VIRUS-L Digest   Thursday, 17 Oct 1991    Volume 4 : Issue 194

Today's Topics:

Invalid Media Type (Virus attack?) (PC)
Thunderbyte (PC)
Re: SF Worms/Viruses (Re: HW not a solution)
re: scanner for all files (PC)
Unfair advantage
Re: Virus on Mac (Mac)
Any Apple //e viruses?
virus help (PC)
New versions of SVC out in the wild! (PC)
Re: Version 84 of McAfee anti-virus programs now available (PC)
Re:Alteration-Searcher for all files (PC)
PC hardware vs software
Re: Anti-virus patent - David.M.Chess
Re: STONED Virus - information please! (PC)
Re: Help urgently needed for stoned virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 16 Oct 91 13:24:22 -0700
From: portal!cup.portal.com!Taz@uunet.uu.net
Subject: Invalid Media Type (Virus attack?) (PC)

In the last 3 weeks, my hard drive has crashed 4 times. This is what happens: I boot up, and it locks up. Then I boot from floppy, and get to the DOS prompt. When I try to get a directory of C: I get the message 'Invalid media type' ... Luckily, I use MS-DOS 5.0, and use the MIRROR command in my autoexec.bat so I FORMAT drive C: and then UNFORMAT drive C:, and then most (but not all) of my data is recovered. I brought the CPU to the manufacturer and he tested the hard drive, and said there were no defects. Could this be a virus?

I run McAfee's virus checker daily, not to mention whenever I unzip a file I get from a BBS. I never found a virus! Could it be a new (or undetectable) virus? Has this happened to anyone else before? It's really a pain in the butt to have to go through this format/unformat (and lose data) process over once a week! Any suggestions? Thanks.

-------
Taz
Email Address: TAZ@Cup.Portal.Com

------------------------------

Date: Wed, 16 Oct 91 23:19:43 +0100
From: Mikael Larsson
Subject: Thunderbyte (PC)

harry@gem.stack.urc.tue.nl (Harry Stox) wrote:

> Although personally I don't have any experiences with the Thunderbyte
> hardware, my guess is that it is unusable with modern IDE or SCSI
> drives, since the hardware is placed between your MFM/RLL controller
> and your harddisk.

Sorry but you're wrong! Thunderbyte works real great with IDE/SCSI/ESDI drives. You just plug the card into a free slot, and forget the cable: the card will get the signals from the bus instead of via a cable between the controller and the harddisk.

> The idea behind Thunderbyte resembles that of FluShot, with the
> exception that instead of in software, the locking of the hard disk is
> now done in hardware.

Well, it's not only locking you use it for. Thunderbyte is an excellent piece of hardware that checks if files are changed, if modifications of files/boot-sectors are done, if time-stamps are being changed to an odd value (like 62 in the seconds), if COM/EXE/SYS/OVL files are renamed to a non-executable extension, if the read-only attribute is being changed, etc. etc. Since the card does NOT look for specific viruses, it's possible to detect new unknown viruses with it. For example, I got an example of a virus which the sender didn't know what it was. I ran the file, and whoops! Thunderbyte said that the file was trying to modify the partition table... Later on, this virus was named TEQUILA. (This was before SCAN etc. could detect it...)

Thunderbyte also includes a password protection that is pretty good; you can't bypass the password without removing the card from the slot.

Rgds, MiL (Mikael Larsson)

==============================================================================
Virus Help Centre                   BBS Line #1 : +46 26 275710
P.O. Box 7018                       FidoNet     : 2:205/204
S-811 07 Sandviken                  VirNet      : 9:461/101, 9:9/0
Sweden                              Phone       : +46-26 100518
Home of VirNet                      Fax         : +46-26 275720
McAfee Associates Agent Sweden      Mobile Phone: +46-10 955551
VSUM Agent Sweden
Thunderbyte Support Sweden
Member of PCVRF
===============================================================================

------------------------------

Date: Wed, 16 Oct 91 21:00:32 +0000
From: gary@sci34hub.sci.com (Gary Heston)
Subject: Re: SF Worms/Viruses (Re: HW not a solution)

smith@sctc.com (Rick Smith) writes:

|jay@markv.com (Jay Skeer) writes:
|
|>P.P.S. I got the idea of a computer virus from an old S.F. book. In
|>the book they actually describe a worm (and called it that) ...
|>.... This was in 1983 or 4.
|>Does any one know the name of that book, or of an earlier reference to
|>computer viruses?
|
|There's Gerrold's "When Harlie was One" which dates at least to the
|early 70s. There's "Adolescence of P1" (a Morris-like worm) which I
|read in the mid-late 70s, but I don't remember the author.

For those interested, here's the info I have:

The Adolescence of P-1, Thomas J. Ryan, (C) 1977, Ace SF Books, ISBN 0-441-00360-5
The Shockwave Rider, John Brunner, (C) 1975, Ballantine Books, ISBN 345-24853-8

--
Gary Heston, System Mismanager and technoflunky, SCI Systems, Inc.
uunet!sci34hub!gary or gary@sci34hub.sci.com
My opinions, not theirs.
Become a pheresis donor. Loan your blood to the Red Cross for a couple of hours. They, and cancer patients, will appreciate it.

------------------------------

Date: 16 Oct 91 19:23:48 -0400
From: Wolfgang Stiller <72571.3352@CompuServe.COM>
Subject: re: scanner for all files (PC)

Bob Babcock writes:

>Recently I corrupted some files on my hard disk, not by a virus
>infection but by changing my QEMM setup and crashing while downloading
>in the background. The end result was a few corrupted files with
>unchanged time stamps, and maybe a few more such files that I haven't
>found yet. What I would like for future use is a checksumming program
>which would look at all files on my hard disk and tell me which ones
>have changed without the time stamp changing. Will any of the
>anti-virus programs do this? The closest I've found is one which only
>looks at executable files.

I've written PC Magazine's PCdata data integrity toolkit. It will do exactly what you want. It's free and you can download it from CompuServe Ziffnet UTILFORUM (GO ZNT:UTILFORUM). It will detect any virus if you boot from a clean copy of DOS first and allow you to detect damage and reload your system sectors as well as your files. It will NOT identify viruses by name; it merely identifies changes and provides directions for determining if it's a virus. If you don't have access to CompuServe send me a formatted disk in a self-addressed stamped mailer and I'll send you the toolkit and full documentation. Mail to Stiller Research, 2625 Ridgeway St. Tallahassee, FL 32310 U.S.A.

Regards,
Wolfgang

------------------------------

Date: Wed, 16 Oct 91 21:21:13 -0700
From: turtle@darkside.com (Fred Waller)
Subject: Unfair advantage

Writes yh0a+@andrew.cmu.edu (Yary Richard Phillip Hluchan) on the subject of Fred's Virus-resistant machine:

> In other words, you built one computer and ran viruses
> designed for a completely different computer.

Yes, yes! Someone noticed! :-) It _is_ unfair, and the viruses will complain. Actually, though, the difference is not "complete", only _slight_. It's slight enough that the OS does not see it, and the apps do not see it, but current viruses don't like it! Isn't that amazing?

> If Fred Waller's Virus-Resistant machine became widely
> available, all viruses that infect .COM, .EXE, etc files
> would become obsolete, granted.

That was part of the objective and the confirmation is appreciated. But don't forget Boot viruses and the new kind of Cluster viruses (DIR II). Those will become unhappy also. All that talent wasted!

> But about six months after we all upgraded to the protected-
> disk scheme we'd start seeing the spreadsheet / .BAT / terminal
> viruses...

I'll gladly take my chances then, and so should everyone else. But a minor correction: .BATs are executable and would be restricted to the program disk. And so can terminal emulators that I am familiar with. Not that I am particularly worried about .BAT viruses - one could READ them with a text viewer! That would be delightful, maybe even instructive. Wish all viruses were so nice.

As far as "interpreted" viruses, well, Axel Gutmann's posting of 12 Oct 91 16:42:00 GMT addresses the issue better than anything I could have written. Yes, there is some concern. But yes, it would be much more difficult to write interpreted viruses as effective as the current ones. Maybe impossible.

Another small correction: Fred Waller's Virus-Resistant machine doesn't need to be made widely available.. it's widely available already. In fact, it is the machine you have now, plus some interesting modifications. Nature is bountiful... :-)

> A "new" virus would write to a shell / macro / etc. data file,
> and would execute from within some third-party software other
> than the operating system.

It should be interesting to see just how it manages to become a "stealth" virus or how competently it would take over and manipulate Int 13. (In fact, I've been thinking about letting Matsumoto's DIET loose on that data drive.. just to complicate things a little... :-)

Fred Waller

------------------------------

Date: Thu, 17 Oct 91 06:00:19 +0000
From: zaremba@ux1.cso.uiuc.edu (Paul N. Zaremba (AA9BK))
Subject: Re: Virus on Mac (Mac)

baudon@nestor.Greco-Prog.fr (Olivier BAUDON) writes:

>We have found a new virus. The message given is 'Don't Panic' given by
>virus-check 1.2. We don't remember having installed this init.
>(We use SAM Intercept). The virus is on an internal hard disk and
>it's now impossible to boot the Mac from a protected/not protected
>floppy or external hard disk.

This virus is the nVIR virus, of which there are several strains. Use a recent copy of Disinfectant or Virex to remove it. It (like most Mac viruses) is wimpy.......

--
*******************************************************************************
Paul N. Zaremba - Amateur Callsign AA9BK (After A 9th Beer, Killed!)
pnz46378@uxa.cso.uiuc.edu   zaremba@ux1.cso.uiuc.edu   zaremba@vmd.cso.uiuc.edu
Affiliated with the best in the midwest, WKIG FM 107!   I'm a shiny, happy guy
*******************************************************************************

------------------------------

Date: Wed, 16 Oct 91 21:23:53 -0400
From: pro-angmar!johnp@alfalfa.com (John Palaima)
Subject: Any Apple //e viruses?

Well, are there any APPLE //e viruses?

John Palaima
ProLine  : johnp@pro-angmar
Internet : pro-angmar!johnp@alphalpha.com
UUCP     : uunet!alphalpha!pro-angmar!johnp
Argus    : johnp

------------------------------

Date: Wed, 16 Oct 91 19:43:21 -0400
From: pro-angmar!zalam@alfalfa.com (Zaki Alam)
Subject: virus help (PC)

Hi there:

I seem to be having a little problem with a possible virus. I have run SCAN v49, and it came up with no results. I have noticed that the program primarily goes after any executable file; and it seems to corrupt the file when it is being executed.

I have downloaded the following programs from the local BCS BBS:

SCAN v49
CLEANUP 7.9v84
FLUSHOT+ v 1.7

System Info:

Computer: NEC PowerMate 386/20
Seagate HD 40MB (internal) - two.
DOS Version: 3.30

Printout of Autoexec.bat:

@echo off
prompt $p$g
PATH = c:\dos;c:\;c:\batch
turbo +
set acadcfg=c:\acad10\cfg
chkdsk /f
cls
if exist c:\tmp\*.* del c:\tmp\*.*
if exist c:\*.chk del c:\*.chk
if exist c:\*.bak del c:\*.bak
cls

Printout of config.sys:

buffers=15
device=d:\captor\ibmgpr.sys /transient /group:output
device=d:\captor\ibmega.sys /transient /group:output
device=d:\captor\ibmpro.sys /transient /group:output
device=d:\captor\hpplot.sys /transient /group:output
device=d:\captor\gsscgi.sys /transient /group:output
files=20

I ran SCAN with the disk lock on. When I tried to run the program I could hear that the disk was being accessed to write on it. FLUSHOT verified this assumption of mine. With FLUSHOT I got the following message:

+=========================================================================+
|=====>Direct Disk write attempt by program other than DOS!          <====|
|  Interrupt 40=> Drive: x  Head: y  Track: zzzzz  Sector: zzzzz          |
|  By program: a:/scanv/scan.exe                                          |
|  Press "Y" to allow, "G" to go till exit, any other key to fail.        |
+=========================================================================+

I would appreciate any help on the same. If you have any questions please do not hesitate to "call" on me.

Regards,
Zaki

Zaki Alam, 146 Jewett Street, Newton, MA 02158
Internet : pro-angmar!zalam@alfalfa.com
Bitnet   : zalam%pro-angmar@alfalfa.com
UUCP     : zalam@pro-angmar.cts.com
Proline  : zalam@pro-angmar
Telephone: (617) 527-7668 Res.  (617) 328-9215 Off.

------------------------------

Date: Thu, 17 Oct 91 10:54:05 -0500
From: ry15@rz.uni-karlsruhe.de
Subject: New versions of SVC out in the wild! (PC)

Hi,

I just received a new variant of SVC; it is labeled SVC 6.0! I also talked to Dr. Alan Solomon and he has a SVC 5.0. Both are out in the wild! These viruses are quite complicated and use advanced stealth techniques! Even more complicated and better than 4096. SVC 5.0 is some 3.5k, SVC 6.0 is 4644 bytes. These are the second most complicated viruses next to Whale. I am in the process of analysis.... More will follow.

Chris

Christoph Fischer
Micro-BIT Virus Center
University of Karlsruhe
Zirkel 2
W-7500 KARLSRUHE 1
Germany
+49 721 376422 Phone
+49 721 32550 FAX
email: ry15@rz.uni-karlsruhe.de

------------------------------

Date: 17 Oct 91 11:01:21 +0000
From: icking@gmdzi.gmd.de (Werner Icking)
Subject: Re: Version 84 of McAfee anti-virus programs now available (PC)

mcafee@netcom.com (McAfee Associates) writes:

>I have uploaded to SIMTEL20 and Garbo:

And why have these files different sizes on OAK.Oakland.edu (=SIMTEL) and on Garbo?

>pd1:
>SCANV84.ZIP   Scans standalone and networked PC's for viruses
>CLEAN84.ZIP   Virus removal program for PC's, LAN's
>VSHLD84.ZIP   Infection-prevention TSR for PC's
>NETSCN84.ZIP  Scans network file servers for viruses

and in addition LIST *84* told me that there is WSCAN84B.ZIP. It's a Windows 3 version of SCAN, which makes problems when I install it on my machines, because SCAN is badly named. What does SCAN mean? I have a scanner on one of my machines, therefore I always renamed SCAN.EXE to VIRUSCAN.EXE. This does not work with the Windows version. And I do not understand why, because there is a SCAN.PIF in the windows directory which I modified so that it points to the renamed VIRUSCAN.

--
Werner Icking   icking@gmdzi.gmd.de   (+49 2241) 14-2443
Gesellschaft fuer Mathematik und Datenverarbeitung mbH (GMD)
Schloss Birlinghoven, P.O.Box 1240, D-5205 Sankt Augustin 1, FRGermany
"Der Dativ ist dem Genitiv sein Tod." (German: "The dative is the death of the genitive.")

------------------------------

Date: Thu, 17 Oct 91 12:27:00
From: "Axel Gutmann"
Subject: Re:Alteration-Searcher for all files (PC)

>From: Bob Babcock
>(...) What I would like for future use is a checksumming program
>which would look at all files on my hard disk and tell me which ones
>have changed without the time stamp changing. Will any of the
>anti-virus programs do this? The closest I've found is one which only
>looks at executable files.

There are two ShareWare checksumming programs named FICHECK/MFICHECK that take the extensions of files to check as a command line argument (wildcards o.k.). The version (4.0) I know of is a bit outdated (see below) and I don't know if the company still exists. Here are the copyright notice and address of the company:

(C)Copyright 1988, Gilmore Systems
Gilmore Systems
P.O. Box 3831
Beverly Hills, CA 90212-0831
U.S.A.
Voice: (213) 275-8006
Data:  (213) 276-5263

I can't tell you where to get them on the net because I got them on a disk from a ShareWare vendor two years ago. If you can't reach Gilmore Systems or get the program from somewhere else, I can try to send it to you UUencoded.

Bye
Axel

************************************************************************
*Axel Gutmann, uh2m@DKAUNI2, Internet: uh2m@IBM3090.RZ.UNI-KARLSRUHE.DE*
************************************************************************

------------------------------

Date: Thu, 17 Oct 91 10:20:29 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: PC hardware vs software

I think we have about beaten this to death theoretically. My opinion is that software is *enough* even though hardware is *more*. If I buy a new PC, BIOS boot drive selection will be a requirement but I am not going to retrofit my older ones.

>From: Chris Stops
>Subject: Virus Proof Machine ?
>Any comments anyone?

Some good thoughts but I believe that there are easier ways (unix for instance) if you need that level of protection. Personally, IMHO, disk boot selection in hardware (e.g. Zenith, Compaq, Tandon BIOSes) plus a good set of software permissions/controls would drop viral spread below the critical point for MS-DOS machines. If viruses stop spreading, there would be little incentive for writing them. Safe Hex does not require abstinence, merely prudence.

In 1981, the TI 99/4 was a superior 16 bit system but the lack of flexibility doomed it in the marketplace and this was before we had an 80,000,000 PC installed base. Considering how well they were made, it would not surprise me to see a significant number of 8088 and 80286 machines lasting into the next century. Inertia is inevitable. I also have not yet seen many millionaire anti-virus vendors yet (if they are, they hide it well).

>From: "David.M.Chess"
>Subject: re: More hardware!
>My suspicion (and, again, I'd love to be proven wrong in actual
>practice) is that software hasn't done more than it has primarily
>because it isn't widely-enough installed, *not* primarily because it's
>software rather than hardware...

Great minds think alike. Anyone care to guess what the effect on STONED, JOSHI, etc. would be if everyone used my FREEWARE NoFBoot program?

Padgett

ps this Ultravision is neat - it has a 34 row mode that lets debug display an entire sector on one screen and is easier to read than the 43 row mode. Good work is appreciated.

------------------------------

Date: Thu, 17 Oct 91 16:07:00 +0000
From: Sanford Sherizen <0003965782@mcimail.com>
Subject: Re: Anti-virus patent - David.M.Chess

David.M.Chess said

>I've just run across an interesting U.S. patent. It's number
>4,975,950, granted to Stephen A. Lentz, entitled "System and Method of
>Protecting Integrity of Computer Data and Software".

If anyone is interested in contacting Steve Lentz, he can be reached in Phoenix at (602) 274-8001. He is the inventor of this very interesting product and is working with Hal Becker (602) 841-0962, who has been in information security for many years, as well as heavyweight investors. The product has gotten some good inside reviews from companies and government agencies and is being looked at quite seriously by several U.S. and international vendors. For the record, I have helped Hal and Steve with strategic information but have not had any financial stake or arrangement with them or their company.

Ken De Cruyenaere said:

>That is the day after RTM launched the infamous internet worm.
>Coincidence ?

It was a coincidence since Steve had been working on this for quite a while and the filing date had to do with the lawyers and their timetable rather than RTM.

Sandy

******************
Sanford Sherizen
Data Security Systems, Inc.
5 Keane Terrace
Natick, MA 01760 USA
RESPOND VIA-------------------> MCI MAIL: SSHERIZEN (396-5782)
           -------------------> FAX: (508) 879-0698
           -------------------> PHONE: (508) 655-9888
******************

------------------------------

Date: Thu, 17 Oct 91 19:19:00 +0000
From: phlux@athena.mit.edu (Peter H. Lemieux)
Subject: Re: STONED Virus - information please! (PC)

I don't have answers about SCAN, but I can tell you about the Stoned virus. It has been a persistent problem on our departmental computers for about a year. It propagates via the boot sector of a floppy disk. If an infected floppy is inserted in the A: drive and the machine booted, the virus will be transferred to the partition table of the hard drive EVEN IF THE FLOPPY IS NOT A SYSTEM DISK! An infected floppy data disk will transmit the virus despite the fact that you get a "nonsystem disk or disk error" message back from the BIOS.

I have basically thrown out infected floppies whenever I find them rather than using CLEAN for safety's sake, so I don't know about your problems with the McAfee program.

Peter H. Lemieux
Dept of Political Science
MIT, Cambridge, MA 02139
phlux@athena.mit.edu

------------------------------

Date: Thu, 17 Oct 91 19:23:49 +0000
From: phlux@athena.mit.edu (Peter H. Lemieux)
Subject: Re: Help urgently needed for stoned virus (PC)

Okay, if you know what you're doing you can try this. You need a copy of Norton Utilities. Use the explore disk function to examine ABSOLUTE sector 1. You should see the number 55 in the last byte of the sector if your disk is Stoned. The virus has copied the partition information to absolute sector 7. Using Norton copy ABSOLUTE sector 7 to ABSOLUTE sector 1. That should solve the problem.

If you've never played around with a low level utility like Norton, you'd best download a copy of McAfee's Viruscan package. It's available by FTP, though I'm not sure where.

Peter H. Lemieux
Dept of Political Science
MIT, Cambridge, MA 02139
phlux@athena.mit.edu

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 194]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
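The sector-7-to-sector-1 recovery that Lemieux describes in the last message of this digest, as an added example that is not part of the digest or of any tool named in it. It works on a raw disk image rather than a live drive, checks the 0x55AA boot signature on absolute sector 1, and only copies absolute sector 7 over it after confirming that sector 7 carries a signature and a plausible partition table. The eight-sector image, its contents and all function names are constructed for the example.

```python
import struct

SECTOR = 512
SIG_OFF = 510   # offset of the 0x55 0xAA boot signature in a 512-byte sector
PT_OFF = 446    # offset of the four 16-byte partition table entries

def sector(image: bytes, absolute_no: int) -> bytes:
    """Return absolute sector N (1-based, the way Norton numbers them)."""
    start = (absolute_no - 1) * SECTOR
    return image[start:start + SECTOR]

def has_boot_signature(sec: bytes) -> bool:
    """True if the sector ends in the 0x55AA signature a boot sector/MBR carries."""
    return len(sec) == SECTOR and sec[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"

def partition_table_sane(sec: bytes) -> bool:
    """Plausible MBR: boot flags are 0x00/0x80 and at least one entry has a type."""
    populated = 0
    for i in range(4):
        entry = sec[PT_OFF + 16 * i:PT_OFF + 16 * (i + 1)]
        if entry[0] not in (0x00, 0x80):
            return False
        if entry[4] != 0:          # byte 4 of an entry is the partition type
            populated += 1
    return populated > 0

def saved_mbr_present(image: bytes) -> bool:
    """Sector 1 is a boot sector and sector 7 holds a different, valid MBR:
    the layout left behind when the original MBR was parked in sector 7."""
    s1, s7 = sector(image, 1), sector(image, 7)
    return (has_boot_signature(s1) and has_boot_signature(s7)
            and partition_table_sane(s7) and s1 != s7)

def restore_mbr(image: bytes) -> bytes:
    """Copy absolute sector 7 over absolute sector 1, but only if the saved
    copy looks like a real MBR; otherwise refuse rather than destroy sector 1."""
    if not saved_mbr_present(image):
        raise ValueError("no valid saved MBR in sector 7; leaving sector 1 alone")
    return sector(image, 7) + image[SECTOR:]

def make_sample_image() -> bytes:
    """Constructed 8-sector image (not a real disk): sector 1 holds an
    overwritten boot sector, sector 7 the clean MBR with one DOS partition."""
    entry = bytes([0x80, 1, 1, 0, 0x06, 0, 0, 0]) + struct.pack("<II", 63, 80000)
    clean = b"\xfa\xeb\xfe" + bytes(PT_OFF - 3) + entry + bytes(48) + b"\x55\xaa"
    infected = b"\xeb\xfe" + b"constructed overwritten boot sector"
    infected += bytes(SIG_OFF - len(infected)) + b"\x55\xaa"
    blank = bytes(SECTOR)
    return infected + blank * 5 + clean + blank

if __name__ == "__main__":
    img = make_sample_image()
    print("saved MBR in sector 7:", saved_mbr_present(img))
    fixed = restore_mbr(img)
    print("sector 1 restored:", sector(fixed, 1) == sector(img, 7))
```

Run it against a sector dump taken with a low-level utility rather than against the live drive, and keep the original dump so the overwrite can be undone.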