VIRUS-L Digest   Friday, 22 Nov 1991    Volume 4 : Issue 225

Today's Topics:

Re: System 7 vs. viruses (Mac)
ANSI Bombs
Re: Protection...
Re: DIR-2 found in USA (PC)
Does PC virus affect hardwares? (PC)
Re: Generic scanning - a small test (PC)
Mark Washburn
Strange occurrences using DBase IV & AZUSA Comm Port (PC)
Request for help on getting ".CVP" documents.
Gosia virus search string (PC)
Booting from floppy, Multifinder & Disinfectant (Mac)
Frog's Alley / new upload (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 21 Nov 91 15:10:57 -0500
From:    xrjdm@twinpeaks.gsfc.nasa.gov (Joseph D. McMahon)
Subject: Re: System 7 vs. viruses (Mac)

smithd@professor.eng.tulane.edu (David Smith) writes:

> Well I do not know about Multifinder under sys 7 but under 6.8 running
> AUX in which multifinder is always running the desktop and the system
> have been infected and Disinfectant cannot remove it, it must be
> reinitialized.

Which virus are you speaking of? If it's a desktop infector, you
certainly don't need to reinitialize (I assume you mean format) the
disk! Rebuilding the Desktop file is good enough. Write to me privately
if you need to know how to do this.

 --- Joe M.

------------------------------

Date:    Thu, 21 Nov 91 15:12:28 -0500
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: ANSI Bombs

>From: Eric_Florack.Wbst311@xerox.com
>I went to a re-write of ANSI that doesn't allow redefs, and as such was a lot
>smaller. Saved me a few K in space, and disabled any ANSI bombs in the process.
>Good trade off, I think.

Again, a single byte change in most ANSI drivers (offset 61h for the
DOS 5.0 version I have) will change the redirection character from the
standard lower case "p" to *something else* and defuses the whole
problem. But it is unlikely that many people will.

>"How stupid you are depends on exactly where you're standing at any given
>Moment."

ref. Smokey & the Bandit, 1977 - the South & Pontiacs, my favourite mix.

                                        Padgett

------------------------------

Date:    21 Nov 91 19:49:23 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Protection...

turtle@darkside.com (Fred Waller) writes:

> Scanning is not foolproof either; the person could have scanned and
> still gotten infected. Or, if the scanner was not too well designed
> (as some are not), then the act of scanning itself might have spread
> the virus further to other parts of the system.

While I agree that scanning does not offer any serious protection, I
would like to point out that the way the scanner is implemented doesn't
really matter. What -does- matter is how the user uses it. If s/he
always boots from a non-infected write-protected system diskette and
always starts a non-infected copy of the scanner from a write-protected
disk, the simple act of scanning CANNOT spread the infection.
Regardless of how poorly the scanner is implemented. (Unless the scanner
purposely releases a virus, of course...)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN
Tel.:+49-40-54715-224, Fax: -246      Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Thu, 21 Nov 91 14:02:45 -0800
From:    karyn@cheetah.llnl.gov (Karyn Pichnarczyk)
Subject: Re: DIR-2 found in USA (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> Also Dr. Solomon's Anti-virus Toolkit, version 5.13 and above, is able
> to detect the virus. Not to eradicate it, however. The only three
> methods for removing this virus which are currently available, are
> CLEAN 84, my program DIR2CLR, and using the REN method, described by
> Andrzej Kadlof (similar to your backup method, but much easier and
> faster).

Also DDI's Virhunt (from the Data Physician package) version 3.0B
detects and eradicates DIR-2.

Karyn Pichnarczyk
CIAC Group
Lawrence Livermore Nat. Labs
510-422-1779

------------------------------

Date:    Fri, 22 Nov 91 10:39:49 +0000
From:    kvlxhr@uts.uni-c.dk (Hans Roulund)
Subject: Does PC virus affect hardwares? (PC)

This is the first time I write to this newsgroup. My friend and I had
several unpleasant experiences with hardware failures. We speculate
that there was probably a virus on our PCs. Now I try to describe what
had happened to us.

My friend had an 80286 PC clone with a SCSI harddisk and a 5.25" floppy
drive. A month ago his PC kept remembering the disk information of A:.
So every time he changed a diskette, the PC continued to show the
contents of the previous diskette when he used the DOS command DIR.
Furthermore, the correctly connected laser printer didn't print
anything. When he tried with a virus-free system diskette, everything
worked fine. But there was no way to install the system on the harddisk
correctly. The PC kept losing harddisk configuration info. Then my
friend bought another PC, an 80386, but the same problem began to
appear again.
That's losing harddisk configuration info and refusing to take a new
diskette, plus the printer doesn't work. (It beeps when the screen print
key is pressed.) Can you tell me what kind of virus it could be and
what cure?

Now to my headache. I use a PC 80386sx with an AT-bus harddisk
controller (my friend's second PC also has an AT-bus harddisk). It
worked fine until I installed a fax-modem. One day the fax modem
started to siren very loudly and unbearably, and my machine seemed to
have lost all info stored in CMOS. After I specified all the parameters
CMOS asked for, I found my harddisk was totally out of order! Both the
boot sector and the FAT and root directory seem to have moved 18
sectors forward. There are a lot of blank sectors scattered on the
harddisk (marked with 6F, or the letter l). I know they should not be
there since my harddisk was virtually full. After I checked the
fax-modem on another machine, it seemed to be damaged. I thought it was
all due to my having no earth-grounded AC line. But it doesn't seem to
be the right explanation. Now I try to recover invaluable files sector
by sector on an 89 MB harddisk. Can you experts help?

Thank you

G.f.x.

------------------------------

Date:    Fri, 22 Nov 91 08:53:35 +0000
From:    Fridrik Skulason
Subject: Re: Generic scanning - a small test (PC)

In Message 18 Nov 91 17:06:41 GMT, RZOTTO@DKNKURZ1.BITNET (Otto Stolz) writes:

>How can it be that in these two cases a Quick scan detected something,
>a Secure scan missed? Before that test, I was under the impression
>that a Secure scan will never find less viruses or variants than a
>Quick scan.

Well, as the name implies, Secure scan is generally more secure than
Quick Scan - that is....

They are about as good at detecting known viruses - If you only want to
consider them, then Quick scan is sufficient. (Of course, if you want
to disinfect, then you have to use Full/Secure scan.)

Secure Scan has a higher chance of detecting new, modified variants of
old viruses - simply because it uses two search strings for each virus,
while Quick Scan only uses one. However - the one string used by Quick
scan is generally not the same as either of the two strings used by
Secure scan. So, if a virus is modified in a way which changes both of
the strings used by Secure Scan, but not the string used by Quick Scan,
then Quick Scan will detect the new variant, but Secure Scan will not.
This is not very likely, but nevertheless it happened in the case you
refer to.

Of course, when searching for totally new viruses, Quick and Secure will
probably not detect anything, but it is very likely that "Analyse" will
find something....

>Does this result mean that we will have to run both scans to be on the
>safe side?

Well, using both is safer - but normally Quick Scan should be all that
is needed.

- -frisk

------------------------------

Date:    Fri, 22 Nov 91 08:53:39 -0500
From:    Kevin_Haney@NIHCR31.BITNET
Subject: Mark Washburn

Y. Radai, in his reply to Frisk's comment about Mark Washburn, writes:

>Anyway, I do not agree that a program should be ignored simply because
>it was written by a known virus author.

While agreeing that this is strictly a matter of personal opinion and
not of fact, I must disagree with Radai's view on a couple of grounds.

The first is practical. If I knew that a certain program was written by
a virus author, I would not use it for the simple fact that I could
never be reasonably sure that the author had not planted some kind of
virus, logic bomb, trap door, or some other nefarious piece of code in
the program. He has done it in the past and there is probably not much
reason to believe he wouldn't do it again. Thus, I would never use Virus
Secure by Ralf Burger (I have seen it and it is a terrible program
anyway), or any program written by Robert Morris or someone like him, no
matter how good the program may be. There are too many other good
programs out there written by responsible programmers. I would probably
even stay away from any product from a company that knowingly employed
a virus author.

The second ground for my disagreement is ethical. When a person writes a
virus (destructive or not) and releases it, he has violated the ethical
principles that most computer professionals adhere to. To then embrace
his next non-viral programming effort is to implicitly readmit him into
the professional society with no regard for his past deeds. Also, I
would not like any of my money going into the pockets of a virus
author, even though he may claim he is "reformed". I think the view
expressed by Radai implicitly encourages virus authors and so should be
rejected.

------------------------------

Date:    Thu, 21 Nov 91 20:26:36 -0500
From:    underwood@OUVAXA.UCLS.OHIOU.EDU
Subject: Strange occurrences using DBase IV & AZUSA Comm Port (PC)

We are running DBASE IV 1.1 in a Student Lab setting using the A: disk
as the data drive and running the program off of a Novell server. While
DBase is buggy (Not my choice; merely my support!), the events in our
lab exceed even Ashton-Tate's known and unknown problems.

The lab boot/data disks contain Read Only files for IPX, NET3,
AUTOEXEC.BAT and CONFIG.SYS. Of course the system files are Hidden/Read
Only. One Lab contains 640K PC Clones booting from 5.25 Floppies; the
other, PS2-30s booting from 3.5 inch Floppies.

In the clone lab, disks running Dbase are being trashed at the FAT
level. Seriously trashed. We had no problem running Lotus and Word
Perfect earlier in the quarter. Now, it is "Nightmare on Court Street!"

Some of the problems are figuring out what is not in the manual. Others
are memory not being released by Dbase or Dbase trashing Dbase. But,
how are read only files getting fried and the FAT messed up?

Note: The same event has started in the 3.5 inch PS2 lab. SCAN80 is
being run at Login. Have had few viruses on my 3.5 inch computers.
Anyway, HHHEEELLLLPPPPP! would be appreciated.

Something in return:

Sound symptom of Stoned in a Partition Table -- Drive Grinds badly.
Break out the Scan, then use Norton's.

AZUSA virus will play with the COMM Port, effectively disabling it on a
PC/XT. Discovered while trying to install a new KERMIT on a faculty
member's PC/XT -- "Port 1 run through BIOS1" message. Thought it was
DOS 3.2 until it always worked when I booted from Floppy A:. Took me
awhile to catch on.

Sent request to admin side for subscription. Will reiterate here. Also
need info on how to get Patricia Hoffman's VSUM.

------------------------------------------------------------------
David B. Underwood
College of Business
Ohio University
Athens, Ohio 45701

------------------------------

Date:    14 Nov 91 11:03:00 -0600
From:    "APACHE::COOPER"
Subject: Request for help on getting ".CVP" documents.

Dear Gentlemen of Virus-L.

When I was subscribed to the list, someone (sorry I forgot your name)
was posting instructional files with the extension of ".CVP". Is there
somewhere that I can do a database search for that string? Or do I have
to download all the archives via FTP then search? Or maybe the kind
gentleman can send me all those files?

aTdHvAaNnKcSe (THANKS 'in' advance)

 /----------------------\
 | Jim Cooper, TSgt     |
 | Programmer/Analyst   |
 | Armstrong Laboratory |
 | Brooks AFB, TX 78235 |
 \----------------------/

BTW, send replies to cooper%apache.decnet@hsdp1.brooks.af.mil as I am
no longer subscribed to the list.

P.S. Hopefully, our *wonderful* maintainers of the mail server will
have it back on line (incoming) by the time I start receiving replies
from you.

------------------------------

Date:    Fri, 22 Nov 91 16:42:48 +0700
From:    KADLOF@PLEARN.BITNET
Subject: Gosia virus search string (PC)

Kenneth R. van Wyk writes:

>I received the following FAX this morning from the Virus Bulletin:
>The hexadecimal search pattern for the Gosia virus published on page 5
>of Virus Bulletin, November 1991 should NOT be used as it produces
>numerous false positives. A suitable alternative pattern will be
>published in December.

I do not have the November issue of Virus Bulletin, but Gosia is a
Polish virus and you may find some info about it interesting. The
following is extracted from the Virus Information Card published in
PCvirus 2(3)91:

Gosia has been isolated in Poland in April 1991. It is a rather
primitive virus with logic very similar to W13. The effective length of
the virus is 466 bytes. It infects only COM files. Infected files are
marked by putting 44 in the seconds field of the file time stamp. Gosia
is not resident and does not use any stealth technique. In one run it
infects only one file in the current directory. COM files are
recognized by the extension of the name. It infects files with a length
in the range 100 ... 63 000 bytes. On write-protected diskettes the
virus generates:

   Write protect error ...

The virus signature is:

   5681C64401b90300BF0001FCF3A45E8BD6

(I do hope it is not the same as in VB). The name of the virus (a
Polish girl's nickname) is taken from the string inside the virus:
"I love Gosia", where instead of the word "love" there is a heart
character (code 3). The virus does not contain any destructive code.
And that is all.

Regards from Warsaw

Andrzej Kadlof
Department of Mathematics, University of Warsaw
Editor-in-chief of PCvirus Bulletin

------------------------------

Date:    Thu, 21 Nov 91 19:24:00 -0500
From:
Subject: Booting from floppy, Multifinder & Disinfectant (Mac)

lunde@casbah.acns.nwu.edu (Albert Lunde) recently wrote:

> 3 - It is *not* safe to assume that because Disinfectant cannot
> repair a file that the file cannot be infected in the first place.
> A virus could infect from an INIT running before the Finder was
> launched, from booting from a floppy or various other ways.
> Disinfectant "plays by the rules" more than viruses - the
> scanning and repair runs as a regular application. Viruses
> are executed by several means, each with its own limitations.

Sorry, this is me being a bit naive. We don't really have a problem
with people starting up from bootable floppies, so we rarely see this
problem. Most kids here don't even know they can do that, and for those
of us who know we can, we don't really see a point. (Most of us who
know how to are employees of the computer center.) Of course, we
haven't had a major virus breakout on campus lately, either.

smithd@professor.eng.tulane.edu (David Smith) recently wrote:

>Well I do not know about Multifinder under sys 7 but under 6.8 running
>AUX in which multifinder is always running the desktop and the system
>have been infected and Disinfectant cannot remove it, it must be
>reinitialized.

Disinfectant can't remove viruses while Multifinder is running. In
order to be able to disinfect your system, you have to turn off
Multifinder (which I believe can still be done in system 6.8...but I'm
not sure, I haven't seen it...we're still using 6.0.7). If you can't
turn it off, use a system 6.0.x disk to boot, and then run
Disinfectant, and it should kill the virus.

My opinions are my own...my employers would shoot me if I claimed my
opinions as theirs! :-)

*******************************************************************************
*** Melissa A. Jehnings             *  "We sometimes catch a window         ***
*** Student Manager                 *   A glimpse of what's beyond          ***
*** Academic Computing Center       *   Was it just imagination             ***
*** Wheaton College                 *   Stringing us along?                 ***
*** Norton, MA                      *   More things than are dreamed about  ***
*** BITNET: LISSA@WHEATNMA          *   Unseen and unexplained              ***
***         WUG@WHEATNMA            *   We suspend our disbelief            ***
*** Apple Ambassador for the        *   And we are entertained."            ***
*** Computer Users' Group of Wheaton*      ---Rush, "Mystic Rhythms"        ***
*******************************************************************************

------------------------------

Date:    Thu, 21 Nov 91 14:44:26 -0600
From:    James Ford
Subject: Frog's Alley / new upload (PC)

For those people keeping track, Frog's Alley has been found in
Tuscaloosa, Alabama. This comes on the heels of Plastique/Anticad..... :-(

VIRLAB14.ZIP has been uploaded to risc.ua.edu for anonymous FTP. Below
is a short description of the file by the uploader (part of README.TXT).

- ----------
Common sense is the least common of all senses.
- ----------
James Ford - Consultant II, Seebeck Computer Center
The University of Alabama (in Tuscaloosa, Alabama)
jford@ua1vm.ua.edu, jford@risc.ua.edu

- ---------------------- begin short description --------------------------

VIRLAB
A Computer Virus Simulation Environment

VIRLAB is a program for the simulation of the spreading of DOS
computer viruses and their prevention. VIRLAB will thereby allow free,
riskless experimenting, rather than following any fixed teaching
strategy. With a basic knowledge about computer viruses the effects of
viral infections during various stages can be studied without dealing
with real viruses. This provides students in computer security classes
etc. with a hands-on experience without getting in touch with actual
viral code.

The program simulates an IBM-compatible personal computer under MS-DOS,
version 3.2 which contains both a floppy disk drive and a hard disk
drive. In the simulation environment you can select one virus out of a
database with more than 300 currently known computer viruses (including
Dir-2) and infect a disk with it. As the work with this disk continues,
the virus will become active and start spreading. As a general rule,
this would happen unnoticed by the user during the execution of
DOS-commands or user programs.
VIRLAB will make these viral activities visible in various ways:

- - infected disks will be shown in red
- - each action of the virus will be announced if the trace mode is
    switched on
- - you can display information about the exact content of a disk or
    the main memory in an info-window. Thus, you can find out where
    the virus has already installed itself

Furthermore, VIRLAB will give help depending on the situation as to how
you can remove the virus from the system.

!!! What VIRLAB is NOT:
!!! - VIRLAB is NOT a virus construction kit
!!! - VIRLAB does NOT scan your files for viruses or prevent viral attacks
!!! - VIRLAB does NOT modify your files
!!! - VIRLAB does NOT use any viral code or viral scan strings.
!!!   If your scan program reports infections while scanning
!!!   VIRLAB files, this probably means that these files are infected
!!!   by a real computer virus.

- ------------------------------------------------------------------------------

For experimentation with VIRLAB, you will need an IBM-compatible PC
with operating systems MS-DOS or PC-DOS, an EGA or VGA graphic card, a
mouse and a color screen.

- ------------------------------------------------------------------------------

VIRLAB was developed at the Institut fuer Informatik of the Technical
University of Munich (Germany) in the course of general student
education. This software is in the public domain. Program and files can
be freely distributed and used in this configuration. You will find the
actual version on gsradig1.informatik.tu-muenchen.de in the directory
pub/VIRLAB. (NOTA BENE: Copyright for the file VIRLIST.TXT is by McAfee
Associates; we hereby gratefully acknowledge the permission to use this
file for VIRLAB). Distribution of VIRLAB must be free of charge (except
for a reasonable fee for floppy discs etc.)

Karlhorst Klotz
Institut fuer Informatik
TU Muenchen
Orleansstr. 34
8000 Muenchen 40
GERMANY
Tel. +89/48095-115
Fax. +89/48095-203
e-mail: klotz@lan.informatik.tu-muenchen.dbp.de

Any comments and suggestions are appreciated.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 225]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
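Editor's added example for the "ANSI Bombs" thread in this digest (not code from the digest or from any of its authors). ANSI.SYS reassigns a key with a control sequence of the form ESC [ keycode ; "string" p, where the final byte 'p' is the one Padgett's single-byte driver patch replaces. The detector below parses Control Sequence Introducer sequences the way ANSI.SYS does (quoted strings inside the parameters cannot terminate the sequence) and reports any sequence ending in the redefinition final byte, so a defender can check downloaded text or .ANS files before TYPEing them. The sample bytes are constructed; the `final_byte` parameter is an assumption added so a patched driver's replacement character can be checked instead.

```python
"""Detect ANSI.SYS keyboard-reassignment sequences in a text or .ANS file.

ANSI.SYS remaps a key with  ESC [ <keycode> ; "<replacement>" p  -- the
final byte 'p' is what Padgett's one-byte driver patch changes.  Colour
and cursor sequences end in other final bytes and are left alone.
"""
import sys

ESC = 0x1B


def find_csi_sequences(data: bytes):
    """Yield (offset, parameter_bytes, final_char) for each ESC [ ... sequence.

    ANSI.SYS allows double-quoted strings inside the parameters, so a letter
    inside quotes (e.g. ESC[65;"dir";13p) must not end the sequence early.
    """
    i, n = 0, len(data)
    while i < n - 1:
        if data[i] != ESC or data[i + 1] != ord("["):
            i += 1
            continue
        start, j = i, i + 2
        in_quote, params, final = False, bytearray(), None
        while j < n:
            c = data[j]
            if c == ord('"'):
                in_quote = not in_quote
                params.append(c)
            elif not in_quote and 0x40 <= c <= 0x7E:
                final = chr(c)          # CSI final byte range
                break
            else:
                params.append(c)
            j += 1
        if final is None:
            return                      # truncated sequence at end of data
        yield start, bytes(params), final
        i = j + 1


def find_key_redefinitions(data: bytes, final_byte: str = "p"):
    """Return [(offset, parameters)] for sequences ending in `final_byte`.

    `final_byte` defaults to the standard 'p'; for a driver patched as
    Padgett describes, pass the replacement character instead (assumption).
    """
    return [(off, params.decode("latin-1"))
            for off, params, final in find_csi_sequences(data)
            if final == final_byte]


# Constructed sample: a colour sequence, a benign key remap (key code 65 = 'A'
# replaced by "dir" plus Enter), and a cursor-position sequence.
SAMPLE = (b"\x1b[1;31mWelcome\x1b[0m\r\n"
          b'\x1b[65;"dir";13p'
          b"\x1b[10;5HDone\r\n")


def scan_file(path: str):
    """Convenience wrapper: scan a file on disk and return the findings."""
    with open(path, "rb") as fh:
        return find_key_redefinitions(fh.read())


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, params in find_key_redefinitions(data):
        print(f"key redefinition at offset {off}: ESC[{params}p")
```

Run with a file name to scan that file, or with no arguments to scan the constructed sample, which reports the single remap at offset 20. Eric Florack's approach (a driver that does not implement redefinition at all) removes the problem at the sink; this check covers the source side, flagging the sequence before it reaches any driver.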
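Editor's added example serving two messages in this digest, Andrzej Kadlof's Gosia information card and frisk's explanation of one versus two search strings per virus; it is not code from the digest, from PCvirus or from F-PROT. It implements a minimal scan-string detector over COM file images using the Gosia pattern exactly as quoted above, adds the other markers the card gives (COM files of 100 to 63 000 bytes, the "44 in the seconds field" time stamp), and shows that a scanner holding two strings for a virus still flags a constructed variant in which one of the strings was edited. The sample images are constructed and contain only the 17 signature bytes and the text string, no virus body; reading "44" as a seconds value of 44 in the DOS time word is an assumption.

```python
"""Scan-string detector over COM file images, using the Gosia pattern from
the digest and the infection markers Andrzej Kadlof's card describes.

Constructed example code.  The signature bytes decode (16-bit x86) to the
routine that restores a COM file's original first three bytes:
    56          push si
    81 C6 44 01 add  si, 144h
    B9 03 00    mov  cx, 3
    BF 00 01    mov  di, 100h
    FC          cld
    F3 A4       rep  movsb
    5E          pop  si
    8B D6       mov  dx, si
"""

GOSIA_SIGNATURE = bytes.fromhex("5681C64401b90300BF0001FCF3A45E8BD6")
GOSIA_TEXT = b"I \x03 Gosia"          # "I love Gosia" with a heart (code 3)
GOSIA_MIN_LEN, GOSIA_MAX_LEN = 100, 63000
GOSIA_MARK_SECONDS = 44               # assumption: "44 in the seconds field"


def make_dos_time(hour: int, minute: int, second: int) -> int:
    """Pack a time into the FAT/DOS 16-bit format (2-second resolution)."""
    return (hour << 11) | (minute << 5) | (second // 2)


def dos_time_seconds(dos_time: int) -> int:
    """Seconds component of a DOS time word (always even)."""
    return (dos_time & 0x1F) * 2


def scan_buffer(data: bytes, signatures: dict) -> dict:
    """Return {name: [offsets]} for every search string that occurs in data.

    `signatures` maps a virus name to a list of byte patterns; any one of
    them matching is a hit, which is why holding two strings per virus
    (as frisk describes for Secure scan) survives an edit to one of them.
    """
    hits = {}
    for name, patterns in signatures.items():
        offsets = set()
        for pat in patterns:
            off = data.find(pat)
            while off != -1:
                offsets.add(off)
                off = data.find(pat, off + 1)
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def scan_com_image(data: bytes, dos_time: int, signatures=None) -> dict:
    """Combine the scan-string check with Gosia's size and timestamp markers."""
    if signatures is None:
        signatures = {"Gosia": [GOSIA_SIGNATURE, GOSIA_TEXT]}
    hits = scan_buffer(data, signatures)
    marker = dos_time_seconds(dos_time) == GOSIA_MARK_SECONDS
    size_ok = GOSIA_MIN_LEN <= len(data) <= GOSIA_MAX_LEN
    return {
        "signature_hits": hits,
        "timestamp_marker": marker,     # file already stamped as infected
        "size_in_range": size_ok,       # a candidate host for infection
        "suspicious": bool(hits) or marker,
    }


# Constructed sample COM images (not real malware): a 3-byte jump, padding,
# then the two Gosia strings; and a clean 4-byte program (mov ah,4Ch / int 21h).
INFECTED = b"\xE9\xC8\x00" + b"\x90" * 200 + GOSIA_SIGNATURE + GOSIA_TEXT
VARIANT = INFECTED.replace(b"Gosia", b"Kasia")   # text string edited, code intact
CLEAN = b"\xB4\x4C\xCD\x21"

if __name__ == "__main__":
    for label, img, t in (("infected", INFECTED, make_dos_time(12, 34, 44)),
                          ("variant", VARIANT, make_dos_time(12, 34, 44)),
                          ("clean", CLEAN, make_dos_time(12, 34, 10))):
        print(label, scan_com_image(img, t))
```

The `VARIANT` image shows frisk's point in miniature: a scanner carrying only the text string misses it, one carrying both strings still catches it on the code pattern. The converse case he describes (a variant that breaks both strings of one scanner but not the single, different string of another) is the same set logic with the roles swapped. The time-stamp marker is worth a separate report because, as the card says, Gosia uses it to avoid reinfecting, so a clean file carrying the mark is a sign of an inoculation or of a previous infection.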
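Editor's added example for Hans Roulund's recovery problem (boot sector, FAT and root directory apparently 18 sectors off, and sectors overwritten with 6Fh); it is not code from the digest or from any tool mentioned in it. Before recovering files "sector by sector", the first step is to find where the boot sector actually sits: the example walks a raw image, checks each sector for the 55AAh marker, a jump opcode and a plausible DOS BIOS Parameter Block, and separately counts sectors consisting entirely of one fill byte. The disk image, its boot sector and the 18-sector shift are constructed to mirror the report; the BPB layout and marker are standard FAT.

```python
"""Locate a displaced FAT boot sector in a raw disk image and count sectors
overwritten with a fill byte, for the kind of damage Hans Roulund describes
(boot sector/FAT/root directory apparently 18 sectors off, sectors of 6Fh).

Constructed example; the BPB layout and the 55AAh marker are standard FAT.
"""
import struct

SECTOR = 512
BPB_FORMAT = "<HBHBHHBHHHII"   # DOS 3.x BIOS Parameter Block at offset 11
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_count", "root_entries", "total_sectors16", "media",
              "sectors_per_fat", "sectors_per_track", "heads",
              "hidden_sectors", "total_sectors32")


def parse_bpb(sector: bytes) -> dict:
    """Unpack the BPB fields of a candidate boot sector."""
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 11)))


def looks_like_fat_boot_sector(sector: bytes) -> bool:
    """Plausibility checks beyond the 55AAh marker, to cut false positives."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xAA":
        return False
    if sector[0] not in (0xEB, 0xE9):            # jump to boot code
        return False
    b = parse_bpb(sector)
    return (b["bytes_per_sector"] in (512, 1024, 2048, 4096)
            and b["sectors_per_cluster"] in (1, 2, 4, 8, 16, 32, 64, 128)
            and b["reserved_sectors"] >= 1
            and b["fat_count"] in (1, 2)
            and b["root_entries"] > 0
            and b["media"] >= 0xF0
            and b["sectors_per_fat"] > 0)


def find_boot_sector_candidates(image: bytes, sector_size: int = SECTOR):
    """Return the sector numbers whose content passes the boot-sector checks."""
    return [n for n in range(len(image) // sector_size)
            if looks_like_fat_boot_sector(image[n * sector_size:(n + 1) * sector_size])]


def count_fill_sectors(image: bytes, fill: int, sector_size: int = SECTOR) -> int:
    """Count sectors consisting entirely of one byte value (e.g. 6Fh)."""
    pattern = bytes([fill]) * sector_size
    return sum(1 for n in range(len(image) // sector_size)
               if image[n * sector_size:(n + 1) * sector_size] == pattern)


def build_fat_boot_sector() -> bytes:
    """Constructed 1.44 MB-style FAT12 boot sector for the sample image."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"
    bs[3:11] = b"MSDOS3.3"
    struct.pack_into(BPB_FORMAT, bs, 11,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def build_sample_image(shift: int = 18, fill_sectors=range(40, 50)) -> bytes:
    """64-sector image with the boot sector displaced by `shift` sectors and
    a run of sectors overwritten with 6Fh, mimicking the reported damage."""
    sectors = [bytes(SECTOR) for _ in range(64)]
    sectors[shift] = build_fat_boot_sector()
    for n in fill_sectors:
        sectors[n] = b"\x6F" * SECTOR
    return b"".join(sectors)


if __name__ == "__main__":
    img = build_sample_image()
    print("boot sector candidates:", find_boot_sector_candidates(img))
    print("sectors filled with 6Fh:", count_fill_sectors(img, 0x6F))
```

On a real image the candidate list also catches stale copies of old boot sectors, so each hit should be read with `parse_bpb` and compared with the drive's known geometry before the offset is trusted; once the true offset is known, `reserved_sectors`, `fat_count` and `sectors_per_fat` give the positions of the FAT copies and the root directory relative to it. The fill-sector count is a quick way to estimate how much of a "virtually full" disk has been overwritten rather than merely displaced.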