VIRUS-L Digest   Friday, 7 Oct 1994   Volume 7 : Issue 81

Today's Topics:

Viruses....
[Q:] What does 'tunneling' mean?
Need help: am composing a list of viruses for 1993/4
Re: Naming of Viruses
Re: Few questions regarding viruses
Scanner Fodder
my last comment (for now) on Doren's VIRSIM
Free Newsletter
ANNOUNCE: HTML version of comp.virus/virus-l FAQ available
How does one become a "respectable" researcher?
Virus Scanners for OS/2 (OS/2)
Re: F-Prot scans UMBs ??? (PC)
Re: Viruses & TSRs (PC)
Re: Integrity Checker? (PC)
Whisper Virus question (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Info wanted re Jumper virus (PC)
`_2kb' virus (PC)
How can I search for... (PC)
[ F-PROT and MBR ] (PC)
Re: Integrity Checker? (PC)
JERUSALE.FU_MANCH.UNK2 virus??? (PC)
Re: Can a virus change CMOS settings??? (PC)
0030 - CIAC E-34 One_half virus (PC)
monkey virus (PC)
Whisper virus (PC)
STELBOO virus (PC)
Junkie virus (PC)
Unknown Virus (PC)
HLLC.Even_Beeper.B (PC)
Filler and Anti-Tel Viruses (PC)
'Jumper.B' a la F-PROT (PC)
1423 virus contamination. Help! (PC)
Re: Using two TSRs simultaneously? (PC)
Re: How can I remove a version of NATAS? (PC)
Trojan Alert (PC)
Check out these symptoms please - Virus ? (PC)
help cleaning Swiss from disks (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: Floppy boot sector replacement (PC)
Yale Virus questions (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Fixing the boot sector of a floppy? (PC)
fp-214.zip - Version 2.14 of the F-PROT anti-virus package (PC)
bull-214.zip - ASCII-version of F-PROT 2.14 Update Bulletin (PC)
AVP 2.1 beta (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Sat, 17 Sep 94 01:32:22 -0400
From: jmiller@iglou.iglou.com (John Miller)
Subject: Viruses....

I was reading through a few of the postings and responses and was intrigued about how protective most people are about the viruses that they keep. Some are smart and some (not on this newsgroup) are just plain paranoid.

For example: I work for a medium size firm that installs Novell networks. About three years ago I started getting interested in the aspect of viruses and the inner workings of destructive and benevolent viruses. But as of late I was just examining some weak viruses with minimal attack and no damage. My boss and I have been finally getting ahold of some useful test-bed viruses to see the signs, attacks, security leaks etc. of some of these viruses and how they affect a Novell network. When I went on the hunt for more test viruses, people were rather paranoid about talking about them (this is on local BBS's where I live) so obtaining them was a difficult task. But nevertheless I keep searching.

------------------------------

Date: Sat, 17 Sep 94 18:41:02 -0400
From: djakman@fwi.uva.nl (Kemal Djakman)
Subject: [Q:] What does 'tunneling' mean?

I have noticed that several posts here mention 'tunneling' viruses, or 'anti-tunnelling' methods. I can't find it in the FAQ.
Would someone be kind enough to explain it to me?

- ---kemal---

------------------------------

Date: Sun, 18 Sep 94 13:01:46 -0400
From: trixrabbit@aol.com (TrixRabbit)
Subject: Need help: am composing a list of viruses for 1993/4

I guess this is a Top Ten list sort of thing, but I need to assemble a list of the most prominent computer viruses that emerged in 1993/4. Obviously this is subjective, but if *you* have nominations, please post them along. If you can't think of ten, no problem. If you want to append notes to your selections, then that's probably going to be interesting.

"Thanking you in advance" (to me, the previous statement qualifies as a virus)

Genuine thanks,
The Rabbit

------------------------------

Date: Wed, 21 Sep 94 20:30:26 -0400
From: sbonds@u.washington.edu (Steve Bonds)
Subject: Re: Naming of Viruses

Michael D. Jones wrote:
>This may be a trick question, or a useless one depending on your
>point of view, but what determines the correct "official" name
>for a virus. For example, say I have two different virus
>scanners and they both catch the same virus, but they report it
>as being a different virus, what virus did I just catch?

Alas, the best answer in such a situation is to be sure to mention the name of the scanner along with whatever name it gave you when discussing it with anyone. In some cases, even the VERSION number is needed for clarity-- e.g. SCAN by McAfee.

About the only "standard" seems to be the CARO naming standard, and it is not widely used just yet. F-prot uses CARO names whenever possible, and I believe that Dr. Solomon's AV product also uses CARO names. There may also be others-- if so let me know so I can look at them!

>I know the easy answer is: who cares, you caught it!, but what if
>I didn't catch a virus that this particular scanner said that it
>should catch, because one or both of us used the "unofficial"
>and not the "official" name. Do you see where I'm going with
>this?
It is also important to have as exact an ID as possible since even minor variants can have different effects. For example, what if one variant corrupts files without infecting them, yet another variant causes no extra file corruption? In the former case, one would know to yank out the ol' integrity checker to find the corrupted files and/or restore from backups. In the second case, there wouldn't be as much cause for concern.

>I've heard people talking about the CARO names, although I
>don't recall this ever being explained on the list and I can't
>find my copy of the FAQ right now.

CARO names are multi-part names separated by a dot/period. They start with the most general family possible (e.g. Jerusalem, Stoned) and progress forward with each "section" becoming progressively more detailed. (i.e. Stoned.Michelangelo.A) There are many "Stoned" viruses, and quite a few Stoned.Michelangelo viruses, but so far as I know, only one Stoned.Michelangelo.A virus. And if a variant of this one were created, the naming could change to allow for it to fit into the scheme.

Check out naming.zip on Vesselin's FTP site for more detailed CARO info. It is in the directory /pub/virus/texts/tests/vtc. Lots of other good stuff there, too, but remember that peak hours in Germany are quite different from peak hours in the US. Weekends are the best time to go hunting there.

>so is there some type of criteria by
>which a virus is named and if so, why do different scanners
>sometimes report the same virus as being different?

There are no criteria for naming viruses. If I wanted to write a new scanner, I could have it call the viruses WHATEVER I wanted. Some writers do just this, and THAT is why there is so much confusion!

>I would still be interested in seeing a finger, gopher, WWW
>source for virus info.

Ah, we can dream, can't we? The best I've seen are the old V-L archives which are available via FTP. You can get the format for html files, and convert everything yourself, of course.
Just in case you end up with some spare time you'd rather get rid of... :->

It REALLY would be nice to have a WWW hypertext version of a virus catalog. It would be very easy to keep it updated, since corrections could be made and everyone could get up-to-date info without downloading over a megabyte of extraneous junk.

>No, I'm still not interested or qualified
>enough to manage it either Perry. I'd even be interested in a
>DOS or Windows based app if I could find one that was fairly
>reliable and up-to-date. Sorry Patricia, even though yours is
>the best and easiest to use that I have found so far, truth is,
>it doesn't meet the above requirements very well. I know it sounds
>like I'm just complaining and not giving any solutions, but I
>don't have any solutions, just suggestions.

Join the club! I've been whining for years about this same topic. And, like you, I barely have enough time to read comp.virus, much less take on a task of this Herculean magnitude.

You might again poke through Vesselin's FTP site, it has some good info scattered around. Check out CAROBase, particularly. Not really up-to-date, but the information is pretty reliable. The online info in F-prot is also quite reliable, but very brief.

>Concerning the FAQ. The FAQ says, "The FAQ is a dynamic
>document, which changes as people's questions change." But the
>FAQ also says that it was last updated on 18 November 1992. So
>either the date has not been updated since 1992 or people have
>been asking the same questions since 1992. It's not really that
>bad is it Vesselin and Frisk. :)

I've submitted a few potential questions to the FAQ, complete with answers and never heard back. I hadn't realized that it had been so long since it has been updated. 1992 is getting a bit old, isn't it?? No wonder it seems awfully familiar each time I read it... :) Maybe Ken is just really busy, but if things are THAT busy, maybe he ought to hand off the FAQ to someone who has too much free time.
>I also tried to subscribe to the mailing lists for this group a
>couple of weeks ago, but I haven't seen anything yet. Is
>perhaps the FAQ incorrect (see above), did I do something wrong,
>or did my request just get lost somewhere out there?

Sometimes it takes a couple of weeks. Hang in there. Also keep in mind it takes just as long (or longer!) to UNsubscribe.

-- 007

PS: Note the new address! That giant pause you failed to hear from me this summer was me at 2400 baud paying $0.32/minute for connect time. But I'm back now!

------------------------------

Date: Wed, 21 Sep 94 21:14:48 -0400
From: sbonds@u.washington.edu (Steve Bonds)
Subject: Re: Few questions regarding viruses

Fridrik Skulason wrote:
>haq@savage.umiacs.umd.edu writes:
>
>>I have a few questions regarding computer viruses:
>
>>3. Does a stealth virus use encryption?
>
>some do, some don't. Stealth and encryption are two independent properties.

Stealth generally means that the virus takes active measures to hide itself from detection. For example, removing itself from a file when that file is looked at, then reinfecting when the file is closed again. In this way, someone looking for viruses will only see the original program. The virus just isn't there during the time they spend looking.

Encryption means the virus takes more passive measures, by scrambling its code so it looks like nothing harmful. However, the code to de-scramble the virus to its original state can't be hidden, so this can often be found.

See the FAQ for more info-- this is excessively brief.

-- 007

------------------------------

Date: Fri, 23 Sep 94 06:16:22 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Scanner Fodder

Here is the documentation for a set of sample files I received recently. Those files seem to serve the same purposes as Doren Rosenthal's virus "simulations", but at least the author of this "product" does not make false claims about what the product does.
- -----------------------------------------------------------------------------

SCANNER FODDER - SWAGSoft Software

The included files are not guaranteed to do anything but waste your time. They are not viruses or functional programs. They are purely SCANNER FODDER. They will not determine if an anti-virus scanner is effective or useless; they are only guaranteed to raise some false alarms depending upon the anti-virus software suite being used to inspect them.

SCANNER FODDER dumb baits are packed with signature strings pulled from numerous sources: Virus Bulletin, the book "Computer Viruses and Anti-virus Warfare" by Jan Hruska; and virus I.D.'s used by various members of the Computer Anti-virus Research Organization.

A number of things can happen when an anti-virus scanner inspects a SCANNER FODDER dumb bait.

1. The scanner will see nothing. It does not include any of the signatures for SCANNER FODDER dumb baits in its database. Such a scanner is either extremely unorthodox or poorly maintained.

2. The scanner will recognize a string, but determine that the SCANNER FODDER dumb bait is not a live virus. It will report nothing. This is the best result.

3. The scanner will recognize a string and report that the SCANNER FODDER dumb bait is infected by the virus. It may volunteer to delete or attempt to repair the file. If it repairs the file, it will ruin it. Attach a SCANNER FODDER dumb bait flagged in this manner to a real program with the command "copy command.com+fodder.com command.com." Repeat the exercise for disinfecting the file. The scanner will ruin the file, even though it worked perfectly even with the SCANNER FODDER dumb bait attached.

4. The scanner will report that the SCANNER FODDER dumb bait is infected with a new variant of the virus. Nope. SCANNER FODDER dumb baits are not viruses; many are only stupid hunks of binary data which will cause a machine hang.
SCANNER FODDER dumb baits are useful only in testing how susceptible a virus scanner is to misidentification and false positives. SCANNER FODDER dumb baits can be attached to real programs using the procedure in Step #3 to see how quickly and effectively a poorly implemented scanner will try to ruin a file. Since SCANNER FODDER dumb baits are not viruses, no anti-virus program should attempt to remove them. Try it. Watch the fun ensue!

SCANNER FODDER dumb baits have one other specialty purpose. SCANNER FODDER dumb baits can be passed around on virus exchange BBSes as digital currency. Since most system operators will rely only upon anti-virus scanners to determine virus identity, an archive of SCANNER FODDER dumb baits will serve to inflate online libraries with dubious content. SCANNER FODDER dumb baits can also serve to waste the time of anti-virus software developers.

This archive of SCANNER FODDER dumb baits can include any or all of the following virus false alarms:

- -frisk

------------------------------

Date: Fri, 23 Sep 94 09:17:42 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: my last comment (for now) on Doren's VIRSIM

I really have better things to do with my time, but here is a tech-note, which I intend to use as a "standard reply" in the future.

- -----------------------------------------------------------------------------

Frisk Software International - Technical note #5

"Simulated" viruses

One of the most annoying questions I get is: "I created a bunch of viruses with the Virus Simulator, and [product X] does not detect any of them. Why ?"

This "virus simulator", available on BBSes and FTP archives under the name VIRSIM2C.ZIP provides several options, one of which is the possibility to create files, which contain bits and pieces from various viruses.
The documentation of the package makes various claims, such as:

"The simulators all produce safe and controlled dummy test virus samples that enable users to verify that they have installed and are using their virus detecting programs correctly..."

"A virus detecting program is validated when it reports the simulations."

"Virus Simulator's ability to harmlessly compile and infect with safe viruses, is valuable for demonstrating and evaluating anti-virus security measures..."

Those claims are false, or at least extremely misleading. The facts are:

The files created by the program are not viruses, and there are no valid technical reasons why they should be reported as such. A virus scanner may pick up some of the virus fragments and incorrectly conclude that a virus is present.

A scanner may actually react in one of four different ways, when it encounters one of those "simulations".

1) The scanner might not report anything at all. This is the "correct" approach - the files are not virus infected. However, this does not tell you anything about whether the scanner would find the actual viruses or not.

2) The scanner might report something like "Non-virus: VIRSIM-generated". A few anti-virus companies have taken this approach, partly to avoid having to answer the question why they do not report a virus, but partly because they are afraid that somebody might actually use VIRSIM to decide between two scanners - in other words, they are afraid of losing a sale to an inferior product that incorrectly reports viruses.

3) The scanner might report something like "Unknown variant of virus X". This indicates the scanner picks up the search string, but is able to determine that the file is not infected in the regular way. A report like this is really a false alarm, and indicates a possible problem with the scanner....it may be too likely to generate false alarms....however, this is much less serious than the situation described below.
4) The scanner might report the file to be infected with a virus, and might even offer to remove the virus. This is the worst possible performance. It indicates that the identification part of the scanner is seriously flawed and the scanner might for example be unable to distinguish between two similar, but different variants of the same virus. It might also have serious problems when disinfecting....possibly frequently corrupting files because of the lack of proper identification.

In other words, the VIRSIM-generated files are not usable for scanner testing at all.

- -frisk

------------------------------

Date: Fri, 23 Sep 94 10:59:28 -0400
From: "Mr. Shannon Roxborough"
Subject: Free Newsletter

Information Systems Security Monitor (ISSM) is available FREE-OF-CHARGE from:

Dept. of Treasury
Bureau of the Public Debt
AIS Security Branch
200 3rd Street
Parkersburg, WV 26101

Voice: (304) 420-6368
BBS: (304) 420-6083
E-mail: sbranch@well.sf.ca.us

Mr. Shannon Roxborough
Multi-faceted Free-thinking International Consultant
worldadvisor@delphi.com

------------------------------

Date: Fri, 23 Sep 94 14:15:52 -0400
From: D Peterman
Subject: ANNOUNCE: HTML version of comp.virus/virus-l FAQ available

Just thought I'd let it be known that I have converted the FAQ to hypertext (HTML) and it is available for your perusal at your leisure...

The url is http://www.umcc.umich.edu/~doug/virus-faq.html

It is still somewhat under construction (I haven't made the ftp links yet...) but it is functional!

- --
- --- Of all the things I've lost, I miss my mind the most... ---
- --- Doug Peterman - doug@umcc.umich.edu - dpeterma@pt8000.pto.ford.com ---

------------------------------

Date: Fri, 16 Sep 94 04:16:47 -0400
From: dnikuya@netcom.com (dave nikuya)
Subject: How does one become a "respectable" researcher?

Dear Friends,

I have only recently gained access to the internet, through the now infamous Netcom service provider.
I have the temerity to make a rather lengthy posting to this newsgroup because I feel very strongly about the issues involved. I beg your indulgence in advance for my inexact analogies, and hope that any flames produced are directed at my main points and not at minor mistakes. I also apologize in advance to Vesselin and anyone else who may take my comments personally; they are not intended to question anyone's character, but rather to state my case for a viewpoint that seems to be in disfavor with many important contributors to this forum.

I consider Vesselin one of the most helpful and knowledgeable people on the net, but I must question some of his comments:

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>Yaron Y. Goland (ygoland@hollywood.cinenet.net) writes:
>
>> That netcom allows its users to distribute viral code and related
>> information when clearly marked as such is required as a basic
>> characteristic of freedom as defined in the United States of America.
>
>Unfortunately, the 'net is not confined to the United States of
>America, and what Netcom does causes impact to several other
>countries, where actions like that are considered illegal.

Surely you don't mean that it's unfortunate that the net is not confined to the US :), and surely you don't mean that US net services should be confined to that which is legal in every country? For example, would you advocate censoring the discussion groups on politics, sex, and religion, to make them acceptable to the government of Iran?

>> I realize that many people in this group come from countries where the
>> emphasis of society is placed upon the society and not the individual.
>> Thus society feels perfectly within its rights to restrict the rights
>> of the individual at any time it feels a threat to itself.
>
>Exactly.
Of course, the problem here is that society is not monolithic, and in practice it is not society that restricts the rights of the individual, but a very small group of people who have gained (by whatever means) the power to decide issues for everyone. A paradox of government, recognized even by the ancient Greeks, is that people of the necessary quality, wisdom, and integrity to decide these issues for society are among those least likely to possess the ambition and ruthlessness required to obtain high public office. Thus, Americans have a traditional distrust of people who want to tell them what is good for them, especially when there appears to be a conflict of interest (see below).

<...>

>> Many of the people who read this group are considered by the public as
>> experts on the subject of computer viruses and their views will be
>> sought when legislation relating to virus and malicious software is
>> written. I hope they will keep in mind the nature of freedom, its
>> costs as well as its benefits.
>
>Sure, we will. I also think that making it illegal to *write* a virus
>is a serious infringement on a person's liberty. However, I also
>believe that it should be made a crime ("criminal negligence"?) to
>give a virus to somebody who you are not convinced that they would be
>competent and responsible enough to handle it properly.

Well, this is a very stringent requirement. While I sympathize with your motives, I am sure that you are aware that many people suspect elements of the anti-virus community of spreading viruses in order to increase demand for their services. And as I have already stated, I consider you to be one of the most helpful and competent people in cyberspace, but I do not know you personally, and I recently saw an article which stated that some people believe that you are the Dark Avenger.
So it would be very difficult for anyone to _prove_ that he should be one of the elite to whom people can send viruses in full confidence that they won't be misused. Can there be no middle ground, where a responsible entity can make viruses available to adults willing to identify themselves and sign a statement promising responsible use, to remain on file?

By way of analogy, guns are obviously very dangerous, and are involved in thousands of crimes and accidents every day. Yet in the US, you do not have to prove that you are responsible and competent to buy a gun; you only have to prove (at most, and very informally) that you are not a convicted felon or a lunatic. (I am not saying this is good or bad; I am saying that this is the kind of tradeoff between freedom and risk that is traditional in the US).

Another thing we have learned in the US is that making things illegal can create new problems. With alcohol in the 1920's and many drugs today, the benefit of less people using the drug seems to have been offset by the increased crime caused by the vicious gangsters who struggle for control of the drug market, habitual users committing burglaries and robberies to obtain the money necessary to buy the drug at the much higher prices that black marketeers charge, and otherwise good citizens having their lives ruined because they were caught experimenting with a recreational drug.

The parallel I am trying to draw is that if distribution of clearly marked viruses is made illegal, then people who want to get viruses in spite of the law will still do so, but their only source will be the underground BBS's that demand a new virus as initiation, so that you may have the unintended effect of increasing the production of viruses, and the proliferation of BBS's run by unsavory characters.

As a possible example, and I may be wrong about this, but my impression is that the Ludwig-bashers in this forum may have done more harm than good.
If you read the early issues of his newsletter, it seems he was really trying to put out good information of use to researchers, but in later issues he includes articles that seem slanted more toward the people wanting to spread viruses than to contain them. Perhaps he could have gone either way in the beginning, but the vituperation he got from the "legitimate" AV community, plus whatever success the AV community had in keeping "respectable" researchers from subscribing to his publications, left him with nothing to lose among researchers and a customer base with a disproportionate number of non-respectable characters. Even so, I really do consider it ironic that many PC magazines consider themselves too pure to carry his ads, but have pages of ads for pornographic CD-ROMS.

The real danger I see is that many people who are interested in learning about viruses will have no legal way to do it. Let me lay my cards on the table and explain why this is a real fear for me: there seems to be a very small number of established AV researchers, some of whom are regular contributors to this forum, who are widely accepted as the "legitimate" AV community. While I am sure that it is unintentional, there is often an undercurrent of condescension or even ridicule when these insiders refer to people who are interested in AV activities, but who have not established themselves as members of this community. For example, Vesselin's statement regarding Ludwig's CD-ROM: "most respectable anti-virus researchers refuse to even take a look at it."

Well, I bought it, and I also subscribe to his newsletter. Yes! I admit it! And yet I don't feel that I am a contemptible person, and in moments of high self-esteem would even consider myself "respectable". My problem is that I am not an "insider" in the AV community, so I can't just ask strangers to send me their viruses like you do. It is not at all clear to me how an outsider becomes an insider in the AV community.
Must one work for a Fortune 500 company, or at a major university? It seems to me that there are many sincere and competent people who would not meet these criteria, and possibly some nefarious and incompetent people who would. Am I completely ignorant of the facts? Is there some professional organization that I can join which will allow me access to the virus libraries even though I am not a Ph.D.?

I happen to be fascinated with assembler language and direct control of devices on PCs. With the proliferation of cheap Pentium machines and gigabyte hard drives, it seems that the market for programmers has irrevocably swung toward rapid, visual development, and that hand-crafted, fine-tuned code is not in much demand anymore. However, knowledge of machine language and device control would seem to be very helpful in AV research, and I would like to pursue a career in this area. I have been sufficiently humbled by Vesselin's and Frisk's excellent postings to realize that I will not be able to write a competitive product from scratch, but I don't think it's unreasonable to aim at a career where I either become an expert in detection and eradication using existing products, and work as a consultant or troubleshooter to businesses; or possibly even go to work for an AV vendor as a programmer. I am still developing my skills in this area and can not afford to quit my current job to pursue this full time, so it will likely be some years before I can hope to enter the insider AV community on merit.

However, it seems that many of the insiders are setting up criteria that will guarantee that outsiders remain so indefinitely. The most obvious example of this is regarding virus exchange. I have seen many posts from insiders that encourage questioners to send them a virus for study. Then these same insiders discourage making viruses available for study to anyone else.
This is what I was alluding to above when I mentioned a conflict of interest: they are acting so as to perpetuate their monopoly on expertise. The appearance of a conflict is even more strongly suggested by the fact that these insiders are rightly considered as authorities by the general public, and when they are asked for a solution to a virus problem, they recommend each other's commercial products. No problem there, I recommend them too---but I don't try to keep new players out of the field.

It seems to me that learning to solve virus problems without working with real viruses is like learning to ski or swim by reading books--- the theoretical knowledge is useful, but it's no substitute for real experience. No less authorities than Vesselin and Frisk have made very forceful posts that simulators are useless for working with AV products, so what am I to do?

I consider myself a responsible, competent, and sincere student of viruses. I have nothing but contempt for anyone who would encourage or allow the distribution of unmarked, infectious viruses to an unknowing person. I feel that I need live viruses to increase my knowledge of them and the products that combat them, but I am not an insider, so I can't get them from CARO or whatever. That leaves me two choices---get them from Ludwig's CD or an FTP site, or get them from a BBS that requires me to first contribute a new virus. I would never do the second, hence I am forced to do the first, and am consequently insulted by comments in this forum that imply anyone buying Ludwig's disc has some deficiency. I can stand the insult, but you will put me in a very difficult position if you are able to carry out your campaign of making illegal the availability of clearly marked viruses to people who accept the risk and responsibility.

I beg you to recall that you were not always a world-renowned authority, and that you wouldn't be one today if someone hadn't taken a chance by providing you with live viruses.
And if I may say this without offense, if the laws did become more restrictive, a student at a Bulgarian university would probably not be high on the list of people to trust with viruses.

P.S. Vesselin, if I may address your point about selling an infectious biological virus to all comers: of course this would be ridiculous. But there are at least three differences which make the risk-benefit equation different in the case of computer viruses:

1) It is much more difficult to defend myself against a biological virus that can be transmitted by air, water, food, contact, etc., than against a computer virus that can only enter my computer via two well-defined and well-controlled routes (floppy and NIC).

2) There may be a significant risk that a non-expert will inadvertently spread a very infectious biological virus, (e.g. if he accidentally touches or inhales it). There is virtually no chance that anyone of normal intelligence and taking normal precautions will inadvertently spread a computer virus (please note I am referring here to situations in which the person has deliberately asked for and received a clearly marked virus). The only way I can transmit a virus from the (non-networked, at home) PC that I use for virus research is to write to a floppy with it, remove the floppy, carry the floppy to work, and put the floppy in another machine. Very rudimentary precautions, such as using colored floppies on my virus machine, would make the above sequence require deliberate action.

3) The chances that an independent researcher working at home will make a significant contribution to molecular biology are negligible. Significant innovations and products are created by independent PC researchers all the time.

If I may also correct one statement of fact, you implied in another thread that KOH source is not available. In fact, the source was published in Ludwig's newsletter (V2N2).

Highest respect,
Dave N.
- -- dnikuya@netcom.com
------------------------------
Date: Wed, 21 Sep 94 00:26:42 -0400 From: "Jason K. Fritcher" Subject: Virus Scanners for OS/2 (OS/2)
Hello. Can someone tell me where I can FTP a GOOD OS/2 virus scanner? Also, will something like TBAV, or F-Prot work under OS/2? Any help will be appreciated. Thanx. Jason
- --
----------------------------------------------------------------------------
Bits/KeyID     Date       UserID                 Finger for PGP 2.6 Key
1024/6BAB12ED  08/22/94   Jason K. Fritcher
Key Fingerprint -- 8D 7B 26 E1 0A A1 29 FF  EB AD EE 0B 24 7C 2A 29
------------------------------
Date: Thu, 15 Sep 94 19:17:31 -0400 From: datadec@corsa.ucr.edu (Kevin Marcus) Subject: Re: F-Prot scans UMBs ??? (PC)
tREBOr wrote:
>I was wondering if F-Prot scans UMBs (A000-FFFF-segments, tech. speaking) as
>well. If it does: are there any viruses who utilize it, if it doesn't: why
>not?
Well, I don't think that any virus would use F000:xxxx since they will probably end up overwriting shadowed BIOS info. There are a few viruses that use video memory (B000 and B800) to store themselves, and/or part of themselves. (StarShip comes to mind).
- -- - --> Kevin Marcus, Computer Science Dept., University of California, Riverside Email: datadec@cs.ucr.edu datadec@wintermute.ucr.edu
------------------------------
Date: Thu, 15 Sep 94 19:28:47 -0400 From: datadec@corsa.ucr.edu (Kevin Marcus) Subject: Re: Viruses & TSRs (PC)
wrote:
>datadec@corsa.ucr.edu (Kevin Marcus) writes:
>concentrated on what is in the wild. I would be interested to know how many
>TSR scanners get Pathogen or Queeg. The problem here is one of overhead (both
>memory and performance). Just make your code polymorphic enough, and you will
>defeat the TSR.
NAVTSR from NAV 3.04 detects both of these.
- -- - --> Kevin Marcus, Computer Science Dept., University of California, Riverside Email: datadec@cs.ucr.edu datadec@wintermute.ucr.edu
------------------------------
Date: Thu, 15 Sep 94 19:33:39 -0400 From: datadec@corsa.ucr.edu (Kevin Marcus) Subject: Re: Integrity Checker? (PC)
Jeffrey Rice - Pomona College, California. wrote:
> I noticed a few posts ago a bit on how NAV's inoculation isn't as
>secure as it could be. (I think it was Vesselin....) Anyway, that is about the
Everything in every product can always be improved, and Vess is usually the first to point out the idealistic non-realistic or non-business decision oriented way to take care of the problems.
>only part of NAV I do rely on. I know some other products have checksumming
>(AVP,McAFee, TBAV), but these don't check as the file is executed. Or am I
>mistaken on that? Does anyone know of a good product that has checksumming,
>whether or not it scans on access?
Of course, the Inoculation needs to be installed to a clean system. When testing a system for infection, it is necessary to do so after you have done a clean boot (so that any full stealth viruses won't be active in memory). This is true for all integrity related products that I have seen. And, since Vesselin is probably also suggesting that data can be manipulated in the database of info NAV keeps, there are currently no viruses that I am aware of which do this.
- -- - --> Kevin Marcus, Computer Science Dept., University of California, Riverside Email: datadec@cs.ucr.edu datadec@wintermute.ucr.edu
------------------------------
Date: Thu, 15 Sep 94 23:28:55 -0400 From: qureshi@ug.cs.dal.ca (Saqib A Qureshi) Subject: Whisper Virus question (PC)
HI all! I just got a bad case of la rotten Whisper virus. I had to delete a bunch of files and restore from diskette. My question is: is that enough to stop the spread now? Has it infected my .com's or did it just infect my .exe's?
Now all exe's on my HD are write protected =/..no sign of the virus so far. I hope the author of the Whisper Virus gets infected by a very nasty virus too...(not his computer). -Saqib
- -- Bad luck is when you win the lottery: and God decides it's a nice day to end the Universe.
------------------------------
Date: Fri, 16 Sep 94 01:40:04 -0400 From: tcooke@maths.adelaide.edu.au (Tristrom Cooke) Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
>wrong thing is to sell nuclear weapons to anyone. The wrong thing is
>to give a virus to anyone who bothers to ask. *This* is what I am
>objecting against.
As far as I am aware (and I am far from an expert), the Rosenthal Virus Simulator is not exactly a virus, but with some very simple modification can be made into a virus. Since we are into analogies here, why can't we compare the simulator to an item such as brake fluid. Now brake fluid is intended to be used in the brakes of cars, but with a simple modification (I forget what you add), it can be made into an explosive of some kind. I don't think this fact however is sufficient to outlaw the sales of brake fluid.
- --
- ------------------------------------------------------------------
 Tristrom Cooke.                    | THIS SPACE FOR RENT |
 tcooke@spam.maths.adelaide.edu.au  |                     |
- ------------------------------------------------------------------
------------------------------
Date: Fri, 16 Sep 94 06:31:33 -0400 From: "A.APPLEYARD" Subject: Info wanted re Jumper virus (PC)
This morning VET said it had found and removed Jumper virus from one of our public PC's. Please describe Jumper virus. In particular, can it survive warm boot in memory under DOS 5.00? I can find nothing about Jumper virus in my Virus-L index.
------------------------------
Date: Fri, 16 Sep 94 07:33:00 -0400 From: "A.APPLEYARD" Subject: `_2kb' virus (PC)
Where I work we had an attack of what McAfee Scan v116 reported as the `_2kb [Genp]' virus. Does VET find this virus? If so, under what name?
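Kevin Marcus's reply on integrity checkers earlier in this digest rests on two points that any checksummer depends on: the baseline and every later check must be taken after a clean boot, because a full-stealth virus active in memory shows the checker the uninfected file, and the checker's own database becomes a target once a virus learns to rewrite it. The following is an added example written for this digest; it is not code from any poster, nor from NAV, Integrity Master or any other product named here. It records a SHA-256 per file and seals the whole table with an HMAC under a key that is assumed to be kept off the machine being checked (on a write-protected floppy, in 1994 terms), so an attacker who rewrites the database without the key is detected rather than believed. The paths, file contents and "virus body" below are constructed stand-ins so the example runs offline. Nothing in it can see through a stealth virus; it only makes the database tamper-evident and the checks explicit.

```python
# Added example for this digest, not code from any poster or from NAV,
# Integrity Master or any other product named in the thread. A minimal file
# integrity checker whose baseline database is sealed with an HMAC, so that an
# attacker who can rewrite the database cannot make a doctored entry verify
# without the key. File contents are passed in as a dict so it runs offline.
import hashlib
import hmac
import json

# Assumption: the key lives off the machine being checked (a write-protected
# floppy inserted only after a clean boot); a resident virus that can read the
# key could re-seal a doctored database and defeat this.
KEY = b"constructed-demo-key-keep-off-the-machine"


def file_digest(data: bytes) -> str:
    """SHA-256 of one file's contents."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict, key: bytes) -> dict:
    """Record a digest per file and seal the table with an HMAC.

    files maps a path to its contents, read after a CLEAN boot: with a
    stealth virus in memory this function would be fed the uninfected view.
    """
    entries = {path: file_digest(data) for path, data in files.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def baseline_is_authentic(baseline: dict, key: bytes) -> bool:
    """True only if the entries table is exactly the one sealed under key."""
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])


def check(files: dict, baseline: dict, key: bytes) -> dict:
    """Compare the current files against the baseline.

    If the database fails authentication, no verdict on the files is offered
    (trusted=False). Otherwise list changed, missing and new files; "new"
    matters because a companion virus leaves its host untouched and drops a
    same-named .COM beside the .EXE.
    """
    if not baseline_is_authentic(baseline, key):
        return {"trusted": False, "changed": [], "missing": [], "new": []}
    entries = baseline["entries"]
    changed = sorted(p for p in entries if p in files and file_digest(files[p]) != entries[p])
    missing = sorted(p for p in entries if p not in files)
    new = sorted(p for p in files if p not in entries)
    return {"trusted": True, "changed": changed, "missing": missing, "new": new}


# --- constructed sample data (not real DOS binaries) -------------------------
CLEAN_FILES = {
    r"C:\COMMAND.COM": b"\xe9\x10\x01" + b"\x90" * 64,
    r"C:\WINDOWS\WIN.COM": b"\xe9\x20\x02" + b"\x90" * 64,
    r"C:\DOS\EDIT.EXE": b"MZ" + b"\x00" * 64,
}
BASELINE = build_baseline(CLEAN_FILES, KEY)

# An appending infector has modified COMMAND.COM and a companion has appeared
# next to EDIT.EXE; the other files are unchanged.
INFECTED_FILES = dict(CLEAN_FILES)
INFECTED_FILES[r"C:\COMMAND.COM"] = CLEAN_FILES[r"C:\COMMAND.COM"] + b"<constructed virus body>"
INFECTED_FILES[r"C:\DOS\EDIT.COM"] = b"<constructed companion>"


def scenario_infection() -> dict:
    """Honest database, infected files: both changes are named."""
    return check(INFECTED_FILES, BASELINE, KEY)


def scenario_doctored_database() -> dict:
    """The stored digest for COMMAND.COM is rewritten to match the infected
    file, but without the key the seal no longer verifies."""
    doctored = {"entries": dict(BASELINE["entries"]), "mac": BASELINE["mac"]}
    doctored["entries"][r"C:\COMMAND.COM"] = file_digest(INFECTED_FILES[r"C:\COMMAND.COM"])
    return check(INFECTED_FILES, doctored, KEY)


if __name__ == "__main__":
    print("infection:", scenario_infection())
    print("doctored database:", scenario_doctored_database())
```

The first scenario reports COMMAND.COM as changed and EDIT.COM as new; the second refuses to report anything because the database itself failed its seal. Run it from a clean boot, as Marcus says, or the first scenario would show nothing at all. The new-file list is what catches a companion virus such as the HLLC.Even_Beeper.B mentioned later in this digest, which a checksum of the existing files alone would miss.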
------------------------------
Date: Fri, 16 Sep 94 18:56:21 +0000 From: cpcallen@undergrad.math.uwaterloo.ca (Christopher Allen) Subject: How can I search for... (PC)
A computer belonging to a friend of mine recently became infected with a virus, called by the virus scanner which detected it, 'stoned.empire.monkey'. According to the computer store to which this friend took the machine, the virus was a new one, and the scanner which they were sold was the only one which would detect it... (I thought this sounded like the store trying to make a sale.) The scanner did in fact detect the virus in question, which seems to be primarily a boot-sector virus, but I was unable to obtain a copy of the checker and do not know what it was (although it had bloody awful looking menus...)
Since I have exchanged disks with this computer on a number of occasions, I was naturally concerned that my machine might also be infected, so I FTPed the latest version of McAfee's which I could get, scanv117.zip, from oak.oakland.edu. Unfortunately, while said program did not find any viruses, the virus in question was not listed in the list of viruses which accompanied the scanner. My questions are:
1) Does McAfee's call this virus something else?
2) Is there a newer version which will detect it (Note: I have an XT, so a version which is being discussed here (which requires an AT) will not work...)
3) What else will detect it?
4) How can I checksum my MBR to find out if it has been changed (I can compare to the MBR on a number of other machines...)
5) How can I replace my MBR? I recall at one point discovering that one of the DOS commands had a /MBR switch, but I cannot now locate it... Was I hallucinating?
Any assistance which can be given will be greatly appreciated...
Please reply to cpcallen@undergrad.math.uwaterloo.ca
Christopher Allen
------------------------------
Date: Fri, 16 Sep 94 15:23:49 -0400 From: sayhow@solomon.technet.sg (Foo Say How) Subject: [ F-PROT and MBR ] (PC)
Two hard disks scanned on different machines report that the Master Boot Sector is not what it should be. F-PROT says this may be a false alarm, but may be infected by a false virus, and asks for a copy to be made for it to verify ... how do I make such a copy? One of the hard disks in question was infected by viruses before it was low-level formatted to eliminate it. Any ideas and suggestions are most welcome. Foo Sayhow
------------------------------
Date: Sat, 17 Sep 94 21:15:41 -0400 From: jcrawfo4@mason1.gmu.edu (John P Crawford) Subject: Re: Integrity Checker? (PC)
I have found a product called Integrity Master to work quite well (at least it suits my simple requirements :-) . It doesn't check *as* programs are executed, but I didn't know there *were* any products that did that. Anyway, it's shareware from Stiller Research, at 72571.3352@Compuserve.com, also stiller@GEnie.geis.com. A phone number (Florida) is (904) 574-0920.
- -- John Crawford. Email addresses are, in increasing order of probable retention, and/or preferred use, depending on who you are :-) jcrawfo4@mason1.gmu.edu (humble student by night) root@karma.gsa.gov (godlike Unix sysadmin by day) j.crawford14@genie.geis.com (minor Cyberstrike player)
- -- PGP 2.6 ID to be included this spot RSN --
------------------------------
Date: Sun, 18 Sep 94 01:20:30 -0400 From: eahu326@rigel.oac.uci.edu (Frances Leung) Subject: JERUSALE.FU_MANCH.UNK2 virus??? (PC)
Hi there! I ran a virus check program and found the above Jerusale.fu_manch.unk2 virus. Could someone please give me some insights as to what this virus does and is there a program out there that can remove it? Thanks in Advance!
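Christopher Allen's questions 4 and 5 above (how to checksum the MBR against other machines, and the DOS command with a /MBR switch) and Foo Say How's F-PROT report that the Master Boot Sector "is not what it should be" both come down to looking at sector 0 in a structured way. Below is an added example for this digest, not code from any poster nor from F-PROT or McAfee SCAN. It hashes the master boot code (bytes 0 to 445) separately from the partition table (bytes 446 to 509): the code written by a given DOS version is the same on every disk it sets up, so that hash can be compared across machines, while the table legitimately differs per disk and is instead checked for structural sanity. The split also answers the /MBR question. FDISK /MBR (DOS 5 and later) rewrites only the code bytes and leaves the table alone, so it restores a disk whose table is intact and does nothing useful once an infector has moved or scrambled the table; a cleaner may refuse that route for exactly that reason, as Sally Frazza's post later in the digest reports for Monkey. Mark Crandall's NATAS cleanup, also later in the digest, does the same code-only replacement by hand with a disk editor. The three MBR images are constructed: only the first eight bytes of CODE_TEMPLATE follow a real DOS master boot record, the partition entry is invented, and read_mbr is the one function that touches a real device.

```python
# Added example for this digest, not code from any poster nor from F-PROT or
# McAfee SCAN. Fingerprints a 512-byte master boot record: the boot code is
# hashed separately from the partition table, so the code can be compared with
# a clean machine running the same DOS version while the per-disk table is
# checked for structural sanity instead. All sample sectors are constructed.
import hashlib
import struct

SECTOR = 512
CODE_END = 446    # bytes 0..445: master boot code (what FDISK /MBR rewrites)
TABLE_END = 510   # bytes 446..509: four 16-byte partition entries, then 55 AA


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a raw device such as /dev/sda or \\\\.\\PhysicalDrive0.

    Needs root/administrator rights; the offline demo below does not call it.
    """
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR)


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition slots, skipping empty ones (type 0)."""
    parts = []
    for slot in range(4):
        raw = mbr[CODE_END + 16 * slot:CODE_END + 16 * (slot + 1)]
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
        if ptype == 0:
            continue
        parts.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def table_usable(parts: list) -> bool:
    """What a DOS disk needs to boot: at least one entry, exactly one marked
    bootable, every entry non-empty and no two of them overlapping."""
    if not parts or sum(p["bootable"] for p in parts) != 1:
        return False
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    if any(start == 0 or end <= start for start, end in spans):
        return False
    return all(spans[i][1] <= spans[i + 1][0] for i in range(len(spans) - 1))


def fingerprint(mbr: bytes) -> dict:
    """Signature check plus separate hashes of the code and table regions."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = parse_partitions(mbr)
    return {
        "signature_ok": mbr[TABLE_END:SECTOR] == b"\x55\xaa",
        "code_sha256": hashlib.sha256(mbr[:CODE_END]).hexdigest(),
        "table_sha256": hashlib.sha256(mbr[CODE_END:TABLE_END]).hexdigest(),
        "table_usable": table_usable(parts),
        "partitions": parts,
    }


def classify(reference: dict, suspect: dict) -> str:
    """Compare a suspect MBR with a known-clean reference from another machine
    and say what a code-only rewrite (all that FDISK /MBR does) would achieve."""
    if not suspect["signature_ok"] or not suspect["table_usable"]:
        return "partition table not usable: rewriting only the boot code will not give a bootable disk"
    if suspect["code_sha256"] != reference["code_sha256"]:
        return "boot code differs from reference, partition table intact: a code-only rewrite restores it"
    return "boot code matches reference"


# --- constructed sample sectors ---------------------------------------------
# Only the first eight bytes mirror a real DOS MBR (cli; xor ax,ax; mov ss,ax;
# mov sp,7C00h); the rest is zero padding.
CODE_TEMPLATE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(CODE_END, b"\x00")
# One active FAT16 (type 06h) partition starting at LBA 63, 204800 sectors.
ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x7f", 63, 204800)
TABLE = ENTRY + b"\x00" * 48

CLEAN_MBR = CODE_TEMPLATE + TABLE + b"\x55\xaa"
# Boot-sector infector that replaces the code but leaves the table alone.
INFECTED_MBR = b"\xea\x00\x7c\x00\x00".ljust(CODE_END, b"\x90") + TABLE + b"\x55\xaa"
# Infector that has moved/scrambled the table; the signature is still present.
SCRAMBLED_MBR = CODE_TEMPLATE + bytes(b ^ 0x5A for b in TABLE) + b"\x55\xaa"

if __name__ == "__main__":
    clean = fingerprint(CLEAN_MBR)
    for name, image in (("infected", INFECTED_MBR), ("scrambled", SCRAMBLED_MBR)):
        print(name, "->", classify(clean, fingerprint(image)))
```

To use it on a real machine, read sector 0 from a clean boot on each of Allen's other machines with read_mbr, compare their code hashes with each other first (they should agree if the same DOS version set them up), then fingerprint the suspect disk, again from a clean boot, since a stealth boot-sector virus returns the original sector when read with the virus in memory. The table hash is kept for before/after comparison on the same disk only; two different disks are not expected to match there.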
------------------------------ Date: Sun, 18 Sep 94 10:37:34 -0400 From: iandoug@cybernet.za (Ian Douglas) Subject: Re: Can a virus change CMOS settings??? (PC) Ray Moran (interaccess!grouch@uunet.uu.net) wrote: > I am having a problem with several PCs where the CMOS settings are > seemingly randomly changing. Could a virus be causing this?? Yes.. for example, Exe_Bug disables the A: drive in CMOS. IIRC, Bad_Motherboard (posted in a Fidonet virus echo) also messes with the CMOS. But you most likely have battery problems.. there are proggies available that claim to check your CMOS battery. Cheers, Ian - -- - ----------------------------------------------------------------------------- Ian Douglas Lead, Follow, 34 InterNet: iandoug@cybernet.za P.O. Box 484 or get out of 1,73 FidoNet: 5:7102/119 7532 Sanlamhof the way. 57 TopNet: 225:2048/1 South Africa (Ted Turner, CNN) INTB PGP key available. - ----------------------------------------------------------------------------- ------------------------------ Date: Sun, 18 Sep 94 13:33:26 -0400 From: Monty Solomon Subject: 0030 - CIAC E-34 One_half virus (PC) Begin forwarded message: Date: Sun, 18 Sep 1994 08:43:01 -0500 (EST) Newsgroups: tdr.problems Date: Sun, 18 Sep 1994 07:29:32 -0500 (EST) From: Problem Reporting Service Organization: Tansin A. Darcos & Company, Silver Spring MD USA Errors-To: PROBLEM-ERRORS@tdr.com Subject: 0030 - CIAC E-34 One_half virus (PC) To: Recipients of list Problems Date: Tue, 13 Sep 1994 14:58:45 -0700 From: Bill Orvis Subject: CIAC E-34 One_half virus (PC) _____________________________________________________ The U.S. 
Department of Energy Computer Incident Advisory Capability
_____________________________________________________
INFORMATION BULLETIN
One_half Virus (MS-DOS)
September 13, 1994 1600 PDT
Number E-34
_____________________________________________________________________________
PROBLEM: A previously unknown computer virus is damaging systems.
PLATFORM: All MS-DOS, PC-DOS, Windows systems, all versions.
DAMAGE: Damages files, encrypts hard drive.
SOLUTION: Update your Anti-Virus program to detect/remove the virus.
_____________________________________________________________________________
VULNERABILITY ASSESSMENT: While it is not epidemic, the virus has been seen at an East coast site and it isn't detected by the current versions of most virus scanners (revised versions are upcoming.) The virus is intentionally damaging and all files on an infected machine are at risk. Warning: Removing the virus may make some files inaccessible (see below.)
_____________________________________________________________________________
Critical Information about the One_half Virus
CIAC has received information about a new computer virus named One_half. The virus, first discovered in April 1994 and previously seen only in Europe, has been found at an East coast site in the United States. The virus is intentionally damaging and all files on an infected machine are at risk. Removal of the virus without first saving critical files could render those files unrecoverable (more below.)
Symptoms
- --------
Symptoms of the infection include problems connecting to a file server, changes in file sizes, an inability to start Windows, an inability to boot a system and damaged files. If a suspicious activity detector, such as DDI's VirAlert program, is installed, it intercepts an attempt to write to the master boot record of a hard drive when an infected file is run.
If the master boot record is already infected, VirAlert warns that system interrupt 21 is pointing to a non-existent block of memory when the system is booted. Virus Morphology - ---------------- When an infected file is run, the virus attacks the master boot record of the hard drive. It copies the original master boot record to a sector that is eight back from the end of the first track and modifies the master boot record to run the virus code. The remainder of the virus code is found in the last seven sectors of the first track on the hard disk. The following strings are in clear text in the virus code. Dis is one half. Press any key to continue ... Did you leave the room ? The virus also contains the names of several prominent antivirus products; SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV The virus is multipartite, infecting .COM and .EXE files as well as the master boot record. The virus adds 3544 bytes to .COM and .EXE files. The virus is polymorphic and changes its appearance with every infection by inserting different do-nothing instructions between the actual commands in the virus code. The virus is a stealth virus and actively hides the infection in the first track. With the virus in memory, any examination of the first track on the hard drive will see only the normal master boot record in the first sector and empty sectors for the rest of the track. The virus is intentionally damaging. Every time an infected machine boots, the virus encrypts two cylinders of the DOS partition of the hard drive starting with the highest numbered cylinder and progressing to lower numbered ones. The virus then hides the fact that it is encrypting the hard drive by decrypting any of the encrypted sectors whenever they are accessed by the system. Only with the virus out of memory do you see the encrypted sectors. 
Detection and Removal
- ---------------------
==========================================================================
WARNING: Because of the encryption the virus does, be sure you copy any important files to a floppy disk or tape before removing the virus. The CHK_HALF program described below does not decrypt any encrypted cylinders, so when the virus is removed, the encryption key is lost with it and any files in the encrypted cylinders are lost.
===========================================================================
DDI has made a detection/removal utility available named CHK_HALF. This program must be run from a machine that was booted with a KNOWN, CLEAN, LOCKED floppy to insure that the virus is not in memory. When CHK_HALF is run, it scans the current drive and master boot record and removes any virus infections it finds. The utility does not scan memory first and will not work correctly with the virus in memory, so be sure the system was booted with a clean, locked floppy. The utility also does not decrypt any encrypted cylinders, so be sure to copy any important files before removing the virus.
1. Save on a floppy disk or tape any irreplaceable files before attempting to scan or clean a system. If the files are in one of the encrypted sectors, the virus must be in memory for them to be retrieved. If any of these files are executables, be sure to scan them before putting them back on a cleaned machine.
2. Boot your system with a clean locked floppy to insure the virus is not in memory.
3. Run the CHK_HALF.EXE program to scan and remove the virus. Delete any files that CHK_HALF was not able to clean.
4. Run a disk maintenance utility such as that included in Norton Utilities or PC Tools to locate and repair damaged directory structures and files caused by encryption of the cylinders and by the bug in the virus.
5. Replace any damaged or missing files on the system.
The file CHK_HALF.ZIP is available on the CIAC file servers.
Use anonymous FTP to connect to ciac.llnl.gov (128.115.19.53) and find the file in the /pub/ciac/sectools/pcvirus directory. The CRC-32 checksum from pkzip for the file is: e02bf70a, and its expanded file length is 14,024 bytes.
Version 4.0E of the Department of Energy's site licensed antiviral product, Data Physician Plus!, will be available the week of Sept. 12, 1994 and will detect and remove this virus. Other antivirus software which detect this virus include Dr. Solomon's Antivirus Toolkit version 6.65 (currently available), Norton's AntiVirus October 1 monthly update, McAfee Scan version 2.11, which is scheduled for shipping in mid-September, and F-PROT version 2.14a, scheduled for the end of September.
_____________________________________________________________________________
CIAC wishes to thank Bill Kenny of DDI for spending his Labor day weekend laboring to write a detection/removal package for this virus so we would have it on Tuesday morning.
_____________________________________________________________________________
For additional information or assistance, please contact CIAC: Voice: 510-422-8193 FAX: 510-423-8002 STU-III: 510-423-2604 E-mail: ciac@llnl.gov
Previous CIAC Bulletins and other information are available via anonymous FTP from ciac.llnl.gov (IP address 128.115.19.53) formerly irbis.llnl.gov.
CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information, and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products.
CIAC's mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines.
To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and "PhoneNumber" when sending E-mail to ciac-listproc@llnl.gov: subscribe list-name LastName, FirstName PhoneNumber e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36 You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help. _____________________________________________________________________________ PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending E-mail to first-request@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. 
The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.
------------------------------
Date: Sun, 18 Sep 94 20:23:21 -0400 From: sfrazza@netaxs.com (Sally Frazza) Subject: monkey virus (PC)
Hi, Is there any software available to clean the monkey virus from the boot sector of a diskette or from a hard drive? Those I've tried say this virus can't be safely removed. Norton says that the fdisk /mbr method does not work for this virus. Sorry if this is old hat, but I could use some help. I already reformatted 1 drive and lost a few things and lots of time reinstalling. Thanks. Sally
------------------------------
Date: Mon, 19 Sep 94 00:10:51 -0400 From: dhuang@huey.csun.edu (David Huang) Subject: Whisper virus (PC)
My computer is infected with the Whisper virus according to the latest version of McAfee scan. Unfortunately I know not what to do in order to get it off my system. I deleted the infected files but it keeps on infecting after I reboot the computer. Does anyone have any information/advice for this virus? Thanks.
------------------------------
Date: Mon, 19 Sep 94 15:11:36 -0400 From: gt7495b@prism.gatech.edu (Daniel H. Smith) Subject: STELBOO virus (PC)
Recently the company I co-op for detected the stelboo virus on several of the computers. I have not been able to find out much information on this virus through the virus programs. Is this virus known as anything else? If you have any information on what this virus does, I would appreciate you sending it to me through email (gt7495b@prism.gatech.edu). Thanks in Advance. Daniel Smith gt7495b@prism.gatech.edu
- -- Daniel H.
Smith Internet: gt7495b@prism.gatech.edu Georgia Institute of Technology, Atlanta Georgia, 30332 uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!gt7495b Internet: gt7495b@prism.gatech.edu
------------------------------
Date: Mon, 19 Sep 94 22:29:19 -0400 From: rdj@scammell.ecos.tne.oz.au (Richard Jones) Subject: Junkie virus (PC)
I found a PC with the Junkie virus on it and am having a hard time removing it. Does anybody know how this virus infects PC's or how to get rid of it? Thanks in advance.
------------------------------
Date: Tue, 20 Sep 94 08:25:33 -0400 From: jmurphy@pts.mot.com (Jeff Murphy X8627 P7769) Subject: Unknown Virus (PC)
I believe that my 486 computer running MS-DOS 6.22 and Windows 3.1 has picked up an unknown/new/stealth virus. I am using recent versions of TBAV, and F-PROT, and DOS's VSAFE (At different times, not together). A virus scan with TBAV and F-PROT does not detect any virus signature, but detects CRC changes on my files. The files that this virus attempts to write to the most are: COMMAND.COM WIN.COM MMPLAYER.EXE
I have tried to boot from a clean floppy and run "FDISK /MBR" and even used TBAV's immunize boot sector command, but VSAFE, and TBAV tell me that the above files are still being written to. I have read the FAQ file, but I did not see anything about how to get rid of or identify this type of virus. Does anyone have any suggestions or has anyone found a similar virus? Thanks, Jeff Murphy
===========================================================================
Jeff Murphy                 Georgia          "Put your nose to the
Boynton Beach, FL           Institute of      grindstone... It will
gt7848b@prism.gatech.edu    Technology        sharpen your buggers"
===========================================================================
------------------------------
Date: Tue, 20 Sep 94 11:23:06 -0400 From: reeda@sun1.bham.ac.uk (Alan Reed) Subject: HLLC.Even_Beeper.B (PC)
I have a PC infected with the HLLC.Even_Beeper.B companion virus detected by f-prot 2.14.
Although it is easy to remove, I would like to know what its payload is, to find out what damage it might have done; could someone point me at an analysis, please.
Alan Reed, EMAIL: A.Reed@bham.ac.uk, PHONE: 021 414 3992 (hold for messages), FAX: 021 414 3952, WWW: http://sun1.bham.ac.uk/~reeda
------------------------------
Date: Tue, 20 Sep 94 13:59:37 -0400 From: dmbarley@midway.uchicago.edu (David M. Barley) Subject: Filler and Anti-Tel Viruses (PC)
I recently had a machine and several installation disks die because of a virus. First, msav detected the Anti-Tel virus and then it dies. Then, I boot off of a clean disk and run scan. Scan sees nothing and tells me my disks are clean. Finally, I reboot from my hd and run everything again. Msav sees nothing, and scan tells me I have the Filler virus in memory and to reboot and scan again. When I do, nothing is detected... What should I do...
- -- David Barley
------------------------------
Date: Tue, 20 Sep 94 16:36:35 -0400 From: glratt@is.rice.edu (Glenn Forbes Larratt) Subject: 'Jumper.B' a la F-PROT (PC)
We had a user here at Rice infected with what F-PROT 2.14 called "Jumper.B". I can find no reference, however, to the name "Jumper" in either the virus descriptions accessible through F-PROT or VSUM 4.08. Is there another name for this beast? Thanks,
- -- Glenn Forbes Larratt x5474 LAN Specialist, Rice U, Systems & LAN Management The Lab Ratt (not briggs :-) "Get over it!" -the Eagles, Hell Freezes Over '94 glratt@rice.edu (Internet) http://is.rice.edu/~glratt / GE/MU/T/O d?(++) p Neil Talian? c+(++) l u+ e- m* s+/+ n@ h- f+ !g w+(+++) t+ r y+
------------------------------
Date: Wed, 21 Sep 94 07:02:46 -0400 From: Sergi.Ferrer@uv.es (Sergi Ferrer) Subject: 1423 virus contamination. Help! (PC)
At our Department we have one computer infected with the 1423 virus. The clean117 version can detect this virus (not included however in the virus list), but not remove it. What can we do?
Thanks Sergi Ferrer Departament de Microbiologia Phone: +34 (6) 3864390 Facultat de Biologia Fax: +34 (6) 3864372 Universitat de Valencia E-mail: Sergi.Ferrer@uv.es E-46100 Burjassot-Valencia, SPAIN ------------------------------ Date: Wed, 21 Sep 94 20:53:52 -0400 From: sbonds@u.washington.edu (Steve Bonds) Subject: Re: Using two TSRs simultaneously? (PC) Yves Bellefeuille wrote: >Is there any point in using two anti-virus TSRs simultaneously? It might allow one to be more sure of catching any viruses which might slip by the first due to oversights, programming bugs, or just poor quality. However, I feel that the DISADVANTAGES outweigh the advantages. >I've managed to install the TSRs from both Norton Anti-Virus version 3.0 >and F-Prot version 2.13a. Actually, Norton's NAVTSR is a resident scanner >and generic monitoring program, while F-Prot's VIRSTOP is a resident >scanner. The two TSRs seem to tolerate each other's presence in memory >quite well. > >Does this have some disadvantage I don't realize yet? Or is it pointless? Well, both of these will hook interrupt 0x21 so using two will slow down program loading by twice as much-- not so much of a problem on modern, fast computers and for TSRs which use efficient searching algorithms. However, the lost memory and the additional possibility of TSR conflicts outweighs the possible slight advantage one might have by loading both. VIRSTOP may also do some strange things in memory which could trip your generic monitor, even when no virus was present. So the summary answer is: it's pointless to have two monitors in memory. Using two redundant AV products is good insurance, but as crowded as memory gets on most DOS-based machines, I don't think the added insurance in the case of resident monitors is worth the cost. -- 007 ------------------------------ Date: Wed, 21 Sep 94 21:40:02 -0400 From: crandall@netcom.com (Mark Crandall) Subject: Re: How can I remove a version of NATAS? 
(PC)
Jesus Barrera Ramos (al161926@academ01.mty.itesm.mx) wrote:
: Hi all
: I have a real problem, Natas is invading my school ITESM Campus Monterrey,
: and I've not been able to remove it from my computer, I tried SCAN and
: F-PROT 2.13 and both detect it but can't remove it. Does anybody know
: some program to remove this virus from my computer?. If you can help me
: I'll thank you very much. Thanks in advance.
SCAN V2.1.0 with virus list V2.1.997 dated 5/9/94 will remove the NATAS virus; however, when it does, it does not correct all of the damage done by the virus. To completely correct the problem, I did the following:
boot from a: with clean disk
used scan from a: with the following syntax: a:scan c: /clean /nocomp
The /nocomp is to skip compressed files, which SCAN sometimes hangs up on.
After cleaning the disk it was no longer bootable so I used Norton's DISKTOOL to put system files back on the disk. It still wouldn't boot because the combination of NATAS and SCAN altered the partition table, but not enough to make Norton 7.0 realize that the partition table was bad. I used Norton diskedit to modify the PHYSICAL hard disk and replaced the first couple of hundred bytes of sector 0 with 00's. I was very careful not to modify any of the actual partition table DATA located further in the sector! Then I ran Norton's Disk Doctor which repaired the disk. After that it booted again! (before that, whenever we found a disk with NATAS, only a low level format would fix the darn partition table problem)
Mark Crandall Director R&D - Fairwest Direct, Inc.
- -- - - - - - - - - - - Mark Crandall Fairwest - R&D Department 6020 Cornerstone Court West #100 San Diego, CA 92121 Voice 619-552-0777, Fax 619-552-0098 crandall@netcom.com
------------------------------
Date: Wed, 21 Sep 94 22:58:31 -0400 From: owenh@spacebbs.com (Owen Hawkins) Subject: Trojan Alert (PC)
FROM: Owen Hawkins - Sysop - Space BBS, Menlo Park CA (415) 323-4193 (BBS) Internet: owenh@spacebbs.com
************ TROJAN ALERT ***********
Two users reported that a program named BACKD10.EXE changes the c:\autoexec.bat so it will format the c: drive the next time you boot. The file_id.diz description states that "Back Door Lister" version 1.0 will list the backdoors in 12 different bulletin board systems. The following are the CRC values using PKUNZIP 2.04:

Searching ZIP: BACKD10.ZIP
 Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
 ------  ------   ----  -----   ----    ----   -------- ----  ----
   6337  DeflatX  5948    7%  02-06-94  10:15  5bc655c6 --w-  BACKD10.EXE
    868  DeflatX   406   54%  01-17-94  18:10  696f8604 --w-  BACKD10.NFO
    252  DeflatX   173   32%  01-17-94  18:03  c5c775be --w-  FILE_ID.DIZ
 ------           ----   ---                                  -------
   7457           6527   13%                                        3

If you are using FWKCS: Copy the 3 lines directly below to a file named XCSLIST.DEL
5BC655C6 18C1xBACKD10.EXE BACKD10.ZIP
696F8604 364xBACKD10.NFO BACKD10.ZIP
C5C775BE FCxFILE_ID.DIZ BACKD10.ZIP
then run the command: FWKCS /t20u XCSLIST.DEL
- -Owen-
------------------------------
Date: Thu, 22 Sep 94 11:09:56 -0400 From: yves.blondeel@fundp.ac.be (Yves Blondeel) Subject: Check out these symptoms please - Virus ? (PC)
Hi everyone, In recent days, I have been experiencing a particularly weird printing problem (three occurrences to date). When I print out a document, one specific letter is not printed (either throughout the whole document or everywhere in headers and footers). The letters that were not printed are: a, o, n (in that order, different problem on different days, non-capitalised letters only).
One example (from my address which I print in fax headers): "Ce tre Tech ologique - Facultes U iversitaires de Namur." My configuration: Hardware: IBM compatible 486DX33; 8 MB RAM; two hard drives; ATI Ultra+ Video board; 3Com Etherlink III; Intel Satisfaxion/200 faxmodem. HP Laserjet III+. Software: Windows 3.11, Microsoft Office 4.2b, Word for Windows 6.0. I used Windows truetype fonts exclusively. Problem happened both with Arial & Times New Roman. System checked with PC Tools for Windows 2.0 (Central Point Anti Virus) which is now around 250 days old. No viruses detected. Comments anyone? I would be grateful if you e-mailed them directly to me. I am not a regular reader of comp.virus. Many thanks in advance, Yves
____________________________________________________________
Yves Blondeel ...dissent is (of) the essence... Keen observer of telecommunications regulation throughout Europe Centre Technologique, Rue du Seminaire 22, B-5000 Namur, Belgium Tel +32 81 72 51 32 Fax +32 81 72 51 28 FaxModem +32 81 72 51 65
___________________________________________________________
------------------------------
Date: Thu, 22 Sep 94 15:04:13 -0400 From: Beth Subject: help cleaning Swiss from disks (PC)
I need help cleaning the Swiss virus from a floppy disk. I know about 'fdisk /mbr' which cleans it from a hard drive. Any ideas on what to do with a disk that has the Swiss virus (besides tossing it)? Thanks a lot Beth Hunter beth@wam.umd.edu
------------------------------
Date: Thu, 22 Sep 94 19:53:03 -0400 From: jmccarty@spd.dsccc.com (Mike McCarty) Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Fridrik Skulason wrote:
)as194@cleveland.Freenet.Edu (Doren Rosenthal) writes:
)
)>I'm sorry, but I do not make the source code or MtE engine
)>available without my built in safeguards.
)
)Unfortunately, your safeguards are worthless. Any decent assembly-language
)programmer can easily remove them, and create a fully working virus, without
)your restrictions.
)
)- -frisk
)

Any decent assembly-language programmer can easily write his own virus
without needing Doren's. Any half-baked assembly-language programmer can
easily get his hands on a wild virus and modify it. The purpose of the
safeguards is to prevent accidental escape.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 22 Sep 94 20:28:10 -0400
From: bill@mustang.smcvt.edu
Subject: Re: Floppy boot sector replacement (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
: A. Padgett Peterson, P.E. Information Security (padgett@tccslr.dnet.mmc.com) writes:
: > >We agree again. It should not be hard to write a utility which would
: > >read the boot sector off any cleanly formatted disc, fix up the BPB part
: > >of it and write it to the disc to be "disinfected". Maybe I'll do it.
: > >But not now, I'm working 14 hours per day as it is. Anyone else want to
: > >pick up the gauntlet? It would be a good thing!
: > I did that three years ago. It is FreeWare and it is called FixFBR
: > (Fix Floppy Boot Record) & is one of the FixUtils. It also performs heuristic
: No, Padgett, it doesn't do *that*. After FixFBR treats a floppy, that
: floppy becomes non-bootable. This is exactly why I want such a
: capability built-in in SYS - because SYS already contains a proper
: image of a bootable boot sector for that particular operating system
: and it is natural for it to do this job. We just need an option that
: tells it not to put the operating system itself on the floppy.
: Regards,
: Vesselin
: - --
: Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
: Tel.:+49-40-54715-224, Fax: +49-40-54715-226    Fachbereich Informatik - AGN
: < PGP 2.3 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
: e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

I wrote such a utility in Turbo Assembler not too long ago.
I formatted two diskettes (high and low density) with DOS 6, used debug
to dump the hex values to a text file for each, and declared them as
variables in the source code to the program. The program itself consists
mainly of an int 13 read to see if the diskette is high or low density,
and then a write for the corresponding boot sector image memory.

I tried it out on both bootable and non-bootable diskettes. Interestingly
enough, it cleaned the boot sector virus I was playing with (QRry/Essex)
fine, and furthermore did not change a bootable disk to non-bootable or
vice versa. It seems there is no difference in the actual boot sector of
a bootable disk versus a non-bootable disk; rather, it seems the
difference lies in the existence of the system files (typically io.sys
and msdos.sys).

Note that this program was done for a rather specific purpose, and is
not really meant to work with DOS 2.0 or DRDOS or anything like that.
Also, I have not made it public domain or copyrighted it or
anything...anyone know how to go about doing this, incidentally? :)

Bill
- --
Bill McKinnon                      Senior Information Technology Assistant
bill@mustang.smcvt.edu             @ Saint Michael's College Department
b_mckinnon@smcvax.smcvt.edu        of MIS & Academic Computing

------------------------------

Date: Fri, 23 Sep 94 00:59:09 -0400
From: ah861@Freenet.HSC.Colorado.EDU (Ken Elliott)
Subject: Yale Virus questions (PC)

I have only an XT, 8088 chip, actually a Tandy 1000 HX. Several times in
the last few months I have gotten a flash: "Yale Boot Virus" when I have
taken one of my disks to a nearby Kinko copy shop computer.... the
computer there clears it with Norton utilities. My home computer has only
256K. As I said it is a Tandy 1000 HX. I have a feeling I got the virus
from some shareware a while back, but rarely has anything happened except
I did lose 6 text files several months ago but nothing since.
I read a little about the Yale in a book and it says it actually goes to
the ROM and lodges there and is activated only when one uses the
Control Alt Delete key sequence as in resetting.. any suggestions on what
to do about this without costing a fortune?

thanks
Ken Elliott

------------------------------

Date: Fri, 23 Sep 94 04:18:13 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

as194@cleveland.Freenet.Edu (Doren Rosenthal) writes:

>This is certainly unfortunate and I'm willing to cooperate with
>any anti-virus product producer that wishes to participate.
>Simply identify the simulations as what they are "Test Simulated
>Viruses From Rosenthal Engineering." Surely this is exactly what
>they are and who could fault anyone for detecting them as that.

I am sorry, but my program is a virus detector ... not a detector of
non-viral programs. I will do my best to avoid detecting your
simulations... As I have said before, they are not viruses, and I see no
reason to bother to detect them....doing so would in my opinion make your
product appear more credible than it is.

- -frisk

------------------------------

Date: Fri, 23 Sep 94 15:22:19 -0400
From: Iolo Davidson
Subject: Fixing the boot sector of a floppy? (PC)

bontchev@fbihh.informatik.uni-hamburg.de "Vesselin Bontchev" writes:

> Iolo Davidson (iolo@mist.demon.co.uk) writes:
> >
> > Dr. Solomon's has had a utility to clean floppy boots for
> > years.
>
> Uhm, sorry Iolo, but Dr. Solomon's utility does not do *that*.
> Instead, it overwrites the boot sector of the floppy with a
> non-bootable sector with the correct BPB, thus making the floppy
> non-bootable.

I guess we define "clean" differently, or perhaps "floppy boots". I am
aware that CleanBoot does not restore the boot sector to its original
state, but it gets rid of the virus boot sector, which is clean by my
reckoning.
- --
THE TIME IS WHEN YOU'RE TO START OFFERED A SUBSTITUTE A REAL DISPUTE
                                                          Burma Shave

------------------------------

Date: Thu, 15 Sep 94 21:14:41 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: fp-214.zip - Version 2.14 of the F-PROT anti-virus package (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm),
(available by anonymous ftp from the primary mirror site OAK.Oakland.Edu
and its mirrors):

SimTel/msdos/virus/
fp-214.zip      Version 2.14 of the F-PROT anti-virus package

major changes in this version:

    new scanning engine (described in the NEW.214 file)

    reduction in program size and memory requirements (by 30-40K)

    detection of around 250 new viruses, which brings the total to 4460
    different viruses recognized by the program.

- -frisk

Fridrik Skulason      Frisk Software International      phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-617274

------------------------------

Date: Thu, 15 Sep 94 21:15:35 -0400
From: Mikko.Hypponen@wavu.elma.fi (Mikko Hypponen)
Subject: bull-214.zip - ASCII-version of F-PROT 2.14 Update Bulletin (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm),
(available by anonymous ftp from the primary mirror site OAK.Oakland.Edu
and its mirrors):

SimTel/msdos/virus/
bull-214.zip    ASCII version of F-PROT 2.14 Update Bulletin

This is the ASCII version of the F-PROT Professional 2.14 Update
Bulletin. F-PROT Update Bulletins contain information about the current
virus situation globally. Every time a new version of F-PROT Professional
is published, it is accompanied with a new Update Bulletin. Bulletins are
published on paper in A5 format.

Update Bulletins are published by Data Fellows Ltd of Helsinki, Finland.
Data Fellows Ltd is the publisher of F-PROT Professional Anti-Virus
Program in Scandinavia, Asia, Africa and most of Europe.
They can be reached via e-mail at f-prot@datafellows.fi

Articles in this issue of the Update Bulletin:

    Virus Situation In Far East
    F-PROT Remains At the Top
    The Award Goes To Data Fellows Ltd's Vineyard Workgroup Software
    World Wide Web
    New Viruses In the Wild
      - Kaos-4
      - Tai-Pan
      - Parity_Boot.B
      - VLamiX
      - Goldbug
      - _1099
    New Viruses in Belgium
      - Sandrine
      - BombTrack
    Hong Kong - A Crossroads for Viruses
    Good viruses and bad viruses - A dozen reasons why a "good" virus
      is a bad idea
    False alarms of anti-virus products
    F-PROT support informs: Common Questions and Answers
    Changes in Version 2.14
    New Viruses Detected by F-PROT 2.14

Uploaded by a member of the F-PROT Professional Support Team.

- - -
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
Check out our WWW site at http://www.datafellows.fi/

------------------------------

Date: Mon, 19 Sep 94 18:08:46 +0400
From: eugene
Subject: AVP 2.1 beta (PC)

Hi all!

AVP 2.1 beta was sent to AVP distributors and technical support sites:

Belgium:
  bvba DataRescue sprl, 110 route du Condroz, 4121 Neupré, Belgium
  contact   : Dr Pierre Vandevenne
  Phone/Fax : +32-41-720399
  BBS/Fax   : +32-41-720237
  E-mail    : peterpan@datarescue.knooppunt.be
  Fido      : 2:293/2213

Italy:
  Future Time Anti-Virus Technology s.n.c.
  Mail address : Rome, Umberto Saba st. n. 54/C (Italy)
  Phone(s)     : +39-6-8607663, +39-6-5020879
  Fax          : +39-6-86321371
  E-mail       : MC3162@mclink.it
  Fido         : 2:335/347.4

Netherlands:
  Address : Roggekamp 416, 2592 VH The Hague, The Netherlands
  Contact : Titia Vlaardingerbroek
  Phone   : +31703836044
  Fax     : +31703471256
  E-mail  : vrch@knoware.nl
  FIDO    : 2:281/552
  VIRNET  : 9:3110/0
  BBS     : +31703857867

USA:
  Central Command Inc., P.O. Box 856 Brunswick, Ohio 44212
  Contact : Keith A. Peer
  Phone   : (216) 273-5743
  E-Mail  : kapeer@netcom.com

Switzerland:
  Metropolitan Network BBS, AVP, Postfach 827, 3000 Bern 8
  Contact  : Vuille Gerard
  Phone(s) : +41 (0)31 348-0424
  Fax      : +41 (0)31 348-0428
  E-mail   : avp-support@metro.ch or gerard.vuille@metro.ch
  BBS      : +41 (0)31 348-1331 (v.32bis/terbo/V.FC/V.34/HST - 2 lines)
           : +41 (0)31 348-0422 (          "                  1 line)

Regards,
Eugene

- ---
- --
Eugene Kaspersky, KAMI, Moscow, Russia
- --
eugene@kamis.msk.su    +7 (095)278-9412

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 81]
*****************************************
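The floppy boot sector thread in this issue (Peterson, Bontchev, McKinnon and Davidson) turns on one procedure: determine the disk's format, then write a known-clean boot sector whose BPB matches that format, keeping only the disk-specific fields. The Python below is an added example of that procedure, not code from any of the posters nor from FixFBR, CleanBoot or SYS; its sample sectors are constructed (a fill byte stands in for boot code) and the four-entry format table is an assumption limited to the standard DOS floppy sizes.

```python
import struct

# DOS 3.3+ BIOS Parameter Block occupies bytes 11..35 of the 512-byte sector.
BPB = struct.Struct("<HBHBHHBHHHII")
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved", "fats",
              "root_entries", "total_sectors", "media", "sectors_per_fat",
              "sectors_per_track", "heads", "hidden", "total_sectors_large")
# Standard DOS floppy formats (assumed table): total sectors, media byte,
# sectors per track, heads.  Bill's program makes this check via int 13h.
GEOMETRIES = {"360K": (720, 0xFD, 9, 2), "720K": (1440, 0xF9, 9, 2),
              "1.2M": (2400, 0xF9, 15, 2), "1.44M": (2880, 0xF0, 18, 2)}

def parse_bpb(sector: bytes) -> dict:
    return dict(zip(BPB_FIELDS, BPB.unpack_from(sector, 11)))

def classify(sector: bytes):
    """Name the floppy format the BPB describes, or None if the sector is not
    a plausible DOS floppy boot sector (bad signature or unknown geometry)."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        return None
    b = parse_bpb(sector)
    if b["bytes_per_sector"] != 512 or b["fats"] != 2:
        return None
    key = (b["total_sectors"], b["media"], b["sectors_per_track"], b["heads"])
    return next((name for name, geo in GEOMETRIES.items() if geo == key), None)

def rebuild_sector(template: bytes, infected: bytes) -> bytes:
    """Assemble the replacement sector the thread describes: jump, OEM name,
    BPB and boot code come from a clean sector of the same format; only the
    extended BPB (serial number, label, FS type; bytes 38..61) is carried over
    from the disk being cleaned, and only if it carries the 0x29 EBPB marker."""
    fmt = classify(template)
    if fmt is None or classify(infected) != fmt:
        raise ValueError("template and target sector describe different formats")
    ext = infected[38:62] if infected[38] == 0x29 else template[38:62]
    return template[:38] + ext + template[62:]

def make_sector(fmt: str, serial: int, label: bytes, fill: int) -> bytes:
    """Constructed sample sector for testing: the code area is a fill byte,
    not real boot code, so it is neither bootable nor a real infection."""
    total, media, spt, heads = GEOMETRIES[fmt]
    spf = {"360K": 2, "720K": 3, "1.2M": 7, "1.44M": 9}[fmt]
    bpb = BPB.pack(512, 1, 1, 2, 224, total, media, spf, spt, heads, 0, 0)
    ebpb = struct.pack("<BBBI11s8s", 0, 0, 0x29, serial, label.ljust(11), b"FAT12   ")
    head = b"\xEB\x3C\x90MSDOS5.0" + bpb + ebpb            # 62 bytes
    return head + bytes([fill]) * (510 - len(head)) + b"\x55\xAA"
```

As Bill observed, nothing in the rebuilt sector decides bootability; that still depends on whether the system files are present on the disk.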