VIRUS-L Digest   Monday, 12 Sep 1994    Volume 7 : Issue 75

Today's Topics:

FTP Site Update info
Re: Netcom distributing viruses
Re: Netcom distributing viruses
Re: Unix Virus Query (UNIX)
Re: 386/486 Unix virus protection (UNIX)
Anyone heard of a virus for a SCO XENIX system? (UNIX)
MBR Virus and OS/2 with HPFS (OS/2)
Re: Yankee Doodle Virus? (PC)
Re: New Stoned Virus? (PC)
Info on Bobo Virus (PC)
Re: VIRUSCAN 2.x gripes & grumbles (PC)
Re: backform/FAQ (PC)
F-Prot scans UMBs ??? (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
What is known about a virus called int (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Need Help With Trident Virus (PC)
Help, unknown virus. (PC)
Form virus (PC)
Little Red warning! (PC)
Re: Excelent virus program! (PC)
GenB virus - Need Help (PC)
Need help with new virus (PC)
** PC Virus ruins my life ** Help! (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
anti-exe virus (PC)
Gingerbread Man Virus (PC)
Re: Smeg viruses (PC)
SMEG Virus Test (PC)
[Info-Needed] Junkie Virus (PC)
BSVs and F-PROT/VIRSTOP (PC)
Re: Viruses & TSRs (PC)
Can F-PROT kill Ripper then find new variant of Form? (PC)
Can a virus change CMOS settings??? (PC)
Flash Bios vulnerable? (PC)
Integrity Checker? (PC)
How can I remove a version of NATAS? (PC)
No_init virus info (PC)
MCafee, MSAV, and FORM? (PC)
SMEG Virus Test (new) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 24 Aug 94 02:54:23 -0400
From: mikael@vhc.se (Mikael Larsson)
Subject: FTP Site Update info

Hello !

I just wanted to inform you about some news about the Antivirus Archive on ftp.sunet.se.

ftp.sunet.se now resides on a Decserver 2100/500MP running OSF/1, with a possible total number of users of 400.

Archive name: ftp.sunet.se
IP Number   : 130.238.127.3
Directory   : /pub/pc/Antivirus
Max users   : 400

MiL, mikael@vhc.se
Virus Help Centre

- ---
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre    Phone  : +46-26 275740   Internet: mikael@vhc.se
Box 244              Fax    : +46-26 275720   Minicall: 0746-393334
S-811 23 Sandviken   BBS #1 : +46-26 275710   FidoNet : 2:205/204, 2:205/234
Sweden               BBS #2 : +46-26 275715   Auth. McAfee Associates Agent
- - send mail to pgpmil@vhc.se for automated reply with my public pgp key -

------------------------------

Date: Wed, 24 Aug 94 03:31:25 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: Netcom distributing viruses

Mike McCarty (jmccarty@spd.dsccc.com) wrote:
> Fridrik Skulason wrote:
> )Netcom's policy on making viruses available via FTP is:
> )
> ) >Viruses and information relating to viruses are not, at this time,
> ) >controlled code. We allow users to make available via anonymous FTP any
> ) >and all data as long as it is legal, which viruses, viral source code, and
> ) >newsletters published by virus groups are. It is not placed there by
> ) >Netcom, and its distribution is not necessarily endorsed by Netcom.
> )
> Their policy seems perfectly reasonable and legitimate to me.

You left out 'irresponsible'....
I don't care if they allow someone like Vess or Frisk to DL viruses. I DO care when they allow all and sundry to do so, because that increases the potential risk to MY computer and those of people I care about.

We have a problem here atm with kids messing around with VCL, and also hacking old viruses, which they UL to bulletin boards. It is a problem which we do not need.

Cheers, Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas         Lead, Follow,        InterNet: iandoug@cybernet.za
P.O. Box 484        or get out of        FidoNet:  5:7102/119
7532 Sanlamhof      the way.             TopNet:   225:2048/1
South Africa        (Ted Turner, CNN)    PGP key available.
- -----------------------------------------------------------------------------

------------------------------

Date: Wed, 24 Aug 94 11:12:49 -0400
From: treeves@magnus.acs.ohio-state.edu (Terry Reeves)
Subject: Re: Netcom distributing viruses

ygoland@hollywood.cinenet.net (Yaron Y. Goland) wrote:
> That netcom allows its users to distribute viral code and related
> information when clearly marked as such is required as a basic
> characteristic of freedom as defined in the United States of America.
>

I for one would be happy to see the deliberate distribution of viruses & virus code - even between consenting adults - made a federal crime. A suitable punishment would be to spend time installing antivirus software, answering user calls with virus questions & fears, and maybe coming by my campus and checking the 1000 or so computers I manage to be sure no one has disabled the antivirus software on any of them today.

Mr Goland's argument does not hold up. We have many laws restricting freedom in the US - some even when all immediate parties are consenting - if it is deemed harmful to the group (society) or sometimes to the individual alone.

Some are designed to protect children. As a US citizen and a citizen of the state of Ohio, I am not allowed to give or sell alcohol to minors.
An adult cannot have sex with a minor.

Some are designed to protect adults from themselves or others. Gun dealers cannot sell a gun to a known felon. Stores can't sell hypodermic needles to anyone w/o a prescription from a doctor. Various supplies, tools and devices which have little or no purpose beyond use in committing crimes are banned or restricted.

I cannot (in many states and I am fairly sure under federal law as well) deliberately cause damage to computer data, whether by releasing a virus or simply "format c:". It is a crime to let a virus loose on someone else's computer. It is not a far step, nor is it a break with the existing philosophy of our laws, to make it illegal to distribute the virus randomly to others - since a reasonable person knows that some of those others will let it loose.

It's not WHETHER freedom should be restricted - the US does, Iceland does, every government does - it's just a matter of exactly where we draw the line.

- --
| No one I work for is willing to admit it in public,          |
| let alone claim my opinions.                                 |
| Terry Reeves-Technical Support Coordinator, ATS Public Sites |

------------------------------

Date: Mon, 22 Aug 94 09:47:13 -0400
From: kellogg@netcom.com (Lucas)
Subject: Re: Unix Virus Query (UNIX)

Terry Arnold (tarnold@crash.cts.com) wrote:
: I was asked a question today about Unix virus detection utilities and how many
: Unix viruses were around. I am now passing the questions on to this august
: body.
: 1. How many confirmed Unix viruses have shown up?
: 2. What are the effective detection utilities for Unix viruses?
: Terry Arnold
: tarnold@cts.com

Terry,

I have heard of 3 known UNIX viruses; however, I don't know of any cases reported in the "real world". All of the instances that I am aware of have been produced in a test environment by researchers.

I have heard of a scanner for UNIX; albeit, I do not know the name or producer of such a product.
By the way, how many corporate users would like a UNIX scanner to utilize as their primary scanning mechanism to check all of the servers connected to this "scanning workstation"? This would allow a corporate entity to scan all of the connected servers from one location, utilizing the powers of UNIX, and scanning for known viruses on all platforms.

Feedback?? What would such a product be worth?

Kelly Lucas

------------------------------

Date: Mon, 22 Aug 94 10:17:05 -0400
From: kellogg@netcom.com (Lucas)
Subject: Re: 386/486 Unix virus protection (UNIX)

Iolo Davidson (iolo@mist.demon.co.uk) wrote:
: aflynn@netcom.com "Alana Flynn" writes:
: > I am looking for virus protection software for pc-based unix systems.
: >
: > If there is no such software available on the commercial market, then
: > I would appreciate any suggestions for a convincing argument as to why
: > virus protection software is not needed.
:
: The key word above is "pc-based". Running Unix on a PC compatible makes
: it vulnerable to a class of PC viruses, the boot/partition sector
: infectors. These subvert the BIOS rather than the operating system, and
: act before the operating system is loaded.
:
: Inadvertent booting from an infected floppy can infect the hard disk,
: regardless of operating system. I'm not sure that the computer will
: operate properly under Unix afterwards, though I know of one system with
: both DOS and Unix partitions which was infected with Michelangelo and
: worked fine until it triggered and wiped much of the disk.
:
: I believe it is unlikely that a boot/partition sector virus will spread
: to further floppies under Unix.
:
: I don't know of any Unix specific anti-virus software, but nor can I
: give you the reassurance you ask for. Perhaps you could keep a DOS
: boot disk and DOS anti-virus software just to do a periodic scan for
: BIOS level viruses on these machines.
: - --
: WITHIN THIS VALE       YOUR HEAD GROWS BALD
: OF TOIL                BUT NOT YOUR CHIN
: AND SIN                Burma Shave

I am interested in this issue for marketing purposes. What is the size of your network [number of nodes], and what type of value would a UNIX scanner add to other products currently available?

Kelly

------------------------------

Date: 22 Aug 94 21:00:22 +0000
From: ertan@ponder.csci.unt.edu (Ertan Zanagar)
Subject: Anyone heard of a virus for a SCO XENIX system? (UNIX)

Does anyone know if there is a virus out there that would in any way affect a SCO XENIX system? Any help is much appreciated.

        _______________________________________
________| Ertan Zanagar    ezanagar@gab.unt.edu |_______
\       | Lab. for Advanced Software Technology |      /
 \      | University of North Texas             |     /
 /      |_______________________________________|     \
/__________)                                 (_________\

------------------------------

Date: 23 Aug 94 08:33:08 +0000
From: tnmanego@rrws1.wiwi.uni-regensburg.de (Thorsten Manegold)
Subject: MBR Virus and OS/2 with HPFS (OS/2)

Hi all!

I'd like to know what a Boot Sector/MBR Virus (like PARITY-B) can do under OS/2, especially if the HD is formatted with HPFS. Does it get activated when OS/2 starts via the Boot Manager? If so, can it do damage to an HPFS partition? Can OS/2 run with a Boot Virus active in memory? Can it spread further under OS/2? And finally, how would one go about removing the virus?

Thanks in advance

- --
**********************************************************
Thorsten Manegold
Plattenweg 15; 93055 Regensburg
Tel.: (0941) 76 09 49
e-mail: Thorsten.Manegold@wiwi.uni-regensburg.de

------------------------------

Date: Mon, 22 Aug 94 09:20:23 -0400
From: 3gerlach@rzdspc53.informatik.uni-hamburg.de (Heiko Gerlach)
Subject: Re: Yankee Doodle Virus? (PC)

dwburger@rocky.ucdavis.edu wrote:
: I'm looking for information on a virus known as the "Yankee Doodle" virus.
: Does it exist? If so, can anyone lead me to a source for a scanner to detect
: it? Thanks in advance for any help.
Yes, it does exist. Some years ago we had a lot of infected disks (at this time we had no hard disk). I detected the virus with VIRUSCAN from McAfee. I think you can find a current version on mcaffee.com or something like this.

By the way: I don't think the virus has done any harm, but after deleting a lot of infected programs (with dos-del) on a heavily used disk there was only garbage left on it. I suppose it was an error in MS-DOS ;-(

: Dave

Heiko

------------------------------

Date: Mon, 22 Aug 94 09:38:51 -0400
From: cavenerl@nbnet.nb.ca (Lance Cavener)
Subject: Re: New Stoned Virus? (PC)

On 19 Aug 1994 10:49:40 -0000, swk@po.CWRU.Edu writes:
>There is a virus residing in the boot sector of a hard drive. F-PROT
>2.13a reports it as a new Stoned variant and cannot disinfect it. It
>has not exhibited any destructive behavior as of yet, but does infect
>other boot sectors (i.e. formatting a floppy disk on the system). Its
>behavior seems to give precedence to the infected disk drive over all
>other drives, so trying to boot an infected floppy still boots the
>hard drive. When booting off of a clean system disk, the hard disk is
>not valid and FDISK reports erroneous results.
>
>Is there anyway of excising this virus off of the hard drive
>outside of wiping it and reinstalling everything?

They're a pain in the butt, eh? I mean all these new viruses? Ok, Stoned is pretty straightforward, but if I may suggest something, don't use F-PROT, use McAfee, they managed to whip up VERY good virus programs. Try using a different virus program, and see if you still pick up the virus as being new. I say this because I had the Screaming Fist virus and all the virus programs I tried told me it was a new Stoned virus and that they could not get rid of it. Until a vaccine was made for it, I was stuck. Not really much help, eh? But just try a different virus program, AND NOT MSAV or PCTOOLS virus stuff. They're garbage!
Lance Cavener
cavenerl@nbtel.nb.ca

------------------------------

Date: Mon, 22 Aug 94 10:25:02 -0400
From: fisherd@cfs.purdue.edu (David Fisher )
Subject: Info on Bobo Virus (PC)

I recently discovered a virus which was identified as "bobo". It apparently corrupts command.com and may randomly format the infected hard drive. Does anyone have further info? I checked cern, but could not find anything. Thanks for any help you can provide.

David

------------------------------

Date: Mon, 22 Aug 94 10:50:59 -0400
From: kellogg@netcom.com (Lucas)
Subject: Re: VIRUSCAN 2.x gripes & grumbles (PC)

Ian Staples (ianst@qdpii.ind.dpi.qld.gov.au) wrote:
: jhurwit@netcom.com (Jeffrey Hurwit) writes:
: >one thing, the new version is incredibly bloated. The executables in
:
: That's bad.
:
: >The docs claim that the new SCAN is faster, and indeed it is. It scans
:
: That's good.
:
: >both memory and files much faster than the old SCAN. Unfortunately, it
: >takes longer to load the (external) data files. If you're scanning an
: >entire hard drive, there is a net gain, but not if you're only scanning
: >a diskette or a few files.
:
: That's bad.
:
: >The new VIRUSCAN also seems to lack some useful and essential features
: >that the old one had. SCAN 2.x no longer has the /MANY option, for
:                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: That's absurd!
:
: Just subjective judgements you understand :-)
:
: - --
: Ian Staples                E-mail : ianst@dpi.qld.gov.au
: c/- P.O. Box 1054 MAREEBA  Phone  : +61 (0)70 921 555   Home 924 847
: Queensland Australia 4880  Fax    : +61 (0)70 923 593   "    "   "

Okay, here's what is known, and what is being done:

1) VirusScan 2.10 will not run on XT's because of assembly routines designed to optimize the product on AT's. We're planning on producing another version of ScanV2.x for XT's [speed certainly isn't an issue here].

2) VirusScan 2.10 does not run in DOS 3.3x. 2.1.1 corrects this. BTW, 2.1.1 beta should be available tomorrow sometime, with a targeted release of next week.
3) The workaround for QEMM 7.0x is to load VShield after all of the QEMM commands have been executed in the Autoexec.bat.

4) VShield 2.1.1 should fix any alarms that were being displayed when VShield is scanning upper memory. These were NOT false positives, but rather a conflict with the system BIOS.

5) WScan 2.1.1 corrects a conflict with Netware VLM drivers.

Regarding the issue of speed, 2.1.0 significantly increases the speed of both loading the data files and the actual scanning of files. I've personally witnessed ScanV2.1.0 performing faster than F-Prot; however, I've witnessed the opposite as well. It appears that one product gains the upper hand depending on the types of files being scanned.

All for now,

Lucas
McAfee Associates

------------------------------

Date: Mon, 22 Aug 94 11:42:46 -0400
From: Otto Stolz
Subject: Re: backform/FAQ (PC)

On Thu, 18 Aug 94 13:42:45 -0400 R.Ellmaker said:
> the command.com file was infected with BACKFORM (?)

Do you mean "BackFont"? There are at least four variants:
  BackFont.765
  BackFont.821
  BackFont.900
  BackFont.905
These are EXE file infectors.

Best wishes,
Otto Stolz

------------------------------

Date: Mon, 22 Aug 94 14:03:56 -0400
From: trebor@test1.stack.urc.tue.nl (tREBOr)
Subject: F-Prot scans UMBs ??? (PC)

I was wondering if F-Prot scans UMBs (A000-FFFF segments, tech. speaking) as well. If it does: are there any viruses which utilize them? If it doesn't: why not?

robert

------------------------------

Date: Mon, 22 Aug 94 15:21:01 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Mike McCarty (jmccarty@spd.dsccc.com) writes:

> I have no objection to publishing information on how nuclear weapons
> work. That is not the same thing as selling them to just anyone,
> especially those who have already demonstrated that they are willing to
> misuse them.
> It should probably be a crime to obtain or write a virus
> with intent to use it in the commission of a crime, such as destruction
> of computer data or replication without the permission and prior consent
> of the owner of the data and hardware.

Ha! You happened to say something reasonable - something that I definitely agree with. Yes, there is nothing wrong in publishing how nuclear weapons work. There is nothing wrong with publishing how computer viruses work either - if you bother to read the archives of this forum, you will see that I have never refused such information. The wrong thing is to sell nuclear weapons to anyone. The wrong thing is to give a virus to anyone who bothers to ask. *This* is what I am objecting against.

> Not too long ago, I
> received a request to "trade" with a young fellow at a university. His
> sig was a skull with daggers and arrows through it.

Hmm, maybe I know who you mean... Did he have the word "Legion" mentioned somewhere in his .sig?

> I declined,
> explaining that I was unsure of his motives. But note that he already
> had more viruses than I do! Were it not for his unusual .sig, I would
> have sent him copies, no problem.

You see, such an attitude is not restrictive enough. I would send a virus to someone *ONLY* if:

1) I am sure of their (pure) motives.

2) I am sure that they are competent enough to handle the virus properly.

3) I am convinced that they have the need-to-know (or, the need-to-have this particular virus).

4) I am convinced that their virus handling procedure is good enough and the virus will not be "leaked" to third parties.

5) I have a secure way to transfer the virus.

I would advise everybody to stick to those rules. The fact that the person asking already has many viruses is BY NO MEANS an excuse to give them more.

> )|> other virus just by looking around a little. If it were difficult to get
> )|> copies of viruses, then nobody would need protection or scanners,
> )|> because it would be difficult to get infected.
> )|> Get the drift?
> )
> )Isn't that the way things ought to be?
> I don't understand. Are you saying it ought to be such that it is easy
> to get infected? Or are you saying that it ought to be difficult to get
> infected?

What is so difficult to understand? Even I understood it, with my, as you say, bad English. He means that this is the way things ought to be - it should be difficult to get copies of viruses, nobody should need protection or scanners, and it should be difficult to get infected.

> The point I am making is - it is easy to get infected.

Yes, but this is not an excuse to spread viruses around.

> The
> existence of this newsgroup proves that point.

No, actually it doesn't. I think that there are newsgroups dedicated to discussions about alien beings, but the last time I looked, it wasn't easy to meet one. :-)

> And no amount of effort
> will make it difficult to get infected.

Yes, but some efforts make it even easier! It is *those* efforts that we want to stop.

> Any kid who knows
> DEBUG can also get a copy of a virus and hack it up.

True. But this is by no means an excuse to also give viruses even to the kids who don't know DEBUG.

> You and I obviously have very different ideas here. We think
> differently.

Yeah, I noticed this too.

> I am not sure that either of us can produce an argument
> which will sound convincing to the other.

Since when has this ever stopped the disagreeing parties from arguing? :-)

> I think that it is foolish to think that by not selling nuclear weapons
> to other countries, and by keeping "secret" the means to build them,
> that the possession of nuclear weapons can be contained.

Nobody is thinking *this*. The logic behind the treaties for limiting the distribution of nuclear weapons is not to make it *easier* to get one - because then the situation becomes worse.

> Yes, I would definitely teach courses in "hacking". I would also publish
> security holes. Especially this latter. Then the holes can be closed.
The problem is that meanwhile thousands of wannabe crackers who normally wouldn't even know how to program in C will be cracking into hundreds of thousands of machines. Yes, the holes will eventually be closed - but at what price? Wouldn't it be much better to report the holes only to the people who are responsible for closing them?

> A few years ago, we began migrating our software development from VAXEN
> to (sort of) UNIX based Apollos. Naturally, I came across the password
> file, and began looking into what it comprised. In about two hours, I
> wrote a program to "crack" passwords. I ran it for about 10 minutes,
> and found a few (4 or 5, I forget). Later, I pulled some more aggressive
> software off the net, and ran it for about an hour. I found about 20.

Heh. :-) Let me guess - that system had about 200-250 users? I had a similar experience. When somebody told me that Crack normally succeeds in breaking about 10% of the passwords on a typical machine, I refused to believe it - I couldn't imagine that one in every ten people behaves as a complete idiot when picking a password. Then I ran Crack on our machine, and it cracked... 9% of the accounts... :-(

> When I reported this to the local administrators, they warned me that
> attempting to crack passwords would get me in trouble, fired in fact,
> and to remove the stuff.

Well, I was luckier than you. My sysadmin was very receptive to my requests to tighten up the security. Since then, he has installed shadow passwords and a fascist passwd program.

> When I mentioned that the purpose of such stuff is to find insecure
> passwords, that the secure ones can't be found; when I told them that
> they should run such crackers themselves once a month and request that
> insecure passwords be changed, I was told that only by hiding such
> insecurity could the system be kept secure.

Actually, it is much more effective just to install a fascist passwd program - one that rejects the "weak" passwords that people pick.
The full cracking is very time-consuming and should be run only once - before installing the selective passwd program.

> This NEEDS TO BE PUBLISHED HERE AT THIS COMPANY (and elsewhere) SO USERS
> CAN DEFEND AGAINST IT BY CHOOSING SECURE PASSWORDS.

Oh, yes - *this* has to be published. The fact that people tend to use weak passwords. The methods used to crack them. The ways to improve the situation. However, how would you feel if somebody did such a crack and then published the found passwords themselves on the net?

> So, yes, I want to publish security holes.

Only in a way that does not cause more damage than the current situation. Same with viruses.

> Locks will only keep honest people out. Locks are useless for defending
> possessions or life.

Don't you have a lock on your house? Don't you lock it? After all, it wouldn't stop a professional, would it? So, why don't you hang the key on a nail at the front door and put up a notice "HERE IS THE KEY"? Simple - because you don't want everyone who passes by to be able to enter - like the kids from the street, for instance. Same with the viruses - publishing viruses and virus generators makes those nasties available to just anyone - even the complete idiot who will spread them by mistake, or the malicious (but technically incompetent) person, who will use them to cause damage.

> Locks only slow down someone who is not really intent on breaking in.

Yes, but we still use locks. Similarly, not giving viruses to anyone who asks only slows down someone who really wants to get them. Still, we shouldn't make their job easier by giving viruses to anyone who asks.

> No, viruses cannot be made difficult to acquire. Nor can any other type
> of knowledge.

You seriously overestimate the knowledge of some talentless jerks who enjoy, for instance, going to the publicly available computers at the computer shows and formatting their disks.
Publishing viruses gives a tool for causing damage even to such people - who are often too clueless to create one themselves or even to find out where to ask.

> )If we proceed the way you want, you'll get to do a lot more of this.
> No. I'll not have to, because I'll have a good idea of what actions to
> take to prevent it. By keeping myself educated on what kinds of things
> viruses do, how they spread, and how to detect their actions and
> existence.

Oh, I got it. *You* have the technical knowledge to protect yourself from infections, so thousands of viruses must be made available to any idiot who wants them and the hell with everything, huh? Look, most users do not *want* to be forced to learn about security, virus protection, and so on. They have other things to do, which are more important to them. It is too arrogant and egotistic to intentionally create a situation where you are dictating to the others what they should know and learn.

> Now for your final thought here. I do not believe there is any such
> thing as "society". Each person is responsible for his own actions; each
> person is responsible for his own protection.

This sounds like an anarchist ideology, and to the best of my knowledge, an anarchist society has never survived for long enough, but I'll stay away from political discussions...

> These governments must be
> restrained from acting against persons who have not harmed another.

Well, yes, sure. My point is that those who distribute viruses intentionally *are* harming the other people - directly or indirectly - and therefore should be restrained by the legal system.

> I agree that there are rapacious persons who must be
> restrained. This is proper for governments to do. AFTER they have
> committed harmful acts.

Yep. After somebody intentionally distributes a virus, they should be prosecuted. This is pretty much what they are trying to do in the UK and I like it.

> Then, with all due respect, you are ignorant.
> Fundamental mathematical
> research is definitely being suppressed, and professors are being
> threatened by the NSA. Try listening in on the cryptology newsgroups
> for a while, and you will see professors posting on the threats which
> have been made to them.

Aw, are you referring to that story about some NSA bozo being stupid enough to threaten Jim Bidzos? Well, a technical correction - Bidzos is a lawyer, not a professor of mathematics. Besides, the NSA hardly suppresses fundamental mathematical research - after all, they are the largest employer of mathematicians in the world... I'd say, they just want the fruits of this research for themselves... :-)

> I don't want to deny people any of the things you list there. I happen
> to believe that there is nothing wrong with writing viruses. I might
> just do it myself, one day. I believe that there -is- something wrong
> with writing viruses for the purpose of causing damage to other persons.

The wrong thing is not writing a virus per se - the wrong thing is passing it to third parties. So far everybody seems to agree that passing it to third parties without their authorization is a wrong thing to do. What we are trying to explain to you (and a few others) is that passing it to third parties even with their authorization is also a wrong thing to do, unless you have very strong reasons to believe that they will handle it properly and will not cause damage by malice, negligence, or incompetence.

> All viruses are -dangerous- for they must, by their nature, overwrite
> something already on the disc. Mishandling of a virus -is- a bad thing.

I claim that giving viruses to anybody without having any information about those people's trustworthiness and technical competence *is* mishandling them.

> But just writing a virus is no worse than kindling a fire. If one is not
> attempting to commit arson, or being negligent and careless, starting a
> fire is not a bad thing.

Yup.
Yet, selling flamethrowers to children is not an exceptionally wise thing either.

> Incidentally, just a couple of days ago the writer of SMEG and a few
> other viruses was captured in England. And I didn't have to give up any
> of the liberties you mentioned above for that to happen.

Heh... The liberties that the virus writers and distributors rely on in your part of the world do not exist in the UK - in the sense that they are not part of their constitution. Heck, they don't even have a written constitution there... This is exactly why it is so easy to pursue the virus writers and distributors there.

> I am annoyed by the arrogance of
> Vesselin.

Nobody's holding a gun to your head, forcing you to read my articles that annoy you so much, right? Unless, of course, you actually enjoy being annoyed. If this is the case, I promise you lots of fun... :-)

> )Only the people who write AV software or do AV research have a NEED to know
> )viral code. Whether you or anyone else outside of that community knows a
> )thing about viral code, does not make me any safer from viral attack. In
> )fact, it only can get WORSE. The sheer amount of viral code that has been
> )written merely proves this.
> I couldn't disagree with you more. First, NEED to know shouldn't even
> enter in to the equation. But even assuming that it does, what you just
> said is completely false. The more everyone knows about what a virus is,
> how it operates, and how best to combat an infection, the less damage a
> virus infection will do.

First, why not? Isn't the demonstrable need-to-know/need-to-have one of the most important things when making dangerous objects or substances available to third parties? Why don't we sell weapons, explosives, drugs and poisons to children? Why do you assign only competent medical personnel to work with dangerous microorganisms? Why should it be any different with computer viruses?

Second, *how* does "assuming that it does" make what he said completely false?
Third, don't you understand that there is a HUGE difference between explaining to people how computer viruses work and simply providing viruses to anybody who wants them? Many people who call the virus exchange BBSes and download huge virus collections don't have the slightest clue about how these viruses work. And they don't learn by downloading them. Educating people about computer viruses *is* a good thing. I am doing it here all the time; we are doing it with our students all the time. We are teaching our students how to disassemble a virus - of course, in a controlled environment. This is *quite* different from uncontrollably selling/giving viruses to anybody who wants them - and it is exactly the latter that I am strongly against.

> Furthermore, the more people know about viruses and their attacks, the
> less likely they are not to recognize an infection. This will definitely
> decrease the infection rate.

Yep. However, telling people about viruses and their attacks is one thing and giving them viruses is another. Uncontrollably giving viruses to anyone means that more people will get them. At least some of those people will be either malicious or incompetent to handle the viruses properly and will spread the infection. This will definitely increase the infection rate.

Here is one example. I have written a paper about the different attacks viruses could use to evade an integrity checker. This paper of mine is publicly available - anybody could read it. In fact, I dare to think that it is a *must* for every developer of integrity checker based virus protection. Spreading *this* kind of information is a good thing. However, if instead of doing this I had written a virus that implements those attacks and were giving the source to anybody who wants it - *that* would be a very bad thing. Do you see the difference now?
> And when writing a virus is not a special thing, then those who think > that by kludging up something (the three viruses I have disassembled > were, speaking as a professionally employed program craftsman, very > shoddy workmanship) they make themselves someone special - these people, > I say, will have to move on to something else. Because writing a virus > will not -be- something special. Well, you are wrong. Yes, writing a virus indeed is nothing special. However, this does not seem to stop the brainless idiots from doing so. How else would you explain the existence of a huge number of viruses that are automatically generated by one of the available virus generators? Their authors don't know zip about assembly language and computer viruses, yet they still have created them (lots of incredibly stupid viruses) using those generators. Maybe, just maybe, if those generators were not available on the virus exchange boards, at least *those* stupid viruses wouldn't exist? Or at least not in those quantities? > I believe you are wrong. And I believe that *you* are wrong. My whole experience (and I have been in this field for more than six years) tells me so. > I am not moved by your arguments. I suspect you will not be moved by > mine. Same with me, but I just had to point out that your arguments are wrong and why. > If so, then perhaps we should agree to disagree, with mutual respect. I have no respect for the virus writers and distributors, and their supporters. > I hope that in any case, we can agree not to argue or call motives into > question. Vesselin does this frequently, and that is a major annoyance > to me. Glad to hear it. :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Mon, 22 Aug 94 15:33:11 -0400 From: lev@slced1.Nswses.Navy.Mil (Lloyd E Vancil) Subject: What is known about a virus called int (PC) A friend has been attacked by a virus identified as int. His virus checker is not the most recent and claims not to be able to remove this boot sector virus... Help please. - -- +---------------------------------------------------------------+ |suned1!lev@elroy.JPL.Nasa.Gov| . * + @ | |lev@suned1.nswses.navy.mil | . + | |lev@mindvox.com | . + * | ------------------------------ Date: Mon, 22 Aug 94 16:10:16 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC) Doren Rosenthal (as194@cleveland.Freenet.Edu) writes: > > The problems I have with this is that, due to lack of technical > > expertise, very few users are able to understand how unsuitable your > > product is for testing scanners. > > You're the only one who said Virus Simulator was designed to > replace real viruses for testing scanners Vess. Am I? We shall see... > It's purpose and > limitations are spelled out quite clearly in the documentation > file. Are they? We shall see... > Although you have posted your opinion on the value and > function of Virus Simulator before you looked at it, there is > still time to read the documentation. I *have* read the documentation. I *always* read the available documentation before trying a product - yes, I know that this is uncommon. Reading the documentation did not change my opinion about your product. In fact, it convinced me even deeper that you product is misleading, worthless, and even harmful. > I can certainly > appreciate your position that it is not a substitute for testing > with a large collection of real viruses. Don't distort my position. My position is that it is not a substitute for *any* kind of testing of anti-virus products. 
> I'll not bore everyone with a copy of the complete and rather > lengthy documentation, as they can obtain a copy for themselves > quite easily. Here's some of what it says...... And here you go again, posting a large chunk of the docs, obviously with the intent to advertise your product once again. Normally I would protest, but this time I am glad that you did so - it offers me the opportunity to demonstrate to the readers of this newsgroup how false, wrong, and misleading your claims are. > Virus Simulator creates a simulated test suite of .COM and .EXE programs > as well as boot sector and memory resident viruses. False claim #1. The virus simulator DOES NOT generate boot sector and memory resident viruses. The programs that it generates are not viruses, with exception of the two MtE-based viruses that come with the registered version, and they are neither boot sector, nor resident ones. Therefore, the documentation lies and misleads the user. This makes one false claim. > These programs > contain the signatures (only) from real viruses. False claim #2. With a few exceptions, there is no such thing as *the* signature of a virus. Even if we leave alone the fact that the mere term is wrong and misleading (those things should be called "scan strings"), for any particular virus there are usually a large number of possible scan strings ("signatures"). The only exceptions are the polymorphic viruses (no scan string possible for them) and the variably encrypted viruses with a short, constant decryptor (only a single good scan string). This makes two false claims. > The programs themselves > are not really infected with anything, This is true. This makes two false and one correct claim. > but contain carefully selected > portions of code from their real virus counterparts. Whenever possible, > these sections of code or virus signatures are selected to trigger > vigilant virus detectors. 
You have "forgotten" to tell that you have actually ripped off those scan strings from other people's scanners, but I'll let that pass... > Since these are really only dummy viruses, False claim #3. THEY ARE NOT VIRUSES. Not at all. This makes three false claims and one correct claim. > not > all infected program simulations produced by Virus Simulator will > trigger every virus detecting program. Actually, the *good* scanners will follow the file entry point and look for the scan string only at a particular offset - where it has to be in a real virus. So, the *good* scanners are unlikely to be triggered by the simulations produced by Virus Simulator. > These test virus simulations are not intended to replace the > comprehensive collection of real virus samples as maintained by > Rosenthal Engineering and other anti-virus product developers for > testing. Misleading text again. It is worded in such a way as to imply that "yeah, they are not as good as a test with a comprehensive collection of virus samples, but could be used to test scanners to some extent". This is WRONG. They cannot be used to test scanners AT ALL. > They are, however, suitable for use by general end users, > system administrators and educators. "Suitable for use" is likely to mislead the people to believe that they are "suitable for (imperfect) testing". It should be re-worded to clearly explain that you actually mean "can be used without danger" - because this is what you mean, don't you? > These virus simulations set off > virus detectors for testing and demonstration without the danger > associated with their malicious virus counterparts. This is true. Actually, if your package was marketed as a generator of false positives, I wouldn't have any problems with it. So far this makes three false and two correct claims. > The simulators all produce safe and controlled dummy test virus samples False claim #4. They DO NOT produce virus samples. This makes four false and two correct claims. 
> The Virus Simulators and supplements are really intended to give users > some hands on practical experience using their virus protection False claim #5. The Virus Simulator gives them only some hands on experience when encountering a false positive. > The simulators > ability to actually test products exhaustively is limited. False claim #6. The ability of the simulators to actually test anti-virus products is NON-EXISTENT. So far this makes 6 false and 2 correct claims - and this only from the parts that you posted. Supposedly, you have picked the parts that you think support your position. There are several other false claims in the rest of the documentation, but I won't bother the readers with listing them all - the "quality" of your product and its documentation is obvious even from the part that was posted. I don't know how is this in the USA, but here in Germany a producer can be sued for false advertising if they make claims that their product does not stand up to. > That's why > Rosenthal Engineering maintains a very comprehensive collection of real > sample viruses for testing at our facility........... Thanks God, at least you do not sell *that*.... > >> If you want > >> to see how your anti-virus product looks when it detects a virus, > >> Virus Simulator will certainly allow you to do just that, and > >> quite effectively. > > > Wrong. The shareware version of the product only helps you to see how > > your anti-virus product looks when it causes a false positive. I > > wouldn't mind if *this* were how the product is marketted, instead of > > being advertised for testing anti-virus products. > > Vess... If your not using my Virus Simulator for what it's > designed to do, it's not going to do a very good job for you. Where does it say in the documentation that the *only* kind of test that you product provides is to show how a scanner behaves when encountering a false positive? Because, as I said, this is the *only* thing that it does. 
Everything else is false claims. > Vess, it's designed to set off scanners, activity monitors and > integrity checkers etc. No, it isn't. The only part that would set off an integrity checker is the part that overwrites the boot sector or infects with the MtE-based (real) viruses. However, this happens on a diskette only, and practically no integrity checker checksums floppies, because it is pointless. > Many anti-virus product producers > appreciate the ability to work with Virus Simulator and have made > efforts to be compatible. You mean - those who you have extorted to tell you which scan strings they use in their products, because if they are not generated by your simulator, they won't be detected in a "test"... > You're right, this is not designed to > replace real viruses to test scanners, please don't tell people > it is. Where, damn it, did I say that it is?! Could you please quote me on that? All the time I am trying to explain to everyone that it is NOT suitable for ANY TESTS. It is the documentation of the product - even the parts that you have quoted above - that are trying to fool the users that your product is suitable for *some* kind of testing. > These samples make every effort to get caught and many > anti-virus products make efforts to catch them. Please list some products that make efforts to catch your particular samples and are not simply fooled by them. > And if you'd bother to read > the documentation, I'm sure you would find it there as well. I *have* bothered to read the documentation. Several times. > Please Vess. Won't you at least look at the documentation file > for *my* anti-virus product. I have done so already. > Virus Simulator should only need to > satisfy the claims I make for it... It doesn't do even this - see the false claims I mentioned above. 
Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Mon, 22 Aug 94 16:21:55 -0400 From: mhwoo@ucdavis.edu (I Wouldn't Normally Do This Kind of Thing.....) Subject: Need Help With Trident Virus (PC) Hey dudes, My computer has been infected by the [TridenT] virus. After I deleted all the infected files, I used the scan116 to scan my harddisk and no virus was found, but later, I find it again after 1 or 2 days. I haven't added any new files to the computer after I deleted the infected files. So I know it is hidden some where inside my harddisk. Can somebody help me to remove it? Thank you very much for your help! ------------------------------ Date: Mon, 22 Aug 94 23:00:14 +0000 From: cs911035@ariel.cs.yorku.ca (CHRISTOPHER M. ACKNEY) Subject: Help, unknown virus. (PC) Hi there, I'm new to this group, so I don't know the ins and outs of viruses. However, a friend of mine seems to have gotten himself into a wee bit of trouble. It seems that after a certain amount of time on his computer, the characters on the screen begin flashing in different colours. It may be a video problem, but then shouldn't it occur when he turns his computer on. Also, the background remains stable. Besides this, his computer speed drops noticeably. He's used Mcafee scan117, but to no avail. Can anyone offer any help? Please e-mail me soon at cs911035@ariel.cs.yorku.ca Thanks Chris ------------------------------ Date: Mon, 22 Aug 94 21:46:00 -0400 From: bryon@netcom.com (Bryon M. Elliott) Subject: Form virus (PC) Well, I just recently enjoyed the priveledge of wiping the Form virus off of my computer. 
But now that I've stopped that little viral infection, I'm wondering what exactly it was that I squashed. Can anyone out there fill me in on the detail of Form? Thanks, Bryon ------------------------------ Date: Mon, 22 Aug 94 22:39:12 -0400 From: al026@yfn.ysu.edu (Joe Norton) Subject: Little Red warning! (PC) The virus that F-Prot 2.13a and Tbscan 6.23 call "Little Red" is being shipped on VGA card driver disks! The disks are bundled with very popular Trident local bus cards. They are 3.5" and come from Tiawan. The infected files on the disk are PKUNZIP.EXE KEYIN.COM? (some little key input COM file), and another one. F-Prot 2.13a is able to both detect & clean all of them with no problem at all....(I love F-Prot!!) TBAV 6.23 can detect, but not clean it. The disks I've seen are blue HD 3.5's and have a tiny sticker on top of the normal floppy label that says: TD9400CXI DISK:ONE There is just one disk bundled with the card. I hope this message helps someone! ------------------------------ Date: Tue, 23 Aug 94 02:24:28 -0400 From: Sam Atkins Subject: Re: Excelent virus program! (PC) "E. Ashley Holgate" writes: >Jon, I work on a Banyan network and have only had 3 virus's in the 2 1/2 years You are going to get a hell of a lot more if all you are relying on for anti-virus software is stupid ole Microsoft antivirus. That's a joke. Better get f-prot, &tbav ------------------------------ Date: Tue, 23 Aug 94 06:24:55 +0000 From: spdaley@undergrad.math.uwaterloo.ca (Steve Daley) Subject: GenB virus - Need Help (PC) Hi there...I'm not sure if my first post got through, so here I go again. A friend of mine is having MAJOR problems with a Generic Boot Virus...Can you help? Having a problem with several computers, reporting GenB, Generic Boot Virus. 
The following programs give the following reports: McAfee 2.01 GenB at 960k Thunderbyte Unknown Boot sector virus MSAV Nothing CPAV Nothing I am switching disks in and out of these machines all the time so it is conceivable that I could have this virus --- except that I also swap between two other machines which are not affected. One note - the majority of the machines use the exact same motherboard, bios, and memory (EMPaC Computer - Shuttle Motherboard - AMI Bios - 30 pin SIMMs) - These are the machines that report the virus. The other machines are a year and a half old, with different parts in them and they do not report a virus with any of these programs -- even though I swap disks into them more than any of the other machines (these two are my personal machines). No attempts to remove the virus work. I have done the following (as well as about 500 other things): 1. Make 6.2 boot disk on clean machine with only Himem.sys and Emm386 loading - boot infected machines and check with Scanner - Same Result as above 2. Sys the hard drive from a clean floppy 3. Re-format hard drive, re-install DOS from BRAND NEW package 4. Low level drive, then do step 3. None of these or anything else helped the situation at all. ANY HELP ON THIS WOULD PROBABLY GET MY BLOOD PRESSURE BACK TO SOME SORT OF ACCEPTABLE LEVEL !!! If you can help, please email me at spdaley@cayley.uwaterloo.ca. Thanks! btw: Is it possible that McAfee's Scan 2.10 is falsely detecting this GenB virus? Steve. ------------------------------ Date: Tue, 23 Aug 94 03:25:52 -0400 From: choip@ecf.toronto.edu (CHOI PETER YOO-SANG) Subject: Need help with new virus (PC) Hi! everyone..... I need help with this new virus that got into my computer.....It is called screamin.II.652 virus and it seems it only affects .com files. The Mcafee scaner version 2.10 can find the virus, but it says it cannot remove it. So if any of you know what to do with this virus please let me know as soon as possible......... 
thank you ------------------------------ Date: Tue, 23 Aug 94 03:37:04 -0400 From: ashish@panix.com (Ashish Sirohi) Subject: ** PC Virus ruins my life ** Help! (PC) Apologize for the sensationalistic heading! I have a virus on my 386 PC, which Windows 3.1 Virus Software cannot detect -- however the 3.1 Windows software says that my .exe, .sys files etc are being changed. That is the most info Windows 3.1 can provide when there in a virus but it cannot identify it. All my system files etc. are among those that have been invaded. All my programs are now running *much* slower. I am no computer expert. Any suggestions on what I can do to get rid of it. Thanks. ------------------------------ Date: Tue, 23 Aug 94 08:16:24 -0400 From: urh@specs.de (Ulrich R. Herken) Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC) I normally try to avoid being polemic, but here I somehow can't resist: Mike McCarty wrote: [...] >Any kid who knows DEBUG can also get a copy of Michaelangelo or any >other virus just by looking around a little. If it were difficult to get >copies of viruses, then nobody would need protection or scanners, >because it would be difficult to get infected. Get the drift? Any kid who knows how to use his fingers can get a gun an shoot someone. If it were difficult to get guns, then nobody would need bullet proof vests or security squads (and no one would be shot). Get the drift? >Until everyone knows how to write a virus, there will be those attracted >to the mystique of it. I say publish source for viruses everywhere and >make sure everyone can easily get a copy. Until everyone has a gun (possibly an assault rifle), there will be those attracted to the mystique of it. Give everyone (mainly kids!) a nice M-16 or better, and we get rid of that problem. >You sound like some people who, from time to time, decry >alt.locksmithing because "someone might find out how to pick a lock". So >what? You can't suppress knowledge. 
Anyone who really wants to get a copy >of a virus can get one. I got one when I didn't even want it. Cost me >many hours of disinfecting. Yeah right! I know people who got under fire (for using the horn on their car for example). Took them a while in the hospital to get their wounds disinfected. Anyone who really wants to can get a gun. >What we need is good antiviral products. We do not need thought police. What we need is good bullet proof vests (an helmets, and armoured cars and ...) [...] >We believe in liberty. We believe in freedom of thought. We believe that >individuals have intelligence. Right! That's why the US is the only country, where "Do not touch" is added to the line "Caution! Hot!". > We believe that people should be free to >learn and use everything there is to know in the universe. We believe >individuals should be responsible for their _own_ behavior (and no one >elses!). Good examples for that would be prohibition and McCarthy for example. But you are right, everyone should be able to do what they want, so have the KKK go on to eliminate some of these niggers. > >I don't think I like your ideas very much, sir. You remind me of the >bureaucratic nonsense over here attempting to suppress pure mathematical >research because someone might, just might, use it to create a cypher >which the NSA couldn't break. > >DISTRIBUTE INFORMATION FREELY AND POSITIVELY. HOLD PEOPLE ACCOUNTABLE >FOR THEIR OWN ACTIONS. Good idea, even if it weren't in all capital letters. > >I HATE being attacked by viruses. Let's stop them! But please QUIT >TRYING TO SUPPRESS INFORMATION! LET'S SUPPRESS THE PEOPLE WHO >DELIBERATELY CREATE AND RELEASE VIRUSES WITH MALICIOUS INTENT! [POLEMICS OFF] I absolutely agree with the need for distribution of information. I definitely do not agree on the idea, that the information needed in this case is gathered by making virus code available to everyone. >What you say sounds like Nazi Germany and Communist Russia to me. 
There >are a few intelligentsia who know how to run the lives of everyone >else. They are allowed to collect viruses and thwart them for the rest >of us. Oh, by the way, the ones who support this idea always seem to be >a part of the intelligentsia, not one of the plebes. BAH! Since no one has proven until now, that anarchy works, there will always be some people "running the lives" of others (government is an example that comes to mind). Wouldn't even you prefer to have an intelligent government instead of one that has no bloody idea about what is going on? > Only knowlege and experience can make a person safe from viruses. Good point. > When we all know how they work then: > > there will be much less incentive to write them Wrong. The incentive to do harm to others is quite independent of the knowledge who to cause that harm. > we will be able to protect ourselves from the ones being written Hopefully yes. But there will always be someone _clever_ enough to develop a new idea, of which you wouldn't know. > >Mike >- ---- Again please excuse my inadequate style in the above, but this one really made me angry. Regards, Uli - -- - ------------------------------------------------------------------------ Dr. Ulrich R. Herken (urh@specs.de) | SPECS GmbH R&D Medical Devices | Voltastrasse 5 Phone:+49 (0)30 463-3031 FAX:+49 (0)30 464-2083 | 13355 Berlin, Germany ------------------------------ Date: Tue, 23 Aug 94 09:36:51 -0400 From: harald@xs4all.nl (harald) Subject: anti-exe virus (PC) yesterday i was checking a pc from a relation in germany and macafee found the ANTIEXE virus in the primary boot sector. Macafee could not clean this virus and the SYS command did not removed teh virus. Does anyone has an idea how to remove the viruys without rebuilding everything? Can anyone tell me what the virus does and when its gonna work Please mail directly..... 
- -- ------H A R A L D I N E N ------------------------------------------ Amsterdam, Netherlands internet: harald@hacktic.nl AIDE Hobbemalaan 9,1213 EZ HILVERSUM TEL.(31)()035-246244 FAX.035-233032 ------------------------------ Date: Tue, 23 Aug 94 09:57:20 -0400 From: oas@po.CWRU.Edu (Omar A. Syed) Subject: Gingerbread Man Virus (PC) Hello This is my first time reading/contributing to this group. I've come here today, to ask for your help. Just a few days ago, I was struck with the Gingerbread Man Virus. I FTP'ed a file, and it had three files contained in the .ZIP. They were: GINGER.VIR GINGER.COM GINGER.EXE I didn't know what they were at the time that I executed the executable file. After running the executables, I read the GINGER.VIR. It has all the information on the Gingerbread Man Virus. It says it attacks the Master Boot Sector, .COM & .EXE files. I know a lot of my executables have been infected by now. In the .VIR file, it also mentions that F-PROT and some other AV software detect this virus. I was using F-PROT version 2.12a, not 2.13c. Unfortunately, F-PROT only detected the virus in memory, and the two files: GINGER.COM & GINGER.EXE. What I want to know is, is there anyway that I can disinfect the files that have been attacked? Also, I'm trying to replace my MBR with a clean one, I know how to do it using DEBUG & MIRROR. But, when I was testing out to see what I had for my MBR, it reports that I have a 405M hard drive, actually it's a 420M, I'm wondering if my MIRROR.COM and UNFORMAT.COM are infected and have some influence from the virus. Those two files are needed to dump my MBR to a file and replace the MBR from a file. If anyone knows how I can replace my MBR, and clean out my infected executables, please let me know. I am willing to send out a copy of the virus that I ran on my system. 
I have already sent out a letter to the author of F-PROT and have sent him a copy of the virus along with my MBR, if anyone wishes to receive this also, let me know. Thanks for your help. ------------------------------ Date: Tue, 23 Aug 94 15:14:28 -0400 From: iandoug@cybernet.za (Ian Douglas) Subject: Re: Smeg viruses (PC) Mike McCarty (jmccarty@spd.dsccc.com) wrote: > Many hard discs can be damaged by repeated seeking from track 0 to a > track beyond the end of the disc and back. Some can also be damaged by > repeatedly spinning up and down without waiting for the functions to > complete. This can damage driver transistors, and occasionally cause > head crashes. > Early monitors (and cheap current ones) could be damaged by software > reprogramming the horizontal retrace rate. This thread has been beaten to death in the FIdonet virus echos (and no doubt here too). There was ONE demonstratable example of such claim, and that was on an old monitor no longer manufactured. The idea of hardware damage by software (on modern hardware) is a myth. How do you think they test disk drives during the design phase? The proof of these claims is quite simple: if it WAS possible for software to damage hardware, you can bet your bottom dollar that dozens of viruses would use those techniques. But they don't, because they can't, because the techniques do not exist. > Why are you disturbed by the reports? Because you fear for your > hardware, or because you don't believe in them? Or what? Because they are unsubstantiated rumours, which cause panic for the uninformed. Cheers, Ian - -- - ----------------------------------------------------------------------------- Ian Douglas Lead, Follow, 34 InterNet: iandoug@cybernet.za P.O. Box 484 or get out of 1,73 FidoNet: 5:7102/119 7532 Sanlamhof the way. 57 TopNet: 225:2048/1 South Africa (Ted Turner, CNN) INTB PGP key available. 
- ----------------------------------------------------------------------------- ------------------------------ Date: Tue, 23 Aug 94 16:39:16 -0400 From: roger.ertesvaag@thcave.bbs.no (Roger Ertesvaag) Subject: SMEG Virus Test (PC) * In a message to All on 08-17-94, Vesselin Bontchev said: VB> such a way. Everybody can make a mistake, the important is that they VB> learn from them. I certainly would like to see more tests like those VB> that Luca produces, compared say, to the "tests" I have recently seen VB> in BYTE. I suppose you mean the NLM-test. Could you say a little more on what you see as the weakness(es) of this test? The virus collection? RogEr -=-=-=[ roger.ertesvaag@thcave.bbs.no ]=-=-=- - --- > SPEED 2.0b #1486 > NTSC - Never Twice Same Color. - ---- +-----------------------------------------------------------------------+ + Thunderball Cave BBS +47 2256 7018 / 2256 8809 (USR V.FC / V.FAST) + + -- thcave.bbs.no -- Oslo Norway -- + +-----------------------------------------------------------------------+ ------------------------------ Date: Tue, 23 Aug 94 20:30:14 -0400 From: ecsclfe@lux.latrobe.edu.au (ENRIQUEZ Luke) Subject: [Info-Needed] Junkie Virus (PC) Howdy, I came across the Junkie virus recently. TB 6.23 identified it as Junky in some files and as an unknown virus in others. It appeared to do something with INT 1C because qemm failed in stealth mode (ie It couldn't find the rom handler for INT 1C). Does the virus actually do something with INT 1C? Does anyone else have some analysis info on this interesting little critter? Regards, Luke - -- - --------------------------------------------------------------------------- Luke Enriquez, Dept. Electronic Engineering. LaTrobe University, Aust. "Life is like a pubic hair on a toilet seat. 
Someone is bound to piss you off" ecsclfe@lux.latrobe.edu.au - --------------------------------------------------------------------------- ------------------------------ Date: Tue, 23 Aug 94 21:10:27 -0400 From: datos@crl.com (Randy Ridgely) Subject: BSVs and F-PROT/VIRSTOP (PC) (Please see ObDisclaimer below before flaming me.) I have placed a floppy which is known to be infected with the C variant of Stealth_boot (CPAV & F-PROT both ID'ed it, altho CPAV only called it Stealth :-( ) in my drive while running VIRSTOP from my CONFIG.SYS file. I then did a DIR B:, a COPY to the disk, and a COPY from the diskette. I received no warning, although a subsequent scan by F-PROT reported the virus in memory. The machine is a 386/25sx-based MS-DOS 5.0 box with the following CONFIG.SYS: shell=c:\dos\command.com /p /e:512 DEVICE=C:\WINDOWS\HIMEM.SYS DEVICE=C:\DOS\EMM386.EXE NOEMS DOS=HIGH,UMB STACKS 9,512 FILES=99 BUFFERS=40 break=on DEVICE=C:\AV\VIRSTOP.EXE /OLD /COPY /BOOT /WARM DEVICEHIGH=C:\DOS\SETVER.EXE DEVICEHIGH=C:\DOS\ANSI.SYS devicehigh=C:\MOUSE\MOUSE.SYS I have also used the /DISK option with the above. I performed a similar experiment on a different machine with the same results; I do not have that machine's specs in front of me. F-TEST reported VIRSTOP installed and working. It also triggered when I attempted to run a program known to contain a file infector. I was ready to chalk this one up to the "fact" that VIRSTOP would only prevent the virus from infecting a *different* disk[ette], but frisk replied to another poster that VIRSTOP would detect a BSV on disk access. What am I missing here? (ObDisclaimer: I have spent nearly every free waking moment of the last four days pouring over this newsgroup (slash-mailing-list), the documentation for F-PROT and a few other AV s/w packages, downloading and reading papers and gopher descriptions. Yes, I read the FAQ -- tho't you might like to know that someone actually *does* once in awhile...*before* posting. 
I would send email to frisk directly rather than waste bandwidth, but I sent him mail two days ago about purchasing a site license for F-PROT. I haven't received a reply, so I figure if he's too busy to reply to a question involving money, he's too busy to answer freebies. I'm trying to dig myself out from under an infection of Stelboo_C at work with half the staff out sick or having quit, while persuading the Powers-That-Be that F-PROT is better than CPAV/VSAFE, despite the latter alerting on a simple DIR of the virus-laden diskette. Please excuse me if I seem a bit impatient; I don't mean to be. I know we *all* have lives and heavy workloads. Thanks for listening; flame away. :-) - -- randy Old Address: randy@stat.uga.edu (NOT valid) New Address: datos@crl.com (valid) ------------------------------ Date: 24 Aug 94 09:14:18 +0100 From: virusbtn@vax.oxford.ac.uk Subject: Re: Viruses & TSRs (PC) datadec@corsa.ucr.edu (Kevin Marcus) writes: >>2. How easy is it for a virus to defeat an antivirus product loaded as a tsr? >> (dos) > > Well, it's been done in the past, and no matter how much anti-tunneling code > a vendor might want to throw in their TSR, it is always gunna happen. > (I think, IMHO, etc... :)) > I would tend to agree with this. I mean, who *doesn't* know how to unhook the MSAV TSR. Even if you armour your code, the virus writer gets as long as he likes to break it. The other thing to remember with TSR virus protection is that many of the virus-specific ones do not have a very good detection ratio (see Virus Bulletin test in September 1993 edition)... especially on the extreme polymorphics. Indeed, it would seem that much of the effort is concentrated on what is in the wild. I would be interested to know how many TSR scanners get Pathogen or Queeg. The problem here is one of overhead (both memory and performance). Just make your code polymorphic enough, and you will defeat the TSR. 
Regards,

Richard Ford
Editor, Virus Bulletin

------------------------------

Date: Wed, 24 Aug 94 06:01:58 -0400
From: cczmjj@unicorn.ccc.nottingham.ac.uk (Malcolm Jackson)
Subject: Can F-PROT kill Ripper then find new variant of Form? (PC)

OK, here's the scoop!

I had a few PCs whose hard disks were infected by Ripper (boot sector) and Cascade (various EXE files). Using F-PROT I easily cleaned all viruses from the PCs. Or so I thought! On TWO of the PCs F-PROT detected "A new variant of the Form virus" which it was unable to remove from the boot sector.

Now, what puzzles me is the fact that the two PCs that had the new Form virus were new PCs and it's unlikely that the new variant of Form was introduced by anybody else. I was using F-PROT from a clean bootable floppy and I rescanned after each disinfection. F-PROT only noticed the new variant of Form _after_ I had removed the Ripper virus and rebooted the PC. Hope that's clear.

My question is this: Is it possible that F-PROT didn't quite manage a 100% clean-up of the Ripper virus and was fooled into thinking that it saw the new variant of Form? Or is it possible that there really is a new variant? Just how similar are Ripper and Form? Would they leave a similar `signature' in the boot sector? They are related, aren't they?

I had to use SYS C: to remove the new Form virus from the boot sector and both PCs are clean now. I'm sorry I couldn't get a copy of the boot sector, but the PCs were from another dept and I was being pushed for a result, and I need an answer to my question because the dept in question will be bringing it up at a Computer Users meeting. My neck is on the block here!

Incidentally, MS-DOS's Scandisk totally failed to find _any_ of the viruses. It's a bloody joke, innit?
Scandisk gives you a nice blue screen with lots of reassuring `ticks' coming down the screen as it checks various aspects of your hard drive for infection, then it confidently tells you that `There are no signs of a virus on your hard drive!' (or some similar message) when in fact the opposite is true.

Thanks for any help,

Mal.
Malcolm.Jackson@nott.ac.uk

------------------------------

Date: Wed, 24 Aug 94 12:20:25 -0400
From: interaccess!grouch@uunet.uu.net (Ray Moran)
Subject: Can a virus change CMOS settings??? (PC)

I am having a problem with several PCs where the CMOS settings are seemingly randomly changing. Could a virus be causing this?? Any information would be greatly appreciated.

Thanks,
Ray Moran

------------------------------

Date: Wed, 24 Aug 94 12:20:32 -0400
From: wslee@ai.mit.edu (Whay S. Lee)
Subject: Flash Bios vulnerable? (PC)

Has anybody seen a virus that attacks the flash BIOS yet? Somehow I get the paranoia that it would be only a matter of time before one of those creeps up on me...

whay

------------------------------

Date: Wed, 24 Aug 94 14:36:44 -0400
From: "Jeffrey Rice - Pomona College, California."
Subject: Integrity Checker? (PC)

I noticed a few posts ago a bit on how NAV's inoculation isn't as secure as it could be. (I think it was Vesselin....) Anyway, that is about the only part of NAV I do rely on. I know some other products have checksumming (AVP, McAfee, TBAV), but these don't check as the file is executed. Or am I mistaken on that? Does anyone know of a good product that has checksumming, whether or not it scans on access?

/-----------------------------------------------------------------------------\
| Jeffrey Rice           | "The man who ...is not moved by concord of sweet   |
| Pomona College         | sounds is fit for treasons, stratagems, and        |
| Claremont, California  | spoils. Let no such man be trusted." -WS           |
\-----------------------------------------------------------------------------/

------------------------------

Date: Wed, 24 Aug 94 15:26:30 -0400
From: al161926@academ01.mty.itesm.mx (Jesus Barrera Ramos)
Subject: How can I remove a version of NATAS? (PC)

Hi all,

I have a real problem: Natas is invading my school, ITESM Campus Monterrey, and I've not been able to remove it from my computer. I tried SCAN and F-PROT 2.13, and both detect it but can't remove it. Does anybody know some program to remove this virus from my computer? If you can help me I'll thank you very much.

Thanks in advance.

Jesus
al161926@academ01.mty.itesm.mx

------------------------------

Date: Wed, 24 Aug 94 19:22:02 -0400
From: brett_miller@ccm.hf.intel.com (Brett Miller - N7OLQ)
Subject: No_init virus info (PC)

I am looking for information on the no_init virus. I have checked many different sources and can not find any mention of this virus. Is it possible that this goes by another name? I am fairly sure this is not the same as the Noint virus.

Thanks,
Brett Miller N7OLQ
brett_miller@ccm.hf.intel.com
Intel Corp.
American Fork, UT

------------------------------

Date: Thu, 25 Aug 94 04:15:45 -0400
From: xandy@hamlet.telelogic.se (Andy Eskilsson (Flognat))
Subject: McAfee, MSAV, and FORM? (PC)

Does McAfee's scan detect the Form virus?

MSAV reported the existence of the FORM virus on one of the laptops I am maintaining. Null problemo, I thought, and brought out my virus killer, the emergency disk (a write-protected disk containing McAfee's scan (2.1.12? with the kaos extension) with virus description file dated 07/28-84). Booted the computer from the emergency disk, did a scan c:, and McAfee reported *no* viruses. Ran msav /c; MSAV detected and cleared the FORM virus. If I ran msav /c after booting from the infected(?) hard disk, it hung when it tried to scan.

The reason why we started scanning for the virus was that MS Windows (WfWg 3.11) at startup complained about a bad driver/virus infection/disk cache.
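The checksumming that Jeffrey Rice asks about above (and the boot-sector baseline that would have answered Malcolm Jackson's "did the sector really change after the Ripper clean-up?" question earlier in this digest) comes down to one idea: record a digest of every file and of the boot sector while the machine is known clean, and later refuse to trust, or to run, anything whose digest no longer matches. The following is an added example written for this digest, not the code of NAV, AVP, McAfee, TBAV or F-PROT; the two sample files, the 512-byte FAT12 boot sector and the "tampered" variants are constructed here so that it runs offline.

```python
"""Checksum-based integrity checking: a baseline of SHA-256 digests for
files and for a boot-sector image, re-checked later and before "execution".
Added example for this digest; not the code of NAV, AVP, McAfee, TBAV or
F-PROT.  The sample files and the 512-byte boot sector are constructed."""
import hashlib
import os
import struct
import tempfile

SECTOR_SIZE = 512


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_boot_sector(seed=0):
    """Construct a plausible FAT12 1.44 MB floppy boot sector (constructed
    data); 'seed' varies the code area so two sectors can differ."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"              # JMP SHORT xx ; NOP
    sector[3:11] = b"MSDOS5.0"                 # OEM name
    # BPB: bytes/sector, sectors/cluster, reserved sectors, FATs, root
    # entries, total sectors, media byte, sectors/FAT, sectors/track, heads
    sector[11:28] = struct.pack("<HBHBHHBHHH", 512, 1, 1, 2, 224, 2880,
                                0xF0, 9, 18, 2)
    sector[62:70] = bytes((seed + i) & 0xFF for i in range(8))  # "code"
    sector[510:512] = b"\x55\xAA"              # boot signature
    return bytes(sector)


def boot_sector_sanity(sector):
    """Structural checks that need no virus signature at all; returns a
    list of problems (empty means the sector looks like a DOS boot sector)."""
    if len(sector) != SECTOR_SIZE:
        return ["wrong sector length"]
    problems = []
    if sector[510:512] != b"\x55\xAA":
        problems.append("missing 0x55AA boot signature")
    if sector[0] not in (0xEB, 0xE9):
        problems.append("first byte is not a JMP opcode")
    bps, spc = struct.unpack("<HB", sector[11:14])
    if bps != 512:
        problems.append("bytes/sector is %d, expected 512" % bps)
    if spc == 0 or spc & (spc - 1):
        problems.append("sectors/cluster is not a power of two")
    return problems


def make_baseline(root, boot_sector):
    """Digest every file under root plus the boot sector."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = sha256_file(full)
    return {"boot": hashlib.sha256(boot_sector).hexdigest(), "files": files}


def check_against_baseline(root, boot_sector, baseline):
    """Report what changed since the baseline was taken."""
    cur = make_baseline(root, boot_sector)
    old, new = baseline["files"], cur["files"]
    return {
        "boot_changed": cur["boot"] != baseline["boot"],
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "missing": sorted(p for p in old if p not in new),
    }


def allowed_to_run(path, root, baseline):
    """The check-on-execute Rice asks about: only a file whose digest still
    matches the baseline gets to run (a real loader would refuse otherwise)."""
    expected = baseline["files"].get(os.path.relpath(path, root))
    return expected is not None and sha256_file(path) == expected


def demo():
    """Constructed scenario: baseline two files and a clean sector, then
    append to one file and rewrite the sector's code area, and re-check."""
    tmp = tempfile.mkdtemp()
    for name, body in (("COMMAND.COM", b"\x90" * 64), ("EDIT.COM", b"\xB4\x4C\xCD\x21")):
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(body)
    baseline = make_baseline(tmp, build_boot_sector())
    with open(os.path.join(tmp, "EDIT.COM"), "ab") as fh:   # file grows
        fh.write(b"\xEB\xFE")
    tampered = build_boot_sector(seed=0x41)                 # code area differs
    report = check_against_baseline(tmp, tampered, baseline)
    report["command_ok"] = allowed_to_run(os.path.join(tmp, "COMMAND.COM"), tmp, baseline)
    report["edit_ok"] = allowed_to_run(os.path.join(tmp, "EDIT.COM"), tmp, baseline)
    report["sanity"] = boot_sector_sanity(tampered)          # BPB still valid
    return report
```

Note the two different questions the checker answers: boot_sector_sanity says whether a sector is structurally a DOS boot sector (a stealth BSV that preserves the BPB passes it, which is why it is never enough on its own), while the baseline comparison says whether the sector or a file differs from what was recorded, regardless of whether any scanner has a name for the change. Keeping the baseline on write-protected, separately booted media is what makes the comparison meaningful against a resident virus.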
Any hints why scan didn't detect the FORM virus?

/andy

------------------------------

Date: Thu, 25 Aug 94 13:07:24 +0100
From: Luca Sambucci <93647758S@sgcl1.unisg.ch>
Subject: SMEG Virus Test (new) (PC)

- -----BEGIN PGP SIGNED MESSAGE-----

> VIRUS TEST Nr. 003
> -= SMEG Viruses =-
> Copyright (C) 1994 Luca Sambucci
> All rights reserved.
> Italian Computer Antivirus Research Organization

The "Simulated Metamorphic Encryption Generator" is an engine used to create polymorphic viruses. Some of these viruses seem to be 'in the wild', especially in the United Kingdom. At the moment there are three versions of the engine (v0.1, v0.2 and v0.3). For this test I've used one virus for each version:

    Pathogen:SMEG.0.1 ; Queeg:SMEG.0.2 ; Trivia:SMEG.0.3

This is a second "bug fix" version of the previous SMEG test, which had a few corrupted SMEG replications (damaged files instead of 100% working viruses). I've used completely new replications, and all of them are bug-free. Also, for this test I've added the 0.3 version of the SMEG, and I've included four new antivirus products (Dr. Solomon's AVTK, IBM-Antivirus/DOS, Integrity Master and Virex). Due to a technical problem I couldn't include the AVScan program; I'll test it again next time.

For the options used and for other product information, please refer to the TESTINFO.ZIP file available at all our distribution sites (a list of all sites is available on request).

The following products (scanners) have been tested:

Name                  Version  Date (MM/DD/YY)  Producer
=-----------------------------------------------------------=
AV Toolkit Pro (-V)   2.00e    07/13/94         KAMI Ltd.
AVTK (Findviru)       6.6      05/11/94         S&S Int. Ltd.
F-Prot                2.13a    07/27/94         Frisk Soft. Int.
IBM Antivirus/DOS     1.06     07/11/94         IBM Corp.
Integrity Master      2.22a    05/25/94         Stiller Research
Sweep                 2.64     08/01/94         Sophos Plc
TBAV (TbScan)         6.22     07/11/94         ESaSS BV
Virex PC (VPCScan)    2.94     07/05/94         Datawatch Corp.
VirusScan             2.1.0    07/18/94         McAfee Inc.
TEST RESULTS

Pathogen:SMEG.0.1

For the test I've infected 1000 files (500 COM and 500 EXE) with "Pathogen" replications. Here are the results (1000 replications):

| Antivirus      |Rel.    |Unrel.  |Not      | %Total  |
| product        |Identif.|Identif.|Detected |Detected |
=----------------+--------+--------+---------+=========+-=
AVP 2.00e        |  1000  |    0   |    0    < 100.00% >
=----------------+--------+--------+---------+=========+-=
Findviru 6.6     |  1000  |    0   |    0    < 100.00% >
=----------------+--------+--------+---------+=========+-=
F-Prot 2.13a     |  1000  |    0   |    0    < 100.00% >
=----------------+--------+--------+---------+=========+-=
IBMAV 1.06       |     0  | 1000   |    0    < 100.00% >
=----------------+--------+--------+---------+=========+-=
I-Master 2.22a   |     0  | 1000   |    0    < 100.00% >
=----------------+--------+--------+---------+=========+-=
Sweep 2.64       |  1000  |    0   |    0    < 100.00% >
=----------------+--------+--------+---------+=========+-=
TbScan 6.22      |     0  |  393   |  607    <  39.30% >
=----------------+--------+--------+---------+=========+-=
VPCScan 2.94     |     0  |    0   | 1000    <   0.00% >
=----------------+--------+--------+---------+=========+-=
VirusScan 2.1.0  |   950  |    0   |   50    <  95.00% >
=----------------+--------+--------+---------+=========+-=

Queeg:SMEG.0.2

For the test I've infected 1000 files (500 COM and 500 EXE) with "Queeg" replications. Here are the results (1000 replications):

| Antivirus      |Rel.    |Unrel.  |Not      | %Total  |
| product        |Identif.|Identif.|Detected |Detected |
=----------------+--------+--------+---------+=========+-=
AVP 2.00e        |  1000  |    0   |    0    < 100.00% >
=----------------+--------+--------+---------+=========+-=
Findviru 6.6     |  1000  |    0   |    0    <   0.00% >
=----------------+--------+--------+---------+=========+-=
F-Prot 2.13a     |  1000  |    0   |    0    < 100.00% >
=----------------+--------+--------+---------+=========+-=
IBMAV 1.06       |     0  | 1000   |    0    < 100.00% >
=----------------+--------+--------+---------+=========+-=
I-Master 2.22a   |     0  | 1000   |    0    < 100.00% >
=----------------+--------+--------+---------+=========+-=
Sweep 2.64       |     0  |  631   |  369    <  63.10% >
=----------------+--------+--------+---------+=========+-=
TbScan 6.22      |     0  |  129   |  871    <  12.90% >
=----------------+--------+--------+---------+=========+-=
VPCScan 2.94     |     0  |    0   |    0    <   0.00% >
=----------------+--------+--------+---------+=========+-=
VirusScan 2.1.0  |     0  |    0   | 1000    <   0.00% >
=----------------+--------+--------+---------+=========+-=

Note: All "Queeg" replications detected by Sweep have been identified as "Pathogen".

Trivia:SMEG.0.3

For the test I've infected 1000 files (1000 COM) with "Trivia" replications. Here are the results (1000 replications):

| Antivirus      |Rel.    |Unrel.  |Not      | %Total  |
| product        |Identif.|Identif.|Detected |Detected |
=----------------+--------+--------+---------+=========+-=
AVP 2.00e        |     0  | 1000   |    0    < 100.00% >
=----------------+--------+--------+---------+=========+-=
Findviru 6.6     |     0  |    0   | 1000    <   0.00% >
=----------------+--------+--------+---------+=========+-=
F-Prot 2.13a     |     0  |  891   |    0    <  89.10% >
=----------------+--------+--------+---------+=========+-=
IBMAV 1.06       |     0  |    0   | 1000    <   0.00% >
=----------------+--------+--------+---------+=========+-=
I-Master 2.22a   |     0  |  323   |  677    <  32.30% >
=----------------+--------+--------+---------+=========+-=
Sweep 2.64       |     0  |    0   | 1000    <   0.00% >
=----------------+--------+--------+---------+=========+-=
TbScan 6.22      |     0  |  771   |  229    <  77.10% >
=----------------+--------+--------+---------+=========+-=
VPCScan 2.94     |     0  |    0   | 1000    <   0.00% >
=----------------+--------+--------+---------+=========+-=
VirusScan 2.1.0  |     0  |    0   | 1000    <   0.00% >
=----------------+--------+--------+---------+=========+-=

GLOBAL RESULTS

SMEG viruses (3000 replications):

| Antivirus      |%Detect.|%Detect.|%Detect. | %Total |
| product        |Pathogen| Queeg  | Trivia  |  SMEG  |
=----------------+--------+--------+---------+========+--=
AVP 2.00e        | 100.00%| 100.00%| 100.00% <100.00% >
=----------------+--------+--------+---------+========+--=
Findviru 6.6     | 100.00%| 100.00%|   0.00% < 66.67% >
=----------------+--------+--------+---------+========+--=
F-Prot 2.13a     | 100.00%| 100.00%|  89.10% < 96.37% >
=----------------+--------+--------+---------+========+--=
IBMAV 1.06       | 100.00%| 100.00%|   0.00% < 66.67% >
=----------------+--------+--------+---------+========+--=
I-Master 2.22a   | 100.00%| 100.00%|  32.30% < 77.43% >
=----------------+--------+--------+---------+========+--=
Sweep 2.64       | 100.00%|  63.10%|   0.00% < 54.37% >
=----------------+--------+--------+---------+========+--=
TbScan 6.22      |  39.30%|  12.90%|  77.10% < 43.10% >
=----------------+--------+--------+---------+========+--=
VPCScan 2.94     |   0.00%|   0.00%|   0.00% <  0.00% >
=----------------+--------+--------+---------+========+--=
VirusScan 2.1.0  |  95.00%|   0.00%|   0.00% < 31.67% >
=----------------+--------+--------+---------+========+--=

LEGEND:

- Reliably identified: Detected with the correct name (note: to be marked as "reliably identified" the scanner must provide the "exact identification" of the virus. An identification that provides the family name only isn't exact enough)
- Unreliably identified: Detected with the wrong name, with the heuristic/generic analyser, or as a "new" variant of the virus
- Not detected: Not detected at all
- %Total Detected: The global detection rate (test set=100%)

This document is available at our official distribution sites within the archive called VTEST003.ZIP

Sysops or FTP administrators that wish to become official distributors of I.C.A.R.O.'s files can contact us at one of the following addresses:

Internet: luca.sambucci@ntgate.unisg.ch
FidoNet:  Luca Sambucci 2:335/348.6

Best Regards,

Luca Sambucci

=----------------------------------------------------------------------------=
                                       ________________________________
 Luca Sambucci                        (                                )
                                       ) I said to Life,               (
 luca.sambucci@ntgate.unisg.ch        (  "I would hear Death speak".    )
                                       ) And Life raised her voice a   (
                                      (  little higher and said,        )
 Italian Computer Antivirus            ) "You hear him now".           (
 Research Organization                (                                )
                                       )              Kahlil Gibran    (
                                      (________________________________)
=----------------------------------------------------------------------------=

- -----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLlumM+ZQNzkHaA4JAQF2PgQAhzPuCWV/pGbnG7n58S2LEJu20d2/Pe0o
XQs3ymEQ2UN0GyJJkqB5b0AqDMLRS2nOxF6/8gDr3cvueg+g72ifjugrm130AeGx
/gwnrvu5XO7G4bQjRisFks3iAitR2jws03g7bY46QpuQwqeFcRT/eUBqC6Zl2sHy
Hb7+Vqpt27o=
=EULv
- -----END PGP SIGNATURE-----

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 75]
*****************************************
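The scoring used in the SMEG test above (reliable identification, unreliable identification, not detected, a per-virus %Total and an equal-weighted global average over the three viruses) is easy to misread when only the final percentages are published, so here is the bookkeeping written out. This is an added example for this digest, not I.C.A.R.O.'s own test tooling: the ten "Pathogen" report strings are constructed, and the list of phrases that mark a report as generic or heuristic (GENERIC_MARKERS) is an assumption based on the test's LEGEND rather than any scanner's real wording. global_rate reproduces the GLOBAL RESULTS column from the three per-virus %Total figures, and row_is_consistent is the check a reader can apply to any published row: counts must sum to the test-set size and the percentage must match the detected count.

```python
"""Scoring a scanner test the way the SMEG test above does: each sample
is counted as reliably identified, unreliably identified, or not detected,
and the per-virus rates are averaged into a global figure.  Added example
for this digest, not I.C.A.R.O.'s own tooling; the scanner reports are
constructed, and the phrases that mark a report as generic/heuristic are
an assumption based on the test's LEGEND."""
from collections import Counter

# Assumed wording a scanner uses when it did not name the virus exactly.
GENERIC_MARKERS = ("new variant", "possible", "heuristic", "unknown", "generic")


def classify(report, exact_name):
    """Map one report line for one sample to the LEGEND's three categories."""
    if not report.strip():
        return "missed"                       # Not detected
    text = report.lower()
    if any(m in text for m in GENERIC_MARKERS):
        return "unreliable"                   # heuristic / "new variant" hit
    if exact_name.lower() in text:
        return "reliable"                     # exact identification
    return "unreliable"                       # wrong or family-only name


def tally(reports, exact_name):
    """Counts plus %Total Detected for one virus (test set = 100%)."""
    counts = Counter(classify(r, exact_name) for r in reports)
    detected = counts["reliable"] + counts["unreliable"]
    return {
        "reliable": counts["reliable"],
        "unreliable": counts["unreliable"],
        "missed": counts["missed"],
        "pct_detected": round(100.0 * detected / len(reports), 2),
    }


def global_rate(per_virus_pct):
    """The GLOBAL RESULTS column: equal-weighted mean of the per-virus rates."""
    return round(sum(per_virus_pct) / len(per_virus_pct), 2)


def row_is_consistent(reliable, unreliable, missed, pct, total=1000):
    """Sanity check for a published row: counts sum to the test-set size and
    the percentage matches the detected count."""
    return (reliable + unreliable + missed == total
            and round(100.0 * (reliable + unreliable) / total, 2) == pct)


# Constructed scanner output for ten "Pathogen" samples (not real output):
# six exact names, one family-only name, one "new variant", one heuristic
# hit, and one silent miss.
SAMPLE_PATHOGEN_REPORTS = [
    "Pathogen", "Pathogen", "Pathogen (SMEG.0.1)", "Pathogen", "pathogen",
    "Pathogen", "SMEG", "Possible new variant of Pathogen",
    "Heuristic: polymorphic decryptor", "",
]
```

Calling tally(SAMPLE_PATHOGEN_REPORTS, "Pathogen") on the constructed set gives 6 reliable, 3 unreliable, 1 missed and 90.0% detected; global_rate([100.0, 100.0, 89.10]) gives the 96.37% the global table shows for F-Prot. The classification order matters: a report that names the virus but calls it a "new variant" counts as unreliable, exactly as the LEGEND says, which is why the marker check runs before the exact-name check.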