VIRUS-L Digest   Friday, 3 Aug 1990    Volume 3 : Issue 138

Today's Topics:

Various subjects (PC)
re: Antivirus-viruses
Virus documentation
New link virus: COM + 453, direct action (PC)
Forwarded: POSSIBLE PROGRAM TROJAN HORSE!! (PC)
4096 Virus and Checksums (PC)
4096 Running Rampant at Wharton! (PC)
Virus information requested
Re: Site licenses
Re: 4096 Running Rampant At Wharton! (PC)
Re: Site licenses
F-PROT experience, anyone?
4096 in Bradford, UK (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    Thu, 02 Aug 90 13:23:11 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Various subjects (PC)

F-PROT news

F-PROT version 1.12 is finished - it is not completely up to date, as I have not yet been able to obtain samples of some very recent viruses (Sublimal and Poem, for example). The next update will therefore appear soon - expect 1.13 late in August. The program has been sent to everybody on my distribution list, and has also been uploaded to chyde.uwasa.fi. I also expect it to appear soon on comp.binaries.ibm.pc.

"Stealth" virus

I have seen the name "Stealth" used for 4 different viruses: 4096 (Frodo, IDF) and 1260, as well as two of the Bulgarian viruses. This is too confusing, so what I propose (and what I will do in version 1.13 of F-PROT) is to use "Stealth" to refer to a class of viruses - the viruses that attempt to hide from detection, using a variety of methods. Comments, anybody?

Lost mail

Some time ago I deleted several mail messages by accident. I assume many of them were virus-related, so if any of you sent me mail about three weeks ago and have not received a reply, I probably lost your messages. Sorry :-( Just E-mail me again, but don't expect a reply for about 10 days or so, because .....

Vacation time

I am going on a vacation today - the first time for more than two years when I will not have a computer in front of me most of the day. I will be back on August 10.........

-frisk

--
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  | Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |

------------------------------

Date:    02 Aug 90 09:33:09 -0400
From:    "David.M.Chess"
Subject: re: Antivirus-viruses

Anthony Appleyard writes, among other things:

> For example, if Den Zuk hadn't got the bug of malfunctioning on
> small disks, it would likely have spread largely ignored, and
> flushed out the harmful Brain from most of the places where it
> breeds...

I imagine there will be lots of flames on this, and I don't really want to add to them (on the other hand, I don't want there to be no response to the item, so here I am!). I'm not sure if Mr. Appleyard means to imply that if the Den Zuk had only been less buggy, it would have been a Good Thing; if that's the intent, though, I'd like to disagree strongly! Any virus (with or without the Den Zuk's Brain-removal, "logo" and other side effects) that messes around with my system without my knowledge is a Bad Thing. It will eventually spread to some place where it will do harm (a non-standard disk format that it doesn't notice, but messes up; a new version of the op system that it's not compatible with; or whatever). The only anti-virus virus that would be at all defensible would be one that announced itself in large and unmissable letters when first run, and gave the user the option (which I, personally, would always exercise) to tell it to erase itself completely from the system. Even then, I don't entirely share Mr. Appleyard's confidence that there are already so many sample viruses out there that one more won't provide budding virus writers with extra education. I'm not certain that it would, but I wouldn't want to take the chance...

DC

------------------------------

Date:    Thu, 02 Aug 90 10:47:00 -0400
From:    "Michael N. Davis"
Subject: Virus documentation

I just joined this list and I was wondering if this list maintains an archive of full documentation on each virus. For example, a warning has gone out about the 4096 virus at a med school in a nearby city that I do some PC work for. The report said that there was no software that could detect and remove it. Someone here at my institution told me that there is software to detect and remove it. It would be nice if I could get at will an archive file from this list fully describing the 4096 virus, its modus operandi, and the software that will cure it. Does such exist, and if so, how do I access it from BITNET?

Thanks.

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Michael N. Davis, System Manager, NC A&T State University, Greensboro, NC 27411
BITNET: DAVISM@ATSUVAX1

------------------------------

Date:    02 Aug 90 16:10:23 -0500
From:    "Otto Stolz"
Subject: New link virus: COM + 453, direct action (PC)

In the HQ of Südwestdeutscher Bibliotheks-Verbund (located at the university of Constance, Germany), a new virus has been detected. The virus adds 453 (four hundred fifty three) bytes to COM files. (It is neither the V-345 from the Amstrad strain, nor the Vienna 435.) F-FCHK and SCAN do not recognize this virus.

It is not yet known whether this virus carries a payload. I know that it infects COM files in the local directory; whilst it did not infect files in other directories during my tests, we cannot be completely sure about the infection mechanism until the virus has been disassembled.

Following are my preliminary findings in VTC format. I'll send a sample to the VTC at Hamburg for further investigation. If anybody has already seen this beast and knows more than I do (cf. infra), please drop me a note.

Otto

---------------
Entry................. ((not yet assigned -- anything alluding to the length
                         would be confusing, as we have already 435 and 345
                         viruses))
Alias(es).............
Strain................
Detected: when........ 1 Aug 1990
          where....... Südwestdeutscher Bibliotheksverbund
                       (located at Universität Konstanz)
Classification........ Link virus, direct action COM infector
Length of virus....... 453 bytes added to COM files
----------------------- Preconditions --------------------------------
Operating System(s)...
Version/Release.......
Computer models.......
------------------------Attributes -----------------------------------
Easy identification... File size increases by 453 bytes.
                       The following offsets are taken relative to the
                       address the JMP instruction (cf. infra) points to.

                         offset | string / bytes found
                         -------+----------------------------------
                          007   | "VIRUS"
                          00D   | "*.COM"
                          013   | "????????COM"
                          030   | file-id of the infected program
                          043   | original contents of 1st 3 bytes
                          052   | "TUQ.RPVS"

Type of infection..... Direct action. Beginning of program is overwritten
                       with a JMP instruction pointing to appended viral code.
Infection trigger..... Executing an infected file will trigger the infection
                       attempt in the local directory. Virus has been tested
                       with one bait (at most) available, so it is not clear
                       whether multiple programs will be infected. No files
                       outside the local directory have been infected during
                       tests.
Interrupts hooked..... none
Damage................
Particularities.......
----------------------- Acknowledgement ------------------------------
Location.............. Rechenzentrum der Universität Konstanz
Classification by..... Otto Stolz
Documentation by ..... Otto Stolz
Date.................. 1990-08-02

------------------------------

Date:    Thu, 02 Aug 90 12:02:35 -0700
From:    rogers@marlin.nosc.mil (Rollo D. Rogers)
Subject: Forwarded: POSSIBLE PROGRAM TROJAN HORSE!! (PC)

The info below was provided by our local Computer Resource Center. I contacted the sender below and tried to get more details on this. However, he told me he had gotten the info from a third party. So there is no local confirmation that this is a real trojan horse running around within this program. Since the trigger date was two days ago, I thought you might wish to distribute this information, so users who currently have or contemplate obtaining this software can be forewarned. Sorry I could not obtain more complete details. I was told this could be the commercial or PD version of the software.

-------
From marlin!nosc!manta!bray Wed Aug 1 15:41:42 PDT 1990
Article 660 of nosc.micro:
Path: marlin!nosc!manta!bray
From: bray@manta.NOSC.MIL (Robert E. Bray)
Newsgroups: nosc.micro
Subject: DISCOVER Program Warning
Keywords: disk management utility, program problems
Message-ID: <1171@manta.NOSC.MIL>
Date: 1 Aug 90 22:01:12 GMT
Distribution: nosc
Organization: Naval Ocean Systems Center, San Diego
Lines: 16
-------

DISCOVER Program Users:

It has come to the attention of the CRC that the PC program called DISCOVER (a disk management desktop utility similar to PC Tools, Norton Commander, XTREE Pro, etc.) has been programmed with a trigger to begin ciphering files/directories that are referenced or created AFTER 31 JULY 1990, AND it doesn't let you un-cipher those files/directories!

Users beware -- you may want to stop using DISCOVER asap.

Currently, further information on this problem is limited. However, if you have questions, call the CRC (Bayside x32247 or Topside x32268).

Bob B. (Bayside CRC)
-------

------------------------------

Date:    02 Aug 90 13:39:32 -0400
From:    Steve Albrecht <70033.1271@CompuServe.COM>
Subject: 4096 Virus and Checksums (PC)

In browsing through the April 1990 issue of Computers and Security, Volume 9, No. 2, I read the following comments of Dr. Harold Highland on the 4096 virus:

"This recently published computer virus is particularly disturbing in that...checksum techniques likewise appear to be useless, the virus `disappears' during the checksum process..."

Can someone please elaborate on how the virus avoids the checksum process, or perhaps direct me to more detailed information on this virus? In particular, does it avoid all checksum algorithms, or only certain ones? How does it avoid detection from the checksum operation? Any help would be most appreciated.

Steve Albrecht
MIS Field Services
PLAN International
70033,1271@compuserve.com

------------------------------

Date:    Thu, 02 Aug 90 15:07:25 -0500
From:    martha rapp
Subject: 4096 Running Rampant at Wharton! (PC)

Michael,

You must find a way to check and remove the virus from students' or the lab will never completely get rid of the infection. Get an old machine with the proper size drives and set it up near the doorway and don't allow anyone to use the machines if their disks have not been certified virus free. I don't think that Diskmanager is an anti-virus program. Use and pay for Scan from McAfee or something similar and ensure that you can get updates easily. The main item is that with hard drives on your machines you must constantly check for viruses.

Martha Rapp
Computing Services
IUPUI

------------------------------

Date:    02 Aug 90 15:17:33 +0000
From:    cdss!hyman@uunet.UU.NET (Risa Hyman x2021)
Subject: Virus information requested

Hello Netlanders,

I am posting this for a student at the University of Maryland and also for our own development information. Would appreciate info on virus screens, virus scanning packages and successful approaches that you have found in dealing with these threats to our open network of communication. His class does not have access during the summer session to the Internet, and we have been so busy on our development set up that we have neglected to become smart enough, fast enough. We've read the books, but real life information is better. Any info on public domain virus screens would be great.

Thanks in advance as always.

--
Risa B Hyman                      Any opinions expressed are my own.
Arinc Research Inc                uucp : uunet!cdss!hyman
SRG, Mail Stop 5230               voice: 301 266 2021
2551 Riva Road                    fax  : 301 266 2047
Annapolis, MD 21401

------------------------------

Date:    Thu, 02 Aug 90 21:26:12 +0000
From:    plains!umn-cs!LOCAL!aslakson@uunet.UU.NET (Brian Aslakson)
Subject: Re: Site licenses

DKAZEM@NAS.BITNET (Don Kazem) writes:

>We have been thinking about standardizing on a virus
>scanner/disinfector for our organization. We have about 1500 users.
>Our vision is to have a scanner/disinfector package available
>to the PC support analysts and have them use it on suspicious
>machines or perform random audits.
>I have been thinking about purchasing a Service Industry
>License from McAfee Associates. The total package would cost
>about $6800.00 for (20 copies). This license would allow us
>to perform checks on various machines, however, the software
>must not remain with the clients.

The security guy here got a good laugh and said that you must be a couple decimal places off. 68$. I could believe 680$ (maybe). I don't know FPROT (fprot111.zip via mibsrv.mib.eng.ua.edu in pub/ibm-antivirus via anonymous ftp) but the security guy recommends it and they charge either one or two dollars per machine in large numbers...

Brian Aslakson

--
Macintosh related: mac-admin@cs.umn.edu
All else: aslakson@cs.umn.edu

------------------------------

Date:    Thu, 02 Aug 90 21:59:37 +0000
From:    plains!umn-cs!LOCAL!aslakson@uunet.UU.NET (Brian Aslakson)
Subject: Re: 4096 Running Rampant At Wharton! (PC)

GREVE@wharton.upenn.edu (Michael Greve) writes:

> We thought we had rid ourselves of the 4096 virus. Since I last wrote
> to this list the 4096 virus has re-infected the original 5 machines in
> our lab plus 4 more. We seem to be losing the battle of 4096. What
> I feel is wrong is that we probably have some students with infected
> com and exe files on their floppies (programs, games etc.). They are
> using their programs and re-infecting our machines (unknowingly). We
> are currently using Diskmanager as our hard disk protection software.
> Diskmanager isn't protecting the machine against 4096. Is there a
> program, either shareware or by purchase, that will work with Diskmanager
> and protect the machine from 4096? At this point we don't have the

DiskManager, by Ontrack Software (800)752-1333, is not anti-viral software, has never claimed to be (I'll betcha) anti-viral, and if you told them -- wait --, I'll tell them. I didn't have to finish asking my question about anti-viral when the man said "No." It isn't anti-viral, never claimed to be anti-viral, it partitions hard disks. That's what it does. Okay? "No. No. No."

Anyway, get either scan or fprot (or both), also get some memory resident program like scanres or vshield. Fprot may have something like this in it (with it). READ the documentation. Try anonymous ftp at mibsrv.mib.eng.ua.edu, go to pub/ibm-antivirus and mget till you're blue in the face. There is some excellent stuff there. scanv64.zip fprot111.zip vshld64.zip and so on.... Try to download to a clean machine, read everything, then go for it. Scanres you'll have to get from McAfee's BBS directly, if you want it. The number's in the documentation for scan. Fprot I'm checking out tonight.

Good luck.

Brian Aslakson

--
Macintosh related: mac-admin@cs.umn.edu
All else: aslakson@cs.umn.edu

------------------------------

Date:    Thu, 02 Aug 90 20:59:21 +0000
From:    frotz%drivax@uunet.uu.net (Frotz)
Subject: Re: Site licenses

DKAZEM@NAS.BITNET (Don Kazem) writes:

] We have been thinking about standardizing on a virus
] scanner/disinfector for our organization. We have about 1500 users.

We have about 200.

] Our vision is to have a scanner/disinfector package available
] to the PC support analysts and have them use it on suspicious
] machines or perform random audits.

We intend to put dedicated PC class machines (no or very *tiny* hard disk ~10M) in stations around the company. We can do this because we have so many of these low class machines practically lying around. These machines would contain one of these licensed disinfectants and would provide local access to the latest disinfectant and would allow users to easily check software that has come in from questionable sources (e.g. BBS' or via Tech Support...)

] I have been thinking about purchasing a Service Industry
] License from McAfee Associates.

It has been suggested that we do this as well. I am still evaluating other resources (e.g. this newsgroup) before I commit to doing this, though I agree that it is very cost effective (psychologically to upper management) to have direct associations with McAfee Associates.

] Has anyone one else in the corporate arena implemented such a
] policy/structure?

We are in the very early stages of defining and implementing this. Will post more as I get a better handle on things.

--
John "Frotz" Fa'atuai        frotz%drivax@uunet.uu.net   (email@domain)
Digital Research, Inc.       {uunet|amdahl}!drivax!frotz (bang!email)
c/o MIS Dept.                (408) 647-6570 (vmail)
80 Garden Court, C13         (408) 649-3896 (phone)
Monterey, CA 93940           (408) 646-6248 (fax)

------------------------------

Date:    03 Aug 90 03:38:14 +0000
From:    sigurd@vax1.udel.edu (Sigurd Andersen)
Subject: F-PROT experience, anyone?

Academic Computing Support at the University of Delaware is considering licensing F-PROT, a set of programs by Fridrik Skulason (frisk@rhi.hi.is). I'd like to know if anyone has reviewed or tested these programs, and what their experience has been. I can summarize responses if people are interested.

------------------------------

Date:    Thu, 02 Aug 90 10:07:50 +0000
From:    Drew
Subject: 4096 in Bradford, UK (PC)

Just for the record, here's a few details of a recent attack of the 4096 virus at the University of Bradford in the UK.

In May 1990 I found a copy on one of our machines in our department. Having identified it as 4096, I removed it with the latest version of the excellent Scan from McAfee. Talking to one of our students, she indicated it had come from our computer centre. It seemed the CC here has a version of Netscan installed on their Novell Networks which was not current enough to be able to detect it, hence they seemed to be lulled into a false sense of security. Anyway it was all removed eventually, but it was the most virulent viral attack at the University. Previously we've had Brain and Vienna on Computer Centre PCs, and nVIR B and WDEF B on their Macs.

Obviously if we have had it here it must be common within the UK, and perhaps more widespread in Europe and the US than people may imagine.

Drew Radtke

-----------
Janet:       Drew@uk.ac.bradford.central.cyber2
Internet:    Drew%cyber2.central.bradford.ac.uk@cunyvm.cuny.edu
Earn/Bitnet: Drew%cyber2.central.bradford.ac.uk@ukacrl
UUCP:        Drew%cyber2.central.bradford.ac.uk@ukc.uucp
Post:        Science & Society, University of Bradford, Bradford, UK, BD7 1DP.
Phone:       +44 274 733466 x6135
Fax:         +44 274 305340
Telex:       51309 UNIBFD G

PS Could Fridrik Skulason send me his notes on this virus as I am interested in his opinions and ideas?

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 138]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
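As an added example (not code from the digest, nor from Otto Stolz or the VTC), here is how the "Easy identification" data in the COM + 453 entry above translates into a file check plus the clean-up step the saved 3 bytes at offset 043 make possible. It assumes the entry JMP is a near E9 rel16 jump and that the 453 viral bytes are appended unchanged after the host, neither of which the entry states, and the infected file it builds is constructed from the published strings only, not a real specimen.

```python
"""Signature check and disinfection for the COM + 453 direct-action infector
as described in Otto Stolz's VTC entry.  ASSUMPTIONS not stated in the entry:
the leading JMP is a near JMP (E9 rel16) and the 453 bytes are appended
unchanged to the end of the host program."""
import struct

VIRUS_LEN = 453
# (offset relative to the JMP target, expected bytes), from the VTC entry
SIGNATURE = [(0x07, b"VIRUS"), (0x0D, b"*.COM"),
             (0x13, b"????????COM"), (0x52, b"TUQ.RPVS")]
ORIG_BYTES_OFF = 0x43   # entry: "original contents of 1st 3 bytes"

def jmp_target(image: bytes):
    """File offset a leading E9 rel16 jump points to, or None if no such jump."""
    if len(image) < 3 or image[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", image, 1)[0]
    # A COM image is loaded at IP 0x100, so file offset == IP - 0x100 and the
    # target file offset is simply 3 + rel, independent of the load address.
    return 3 + rel

def is_infected(image: bytes) -> bool:
    """True when the entry JMP lands on a 453-byte tail carrying the strings."""
    tgt = jmp_target(image)
    if tgt is None or tgt < 0 or tgt + VIRUS_LEN != len(image):
        return False
    return all(image[tgt + off:tgt + off + len(s)] == s for off, s in SIGNATURE)

def disinfect(image: bytes) -> bytes:
    """Restore the host's first 3 bytes from the viral body and drop the body.
    Returns the image unchanged when the signature does not match."""
    if not is_infected(image):
        return image
    tgt = jmp_target(image)
    orig = image[tgt + ORIG_BYTES_OFF:tgt + ORIG_BYTES_OFF + 3]
    return orig + image[3:tgt]

def build_sample(host: bytes) -> bytes:
    """CONSTRUCTED test file, not a real specimen: only the published strings
    and the saved host bytes are placed; the rest of the 453 bytes is zero."""
    body = bytearray(VIRUS_LEN)
    for off, s in SIGNATURE:
        body[off:off + len(s)] = s
    body[ORIG_BYTES_OFF:ORIG_BYTES_OFF + 3] = host[:3]
    rel = len(host) - 3          # jump from IP after the 3-byte JMP to the tail
    return b"\xE9" + struct.pack("<h", rel) + host[3:] + bytes(body)

if __name__ == "__main__":
    # constructed 8-byte host: mov ah,9 / mov dx,0110 / int 21 / ret
    host = bytes([0xB4, 0x09, 0xBA, 0x10, 0x01, 0xCD, 0x21, 0xC3])
    sample = build_sample(host)
    print("infected:", is_infected(sample), "host restored:", disinfect(sample) == host)
```

The size check (JMP target + 453 == file length) is what keeps a legitimate program that merely starts with a JMP from matching; the string checks alone would be too weak.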