VIRUS-L Digest Monday, 20 May 1991 Volume 4 : Issue 85 Today's Topics: Re: Trojan version of VIRUSCAN version 78 (PC) Re: SCAN hangs when checking Windows' SOL.EXE (PC) re: Partition Table Viruses (PC) re: VIRUSSUM format (PC) re: DISKSECURE update (PC) Tequila virus (PC) Re: VIRUSSUM format (PC) re: The Shape of the World (PC) VIRSCAN Question (PC) Partition Table Viruses (PC) MS-DOS in ROM? (PC) Dead vs Live: Commercial Necessity?? Which format for Partition Table Viruses (PC) Q: Yankee Doodle ?? (PC) Re: VIRRUSSUM format Disinfectant and System 7 (Mac) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Thu, 16 May 91 16:50:01 -0700 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Re: Trojan version of VIRUSCAN version 78 (PC) PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) writes: > > NOT correct. McAfee Associate's Serial Number is NWM405. > > This worries me. Could somebody explain what good the PKUNZIP > authentication system should be, as it obviously isn't providing > enough warning here. (Who would know, and think of looking at, the > serial number? Probably few people). Exactly the point ~made in one recent posting that examined the various mathods McAfee Associates uses to try to maintain the integrity of the programs. The "authentic verification" only attaches a code which (more or less) confirms that the archive was packed up by an identifiable person. I am sure that McAfee Associates is even now burning up the phone lines to Phil Katz demanding what twit registered a copy of PKZIP under the name of their company with that serial number. ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ Date: Fri, 17 May 91 09:17:00 -0400 From: "Monty Hinten" Subject: Re: SCAN hangs when checking Windows' SOL.EXE (PC) I suspect the problem lies in a "normal" DOS bad sector. I have encountered similar problems with SCAN, though usually on floppy disks. I find that running Norton's Disk Doctor will repair the disk, moving a part of the file if necessary, and then SCAN will process the file normally. A quick way to determine if the problem is related to a bad sector is to COPY it to another directory, then SCAN it. If the copy fails, then you know what the problem is. I wouldn't reccomend using CHKDSK /F to repair your disk; if you don't have NDD (or something equivelant, like PC TOOLS), try DELeting the file, then copy it back to the Windows directory from the distribution diskette. You may have to use the EXPAND utility that comes with Windows - I don't remember. Monty Hinten Information Security Officer US EPA, Region I, Boston BITNET: RHZ@NCCIBM1.BITNET ------------------------------ Date: Fri, 17 May 91 12:09:43 -0400 From: Padgett Peterson Subject: re: Partition Table Viruses (PC) >From: "Anthony H. Galway" >... and so ....format C:! > Now am I the absolute soul of niavete by taking this action, >or am I doing the only thing possibly? Having dealt with a number of viruses, I have never "HAD" to format a disk, all are removable by someone who understands the architecture. Except in one case which I suspect you have encountered & relates to hardware rather than a virus (no hidden sectors), all that is needed is a protected bootable floppy containing DEBUG, a hardware list (optional but handy), and CHKDSK. The problem with CLEAN and other generic disinfection routines is that they being automatic routines, cannot anticipate or handle every conceivable mix of hardware and O/S. A good tech who understands assembly language, MBRs, & viruses can. Given the first two qualifications, the rest can be taught in a day. ------------------------------ Date: Fri, 17 May 91 12:09:43 -0400 From: Padgett Peterson Subject: re: VIRUSSUM format (PC) >From: kuhnle@ait.physik.uni-tuebingen.de (Volkmar Kuhnle) >But over the months al lot of new viruses (and strains of existing ones) >have been uncovered, so that VIRUSSUM.DOC grew in size. Since the >current version is about more than 500 K in length, is is getting >harder and harder to find informations about a special virus in >a file of this size, since I have to use a normal editor. The 9104 version is in excess of 600k now something I have commumicated with Patricia about since last year. For the short term, Vern Bureg's (sp?) excellent shareware LIST facility can handle it easily plus provide search facilities to find certain occurances. For editing, my WordStar has no problem (very good for translating DEBUG to source code too - plug) with large files. At one point last year I tried some simple reformatting & whitespace elimination that reduced VSUM from 500k to around 300k without changing the format. I also suggested page breaks at each virus to fit into a loose- leaf folder and allow monthly updates so that the whole thing only had to be downloaded once. My suspician is that the original version was done on an IBM mainframe (used to be sorted in EBCDIC order) However since it is copyrighted material, such forms cannot be distributed without permission. The problem with a .DBF format is that not everyone can read it. For that reason my preference is for flat ASCII files, these can even be put onto a mainframe if desired. There are a number of flat-file databases available & is the reason I reformatted VSUM for Patti last May to have consistant column boundaries & charactoristic formats. There is no question that VSUM could be made much smaller without losing any functionality, the .ZIP ratio gives a good indication of that. ------------------------------ Date: Fri, 17 May 91 12:09:43 -0400 From: Padgett Peterson Subject: re: DISKSECURE update (PC) My DISKSECURE v.93 system for IBM PCs is now on the CVIA bulletin board (408)988-4004 with updates and simple installation. This will probably be the last beta version as there is only one more fix I need to put in to handle some very early XT disk controllers that write to the MBR periodically. I make no guarenttees for anything other than I use it myself but enen though there is a "quickstart" for use from a floppy, PLEASE read the .DOCs. Warmly, Padgett ------------------------------ Date: Fri, 17 May 91 14:17:05 From: microsoft!c-rossgr@uunet.uu.net Subject: Tequila virus (PC) >From: "David.M.Chess" >Has this been around for awhile? Just in the last week or so, I've >heard of it from a couple of different, widely separated, places in >Europe, and I hadn't heard of it before. Does anyone have a good.... By the look of things, it's a flip flop virus: an infected program infects the partition record, infected partition records infect programs. Additionally, it looks a lot like a combo of 1260 and v101: it is impossible to get a scan string for it. Naturally, VIRX14 catches it. Ross ------------------------------ Date: Fri, 17 May 91 18:54:32 +0000 From: ebrewer@ux1.cso.uiuc.edu (Ellen Brewer) Subject: Re: VIRUSSUM format (PC) kuhnle@ait.physik.uni-tuebingen.de (Volkmar Kuhnle) writes: >But over the months al lot of new viruses (and strains of existing ones) >have been uncovered, so that VIRUSSUM.DOC grew in size. Since the >current version is about more than 500 K in length, is is getting >harder and harder to find informations about a special virus in >a file of this size, since I have to use a normal editor. > >I came to the conclusion that an ASCII file is not appropriate for the >distribution of so much data. Therefore I would suggest to supply >future versions as DBF files (dbase format). Database programs which >are able to read DBF files are very common in the PC world. And it >would be much easier to find information about a virus quick in >an DBF file than in an ASCII file. Distribution in ASCII file format is far preferable to any other format. While many people use dbase, it is far from universal. I hesitate to think of the contortions I would have to go through to get information from a DBF file. Nor do I think that an alternative nonuniversal format is an acceptable solution. What you need is a text file browser, since you don't need to edit, just scan for strings and read. This would provide you with a general purpose tool for looking at any text file, not just a way to look at VIRUSSUM.DOC. The software I use is LIST by Vernon D. Buerg. It's free for personal use, with a suggested donation of $15 if you find it of value. It doesn't insist on reading the whole file into memory at once. There's probably a much more recent version than the one I have from 1987, but even that one is very nice, and allows marking blocks of lines and writing them to another file. I'm sure there are other programs to fill this function too--this just happens to be what I use. - -- Ellen Brewer (ebrewer@ux1.cso.uiuc.edu) "Non ignara mali, miseris succurrere disco." ------------------------------ Date: Fri, 17 May 91 14:51:04 From: microsoft!c-rossgr@uunet.uu.net Subject: re: The Shape of the World (PC) >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) >.... part of the education we have failed to provide is what the >risks really are. My opinion is that a good regimen (screening & >briefings) plus an integrity routine that will detect anomalies is >what the general population needs. With all due respect, everybody has always been taught that if an ounce of prevention is worth a pound of cure, then two ounces of prevention must be even better. If my code merely did integrity checks, instead of doing integrity checks *and* known signature scanning, I'd lose out to somebody who offers both. That's because *their* marketing people have a single mission in life (as do *my* marketing people): to sell as much code as possible. I've probably hobbled the marketing guys at Microcom (who are quite good, btw, and I recommend the group I deal with to anyone with other types of code) by requiring them to be completely honest in their claims. That honesty is costing marketshare, I bet. >For large corporations, the cost of a site license can be lost in the >noise compared to the cost of trying to administer several thousand >updates (5000 PCs x 10 minutes per update x 4 times per year = 1 2/3 >manyears not to mention the distribution nightmare). Much easier to >take a one-time installation hit plus automatic installation at the >warehouse as part of the distribution process. I agree...to a point. I would think that updating 5000 PC's for a new scanner that differs from the previous one in a bunch of new viral strings for a bunch of "research only" viruses is a waste of time. In the case of my last update, though, some problem areas were worked on, the code was made faster and more reliable, networking is better, etc. Yet, in this climate, if I had merely released code with those enhancements (the ones that I really care about) and not upped the virus count from about 350 to about 420, people would not have downlaoded the code: they seem to have seen the "two ounces" mentioned above as more important then the enhancements. I can't simply say "Yo! *NOBODY* gets the Whale Virus, so why do you care?" >>And the marketing dudes I work with closely at Microcom tell me what >>we can lose a site license because of and where our strong points are: >So be the first to offer BIOS level checking & authenticated paths as >part of the boot process. We do that through the DOS level now, but you raise a good point. I'll incorporate that into the next cut of the code, given time. >Today, the sheer diversity of anti-viral products demonstrates that, >as in pointing devices and user interfaces, the One True Answer has >yet to be found. Unle$$, of cour$e, you buy my code. Ross ------------------------------ Date: 17 May 91 23:08:33 -0400 From: "Robert McClenon" <76476.337@CompuServe.COM> Subject: VIRSCAN Question (PC) An associate of mine had a problem at work today. He was trying to use IBM's VIRSCAN to scan a diskette for viruses. The diskette supposedly contained three PowerPoint files with extensions of .PPT and nothing else. The scan resulted an error message being displayed three times saying something to the effect of: An invalid opcode was encountered without an error handler being registered. This message did not say where the error was found. Then his workstation "froze hard", and he had to power it off to restart it. Was this error message coming from VIRSCAN or from DOS? If it was coming from VIRSCAN, what was VIRSCAN trying to do and what was it really doing? His theory is that VIRSCAN was scanning the entire diskette rather than all files and was being confused by fragments of deleted files, and locked up because of an uncertain situation. I am wondering whether the error was coming from DOS, and indicates that his copy of VIRSCAN on his hard disk is bad and should be reinstalled. Has anyone ever seen this message before? Where does it come from? What does it mean? Robert McClenon Neither my employer nor anyone else paid me to say this. My opinions may be someone else's, but then again they might not. ------------------------------ Date: 17 May 91 23:38:31 -0400 From: Wolfgang Stiller <72571.3352@CompuServe.COM> Subject: Partition Table Viruses (PC) >From: "Anthony H. Galway" > > Our PC labs have been recently become victim of several >partition table viruses, namely Bloody!, Azusa and Stoned. I find >that McAfee's CLEAN works well on the STONED allowing it to clean the >partition table almost all the time (rarely, though it happens, it >seems to be to far gone and I end up doing a format), but the BLOODY! >virus seems to be a bit more advanced more often than not the CLEAN >program claims that it can not safely remove the virus from the >partition table ... and so ....format C:! > > Now am I the absolute soul of niavete by taking this action, >or am I doing the only thing possibly? Is there any better anti-viral >around that can handle partition table problems? If not is there any >way to better protect ourselves. There are tools: CHKBOOT and LODBOOT which come with the PCdata Integrity toolkit (Free) which will detect any boot or partition table infections and reload if these sectors should be infected. (The toolkit also detects any file corruption or virus infection) Reloading the partition sector would have solved your problem without the need for a "format C:" unfortunately, you've got to use CHKBOOT before your partition table is infected. These programs are available on CompuServe (GO ZNT:UTILFORUM) and download PCDCOM.ARC and PCDART.COM for the toolkit and the (self-extracting) article. These files are also on many BBS systems including the NCSA BBS 202-364-1304. Please read my article in the Feb 13th 1990 PC Magazine to learn all about this free software without downloading. If used according to directions the toolkit provides a complete virus detection system that will detect ALL viruses. Wolfgang Stiller (Stiller Research) Author of the PCdata Integrity Toolkit ------------------------------ Date: Fri, 17 May 91 06:43:55 -0400 From: "Krishna E. Bera" Subject: MS-DOS in ROM? (PC) Is there any effort underway to produce a ROM version of MS-DOS or clone that is: 1. inexpensive 2. easy to upgrade (by changing a board, for example) 3. standardized in interface (i.e., DOS interrupt calls) 4. bootable (obviously), but DIP switch selectable from a disk 5. preferably not patented ? If this has been dismissed in earlier discussion, my apologies and please e-mail me a summary. - -- Krishna E. Bera Programmer/Analyst kebera@alzabo.ocunix.on.ca MIL Systems Engineering Inc. Ottawa, Canada ------------------------------ Date: Sat, 18 May 91 02:16:00 -0600 From: "Jonathan E. Oberg" Subject: Dead vs Live: Commercial Necessity?? Without getting into a philosophic discussion about what constitutes life, and whether viruses (biologic or electronic) are alive, let me define a virus that has had limited detection in the public - what has been refered to here as a research virus - as a "dead" virus and a virus that continues to be detected in the public to a signficant degree as a "live" virus. QUESTION: Will new live viruses spread effectively without new techniques?? The observation may be a bit naive, but in regard to the discussion of research viruses vs viruses in the environment, have we not minimized the risk of a new virus propogating by known means (for example, boot sector stealth viruses) with any success?? Few sites do not have *some* protection/ detection available. Further, the infrastructure for distributing notices of new viruses symptoms, detection methods/signitures, et cetera is now well defined and used (this forum for example.) Has anyone studied the rate of introduction of successful viruses?? My guess would be a strict decline. Is this far off others' experiences? On a strickly biological model, viruses must have some time X necessary to propogate from one system to another. We are unconcerned with propogation on one system, as this will be a factor in how long the virus takes to move from system to system. With the increase of scan/resident/other virus programs, and a significant decrease in the time between when a virus is detected and the information on that virus is published, the time a virus has available to spread is shortened, perhaps below the critical level necessary for success. The WDEF virus on the mac, for example, was an example of a new viral technique. It became widespread. Successors however, have faired poorly: CDEF, MDEF, LDEF?? Once the technique is known, detection/prevention effectively kills these viruses. Call this the smallpox syndrome; once we know how to detect, remove, and innoculize against these strains, we effectively erradicate them as successful viruses. Is the stoned virus, for example, so prevelent because it is well designed and/or defeats virus detection, or because it proceded the large increase in sites with virus detection programs. Does not, in fact, a unique (defeats currect programs) and successful (infects "large" number of sites) virus *drive* the acceptance of virus detection/prevention programs. The question is important in considering the commercial aspect of virus protection. Without discarding the deeply appreciated efforts of frisk, et al, virus protection has become big business. I cannot imagine Symantic for example, advertising NAV as "Catches 100% of live viruses." To be commercially competitive, they *have* to advertise they catch *at least* as many viruses as their competitors, even though 99% of these viruses are never seen outside "virus labs." Without a continual influx of successful viruses, that is new techniques, the only marketable force behind upgrades and/or market share are dead viruses. Jonathan Oberg 76100.1254@compuserve.com ------------------------------ Date: Sat, 18 May 91 09:39:11 -0230 From: "Anthony H. Galway" Subject: Which format for Partition Table Viruses (PC) I have, for partition table viruses, always done a DOS format to rid myself of the offender if McAfee's CLEAN didn't work (be assured that I have also done a LOW level format in cases when the partition table was hopelessly infected). This does not remove the virus, but it does seem to do something to the partition table that allows CLEAN to then remove it. Recently, (READ: since my previous post 2 days ago), it has come to my attention that this is not the accepted way of ridding myself of the virus, instead I should do the LOW Level format. Which way is correct? I know the LOW level format guarantee's results, but this method also destroys any additional partitions. We use DOS 3.3 and have two partitions, C: & D:. If I do a LOW level format then I have to reinstall about 30MB of various programs, this of course does not include any user programs/data, whereas if I use the DOS format and reformat only drive C: I then have to reinstall little more than half that. So am I safe in doing the DOS format, or should I only use a LOW level format? Thanks for any help. Anyone know where I can get a comprehensive list of viruses, their symptoms and what they do? - -- Anthony H Galway |\_/| I tried to think up something either tony4@garfield.cs.mun.ca (` ') profound or witty to put here ...... tony@piglet.engr.mun.ca |"| I couldn't. ------------------------------ Date: Fri, 17 May 91 23:58:37 From: Michael Stribick Subject: Q: Yankee Doodle ?? (PC) Hello ! What kind of virus is the YANKEE DOODLE ?? What happens to a infected PC ?? Bye, mike ------------------------------ Date: Mon, 20 May 91 08:56:00 +1000 From: BOXALL@qut.edu.au Subject: Re: VIRRUSSUM format It is far easier to view the document with a file viewer, say LIST. This works quickly and effieciently as the user simply has to do a search for a keyword and the information is presented immediately. Not everyone wants to use a database to access the information, as this will take more time and increase the complexity of retrieving information. Wayne Boxall Computer Virus Information Group Queensland University of Technology Australia ------------------------------ Date: Sun, 19 May 91 19:50:16 -0600 From: j-norstad@nwu.edu (John Norstad) Subject: Disinfectant and System 7 (Mac) Thanks to an error in Apple's Compatibility Checker, I've been deluged with requests for information on Disinfectant 2.5. If you have installed the Disinfectant INIT on your system, Apple's Compatibility Checker incorrectly reports that it is incompatible with System 7, and it recommends that you get version 2.5. There is no Disinfectant 2.5, and there won't be one! Disinfectant 2.4 works fine with System 7, provided you leave the Disinfectant INIT in the System Folder proper. Do not move the INIT to the new Extensions Folder. If the Installer moves the INIT to the Extensions Folder for you, move it back to the System Folder proper. If you try to repair an infected file, Disinfectant 2.4 may tell you that the file is busy and recommend that you "try again without MultiFinder." You can't turn off MultiFinder in System 7. If this happens to you, restart your Mac using the "Disk Tools" startup floppy that comes with System 7. Then run Disinfectant again. There is one small problem with Disinfectant 2.4's custom get file dialog which lets you select a folder to be scanned. Don't try to select any files or folders in the new Desktop level in this dialog. Disinfectant may crash or scan the wrong object. I am working on a new version 3.0 of Disinfectant which will take full advantage of the new facilities available in System 7, including Balloon help, full color icon families, anti-viral and other Apple events, icon dropping in the Finder, a new solution to the busy files problem, and other neat new stuff. Version 3.0 will also include a very thorough discussion of all the issues regarding viruses, Disinfectant, and System 7 in the online manual, and it will fix the problem with the custom get file dialog. I hope to release this new version sometime this summer. Again, until my version 3.0 is released, you can and should use version 2.4 with System 7. John Norstad Academic Computing and Network Services Northwestern University j-norstad@nwu.edu ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 85] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253