Date: Fri, 11 Jan 91 10:59:42 EST
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #9
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Friday, 11 Jan 1991    Volume 4 : Issue 9

Today's Topics:

Re: SCAN program for IBM's (PC)
Mac system 7.0 compatible Anti-Virus programs (Mac)
Stoned and Joshi (PC)
Re:Auto-scanning Virus Vaccine? (PC)
Hard Disk Protection (PC)
Re: Virex Address (PC)
Re: possible macintosh virus (Mac)
Re: Stoned Virus (PC)
Re: Computers at Risk book - how to order - (General)
Joshi & Stoned II (PC)
Re:obscure procedure in Yankee Doodle (PC)
Re:SCAN program for IBM's (PC)
re: Joshi & Stoned 2 (PC)
re: obscure procedure in Yankee Doodle (PC)
Politically motivated viruses

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: Thu, 10 Jan 91 12:56:00 -0600
From: Pete Klammer/303-556-3915
Subject: Re: SCAN program for IBM's (PC)

>> From: Mr Gordon S Byron
>>
>> I am interested in finding a DOS antivirus program which would
>> automatically scan disks as they are inserted. ideally, something like
>> SAM II on the Mac. I noticed a reference to a program called McAfee's
>> scan. Is that an auto-scan antivirus program?
>
>Only one problem with that idea: How can the machine tell when a disk
>is inserted?
>There isn't any type of sensor in IBM floppy drives like
>in the Mac.
>
>Doug Barlow

Isn't the write-protect sensor status available for polling?  If you
constantly (once per clock tick) check the write-protect detector, you
could see the "shadow" of the diskette sleeve (write protected or not)
as the disk is inserted or removed.  I.e., if the detector toggles in
any way, a diskette has been either inserted or removed.

- --poko "Eesti vabaks/free Estonia!"
Pete Klammer (303)556-3915 FAX(303)556-4822
CU-Denver Computing Services, AHEC Box#169 / PKLAMMER@CUDENVER.bitnet
1200 Larimer St, NC2506, Denver CO 80204 / {uucp...}!boulder!pikes!pklammer
P.O. Box 173364, Denver CO 80217-3364 / pklammer@cudnvr.Denver.Colorado.EDU

------------------------------

Date: Thu, 10 Jan 91 15:01:46 -0500
From: azavatone@lotus.com
Subject: Mac system 7.0 compatible Anti-Virus programs (Mac)

Hello folks.  I have been working under system 7.0b1 for a while now
and it's pretty snazzy.  In fact I now need the functionality of 7.0
and rarely switch back to 6.0.x.  I am also a registered user of Sam
2.0.2c, Rival 1.whatever and Disinfectant 2.4.  (Yes, I do the virus
protection here.)  My problem is that none of these versions of these
anti-viral programs (esp. the inits) is fully 7.0 compatible.  Anyone
out there know anything that is?  Mister Cozza, are you listening?

Any replies are welcome.  Send to Azavatone@lotus.com

Thanks,
Alex Zavatone
Zav B!-]

------------------------------

Date: Thu, 10 Jan 91 10:32:21 -0800
From: p1@rlyeh.wimsey.bc.ca (Rob Slade)
Subject: Stoned and Joshi (PC)

3501P@NAVPGS.BITNET (Jeffrey) writes:

> The guy that is "curing" the problem indicated that the
> two viruses in combination created some sort of unique problem
> and that Joshi may be a "Friday the 13th" type bomb.

Get a new expert.  The dual infection may indeed cause some "conflict"
problems between the viri, but the "hanging" of the computer is a
common symptom of Joshi.  But only on January 5th.
According to Pat Hoffman's December '90 listing, Joshi cannot be
removed from a hard disk without a low level format, but you might try
FPROT version 1.13.  FPROT's BOOTVIR.TXT does not state whether or not
it will remove Joshi, but it does a fine job with Stoned (1 or 2).

Joshi is a "Friday the 13th" type bomb *only* in the sense that it is
date activated.  There is no report of deletion of files.

Finally, yes, Jeffrey, recovery is possible.  Quite easily.  *Boot from
a known clean system disk first!*  Both Joshi and Stoned are boot
sector viri.  In fact, if you are willing to boot from floppy, you can
now use your computer as is.  As long as you don't boot from the hard
disk, the viri will never activate.  But, assuming you don't want to go
along with such an awkward kludge, having booted clean you can now use
any backup utility to back up your files, and then do any disinfection
procedures you wish, with FPROT, SCAN, CLEAN or even a low level
format.

OK, one caveat.  With the two viri operating and moving sectors around,
your FAT *may* have suffered some damage.  But I don't think it very
likely.

------------------------------

Date: Thu, 10 Jan 91 16:07:52 -0500
From: "Bonnie Scollon"
Subject: Re:Auto-scanning Virus Vaccine? (PC)

I have been waiting for someone more knowledgeable than I to answer
this but since no one has stepped forward, here goes.........

Vi-Spy (from RG Software) has a resident program which can be used to
automatically scan diskettes.  It works on most newer machines (since
around 1986) which support Drive Change Line (or something like that.)
If the machine has this technology, the disk is automatically scanned
and if a virus is found, the user has the option to clean the diskette.
If the user chooses not to clean, they are not able to use the
diskette.  This, however, does not work if the diskette is called from
within a program (such as a data disk with a word processor.)  More
info on this can be found in the documentation with the software.
Although this program is expensive by the single copy, the educational
site license is very affordable.

Bonnie Scollon
Oakland Community College (Michigan)

------------------------------

Date: 10 January, 1991
From: Padgett Peterson
Subject: Hard Disk Protection (PC)

>> From: Mr Gordon S Byron
>>
>> I am interested in finding a DOS antivirus program which would
>> automatically scan disks as they are inserted. ideally, something like
>> SAM II on the Mac.

Could be done with something hooking the timer but why ?  MACs execute
code on the floppy when inserted but an IBM or clone does not (unless
you try to boot from it).  Under MS-DOS, a program must be requested
for execution before it is loaded and that is when good anti-viral
programs do their thing.

>From: Carlos Jimenez
>Subject: Re:Prevent hard disk infection? (PC)

>>Is there any way to prevent a virus from infecting a hard disk when
>>you cold boot with an infected diskette in drive a: ? (I should have
>>written "when you unfortunately have left a diskette in drive a:" or
>>"when you leave your computer unattended and someone boots from a
>>diskette").
>>
>>Paul M. Monat Lab Manager Phone: 613-564-6895/6500

>When a boot sector virus infects a diskette (with or without operating
>system) it can make a boot sector that can infect any hard disk using
> - direct access to hard disk port
>   (I don't know any virus that uses this method actually),

They do not because many disks use different ports and access methods
so one single method will not work well.  Most hardcards and
non-standard disks (ESDI, SCSI) use their own ROM extensions located
at a different address so a virus cannot tell just where to look
(incidentally, a similar reason is why DOS viruses do not fare well
under unix or OS/2).

> - BIOS Int 13h Function 03 (Write sector)
>   (like Stoned)

Yup

> - DOS Int 26h (Write absolute sector).
>   (like Bouncing Ball,

Boot sector infectors cannot use this since Int 26 is not there until
after DOS loads (and usually goes through Int 13 ultimately as do most
of the Int 21 functions that do disk access anyway).

>The third method of infection has a solution using software.  If you
>clear the partition table of your hard disk, DOS can't recognize the
>hard disk (as if it hadn't been low level formatted), and Int 26h
>calls will fail.  For a successful boot from hard disk you must
>replace the original bootstrap routine with another, which writes the
>original partition table, then reads the boot sector of the active
>partition and executes it.  You must include a program that clears
>the partition table again (I have a driver in CONFIG.SYS)

This is what I have been playing with except that the copying of
sectors is a crude way to do it - a custom partition sector either not
containing the partition table or with an encrypted table is much more
effective.  You can also check for certain things like a hooked Int 13
very easily since you are dealing with the bare BIOS at this point -
something impossible from either CONFIG.SYS or AUTOEXEC.BAT.  Another
plus is that you can do many other things from here like prevention of
hard disk formatting, partition table corruption, and passing of clean
system parameters to the rest of the anti-virus program invoked later.

and may have just found a nice 69 Grand Prix, whee,

Padgett

------------------------------

Date: Thu, 10 Jan 91 16:42:10
From: microsoft!c-rossgr@uunet.UU.NET
Subject: Re: Virex Address (PC)

>From: rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
>
>The January 7th PC-WEEK has a full page ad for virex on the back cover.
>The address and phone numbers (definitely) are:
>    Microcom Software Division
>    3700-B Lyckan Parkway
>    Durham NC 27717
>    1-919-490-1277
>    in Europe call 44 483 740763
>There was no 800 number listed, so that apparently has been discontinued.
>A version of their software for PCs is listed as "new".
The 1-800 number is for people who have already purchased Virex-PC,
although a quick phone call to 1-800-555-1212 would give that to people
who haven't purchased the product (yet ).  The "New" notation is to
show that VIREX-PC is new for the PC as versus the well established
Virex for the Mac.

A new release of Virex for the Mac was announced today at MacWorld.  A
new release of Virex-PC will be forthcoming shortly -- just one more
bug to kill....current release is V1.1a.  Each purchase includes one
free upgrade.

Ross M. Greenberg, Author, Virex-PC
These are not the views of Microsoft.

------------------------------

Date: 11 Jan 91 00:09:51 +0000
From: sam@wolfen.cc.uow.edu.au (Sam Tan)
Subject: Re: possible macintosh virus (Mac)

mwu@teri.bio.uci.edu writes:

>Does anyone know of a Macintosh virus that will make all floppy disks
>appear to be locked to the computer?  At first, we thought the problem
>was with the disk drive, but when it started surfacing on other
>computers, we've become a little suspicious.  Any help would be
>appreciated.
>Matt Wu
>mwu@teri.bio.uci.edu

The only occurrence I know of this happening is when you try to recover
disks using MacTools.  The program sets the software disklock field on
the disk to ON, thereby making the System think that the disk is
locked.  You will need to copy the stuff off the disk, and reformat it,
unless you know how to reset the lock byte.

NB: Merely inserting the disk in your drive and selecting "Erase Disk"
won't work, the System will say the disk is locked.  You will have to
hold down the "Cmd-Opt-Tab" keys while inserting the disk.  This key
combination only works on the Finder, not all applications.

Enjoy.
Sam
sam@wolfen.cc.uow.edu.au

------------------------------

Date: Fri, 11 Jan 91 13:54:00 +1100
From: U5434122@ucsvc.ucs.unimelb.edu.au
Subject: Re: Stoned Virus (PC)

jhp@apss.ab.ca (Herb Presley, Emergency Planning Officer) writes:

> Last week I wrote.............
> >
> > I have had a problem with the "Stoned" virus on my 8088 based XT.

Etc...

Herb goes on to say how he cleaned his HDD the hard way, instead of
using CLEAN from McAfee.  I would have suggested CLEAN to Herb, only my
mail bounced, and so did mail routed through uunet.uu.net.  Can you
supply a proper path Herb?  Send me an email message, and I will tell
you what your path to/from me is.  (I don't know until you send mail to
me.)

> Hope this helps anyone else who has been infected by the [Stoned]
> virus.  (By the way, I don't know if you've noticed but the person who
> wrote the message "Your PC is Stoned! LEGALISE MARIJUANA!" doesn't
> even know how to spell legalize.......heh! heh!  And I'll bet he
> thinks he's smart.)

Unfortunately, the guy *did* know how to spell "legalise".  The virus
originated in New Zealand which uses British spelling of such words,
just like I do.

Danny
U5434122@ucsvc.ucs.unimelb.edu.au

------------------------------

Date: Thu, 10 Jan 91 12:35:00 -0800
From: hooverm@sysjj.mdcbbs.com
Subject: Re: Computers at Risk book - how to order - (General)

CMLHD%UOTTAWA@acadvm1.uottawa.ca (Colin Lay) writes:

> The National Research Council has published a much longer study entitled
> "Computers at Risk - Safe Computing in the Information Age".  It is
> available from the National Academy Press in Washington.  Telephone
> orders are accepted at 1-800-624-6242 for US customers or (202) 334-3313
> for those of us who can't access the 800 number.  They will accept VISA,
> MasterCard or American Express.

I just received my copy, but haven't gotten to read it yet.  303 pages,
it looks pretty good.

Chpt.  Title
  1    Overview & Recommendations
  2    Concepts of Information Security
  3    Technology to Achieve Secure Computer Systems
  4    Programming Methodology
  5    Criteria to Evaluate Computer and Network Security
  6    Why the Security Market has not Worked Well
  7    The Need to Establish an Information Security Foundation
  8    Research topics and Funding

Mark

------------------------------

Subject: Joshi & Stoned II (PC)

In issue 7 Jeffery <3501P@NAVPGS.BITNET> writes that his PC is infected
by both JOSHI and the STONED II (Donald Duck).  I haven't tried such a
dual infection but it certainly is feasible.  Because JOSHI is more
selective, I would venture that it was the first infection, followed by
the STONED II, therefore the real partition table can probably be found
at absolute sector 9 on the hard disk (if not it might be in sector 7,
but I doubt it).  Interestingly, Joshi puts its code into sectors 2-6,
skipping 7 where the Stoned usually infects.

To look at these sectors, use the following debug code:

    a
    mov ax,0201     ; read one sector
    mov bx,200      ; put it in ds:200
    mov cx,9        ; ch=track 0, cl=sector to read, 1 is first
    mov dx,80       ; dh=head 0, dl=80 first fixed disk
    int 13          ; the notorious - see IBM ROM BIOS by Ray Duncan
    int 20          ; quit
                    ; a bare (empty) line gets you out of assemble mode
    g               ; to run
    d200 3ff        ; dumps sector (more than one screen); the real table
                    ; will have messages like "Invalid Partition Table"
                    ; in ASCII
    e107            ; to change sector number

After you find the partition table and it is in the 200-3ff area, just
e102 to change the 2 (read) to 3 (write) and e107 to 1 & run to put the
partition table back.

NOTE: do not try the last part unless you are SURE you know what you
are doing as it can lose the table completely, making the disk
unreadable except by an expert.  However, for a multiple infection such
as you seem to have I would prefer the manual method to any automatic
one (why CLEAN et al have disclaimers).  Incidentally, since this is
dangerous, I didn't tell you to do it.
Padgett

Addendum: you MUST cold boot from a known clean floppy before
attempting disinfection or sector reads since many viruses intercept
Int 13.

Padgett

------------------------------

Date: Thu, 10 Jan 91 22:13:56 +0700
From: Carlos Jimenez
Subject: Re:obscure procedure in Yankee Doodle (PC)

>Send by Martin Zejma <8326442@AWIWUW11.BITNET>:
>
>hello virus-proofed community |
>Last week i found the ( or a ) oh-so-old-but-never-found Yankee ...
>...
>SO THE ONE AND ONLY QUESTION :
>Are there systems where this part of memory is accessible or would the
>virus just overwrite a resident other virus when the value in the
>BIOS-segment is below 280h due to a previous (already running)
>infection ?

The segment A000h of the computer is used by graphics cards like EGA,
MCGA & VGA to implement graphics modes 0Dh to 13h and new modes of
higher resolution.  This segment of memory isn't used in text modes.
Thus, when you use text modes (the normal situation if you don't work
in Windows) the virus can use the segment A000h.  Probably you have a
CGA or Hercules Graphic Card and then you can't use this segment (there
isn't RAM for the virus in this segment).

I hope this comment can help you.

Carlos Jimenez                R+D Manager
Phone: +34 1 556 92 15        ANYWARE Information Security
       +34 1 556 92 16        General Peron, 32
Fax:   +34 1 556 91 58        28020 Madrid (SPAIN)
EUnet: cjimenez@anyware.es

------------------------------

Date: Thu, 10 Jan 91 22:40:34 +0700
From: Carlos Jimenez
Subject: Re:SCAN program for IBM's (PC)

>> From: Mr Gordon S Byron
>>
>> I am interested in finding a DOS antivirus program which would
>> automatically scan disks as they are inserted. ideally, something like
>> SAM II on the Mac. I noticed a reference to a program called McAfee's
>> scan. Is that an auto-scan antivirus program?
>
>Only one problem with that idea: How can the machine tell when a disk
>is inserted? There isn't any type of sensor in IBM floppy drives like
>in the Mac.
>
>Doug Barlow

I can suggest this idea: if you install a TSR that captures Int 13h
Function 02h (BIOS Read Sector) and this TSR scans for virus signatures
on each read of the boot sector of a floppy disk, you automatically
detect boot viruses on the first access to the removable media (DOS
reads the boot sector of the removable media, i.e. the floppy disk, on
the first access to the floppy because it needs to know the format of
the disk in order to access it).  You can add another interrupt routine
that captures Int 21h Function 4Bh or 3Dh (EXEC or OPEN) and, before
executing or opening a file, the TSR scans it for known virus
signatures.  This is the basis for TSR vaccines like VSHIELD or F-PROT.

If you wish more details you can write me at cjimenez@anyware.es

Carlos Jimenez                R+D Manager
Phone: +34 1 556 92 15        ANYWARE Information Security
       +34 1 556 92 16        General Peron, 32
Fax:   +34 1 556 91 58        28020 Madrid (SPAIN)
EUnet: cjimenez@anyware.es

------------------------------

Date: 11 Jan 91 09:32:33 -0500
From: "David.M.Chess"
Subject: re: Joshi & Stoned 2 (PC)

I'd guess that you just have the usual Stoned virus (at least one
version of one popular scanner was reporting "Stoned 2" on normal
Stoned infections); as far as I know, the Stoned-2 hasn't reached the
U.S. population yet.  Anyway, assuming you have the usual Stoned virus
and the usual Joshi virus, neither of them "intentionally" does any
damage to files (that is, there's no piece of code in either one to
which one can point and say "this was clearly intended to trash the
disk / files").  On the other hand, both are doing odd and unexpected
things to your disk, and there are definitely circumstances in which
(for instance) the Stoned by itself can overlay part of your FAT with
a copy of the original master boot record (producing, to say the least,
unexpected results).  I wouldn't be at all surprised if on some
machines a combined Stoned+Joshi infection would damage something on
the disk!
I would expect, though (assuming, again, that you have the "vanilla"
viruses), that only a few sectors have actually been trashed, and that
virtually all your data is still there *somewhere*...

DC

------------------------------

Date: 11 Jan 91 09:39:54 -0500
From: "David.M.Chess"
Subject: re: obscure procedure in Yankee Doodle (PC)

Martin Zejma <8326442@AWIWUW11.BITNET>:

> Are there systems where this part of memory is accessible or would the
> virus just overwrite a resident other virus when the value in the
> BIOS-segment is below 280h due to a previous (already running)
> infection ?

I haven't verified it myself, but a reasonably authoritative rumor says
that the checksum the virus does will detect a Bouncing Ball (a.k.a.
"Ping Pong") infection active in memory, and patch it so that it
(eventually?) stops infecting.  There are a few other cases of viruses
that look for other viruses; the Den Zuk / Ohio family look for and
remove the Brain (before installing themselves), the TPxxVIR look for
and remove earlier members of the family, and so on.

DC

------------------------------

Date: Fri, 11 Jan 91 15:10:18 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Politically motivated viruses

Somebody asked about politically motivated viruses - I just wanted to
mention the 'GrLkDos' or 'Groen Links' variant of Jerusalem, which
plays a tune associated with the Dutch 'Groen Links' (Green Left)
political party.  Of course we really don't know whether the virus was
written by a supporter of the party or somebody who wanted to give the
party a bit of bad publicity.  Both explanations are possible.

- -frisk

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 9]
****************************************
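Added worked example (Python; not from any post in this digest and not
code from any product named in it).  It models two things discussed
above: the register convention Padgett's DEBUG script passes to BIOS
Int 13h together with the "is this a boot-sector read of a floppy?"
test an Int 13h hook of the kind Carlos Jimenez describes would make,
and Padgett's rule of thumb for recognising the real partition table in
a sector dump (a sane four-entry table plus the ASCII messages carried
by the standard DOS master boot code).  The disk image, the "infected"
stand-in sector (filler code with the table copied in and no DOS
messages) and the partition entry values are all constructed for the
example; parking the original MBR at BIOS sector 9 follows Padgett's
expectation for a Joshi infection and is only a default parameter here.

```python
# Added example: Int 13h register decode plus Padgett's "real partition
# table" heuristic, run over a constructed disk image. Not from the digest.
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"      # last two bytes of a boot sector / MBR
PT_OFFSET = 0x1BE                 # the four 16-byte partition entries start here
# Messages in the standard DOS master boot code; Padgett's hint that the
# real table "will have messages like 'Invalid Partition Table' in ASCII".
DOS_MBR_STRINGS = (b"Invalid partition table",
                   b"Error loading operating system",
                   b"Missing operating system")


def decode_int13(ax, cx, dx):
    """Decode the Int 13h disk-service registers as set up by the DEBUG
    script: ah=function, al=count, ch/cl=cylinder+sector, dh=head, dl=drive."""
    return {
        "function": ax >> 8,
        "count": ax & 0xFF,
        "cylinder": (cx >> 8) | ((cx & 0xC0) << 2),  # cl bits 6-7 = cylinder bits 8-9
        "sector": cx & 0x3F,                          # sectors are numbered from 1
        "head": dx >> 8,
        "drive": dx & 0xFF,                           # 00h-7Fh floppy, 80h+ fixed disk
    }


def is_removable_boot_sector_read(ax, cx, dx):
    """The condition a resident Int 13h hook would test before scanning:
    function 02h (read) of cylinder 0, head 0, sector 1 on a floppy drive."""
    r = decode_int13(ax, cx, dx)
    return (r["function"] == 0x02 and r["drive"] < 0x80
            and r["cylinder"] == 0 and r["head"] == 0 and r["sector"] == 1)


def partition_table_is_sane(sector):
    """Signature present, boot indicators are 00h/80h, exactly one entry is
    active, used entries have a non-zero size, empty entries are not active."""
    if len(sector) != SECTOR_SIZE or sector[-2:] != BOOT_SIGNATURE:
        return False
    active = 0
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        boot_ind, ptype = entry[0], entry[4]
        size = struct.unpack_from("<I", entry, 12)[0]   # sector count, little-endian
        if boot_ind not in (0x00, 0x80):
            return False
        if ptype != 0 and size == 0:
            return False
        if ptype == 0 and boot_ind == 0x80:
            return False
        active += boot_ind == 0x80
    return active == 1


def looks_like_original_mbr(sector):
    """Padgett's test: sane table AND the DOS boot code's ASCII messages.
    A sector that merely copied the partition table passes only the first."""
    return partition_table_is_sane(sector) and any(s in sector for s in DOS_MBR_STRINGS)


def find_original_mbr(image, max_sector=16):
    """Return the 1-based BIOS sector number (the cl value in the DEBUG
    script) of the first track-0/head-0 sector that looks like the original
    MBR, or None if none does."""
    for n in range(1, max_sector + 1):
        chunk = image[(n - 1) * SECTOR_SIZE: n * SECTOR_SIZE]
        if looks_like_original_mbr(chunk):
            return n
    return None


# ---- constructed sample data (not a real disk, not real virus code) ------
def _partition_table():
    # One active entry: boot 80h, CHS start, type 06h, CHS end, LBA start, size.
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0x0F, 0xFF, 0x3F]) + struct.pack("<II", 63, 130000)
    return entry + bytes(48)                      # three unused entries


def _original_mbr():
    code = b"\xFA\x33\xC0\x8E\xD0" + b"\x00".join(DOS_MBR_STRINGS)
    return code.ljust(446, b"\x90") + _partition_table() + BOOT_SIGNATURE


def _infected_stand_in():
    # Filler bytes, the real table copied in so DOS still boots, no messages.
    return (b"\xCC" * 446) + _partition_table() + BOOT_SIGNATURE


def build_sample_image(original_at=9):
    """Sector 1 = stand-in infected sector; original MBR parked at BIOS
    sector `original_at` (default 9, Padgett's guess for a Joshi infection)."""
    sectors = [bytes(SECTOR_SIZE) for _ in range(16)]
    sectors[0] = _infected_stand_in()
    sectors[original_at - 1] = _original_mbr()
    return b"".join(sectors)


if __name__ == "__main__":
    image = build_sample_image()
    print("sector 1 looks original:", looks_like_original_mbr(image[:SECTOR_SIZE]))  # False
    print("original MBR at BIOS sector:", find_original_mbr(image))                  # 9
    print(decode_int13(0x0201, 0x0009, 0x0080))   # registers from the DEBUG script
    print("floppy boot-sector read?", is_removable_boot_sector_read(0x0201, 0x0001, 0x0000))  # True
```

The heuristic deliberately treats a sane partition table as necessary
but not sufficient: the page itself notes that an infected sector keeps
a usable table so the machine still boots, so only the boot code's own
text (or a scanner's signature database) separates the original from
the copy.  Run against a real dump, the image would come from a read
made after a cold boot from a known clean floppy, for the reason
Padgett's addendum gives.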