Date: Wed, 21 Oct 1992 17:35:18 -0400
Message-Id: <9210211938.AA11578@barnabas.cert.org>
From: "Kenneth R. van Wyk"
Sender: virus-l@lehigh.edu
Subject: VIRUS-L Digest V5 #166

VIRUS-L Digest   Wednesday, 21 Oct 1992    Volume 5 : Issue 166

Today's Topics:

Re: Request info on FORM (PC)
Re: SCAN 95b doesn't find MtE in EXE files (PC)
Re: Scan/Clean vs. F-protect (PC)
Password Program Preventing Boot (PC)
Re: Terminator 2 and Gobler (PC)
Re: Oliver virus ... (PC)
re: Oliver virus ... (PC)
Re: Scan/Clean vs. F-protect (PC)
Re: Oliver virus ... (PC)
Re: HELP! (Re: IBM password) (PC)
Re: VCL operation (PC)
Re: Michelangelo on Driver Disks (PC)
Re: HELP! (Re: IBM password) (PC)
Re: FProt (PC)
Re: Pkzip 3.05 (PC)
KEY Press virus & McAfee v97 (PC)
Re: self-checking programs (PC)
Re: Terminator 2 and Gobler (PC)
Re: VIRSCAN and Joshi virus (PC)
Re: Could FORM infect OS/2's BOOT.DOS file (OS/2)
re: Could FORM infect OS/2's BOOT.DOS file (OS/2)
Re: FORM on an OS/2 system (OS/2)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.
(The complete set of posting guidelines is available by FTP on
cert.sei.cmu.edu or upon request.)  Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date: 20 Oct 92 11:26:35 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Request info on FORM (PC)

schilligl@iccgcc.decnet.ab.com writes:

> HI, Does anyone Know what the FORM virus can do to a system?

1) Did you read the FAQ?

2) Did you check in the popular virus information sources? (If you
don't know them, they are listed in the FAQ.)

3) OK, I give up, here's the answer: On the 24th of every month the
virus makes the keys on the keyboard "click" when you press them.

[Moderator's note: I'm hoping to have a new revision of the FAQ
available shortly.  Comments/suggestions welcomed.]

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  D-2000 Hamburg 54, Germany

------------------------------

Date: 20 Oct 92 11:29:45 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: SCAN 95b doesn't find MtE in EXE files (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> Currently there are two MtE-based viruses that infect EXE files -
> CoffeeShop (infects only EXE files) and Groove (infects both COM and
> EXE files).
> The scanner also missed hundreds of infected COM files,
> but this is another story...

Right now one of our students is testing version 97. The test is still
running, but what can be seen is that at least SOME of the infected EXE
files ARE detected. What can also be seen is that at least SOME of the
infected files (the spotted ones were COM files, but I don't have the
final results yet) are NOT detected. So, my warning remains: don't rely
on SCAN for 100% detection of the MtE-based viruses.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg

------------------------------

Date: 20 Oct 92 11:35:20 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Scan/Clean vs. F-protect (PC)

ACDPAUL@vm.uoguelph.ca (Paul D. Bradshaw) writes:

> Clean [stoned] it says it can't find the virus. But, when I try to
> disinfect a disk infected with Michelangelo with the command Clean
> [stoned] it butchers the boot sector. Actually Clean butchered the

Could you please provide some more information. I had very strong
reports that Clean destroys the boot sectors of 1.2 Mb diskettes
infected with Michelangelo when it tries to disinfect them. However, I
was unable to reproduce the problem. I see from your message that you
have indeed used a 1.2 Mb diskette, so obviously you are observing the
same problem. Could you please repeat your experiments with a 360 Kb
diskette (Michelangelo does not infect 720 Kb diskettes and damages
1.44 Mb diskettes)?

> 1) Clean will run with the incorrect virus identifier.

Not exactly. There is just a naming confusion between the names used in
SCAN and CLEAN.

> 2) This may be because Stoned and Michelangelo are a lot the same.
Yes, they can be disinfected with the same routine, but it -must- be
able to tell the difference between the two...

> disk table was invalid. Corrupt. If my disk had been bootable before
> I ran the disinfection programs on it, then only the disk disinfected
> with f-protect would have been bootable after disinfection.

Oh, then I guess CLEAN is not actually disinfecting the disk, but just
overwrites the virus in the boot sector with a non-infected (but also
non-bootable) program... OK, I'll check that...

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg

------------------------------

Date: Mon, 19 Oct 92 14:54:45 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Password Program Preventing Boot (PC)

Doug:

I *suspect* this is the same program I came across some time ago; if
so, try booting from a floppy with DOS 3.x instead of DOS 5.0. If the
boot works, then it probably is. In this case the easiest way to fix it
is to use my FixMBR program (FixUtil3.Zip is on most archives) - the
*real* MBR is probably in sector 2.

Incidentally, this same situation exists with a copy of an OS
identifying itself as MS-DOS Version 6.0.0015 received from an
unmentionable source. I tried to call this bug (with specifics down to
the bytes in the MBR involved) to Microsoft's attention but got the
expected response ("the boot floppy is bad...") 8*(  but I *did* try.

Warmly,
Padgett

------------------------------

Date: 19 Oct 92 20:34:05 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Terminator 2 and Gobler (PC)

Robert.Turner@brunel.ac.uk (Robert Turner) writes:

>Hi
>Does anyone have any knowledge of either this virus, or of the
>validity of the report?
Well, there is indeed such a thing as the Terminator 2. The name is
derived from an encrypted text string it contains:

    "Divide overflow The Terminator - 2 (C) 1992"

It is compressed with LZEXE 0.91, but to disguise it, the author has
modified it so that it does not contain the "LZ91" string at offset 28
(decimal) in the file. (So if your file contains that, it is probably a
false alarm.)

I have not been able to make it replicate, but assuming it is a virus,
I added detection of it to F-PROT 2.05b (sorry about the delays in
releasing that version, folks - I made a major change to the scanner,
and it is not fully tested yet).

-frisk

------------------------------

Date: 19 Oct 92 20:38:57 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Oliver virus ... (PC)

lubkt@synergy.CC.Lehigh.EDU (Binod Taterway) writes:

>Has anyone heard of Oliver virus? Apparently, Channel 10 news (Philly,
>I guess) had a story on this politics-minded virus that it is supposed
>to trigger today (10/13) at Noon. Any info?

Well, there is one Oliver virus - a member of the Dark Avenger (Eddie)
family. 2136 bytes long, and not particularly interesting or
widespread - just one of the 90% of all viruses that fall into the
"non-interesting" category. Any decent scanner should be able to detect
it - at least as a Dark Avenger variant.

-frisk

------------------------------

Date: Mon, 19 Oct 92 16:54:34 -0400
From: "David M. Chess"
Subject: re: Oliver virus ... (PC)

>From: lubkt@synergy.CC.Lehigh.EDU (Binod Taterway)
>
>Has anyone heard of Oliver virus? Apparently, Channel 10 news (Philly,
>I guess) had a story on this...

I'd be very interested if anyone knows anything about this! We've had
some anxious calls. The only connection I can think of is with the
completely fictional virus of that name done by the little-kid
computer-genius in the Outland comic strip a while back. But surely no
news organization would report something like that as fact!
*8)

DC

------------------------------

Date: Mon, 19 Oct 92 22:33:29 +0000
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Scan/Clean vs. F-protect (PC)

Hello Mr. Bradshaw,

ACDPAUL@vm.uoguelph.ca (Paul D. Bradshaw) writes:

>I recently did a test on McAfee's Clean vs. f-protect for the
>university's local electronic virus conference. I thought some of you
>here on virus-l might like to see my results. Basically, I was
>pointing out that scan and clean don't identify viruses very well, as
>well as that f-protect will do a better job of disinfecting a boot
>sector virus anyway.
>
>________________ cut here __________
>
>When I try to disinfect a disk infected with Azusa with the command
>Clean [stoned] it says it can't find the virus. But, when I try to
>disinfect a disk infected with Michelangelo with the command Clean
>[stoned] it butchers the boot sector. Actually Clean butchered the

Please note that the correct syntax for using CLEAN-UP (CLEAN.EXE) is

    CLEAN x: [virus i.d.]

Where "x:" is the letter of the drive to be cleaned, and "[virus i.d.]"
is the virus identification code supplied by VIRUSCAN (SCAN.EXE).
Failure to provide the correct syntax for CLEAN-UP can result in
erratic results.

Since the Michelangelo and the Stoned are rather similar in structure
and in how they infect disks, the same algorithm is used to remove the
virus (of course, different parameters are fed in depending upon the
variant and size of the diskette infected - this is all handled
internally by CLEAN-UP).

>boot sector no matter what command line prompt I gave it. You can
>draw your own conclusions from that. I created three disks infected
>with the Michelangelo virus, and tested (a) Clean [stoned], (b) Clean
>[mich], and (c) f-protect on it. The results of my little experiment
>are listed below.
>
>1) Clean will run with the incorrect virus identifier.

CLEAN-UP will run with any virus identification code you type in.
This is why it is always a very good idea to run VIRUSCAN before
running CLEAN-UP (after booting from a known-to-be-virus-free DOS boot
diskette, naturally) to confirm the virus infection and get the virus
identification code to use with CLEAN-UP.

>
>2) This may be because Stoned and Michelangelo are a lot the same.

Yes.

>
>3) F-Protect correctly disinfected my disk, while Clean butchered the boot
>   sector on my disk. This happened with both clean [stoned] and clean
>   [mich].

Can you please explain what you mean by "butchered"? Did you try
running CLEAN-UP with the [GenB] virus I.D. code instead? If so, what
was reported?

>
>4) I used Cleanv95, and F-Protect v2.05. These are the two most current
>   releases of each product.

CLEAN-UP Version 95 was released on August 14, Version 95-B on August
19, and Version 95-C on August 20. The current version of CLEAN-UP,
Version 97, was released on October 16, 1992.

>
>Below is the NDD report for each disinfection session.

<...rest of message deleted...>

It is still not clear to me under what conditions your tests of
CLEAN-UP were performed, with respect to what options were used with
CLEAN-UP, which version of CLEAN-UP was employed, the capacity and
status of the disks used, etc. Perhaps you could relate your
experiences in more detail.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.      | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14     | FAX   (408) 970-9727 | mcafee@netcom.COM
Santa Clara, California      | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA               | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR

------------------------------

Date: 19 Oct 92 22:45:03 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Oliver virus ...
(PC)

lubkt@synergy.CC.Lehigh.EDU (Binod Taterway) writes:

> Has anyone heard of Oliver virus? Apparently, Channel 10 news (Philly,
> I guess) had a story on this politics-minded virus that it is supposed
> to trigger today (10/13) at Noon. Any info?

Hmm, I have something here that calls itself "the Oliver virus". It is
yet another Dark_Avenger hack. At first glance I didn't see any
activation date in it - I mean, it seems to trash the disk (via INT
26h) just every day... But I might be wrong. It contains lots of
childish and offensive messages. The first one is "Bill the Cat
Lives!" - in the very beginning, corresponding to "Eddie
lives...somewhere in time" in the original Dark_Avenger.1800.A virus.
Is this what you have?

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg

------------------------------

Date: Mon, 19 Oct 92 23:02:23 +0000
From: doug@cc.ysu.edu (Doug Sewell)
Subject: Re: HELP! (Re: IBM password) (PC)

doug@cc.ysu.edu (Doug Sewell) writes:

: I just posted this to comp.security.misc, but I figure I'll post it
: here for anyone else that has suggestions:

Thanks to all those that have replied, either here or in
comp.security.misc.

The program (name available on request) that was installed had a 1992
copyright. It took over the master boot record and scrambled the
partition table, among other things. When the machine was booted from
floppy disk, the boot WOULD NOT COMPLETE. The machine would spin with
the HD light on and do nothing. When booted from HD the password prompt
was issued.

We ended up booting from a network we had in-house and trashing the
entire HD to fix it (this wasn't a problem, since it was a student lab
PC). Fdisk, format, etc.
all couldn't fix it; we had to overwrite the entire first few sectors
of the drive, then fdisk and format it.

You may ask "why not use the network in the first place?" This network
is obsolete, and has been replaced with new software that unfortunately
doesn't support network boot.

--
Doug Sewell, Tech Support, Computer Center, Youngstown State University
doug@cc.ysu.edu   doug@ysub.bitnet   !cc.ysu.edu!doug
Family Values: the sexist, racist, homophobic, classist, "Christian"
values of the 50's.

------------------------------

Date: Mon, 19 Oct 92 23:06:35 +0000
From: sbc@netcom.com (Spencer Clark)
Subject: Re: VCL operation (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>fc@turing.duq.edu (Fred Cohen) writes:
>> I have been trying to get VCL to operate on my system, and I think the
>> authors don't know how to write compatible code. Does anyone know how

>Ha! This is an understatement - I would say that they don't know how
>to write any working code at all... If you manage to get their program
>running (which is not that trivial, as you have observed), you'll see
>that the viruses that they are generating are extremely buggy (besides
>being simplistic non-resident COM infectors). Most of them do not
>assemble, those that do hang the machine when executed and those that
>don't hang usually refuse to spread...

>Let's hope all virus writers will write code with this "quality"...
>It's just so boring to disassemble it...

I agree; the thing comes with 8 samples, only half of which replicated
on my test machine. I have seen a couple of viruses made in conjunction
with the VCL. They are more robust than the original samples, but
nothing new, really.

Spencer Clark

--
****************************************************************
\ "I am gross and pernicious, but you can't look away          /
/  I make you think I'm delicious, with the stuff that I say   \
\  I'm the best you can get, have you guessed me, yet?         /
/  I'm the slime, oozin' out from your T.V.
set!" - Frank Zappa                                            \
****************************************************************
Hi! I'm a .signature virus! Add me to your .signature and join in the fun!

------------------------------

Date: 19 Oct 92 23:32:52 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Michelangelo on Driver Disks (PC)

mcdchg!ast!melka@gatech.edu (John F. Melka) writes:

>notch). His hard disk, of course, showed infection as did the VGA
>driver floppies (these are factory sealed). Identification on the
>floppies was:

Well - those are probably from the batch of diskettes responsible for
the virus getting from Taiwan (where it was probably written) all
around the world. This is not the only time this happened - I think the
Music Bug virus also spread originally on VGA driver diskettes.

-frisk

------------------------------

Date: 19 Oct 92 23:38:28 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: HELP! (Re: IBM password) (PC)

doug@cc.ysu.edu (Doug Sewell) writes:

>We suspect it's some form of commercial or shareware password protection
>that embeds itself in the partition table or some other place where it
>will be activated during power-on self test.

Probably, yes. Of course, if that is the case you *might* be able to
remove it easily the same way as an MBR infection is removed - booting
from DOS 5 and running FDISK /MBR. That will only work, however, if the
program does not tamper with the table itself.

>Do you have any suggestions (besides removing the hard drives - which
>we're considering ?)

If you think it is worth it, you might be able to get a card which
write-protects the MBR. This has the benefit of preventing infections
by certain viruses, such as Stoned. I am not sure, however, if such
cards for IDE disks exist yet.
-frisk

------------------------------

Date: 19 Oct 92 23:45:07 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: FProt (PC)

ygoland@edison.SEAS.UCLA.EDU (The Jester) writes:

>Some questions:
>1. Fritz said he's coming out with a new version and then I heard that
>there were some things he was still doing. Is there a date for release?
>When it's released, where can I be sure of finding it?

Well, here is what happened: I made a pretty big change to the program,
in order to make it stealth-virus proof. That is, you could run it,
with a stealth virus in memory, and it would not be affected. As the
method I used might cause some compatibility problems, I asked my beta
testers to test 2.05b *very* carefully. They did not find any problems
caused by the big change, however, but a lot of very small problems,
such as: if you scan a disk with a volume label containing a space in
position 8, that space might vanish. Nothing critical, but some small
things I like to fix. Anyhow, I think it is finished now, and when
2.05b is released it will be announced here, and uploaded to my usual
sites (eugene.utmb.edu and oak.oakland.edu).

>2. Right now when I try to use fprot on an hpfs drive it just says
>'error reading drive'. Are there plans to make fprot os/2 compatible?

No - that is, not HPFS compatible. That is, at least not the shareware
version - I might add that to the "Professional" version, though.

-frisk

------------------------------

Date: Tue, 20 Oct 92 01:19:37 +0000
From: sbc@netcom.com (Spencer Clark)
Subject: Re: Pkzip 3.05 (PC)

jwfernyc@THUNDER.LakeheadU.CA (JASON W FERNYC) writes:

>Does anyone know if Pkzip 3.05 (I know it is bogus) is infected with
>some kind of new virus? I noticed it on one of the network computers
>at school and didn't notice it before using my disks in the drives for
>quite some time. I scanned the computer and everything checks out but
>I don't want to take any chances!
It *is* a hack; I've tested it before with no notable ill effects....
HOWEVER, since it is a hack, I would highly recommend NOT running it
(and getting rid of it wouldn't be a bad idea, either).

Spencer Clark
McAfee Associates

------------------------------

Date: Tue, 20 Oct 92 01:08:11 +0000
From: 10666281@eng2.eng.monash.edu.au (KEVIN PRATER)
Subject: KEY Press virus & McAfee v97 (PC)

Currently I'm using McAfee ScanV97 and clean95c. My computer got
infected with the simple Keypress virus so I cleaned it with clean95c.
I then scanned with scan95 and got the message that no virus was
present. Got scan97 and rescanned the disk to find the virus reported
present. Clean 95 won't find or remove [key] for the one infected file,
so:

Is this a false alarm report of the virus? or
Is the virus a strain of [key] that clean95 doesn't remove?

Any reply welcomed,

Kevin Prater
DownUnderInOz

------------------------------

Date: 20 Oct 92 11:44:15 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: self-checking programs (PC)

76336.3114@CompuServe.COM (Kevin Dean) writes:

> KD > ... Stealth Bomber is a set of C- and Pascal-callable
> KD > routines that perform a CRC check on the running program and do a
> KD > system check for any suspicious behaviour related to stealth viruses.
>
> Have you actually tried it against Dir_II?
>
> No, I haven't. My statement above is misleading and I apologize.
>
> Neither Stealth Bomber nor any other virus detection package, present
> or future, will detect all possible viruses. In addition to doing a

Uh, maybe you have misunderstood me - I didn't expect it to
-recognize- Dir_II. After all, it is not a scanner, it is an integrity
checker. I mentioned this particular virus because its stealthiness is
"more advanced" than that of Frodo, for instance. Dir_II patches itself
into the block device driver chain and intercepts (and uses) device
requests, not interrupts.
Having seen an early version of Stealth Bomber, I just expressed a
doubt that it will be able to catch such stealth tricks. Another good
sample to try is the Int13 virus - it is stealth down to BIOS level,
which means that even if you read the files with INT 13h (thus
bypassing the DOS file system), you won't be able to "see" the virus.

My point is that if a stealth virus is in memory, and if it is "stealth
enough", no integrity checking program will be able to detect it. There
are several anti-stealth techniques that can be used, but they either
fail to work against advanced stealth viruses, or make the integrity
checker completely incompatible with anything that is not plain DOS -
things like LANs, compressed partitions, encrypted partitions, Disk
Manager partitions, etc.

The only safe way to run an integrity checker is either off-line, after
you have booted from the proverbial write-protected uninfected system
diskette (most of the current off-line checkers do that), or after
restoring the system state to a known clean level (the ASP Integrity
Toolkit does this and it is a resident integrity checker). Since
Stealth Bomber cannot rely on either of these two methods (it is
included in the application and is supposed to run after the virus that
has infected the application has already been executed), it has no way
to bypass advanced stealth viruses and remain compatible.

Note that I am not saying that the package is bad. Just the opposite -
I am encouraging every program developer to use something like that. It
will help to stop at least the non-stealth viruses, which are still the
majority. The user just must be careful and not develop a false sense
of security, since the package will NOT detect SOME viruses. But better
to have limited protection than no protection at all.

> CRC check (which will catch any non-stealth file virus) Stealth Bomber
> looks for suspicious behaviour in DOS related to stealth viruses.

You mean, "to SOME stealth viruses".
It has no way to detect all of them.

> Unfortunately, some versions of DOS exhibit virus-like symptoms

Depending on the definition of "virus-like", ALL DOS versions exhibit
virus-like symptoms... :-)

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg

------------------------------

Date: 20 Oct 92 12:07:47 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Terminator 2 and Gobler (PC)

Robert.Turner@brunel.ac.uk (Robert Turner) writes:

> One of our students came in the other day, reporting a virus that our
> scanner didn't pick up on (Solomon's Guard - Memory resident). This
> was Terminator 2, and it had been reported by a piece of software
> called 'Gobler' or something similar.

Uh, there is a silly Terminator virus of Russian origin. The version of
FindVirus that I have can find it, but Dr. Solomon often sends me brand
new versions of his scanner, which are not yet shipped to the
customers, so I don't know whether it will work for you... Anyway, the
virus that I mean is compressed with LZEXE, so it is very likely that
Gobbler has a not very good signature for it and is causing a false
positive. Do you observe any infections, i.e., does it spread to other
files, or is it only in one file?

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >  Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  D-2000 Hamburg 54, Germany

------------------------------

Date: 20 Oct 92 12:23:11 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VIRSCAN and Joshi virus (PC)

LKHGC%CUNYVM.BITNET@mitvma.mit.edu writes:

> Can the 1992 version of VIRSCAN detect the Joshi virus?

Uh, what exactly do you call the "1992 version of VIRSCAN"? If you mean
the IBM program VIRSCAN, its latest version I am aware of is 2.2.3A and
it -can- detect Joshi. If you mean the program VIRUSCAN from McAfee
Associates (often referred to as just SCAN), then the latest version is
97 and it also can detect Joshi. Or do you have some other scanner in
mind?

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg

------------------------------

Date: Fri, 16 Oct 92 20:33:23 +0000
From: 007
Subject: Re: Could FORM infect OS/2's BOOT.DOS file (OS/2)

ZA9RA01@sysa.computing-services.manchester-poly.ac.uk (Bill Peel) writes:

>A colleague has a PC which can dual boot to either DOS or OS/2. Both
>Jim Bates's VISCAN and F-PROT v2.05 report that the file BOOT.DOS in
>C:\OS2\SYSTEM contains a FORM image. After booting from a clean floppy
>the size of BOOT.DOS reported by a dir is 512 bytes and the date/time
>stamp is similar to that of other files in the directory (I know
>viruses can fiddle this). The usual FORM message is not in the file.
>My colleague says (I haven't had time to check this) that she cannot
>find BOOT.DOS on any of the original OS/2 disks. On the hard disk it
>is hidden/readonly. Could any of the experts say whether this is a
>real infection and if so how to recover from it.
>We have had
>infestations of FORM on both floppy disks and DOS-only hard disks.

The file BOOT.DOS is created by OS/2, and is not found on the
installation disks. It is a 512-byte image file of the DOS boot sector
as it was when you last told DOS to switch to booting OS/2 (i.e. by the
command "C:\os2\system\boot /os2"). If FORM was present then, it will
be found in the file, and FORM will be active in memory when you next
boot DOS.

What you could do is to boot from a clean DOS floppy and use DEBUG or
Norton's DISKEDIT to copy the boot sector from your clean floppy into
the file BOOT.DOS. (You might need to do this under DOS, since OS/2
might not let Norton have low-level read access. I'm not sure.) After
you copy the BOOT.DOS file, reboot from OS/2 on your HD and then set up
the computer to boot from DOS. To be certain, you might want to boot
from a clean DOS floppy and then run F-prot to see if FORM is present
in the boot sector.

Good luck!
-- 007

--
 000  000 7777 | sbonds@jarthur.claremont.edu
0   00   0   7 |-----------------------------------------------------------
0   00   0   7 | Childhood is short...
 000  000  7   | ...but immaturity is forever.

------------------------------

Date: Mon, 19 Oct 92 14:45:55 -0400
From: "David M. Chess"
Subject: re: Could FORM infect OS/2's BOOT.DOS file (OS/2)

>From: Bill Peel
>A colleague has a PC which can dual boot to either DOS or OS/2. Both
>Jim Bates's VISCAN and F-PROT v2.05 report that the file BOOT.DOS in
>C:\OS2\SYSTEM contains a FORM image.

Yes, this can certainly happen. When you issue the "BOOT" command, it
copies the current system boot sector into a file (named BOOT.DOS if
you're currently in DOS, or BOOT.OS2 if you're in OS/2), then takes
another file (BOOT.OS2 if you asked to boot OS/2, and BOOT.DOS if you
asked to boot DOS) and writes that into the boot record. Then it
reboots the machine.
So if you issue "BOOT DOS", then at some time later boot from a
FORM-infected diskette, then later issue "BOOT OS2", the FORM boot
sector (but not the other sector) will be in the BOOT.DOS file. If you
later issue "BOOT DOS" again, the BOOT command will re-install the
BOOT.DOS file (including the virus), and reboot the machine.

To clean this up, you need to get a valid BOOT.DOS file, with a valid
copy of the system boot record. One way to do this is to "BOOT DOS",
then run an anti-virus program that can remove the virus from the
system boot record, then "BOOT OS2" again. The resulting BOOT.DOS file
*should* contain a valid uninfected DOS system boot record, put there
by the anti-virus program. Something like that...

DC

------------------------------

Date: 20 Oct 92 11:01:49 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FORM on an OS/2 system (OS/2)

Kevin_Haney@nihcr31.bitnet writes:

> so DOS can boot. If you have a DOS virus in your boot sector, OS/2
> will make an image of that virus when it creates BOOT.DOS. The way to
> get rid of it is to dual boot to DOS, reboot using a clean DOS
> diskette so that FORM isn't active, and then run a disinfection
> program on your hard disk.

And don't forget to re-install OS/2, so that it re-creates a new
BOOT.DOS, with a copy of the (now) clean boot sector. Otherwise, OS/2
will re-install the virus from the old BOOT.DOS (that contains the
image of the infected boot sector) the next time you tell it to boot
DOS...

Regards,
Vesselin

P.S. All these dynamic changes of the boot sector and the startup files
will probably be a nightmare for the integrity checkers...

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >  Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  D-2000 Hamburg 54, Germany

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 166]
******************************************
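Added example (not code from the digest, from F-PROT or from any other product named in it) illustrating frisk's remark in the Terminator 2 thread above: the sample is packed with LZEXE 0.91 but the author removed the "LZ91" marker that LZEXE writes at decimal offset 28, so a file that still carries that marker is probably a false alarm for that name. The Python below decodes the fixed MZ header and reports the marker. The sample EXE images are constructed in the script; the "LZ09" marker of LZEXE 0.90 is my addition and is not mentioned on the page.

```python
"""Check a DOS MZ executable for the LZEXE marker at decimal offset 28.

Added example, not code from the digest.  frisk's point: the Terminator 2
sample is LZEXE 0.91-packed with the "LZ91" marker removed, so a file that
still carries the marker at offset 28 is probably a false alarm for that
particular name.  The "LZ09" marker of LZEXE 0.90 is my addition.
"""
import struct

MZ_HEADER_LEN = 0x1C          # fixed part of the MZ header; LZEXE's marker follows it
LZEXE_MARKERS = {b"LZ91": "LZEXE 0.91", b"LZ09": "LZEXE 0.90"}


def parse_mz_header(data):
    """Decode the fixed MZ header; raises ValueError if it is not an MZ file."""
    if len(data) < MZ_HEADER_LEN + 4 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (_, e_cblp, e_cp, e_crlc, e_cparhdr, _, _, e_ss, e_sp,
     _, e_ip, e_cs, e_lfarlc, _) = struct.unpack_from("<2s13H", data, 0)
    # e_cp counts 512-byte pages, e_cblp is the number of bytes used in the last page
    image_size = e_cp * 512 - (512 - e_cblp if e_cblp else 0)
    return {
        "header_bytes": e_cparhdr * 16,
        "image_size": image_size,
        "relocations": e_crlc,
        "entry": (e_cs, e_ip),
        "stack": (e_ss, e_sp),
        "reloc_table": e_lfarlc,
    }


def lzexe_marker(data):
    """Return the LZEXE marker found at offset 28, or None when absent."""
    parse_mz_header(data)                      # validates the MZ signature first
    tag = data[MZ_HEADER_LEN:MZ_HEADER_LEN + 4]
    return tag if tag in LZEXE_MARKERS else None


def describe(data):
    """One-line verdict in the spirit of frisk's remark."""
    tag = lzexe_marker(data)
    if tag is None:
        return "no LZEXE marker at offset 28 (consistent with the disguised sample)"
    return f"{LZEXE_MARKERS[tag]} marker present: a Terminator 2 report is probably a false alarm"


def make_mz_sample(marker=b"\0\0\0\0", code=b"\xB8\x01\x4C\xCD\x21"):
    """Constructed MZ file: 32-byte header (2 paragraphs) + `code` (mov ax,4C01h; int 21h)."""
    total = 32 + len(code)
    e_cp, e_cblp = (total + 511) // 512, total % 512
    hdr = struct.pack("<2s13H", b"MZ", e_cblp, e_cp, 0, 2, 0, 0xFFFF,
                      0, 0x100, 0, 0, 0, MZ_HEADER_LEN, 0)
    return hdr + marker + code


if __name__ == "__main__":
    for sample in (make_mz_sample(b"LZ91"), make_mz_sample()):
        print(parse_mz_header(sample), "->", describe(sample))
```

On a real file, read the first 64 bytes with `open(path, "rb").read(64)` and pass them to `describe`; the marker check is only a hint about packer provenance, not a virus test, which is exactly how frisk uses it.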
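Added example (not from the digest, from FixMBR or from FDISK) for the IBM-password thread above. frisk's caveat is that FDISK /MBR rewrites only the boot code and helps only if the partition table itself is intact; Padgett's observation is that the password program keeps the real MBR in sector 2. The Python below checks a 512-byte sector for the things that make a partition table sane and scans the first track of an image for sectors that pass, which is how one would confirm where the original MBR went before restoring it. The disk image is constructed here; the field layout is the standard MBR format.

```python
"""Sanity-check an MBR partition table and look for a saved copy of the
original MBR in the first track.

Added example, not from the digest or from any tool named in it.  The
disk image is constructed: sector 1 is a password program's stub with the
table scrambled, sector 2 is the untouched original MBR.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
DISK_SECTORS = 200_000      # size of the constructed disk


def parse_partition_table(sector):
    """Return the four entries as dicts (CHS fields are ignored)."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def mbr_problems(sector, disk_sectors):
    """List what is wrong with `sector` read as an MBR; an empty list means it looks sane."""
    if len(sector) != SECTOR:
        return ["not a 512-byte sector"]
    problems = []
    if sector[510:512] != b"\x55\xAA":
        problems.append("missing 55AA signature")
    entries = parse_partition_table(sector)
    used = [e for e in entries if e["type"] != 0]
    if not used:
        problems.append("no partitions defined")
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            problems.append(f"entry {i}: status {e['status']:#04x} is neither 0x00 nor 0x80")
        if e["type"] == 0:
            if e["lba_start"] or e["sectors"]:
                problems.append(f"entry {i}: unused type but non-zero extent")
            continue
        if e["sectors"] == 0:
            problems.append(f"entry {i}: zero length")
        if e["lba_start"] == 0:
            problems.append(f"entry {i}: starts at sector 0 and would cover the MBR")
        if e["lba_start"] + e["sectors"] > disk_sectors:
            problems.append(f"entry {i}: extends past the end of the disk")
    if sum(1 for e in used if e["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    for (_, a_end), (b_start, _) in zip(spans, spans[1:]):
        if b_start < a_end:
            problems.append("partitions overlap")
    return problems


def find_mbr_candidates(image, disk_sectors, track_sectors=63):
    """1-based numbers (the way DOS tools and Padgett count) of first-track sectors that parse as a sane MBR."""
    hits = []
    for n in range(min(len(image) // SECTOR, track_sectors)):
        if not mbr_problems(image[n * SECTOR:(n + 1) * SECTOR], disk_sectors):
            hits.append(n + 1)
    return hits


def build_sample_image():
    """Constructed 63-sector image: scrambled stub in sector 1, original MBR in sector 2, rest zero."""
    good_table = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x3F",
                             63, DISK_SECTORS - 63) + bytes(48)
    original = b"\xFA\x33\xC0" + bytes(TABLE_OFFSET - 3) + good_table + b"\x55\xAA"
    scrambled = bytes(b ^ 0x5A for b in good_table)      # what the stub left in sector 1
    stub = b"\xEB\xFE" + bytes(TABLE_OFFSET - 2) + scrambled + b"\x55\xAA"
    return stub + original + bytes(SECTOR * 61)


if __name__ == "__main__":
    img = build_sample_image()
    print("sector 1 problems:", mbr_problems(img[:SECTOR], DISK_SECTORS))
    print("sane MBR copies in first track:", find_mbr_candidates(img, DISK_SECTORS))
```

The scrambled table in sector 1 fails on status bytes, extents past the disk end and overlaps, so FDISK /MBR (which leaves those 64 bytes alone) would not repair it; sector 2 passes every check and is the one to copy back, which is what Padgett's FixMBR does for this case.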
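Added example (not Stealth Bomber's code or anything else from the self-checking thread above) modelling Bontchev's argument: a CRC trailer inside the program catches an ordinary file infector, but when the program reads its own image through a hook installed by a resident stealth virus, the hook hands back the original bytes and the same check passes. Reading the medium off-line, after a clean boot, bypasses the hook. The trailer format, the "program" bytes and the infector are all constructed for the example.

```python
"""Why a program's own CRC self-check cannot see a stealth virus that is
already resident.

Added example, not from the digest.  The trailer format (TAG + CRC-32)
and the simulated disk are constructed for illustration.
"""
import zlib

TRAILER_TAG = b"SBCRC:"          # hypothetical marker for the stored checksum


def embed_checksum(image):
    """Build-time step: append TAG + CRC-32 of everything before it."""
    return image + TRAILER_TAG + zlib.crc32(image).to_bytes(4, "little")


def self_check(read_own_image):
    """Run-time step: re-read the image through `read_own_image` and compare CRCs."""
    data = read_own_image()
    body, tag, stored = data[:-10], data[-10:-4], data[-4:]
    return tag == TRAILER_TAG and zlib.crc32(body) == int.from_bytes(stored, "little")


def infect(image, payload):
    """Plain (non-stealth) file infector: prepends its body and does no CRC fix-up."""
    return payload + image


class StealthDisk:
    """Simulated medium with a resident stealth virus hooking the file read path."""

    def __init__(self, on_disk, clean_view):
        self.on_disk = on_disk          # what is actually stored
        self.clean_view = clean_view    # what the hook shows to DOS callers

    def read_via_dos(self):
        return self.clean_view          # the hook lies: original bytes come back

    def read_offline(self):
        return self.on_disk             # clean boot, no hook: raw contents


def scenario():
    """Outcome of the cases Bontchev's message distinguishes."""
    clean = embed_checksum(b"\xB8\x00\x4C\xCD\x21" * 20)   # constructed 'program'
    infected = infect(clean, b"VIRUS" * 8)
    disk = StealthDisk(on_disk=infected, clean_view=clean)
    return {
        "clean_program_passes": self_check(lambda: clean),
        "infection_caught_without_stealth": not self_check(lambda: infected),
        "infection_missed_through_stealth_hook": self_check(disk.read_via_dos),
        "infection_caught_offline": not self_check(disk.read_offline),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The third result is the point: the self-check code is correct and still reports a clean image, because everything it can observe is mediated by the virus. That is why the message recommends running integrity checks after booting from a write-protected clean diskette, which corresponds to `read_offline` here.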