VIRUS-L Digest Tuesday, 4 Jun 1991 Volume 4 : Issue 97 Today's Topics: Fw: Trojan version of VIRUSCAN version 78 (PC) Virus Stats RE: MS-DOS on ROM (PC) RE:CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94 Requirements for Virus Checkers (PC) Re: AIDS Information Trojan (PC) Virus Unknown (PC) Hong Kong on MircoTough dist. disks (PC) RE:My mail of June 3 - NOVELL and Virus (PC) Hong Kong/Azusa (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 13 May 91 14:50:16 -0700 From: Aryeh Goretsky Subject: Fw: Trojan version of VIRUSCAN version 78 (PC) - -------------------------- HEADS UP! - -------------------------- (original message follows) TROJAN VERSION OF VIRUSCAN VERSION 78 We have received a trojan horse version of VIRUSCAN. The hacked SCAN has apparently been uploaded to BBSes in Michigan, USA under the filename SCANV78.ZIP. Running PKZIP -V on the file reveals: .PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90 .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help .PKUNZIP Reg. U.S. Pat. and Tm. Off. . .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882 . . Length Method Size Ratio Date Time CRC-32 Attr Name . ------ ------ ----- ----- ---- ---- ------ ---- ---- . 12816 Implode 5255 59% 04-08-91 14:28 08a87ed8 --w AGENTS.TXT . 9406 Stored 9406 0% 02-03-91 17:04 42cf9931 --w REGISTER.DOC . 23008 Implode 12550 46% 05-06-91 18:15 f9735dd5 --w SCAN.EXE . 6495 Implode 1895 71% 10-31-89 16:16 0449b09d --w VALIDATE.COM . 3626 Implode 1802 51% 11-29-90 01:59 ab76470f --w README.1ST . 21257 Implode 5767 73% 05-06-91 19:35 a0728a17 --w VIRLIST.TXT . 2844 Implode 1406 51% 02-14-91 14:25 aa330b57 --w VALIDATE.DOC . 24515 Implode 9188 63% 05-06-91 19:34 172a967f --w SCAN78.DOC . ------ ------ --- ------- . 103967 47269 55% 8 The number listed for the Fantasia BBS is NOT a BBS number and has no connection with the trojan horse. I have called the phone number and asked the party at the other end to contact me. Running PKUNZIP on the file reveals the following: .PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90 .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help .PKUNZIP Reg. U.S. Pat. and Tm. Off. . .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882 . Exploding: AGENTS.TXT -AV . Extracting: REGISTER.DOC -AV . Exploding: SCAN.EXE -AV . Exploding: VALIDATE.COM -AV . Exploding: README.1ST -AV . Exploding: VIRLIST.TXT -AV . Exploding: VALIDATE.DOC -AV . Exploding: SCAN78.DOC -AV . . Authentic files Verified! # TJB859 Zip Source: McAFEE ASSOCIATES While the Authentic Files Verified Message appears, the Serial Number is NOT correct. McAfee Associate's Serial Number is NWM405. Examination of the AGENTS.TXT, README.1ST, VALIDATE.*, and VIRLIST.TXT files revealed that these are straight from VIRUSCAN Version 77--the version number in the VIRLIST.TXT file was still V77. The SCAN78.DOC file had been modified so that all occurrences of V77 were switched to V78. Additionally, the following text was added for the validation data: . The validation results for Version 77 should be: . . FILE NAME: SCAN.EXE . SIZE: 23,008 . DATE: 05-06-1991 . FILE AUTHENTICATION . Check Method 1: 2C21 . Check Method 2: 022E . For the What's New section, the following text was added: . WHAT'S NEW . Version 78 of SCAN removes a few small bugs and continues . to optimize the procedures SCAN uses to find viruses, as in Version 77, . as well as adding a few more to the list of known viruses. SCAN is now much . more compressed than was previously thought possible, so please enjoy the . shortened file size, it should still work just fine. . Refer to the enclosed VIRLIST.TXT file for a schematic . description of the new viruses. For a complete description, please . refer to Patricia Hoffman's VSUM document. . Examination of the SCAN.EXE file has show that it contains the help message that VIRUSCAN displays as well as the program information message. However, the program does not contain any of the other messages that VIRUSCAN has in it. The REGISTER.DOC file distributed with the trojan version of VIRUSCAN is not a text file, but rather another .ZIP file containing a file named TB1.COM: . PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90 . Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help . PKUNZIP Reg. U.S. Pat. and Tm. Off. . . Searching ZIP: REGISTER.DOC . Extracting: TB1.COM -AV . . Authentic files Verified! # TJB859 Zip Source: McAFEE ASSOCIATES . When unZIPped, the REGISTER.DOC file displays the same Authentic Files Verified Message as the SCANV78.ZIP file did. Examination of the of the TB1.COM file revealed that it contains the Whale virus. This is all I currently know about the SCANV78.ZIP trojan. If you see any copies of this file, please ask the system administrator or sysop to remove it and ask them to contact the uploader to warn them that it contains a virus. Aryeh Goretsky McAfee Associates Technical Support - - - - aryehg@tacom-emh1.army.mil ------------------------------ Date: Mon, 03 Jun 91 02:35:41 -0500 From: Fwtns Georgakopoulos Subject: Virus Stats Hi Everyone... I am wondering if anybody out there can help me... I have to write this paper on virus and I have no statistics... I couldn't possibly conduct a survey which could have been very realistic...If anyone knows where I could find some stats on virus or if someone even has anything (that would be great! :-)) I would really appreciate the help... Thanks in advance... Frank ------------------------------ Date: Mon, 03 Jun 91 10:02:46 -0400 From: "David B. Horvath" Subject: RE: MS-DOS on ROM (PC) Radio Shack, in the newer versions of the TANDY-1000 series (SL, TL, and newer) all have MS-DOS in ROM. The ROM emulates a write-protected hard disk with NO free space. The boot device is selectable in the system startup (stored in battery backed CMOS RAM) - as well as certain default AUTOEXEC.BAT/CONFIG.SYS entries. The pseudo-disk is implemented in socket ROM chips; the salesmen talk about the ease of upgrade - "just replace the chip with a new one - easier than upgrading from floppy..." - David B. Horvath +--------------------------------------------------------------------+ | David B. Horvath, CDP AT&T Net: 215-354-2468 | | Systems Analyst - GE Internet: horvath_db@scov19.dnet.ge.com | | Adjunct Instructor - CCC DecNet : SCOV19::horvath_db | | M.S. Candidate - UPENN ICBM Net: 40 N 75 E | | (dhorvath@pennsas.upenn.edu) | | Standard Disclaimer: All expressed opinions are my own and do not | | represent any of my employers or affiliated organizations. | | | +--------------------------------------------------------------------+ ------------------------------ Date: 03 Jun 91 09:45:00 +0200 From: J|rgen Olsen Subject: RE:CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94 RE: LAN's as vehicle for spreading virii! - ----------------------------------------- We run an installation including 700 MAC/PC's (250+450), 8 Novell Nets, 6 3+SHARE-nets, Appletalk etc. The remarks below refers mainly to our experience with the Novell-nets in the Dep. of Social Sciences - 5 - with 120+ workstations. - ----------------------------- This is mainly a question of network management. 1. Certainly - in a university where students can load programs into the netdrives - an infected program can be spread. BUT - 2. Serious problems only arise if someone with Supervisor rights are infected when logging in to do a bit of system Admin. 3. So the combination - daily scanning of areas where users (students) can leave their (games,pirate copies (sorry) etc) and removal of same combined with carefull network management (scanning of RAM & local disk) will do the trick. 4. We still have to see a Virus infecting the Netware - without a bit of outside help - as described under 2. - ----------------- Anybody with a comment to 4. ?? - -------------------------------- Do not bother to suggest that we install TSR's etc for checking. We have tried - but a number of our applications are RAM-hungry - and some does not even like some of those TSR - e.g. they start behaving funny. But a bit of planning and prevention can do the trick - or have done so til this moment. J Olsen Academic Information Systems University of Odense Denmark ------------------------------ Date: 02 Jun 91 23:41:01 -0400 From: Robert McClenon <76476.337@CompuServe.COM> Subject: Requirements for Virus Checkers (PC) >From: microsoft!c-rossgr@uunet.uu.net >>From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) >> 6) Must be easy to remove for troubleshooting >Hey, *my* code never needs to be removed! Excuse me, but I use Virex-PC, which is Ross's product. I do occasionally need to remove it, not to troubleshoot IT, but because something is incompatible with it. One commercial game requires 540K of FREE memory, not counting MOUSE.SYS, which it uses, and can't fit if Virex-PC is installed. A third-party fax board program has TSR conflicts with Virex-PC. I don't know what it is doing, but it tries to take over the same interrupts as Virex-PC and the results are unpredictable. (Sometimes it refuses to run. Sometimes it crashes.) The need to remove an anti-viral program is not entirely a function of the anti-viral program's flaws. I have dealt with the problem by defining a batch file which creates a dummy file which signifies that on the next (warm) boot of my PC, Virex-PC is not to be loaded, and then rebooting. Anyway, Padgett is right. A program must be easy to remove in the event of trouble. The trouble may not be the fault of the program. The game admits it is a hog. The fax program is written very sloppily, but it is worth the price I paid for it. (It came free with the fax modem board.) Robert McClenon Neither my employer nor anyone else paid me to say this. ------------------------------ Date: 03 Jun 91 20:42:30 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: AIDS Information Trojan (PC) mcafee@netcom.com (McAfee Associates) writes: >Does anyone recall whatever happened to Joseph W Popp, the alleged >mastermind behind the AIDS Introductory Information Trojan Diskette? The trial date has been set for November 11th and will take place at Southwark Crown Court, London. - -frisk Fridrik Skulason Technical Editor of the Virus Bulletin (UK) (author of F-PROT) E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 ------------------------------ Date: Tue, 04 Jun 91 06:24:13 +0000 From: ekwong@rose.waterloo.edu (Edward the Awaken) Subject: Virus Unknown (PC) Help! My PC is infected by this virus that my SCAN 3.5 can't even detect. The virus has a little bug that moves across the screen line by line shifting the text something like 10 spaces to the left. The bug seems to work in the background, ie while an application is running. The bug that moves across the screen looks like this ********=( Can someone help me id this virus and maybe suggest a possible care I will be greatful. Thankyou in advance. Edward K. Address: ekwong@lotus.uw.edu ekwong@rose.uw.edu ------------------------------ Date: Tue, 04 Jun 91 08:34:33 -0500 From: csfed@ux1.cts.eiu.edu (Frank Doss) Subject: Hong Kong on MircoTough dist. disks (PC) One of our users here at Eastern Illinois has discovered the Hong Kong virus on the distribution disks included with Micro Tough's TVGA board. This board is a MS-Windows enhancer Trident chip graphics board. The disk are labeled TVGA-8916 (disks one - three). All three of the notchless disks had the virus. As the disks were the notchless type, the virus came from either the factory or the duplicating company. Micro Tough has been notified. Norton Anti-Virus 1.00 did NOT find the virus, but Central Point Anti-Virus 1.00 found and purged the virus. To say the least, our user was most discerned with his factory-bought virus. ;-) This has been a warning . . . Frank E. Doss Academic Computing Eastern Illinois University ------------------------------ Date: 04 Jun 91 16:15:00 +0200 From: J|rgen Olsen Subject: RE:My mail of June 3 - NOVELL and Virus (PC) In my mail - I wrote on Mon, 3 Jun 1991 9:45:45 UTC+0200 >Subject: RE:CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94 >RE: LAN's as vehicle for spreading virii! - ----------------------------------------- >4. We still have to see a Virus infecting the Netware - without a bit > of outside help - as described under 2. > ----------------- >Anybody with a comment to 4. ?? >-------------------------------- Later the same day the June issue of VIRUS BULLETIN hit my desk (compliments to the editor for ensuring that By FIRST CLASS MAIL you get it at the start of the month and not at a somewhat later date) - and there it was! The answer to any network managers nightmare - GP1 - - a NOVELL specific virus (variant of Jerusalem)! I have mailed the NOVELL board - asking for a comment! Any answer will be forwarded to Ken for consideration/remailing through him. J Olsen Academic Information Systems University of Odense Denmark ------------------------------ Date: Tue, 04 Jun 91 11:29:39 -0400 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Hong Kong/Azusa (PC) >One of our users here at Eastern Illinois has discovered the Hong Kong >virus on the distribution disks included with Micro Tough's TVGA >board. This board is a MS-Windows enhancer Trident chip graphics >board. The disk are labeled TVGA-8916 (disks one - three). The "Hong Kong" is the name Central Point Software has chosen to use for the AZUSA virus previously reported in Dayton on Trident TVGA disks. It becomes memory resident on boot and has a counter that typically after 32 boots will zero the interrupt addresses of COM1 and LPT1 in the system data area casusing access to these peripherals to fail. CHKDSK will also report something less than 640k (655360 total bytes memory) available to DOS. More importantly, this is the THIRD time that Trident's distribution disks have been reported in connection with infected boot sectors. (Packard Bell SVGA - Dec,90; TVGA disks in May) & points out the need for something more that just a warning. Other manufacturers have accidently introduced viruses before but most have instituted policies to avoid ever doing it again. (IMHO) an investigation should be launched to determine just what is going on, to determine why this has occured, and to try to ensure that it is not repeated. It has been mentioned before but (IMHO) what is needed is a national computer integrity laboratory organized to become a clearing house for viral information (to avoid AZUSA/Hong Kong & Jerusalem/1813 confusion in the future), to provide a testing mechanism for the effective *weighted* evaluation of anti-virus products, and to inspect/certify manufacturers procedures for preventing future virus disseminations. This would have to created as a disassociated not-for-profit organization to have any meaning, we seen several commercial attempts already, but is something that is needed. However, it would take resources to establish so if any of the Virus-L members know of grants available or manufacturers who would be willing to make equipment available to set up such an organization, (my den closet is not big enough) please let me know. Hotly, Padgett Somewhere west of Orlando These views are my own, most likely no one else would want them. ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 97] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253