Date: Wed, 9 Jan 91 15:21:27 EST From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V4 #7 To: Multiple recipients of list VIRUS-L VIRUS-L Digest Wednesday, 9 Jan 1991 Volume 4 : Issue 7 Today's Topics: Re: Strange Problem Running Disinfectant 2.4! (Mac) Joshi & Stoned 2 (PC) Stoned Virus (PC) Re: SCAN program for IBM's (PC) MIBSRV back up & new files (PC) F-DRIVER boot check (PC) (c) BRAIN id and disinfection (PC) Re: nVIR-like resources... (Mac) Computers at Risk book - how to order - (General) Info on resident virus scanner. (PC) discovering 170x infection path (PC) obscure procedure in Yankee Doodle (PC) Stoned (PC) VM, MS-DOS and Virex (PC, I *think*) WP 8 byte bug (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Tue, 08 Jan 91 20:33:07 +0000 From: geoffb@eleazar.dartmouth.edu (Thumper) Subject: Re: Strange Problem Running Disinfectant 2.4! (Mac) GREVE@WILMA.WHARTON.UPENN.EDU (Michael Greve) writes: > > program works great on 15 of the machines. When I run it on the > last machine, the program calls up fine, but in the upper right > hand corner where it should normally tell you which drive/partition > you are currently scaning, the program comes up with a blinking message > saying insert a disk to be checked. This lab is networked using ... > 2 partitions and scan them. On this last machine, the name of the > server shows up for a quick second then it changes to the flashing > message. I've tried running it from diskette and the hard drives and > still get the same message. I can't get it to work at all. I saw a similar problem on a machine which has a Disinfectant Preferences file which had been configured for Scanning Station Mode (which is supposed to behave this way). Discard the prefs file and try again. - -Geoff Bronner '91 Student Consultant, Dartmouth College Computing Services - -- geoffb@Dartmouth.EDU | Student Consultant Fieyrnt! Alpha Theta TeddyBear. | Kiewit Computation Center Channel Z. All static, all | HB 6028, Dartmouth College =-=-=-=- day, forever. - The B-52's | Hanover, NH 03755 (603) 646-3417 ------------------------------ Date: Tue, 08 Jan 91 13:41:24 -0800 From: Jeffrey <3501P@NAVPGS.BITNET> Subject: Joshi & Stoned 2 (PC) My IBM PC has been hit with 2 viruses, Stoned-2 and Joshi. The computer hangs when we try to boot, and now it looks as if the hard-disk has been affected. What long range effects do these viruses have on recovering files from the Hard-disk? I have never heard of Joshi. I thought Stoned-2 just affected the boot-up. Do either of these viruses affect the FATS table or somehow make recovery of disk files impossible? How about using something like Norton utilities to get these files off the disk? Are we totally screwed? The guy that is "curing" the problem indicated that the two viruses in combination created some sort of unique problem and that Joshi may be a "Friday the 13th" type bomb. Any info, on the list or direct to me would be appreciated. Thanks very much. We are in the Central California area, BTW. --Jeffrey ------------------------------ Date: 07 Jan 91 05:33:01 +0000 From: jhp@apss.ab.ca (Herb Presley, Emergency Planning Officer) Subject: Stoned Virus (PC) Last week I wrote............. > I have had a problem with the "Stoned" virus on my 8088 based XT. > After the virus appeared on Christmas Day, I reformatted (high level) > the hard drive and reconfigured the partition table using FDISK. > Although the message appeared on Christmas Day, the only problem that > my PC seemed to develop was the inability to load RAMDRIVE.SYS at > bootup. Reconfiguring the partition table and reformatting the hard > drive do not seem to have helped RAMDRIVE.SYS to load. Further to my earlier posting, I got ahold of a copy of McAfee's SCAN program, and it confirmed that the [Stoned] Virus was still affecting my hard drive. So I have now managed to cure the problem, and for what it's worth to anyone, if interested, here's how: 1) I rebooted the system off my floppy system disks (DOS 3.3) which I had COPY PROTECTED! I then backed up all the files onto floppy disks using XCOPY making sure that I had removed drive "C" from the environment path variable; 2) I opened the Partitiion Table and Boot Sector with the Norton Utilities; 3) I OVERWROTE the entire partition table with "0", and wrote it to the disk; 4) I then repartitioned the disk using FDISK; 5) I then reformatted the disk from the system floppies like so - A> format c: /v/s 6) I scanned all floppy disks with the McAfee program PRIOR to copying them to the hard drive. Where I found an infected disk, I repeated the same treatment I had given the hard disk with Norton Utilities. (You can copy the files from a floppy of which you have overwritten the Boot Sector provided that you are careful NOT to overwrite the FAT) and then reformatted them from the system floppies (which I knew to be clean). 7) The problem is solved. The PC is now, according to the McAfee program, clean! And the RAMDRIVER is loading a-ok. Hope this helps anyone else who has been infected by the [Stoned] virus. (By the way, I don't know if you've noticed but the person who wrote the message "Your PC is Stoned! LEGALISE MARIJUANA!" doesn't even know how to spell legalize.......heh! heh! And I'll bet he thinks he's smart.) And one other thing, a warning! I think I picked up the virus from a fairly reputable software company's disks that I purchased several months ago - a word processor, no less! It looks like some this major company may have a snake in the woodpile. I can't mention their name here, however I will be taking my case up with them so that they can call in the mongoose brigade. But be warned! These stupid viruses come from the most unexpected and innocent places! Check everything. If you don't have a copy of a good scan program, I would suggest that you get one. - ------------------------------------------------------------------------------- DISCLAIMER: Any views expressed here are mine alone and do not represent those of this organization email : jhp@apss.ab.ca mail : 10320 - 146 St., Edmonton, Alberta, Canada T5N 3A2 phone : (403) 451-7151 ------------------------------ Date: Tue, 08 Jan 91 15:33:14 +0000 From: Douglas Barlow Subject: Re: SCAN program for IBM's (PC) > Date: Tue, 08 Jan 91 13:52:32 +0000 > From: Mr Gordon S Byron > Subject: Auto-scanning Virus Vaccine? (PC) > > I am interested in finding a DOS antivirus program which would > automatically scan disks as they are inserted. ideally, something like > SAM II on the Mac. I noticed a reference to a program called McAfee's > scan. Is that an auto-scan antivirus program? Only one problem with that idea: How can the machine tell when a disk is inserted? There isn't any type of sensor in IBM floppy drives like in the Mac. Doug Barlow ------------------------------ Date: Tue, 08 Jan 91 17:09:18 -0600 From: James Ford Subject: MIBSRV back up & new files (PC) MIBSRV (130.160.20.80) is back up. There will probably have to be some minor adjustments to make in the operating system, but anonymous FTP users should be able to access the antiviral files in pub/ibm-antivirus with no problem. If there *is* a problem, please let me know so I can correct it. The following files have been uploaded to 130.160.20.80 into the directory pub/ibm-antivirus: netscn72.zip clean72.zip vshld72.zip scanv72.zip - ---------- The ladder of success is easier to climb when laid flat. - ---------- James Ford - JFORD@UA1VM.UA.EDU, JFORD@MIBSRV.MIB.ENG.UA.EDU THE University of Alabama (in Tuscaloosa, Alabama USA) ------------------------------ Date: Tue, 08 Jan 91 11:25:39 -0800 From: p1@rlyeh.wimsey.bc.ca (Rob Slade) Subject: F-DRIVER boot check (PC) sulistio@sutro.SFSU.EDU (Sulistio Muljadi) writes: > F-driver.sys does not check drive A for any possible boot sector virus F-DRIVER does not check the disk per se, but when the boot process starts F-DRIVER, it will check memory for any resident viri. It will then terminate the boot process, forcing you to boot from a clean disk. ------------------------------ Date: Tue, 08 Jan 91 11:56:34 -0800 From: p1@rlyeh.wimsey.bc.ca (Rob Slade) Subject: (c) BRAIN id and disinfection (PC) ecs50145@zach.fit.edu ( COLDENHOFF) writes: > I do not quite understand how this boot sector virus was able to > contaminate my disks without actually booting from them. Does DOS Someone recently explained this, although I can't remember the terms he used for the different "processes". Again, though, if you stick the disk in the A: drive and power on, "reset" or , then the program on the boot sector of the A: drive disk will be loaded. Even on a "non-system" disk there is a program in the boot sector. It usually prints "Non-system disk. Replace and press any key to continue" on the screen. A BRAIN infected disk will load BRAIN into memory *and then* run that message. You remove the disk and replace with the proper system disk and hit a key, and the machine "boots" the proper system files *but BRAIN is still active.* And, of course, infects any disk it reads from then on. > Does anybody know what the typical virus scanner looks for in > reference to this virus? I hope it doesn't just look for the label - Interesting that the (c) BRAIN label doesn't show up on your disks. As BRAIN was one of the very early viri, and fairly obtrusive, it is also one of the most widely "altered" viri. However, if you have a version that is even *close* to the original, most of the scanners should find it. The early "hackers" didn't do much messing with it's core code. You can probably it yourself. PCTOOLS, F-BOOT and many other utilities will "show" you the boot sector contents, and there is a lot of text in BRAIN so it should be obvious. (You can even do it with DEBUG if you can find the right numbers.) Disinfection is fairly easy. F-DISINF works perfectly, SCAN/D should work OK, even good old SYS will take care of BRAIN. Provided you "boot clean" first. ------------------------------ Date: 08 Jan 91 23:45:10 +0000 From: kevin@crash.cts.com (Kevin Hill) Subject: Re: nVIR-like resources... (Mac) I beleive that a way to "vaccinate" a Mac against nVir is to create a resource with the nVir type and when nVir tries to infect it, it bumps into the nVir resource already there and fails. If I am wrong, please correct me everyone.. Thanks. ------------------------------ Date: Wed, 09 Jan 91 10:47:42 -0500 From: Colin Lay Subject: Computers at Risk book - how to order - (General) In December there were submissions about available studies. The General Accounting Office produced one that was recently announced as being available by anonymous FTP I believe. The National Research Council has published a much longer study entitled "Computers at Risk - Safe Computing in the Information Age". It is available from the National Academy Press in Washington. Telephone orders are accepted at 1-800-624-6242 for US customers or (202) 334-3313 for those of us who can't access the 800 number. They will accept VISA, MasterCard or American Express. Their book code is COMRIS and the price is $19.95. Quantity discounts are available. Colin M. Lay,Assoc. Prof. Fac. of Administration, Univ. of Ottawa Tel. (613)564-7015 FAX (613) 564-6518 "Any opinions expressed are mine, not necessarily those of my employer." Acknowledge-To: ------------------------------ Date: Wed, 09 Jan 91 10:52:45 -0500 From: Subject: Info on resident virus scanner. (PC) This is in response to your posting on VIRUS-L. I think a McAfee program called VSHIELD may be just what you are looking for. The program, once loaded, scans all COM, EXE, and OVR files as well as any files being copied, etc. It has the added feature of scanning the floppy drive whenever a warm boot is requested, to prevent any inadvertent introduction of viri if an infected disk is accidently left in the drive. You should be able to download this from several archives in the UK. Check Virus-L back logs for a full listing of archive sites. The file will be named VSHIELD72.ZIP. Mark A. Stoffan Graduate Student, New England Studies Consultant, Academic Computing Services University of Southern Maine IP85272@PORTLAND.MAINE.EDU ------------------------------ Date: Wed, 09 Jan 91 17:26:16 +0000 From: Martin Zejma <8326442@AWIWUW11.BITNET> Subject: discovering 170x infection path (PC) hello hunters | During autumn I worked out a TurboPascal 5.5 ( without OOP , so just 5.0 ) program , that tries to show the infection path of a group of infections with the 1701/1704 Virus , found with (no brackets) (170X) when using SCAN. The virus stores the 32-bit system clock from 0040:006C or something like that, --> ( you get the TIME when the virus gets resident ) 2) it stores the jump instruction to the eof from the previous infection ( so you get the length of the previous infected file while being resident) 3) and all the original interrupt-vectors , so you can seperate different envi ronments while infections occured 4) the original length of the current infected file all that stuff quite simple programmed. Now I want to know : IS this interesting enough to be posted in the VIRUS-L archives ??? Please send opinions ( to me directly or to the list , i'm a maniac reader ) especially the moderator of these fabulous list , Mr Ken van Wyk . Thank's for waisting your time Martin +-----------------------------------------------------------------------+ | Martin Zejma 8326442 @ AWIWUW11.BITNET | | | | Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria | +-----------------------------------------------------------------------+ ------------------------------ Date: Wed, 09 Jan 91 17:44:33 +0000 From: Martin Zejma <8326442@AWIWUW11.BITNET> Subject: obscure procedure in Yankee Doodle (PC) hello virus-proofed community | Last week i found the ( or a ) oh-so-old-but-never-found Yankee Doodle Virus at a friend , savely jailed on a floppy disk. I worked through the code quite heavy ,found nothing unbelieveable clever but : after copying the virus-code to the top of memory ( i worked hard to figure out the meaning of TOM in recent issues) , it gets the size of the absolute system memory for DOS from a word in the BIOS-segment ( 280h) multiplies this by various things to get the end of memory ( A000:0000 ) AND THEN ::: checksums 61 words starting from A000:014E ( or 012E , i'm not sure without the source next to me ) , simply adding all these 61 words together , and if the result is something like 0b52 , it writes a jump instruct ion into high memory , pointing to a small procedure which changes Int 13h (disk interupt). On my system ( a 286 Neat with 2 MB Ram running at 20 MHz 1 WS ) there is nothing accessible after a000:0000 , everything just HIGH-VALUE (FFh), not possible to change a byte . I tried using Shadow RAM enabled at A000 , but that also failed . SO THE ONE AND ONLY QUESTION : Are there systems where this part of memory is accessible or would the virus just overwrite a resident other virus when the value in the BIOS-segment is below 280h due to a previous (already running) infection ? Please many answers and soon , i'm puzzled Sincerly yours , Martin +-----------------------------------------------------------------------+ | Martin Zejma 8326442 @ AWIWUW11.BITNET | | | | Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria | +-----------------------------------------------------------------------+ ------------------------------ Date: Wed, 09 Jan 91 10:29:53 -0800 From: p1@rlyeh.wimsey.bc.ca (Rob Slade) Subject: Stoned (PC) jhp@apss.ab.ca (Herb Presley, Emergency Planning Officer) writes: > I have had a problem with the "Stoned" virus on my 8088 based XT. > After the virus appeared on Christmas Day, I reformatted (high level) > the hard drive and reconfigured the partition table using FDISK. Repartitioning and reformatting is a rather drastic way to deal with "Stoned". F-PROT and SCAN will both remove the infection fairly easily. However, none of these measures will be effective if the virus is still resident in memory. You can repartition all you like, "Stoned" will just pop right back in to your "clean" system unless you first boot from a clean source. Also, did you check your floppy disks? > Although the message appeared on Christmas Day, the only problem that > > I'm not even sure if the problems are related. > > Remember that the RAMDRIVE.SYS load worked prior to the appearance of the > "Stoned" virus. I didn't change any parameters prior to that time. I'm not sure they are related either. You say "Stoned" "appeared" on Christmas Day: how do you know that? Are you referring to the "Your PC is now Stoned" message? If so, you should know that the infection could have occured long before that. The message only appears on "1 in 8" boots, and its appearance is randomly generated. It might have been in your system for a long time before you got the message. I suggest you get a copy of F-PROT and check your system *and* floppy disks again. Since you are in Canada, you get antiviral programs and information from the SUZY Information Service. Check out the INtegrity section of the Information Networks. ------------------------------ Date: Wed, 09 Jan 91 10:14:28 -0800 From: p1@rlyeh.wimsey.bc.ca (Rob Slade) Subject: VM, MS-DOS and Virex (PC, I *think*) R3EJD@AKRONVM.BITNET (Evelyn Duncan) writes: > A friend of mine has an IBM-compatible computer and wants to dial into > the VM system here, but he needs a program that will prevent viruses Are you saying that he is worried about getting an infection, in some way, on his PC from an IBM mainframe running VM? If so, he can stop worrying, for some time at least. I assume he would be using some kind of terminal emulation package rather than being linked in some sort of network situation, but the worst that could happen is to act as a carrier for some sort of "mail virus/worm". That would still be the case whether or not he used a terminal in place of a PC, and whether or not he called in from outside, and would not affect his PC at all. (And in any case, it would be your problem. :-) ) > Virex. He called Virex's 1-800 number, but it was disconnected. The address and phone numbers I have for Microcom (makers of Virex, for the Mac, and Virex-PC) are: 3700-B Lyckan Parkway P. O. Box 51816 Durham, NC 27717 919-490-1277 fax 919-490-6672 They also have an office in England. A brief observation: Ross Greenburg, who wrote Flu-Shot, also wrote Virex-PC, and the scanner portion, VPCSCAN is *very* fast in operation. The documentation for the product is well written and helpful. You might also try the F-PROT and SCAN shareware protection products. ------------------------------ Date: Wed, 09 Jan 91 09:46:22 -0800 From: p1@rlyeh.wimsey.bc.ca (Rob Slade) Subject: WP 8 byte bug (PC) p1@rlyeh.wimsey.bc.ca (Rob Slade) writes: > The problem I encountered was that Word Perfect version 5.0, when > saving to 4.2 format (one of the options under F5) will save an > eight byte file *and erase the previous version, not just rename thee Since I posted this I have been in touch with Word Perfect. They have, apparently, not had any major reports of this type. Also *I have made some error* or this bug is intermittent. I swear I reproduced it ten times the day I found it, but I haven't been able to do it since. Some other option? A different file origin? I don't know. Anyway, to some up everything: 1) no, we still don't have any evidence for a Word Perfect specific virus; 2) operator errors or disk corruption can affect document files and 3) "there are some programs, Dr. Slade, man was not meant to delve into!" :-) ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 7] **************************************** Downloaded From P-80 International Information Systems 304-744-2253