VIRUS-L Digest Thursday, 13 Jun 1991 Volume 4 : Issue 102 Today's Topics: Re: Questions about "Disinfectant" (Mac). Virus detection & removal (PC) Possible Virus? (PC) Re: Removing Azusa (was: Hong Kong on...) (PC) Dave Barry's definition of a computer virus Re: Is there a 1024 virus? (PC) Re: Hypercard Antiviral Script? (Mac) F-PROT 1.16 (PC) Re: Protection evaluation with test virus: (PC) Is there a 1024 virus? (PC) Re: Hypercard Antiviral Script? (Mac) Ws and Ps now you see em.... (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 12 Jun 91 03:22:00 -0500 From: Big fish man on hippocampus Subject: Re: Questions about "Disinfectant" (Mac). firmiss@cae.wisc.edu writes: > I've been using Disinfectant since version 1.6 and I've had a few > questions I've wanted to ask for quite a while. > > 1. I believe since version 2.0, Disinfectant had the ability to install > a protection INIT. The thing is only 5k... What does it DO?... > Does it just give a warning if something is being infected? > What does it look for? If the virus is in an application, the an alert is displayed saying Disinfectant INIT found a virus and that it should be removed with Disinfectant. It will not let the program run. If the virus is in the Desktop, a similar alert will be shown, the Finder will run, but the virus will be "contained," kept from furthering the infection. This INIT only checks applications when they are run and do not check documents (i.e. Hypercard stacks). > > My current version of Disinfectant is 2.4... Is this the most current > one? I've had it for about 6 months now. As far as I know... - -- |\ \\\\__ Tony Maimer __ | \_/ o \ / | > _ (( <_ / | | / \__+___/ maimer@kuhub.cc.ukans.edu /o /_/| |/ |/ < )) _ < \ \ \| \ | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ------------------------------ Date: Wed, 12 Jun 91 09:30:56 -0400 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Virus detection & removal (PC) >Just that our experience that I wished to share was that with a >checksummer in place and use of SCAN, you can end up with every last >EXE/COM file on you hard disk looking very sick indeed. >Mike Lawrie >Director Computing Services, Rhodes University, South Africa >.............................................. I agree, such activity is possible which is why I recommend that techs be properly trained (ours get two full days) before being allowed to work on suspected viruses. CHKDSK & DEBUG anre powerful tools in trained hands as are MANIFEST, MEM, & MAPMEM. Scanners are very good automated tools for problems they hve seen before and can take care of 98% of our problems: the other 2% just have to be handled manually - see below - -------------------------------------------------------------------- >From: dwe29248@uxa.cso.uiuc.edu (Derek William Ebdon) >Subject: Re: Hong Kong on MircoTough dist. disks (PC) >One thing that Mr. Doss forgot to mention is that although Central >Point Anti-Virus v1.0 can easily romove the Asuza virus from a floppy, >it cannot remove the virus from a hard drive. The only way to >disinfect a hard drive is to redo the low level format because the >virus infects the boot sector and the dos partition. A high level >format will not remove the virus, nor will simply removing the dos >partition with the fdisk program. NO, NO, a thousand times NO !I have never seen an infection that requires low level formatting (besides, on some newer disks you can't) Azusa is one of the easier to remove (believe I posed instructions some time ago) - certainly easier than the MusicBug which can also be removed. If the problem is understood, formatting is never necessary. Azusa can be removed just using debug if you know what you are doing. Just because one generic tool does not know how to do it does not mean it cannot be done. Warmly, Padgett ------------------------------ Date: Wed, 12 Jun 91 11:02:12 -0400 From: evans@aplcen.apl.jhu.edu (R. B. Evans) Subject: Possible Virus? (PC) I have a Packard Bell 286 with the following problem: Every once in a while (50-300 characters typed) a character typed at the keyboard doesn't seem to *make-it* to the PC, and instead produces an audible beep. In addition, the keyboard occasionally shifts into a mode where the SHIFT key is being held down, (types !@# instead of 123), but the shift key has not been hit, so is not physically sticking. Packard Bell Technical Support has been unable to fix the problem. They have replaced three keyboards, two motherboards, and one power supply in their *troubleshooting* efforts. With all this hardware replaced, I suspect a possible virus, but Scan V77 shows no viruses found. If anyone has any ideas as to how to fix this annoying problem, please E-mail me your suggestions/ideas. Thanks in advance, Robert Evans evans@aplcen.apl.jhu.edu ------------------------------ Date: 12 Jun 91 11:12:51 -0400 From: "David.M.Chess" Subject: Re: Removing Azusa (was: Hong Kong on...) (PC) >From: dwe29248@uxa.cso.uiuc.edu (Derek William Ebdon) >The only way to >disinfect a hard drive is to redo the low level format because the >virus infects the boot sector and the dos partition. A low-level format is certainly not the *only* way to fix an Azusa-infected hard disk. Any program that can write a valid boot record to the partition-table area (preserving the partition information and just fixing the code) will remove the virus from the execution stream, and (since the Azusa uses only the partition table area on a hard disk, and no sectors in the DOS partition or anywhere else) that will disinfect the disk very nicely... DC ------------------------------ Date: Wed, 12 Jun 91 11:47:33 -0400 From: Joe McMahon Subject: Dave Barry's definition of a computer virus Dave Barry's column in the Sunday Washington Post, "Our Friend the Computer", has the following defintion of a computer virus: "...You have probably read about computer viruses, which computers get when they're left uncovered in drafty rooms. This is bad, because if you're working on an infected computer, it will periodically emit electronic sneezes (unfortunately not detectable with the naked eye) and you'll be showered with billions of tiny invisible pieces of electronic phlegm, called "bytes", which penetrate into your brain and gradually make you stupid..." --- Joe M. ------------------------------ Date: 12 Jun 91 17:28:33 +0000 From: chris@renoir.teradyne.com (Chris Maslyar) Subject: Re: Is there a 1024 virus? (PC) >> Can anyone suggest an explanation of our observation on several >> computers (various IBM pc types) of a result from chkdsk of 654336 >> bytes of total memory? >A number of viral programs would fit this bill, the most obvious being >the ubiquitous "Stoned". Check the boot sectors of your boot disks with >your Norton utilities. I noticed this 654336 anomaly as well. Unfortunately (fortunately?) SCAN V7.2V77 didn't find a culprit, and Norton utilities came up blank when I searched for "Stoned". I'll spare you the details of the painful steps taken to arrive at my solution to say that: Some PC/AT computers give the user an option to place 1K of BIOS into base memory subsequently reducing the size of memory to: (you guessed it) 654336 You may want to look for this option BEFORE you format your disks :) Good Luck Chris chris@attain.teradyne.com ------------------------------ Date: Wed, 12 Jun 91 19:31:35 +0000 From: EIVERSO@cms.cc.wayne.edu Subject: Re: Hypercard Antiviral Script? (Mac) Your best defense is locking your home stack, or constantly searching your home stack for script modifications. You can try editing the script of a stack before opening it, but the virus might be in any object in the new stack. Even though you can check the params of a set command for the word "script", no unlocked stack will be safe until Apple prevents using the set command in a end to HyperCard I'd elaborate, but wouldn't feel right about explaining how to commit sabotage. - --Eric ------------------------------ Date: Wed, 12 Jun 91 23:23:11 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: F-PROT 1.16 (PC) Well - F-PROT 1.16 is out...It was delayed a bit, as unusually many viruses have arrived in the past three weeks... Version 1.16 added the following features: Detection, but not disinfection of 27 new viruses: 200 268-plus 483 Bad Boy Cascade - 2 new variants: Formiche and JoJo-1703 Darth Vader (4 variants) Diamond - 4 new variants: Damage, Damage-B, David and Greemlin Eddie - new variant: MIR Fingers 08/15 Hero Leech Murphy - 4 variants: Cemetery, Kamasya, Migram-1 and Migram-2 Stardot Swiss-143 VCS 1.0 Warrior Witcode Detection and removal of 85 new viruses: 1024-PrScr 1575-B (alias 'Greencat-2') Backtime Bljec - 7 variants: Bljec-3, Blec-4, Bljec-5, Bljec-6, Bljec-7, Bljec-8, Bljec-9 Boys CARA Casino Cinderella Demon (overwriting) Diamond - new variant: Lucifer Eddie - 4 new variants: 1028, 1801, Apocalypse-2 and Zeleng ETC Frog Horse (alias 'Naughty Hacker') - 8 variants: Horse-1, Horse-2, Horse-2B, Horse-3, Horse-4, Horse-5, Horse-6, Horse-7 Incom Jerusalem - 6 new variants: Apocalypse, Carfield, Discom, GP1, Phenome and Skism Keypress-1228 Kiev-483 Little Pieces Magnitogorsk - new variant: 2048 MG - new variant: MG-1A Minimal-30 Murphy - 11 new variants: AntiChrist, Diabolik, Erasmus, Finger, Goblin, Guru, Murphy-3, Murphy-4, Pest, Smack-1835 and Smack-1841 Mutant - 3 variants Old Yankee - new variant: Bandit PcVrsDs Pixel - 11 new variants: 257, 275, 283, 295, 779, 837, 850, 854, 877, 892, 936 Raubkopi Sparse Striker #1 Sylvia-B (previously identified as Sylvia) Tequila Tumen - 2 variants: 0.5 and 2.0 USSR-311 Vienna - 2 new variants: Arf and Vienna-645 WWT - 2 variants: WWT-01 and WWT-02 (overwriting) Yaunch (alias 'Wench') Yukon (overwriting) ZK-900 Disinfection of the following viruses, which were detected in earlier versions: Faust (alias Chaos) (previously called 'Spyer') Form The following names have been changed, in an attempt to reduce the incredible confusion in the virus naming area. 1075 --> DBF blank June 4th --> Bloody! Spyer --> Faust Turku --> Keypress The following bugs/problems have been fixed: The signature for the 1049 virus has been changed, as it could cause false alarm in the 386COM.SYS file. F-FCHK would not detect all the possible mutations of the Whale virus in .COM files, although all infected .EXE files were found. This has been corrected. Occasional very long delays when some programs, such as SORT.EXE in DOS 4.0 were run have been eliminated. F-OSCHK will now correctly handle the case where a checksum evaluates to 0, as 0 previously meant "ignore". Instead the string ----- is now used when a checksum should be ignored. When F-DRIVER and F-NET were in use, Novell "execute-only" programs could sometimes not be executed. This has been corrected. F-DRIVER would on some computers fail to detect some boot sector viruses if it was loaded into high memory (above 640K. This has been corrected - LOADHI etc should now work without problems. F-FCHK will now indicate if a program has been compressed by DIET 1.10, ICE 1.01 or EXEPACK. This warning only indicates that a virus could possibly have been hidden in the program before it was packed - not that anything appears to be wrong. A new file has been added with information on Trojans and "Joke" programs, often found in virus collections. Those programs are not a threat like viruses - but some of my competitors detect them, so.... /QUERY switch added to F-FCHK. if it is used, F-FCHK will ask if it should disinfect any infected files - this used to be the default. A conflict has been reported between F-DRIVER and Desqview, and I am trying to determine if a problem exists. - -frisk ------------------------------ Date: Wed, 12 Jun 91 23:50:07 +0000 From: mcafee@netcom.com (McAfee Associates) Subject: Re: Protection evaluation with test virus: (PC) holly@fifi.isi.edu (Dennis Hollingworth) writes: >Posted for Dan Hirsh (818) 505-2285 > >I tested McAfee's SCAN77 using Rosenthal Engineering's new release of >Virus Simulator (I've seen posted as VIRSIM11.COM on EXEC-PC, >Compuserve and others). It seems that SCAN77 misses three boot sector >viruses that SCAN76 found on the same disk. Both versions of SCAN >found nine viruses in the .COM, four in the .EXE and seven in the test >memory virus. [rest of message deleted...] Rosenthal Engineering's VIRSIM program is a string-based virus simulator. As such, only scanners that use the same strings that VIRSIM uses will detect its "viruses." We regularly adjust our strings, so this why V76 would report viruses that V77 did not. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com 4423 Cheeney Street | FAX (408) 970-9727 | (Aryeh Goretsky) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | mrs@netcom.com ViruScan/CleanUp/VShield | HST (408) 988-5138 | (Morgan Schweers) ------------------------------ Date: 12 Jun 91 19:30:42 -0400 From: Arthur Buslik <74676.2537@CompuServe.COM> Subject: Is there a 1024 virus? (PC) Stan Orrell writes: "Can anyone suggest an explanation of our observation on several computers (various IBM pc types) of a result from chkdsk of 654336 bytes of total memory?" As Rob Slade suggests, one possibility is a virus. However, a much more likely possibility is that the computers have extended bios extended data areas. (See, e.g. "The New Peter Norton Programmer's Guide to the IBM PC & PS/2",2nd edition, 1988, page 62.) INT 15H, AH=C0H will return ES:BX as the segment:offset of a configuration table. The fifth byte of this configuration table gives configuration flags. Bit 2 of this byte is set if an extended Bios data area is allocated. Moreover, INT 15H, AH=C1H will return the segment address of the base of the extended bios area. The word at 0040:0013H is modified to reflect the reduced amount of memory available to programs. This is what chkdsk returns as "bytes total memory", and also what INT 12H returns in AX. On my COMPAQ 386/20e at work, I obtain the following when I use DEBUG: - -a100 1AFA:0100 mov ah,c0 1AFA:0102 int 15 1AFA:0104 - -g104 AX=0000 BX=E6F5 CX=0000 DX=0000 SP=FFEE BP=0000 SI=0000 DI=0000 DS=1AFA ES=F000 SS=1AFA CS=1AFA IP=0104 NV UP EI PL ZR NA PE NC 1AFA:0104 0000 ADD [BX+SI],AL DS:E6F5=6E - -df000:e6f5 l 9 F000:E6F0 08 00 FC-01 00 74 00 00 00 .....t... The configuration flag byte is 74H=01110100B, and since bit 2 is set, my machine has an extended bios data area allocated. Moreover, using DEBUG again, this time for INT 15H, AH=C1H, I obtain: - -a100 1C6B:0100 mov ah,c1 1C6B:0102 int 15 1C6B:0104 - -g104 AX=C100 BX=0000 CX=0000 DX=0000 SP=FFEE BP=0000 SI=0000 DI=0000 DS=1C6B ES=9FC0 SS=1C6B CS=1C6B IP=0104 NV UP DI NG NZ AC PO NC 1C6B:0104 7205 JB 010B - -d9fc0:0 9FC0:0000 01 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ etc., all following bytes being zero. My machine has 1Kb of memory reserved, at the top of memory for an extended bios data area. The first byte gives the number of Kb of memory reserved. On my machine all the other bytes are zero, whenever I look at them with DEBUG. (I don't know what they are when I don't look at them.) For what it is worth, the machines at work which have the extended bios data area implemented, and for which chkdsk returns 639K total memory, all have a socket in the back for a bus mouse. Art Buslik ------------------------------ Date: Thu, 13 Jun 91 00:49:47 +0000 From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner) Subject: Re: Hypercard Antiviral Script? (Mac) I said I was going to rewrite my scripts to handle new trojans/viri, however I am trying to consider some options. The main problem is that there is no way to catch the parameters of the SET function in HC 2.1. So, while I play with different virus scenarios (i.e. writing ones that I think will do certain things, using certain HC resources, I want to try and find some common link between them. The answer, then, will be unable to intercept and stop infection, but will have to work beforehand. The problem with this is that a field of all stacks that have been checked needs to be kept, and everytime that a stack is opened, the field must be examined to see if this particular stack has been checked. However, the problem with that is that existing checked stacks may have been infected and will thus escape detection. So, while my solution appears to be the simplest (i.e. check all stacks to begin with then keep a running list), the time spent by the user seems to be very long. So, the story on this is: unless there seems to be some need/desire emerge for a new stack/utility to do this work, I'm moving slowly. As I said before, if anyone else feels like beating me to the punch with a solution of their own, feel free - but don't you DARE charge $$ for it. Mikey. Mac Admin WSOM CSG CWRU mike@pyrite.som.cwru.edu ------------------------------ Date: 11 Jun 91 21:53:35 +0000 From: Ullrich_Fischer@mindlink.bc.ca (Ullrich Fischer) Subject: Ws and Ps now you see em.... (PC) The following problem has occurred on our network over the past two days: On Monday, a user showed us two printouts from WordPerfect 5.1 (Network version) printed from the same document about 5 minutes apart. She swears she made no changes to the document between the two printouts. On one printout all the Bitstream Dutch 11 point (we use Bitstream fonts on HP Laserjet II printers) 'w's (upper and lower case) were missing (i.e. replaced by relatively narrow blank spaces). On the 2nd printout, the 'w's were all there. At the top of the document, a large capital W using a different font appeared in both printouts. It is a one-page document. Today the same sort of thing happened to another user on a different PC using Lotus 2.01 networker. This time the 'p's were missing from one printout but not another of the same spreadsheet. We are using Novell Netware 2.15C on an internet with a 3.1 server. These incidents happened to people who were using the 2.15C to store their data files and the application software. We are using Printer Assist from Fresh Technologies to print to the laser printers. The two incidents involved different printer servers and printers as well as different PCs. Both PCs used DOS 3.3 I scanned the network and both PCs involved using McAfee's SCAN version 77 but turned up no indication of any virus infection. To the best of my knowledge, this is the first time anything like this has happened on our network. No, I am not sure this is a virus, but it seems the kind of thing that malicious code might do. If anyone has any ideas as to what may be going on here, I would be grateful to hear them. - - Ullrich Fischer@mindlink.bc.ca (Let's just have 1 line signatures eh?) ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 102] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253