Date:    Thu, 10 Jan 91 13:57:04 EST
From:    "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #8
To:      Multiple recipients of list VIRUS-L

VIRUS-L Digest   Thursday, 10 Jan 1991    Volume 4 : Issue 8

Today's Topics:

Administrivia - Document archive update
Re: nVIR-like resources... (Mac)
Re: UK Computer Crime Unit
Re: MacVirusIndex (Mac)
Re: Prevent hard disk infection? (PC)
Re: QEMM Virus? (PC)
Re: Addition to monthly postings?
Floppy disk detection (PC)
Re:Prevent hard disk infection? (PC)
Re: QEMM Virus? Followup from Quarterdeck (PC)
clean72.zip update (PC)
Virex Address (PC)
Various thoughts
Stoned in KC, Mo. (PC)
Re: Stoned Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    Thu, 10 Jan 91 11:54:55 -0500
From:    Kenneth R. van Wyk
Subject: Administrivia - Document archive update

I just put a README file in the VIRUS-L/comp.virus document archives
on cert.sei.cmu.edu (directory pub/virus-l/docs), and did some general
house-cleaning there.  The README contains a list and one-line summary
of all the files on the archive.

Don't forget that the docs are provided as a free service; if you have
submissions or updates, please feel free to send them in!  Just mail
them to krvw@cert.sei.cmu.edu.
Ken

------------------------------

Date:    09 Jan 91 22:55:51 +0000
From:    pasrich@boole.SEAS.UCLA.EDU (Puneet Pasrich/;093091;eeugrad)
Subject: Re: nVIR-like resources... (Mac)

kevin@crash.cts.com (Kevin Hill) writes:

>   I believe that a way to "vaccinate" a Mac against nVir is to create a
> resource with the nVir type and when nVir tries to infect it, it bumps
> into the nVir resource already there and fails.
>   If I am wrong, please correct me everyone..  Thanks.

You are correct in stating that you can "vaccinate" against the nVir by
creating dummy resources and pasting them into each application.
However, this will not be met with a favorable response from your
favorite anti-viral program.  I'd recommend not creating these dummy
resources, unless for whatever reason, you are not allowed to use a
program like Disinfectant or SAM.

- --
==============================================================================
== Puneet Pasrich ============ Internet: pasrich@seas.ucla.edu ==============
== Karate Kid ================ Macs rule, and that's all there is to it ======
== In Capitalism, man exploits man.  In Communism, it's the other way around. =

------------------------------

Date:    10 Jan 91 00:10:11 +0000
From:    abvax!iccgcc.DNET!herrickd@uunet.UU.NET (daniel lance herrick)
Subject: Re: UK Computer Crime Unit

ccx020@cck.cov.ac.uk (James Nash) writes:
> XPUM04@prime-a.central-services.umist.ac.uk (Anthony Appleyard) writes:
>>>"The UK Computer Crime Unit hasn't got an email-address, nor do they
>>>read these UUCP-news.  Pandy
>>>pandy@spiff.hut.fi"
>>
>>If they aren't in contact with the computing world, how can they operate
>>effectively?  If they can't email, and have to rely on GPO mail and the
>>phone and personal visits, and can't get email circulars, they are going to
>>be way behind developments.  Can't they afford a microcomputer and a modem?
>
> The reason why the UK CCU has such a small budget is because their
> superiors do not believe there is a problem.
> If more people in the UK
> actually reported viral infections as crimes then the police might be
> interested in solving those crimes.  We are years behind America and
> other nations in this respect.

Is there a system manager geographically near them who reads this and
could invite them over to get acquainted?  Show them some of the
existing cooperative anti-vandal effort?  Give both you and them new
resources?  Offer them access to the net through your system, either by
phone or by coming to your facility to use a local terminal?

dan herrick
herrickd@iccgcc.decnet.ab.com

------------------------------

Date:    Thu, 10 Jan 91 02:14:44 +0000
From:    jstewart@rodan.acs.syr.edu (Ace Stewart)
Subject: Re: MacVirusIndex (Mac)

jwright@uwila.cfht.hawaii.edu (Jim Wright) writes:

>Andreas "Pandy" Holmberg (pandy@spiff.hut.fi) has pointed out to me
>that there is a MacVirusIndex available from nic.funet.fi in the
>directory /pub/mac/doc.  Does anyone know if this is available from an
>archive site in the U.S.?

Yup sure is!  On icarus.cns.syr.edu (128.230.1.49) in /virus is a copy
of the file.  Being one of the SysAdmins for that system, I am always
interested about these things, and if people have requests, let me
know...

Cheers!
Ace

>(Please don't everyone grab this file from
>Finland.  Wait until it shows up a bit closer to you.)  I haven't seen
>this, so I don't know how it compares to the Virus Encyclopedia Stack.

I agree wholeheartedly.

- --
| Ace Stewart (Jonathan III)                              |A  /\     |
| Affiliation: Eastman Kodak Company.  Rochester New York |  _/  \_  |
| Internet/ARPA: jstewart@rodan.acs.syr.edu               |  \_  _/  |
| Bitnet: jstewart@sunrise.bitnet                         |    /\  A |

------------------------------

Date:    10 Jan 91 09:17:07 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Prevent hard disk infection? (PC)

MONAT%UOTTAWA@acadvm1.uottawa.ca writes:

>Is there any way to prevent a virus from infecting a hard disk when
>you cold boot with an infected diskette in drive a: ?
Not without additional hardware I'm afraid.  Any program run from
AUTOEXEC.BAT or CONFIG.SYS is run after the disk has booted, and
(possibly) infected the hard disk.  You can get software which will
detect the infection as soon as it happens, but to prevent it, you need
additional hardware, which will prevent writes to the hard disk, unless
some conditions are met.

- --
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |

------------------------------

Date:    09 Jan 91 09:47:04 +0000
From:    Mark Hughes
Subject: Re: QEMM Virus? (PC)

rtravsky@CORRAL.UWyo.Edu (Richard W Travsky) writes:

>This appeared in a recent Info-Ibmpc digest.  Figured I'd pass it on.
> ...deleted...
>From: David Kirschbaum
>Subject: Reported QEMM virus
>Received from the Fido Dr. Debug Echo, 1 Jan 91.
>David Kirschbaum
>Toad Hall
>FROM: Richard Crain           Area # 23 ( Dr. Debug )
>TO: ALL
>SUBJECT: Virus
>I have found what appears to be a virus on the factory supplied disk
>from Quarterdeck on the QEMM386 V5.1 diskette in the Optimize.com and
>install.exe programs.  These 2 programs contain a HEX signature of
>EAF0FF00F0 which indicates the possible presence of the 648 virus.

I have checked my QEMM v5.0 master disks and find this signature also
occurs in the same named files, but which are obviously much older.
They are dated 9 March 90 on my disk.  I have been using QEMM v5.0 for a
good few months (can't remember exactly when I bought it) and have had
no reason to suspect virus infection of my system.  The age of QEMM v5.0
without apparent virus report is interesting.

In addition, McAfee's scan program 5.1v67 fails to complain about QEMM
v5.0 or v5.1 despite manual inspection showing that the signature does
appear as reported above.  A "Vienna/648" virus is described in the
McAfee documentation.

This is all fairly re-assuring to me, but it is possible that this is a
dormant virus just waking up.
It needs further investigation (by Quarterdeck I guess), but caution
rather than panic seems appropriate.

Hope this adds to the investigation.

[Ed. Please see followup below!]

Mark
- --
                                            ----------------
Eml: mrh@camcon.co.uk or mrh@camcon.uucp    | Mark Hughes    |  Tel: +44 (0) 223 420024
Cambridge Consultants Ltd.                  |(Compware & CCL)|  Fax: +44 (0) 223 423373
The Science Park, Milton Road,              ----------------   Tlx: 81481 (CCL G)
Cambridge, CB4 2JB, UK.

------------------------------

Date:    09 Jan 91 21:29:44 +0000
From:    CAH0@gte.com (Chuck Hoffman)
Subject: Re: Addition to monthly postings?

jwright@uwila.cfht.hawaii.edu (Jim Wright) writes:

> It has been suggested that I add a section to the monthly postings of
> archive sites that would explain what to do with ZIP, ZOO, ARC, HQX,
> SIT, etc. files.  Would you find this information useful?

I would find it useful, especially if you included in the "what to do"
information about upgrades to software like Stuffit, United, etc.

- -Chuck

- - Chuck Hoffman, GTE Laboratories, Inc. | I'm not sure why we're here,
cah0@bunny.gte.com                       | but I am sure that while we're
Telephone (U.S.A.) 617-466-2131          | here, we're supposed to help
GTE VoiceNet: 679-2131                   | each other.
GTE Telemail: C.HOFFMAN                  |

------------------------------

Date:    Thu, 10 Jan 91 12:31:00 +0100
From:    "Olivier M.J. Crepin-Leblond"
Subject: Floppy disk detection (PC)

>From: Douglas Barlow
>> From: Mr Gordon S Byron
>>
>> I am interested in finding a DOS antivirus program which would
>> automatically scan disks as they are inserted.  ideally, something like
>> SAM II on the Mac.  I noticed a reference to a program called McAfee's
>> scan.  Is that an auto-scan antivirus program?
>
>Only one problem with that idea:  How can the machine tell when a disk
>is inserted?  There isn't any type of sensor in IBM floppy drives like
>in the Mac.
>
>Doug Barlow

There are many types of 3 1/2 PC disk drives.  Some drives actually
detect a disk as soon as it is inserted.
This type is recognizable when the shutter door of the disk is heard to
slide as soon as the disk is inserted.  However, I think that the sensor
is a purely mechanical sensor (switch) which is connected to a solenoid
of some sort, which makes a small lever slide the shutter.

The second type of 3 1/2 disk drive slides the shutter open only when
the disk is accessed for the first time after being inserted in the
drive.

What one would need is some guidelines on the features a PC disk drive
should have.  Because of the number of cheap clones around, there is
still a long way to go.

Olivier M.J. Crepin-Leblond, Internet:
Communications & Signal Processing, Electrical Engineering Dept.,
Imperial College of Science, Technology and Medicine, London, UK.
>> If nothing else works: take disk.  take knife, use knife on disk.

------------------------------

Date:    Thu, 10 Jan 91 14:24:38 +0700
From:    Carlos Jimenez
Subject: Re:Prevent hard disk infection? (PC)

>Is there any way to prevent a virus from infecting a hard disk when
>you cold boot with an infected diskette in drive a: ?  (I should have
>written "when you unfortunately have left a diskette in drive a:" or
>"when you leave your computer unattended and someone boots from a
>diskette").
>
>Paul M. Monat   Lab Manager                  Phone: 613-564-6895/6500
>                Faculty of Administration    Fax: 613-564-6518
>                Canada K1N 6N5               Bitnet: Monat @ Uottawa

When you switch on the computer, the ROM BIOS checks the machine and
then searches for a diskette in drive A:.  If it can read a boot sector,
it reads it into 0000:7C00 and runs it.  (There are some BIOSes for
ATs, '386s and '486s that permit configuring which drive to start from
and store this information in CMOS memory.  I don't know if this is
your case).
When a boot sector virus infects a diskette (with or without operating
system) it can make a boot sector that can infect any hard disk using

- direct access to the hard disk port (I don't know any virus that uses
  this method actually),
- BIOS Int 13h Function 03 (Write sector) (like Stoned),
- DOS Int 26h (Write absolute sector) (like Bouncing Ball).

I don't know any solution through software for the first two methods of
infection, but I can suggest that you change the ROM or add some EPROM
that prevents boot from A:.

The third method of infection has a solution using software.  If you
clear the partition table of your hard disk, DOS can't recognize the
hard disk (as if it hadn't been low-level formatted), and Int 26h calls
will fail.  For a successful boot from the hard disk you must change the
original bootstart routine for another one, which writes the original
partition table and then reads the boot sector of the active partition
and executes it.  You must include a program that clears the partition
table again (I have a driver in CONFIG.SYS).

WARNING:
- This method forces two writes to the partition sector (to create and
  erase the partition table) in each warm or cold boot.  It can reduce
  the MTBF (Mean Time Between Failures) of this sector, and a write
  error can be dangerous.
- If you don't have DOS in the active partition, the problem is more
  complicated.  (I can send you some ideas).

Carlos Jimenez                     R+D Manager
Phone: +34 1 556 92 15             ANYWARE Information Security
       +34 1 556 92 16             General Peron, 32
Fax:   +34 1 556 91 58             28020 Madrid (SPAIN)
EUnet: cjimenez@anyware.es

------------------------------

Date:    09 Jan 91 01:52:25 +0000
From:    mitel!cunews!cognos!roberts@uunet.UU.NET (Robert Stanley)
Subject: Re: QEMM Virus? Followup from Quarterdeck (PC)

Dear Virus-L moderator,

With reference to the report of a possible virus in QEMM-386 v5.1, this
is not a virus.
I have already passed the enclosed information through to the
comp.sys.ibm.pc.digest moderator where this report first surfaced on the
Internet/Usenet.  I have been in touch with Quarterdeck Office Systems
because we make extensive use of QEMM-386 in our development
environment, and received the following FAX from them.

======================= Start of FAX =============================

Dear Mr. Stanley,

Thanks for forwarding the FidoNet message.  We will see if we can crawl
on FidoNet and set the record strait (sic).

For the record, the byte string "EA F0 FF 00 F0" can indeed be found in
the OPTIMIZE.EXE and INSTALL.EXE as well as QEMM386.SYS.  That code is
JMP F000:FFF0.  It is the way that we reboot the system.  It is an
intentional part of our code, not the result of a virus.  While
rebooting the system is something a virus might do, having this code in
your program certainly does not make you a virus.  If this is the
signature some virus scan program is using to detect the 648 virus, it
would seem they need to devise a more discriminating test.

Please be assured that our programs are produced under highly
controlled circumstances and that great care is taken throughout our
organization with respect to virus infection.  We are confident that
none of the products we have ever shipped have contained viruses.

Of course, our disk, like any unprotected diskette, is subject to
infection by a virus when it is installed on a machine which already
carries a virus.  If you are concerned about this, you should obtain and
run one of the many good virus detection programs, but again, the report
you forwarded does not indicate a virus.

Hopefully, all of this helps you breathe easier.

Stan Young
Technical Support

======================== End of FAX ==============================

We had no evidence of a virus on any of our systems, but I thought I
ought to inform them of this report.  I have informed Quarterdeck that I
am forwarding their reply to you.
I believe that you should publish this information as soon as possible,
to allay fears that may have been started by the wide dissemination of
the original report.  If you wish to cross-check my information before
publishing it (I, too, could be a malicious prankster), Quarterdeck's
standard phone line is (213) 392-9851, and their technical support line
is (213) 392-9701.

I have no connection with Quarterdeck other than as an extremely
satisfied user of QEMM-386.

Robert_S
- --
Robert Stanley    UUCP: uunet!mitel!cunews!cognos!roberts   | 3755 Riverside Drive
Cognos, Inc.      INet: roberts%cognos.uucp@ccs.carleton.ca | PO Box 9707, Ottawa
(Research)        Alice: (613) 738-1338 x6115 (EST/EDT)     | Ont  K1G 3Z4, Canada
[I haven't really lost my mind, I'm sure I have a backup on tape somewhere.]

------------------------------

Date:    Thu, 10 Jan 91 09:21:27 -0600
From:    James Ford
Subject: clean72.zip update (PC)

A bad copy of clean72.zip was put on mibsrv on January 9, 1990.  When
receiving the file from Homebase, line noise apparently trashed the file
transfer.  A clean copy of clean72.zip has been placed on mibsrv at
9:00am CST on Jan. 10, 1990.

Thanks to CSOCKWEL@UA1VM.UA.EDU and CASSI@UCSELX.SDSU.EDU for telling
me of the problem.

- ----------
You cannot antagonize and influence at the same time.
- ----------
James Ford - JFORD@UA1VM.UA.EDU, JFORD@MIBSRV.MIB.ENG.UA.EDU
THE University of Alabama (in Tuscaloosa, Alabama USA)

------------------------------

Date:    Thu, 10 Jan 91 09:12:55 -0700
From:    rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Subject: Virex Address (PC)

The January 7th PC-WEEK has a full page ad for virex on the back cover.
The address and phone numbers (definitely) are:

   Microcom Software Division
   3700-B Lyckan Parkway
   Durham NC 27717
   1-919-490-1277
   in Europe call 44 483 740763

There was no 800 number listed, so that apparently has been
discontinued.  A version of their software for PCs is listed as "new".
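The QEMM thread above (Mark Hughes's report and Quarterdeck's reply) turns on one point: the five bytes EA F0 FF 00 F0 are the encoding of JMP F000:FFF0, the ordinary real-mode way to reboot a PC, so a scanner that fires on that string alone flags any program that reboots the machine. The following is an added example, not code from the digest, from Quarterdeck, or from any scanner named in the thread. It assumes the reporting tool did a plain byte-string match (an assumption; the thread does not say how it worked), and every sample image in it is constructed for the demonstration rather than taken from QEMM or from the 648/Vienna virus.

```python
"""Added example, not from the digest: why the byte string quoted in the
QEMM thread, EA F0 FF 00 F0, makes a poor virus signature.

Every sample image here is constructed for the demonstration; none of the
bytes come from QEMM, from the 648/Vienna virus, or from any real file.
"""
import struct

# The five bytes the FidoNet report called a "648 virus" signature.
REPORTED_SIGNATURE = bytes.fromhex("EAF0FF00F0")

# Where an 8086-family CPU begins executing after reset: physical address
# FFFF0h, reached in real mode by a far jump to F000:FFF0.
BIOS_RESET_VECTOR = (0xF000, 0xFFF0)


def decode_far_jmp(code, offset=0):
    """Decode a 16-bit far JMP (opcode EAh, operand ptr16:16) at `offset`.

    The operand is little-endian: offset word first, then segment word.
    Returns (segment, ip), or None if the bytes there are not a far JMP.
    """
    if offset < 0 or len(code) < offset + 5 or code[offset] != 0xEA:
        return None
    ip, seg = struct.unpack_from("<HH", code, offset + 1)
    return seg, ip


def linear_address(seg, ip):
    """Real-mode segment:offset to the 20-bit physical address."""
    return ((seg << 4) + ip) & 0xFFFFF


def find_signature(image, signature):
    """Naive byte-string scanner: every offset at which `signature` occurs."""
    hits = []
    pos = image.find(signature)
    while pos != -1:
        hits.append(pos)
        pos = image.find(signature, pos + 1)
    return hits


def explain_hits(image, signature=REPORTED_SIGNATURE):
    """Scan, then decode each hit as an instruction.

    Returns a list of (offset, description).  A hit on this particular
    signature always decodes to JMP F000:FFF0, the ordinary real-mode way
    of rebooting the machine, so the match by itself says nothing about
    infection, which is exactly the point Quarterdeck made in its reply.
    """
    out = []
    for off in find_signature(image, signature):
        target = decode_far_jmp(image, off)
        if target == BIOS_RESET_VECTOR:
            desc = "far JMP F000:FFF0 (BIOS reset vector): plain reboot code"
        elif target is not None:
            desc = "far JMP %04X:%04X" % target
        else:
            desc = "signature bytes, but not a far JMP at this offset"
        out.append((off, desc))
    return out


# Constructed sample: a minimal reboot stub such as a utility might carry,
# CLI followed by the far jump to the reset vector.  Nothing else in it.
BENIGN_REBOOT_STUB = bytes.fromhex("FA") + REPORTED_SIGNATURE

# Constructed sample with no far jump at all: two NOPs and a RET.
HARMLESS_IMAGE = bytes.fromhex("9090C3")


if __name__ == "__main__":
    for name, img in (("reboot stub", BENIGN_REBOOT_STUB),
                      ("nop/ret", HARMLESS_IMAGE)):
        print(name, explain_hits(img))
```

Run stand-alone it reports one hit at offset 1 of the constructed reboot stub, decoded as the reset-vector jump, and none in the NOP/RET image. The practical lesson is the one Stan Young states: a signature this short, built from an instruction that legitimate code has every reason to contain, has to be qualified by context (more of the infector's code, or where the match sits relative to the file's entry point) before it is evidence of anything.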
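Carlos Jimenez's message earlier in this digest describes hiding the hard disk from DOS by keeping the partition table zeroed, so that a DOS Int 26h write from a boot-sector virus fails, with a replacement bootstrap that writes the real table back just long enough to boot and a CONFIG.SYS driver that clears it again; Padgett Peterson's note further down about making the hard drive "just not there to DOS" on a floppy boot rests on the same idea. The code below is an added example of that bookkeeping on a 512-byte master boot record image, written for this page and not code from the digest, from ANYWARE or from any of the products mentioned. It assumes the standard PC MBR layout (boot code in bytes 0-445, four 16-byte partition entries at 1BEh, the 55h AAh signature at 510-511); the geometry, partition type and sector counts in the sample are made up for the demonstration.

```python
"""Added example, not from the digest: the "clear the partition table so
DOS cannot see the hard disk" technique on a constructed MBR image.

Assumed layout is the standard PC master boot record: boot code in bytes
0..445, four 16-byte partition entries at 446..509 (1BEh..1FDh), and the
55h AAh signature at 510..511.  All partition values are made up.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE
ENTRY_SIZE = 16
TABLE_SIZE = 4 * ENTRY_SIZE
SIGNATURE = b"\x55\xAA"


def chs_bytes(cyl, head, sect):
    """Pack a cylinder/head/sector triple into the 3-byte MBR encoding."""
    return bytes((head & 0xFF,
                  (sect & 0x3F) | ((cyl >> 2) & 0xC0),
                  cyl & 0xFF))


def make_entry(bootable, ptype, first_lba, count, start_chs, end_chs):
    """Build one 16-byte partition table entry."""
    flag = 0x80 if bootable else 0x00
    return (bytes([flag]) + chs_bytes(*start_chs) + bytes([ptype])
            + chs_bytes(*end_chs) + struct.pack("<II", first_lba, count))


def parse_entries(mbr):
    """Return the non-empty partition entries as dicts (what DOS would see)."""
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        raw = mbr[off:off + ENTRY_SIZE]
        if raw == bytes(ENTRY_SIZE):
            continue
        first_lba, count = struct.unpack_from("<II", raw, 8)
        entries.append({"index": i, "bootable": raw[0] == 0x80,
                        "type": raw[4], "first_lba": first_lba,
                        "sectors": count})
    return entries


def has_signature(mbr):
    return len(mbr) == SECTOR and mbr[510:512] == SIGNATURE


def table_is_cleared(mbr):
    """True when all four entries are zero: DOS recognises no hard disk."""
    return mbr[TABLE_OFFSET:TABLE_OFFSET + TABLE_SIZE] == bytes(TABLE_SIZE)


def active_partition(mbr):
    for e in parse_entries(mbr):
        if e["bootable"]:
            return e
    return None


def clear_table(mbr):
    """What the CONFIG.SYS driver writes back after boot: same boot code and
    signature, partition entries zeroed.  Returns (cleared_mbr, saved_table).
    The saved table must be kept somewhere the bootstrap can find it."""
    saved = mbr[TABLE_OFFSET:TABLE_OFFSET + TABLE_SIZE]
    cleared = mbr[:TABLE_OFFSET] + bytes(TABLE_SIZE) + mbr[TABLE_OFFSET + TABLE_SIZE:]
    return cleared, saved


def restore_table(cleared_mbr, saved):
    """What the replacement bootstrap writes before chaining to the active
    partition's boot sector."""
    return (cleared_mbr[:TABLE_OFFSET] + saved
            + cleared_mbr[TABLE_OFFSET + TABLE_SIZE:])


def build_sample_mbr():
    """Constructed MBR: placeholder boot code and one bootable DOS partition."""
    code = bytes.fromhex("FA33C0").ljust(TABLE_OFFSET, b"\x00")  # CLI; XOR AX,AX; pad
    entry = make_entry(True, 0x06, 17, 20400, (0, 1, 1), (99, 15, 17))
    return code + entry + bytes(3 * ENTRY_SIZE) + SIGNATURE


if __name__ == "__main__":
    mbr = build_sample_mbr()
    hidden, saved = clear_table(mbr)
    print("normal   :", parse_entries(mbr))
    print("hidden   :", parse_entries(hidden), "cleared =", table_is_cleared(hidden))
    print("restored :", restore_table(hidden, saved) == mbr)
```

Two caveats carry straight over from the message. The method only defeats writes that go through DOS: a virus that writes with BIOS Int 13h, as Carlos says Stoned does, reaches sector 0 regardless of what the table says, so this is protection against one infection path, not all of them. And the cycle above costs two extra writes to the partition sector on every boot, which is the MTBF concern in his WARNING; a failed write during restore leaves a disk that neither DOS nor the bootstrap can use, so the saved table must live somewhere recoverable with a clean floppy.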
------------------------------

Date:    10 January, 1991
From:    Padgett Peterson
Subject: Various thoughts

Being a new year and having some time over the holidays to collect a
few thoughts on PC (IBM-type) viral protection.

First off, the only effective solution to unknown boot sector viruses
(as well as known ones) would have to be in the form of an Int 13
intercept, and the only time that the system is both stable and known
that software can affect is on the partition table read following POST
since neither DOS nor anything else has revectored the interrupts yet.
Since there is no way short of hardware to prevent floppy booting,
protection must take place here.  This way, even if an infection takes
place, it can be detected immediately, something I do not believe can be
guaranteed at any later time (e.g. in CONFIG.SYS or AUTOEXEC.BAT).

A second layer is some form of system protection that monitors the
operating system and prevents subversion.  The easiest method would be
to incorporate this into the "special" partition table but it must be
recognized as a separate task.

The next layer of protection would be authentication of files presented
to the operating system for execution such as any number of systems do
(Enigma-Logic's VIRUS-SAFE, McAfee's SCAN with the /AV, or the Dr. Panda
Utilities plus many others).  Such authentication can only be effective
if the operating system can be trusted when it is invoked.

Finally, some form of authentication or denial of unknown programs
presented to the system (floppies) must be provided, such as with
McAfee's VSHIELD, Fridrik's F-PROT, or CERTUS.  The trouble is that such
scanning is only good on known infections and must be kept up to date.
For many the thought of updating 5000 machines with no budget is
horrifying.

Intelligent application of these four elements should reduce risk of
infection to near zero and detect the remainder as soon as they happen.
Lately, I have been playing with some "smart" partition table programs
and other than the difficulty of debugging (when you make a mistake, on
boot the PC just sits there smiling at you) and proper handling of
registers in a 50h byte "niche", it is proving very interesting.  For
instance "fixing" a PC so that if it is booted from a floppy, the hard
drive is just not there to DOS is trivial and STONED/JOSHI/BRAIN attacks
are immediately detected.

Having fun in the Sun

Padgett

ps some of the techniques found could correct viral mistakes so I cannot
discuss these in an open forum or with unknown individuals; however, the
above should point to things to look for in a "good" anti-virus program
or mix of programs.

------------------------------

Date:    Thu, 10 Jan 91 12:47:57 -0500
From:    Arthur Gutowski
Subject: Stoned in KC, Mo. (PC)

Just got off the phone with a friend of mine in Kansas City, MO.  He has
been infected with the Stoned virus (don't know which variant).  He
apparently contracted the infection from a borrowed copy of Ontrack's
Disk Manager.  The diskette was obtained from the Computer Resale Center
in Kansas City.  He has not booted up with any other diskettes in quite
some time, so he strongly suspects the Disk Manager diskette.

Fortunately for him, he had already cleaned off the drive and was
preparing to low-level format the hard drive anyway.  He will start with
a cold boot from a clean diskette before proceeding (don't want to
spread the beast any further).  He has contacted the vendor and alerted
them to the problem.

As always, there are no guarantees, but it would seem that the Ontrack
diskette caused the infection.

Disclaimer:  This was meant for information only.  It was not intended
to nail anyone to the wall (except for the ******* that wrote the virus
to begin with!!)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"The problem with the future is that it keeps turning into the present."
                                                              -Hobbes
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   _        /|   Arthur J. Gutowski, System Programmer
   \'o.O'        MVS & Antiviral Group / WSU University Computing Center
   =(___)=       Bitnet: AGUTOWS@WAYNEST1   Internet: AGUTOWS@WAYNEST1.BITNET
      U          PH: (313) 577-0718         *or* AGUTOWS@cms.cc.wayne.edu
Bill sez "Ackphtth"

------------------------------

Date:    Thu, 10 Jan 91 06:44:04 +0000
From:    frank@cavebbs.gen.nz (Frank van der Hulst)
Subject: Re: Stoned Virus (PC)

jhp@apss.ab.ca (Herb Presley, Emergency Planning Officer) writes:

>Further to my earlier posting, I got ahold of a copy of McAfee's SCAN
>program, and it confirmed that the [Stoned] Virus was still affecting
>my hard drive.  So I have now managed to cure the problem, and for
>what it's worth to anyone, if interested, here's how:

Lots of stuff deleted here:

What you needed to do was to a) Boot from a clean copy-protected disk
(which you did), then b) Fix your HD boot sector.  Having done that,
Stoned is dead.  Finally, c) Go through your floppies with e.g. SCAN,
and treat them the same way...  Stoned can only get off the floppy if
you boot off the floppy.

>Hope this helps anyone else who has been infected by the [Stoned]
>virus.  (By the way, I don't know if you've noticed but the person who
>wrote the message "Your PC is Stoned!  LEGALISE MARIJUANA!" doesn't
>even know how to spell legalize.......heh! heh!  And I'll bet he
>thinks he's smart.)

Hate to say this, but he's smarter than you are!!!  LegaliSe is the
Queen's English as spoken here in NZ (where Stoned originated, and is
now at epidemic levels) -- your version is a mere vulgar Americanism.
:-)

>And one other thing, a warning!  I think I picked up the virus from a
>fairly reputable software company's disks that I purchased several
>months ago - a word processor, no less!  It looks like this major
>company may have a snake in the woodpile.
>I can't mention their name
>here, however I will be taking my case up with them so that they can
>call in the mongoose brigade.

Many software shops here open packages for demos, etc., then reseal
them.  It is not uncommon to find a virus on a disk in a "sealed"
package.

- --
Take a walk on the wild side, and I don't mean the Milford Track.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 8]
****************************************

Downloaded From P-80 International Information Systems 304-744-2253