? TC typed dir on his
> machine which wasn't booted off of the customer's infected disk.

There is no way a virus like this would get activated.
TC Molloy was wrong and his message - misleading. I have posted a correction, but nevertheless it seems that it has succeeded in confusing several people. That's why I so dislike it when people without the necessary qualification attempt to talk "professionally" about computer viruses.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:37:50 -0400
From: Henrik Stroem
Subject: HS v3.59 Beta (PC)

Curly and Vesselin and I wrote:

>> will detect all bootinfectors, and automatically remove them. It uses

> Is there an option to "remove them" upon confirmation from the user,
> rather than doing it automatically?

You get a red box with yellow letters telling you something like:

   MBR infector detected! Press any key to remove virus, or turn off your machine and get expert help.

>>> I do have your HS v3.58 and it is on our ftp site. The only problem is
>>> that it refuses to run on my machine - something I have reported to
>>> you several times in the past. As far as I recall, the problem occurred
>>> because the installation program was trying to trace an interrupt down
>>> to the BIOS - but my machine is running QEMM in stealth mode.

I have just finished writing an HS.COM v3.59 Beta. It works with QEMM STEALTH, and probably works on your machine as well, Vesselin.

> I have not been able to get this program to run on my system either. It
> may have been because I have Padgett's DiskSecureII protecting the system,
> but that is only speculation.

Correct. HS v3.58 would not install if DiskSecure was active in memory. This beta version will work with DiskSecure, but I don't see the point.

Look for hs-beta.zip.
It will probably be available from Oakland and Univ-Hamburg soon. I just mailed it.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

From: hmuppidi@maroon.tc.umn.edu (Himadeep R Muppidi)
Subject: Can't Trace the Trouble! What Virus is this???? (PC)

Hi,

Have been having trouble with my PC... I have tried all I know and don't seem to be able to solve the problem. Here are the symptoms: Every time I try to access the A or B drives through any application it destroys all the files on the disk.

1. At the DOS level (C> prompt) I can do a Copy and the files are copied perfectly on to the disk drive.
2. I go into Word Perfect and just do an F5 to check the directory on the A drive and there are no files there!!
3. I come back to the DOS prompt and check the directory and all files have vanished.
4. I copy a few more files on, confirm that they are all there by issuing the normal DIR command and of course all the files are there!
5. This time I go into Windows and try checking for the files through File Manager and the files have vanished.
6. I return to the DOS prompt and confirm that the files have vanished.
7. I try to format a brand new disk on my A drive and it fails.

My understanding of the problem is that the moment I access the drive using any executable file (Copy and Dir at DOS not being executable files) it kills everything on the disk.

8. I also suspect that it progressively keeps eating up space on the disk that I have in the drive (if I do steps 1 to 7 repeatedly till it gives me the insufficient disk space message).

I ran the June 1994 release of FPROT and it didn't find anything except the V-Sign virus on some of my floppies. On the hard disk and memory it didn't find anything. Also I installed virstop/boot through my Autoexec and it still didn't help.

Any advice please? I am really stumped here... Is it the V-Sign? If so why doesn't FPROT (June 1994) find it?
Thanks,
Himadeep

------------------------------

Date: Mon, 25 Jul 94 17:38:25 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: virus terrorists (?)

Craig (tracker@netcom.com) writes:

> I still fail to see why frustrated people would do this. Why don't they
> find some hobby like fishing, some kind of sport/athletic activity, etc.
> instead of causing havoc and lost work for millions of people worldwide.

I can easily understand that this is something difficult to comprehend for a person educated in your part of the world. One needs to understand the whole social, political and economic situation in those countries in order to understand it. Try reading my paper about the Bulgarian virus factories; it sheds some light on this. My paper is available from our anonymous ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/factory.zip

> If frustrated people want to possibly exercise their intellect why not take
> up chess and win several tournaments.

Well, for *that* kind of frustration, I suspect that Doom is a better way to go. :-) It corresponds better to the things one wants to do after having some of the problems that are usual in those countries...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:40:27 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Little Fishies? (pc)

Ruben Arias (ruben@ralp.satlink.net) writes:

> "Stoned" is a very good example of virus that hangs PC and then show any kind

"Stoned" does *not* lock the PC.

> If you dont know (or hear about Stoned) I tell you its one of the most popular
> Partition Table virus. Locks the PC and displays "Your PC is Stoned".

The most popular variant of this virus does not lock the PC at all and displays the above message only when you are attempting to boot from an infected floppy (*not* if you are booting from an infected hard disk), and even then with a probability of 1/8.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:41:34 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: URGENT: SMEG victims sought... (PC)

virusbtn@vax.oxford.ac.uk (virusbtn@vax.oxford.ac.uk) writes:

> On Wednesday 13/7/94 officers from Devon & Cornwall Constabulary Fraud
> Squad together with officers from the Computer Crime Unit, New
> Scotland Yard executed a number of search warrants under the UK
> Computer Misuse Act in Plymouth. The investigation was in connection
> with the authorship and distribution of computer viruses known as
> PATHOGEN, QUEEG and GERM, together with the encryption engine SMEG. 1
> man was arrested. He has been bailed to return to a Police Station in
> Plymouth at a date in November.

As usual, the CCU has done an excellent job. My compliments to inspector Ostin. Let's hope that the British courts will show themselves at a similarly professional level. Anyway, whatever the outcome, one thing is certain - the "Black Baron" will not be producing SMEG viruses any more... :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:40:33 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help! (PC)

Matthew Osborne (mo@pineapple.apmaths.uwo.ca) writes:

> Try booting up with a floppy disk that is clean, and typing FDISK /MBR.
> It MUST have FDISK on it. What is MBR? It is an Undocumented switch

To anybody who decides to take the above advice:

1) Have in mind that it works only with the FDISK that comes with DOS version 5.0 or above.

2) Before running FDISK /MBR, try accessing your hard disk (e.g., "DIR C:"). If you cannot access it (e.g., "Invalid drive C:"), DO *NOT* RUN FDISK /MBR, or you almost certainly will get your hard disk screwed up and will need a data recovery expert.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:41:10 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

David_Conrad@MTS.cc.Wayne.edu (David_Conrad@MTS.cc.Wayne.edu) writes:

> Perhaps the time has come for McAfee to give up on the CRC polynomials,
> which of course can be forged, and to start using something better, like
> MD5. They could publish source code for the validation program as well as
> the executables.

There is one problem which remains even if a cryptographically strong hash function like MD5 is used. The attacker could just modify the files, compute the MD5 hashes of the modified files, and replace the new MD5 values in the documentation.
This way he will succeed in fooling the user who does not have an independent way to obtain the real hash values. In fact, this is exactly what the forgers have been doing even now, because most of them don't know how to forge CRCs.

The only solution to this problem would be to use public key authentication. I have been suggesting this solution to McAfee for years, but they don't want to listen. For comparison, the author of TBAV is already using this method (PGP) to authenticate his product. Frisk has generated and distributed a PGP public key, so I hope that F-Prot will contain this kind of authentication in the near future. (Frisk?)

> royalties, and writing a wrapper program is a trivial exercise. The
> source code to my own mdx.exe (which is in xsum10.zip and can be found
> at oak.oakland.edu in /pub/msdos/fileutil) is only 114 lines, and it
> also does MD4, a self-check of the executable, wildcard matching and
> supports multiple patterns on the command line. A program that only
> did MD5 could be kept down to a few dozen lines of C code.

You mean that MDX.EXE is yours? It is amazingly fast; how did you achieve this? Are you using Phil Karn's assembly language implementation of MD5? You are saying that the sources are available; I'll check again, but I believe that the archive mentioned above contains only the executable...

BTW, it would be a good idea to modify your program to display some other information - like the file size, date, and time - users often find this useful.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:41:04 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Netware & Virstop (PC)

Norman Hirsch (nhirsch@panix.com) writes:

[about how to remove VirStop from memory]

> Yes, yes. But the first yes will work for any TSR. Get TSRCOM35 utilities
> including Mark and Release and the network versions. You do a "Mark" before
> you load the drivers you want to unload and do a "release" or a "release -K"

While this would work in general for removing normal TSR programs, it WILL NOT work for the case we are considering here - VirStop. This resident scanner has been intentionally designed in a way that makes it difficult to remove from memory - otherwise a virus could do that too. In particular, if you actually try the trick you are recommending, the computer will hang.

> I would also suggest you use McAfee's VSHIELD program which is available from
> mcafee.com as the TSR of choice.

I wouldn't. If the original poster can afford a commercial package, I would suggest that he use Dr. Solomon's Anti-Virus ToolKit - the resident scanner there is pretty robust and has a high detection rate. It can also be unloaded from memory, if you really insist on being that insecure (you'll have to load it with a special option, in order to enable this).

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 26 Jul 94 00:26:29 -0400
From: samson@iohk.com (Samson Luk)
Subject: Re: Killed the Monkey Virus (PC)

TC Molloy (dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com) wrote:

: I put the disk in my PC and typed 'dir'.
: Immediately, the bells and

Wait a minute, you mean only a 'dir' will trigger the Monkey to infect the hard disk?

Regards

------------------------------

Date: Tue, 26 Jul 94 01:53:23 -0400
From: oerkul@site.gmu.edu (Oguz Erkul (CS 471))
Subject: Need Help on "V-SIGN" virus (PC)

Hi,

I am facing a virus which is called "V-sign", as the title says. It is messing up the partition table; it is more like Cansu with some powerful stuff; it sometimes doesn't let you go into the OS. Anybody having any kind of experience with this kind of virus, please write to me about cleaning it (totally).

Thanx in advance.....

Oguz Erkul
oerkul@mason1.gmu.edu

------------------------------

Date: Tue, 26 Jul 94 12:36:24 -0400
From: fac0294@uoft01.utoledo.edu (Colin McGinnis)
Subject: REQ: Help (PMBS, Stealth_boot.C) (PC)

I'm new to this group and fairly new to USENET. A friend of mine is having trouble:

It started when he couldn't load MS Windows. He would get the Windows logo, and then back to the C-prompt. When he used F-Prot, he got two different virus messages.

"The PMBS virus search string has been found in memory."
"The Master Boot Sector is infected with the C variant of the Stealth_boot virus."

When he tried to disinfect the virus in the MBR, he got this message:

"Virus could not be removed - Original MBR was not found"

It notes two programs (SPLITTER.EXE in two different directories) as being "inoculated by Central Point Anti-Virus." He's repeated that same procedure a few times and has gotten the same messages, leading him to the conclusion that the virus is still there. I feel the same way. If anyone has any information on either of these viruses (what they are and/or how to get rid of them), please post something on the group or mail me.
Thanks,
Colin McGinnis

------------------------------

Date: Tue, 26 Jul 94 18:19:30 -0400
From: bmadan@pipeline.com (Bob Madan)
Subject: Tequila (PC)

Is there anyone out there who can tell me the best way to rid a PC of the Tequila virus? Formatting the disk is not helping and I understand from McAfee that the boot sector is infected. I also understand that the virus can point to another sector on the disk when asked for the boot.

------------------------------

Date: Tue, 26 Jul 94 19:28:50 -0400
From: drcat@crl.com (David Shapiro)
Subject: Kaos 4 Virus (PC)

I just had it called to my attention late last night that a copy of a shareware product I publish, infected with the Kaos 4 virus, was posted to alt.binaries.pictures.erotica. Given that this is one of the most popular groups on the net, I've been doing everything I can think of to try and perform 'damage control' and trying to help reduce the number of people that get infected any way I can. That's my number one priority - number two is to gather more information on what exactly it does, so that I can tell people who were infected not only how to remove the virus, but how much damage (& of what kind) they might expect. I just read through most of the posts here, including the July 1st viruses in the wild report, and saw no mention of Kaos 4. Here's everything I know so far...

McAfee 1.17 or 2.10 will detect Kaos 4. Earlier versions will not - it was just added in this release. A helpful individual in New York tried 3 or 4 other virus scanners, including and none of them were able to detect the virus. He contacted the authors of several of them himself, and sent them samples of the virus to study.

The virus is in the file SEXOTICA.ZIP, posted in 12 uuencoded sections to alt.binaries.pictures.erotic by one yjossa@ic.sunysb.edu. On downloading and examining this file, I determined that the only file that appeared to be modified was the main executable, sexy.exe. The modified version was 93835 bytes long.
My original distribution copy contains a sexy.exe file that is 93138 bytes long. If anyone wants an uninfected copy for comparison, I'd be happy to provide one. I'm also going to be posting a clean copy to that newsgroup as soon as a friend makes a version with a digital signature for me - he's more experienced than I with such matters. A clean copy can also be obtained from my BBS at (512) 343-7727.

I've emailed postmaster@sunysb.edu, and posted to news.admin.policy asking if the infected articles could be canceled by someone. I've also posted multiple warnings to a.b.p.e. and a.b.p.e.d. about this.

I get the impression that this is a very new virus - perhaps my shareware was used as the first place it was 'released', I don't know. The tech I talked to at McAfee was out of the country when they first found Kaos 4, so he couldn't tell me where they discovered it. I am having a friend come over tomorrow night with a disassembler he's experienced at using so we can try to learn more.

From what I've heard from a few people that got the infected files off the net, apparently Kaos 4 replicates by attaching itself to .com and .exe files. If it uses any of the other methods of replication, I haven't heard evidence of it yet.

Does anybody know anything further about Kaos 4? Or have any suggestions on other steps I might take to publicize the problem and protect users of my software from it?

-- Dr. Cat / Dragon's Eye Productions

------------------------------

Date: Tue, 26 Jul 94 22:52:23 -0400
From: mikedwyer@delphi.com
Subject: Re: Killing the Monkey Virus (PC)

We ran across the Monkey and found that VIRUSCAN 4.x was able to detect and remove it from both hard disks and floppies as well as from RAM. The real problem with this beast is that you can spend a lot of time servicing hard disk errors and boot problems. Once we tracked the devil through our shop we found that it was on every machine we had had weird disk problems on. Moral of the tale:
Sudden burst of disk problems means you have a monkey on your back, maybe. . . .

------------------------------

Date: Wed, 27 Jul 94 02:25:48 -0400
From: smusser@world.std.com (Scott Musser)
Subject: Info on AntiEXE needed (PC)

Can anyone provide me with information on the AntiEXE virus (symptoms, means of infection, history, etc.)? Anything at all would be greatly appreciated.

Scott Musser
snm@musser.com

------------------------------

Date: Wed, 27 Jul 94 17:02:29 -0400
From: hg5bfl@hg5bfl.ampr.org (Andrew Gelleri)
Subject: NETSHLD on Novell? (PC)

Hello!

I'd like to install NETSHLD160 but I can't do this. Do I need any extra NLM or what? I have the netshld160.zip and a Novell 3.11 network.

Thanks for info!
Bandi
hg5bfl@ha5kfu.sch.bme.hu

73' de Bandi from Budapest, Hungary (JN97MN)
+--------------------------------------------------+
| IP:     hg5bfl.ampr.org (44.156.0.30)            |
| e-mail: hg5bfl@gw.ha5kfu.ampr.org                |
| e-mail: hg5bfl@ha5kfu.sch.bme.hu          ////   |
| AX.25 : hg5bfl@ha5ob.hun.euro           ( o o )  |
+------------------------------------oOO--(_)--OOo-+

------------------------------

Date: Wed, 27 Jul 94 17:38:04 -0400
From: brett_miller@ccm.hf.intel.com (Brett Miller - N7OLQ)
Subject: KAOS? (PC)

I have been hearing about a new (?) virus called KAOS that has been transferred over the internet. Does anyone have any info on it?

Thank you

Brett Miller N7OLQ
brett_miller@ccm.hf.intel.com
Intel Corp.
American Fork, UT

------------------------------

Date: Wed, 27 Jul 94 23:48:55 -0400
From:
Subject: HK Vtech virus & Amoeba (PC)

Dear Everybody,

A new virus has been found in HK. This new virus is called the HK Vtech virus. On systems which have been infected by this virus, no virus scanner can detect it. The only way this virus is discovered is after trying a DOS command several times, when a virus message appears:

   HK Vtech xxx
   Produced by Ming Lord

The characteristics of this virus are that it infects the boot sector, the MBR, and files such that they cannot work.
It also changes the checksums of files. Since I had used CPAV to create the checksums before, I used this method to check the checksums and then delete the infected files. Since it was produced in HK, overseas scanners cannot detect this virus!

Anthony
s937042@hp720a.csc.cuhk.hk

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 62]
*****************************************
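Editor's added example for Vesselin's FDISK /MBR warning in the "Re: Help!" message above; this code is not from the digest or from any product named in it. FDISK /MBR rewrites the 446 bytes of boot code at the start of the master boot record and leaves the 64-byte partition table behind it untouched, which is exactly why his "DIR C:" test matters: if a boot-sector virus has scrambled or relocated the partition table and its own code is the only thing that still knows how to find it, replacing that code with a clean loader leaves the disk with a table nothing can read. The checker below takes a raw 512-byte copy of sector 0 (assumed to have been read after booting from a clean, write-protected floppy, so nothing resident is decrypting on the fly) and refuses the "safe to rewrite" verdict unless the table parses as a usable one. Both sample sectors are constructed; the scrambled one is just the clean table XORed with a constant, not the hiding scheme of Monkey or any other real virus.

```python
import struct

SECTOR = 512
CODE_LEN = 446        # bytes 0..445: boot code, the only part "FDISK /MBR" replaces
ENTRY_LEN = 16        # four 16-byte partition entries follow at 446..509
SIG_OFFSET = 510      # bytes 510..511: the 55 AA boot signature


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries as dicts (CHS fields are ignored)."""
    entries = []
    for n in range(4):
        off = CODE_LEN + n * ENTRY_LEN
        boot, _, _, _, ptype, _, _, _, lba_start, lba_size = struct.unpack_from("<8B2I", mbr, off)
        entries.append({"boot": boot, "type": ptype, "start": lba_start, "size": lba_size})
    return entries


def check_mbr(mbr: bytes, disk_sectors: int) -> list:
    """List everything that makes the partition table look unusable (empty list = sane)."""
    if len(mbr) != SECTOR:
        return ["not a 512-byte sector"]
    problems = []
    if mbr[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xAA":
        problems.append("boot signature 55AA missing")
    active = 0
    used = []   # (entry number, start, size) of entries that passed the checks
    for n, e in enumerate(parse_partition_table(mbr), 1):
        if e["boot"] not in (0x00, 0x80):
            problems.append(f"entry {n}: boot indicator 0x{e['boot']:02X} is neither 00 nor 80")
        if e["type"] == 0x00:
            if e["start"] or e["size"]:
                problems.append(f"entry {n}: unused type but non-zero extent")
            continue
        if e["boot"] == 0x80:
            active += 1
        if e["start"] == 0 or e["size"] == 0:
            problems.append(f"entry {n}: zero start or size")
            continue
        if e["start"] + e["size"] > disk_sectors:
            problems.append(f"entry {n}: extends past the end of the disk")
            continue
        for m, s, z in used:
            if e["start"] < s + z and s < e["start"] + e["size"]:
                problems.append(f"entry {n}: overlaps entry {m}")
        used.append((n, e["start"], e["size"]))
    if active > 1:
        problems.append("more than one active partition")
    if not used:
        problems.append("no usable partition entry")
    return problems


def safe_to_rewrite_boot_code(mbr: bytes, disk_sectors: int) -> bool:
    """True only when the table that FDISK /MBR would leave in place is readable as-is."""
    return not check_mbr(mbr, disk_sectors)


# ---- constructed sample data (not real disk images) ----
DISK_SECTORS = 204_800   # assumption: a 100 MB disk


def _entry(boot: int, ptype: int, start: int, size: int) -> bytes:
    # CHS values are filler; only boot flag, type and LBA extent are checked
    return struct.pack("<8B2I", boot, 1, 1, 0, ptype, 0xFE, 0x3F, 0x7F, start, size)


# Clean MBR: dummy boot code, one bootable FAT16 partition, three empty slots, signature.
GOOD_MBR = bytes(CODE_LEN) + _entry(0x80, 0x06, 63, 204_737) + bytes(3 * ENTRY_LEN) + b"\x55\xAA"

# Same sector with the table bytes XORed by a constant: a stand-in for a virus that keeps
# the table encrypted and decrypts it only while it is resident.
SCRAMBLED_MBR = (GOOD_MBR[:CODE_LEN]
                 + bytes(b ^ 0x2E for b in GOOD_MBR[CODE_LEN:SIG_OFFSET])
                 + GOOD_MBR[SIG_OFFSET:])


if __name__ == "__main__":
    for name, image in (("clean", GOOD_MBR), ("scrambled", SCRAMBLED_MBR)):
        print(name, check_mbr(image, DISK_SECTORS) or "partition table looks sane")
```

A table that fails these checks on a machine booted clean is the case Vesselin describes: get the original MBR back (from a backup, or by letting a disinfector that knows the virus restore it) rather than overwriting the only code that can still locate it.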
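Editor's added example for the VALIDATE.COM thread above; this is not code from the digest, from McAfee, or from David Conrad's mdx.exe. David Conrad's remark that CRC polynomials "of course can be forged" is the part worth seeing done: the function below appends four chosen bytes to an arbitrarily modified file so that its CRC-32 equals that of the original, while the MD5 digests of the two files still differ. It uses the standard reflected CRC-32 (the PKZIP/zlib polynomial 0xEDB88320) as a stand-in, since the thread does not name the polynomials VALIDATE actually used; the "original" and "tampered" inputs are constructed byte strings rather than real executables.

```python
import hashlib
import zlib

POLY = 0xEDB88320   # reflected CRC-32 polynomial (PKZIP/zlib); assumption: stand-in for VALIDATE's polynomials
MASK = 0xFFFFFFFF


def _make_table() -> list:
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# The high byte of every table entry is distinct, so the high byte of a register
# value identifies which table row the last step XORed in.  That is what makes a
# byte-at-a-time CRC step reversible, and therefore the checksum forgeable.
INV = {entry >> 24: i for i, entry in enumerate(TABLE)}


def crc32(data: bytes) -> int:
    """Standard CRC-32 as an unsigned 32-bit integer."""
    return zlib.crc32(data) & MASK


def _step(reg: int, byte: int) -> int:
    """One byte of the table-driven CRC-32 update on the raw register."""
    return TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8)


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return four bytes p such that crc32(data + p) == target."""
    # Walk backwards from the wanted final register (undo the final XOR first),
    # recovering the table index each of the four steps must have used.
    cur = (target & MASK) ^ MASK
    indexes = []
    for _ in range(4):
        i = INV[cur >> 24]
        indexes.append(i)
        cur = ((cur ^ TABLE[i]) << 8) & MASK
    indexes.reverse()                    # now in the order the bytes are consumed
    # Walk forwards from the register left by `data` (undo the final XOR again),
    # picking each byte so that the step lands on the required table index.
    reg = crc32(data) ^ MASK
    patch = bytearray()
    for i in indexes:
        b = i ^ (reg & 0xFF)
        patch.append(b)
        reg = _step(reg, b)
    return bytes(patch)


def demo() -> dict:
    """Constructed stand-ins for a clean and a tampered executable."""
    original = b"CLEAN SCANNER BUILD 2.1.0 " + bytes(range(64))
    tampered = b"TROJANED BUILD 2.1.0      " + bytes(range(64))
    patch = forge_crc32(tampered, crc32(original))
    forged = tampered + patch
    return {
        "crc_matches": crc32(forged) == crc32(original),   # CRC-based validation is fooled
        "md5_matches": hashlib.md5(forged).digest() == hashlib.md5(original).digest(),
        "patch_len": len(patch),
    }


if __name__ == "__main__":
    print(demo())
```

The MD5 mismatch only helps if the reference digest reaches the user over a channel the forger cannot also rewrite, which is Vesselin's second point: a digest printed in the documentation can be edited along with the file, whereas a PGP signature over the file (as TBAV's author already did) needs the private key the forger does not have.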