VIRUS-L Digest   Tuesday, 21 May 1991    Volume 4 : Issue 86

Today's Topics:

m-disk (PC)
Help With Frodo & Yankee Doodle (PC)
A busy month (PC)
re: The Shape of the World (PC)
Re: Tequila virus (PC)
re: VIRSCAN Question (PC)
re: Dead vs Live: Commercial Necessity??
Problem with Yankee Doodle virus (PC)
Bug in VirusScan (PC)
Re: VIRRUSSUM format
Re: Dead vs Live: Commercial Necessity??
Re: Which format for Partition Table Viruses (PC)
re: Dead vs Live: Commercial Necessity??
Detecting Spanish Telecom ?? (PC)
F-PROT and BBSes (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    20 May 91 03:39:26 +0000
From:    mryman@oucsace.cs.ohiou.edu (Mark Ryman)
Subject: m-disk (PC)

Could someone please send me some info about how we may become registered to legally use m-disk in our labs here at Ohio University? We have been having some problems with the 'Ohio' virus and I have used a copy of m-disk to remove it from several users' disks. My boss would like for me to find out about getting registered and possibly obtaining a site licence (if necessary) before we begin using it on a regular basis in our labs. Any info would be appreciated. Also, what other anti-viral software will remove this particular virus? Thanx.
-Mark

------------------------------

Date:    Mon, 20 May 91 10:12:30 +0000
From:    "Alan Jones"
Subject: Help With Frodo & Yankee Doodle (PC)

Alan J Jones
Manchester Computing Centre
University of Manchester
Oxford Road
M13 9PL
England

FRODO & YANKEE DOODLE

Has anyone got any information on these two viruses? They have just arrived on the campus (2000+ computers). I have managed to contain them so far, but I am worried as they are brand new to this site; at the moment there is only myself who is dealing with the virus problem and it's great fun just keeping up with the ones that I know about.

Viruses that have arrived in the last three years are STONED, PING PONG, JERUSALEM (1813), DARK AVENGER, V2100, VIENNA, ITALIAN, YALE, BRAIN (LIMITED INFECTION), LISBON, CASCADE. The last virus to hit hard was V2100, which is running rampant, but I can deal with that one at the moment.

Thanks

Alan

------------------------------

Date:    Mon, 20 May 91 14:44:22 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: A busy month (PC)

Well, this has been a busy month.....over 60 new viruses so far. Here is a list of most of the PC viruses I have received this month, but I am expecting over 40 additional new ones by mail any day now. The names below are the names Virus Bulletin will use in the next issue, where the viruses are listed - hopefully this list (which I plan to post monthly) will help reduce the naming confusion a bit.
217-A
268-plus
1028
Backtime
Bljec family:
Bljec-3
Bljec-4
Bljec-5
Bljec-6
Bljec-7
Bljec-8
Bljec-9
Boys
Darth Vader family:
Darth Vader-1
Darth Vader-2
Darth Vader-3
Darth Vader-4
Diamond (1024) family:
Damage-A
Damage-B
Diamond-1173 (David)
Greemlin
Eddie (Dark Avenger) family:
Eddie-1801
MIR
ETC
Evil Empire family:
Empire A
Empire B
Horse (Hacker, Black horse) family:
Horse-1 (1154)
Horse-2 (1158)
Horse-2B (1160)
Horse-3 (1610)
Horse-4 (1776)
Horse-5 (1576)
Horse-6 (1594)
Horse-7 (1152)
Jerusalem family:
Carfield
Discom
Keypress-1228
MG family:
MG-1A
Murphy family:
Guru (Bhaktivedanta)
Murphy-3
Murphy-4
Smack-1835 (Patricia)
Smack-1841 (Patricia-2)
Mutant family:
Mutant-123
Mutant-127
Mutant-127A
Old Yankee family:
Bandit
Pixel (Amstrad) family:
Pixel-257
Pixel-275
Pixel-283
Pixel-295
Pixel-779
Pixel-837
Pixel-850
Pixel-854
Pixel-892
Pixel-892
Raubkopi
Tequila
VCS 1.0
Vienna family:
Arf (Violator subgroup)
645
Warrior

- -frisk

- --
Fridrik Skulason      Technical Editor of the Virus Bulletin (UK)
(author of F-PROT)    E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801

------------------------------

Date:    21 May 91 00:26:00 +0000
From:    rebill02%ULKYVX.BITNET@jade.Berkeley.EDU (Russell E. Billings)
Subject: re: The Shape of the World (PC)

microsoft!c-rossgr@uunet.uu.net writes:

>Dave: A telling anecdote: at the Trenton Computer Fair last month,
>about 100 people crammed into a room to hear about some of the new
>viruses. When asked who had been infected with a virus, about 80% of
>the people raised their hands. I asked those infected with Jerusalem,
>Stoned and Ping-Pong to drop their hands. One hand was left. Cascade.

I'm curious, did you tell the ones who had been hit by those three to drop their hands, or did you ask those who had *ONLY* been hit by those three to drop their hands? A subtle difference, but an important one, nonetheless.
Russell

- --
BITNET: rebill02@ulkyvx.bitnet
UUCP:   ...psuvax1!ulkyvx.bitnet!rebill02

------------------------------

Date:    Mon, 20 May 91 18:19:00 -0700
From:    mrs@netcom.com (Morgan Schweers)
Subject: Re: Tequila virus (PC)

Some time ago microsoft!c-rossgr@uunet.uu.net whispered:
>>From: "David.M.Chess"
>
>>Has this been around for awhile?  Just in the last week or so, I've
>>heard of it from a couple of different, widely separated, places in
>>Europe, and I hadn't heard of it before.  Does anyone have a good....
>
>By the look of things, it's a flip flop virus: an infected program
>infects the partition record, infected partition records infect
>programs.  Additionally, it looks a lot like a combo of 1260 and v101:
>it is impossible to get a scan string for it.
>

    Greetings,
    *Chuckle*  It's a variant of the Flip virus, actually. A bit of pseudo-encryption code was added, and a bit of infection code was removed, but otherwise it's mostly Flip-like. Mr. McAfee gave me a scan string quickly after I handed it to him, and it'll be in the upcoming release of Scan as well. (Clean, of course, will remove it.) It's *VERY* rarely 'impossible' to find a scan string for something.

    It's been suggested that pirated copies of Golden Axe by Sega have been spreading its infection on the other side of the pond.

    A side note, regarding the Flip: it patches COMMAND.COM (under DOS 3.3, at least) to fix the DIR command to hide the filesize increase. It modifies two bytes, to chain to itself. This is important, as if these bytes are not fixed the COMMAND.COM will crash after being cleaned. I haven't checked to see if the Tequila virus does this as well, but I would guess that it does.

    Dave Chess mentioned to me that the Tequila displays a low resolution Mandelbrot set upon activation. I haven't confirmed it, but I plan to. (Anybody want GIF copies when I do? *chuckle*)

                                                      --  Morgan Schweers

- --
"Any opinions are not the express opinions of McAfee Associates. I just pattern, in game of life."
(Do not meddle in the affairs of cats, for they are subtle and will piss on your computer.)
                                                          -- mrs@netcom.com

------------------------------

Date:    20 May 91 14:44:04 -0400
From:    "David.M.Chess"
Subject: re: VIRSCAN Question (PC)

> From: "Robert McClenon" <76476.337@CompuServe.COM>
>
>     The scan resulted in an error message being displayed
>three times saying something to the effect of: An invalid opcode was
>encountered without an error handler being registered. This message
>did not say where the error was found.

Heh! That error message is coming from the FAPI interface code in VIRSCAN.EXE. (VIRSCAN is a "Family Application" that can run under either OS/2 or DOS.) The only time I've seen it before is when something has damaged the VIRSCAN.EXE file (and damaged it enough that it bombs before it gets to the self-check). Could this VIRSCAN.EXE have been damaged by something? Some viruses, the 1813 (Jerusalem) for example, have bugs that keep them from correctly infecting Family Apps, and they sometimes break them instead. I'd suggest that your friend get a known-good copy of VIRSCAN.EXE, and run it from a write-protected floppy. That's the best advice I can think of at the moment...

DC

------------------------------

Date:    20 May 91 14:51:06 -0400
From:    "David.M.Chess"
Subject: re: Dead vs Live: Commercial Necessity??

"Jonathan E. Oberg" asks whether or not new viruses can still become widespread in the real world, given that there are lots of detectors out there, and lots of channels by which information about new viruses can travel.

I'm afraid the answer is probably "yes, definitely", although I'd love to be wrong! While the people who read VIRUS-L, and probably all their friends, are well aware of viruses and how to defend against them, I think the average machine out there, and possibly still the average company, is not at all well protected.
The Joshi virus, for instance, is now quite widespread, but it has not been around that long; certainly it doesn't date from before we knew about stealthed boot viruses! The world still seems to contain a critical mass of unprotected, sufficiently connected machines, dense enough for viruses to thrive in. If a virus gets lucky (gets shipped with 10,000+ pre-configured machines from some random source, say), it's still the case that it has a very good chance of getting thoroughly embedded in the populace...

*Boy*, would I like to be wrong this time! *8)

DC

------------------------------

Date:    Tue, 21 May 91 00:52:38 +0000
From:    spock!lucifer@decwrl.dec.com (Samid Hoda)
Subject: Problem with Yankee Doodle virus (PC)

I have a serious problem with the Yankee Doodle virus. I am currently using McAfee v.75 to scan and clean the hard disk, but it does not seem to be working very well. I have already formatted the hard disk once, in an attempt to get this virus off the machine. Any help at all will be greatly appreciated as this is a school machine and is needed.

Thanks in advance.

Samid Hoda
decwrl!spock!lucifer

------------------------------

Date:    Mon, 20 May 91 22:51:29 -0400
From:    Padgett Peterson
Subject: Bug in VirusScan (PC)

It is possible that there is a bug in some of the 7x versions (inc. 77) of the McAfee SCAN utility that may cause it to miss some infected overlays. A JERUSALEM infection was encountered in which the .EXE was properly diagnosed but an infected .OVL was missed despite being checked as part of the default. Use of the /A switch resulted in the infected .OVL being detected.

Since the .EXE will always be infected also, there is no real danger; however, if an infection occurs that may also infect .OVL files (see the VIRLIST.TXT file inside the SCANxx.ZIP file), a rescan using the /A switch following a CLEAN activity is recommended. I do not know if this is particular to the Jerusalem-related viruses or if others are affected also.
We have reported this to McAfee Associates and a fix or explanation should be forthcoming. Incidentally, the infection appears to be the original sUMsDos version.

Warmly,
Padgett

------------------------------

Date:    Tue, 21 May 91 17:23:00 +1200
From:    "Mark Aitchison, U of Canty; Physics"
Subject: Re: VIRRUSSUM format

BOXALL@qut.edu.au writes:
> It is far easier to view the document with a file viewer, say LIST.
> This works quickly and efficiently as the user simply has to do a
> search for a keyword and the information is presented immediately.
>
> Not everyone wants to use a database to access the information, as
> this will take more time and increase the complexity of retrieving
> information.

There is a (growing) need to find virus information when a simple search is insufficient (no disrespect to Vernon's program) - there are simply too many viruses to make this convenient unless you are familiar enough with them to search the likely places first. So I suggest a smallish index file (in DIF format, which most people/programs can understand) *as well as* the big virus lists. The index should be public domain and list several important attributes of each virus, one per line. I could go into further detail if anyone needs it.

Mark Aitchison.

------------------------------

Date:    21 May 91 07:42:12 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Dead vs Live: Commercial Necessity??

PH461A04@VAX1.UMKC.EDU (Jonathan E. Oberg) writes:
>QUESTION: Will new live viruses spread effectively without new
>techniques??

Yes - just consider viruses like Telecom (stealth/boot sector), Azusa (stealth/boot sector) and Tequila (stealth/program) - all of which are quite recent, use no radical innovations, although they are all quite interesting from a technical point of view, and are spreading quite rapidly.

However, around 90% of all new viruses do not spread much, if at all. My opinion is that...

...The number of new virus variants is growing exponentially.
...The number of new virus families is also growing exponentially, but at a much slower rate.

...The number of "successful" new viruses has been constant for a while, or growing very slowly - I don't think that more than 5 "successful" viruses appear per month, even though the number of new variants is now 60-100 per month.

...The number of virus infections is more-or-less stable - no significant increase, despite all those new viruses.

>With the increase of scan/resident/other virus programs, and a
>significant decrease in the time between when a virus is detected and
>the information on that virus is published, the time a virus has
>available to spread is shortened, perhaps below the critical level
>necessary for success.

One problem - people will often use outdated anti-virus software. Here in Iceland anti-virus software has been sold on 10-20% of all MS-DOS machines, and probably pirated on an additional 30-40%. As a result, infection reports had practically stopped. Last month, however, Azusa arrived here and has been spreading considerably, often on sites which obtained anti-virus programs two years ago, and have not bothered to update them since.

>Is the Stoned virus, for example, so prevalent because it is well
>designed and/or defeats virus detection, or because it preceded the
>large increase in sites with virus detection programs.

The second explanation - no doubt. The same applies to Jerusalem, and a few other "old" viruses.

>Without a continual influx of successful viruses, that is new
>techniques, the only marketable force behind upgrades and/or market
>share are dead viruses.

Well, there are always occasional "successful" viruses - but the success often depends on how the viruses are distributed initially. If the author just uploads the virus to McAfee's BBS or sends it anonymously to me or some other anti-virus author, the virus will not spread much - not unless it "escapes" from the virus-research community.
If, as in the case of Tequila, the author systematically uploads an infected, popular game to BBSes all over Europe, the virus may get a significant initial distribution, before anti-virus programs have been updated to detect it.

- -frisk

------------------------------

Date:    21 May 91 07:49:47 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Which format for Partition Table Viruses (PC)

tony4@garfield.cs.mun.ca (Anthony H. Galway) writes:
>(be assured that I have also done a LOW level format in cases when the
>partition table was hopelessly infected).

Uh, what do you mean? There is NO virus which will "hopelessly" infect the partition table - all PBR infections can be removed without any formatting at all, although sometimes with some effort.

Disinfection may not always cure all problems - if the virus in question is the variant of Stoned which stores the original PBR at (0,0,2) a low level format may be necessary on some machines - PS/2 in particular, I think. In the case of Azusa, Bloody and a few other viruses, not all disinfection packages are able to handle the problem, however.

- -frisk

------------------------------

Date:    Tue, 21 May 91 09:46:42 +0700
From:    James Nash
Subject: re: Dead vs Live: Commercial Necessity??

Jonathan E. Oberg wrote:
> QUESTION: Will new live viruses spread effectively without new
> techniques??
> [lots of good stuff deleted for space]
> With the increase of scan/resident/other virus programs, and a
> significant decrease in the time between when a virus is detected and
> the information on that virus is published, the time a virus has
> available to spread is shortened, perhaps below the critical level
> necessary for success.

I agree. Everyone fears a "great plague" type of virus but we won't get one. When the Black Death swept across Europe, medical science was still throwing leeches at problems. We are beyond the "leech" stage and will effectively combat any hyper-virus.
Worth remembering when using the medical analogy for viruses that humans have created these binary beasts (: not nature.

Everyone has now become a virus "expert". I have heard tales (from my own department) of a one-byte hyper-code self-extracting virus. If I ever find it, I'm going to analyse it and make a fortune in data compression routines!

The point I want to make is that while people like ourselves stay restrained, others like to panic and this panic causes a lot more damage than most viruses. In that sense, a virus that gets a lot of media attention but causes little actual damage could be called successful because of mental damage. Also, people lose their jobs over one case of Stoned; now that's REAL damage :-<

> Is the Stoned virus, for example, so prevalent because it is well
> designed and/or defeats virus detection, or because it preceded the
> large increase in sites with virus detection programs.

Does not, in

I would say that Stoned is so successful because it exploits a flaw in the PC architecture which is also our main ally in the fight against viruses - booting from floppy. How many times have you seen a student put their disk in the PC then switch it on? I do it by mistake myself sometimes. Whether the author was a great visionary(!) or got lucky doesn't matter, he was the first(?) to use the technique. I doubt that we will see too many original techniques because we (not I!) know about every aspect of the PC, unlike the human body.

> Without a continual influx of successful viruses, that is new
> techniques, the only marketable force behind upgrades and/or market
> share are dead viruses.

Cruel. Perhaps virus fighters ought to remember that their ultimate goal, like doctors, is to make themselves redundant.

- --
James Nash, Computing Services, Coventry Polytechnic, England

------------------------------

Date:    Mon, 20 May 91 14:40:33 +0000
From:    A.C.G.Saunders@newcastle.ac.uk (Aidan Saunders)
Subject: Detecting Spanish Telecom ??
(PC)

Following the recent infections at Oxford University (see article from A.Appleyard - 16/5/91) I've been trying to find scanners to detect these viruses. (I understand there are two forms of this: one boot sector version, one file version.) Having checked the documentation of the F-PROT (1.14) & McAfee SCAN (v77) packages, I don't find any reference to these. So:

1) How can Spanish Telecom be detected?
2) Which virus detection/removal packages can deal with Spanish Telecom?
3) What signature strings can be added to programs such as F-PROT & SCAN that allow user-defined signatures?

Any help would be appreciated! If you mail responses to me, I'll summarise.

Many thanks,
Aidan Saunders

- --
- ----------------------------------------------
ARPA :: a.c.g.saunders@newcastle.ac.uk
UUCP :: ...!ukc!newcastle.ac.uk!a.c.g.saunders
- ----------------------------------------------

------------------------------

Date:    Tue, 21 May 91 13:09:05 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: F-PROT and BBSes (PC)

My anti-virus package (F-PROT) is by now quite well known in the academic community, but I hear quite often that it is very difficult to obtain for anyone without network access. This is a problem for many PC-owners, who would like to use it, but are unable to find it. The package is available on several BBSes, but they often have only old versions.

So, what I am planning to do is to send each new version by mail to 30-50 BBSes around the world - the question is just which ones.....

If you know of (or run) a BBS, where the SysOp is willing to upload the package and announce each new version as it is received, I would like to hear about it.

I will not consider any BBS on my list of 'Virus BBSes', however - the 12 or so BBSes which make viruses available for downloading are IMHO the major reason for the recent explosion in the number of virus variants.
- -frisk

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 86]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253
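Added example, not part of the digest and not code from F-PROT, SCAN or VIRSCAN: a small Python scanner that illustrates two points raised above, the user-defined scan strings Aidan Saunders asks about (signature syntax assumed here: space-separated hex bytes, with `??` standing for any byte) and Padgett Peterson's observation that a scan restricted to the default executable extensions can miss an infected .OVL until every file is examined (the `/A` behaviour). The marker it searches for is a constructed string, not a real virus signature, and the sample files are built in a temporary directory; `DEFAULT_EXTS`, `parse_signature`, `find_signature` and `scan_tree` are names chosen for this example.

```python
"""Added example: a minimal scan-string scanner with ?? wildcards, plus the
overlay-file pitfall (files outside the default extension list are skipped
unless an all-files scan is requested). Not code from any package named above."""
import tempfile
from pathlib import Path

# Extensions scanned by default in this example; the real packages' lists differ.
DEFAULT_EXTS = (".com", ".exe", ".sys")

# Signature syntax assumed here: space-separated hex bytes, "??" matches any byte.
# The signature below is a constructed marker for this demo, not a real scan string.
DEMO_SIGNATURE = "44 45 4D 4F 2D ?? 41 52 4B"   # "DEMO-?ARK"
DEMO_MARKER = b"DEMO-MARK"


def parse_signature(text):
    """Turn 'B8 ?? CD 21' into [0xB8, None, 0xCD, 0x21]; None is a wildcard."""
    pattern = []
    for token in text.split():
        if token == "??":
            pattern.append(None)
        else:
            value = int(token, 16)
            if not 0 <= value <= 0xFF:
                raise ValueError(f"not a byte: {token}")
            pattern.append(value)
    if not pattern:
        raise ValueError("empty signature")
    return pattern


def find_signature(data, pattern):
    """Offset of the first match of pattern in data, or -1 if absent."""
    n = len(pattern)
    for offset in range(len(data) - n + 1):
        for j, expected in enumerate(pattern):
            if expected is not None and data[offset + j] != expected:
                break
        else:                       # no byte mismatched: full match
            return offset
    return -1


def scan_tree(root, signatures, all_files=False):
    """Scan every file under root against a {name: pattern} dict.

    Returns {relative posix path: [matching signature names]} for hits only.
    With all_files=False only DEFAULT_EXTS are examined, which is exactly the
    behaviour that can leave an infected .OVL unreported."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if not all_files and path.suffix.lower() not in DEFAULT_EXTS:
            continue
        data = path.read_bytes()
        names = [name for name, pat in signatures.items()
                 if find_signature(data, pat) != -1]
        if names:
            hits[path.relative_to(root).as_posix()] = names
    return hits


def build_sample_tree(root):
    """Constructed sample files: a marked .EXE and .OVL plus a clean text file."""
    root = Path(root)
    (root / "PROG.EXE").write_bytes(b"MZ" + bytes(64) + DEMO_MARKER + bytes(16))
    (root / "PROG.OVL").write_bytes(b"overlay code " + DEMO_MARKER)
    (root / "README.TXT").write_bytes(b"nothing to see here\r\n")


def demo():
    """Returns (default-scan hits, all-files-scan hits) for the sample tree."""
    signatures = {"Demo-marker": parse_signature(DEMO_SIGNATURE)}
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp, signatures), scan_tree(tmp, signatures, all_files=True)


if __name__ == "__main__":
    default_hits, all_hits = demo()
    print("default extensions:", default_hits)   # PROG.OVL is not reported
    print("all files (/A-style):", all_hits)      # PROG.OVL now reported
```

Run it directly to see the two scans side by side: the default pass reports only PROG.EXE, the all-files pass also reports PROG.OVL. The same gap applies to any signature-based scanner whose default file filter is narrower than the set of files a given virus can infect, which is why a second pass over all files after cleaning is worth the extra time.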