VIRUS-L Digest   Wednesday, 17 Aug 1994    Volume 7 : Issue 69

Today's Topics:

Re: Mutating viruses?
Re: Bad and good viruses...
Re: Re| Viruses = Commercial Opportunity?
Re: virus in jpgs
Re: Naming of Viruses
Re: virus in jpgs
Re: Info
Re: Questions for anti-virus community
Re: Mutating viruses?
viruses on MAINFRAMES (VAX,IBM,UNIX)?
Re: Network virus protect (PC)
Re: Dr. Solomon Virus Signature Update (PC)
Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
Re: Tamsui/Christmas-1694? (PC)
Re: Network virus protect (PC)
Re: Smeg viruses (PC)
Viruses & TSRs (PC)
Re: How to save a boot sector (PC)
Re: Need Help on "V-SIGN" virus (PC)
Re: Info on AntiEXE needed (PC)
Re: Fixing the boot sector of a floppy? (PC)
Re: HK Vtech virus & Amoeba (PC)
Re: Stealth.B Pain (PC)
Re: Virus Source code on CD ROM? (PC)
Re: Q/A about Norman Virus Control (PC)
Re: Viruses & TSRs (PC)
Re: Smeg viruses (PC)
Re: Virus Scanners, Detectors, etc. (PC)
Re: please send me info on Mr-D (PC)
Re: Best Anti-virus software (PC)
Re: Satan Virus (PC)
Re: B1 virus on Chicago (PC)
Re: need help with possible filler virus infection (PC)
Re: Form virus on DOS (PC)
Re: AntiExe / Genp /Genp info needed.... (PC)
Re: Mummy Virus (PC)
Re: Need info about "Ripper", "Keypress", "Kampana" viruses (PC)
Re: Help on Budo Virus (PC)
Re: Mummy Virus (PC)
New AV products for the tests (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 16 Aug 94 08:23:58 -0400
From: s4mwh@csc.liv.ac.uk (M.W. Holcroft)
Subject: Re: Mutating viruses?

c0900238@techst02.technion.ac.il (Dimerman Dan ) writes:

> Hi!
>
> In some antiviruses I noted that under the comment about certain virus,
> goes something about a "mutation" of some original virus.

This type of mutation sounds a little strange... they would have to be variants of some virus, rather than mutants, because if a virus mutates properly, it should be unrecognisable from its 'parent' or source. Of course, you might check for percentage similarity....

> Besides of the human touch to some part of the virus code, can it be that
> taking in account the exponential rate of propagation and some kind of "noise"
> in the process of propagation, be analogous to the biological viruses
> propagation and mutation processes? Set aside the complexity of the latter
> against the former...
> I mean, if not now perhaps in the future, can a piece of self-replicating
> code be changed in a way that in some cases it's still runnable?
>
> Thanks for your time...
>
> Dan.
>

It doesn't make a great deal of sense to talk about computer viruses in the same way as biological viruses. They are of course subject to the 'laws of evolution' (fitness) but that is all... they do not mutate at random, they mutate in an entirely determined way (and the means of mutation is included in the code!); and most of all they do not evolve.
They do not gain new features or new abilities, they just present to the virus detector a different face, so that the virus detector has to come up with an entirely new way of locating them (it is no longer possible to have a search pattern associated with a virus). The 'fit' viruses therefore avoid detection for longest.

There is no need to create a mutant replica of a piece of code and just HOPE that it will work... it is possible to alter a piece of executable in an entirely determinable way (before hand, that is) which will then be so dissimilar to the original that it can never be traced by any pattern matching algorithms.

You might take an existing executable from the "system as it is" (from an old Kant volume (Critique of formal systems)), and insert your code into it so that the vast majority of the new file is "the file as it was". You would do this by inserting one instruction and a branch (unconditional, or conditional on some condition that you have just set - so the branch always occurs) or a jump (the more opcodes a processor has for this the better - DBRA BRA BREQ BRNEQ & so on, because it means you can select from these rather than use the same few over and over) to the next instruction of viral code.... in between viral code you have the existing code, and jumps over, around, under (hoho) the viral code so the new executable becomes the virus..... and it will still work as the executable it once was, just infecting other executables (maybe itself....??) every n occasions... to some piece of code that runs over a network.... (yum?)

You might just tell your virus mutate function to introduce NOPs all over the place, and ADD 0, and MUL 1 and so on into the new viral code, introduce random opcodes and operands, but branch over them, so that the viral code is entirely different from the original.
    From                        To
    -----------------------     -------------------------
       MOVE.B #255, d0             NOP
    a  MOVE.L (a0)+, -(a7)      a  MOVE.L (a0)+, -(a7)
       DBRA d0, a                  ADD.Q #0, a7
       JSR d                       MUL a7, 1
       MOVE.L (a7)+, d0            NOP
       MOVE.W #5, -(a7)            DBRA d0, a
       MOVE.L d0, -(a7)            NOP
       SUB.W $FFFF, d0             BRA b
       MOVE.L d0, -(a7)            MOVE.L 25356, d0
       MOVE.W #-1, -(a7)           MOVE.L 25, d4
       TRAP #14                    NOP
       MOVE d0,-(a7)               JMP a7
                                b  JSR d
                                   ADD.Q 1,d
                                   MUL d,1
                                   MOVE.L (a7)+, d0

etc etc.

You might rearrange the viral code

    From                To
    ------------------  ------------------
    a  opcode operand      JMP a
       opcode operand   c  opcode operand
    b  opcode operand      opcode operand
       opcode operand      JMP d
    c  opcode operand   a  opcode operand
       opcode operand      opcode operand
    d  RTS                 JMP b
                        d  RTS
                        b  opcode operand
                           opcode operand
                           JMP c

Less than effective???? Rapid growth in size??? maybe mimicking behaviour of some data file??? you might make it more sophisticated, so that it can grow and shrink, the problem being that the mutate function works off itself, so there would have to be some way of tracing the flow of a program and rewriting it in a single sequential block. How does the mutate function recognise loops???

You might specify some instructions as being equivalent to others... so

    MOVE.W a,b  =  MOVE.W a,c
                   MOVE.W c,a
    MOVE.L a,b  =  MUL b,0
                   ADD a,b
    ADD.W a,b   =  MOVE.W a,c
                   SHR c,#1
                   ADD.W c,a
                   ADD.W c,a   (not quite???)

etc etc

And, of course, you might combine them. Otherwise known as code obfuscation.

> I mean, if not now perhaps in the future, can a piece of self-replicating
> code be changed in a way that in some cases it's still runnable?

As I said, it's not necessary to mutate randomly.... however, any code is executable..... try executing a bitmap image from a screen.... it will more likely than not try a divide by zero, or jmp out of range or some other such, so that it will not run for very long... at least in a multitasking operating system, the executing process will be removed. But nice behaviour is hardly expected of a virus? These 'viruses' wouldn't reproduce very well though.
They would be sterile offspring (to talk in the biological sense, that I said shouldn't be used....)

You are thinking of something entirely different, being genetic algorithms (which DO take their terms from biology - programmes are written on an environment (like a RISC in some ways) where the opcodes all take the same form. Algorithms are mutated, and their behaviour compared to the desired behaviour. It might be nothing like, in which case it is unfit; it might be the same, in which case it is fit; it might be 'the same, but better' (more efficient, more generalised, more stable, whatever), in which case it is superior. Evolution is biased in favour of 'fit' and 'superior'. The choice of fitness is arbitrary. Not like real evolution at all, where an 'inferior' organism might survive at 'bubble over' until a dramatic change in the environment makes it more suited than any of its (previously superior) competitors; and where perfectly fit organisms can become extinct by chance (dinosaurs, etc).

It can be seen from this that it (is / will be) impossible to trace a virus by its byte appearance on some 'storage device' (possibly RAM), but only by its behaviour. You would have to monitor certain parts of a system (writing executable files for example), and log them carefully, then notify the administrator (user on a PC). Normally executables SHOULDN'T alter very often at all, created by COPY perhaps, or by a compiler. Processes (writing / writing to) executables should be logged. It would be easy for the admin to see whether a process should be allowed to write an executable. You might have an OS call that registers processes able to write executables, and bar all others from doing so... but what about executables introduced from (say) an install disk???? Or across a WAN, via a modem???? What about viruses that log themselves?? What about some system (can't think of one :) ) that constantly writes executables (propagation, garbage collection???)
maybe a person presented with such a list would be completely overwhelmed by it. What about a merge-mutate virus (as described above) infecting a compiler? What happens if your OS's write-to-device function is infected (unlikely, but possible) so as to insert 'obfuscated' code into the file it is writing to under certain circumstances????

This applies fairly easily on a standalone system that makes a clear distinction between "executables" and "data", but what about object oriented systems, where data comes with methods to alter it??? The 'object broker', 'object server', whatever has to be trusted to maintain virus free objects... How do you disinfect a compound object, in which a low level object has been infected? What about distributed OSs, where the virus might be lurking somewhere where you have no way of verifying correct behaviour??? What about DLLs (dynamic link libraries) where an executable is thrown together (no more here's one I made earlier :( ) at load time????? What about distributed DLLs???

On another track: why encrypt a virus???? To execute, it must decrypt. It must therefore either use some OS decryption routine, or include unencrypted decryption code, which will be the pattern to search for (might use some autodecrypt function shared with compacted programmes - I DO NOT use auto decrypting executables for this reason. It IS a pain decrypting to run, but you KNOW about it). Encrypted code cannot mutate (the chance of altering a block of meaningless data, and expecting it to mean something at some later stage AFTER the random alterations is tiny) so it too can be used as the pattern to search for in a virus detector. Encryption is useless; although it does mean that you cannot find calls to certain routines (XBIOS calls, or whatever) so locating it in the first instance is made more difficult, but once someone has done that, a virus detector can be updated and the virus is no longer any more difficult to find than any other.
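The defence argued for in the message above, catching a mutating virus not by its bytes but by the one thing it cannot avoid doing (changing an executable that should not change), is what an integrity checker does after the fact. The following is an added example written for this edition of the digest; it is not code from M.W. Holcroft or from anyone else on the list. It records a baseline of size and SHA-256 digest for every executable under a directory and reports which files have appeared, vanished or changed since the baseline was taken. The extension set, the file names, the helper names (snapshot, compare, demo) and the 1694-byte growth used in the demo are all constructed for the illustration.

```python
"""
Added example (not from the VIRUS-L digest or any poster): a minimal
integrity checker in the spirit of Holcroft's "detect by behaviour" point.
The extension set, sample files and helper names are assumptions made
for this illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions treated as executables here (a DOS-era set, chosen for the example).
EXECUTABLE_SUFFIXES = {".com", ".exe", ".sys", ".ovl", ".bat"}


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each executable under root (relative POSIX path) to its size and digest."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = p.relative_to(root).as_posix()
            result[rel] = {"size": p.stat().st_size, "sha256": file_digest(p)}
    return result


def compare(baseline, current):
    """Classify differences between two snapshots.

    Returns {'added': [...], 'removed': [...], 'modified': {name: {'size_delta': n}}}.
    The size delta is kept because an appending infector leaves the same
    growth on every victim, which is itself a useful clue for the analyst.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for name in set(baseline) & set(current):
        if baseline[name]["sha256"] != current[name]["sha256"]:
            modified[name] = {"size_delta": current[name]["size"] - baseline[name]["size"]}
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(snap, path):
    """Persist the baseline. In real use keep this copy where the checked
    system cannot write to it; the checker is only as trustworthy as its baseline."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Self-contained run on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "disk"
        root.mkdir()
        (root / "APP.EXE").write_bytes(b"MZ" + b"\x90" * 1000)    # constructed
        (root / "README.TXT").write_text("not an executable")     # ignored by snapshot
        (root / "TOOL.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21")  # constructed

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated events after the baseline (all constructed): APP.EXE grows
        # by a constant 1694 bytes, the way an appending infector's victims do;
        # TOOL.COM disappears; a new NEW.COM shows up.
        with open(root / "APP.EXE", "ab") as f:
            f.write(b"\x00" * 1694)
        (root / "TOOL.COM").unlink()
        (root / "NEW.COM").write_bytes(b"\xc3")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run as-is it prints the demo report. For real use, take the baseline on a system known to be clean and booted from a clean medium, keep baseline.json somewhere the checked system cannot modify, and treat a changed executable that nobody reinstalled as exactly the event Holcroft says an administrator should be shown. The limits he raises apply here too: a checker compares states, so a legitimate COPY or compiler run will also be listed and a person still has to judge it, and a stealth virus resident at check time can hand the checker the original file contents, which is why the clean boot is part of the procedure.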
------------------------------

Date: Tue, 16 Aug 94 09:56:34 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Bad and good viruses...

Sam Wilson (ercm20@festival.ed.ac.uk) writes:

> [[[ US export control laws apply to virus!? ]]]

> And in the case of a virus I can't help wondering just who they'd
> prosecute...

The person they happen to catch exporting it. :-) That was one of my objections against such software being implemented as a virus - it makes a criminal from the US citizen who is crossing the border with an infected diskette forgotten in their luggage.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 10:31:28 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Re| Viruses = Commercial Opportunity?

kazatski@kartaly.chel.su (Kazatski Oleg Nikolaevitch) writes:

> Are there the antivirus program that can find nearly 4500 viruses ?

Sure. Today's version of F-PROT (2.13c-internal) can distinguish between 4350 different viruses, and in addition there are somewhere over 100 variants that I have but don't identify ... they are currently only reported as new variants of some other virus....that's over 4450 ... I guess you can call that "nearly 4500".

- -frisk

------------------------------

Date: Tue, 16 Aug 94 10:48:16 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: virus in jpgs

bob kwiatkowski (anaconda@gagme.wwa.com) writes:

> > The long answer... Well, it is possible to hide a message in a
> > graphical image, but distributing it over the least significant bits
> > that code each pixel. This message could contain anything, including a
> > virus.
> > Of course, it is not possible to activate the virus (i.e., make
> > it infect) by just viewing the image; you'll have to extract the virus
>                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > to an executable file first and then run this file.
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Does anyone know of any cases where this has actually happened? Where a
> virus was dormant in a JPEG or any non-executable for that matter ??

The expression "was dormant" is probably not very correct - it seems to imply that the virus can somehow "wake up" and begin to spread. It cannot. I don't know of any case of such thing happening, but there are publicly available steganography tools, which can be used to hide messages in pictures - maybe someone somewhere has used this method to communicate a virus secretly to somebody, although I don't see the sense in this.

As to the other part of your question, yes, there are many known cases when a virus has infected a data file. Frodo is a very good example for this. Of course, the virus cannot spread from there.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 11:10:49 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Naming of Viruses

Michael D. Jones (michael_d_jones@ccm.hf.intel.com) writes:

> This may be a trick question, or a useless one depending on your
> point of view, but what determines the correct "official" name
> for a virus.

It *is* a tricky question. In general - nothing determines how a virus will be named, I mean there is no "official" way. Usually there is a lot of anarchy in this area - every anti-virus researcher calls the virus they discover the way they like it.
A couple of years ago, by a suggestion from two guys from NIST, a subgroup was formed within CARO. The goal of this group (consisting of Dr. Alan Solomon, Fridrik Skulason, and me) was to produce a set of guidelines about how to name viruses and to agree on a common set of names for the existing viruses. We did the best we could and the resulting naming scheme is available from

ftp.informatik.uni-hamburg.de:/pub/virus/texts/tests/vtc/naming.zip

Mind you, our naming scheme is far from perfect. One of its worst flaws is that the names of the viruses change from time to time. Still, it is the best thing I have seen so far. All anti-virus producers are encouraged to use it and indeed many are already doing so. The names used by F-Prot are the closest to the CARO virus names.

> For example, say I have two different virus
> scanners and they both catch the same virus, but they report it
> as being a different virus, what virus did I just catch? I

This does not depend on the virus naming scheme - it depends on whether your scanner can do exact virus identification or not. Very few scanners can do this for closely related variants of the same virus. Dr. Solomon's scanner is unarguably the best in this aspect, although several others (AVP, F-Prot) also perform identification to some aspect (AVP) or for some viruses (F-Prot - of about 1/3 of the viruses it recognizes).

> know the easy answer is: who cares, you caught it!, but what if
> I didn't catch a virus that this particular scanner said that it
> should catch, because one or both of us used the "unofficial"
> and not the "official" name. Do you see where I'm going with
> this?

Yep. Most scanners do not distinguish between Cascade.1704.A and Cascade.1704.Format - yet the first will probably never activate on your machine, while the second might format your hard disk.
> I've heard people talking about the CARO names, although I
> don't recall this ever being explained on the list and I can't
> find my copy of the FAQ right now.

It's not in the FAQ... probably because this question is not asked very frequently. Most people are asking what a virus does or how to get rid of it, and not how to name it.

> so is there some type of criteria by
> which a virus is named and if so, why do different scanners
> sometimes report the same virus as being different? I think I

The different scanners report the same virus under different names either because they are unable to identify it exactly, or because they are using a different naming scheme. Regarding the naming criteria, I can speak only about the CARO naming scheme. It consists of several rules how *not* to name a new virus. Also, we group the viruses into families with hierarchical structure, based on the similarities of their code (and not, for instance, on where the virus has been found, who has written it, and so on).

> I would still be interested in seeing a finger, gopher, WWW
> source for virus info.

Check IBM's gopher site and Data Fellows' WWW site. I think they were posted here recently.

> Concerning the FAQ. The FAQ says, "The FAQ is a dynamic
> document, which changes as people's questions change." But the
> FAQ also says that it was last updated on 18 November 1992. So
> either the date has not been updated since 1992 or people have
> been asking the same questions since 1992. It's not really that
> bad is it Vesselin and Frisk. :)

It is bad enough. Yes, you are right - the FAQ has not been updated in the last two years, and yes, people are asking one and the same questions, and yes, few people read the FAQ in the first place. :-) But we are currently working on a new version of the FAQ - some things in it really need updating.
Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 12:46:19 -0400
From: cdibona@mason1.gmu.edu (Chris J DiBona)
Subject: Re: virus in jpgs

On virus-infested Jpegs.

The origin of this rumor is a combo of stuff, I think. There are a few programs floating about on the internet that will embed a file using the least-significant bit of a pixel as a storage space for data. This method works for non-destructive compression only. I.E. If you have a picture that is compressed using a gif or a tiff type compression (Which is Lempel-Ziv (sp) or Run-length encoded) then you can store data within the picture. If you have a method like JPG which, for all its benefits of smaller files and such, really affects color depth, then it is in reality squishing away the bytes that mattered.

Either way, I don't see how it could infect a machine, I mean unless you've read too many copies of snow-crash, anyhow.

Chris DiBona (Does that help at all?)

- -------------------------------------------------------------------------------
To subscribe to the Terrorist Profile Weekly, send email with "subscribe terrorist" in the header (no caps) to cdibona@mason1.gmu.edu. to Unsubscribe, send "unsubscribe terrorist" to the same address.
Free the Mad-Dog Forty!!!!!
- -------------------------------------------------------------------------------
- ---------> As far back as I remember I wanted to be a gangster.
<-------------
- ---> If you're a newbie and want to ask a question about the net, email me <---
- -------------------------------------------------------------------------------

------------------------------

Date: Tue, 16 Aug 94 12:52:31 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Info

Stanley E Ridenour (stanr@mdhost.cse.TEK.COM) writes:

> I would
> like to see statistics on the incidence of viral attacks by type and
> geographical location, as well as trends on the spread of each type.
> Does such a clearinghouse exist?

Unfortunately - no. Several organizations and anti-virus researchers are gathering such information for themselves (based on the reports from their customers), but no central clearing house for collecting such information exists. I wish it existed... But there are many problems with this - the different scanners report one and the same virus by different names, do not identify the particular variant exactly, and so on.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 13:05:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Questions for anti-virus community

Chris Henderson (cvhender@csn.org) writes:

> Is there a finite number of viruses as yet to guessed at for each
> of the systems: os/2 windows unix dos ect...?

I am not sure that I understand your question. Are you asking whether the number of possible viruses on those platforms is finite? Yes, it is. Or are you asking about the number of known viruses on those platforms?
If this is your question, then we have 2 OS/2-specific viruses, 4-5 Windows-specific viruses, 3-4 Unix-specific viruses (and one worm), and about 4,600 IBM PC viruses. There are viruses for other platforms as well - Amiga, Atari ST, Macintosh, Acorn Archimedes, Commodore 64, Apple ][...

> Where seem to be the most viruses being made, {geographical}
> and field.. {BBS Lan r&d}

Geographical - mostly in the USA and Russia. Field - dunno... They are written mostly by irresponsible teenagers, so I guess it would be in the educational institutions. Contrary to the popular belief, the BBSes are not a major source of virus infections, except those that specialize in virus exchange.

> Does a dos based BBS have any concerns if using "THDPRO9.01 w/ tbav,
> scan117, f-prot213a.

I don't know what THDPRO9.01 is, but the others are an excellent combination of scanners. However, I would advise you to use some other kinds of defense too - mostly an integrity checker and an automatic boot sector restoring program. If you can configure your machine to always boot from the hard disk, that's a pretty good thing to do too.

> Does a dos based BBS have any concerns of being online 24h/7d a week
> towards viruses..

Yes, two concerns. First, no files uploaded by the users should be executed on the machine that runs the BBS. Second, the SysOp should take care to make sure that the BBS is not used as a carrier of an infected package. Unfortunately, the most that can be done in this aspect is just to scan all incoming programs with up-to-date scanners.

> I also run full system b.u.'s a week, not much activity, but want to start
> porting rfc822 messages and fidonet {fts-1?} in on a daily basis. Should I
> be scanning the mail packages?

No, that would be a waste of time. If somebody really wants to post a virus, they could encode or encrypt it.
Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 13:12:29 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Mutating viruses?

Dimerman Dan (c0900238@techst02.technion.ac.il) writes:

> In some antiviruses I noted that under the comment about certain virus,
> goes something about a "mutation" of some original virus.

By this they probably mean the number of variants of a particular virus.

> Besides of the human touch to some part of the virus code, can it be that
> taking in account the exponential rate of propagation and some kind of "noise"
> in the process of propagation, be analogous to the biological viruses
> propagation and mutation processes?

Yes, it can, and several such cases are known. Of course, in most cases the virus simply gets corrupted, becomes unable to replicate further and just "dies". However, in some cases the random corruption can occur at a place in the virus body that is not vital for the replication process. A typical example is the Cascade.1704.Y virus, although there are other, less well-known cases. Roger Riordan has a paper about this in the last year's proceedings of the Virus Bulletin conference.

> I mean, if not now perhaps in the future, can a piece of self-replicating
> code be changed in a way that in some cases it's still runnable?

Yes, it can, and it sometimes does. However, the chance that it gets randomly modified in a way that actually is an improvement (as sometimes happens in the evolution of the biological organisms) is vanishingly small.
Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 11:07:51 +0000
From: rakesh@kuc01.kuniv.edu.kw
Subject: viruses on MAINFRAMES (VAX,IBM,UNIX)?

Recently we had our PCs & Novell servers infected by some virus (possibly called IM). We also have UNIX machines & IBM & VAX Mainframes. Now, after this virus incident we are worried about our UNIX machines & Mainframes. We have heard that there are no known viruses for UNIX,MVS & VMS. Is it true? If it is true, then why viruses don't exist or can't exist for these type of machines & operating systems. If they exist, then from where can I get a list of known viruses & how can we protect these machines (UNIX,MVS,VMS) from viruses?

Lot of our users including system managers on these machines use FTP to pull & install freeware software. Can this lead to some sort of viruses or what other type of risk is involved?

The main point here is if main frames can be infected by viruses & how?

You may reply on my E-mail address: rakesh@kuc01.kuniv.edu.kw

Thanks in advance,
RAKESH

------------------------------

Date: Tue, 16 Aug 94 08:32:15 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Network virus protect (PC)

Mikko Hypponen (mikko.hypponen@wavu.elma.fi) writes:

> > It's better to use a program like this on a LAN, rather than simply
> > running stand-alone scanners on the workstations.

> No, no. It's a common misunderstanding that an anti-virus NLM running
> on a Novell server could replace workstation-based virus protection.
> The reason a NLM by itself does not provide sufficient protection is
> the existence of the boot sector viruses.
Maybe he meant to use them to protect the *server*. The NLMs are indeed more suitable for this purpose than workstation-only based protection, and boot sector viruses are irrelevant for this, because they don't spread across the network anyway. Of course, it is always better to deploy both lines of defense - use an NLM to protect the server and workstation-based protection to protect the workstations.

> Stealth viruses are not able to stealth themselves in memory, so the
> PC-based scanner would find them before it would be fooled by it.

Not necessarily. There are a few viruses which are polymorphic even in memory - and unsurprisingly many scanners cannot find them there.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 08:32:30 -0400
From: gcluley@sands.co.uk
Subject: Re: Dr. Solomon Virus Signature Update (PC)

hkueee2!h9114644@uunet.uu.net (CHAN TAK YIN) writes:

>Can anyone tell me where can I ftp the signature update of Dr. Solomon
>Toolkit?

I don't think we (or any of our worldwide distributors) make our signature files available via anonymous ftp. They are available from BBSes and the like.

It's important to realise, however, that just an update of the signature file is not enough. You will need regular updates of the FindVirus engine (FINDVIRU.EXE) to make sure you are detecting the latest viruses.

Remember, Dr Solomon's Anti-Virus Toolkit is a commercial product. If you're a registered user of the Toolkit you will probably be receiving updates already on a quarterly or monthly basis.
Our distributors in your area, handling Hong Kong, are:

Digitus Computer Systems
11 Dhoby Ghaut
#09-01 Cathy Building
Singapore 0922
Tel: +65 337 1945
Fax: +65 336 9672

Regards,
Graham Cluley
- ---
Graham Cluley [gcluley@sands.co.uk]      S&S International PLC
Product Specialist                       Alton House, Gatehouse Way
Dr Solomon's Anti-Virus Toolkit          Aylesbury, Bucks HP19 3XU
Tel: +44 (0)296 318700                   United Kingdom

------------------------------

Date: Tue, 16 Aug 94 08:32:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

Mikko 'Hermanni' Hypponen (mikko.hypponen@wavu.elma.fi) writes:

[about CRC forging]

> Or, just replace the VALIDATE.COM file in the archive with a
> bogus copy written in DOS batch language and compiled to a COM;
>
> @echo off
> echo VALIDATE 0.4 Copyright 1988-92
> echo.
> echo File name: %1
> echo Size: 164,319
> echo Date: 7-15-1994
> echo File authentication:
> echo Check Method 1 - 064C
> echo Check Method 2 - 0AA2

This won't work, because it will print one and the same result for every file checked.

> I've never understood why
> some packages come with the validation program included.

In order to provide the validation program to those who are getting the package for the first time.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 08:32:39 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

David_Conrad@MTS.cc.Wayne.edu (David_Conrad@MTS.cc.Wayne.edu) writes:

> I wasn't talking about putting the hashes in the documentation.
> I meant
> publishing them in comp.virus/VIRUS-L and other places. I specifically
> *would* *not* put them in the docs, since this is worse than useless, and
> I can't for the life of me imagine why McAfee does so.

Because SCAN is *very* widely used/distributed. Many people would get a copy from a BBS, or from a friend, etc. They still have to have at least some way to check that the package is not corrupted. Of course, the current procedure provides absolutely no security against a malicious forgery.

> I know that some users don't have access to the net, but consider this:
> Let's say you publish a public key and include a detached pgp signature
> for every file in an antiviral. All the attacker needs to do is modify
> the files, create his own private key/public key pair, sign the modified
> files with the private key, include the public key in the zip file along

Yep, key spoofing. It's the main problem with public-key cryptosystems. I'll deal with it below.

> with a message saying, "Our old key wasn't secure enough or accidentally
> got stolen or whatever, please use this key from now on." This would

Actually, it will be more clever not to put any message whatsoever. Most naive users will either use the key that is in the package, or not bother to check the authentication at all. Or not have PGP in the first place. :-) Nothing can be done for such people. The idea of using public-key crypto to authenticate shareware-distributed packages is only for those who take due care to do the necessary checks.

OK, now about the key spoofing. Yes, as I said, the danger exists. However, public key cryptography still makes our life much easier. For instance, the user of a particular package will have to get the public key of the producer via a tamper-proof channel only *once*. As it is now, he has to get the checksums via such a channel *each time* a new version of the product is issued.
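The once-only trusted-channel argument above, as an added example that is not part of the original post: a verifier that pins the producer's key against one that trusts whatever key ships inside the download, plus the per-release checksum alternative (Go, using Ed25519 from the standard library in place of PGP; the Release type, function names, seeds and package bytes are constructed assumptions).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Release is what a user downloads from a BBS: the package bytes, a detached
// signature over them, and a public key that travels with the download.
// Only a key obtained once through a tamper-proof channel is authoritative;
// the key inside the download is untrusted data like everything else in it.
type Release struct {
	Package     []byte
	Signature   []byte
	EmbeddedKey ed25519.PublicKey
}

// PublishRelease signs a version with a long-lived key. The producer does this
// for every release; the user's pinned key does not change between releases.
func PublishRelease(signer ed25519.PrivateKey, pkg []byte) Release {
	return Release{
		Package:     pkg,
		Signature:   ed25519.Sign(signer, pkg),
		EmbeddedKey: signer.Public().(ed25519.PublicKey),
	}
}

// VerifyPinned is the careful user's check: the signature must verify under
// the key pinned once via the trusted channel, whatever key the download carries.
func VerifyPinned(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Package, r.Signature)
}

// VerifyNaive trusts whichever key ships with the package. This is the check
// that key spoofing defeats: a re-signed package always carries a matching key.
func VerifyNaive(r Release) bool {
	return ed25519.Verify(r.EmbeddedKey, r.Package, r.Signature)
}

// ChecksumMatches models the VALIDATE-style alternative: it is only as good as
// the channel the expected digest came through, and that is needed per release.
func ChecksumMatches(trustedDigest [32]byte, pkg []byte) bool {
	return sha256.Sum256(pkg) == trustedDigest
}

// Scenario runs both verifiers over a genuine release and a re-signed copy.
// Seeds are constructed constants, not real keys.
func Scenario() (genuinePinned, spoofPinned, spoofNaive bool) {
	producer := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	other := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	pinned := producer.Public().(ed25519.PublicKey) // fetched once, out of band

	genuine := PublishRelease(producer, []byte("constructed scanner package, version 2.13"))
	// The spoof from the thread: altered files, signed under a different key,
	// with that key shipped inside the archive.
	spoof := PublishRelease(other, []byte("constructed scanner package, version 2.13, altered"))

	return VerifyPinned(pinned, genuine), VerifyPinned(pinned, spoof), VerifyNaive(spoof)
}

func main() {
	g, sp, sn := Scenario()
	fmt.Println("genuine release, pinned key:         ", g)  // true
	fmt.Println("re-signed release, pinned key:       ", sp) // false
	fmt.Println("re-signed release, key from download:", sn) // true: naive check fooled
}
```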
And, if the public key of the producer becomes invalid for some reason, they can issue a key revocation certificate, generate a new key signed with the old one, and so on. In short - it doesn't solve all problems, but certainly introduces more security for those who care about it. (The others deserve what they get.)

> I believe the RSA patent expires on 20 September 1997. Before that there
> will be too many legal problems for any company that wants to do business
> in the U.S. to go this route.

Only if they want to use it commercially for free. They still can use MIT-PGP 2.6 for non-commercial applications in the USA, or ViaCrypt PGP 2.7 for commercial applications. Additionally, according to the US Government, DSS (which is only an authentication public-key algorithm; not good for encryption) does not infringe on RSA's (actually PKP's) patents.

Anyway, this topic is more appropriate for alt.security.pgp or sci.crypt; we got carried away from the virus topic...

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 08:42:32 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Tamsui/Christmas-1694? (PC)

Kevin Kenney (kenney@netcom.com) writes:

> Ran into the virus F-Prot 2.13 calls Tamsui and can disinfect,
> and that Nav 3.0 with 7/94 definitions (30a09) calls Christmas-1694
> (the correct file size increase) and can't disinfect.

It is one and the same virus and its infective length is indeed 1694 bytes.

> Can somebody send some background data?

Memory resident virus. Activates between December 23 and December 27, displaying the message you have seen (and playing with the speaker - some tune, I suppose).
Infects on file execution. Infects only EXE files, recognized by 'MZ' in their first two bytes. Not intentionally destructive.

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 08:56:04 -0400
From: mjb@doc.ic.ac.uk (Matthew Jude Brown)
Subject: Re: Network virus protect (PC)

mikko.hypponen@wavu.elma.fi (Mikko Hypponen) writes:

>Robert Schifreen (hex@cix.compulink.co.uk) wrote:
>> It's better to use a program like this on a LAN, rather than simply
>> running stand-alone scanners on the workstations.
>
>No, no. It's a common misunderstanding that an anti-virus NLM running
>on a Novell server could replace workstation-based virus protection.
>The reason a NLM by itself does not provide sufficient protection is
>the existence of the boot sector viruses.

This is why at least some of the NLM products these days work in association with a small TSR on each workstation that sends the boot sectors of disks to the NLM for scanning. Of course, stealth boot-sector viruses can defeat this, but the situation is better than you describe. I'd still advise everyone to use a workstation-based scanner (booting off a clean disk) every so often -- both TSRs and NLMs have their drawbacks.
- -Matt

- --
 ____  Morven -- mjb@doc.ic.ac.uk -- m.brown@ic.ac.uk -- Matthew Jude Brown
 \ _/__  Sophos PLC, 21 The Quadrant, Abingdon, Oxon OX14 3YS - (0235) 559933
  \X  /  32 Goldsmiths Lane, Wallingford, Oxfordshire OX10 0DN (0491) 833990
   \/    | We are the people our parents warned us about |

------------------------------

Date: Tue, 16 Aug 94 09:01:55 -0400
From: mjb@doc.ic.ac.uk (Matthew Jude Brown)
Subject: Re: Smeg viruses (PC)

cudat@csv.warwick.ac.uk (J M Hicks) writes:

> panther!jaguar!cmeli@relay.iunet.it (Clyde Meli) writes:
>>...The viruses, Queeg, named after a character in a television
>>science fiction series, Pathogen and Germ, destroy data
>>on a computer's hard disk and can disable the external disk
>>drive, meaning victims have to take their computer apart to
>>fix it...
>
>Is it really true that the computer has to be taken apart? If so,
>how does the virus disable the disc drive?

The virus disables the floppy drive in the CMOS and then trashes the first partition on the first hard disk (if I remember correctly). This generally means that the machine cannot be booted from the floppy drive (since the BIOS thinks one isn't there) nor the fixed disk. The hardware itself is not damaged, merely the BIOS configuration.

- -Matt

------------------------------

Date: Tue, 16 Aug 94 09:19:08 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Viruses & TSRs (PC)

From: "Mark J. Miller"
Subject: Viruses, TSRs (PC)

1. What antivirus products are available for scanning in compressed partitions? (dos)

Virtually any scanner will scan inside a mounted compressed partition.
It only gives trouble to those that do not use DOS (to avoid stealth) and that can usually be turned off.

2. How easy is it for a virus to defeat an antivirus product loaded as a tsr? (dos)

Depends on how deeply integrated the a-v product is. In simplest terms, any single phase program can be defeated by a directed attack (some like MSAV make it too easy IMHO). However the single-state nature of DOS can also work in favor of the a-v in that if the virus is not resident, it cannot keep a followup program from detecting that the a-v is turned off and if it is resident in memory, the virus cannot protect itself from being detected. (BTW re Norman's TOAST: they are not the only a-v to detect such things, my old freeware CHKMEM (in FixUtil6) that just checks 6 bytes will reliably detect it when resident).

3. Given the following scenario:
   - fprot's virstop is loaded as a device driver.
   - netware is loaded
   - virstop is "rehooked" using the /rehook option
   How easy is it for a virus to circumvent virstop's protection?

Cannot talk about FPROT but my DiskSecure uses two separate mechanisms to protect from attack - the first is the DS2MOVE.SYS function which, when run from CONFIG.SYS moves the driver out of what I consider an exposed location in high memory "somewhere else" after running a number of checks. This also frees all memory not used for code and verifies that the DS2 intercept is operational. Second is the DS2CHK program which simply verifies again that the intercept is operational using quite rigorous checks including detection of "tunneling". This program may be run as part of a LAN login script.

The bottom line is that a long time ago (see the safe PC model I described here a number of years ago) I came to the conclusion that any single product can be bypassed and two layers could in theory, but three layers I felt was "good enough".
DiskSecure was written as a "proof of principle" I had hoped that the OS MFRs (Microsoft, IBM, and Digital Research now Novell) would pick up on since all would be easy to incorporate at the OS level. I was rong.

Having proven to my satisfaction that this can be done and that all BSI, MBR, and DBR infections (which are still the leading cause of infection) could be eradicated with some simple steps and having discovered that there is evidently no commercial interest or advantage to my family or car collection in doing so, I am spending my time now designing PC based (cheap) Internet firewalls, filters, and security programs. For modems we use demon-dialers to find holes so why not use a daemon-pinger to do the same for TCP/IP? Viruses look for openings in OSs, so why not do the same to expose open TCP/IP sockets.

Since there are 63 Mb of RFCs to be examined (why She made CD-Roms) and compiling all of the libraries needed to support datagrams is non-trivial, am shortcutting through the use of the WATTCP and FTP PCTCP SDK but this means relearning C plus all of the updates since 1977 when I first encountered it (good news is that the daemon-pinger worked this weekend so am doing something rite - bad news was that my C compiler was somewhat old so had to create my own _fmemcmp function and a few other things but nothing new). At any rate, it is fortunate that I need little sleep since free time has gone even more negative.

Meanwhile back at the viruses. What I am seeing now is really boring repetition and the same tired tactics just dressed up with making life difficult for scanners. Said scanning was a dead end in 1989 and still believe it even though a few (FPROT, AVP, Dr. Solomon's) are very good while the integrity managers never did very well (Enigma-Logic's PC-Virus-Safe, Dr. Panda, McAfee Vshield yes ! look at the switches), IM, Virus-Buster) except in niches but there IMHO is where the real answer is.
The fact is that the first DS was designed to be used in conjunction with an IM (Enigma Logic's in particular - worked closely with Bob Bosen on that), together they are just about unbypassable in a corporate environment IMHO. Problem is that the IM products were never developed very far and even so came very close to being great. Biggest problem is 1) False Positives and 2) Excessive Ram use. Both are soluble (2) easiest and (1) with what I call "conditionals" - but require dedicated efforts and not just a hobby approach (has its advantages - no time pressure).

However it is evident (TOAST) that the marketoids have taken over. Something of what I call the "Radio Shack" syndrome though it runs throughout our society. Years ago if you needed a 12AU6 you could find one in many places - Allied Radio & Lafayette Electronics were the two biggies. Then Radio Shack took over the "high volume/high profit" end and squeezed out the competition. Then the lines started being reduced so that if you wanted the standard throwaway schlock, it was easy to get, but the good stuff got squeezed into niches where they first could not be afforded (BTW I also collect Zenith Trans-Oceanic Radios - if you have a nice one you would like to dispose of...) then could not be found at all.

Am afraid it is inevitable in a capitalistic society that once the perception of "good enough" (Quantum Economics (tm)) is reached, the market compresses and both the high end and the low end disappear. Today, anti-virus software is a commodity and the market is compressing. The marketoids and schlock have won & is time for the pioneers to move on.

Warmly,
Padgett

------------------------------

Date: Tue, 16 Aug 94 09:38:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: How to save a boot sector (PC)

Mike McCarty (jmccarty@spd.dsccc.com) writes:

> )Most disk sector editors have a facility to save a sector to a file.
> )Some AV software does, too.
> )Why don't you ask the support desk for the
> )AV Software company to whom you intend to send the sample how they
> )handle this?
> What's wrong with DEBUG?

The wrong thing with DEBUG is that most users don't know how to use it, and can easily screw something up on their systems, if they don't use it appropriately.

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 10:14:11 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Need Help on "V-SIGN" virus (PC)

Mike McCarty (jmccarty@spd.dsccc.com) writes:

> Many (most?) viruses cannot be _totally_ cleaned.

*All* viruses can be *cleaned* (i.e. removed) "totally", in the sense that no trace of them would remain. What you mean is that it is not in all cases possible to recover everything that might be infected or damaged, unless one has clean backups or originals.

> I had a Stoned.Azusa
> infection some time back. I removed the infection. But backup discs'
> data had been _damaged_ by the virus, and a few of the files were
> _unrecoverable_.

What kind of backup did you use? Also, V-Sign is quite different from Azusa. When Azusa infects a floppy, it overwrites the sector at Track 39, Head 1, Sector 8. This is at the end of a 360 Kb floppy (thus unlikely - although possible - to destroy something). However, it is in the middle of a high-capacity floppy, thus almost certainly destroying information there. As opposed to it, V-Sign can distinguish between the different floppy disk formats. It also uses the last sector of the root directory, thus making it less likely to destroy something.
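The sector arithmetic behind the Azusa/V-Sign comparison, as an added example that is not from the original post: the standard DOS floppy layouts, a constructed boot sector parsed for its BPB the way a format-aware program reads the layout off the diskette, and where track 39 / head 1 / sector 8 and the last root-directory sector fall on each format (the Geometry type and the function names are assumptions, useful when assessing which sector of a recovered diskette to expect overwritten).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Geometry holds the BIOS Parameter Block (BPB) fields that locate the FATs,
// the root directory and the data area on a FAT12 floppy.
type Geometry struct {
	Name            string
	BytesPerSector  uint16
	ReservedSectors uint16
	NumFATs         uint8
	RootEntries     uint16
	TotalSectors    uint16
	SectorsPerFAT   uint16
	SectorsPerTrack uint16
	Heads           uint16
}

// StandardFormats lists the common DOS floppy layouts (1 boot sector, 2 FATs).
func StandardFormats() []Geometry {
	return []Geometry{
		{"360K", 512, 1, 2, 112, 720, 2, 9, 2},
		{"720K", 512, 1, 2, 112, 1440, 3, 9, 2},
		{"1.2M", 512, 1, 2, 224, 2400, 7, 15, 2},
		{"1.44M", 512, 1, 2, 224, 2880, 9, 18, 2},
	}
}

// BootSector builds a constructed 512-byte boot sector carrying g's BPB,
// standing in for sector 0 read off a real diskette.
func BootSector(g Geometry) []byte {
	b := make([]byte, 512)
	copy(b[0:3], []byte{0xEB, 0x3C, 0x90}) // jmp short / nop
	copy(b[3:11], []byte("EXAMPLE "))       // OEM name
	le := binary.LittleEndian
	le.PutUint16(b[11:13], g.BytesPerSector)
	b[13] = 1 // sectors per cluster (not needed below)
	le.PutUint16(b[14:16], g.ReservedSectors)
	b[16] = g.NumFATs
	le.PutUint16(b[17:19], g.RootEntries)
	le.PutUint16(b[19:21], g.TotalSectors)
	b[21] = 0xF0 // media descriptor
	le.PutUint16(b[22:24], g.SectorsPerFAT)
	le.PutUint16(b[24:26], g.SectorsPerTrack)
	le.PutUint16(b[26:28], g.Heads)
	b[510], b[511] = 0x55, 0xAA
	return b
}

// ParseBPB reads the layout from the diskette itself instead of assuming one.
func ParseBPB(name string, boot []byte) (Geometry, error) {
	if len(boot) != 512 || boot[510] != 0x55 || boot[511] != 0xAA {
		return Geometry{}, errors.New("missing 55AA boot signature")
	}
	le := binary.LittleEndian
	g := Geometry{Name: name, BytesPerSector: le.Uint16(boot[11:13]),
		ReservedSectors: le.Uint16(boot[14:16]), NumFATs: boot[16],
		RootEntries: le.Uint16(boot[17:19]), TotalSectors: le.Uint16(boot[19:21]),
		SectorsPerFAT: le.Uint16(boot[22:24]), SectorsPerTrack: le.Uint16(boot[24:26]),
		Heads: le.Uint16(boot[26:28])}
	if g.BytesPerSector == 0 || g.SectorsPerTrack == 0 || g.Heads == 0 {
		return Geometry{}, errors.New("implausible BPB")
	}
	return g, nil
}

// LBA converts a BIOS track/head/sector address (sectors count from 1) to a linear sector number.
func (g Geometry) LBA(track, head, sector int) int {
	return (track*int(g.Heads)+head)*int(g.SectorsPerTrack) + sector - 1
}

// RootDirLastSector is the sector V-Sign uses: the last one of the root directory.
func (g Geometry) RootDirLastSector() int {
	rootSectors := (int(g.RootEntries)*32 + int(g.BytesPerSector) - 1) / int(g.BytesPerSector)
	return int(g.ReservedSectors) + int(g.NumFATs)*int(g.SectorsPerFAT) + rootSectors - 1
}

// Region names the on-disk area a linear sector falls in.
func (g Geometry) Region(lba int) string {
	fatStart := int(g.ReservedSectors)
	rootStart := fatStart + int(g.NumFATs)*int(g.SectorsPerFAT)
	switch {
	case lba < 0 || lba >= int(g.TotalSectors):
		return "outside the disk"
	case lba < fatStart:
		return "boot sector"
	case lba < rootStart:
		return "FAT"
	case lba <= g.RootDirLastSector():
		return "root directory"
	default:
		return "data area"
	}
}

// AzusaTarget reports where Azusa's fixed address, track 39 / head 1 / sector 8,
// lands on this format: the linear sector, its region and how far into the disk it is.
func (g Geometry) AzusaTarget() (lba int, region string, percentThrough int) {
	lba = g.LBA(39, 1, 8)
	return lba, g.Region(lba), lba * 100 / int(g.TotalSectors)
}

func main() {
	for _, std := range StandardFormats() {
		g, err := ParseBPB(std.Name, BootSector(std))
		if err != nil {
			fmt.Println(std.Name, err)
			continue
		}
		lba, region, pct := g.AzusaTarget()
		fmt.Printf("%-6s Azusa -> LBA %4d of %d (%s, %d%% in); V-Sign -> LBA %d (root directory)\n",
			g.Name, lba, g.TotalSectors, region, pct, g.RootDirLastSector())
	}
}
```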
It has one bug, however (well, actually it has several, but this one is relevant to data destruction on floppies) - it incorrectly computes the end of the root directory for 1.44 Mb diskettes, destroying the information near the beginning of the data area.

Of course, if the virus infects a floppy with a custom format (as the one used by some backup programs), all bets are off, because the sectors overwritten by the virus could contain just anything, including important stuff to access the data on the floppy. This is one of the arguments why even viruses that are not intentionally destructive (both Azusa and V-Sign are not intentionally destructive) are often causing damage.

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 10:21:49 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Info on AntiEXE needed (PC)

Scott Musser (smusser@world.std.com) writes:

> Can anyone provide me with information on the AntiEXE virus (symptoms,
> means of infection, history, etc.)?

This virus is probably of Russian origin, infects the DOS boot sectors of the floppies and the MBRs of the hard disks. Infection occurs if you forget an infected floppy (remember, even empty or data-only floppies can be infected) in the first floppy disk drive of your machine at boot time (the boot doesn't have to be successful). Symptoms... well... Windows might refuse to work in 32BitAccess mode on an infected machine - as it does with most (all?) boot sector viruses. But the best way to diagnose it is to use a good scanner.
Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 10:29:28 -0400
From: padgett@141.240.2.145 (Padgett 0sirius)
Subject: Re: Fixing the boot sector of a floppy? (PC)

rtulloch@lynx.dac.neu.edu (renrick tulloch) writes:

>EX: I know you can fix the boot sector of the hard drive with the
>command fdisk /mbr but is there a command for diskettes that will do
>this?

Yes: SYS or use my FixFBR (v2.0 has a bug, use 2.1)

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
We also walk dogs
PGP 2.4 Public Key Available

------------------------------

Date: Tue, 16 Aug 94 10:31:39 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: HK Vtech virus & Amoeba (PC)

Mikko 'Hermanni' Hypponen (mikko.hypponen@wavu.elma.fi) writes:

> > A new virus was being found at HK. This new virus is called HK
> > Vtech virus.

> Well, depending on the exact variant, this virus is not so new.
> We received our first sample of the Jerusalem.Vtech virus from
> our Hong Kong distributor (Yui Kee Company Ltd) during March 1994.
> F-PROT has detected this virus since version 2.12 (April 1994).

He probably means the virus that we are calling Lunacy (because it is such a pathetic attempt to write a polymorphic virus). I currently have it in a separate family, but you are right - after decryption it does look Jerusalemish... although it infects only EXE files and is encrypted... BTW, F-Prot 2.13a still does not identify it by name - it says "New or modified variant of Jerusalem".

> After that two additional variants of this virus have been found;
> both of them are detected by the latest version of F-PROT, version
> 2.13a.
How are they reported - I mean, under what names?

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 10:37:30 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stealth.B Pain (PC)

Mike McCarty (jmccarty@spd.dsccc.com) writes:

> Even so, I stand by what I said. And I do not care one whit whether Mr.
> Bontchev gets annoyed.

He is not annoyed... Only mildly amused... :-) Has seen enough people like you on the net. :-))

[Mark Ludwig making money with his viruses]

> Even if he did it only to make money and not to encourage others to
> destroy persons data, I still think that what he did was good.

Well, most people seem to disagree with you on this point.

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 10:41:35 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Source code on CD ROM? (PC)

Mike McCarty (jmccarty@spd.dsccc.com) writes:

> I take it you do not live in the USA, understand the concept of liberty,
> or believe in it if you do live here and understand it.

I take it he just has a better grasp of the concept that every liberty comes with responsibility. I've often seen people in your part of the world to be lacking the grasp of this concept...

> Controls placed on sale of source code?
> Give me a break!

Sounds strange to you? To me it doesn't...
How about selling some biological viruses that cause human diseases? I guess that should be OK, no? After all, they will be educating the public that protections have to be taken against those diseases...

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 10:45:57 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Q/A about Norman Virus Control (PC)

>Bognaes replied:
>: How would you like us to prove it? At the time we made the claim, none of the
>: better known current scanners would detect Satan Bug. I can get you the exact
>: date and the name of the other products that we tested if that helps.

It seems to me that your claims regarding which (other) products detect which viruses are not 100% accurate. Take for example Norman's Newsletter from August 2nd. It said F-PROT 2.13 and prior does not detect the Natas virus at all. THAT IS AN OUTRIGHT LIE. Why don't you spend your time writing a better product instead of distributing misleading and inaccurate "facts" about the competition?

- -frisk

------------------------------

Date: Tue, 16 Aug 94 10:48:28 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Viruses & TSRs (PC)

mjm@tardis.svsu.edu (Mark J. Miller) writes:

> Would someone please address themselves to the following questions.

>1. What antivirus products are available for scanning in compressed
> partitions? (dos)

most of them are....in fact, I am not even aware of one that is unable to handle them.

>2. How easy is it for a virus to defeat an antivirus product loaded as a tsr?
> (dos)

Rather easy ...
tunnelling viruses, slow viruses, viruses that disable the TSR, and viruses that use methods not anticipated by the TSR's authors are able to do so.

>3. Given the following scenario:
> - fprot's virstop is loaded as a device driver.
> - netware is loaded
> - virstop is "rehooked" using the /rehook option
> How easy is it for a virus to circumvent virstop's protection?

Assuming the virus is not already resident ... any virus that is detected at all by VIRSTOP will be stopped, unless it is disguised somehow...for example PKLITEd ... most "new" viruses will bypass it easily.

>4. Is a product like fprot's virstop susceptible to the same weakness, when
> it's loaded as a device driver without netware being loaded.

more-or-less, yes...

- -frisk

------------------------------

Date: Tue, 16 Aug 94 10:50:34 -0400
From: peprbv@cfa0.harvard.edu (Bob Babcock)
Subject: Re: Smeg viruses (PC)

> From: cudat@csv.warwick.ac.uk (J M Hicks)
>
> panther!jaguar!cmeli@relay.iunet.it (Clyde Meli) writes:
> >The following is taken from a Maltese newspaper, The Times
> >of Friday, July 22, 1994. The report is provided from
> >Reuters.
>
> >...The viruses, Queeg, named after a character in a television
> >science fiction series, Pathogen and Germ, destroy data
> >on a computer's hard disk and can disable the external disk
> >drive, meaning victims have to take their computer apart to
> >fix it...
>
> Is it really true that the computer has to be taken apart? If so,
> how does the virus disable the disc drive?
>
> I'm always disturbed by reports that software can damage hardware.

I suspect that the reason the computer needs to be taken apart is to disconnect the CMOS battery. Suppose the CMOS says there are no hard or floppy drives; how can you boot to fix this? The BIOS might have an option to hold down a particular key during boot to reset the CMOS to standard values, but if not, the only solution is to erase the CMOS by disconnecting the battery.
Of course, some motherboards now use a CMOS chip with an internal battery. I believe these have a jumper setting to clear the CMOS memory, but how many users have documentation for their motherboard jumpers?

------------------------------

Date: Tue, 16 Aug 94 10:57:19 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus Scanners, Detectors, etc. (PC)

ykchung@Winkie.Oz.nthu.edu.tw (is2a) writes:

>> where can I get the latest version of the F-PROT?
> complex.is

please don't. it *is* available there, but our link to the rest of the world is rather slow ..... Iceland has only a single 128K satellite link connecting it to Europe, and no direct connection to the US. We upload the program to oak.oakland.edu and it is available on most major FTP sites....so, you *can* get it here, but patience is recommended.

- -frisk

------------------------------

Date: Tue, 16 Aug 94 11:27:57 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: please send me info on Mr-D (PC)

Jack Roberts (jroberts@ripco.com) writes:

> my system was recently infected by a virus that TBAV called Mr-D or
> something of that sort. i would be interested in info on this virus.

The Mr_D family consists of several members. TBAV detects only the 1536-byte variants, not distinguishing between the two of them. You probably have the first of them, but I can't tell for sure, unless you try a scanner that can distinguish between them (e.g., F-Prot). Here is some information about it:

Memory resident, 1536-byte EXE-only infector. Infects on file execution (i.e., not on copying) the files that contain 'MZ' in their first two bytes. Pads the infected files to a paragraph boundary, thus adding up to 15 additional bytes of garbage to them. Will not infect files with internal overlay structure. Will not infect files with "VIR" in their name - probably an attack against the popular Polish virus scanner MKS_VIR (the virus is of Polish origin).
After infecting a file, it attempts to delete a file with the same name and the first character of the extension replaced by '_'. Recognizes the infected files by their time of last modification - the seconds field is set to 4. Contains some routines that seem to play with the screen and which are activated on the 31st of any month, some time after the virus is installed in memory. Does not infect before March 18, 1993. Contains the string "Mr. D" unencrypted.

> please email. thanks!

I am CC-ing this message to you, but posted it publicly, in case somebody else is interested too.

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 11:54:35 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Best Anti-virus software (PC)

Bob Janacek (74431.1646@CompuServe.COM) writes:

> Besides F-Prot Professional, you should also look at VirusNet
> from Safetynet, Inc. It is based on the F-Prot scanner, but adds
> new DOS and Windows interfaces. The LAN version has software
> distribution and VERY powerful distributed scheduling.

A word to the wise: beware of using two scanners that contain the same scanning engine. While F-Prot *is* an excellent scanner, using both F-Prot Pro and VirusNet won't yield a better detection rate, because they are using the same scanning engine, with the same scan strings. People who want to use more than one scanner should make sure that their scanners are indeed different.

Regards,
Vesselin
------------------------------

Date: Tue, 16 Aug 94 11:58:49 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Satan Virus (PC)

Joseph Gerrity (s0ujgg@fnma.COM) writes:

> Can anyone give us information on getting rid of the Satan Virus.

Are you sure that you *really* mean the Satan virus? There are several viruses from this family, with infective lengths 512, 599, and 612 bytes, but, as far as I know, none of them is widespread. There are several other viruses that contain the word 'satan' somewhere in their name, and even one that contains it in reverse (Natas). I suspect that what you really mean is the Sat_Bug virus (reported as Satan Bug by some scanners). Anyway, regardless of which one is your case, I tested F-Prot 2.13a and it seems able to disinfect all of those; so I suggest that you give it a try.

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 12:13:57 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: B1 virus on Chicago (PC)

juan_e@spcvxb.spc.edu (juan_e@spcvxb.spc.edu) writes:

> I have a problem with a virus that McAfee has identified as BOOT.1
> or B1.

Now, that's amusing... :-) The name B1 was proposed by CARO (by Dr. Alan Solomon, I think). However, the virus began to get relatively widespread, and everybody was reporting it as NYB (New Yorker Boot virus) - the way that McAfee's SCAN reported it. Since this name seemed to stick more than B1, we recently decided to accept it, instead of B1. The funniest thing is that SCAN 117 is still calling it NYB, while SCAN 2.10 is calling it B1.
I am really at a loss how to name this virus... :-)

> Chicago Beta. It unformats a disk in the A: when the Format function

What do you mean by "it unformats a disk"? The virus doesn't do any such thing... Do you mean that it *infects* a disk when you are formatting it?

> the hard drive. The virus doesn't appear until a few weeks after
> installment of the Beta and does not go away easily after we have
> disinstalled Chicago.

I suspect that the virus has nothing to do with the product you are testing, and of course it will not go away after you uninstall the product.

> We're looking for a disinfector that works or a solution to this
> problem, if anyone has any idea would appreciate it very much. Please

Hmm... F-Prot doesn't seem able to disinfect it. I don't recall right now whether the virus encrypts the original MBR, but you could always try to use McAfee's CLEAN - tell it to remove the [genp] virus (from the hard disk) or the [genb] virus from the floppies - it might work. If it doesn't, try booting from an uninfected write-protected MS-DOS version 5.0 or higher system diskette. Try to access your disk (e.g., DIR C:). If you can't, STOP HERE! If you can, run the command FDISK/MBR (from the floppy you booted from) - this should remove the virus from the hard disk. Also, if you tell me which scanners you have, I could test to see which of them is able to remove this virus.

> E-mail your suggestions to me -due to memory constrictions, the server
> gets purged on a weekly basis.

I am sending you a copy of this message.

Regards,
Vesselin
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 12:16:04 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: need help with possible filler virus infection (PC)

Johnny Chien-Min Yu (caesar@strauss.udel.edu) writes:

> I am getting the message "Virus found in memory [Filler]" just about
> every time that I scan my computer. But, when I reboot my computer
> from a disk and rescan my hard disk, the virus detection program from
> mcafee says that no virus is found.
> Any suggestions?

Check your CONFIG.SYS and AUTOEXEC.BAT files. Look for a line starting a program with the name VSAFE. If you find it, remove this line and the problem will go away.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 12:23:44 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Form virus on DOS (PC)

Kirk Lipscomb (kirk@ix.netcom.com) writes:

> One of my clients called earlier and said he had the Form virus on his machine.
> It was detected by his copy of Central Point Anti-Virus. He ran CPAV against a
> floppy disk to remove the virus and it scrambled the disk so that it couldn't
> be read.

Moral of the story: don't use CPAV. Even better: don't attempt to remove viruses with programs that are unable to identify them exactly, unless you know perfectly what you are doing.

> Now he's afraid to use it to try to clean the hard disk.

He is right to be afraid.
The problem is caused either by a bug in CPAV's disinfection routine for this virus, or because CPAV is misidentifying a different virus (that needs a different disinfection routine) as Form. In both cases his hard disk is in danger, if he uses CPAV on it.

> Can anyone give me more info on the Form virus?

This is the most widespread virus in the world. It is described in our Computer Virus Catalog. (The description contains a mistake - the virus activates on the 18th of every month, not on the 24th.) See the FAQ for information on how to get the CVC and for pointers to other sources of such information.

> Should CPAV be able to clean it off
> of the hard disk without damage?

It definitely should - this is the most widespread virus around, and it is inexcusable for an anti-virus program to be unable to handle it properly. Now, whether CPAV *is* able to clean it off of the hard disk without damage is a completely different question. I wouldn't bet on a positive answer...

> Is another product (ie. McAfee et al) better for
> cleaning it out?

Almost every product around should be able to handle this virus properly, including McAfee's CLEAN. As usual, I would recommend also F-Prot, because I *know* that it removes it correctly, and it also identifies it exactly, so it will tell you if you have a different variant (instead of corrupting your hard disk by blindly trying to remove the wrong variant).

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 12:33:07 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: AntiExe / Genp /Genp info needed....
(PC)

Craig Mason (cmas@gwl.com) writes:

> Can someone send me/tell me where/ tell me about AntiExe?

I just posted a short description in reply to another message.

> Also, we used McAfee clean and it thinks it worked - is
> it true? Did it really remove the virus?

Yes.

> Vesselin answered a question about someone getting a genb/genp virus -
> he responded by saying that SCAN (McAfee I assume, that's what I use v114)
> (I also use v2, but that's a whole nother story....) did not know
> what type of virus it was - merely that it was generic in nature
> and it knew something was amiss...

Exactly. However, I was referring to the names "Generic Boot [GenB]" and "Generic MBR [GenP]". Those are the cases when SCAN has no idea which particular virus it is (but knows that it is a virus).

In your particular case (AntiEXE), the virus is reported as "NewBug [Genb]" (or [Genp], depending on whether it is found on a floppy or on the hard disk) by SCAN. This is a completely different story - it means that SCAN has recognized the virus by name (NewBug - this is how it calls the AntiEXE virus), but tells you to use the generic boot sector removal routine in CLEAN (by telling it to remove the [Genb] - or [Genp] - virus).

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 12:40:40 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Mummy Virus (PC)

Fridrik Skulason (frisk@complex.is) writes:

> There is no such thing as "the Mummy virus".
> Mummy is a group in the
> Jerusalem family, which contains three variants, 1364, 1399 and 1489 bytes
> long...or at least F-PROT recognizes and disinfects those three Mummy variants

Actually, the 1364-byte variant exists in two minor variants, which differ only by a text string.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 12:46:27 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Need info about "Ripper", "Keypress", "Kampana" viruses (PC)

Kazatski Oleg Nikolaevitch (kazatski@kartaly.chel.su) writes:

> Need the information about these viruses:
> 1. Jack Ripper
> 2. Keypress
> 3. Kampana
> What are the basic characteristics? Are these viruses boot or file?

1. Ripper: A boot/MBR virus of Bulgarian origin. Very destructive - causes small and unnoticeable corruptions, so when you notice that something is wrong it is usually too late - lots of stuff is corrupted (probably some of it has been backed up, thus corrupting your backups) and you have no way to tell what is corrupted and what is not.

2. Keypress: A family of memory resident COM & EXE infectors with different infective lengths. None of them is intentionally destructive, if I remember correctly (there are just too many of them, so I might be wrong), although the different ones have different effects (I think).

3. Kampana: You probably mean a family of stealth boot/MBR infectors, dropped by a COM infector. The file infector itself is not widespread, but the boot infectors are, because they are able to replicate by themselves (without infecting files). The viruses are destructive - they overwrite the disk after 400 reboots.
All three viruses are in the wild, although not all variants of them are.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 12:52:24 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help on Budo Virus (PC)

ibaminformat@ax.apc.org (ibaminformat@ax.apc.org) writes:

> I'm looking for in how we finish with the Budo Virus.

Unfortunately, if this is really the Budo virus, the only way to "finish" it is to delete the infected files and replace them by clean copies. This virus is of the overwriting type and therefore the infected files cannot be "disinfected".

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 13:03:21 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Mummy Virus (PC)

JUNAIDN@ctrvax.Vanderbilt.Edu (JUNAIDN@ctrvax.Vanderbilt.Edu) writes:

> I have just encountered the Mummy Virus on my IBM PC.

This is a group of 4 viruses of the Jerusalem family.

> So far as I know
> it only infects Executable files(.exe).

Correct. All of them infect only EXE files.

> Has anyone heard of it or know
> where I should go for an antidote?

F-Prot can disinfect all of them, although it does not distinguish between two minor variants.

> Please mail me. Thanx in advance.

I am e-mailing you a copy of this message.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 13:42:22 +0100
From: Luca Sambucci <93647758S@sgcl1.unisg.ch>
Subject: New AV products for the tests (PC)

- -----BEGIN PGP SIGNED MESSAGE-----

FOUR NEW ANTIVIRUS PRODUCTS FOR THE TESTS

Beginning with the next one, I'll include in my tests four new antivirus products:

- Dr. Solomon's AntiVirus Toolkit (S&S)
- IBM-Antivirus (IBM)
- Integrity Master (Stiller Research)
- Virex PC (DataWatch)

Best Regards,
Luca Sambucci

- -----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLk6UD+ZQNzkHaA4JAQFo0QP/Z57UpItychthRTleCVUVK6Y1R+q5a0Ij
NiNtyj/8s5XflZNwoj0P5mV0Mjnr7Wh4MjCm54/DjvxyeOH2yuDjlCf9PHE+UOrt
CwOpP5/DFuUyQZ5FZDrQbb0rqkZsRI89OfgMdxEheMiFA/4ALfGznOCF8RTC69yU
utqRYRrKDpQ=
=Enp1
- -----END PGP SIGNATURE-----

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 69]
*****************************************
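Editor's added example (not part of the digest, not any scanner's real logic): the B1, Form and AntiEXE threads above contrast three ways of getting a boot-sector virus off an MBR - a disinfector that matches a short scan string and blindly applies one variant's repair routine (the CPAV-scrambles-the-disk case), one that identifies the variant exactly before restoring the saved original sector (what Bontchev says F-Prot does), and the generic route of rewriting the loader code while keeping the partition table (FDISK /MBR, or CLEAN's [GenP] routine). The model below is a constructed toy: a 256-sector disk image, a made-up clean loader and partition entry, and an invented two-variant "family" whose members share an 8-byte scan string but keep the pointer to the saved original MBR at different offsets. Nothing here is real virus code; the names Toy.A / Toy.B, the offsets and the scan string are all assumptions of this example.

```python
import hashlib

SECTOR = 512
PT_OFF = 446                     # partition table: 4 entries x 16 bytes at 446..509
BOOT_SIG = b"\x55\xAA"
N_SECTORS = 256                  # any one-byte "pointer" is then a valid sector number

# Hypothetical clean MBR loader: jmp-to-self plus NOP padding (not real boot code).
CLEAN_MBR_CODE = b"\xEB\xFE" + b"\x90" * (PT_OFF - 2)
# Constructed first partition entry: bootable, type 6 (FAT16), start LBA 0x3F; rest empty.
PARTITION_TABLE = bytes.fromhex("80010100060F3FFF3F000000C1F00000") + bytes(48)

# Constructed scan string shared by every variant of the toy family.
SCAN_STRING = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"

def _make_body(ptr_off, filler):
    body = bytearray([filler]) * PT_OFF
    body[0:len(SCAN_STRING)] = SCAN_STRING
    body[ptr_off] = 0            # filled at infection time: sector holding the original MBR
    return bytes(body)

# Same scan string, different code, and the saved-sector pointer at a different offset.
VARIANTS = {
    "Toy.A": {"ptr_off": 8,  "body": _make_body(8, 0xA1)},
    "Toy.B": {"ptr_off": 20, "body": _make_body(20, 0xB2)},
}

def _fingerprint(code, ptr_off):
    """Hash of the virus body with its one per-infection variable byte masked out."""
    masked = bytearray(code)
    masked[ptr_off] = 0
    return hashlib.sha256(masked).hexdigest()

# Exact-identification table: name -> (pointer offset, hash of the invariant body).
KNOWN = {n: (v["ptr_off"], _fingerprint(v["body"], v["ptr_off"])) for n, v in VARIANTS.items()}

def build_disk():
    disk = bytearray(SECTOR * N_SECTORS)
    disk[0:PT_OFF] = CLEAN_MBR_CODE
    disk[PT_OFF:510] = PARTITION_TABLE
    disk[510:512] = BOOT_SIG
    return disk

def infect(disk, name, save_lba):
    """Toy MBR infector: stash the original MBR in a spare sector, replace the loader code,
    leave the partition table and 55AA in place so the disk still boots."""
    v = VARIANTS[name]
    body = bytearray(v["body"])
    body[v["ptr_off"]] = save_lba
    disk[save_lba * SECTOR:(save_lba + 1) * SECTOR] = disk[0:SECTOR]
    disk[0:PT_OFF] = body

def _restore_from(disk, lba):
    disk[0:SECTOR] = disk[lba * SECTOR:(lba + 1) * SECTOR]

def mbr_is_clean(disk):
    return (bytes(disk[0:PT_OFF]) == CLEAN_MBR_CODE
            and bytes(disk[PT_OFF:510]) == PARTITION_TABLE
            and bytes(disk[510:512]) == BOOT_SIG)

def partition_table_plausible(disk):
    """Stand-in for 'boot clean, try DIR C:, if that fails STOP': a generic loader rewrite
    cannot help if the partition table itself is gone."""
    e = disk[PT_OFF:PT_OFF + 16]
    return bytes(disk[510:512]) == BOOT_SIG and e[0] in (0x00, 0x80) and e[4] != 0

def exact_id(code):
    for name, (ptr_off, digest) in KNOWN.items():
        if _fingerprint(code, ptr_off) == digest:
            return name
    return None

def disinfect_blind(disk):
    """Scan-string-only disinfector: anything that matches gets Toy.A's repair routine."""
    code = bytes(disk[0:PT_OFF])
    if SCAN_STRING not in code:
        return "clean"
    _restore_from(disk, code[KNOWN["Toy.A"][0]])   # wrong offset for Toy.B: restores garbage
    return "Toy.A (assumed)"

def disinfect_exact(disk):
    """Identify the variant first; refuse to guess when only the scan string matches."""
    code = bytes(disk[0:PT_OFF])
    name = exact_id(code)
    if name is None:
        return "unknown variant" if SCAN_STRING in code else "clean"
    _restore_from(disk, code[KNOWN[name][0]])
    return name

def generic_mbr_repair(disk):
    """FDISK /MBR-style repair: rewrite the loader code, keep the partition table."""
    if not partition_table_plausible(disk):
        return False
    disk[0:PT_OFF] = CLEAN_MBR_CODE
    return True
```

Running the three routines against the two toy variants shows the digest's point: the blind disinfector cleans Toy.A and destroys the MBR of a Toy.B-infected disk (it reads a filler byte as the sector pointer and copies an empty sector over the MBR, after which even the generic repair has nothing to work with); the exact disinfector cleans both and reports "unknown variant" for a sample that matches the scan string but not the fingerprint; the generic repair handles that unknown sample as long as the partition table is still where it should be. A real scanner fingerprints far more than one masked byte, and a real infector may encrypt or relocate the original sector, which is why the "can you still DIR C:?" check comes before FDISK /MBR in the B1 thread.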