VIRUS-L Digest   Tuesday, 11 Jun 1991    Volume 4 : Issue 100

Today's Topics:

Re: denzuko and semlohe viruses (PC)
Man Catches Computer Virus (light reading for comp.virus)
Re: Checksumming (was: Interesting advert) (PC)
Re: Hoffman Summary & FPROT (PC)
Re: Hong Kong on MircoTough dist. disks (PC)
MIBSRV Updates (PC)
Advice requested (PC)
Help to remove Joshi from partition table (PC)
Re: Scanning infected files (PC)
Is there a 1024 virus? (PC)
RE: Frisk's comment in V4 #99 on 'The Bulgarian Menace'

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    08 Jun 91 13:26:09 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: denzuko and semlohe viruses (PC)

p1@arkham.wimsey.bc.ca (Rob Slade) writes:

>... two alternative translations for "Den Zuk" were "The Sweet" (or "The
>Sugar") and "The Knife".

Ah - this is not correct.  I have contacted the author of the virus, and
got the whole story from him - quite an interesting story, in fact.
Anyhow, "Denzuko" is just his nickname.

- -frisk

------------------------------

Date:    Sat, 08 Jun 91 19:31:07 +0000
From:    richards@cse.uta.edu (David Richardson)
Subject: Man Catches Computer Virus (light reading for comp.virus)

Disclaimer: Reproduced WITHOUT permission.
These quotations are intended to inform the network reader of the
public-media usage of the term "virus" as it relates to computer virii.
Persons who wish to read the entire article are encouraged to do so.

From _WEEKLY WORLD NEWS_ 6/18/91 (on newsstands 6/3/91) page 29:

"MAN CATCHES COMPUTER VIRUS!" by Michael Todd, special correspondent.

John Stevens has a lot in common with his home computer: Both think
logically, both like numbers and both are sick with a virus - the same
virus!

Stevens, a computer programmer who works out of his home in a
Philadelphia suburb, is convinced his lingering and debilitating illness
is something he got from his sick computer.  And the victim's doctor
agrees.

[rest of article not posted]

By the way, the WEEKLY WORLD NEWS can be found in major supermarkets
near the National Enquirer, the SUN, and similar tabloid newspapers.

We now return you to your regularly scheduled newsgroup.

- --
David Richardson        U. Texas at Arlington     +1 817 856 6637
PO Box 192053           Usually hailing from:     b645zax@utarlg.uta.edu
Arlington, TX 76019-2053 USA                      b645zax@utarlg.bitnet
SPAN: UTSPAN::UTADNX::UTARLG::B645ZAX
The Lord is my shepherd, I shall not want.

------------------------------

Date:    08 Jun 91 15:40:46 +0000
From:    ccml@hippo.ru.ac.za (Mike Lawrie)
Subject: Re: Checksumming (was: Interesting advert) (PC)

RADAI@HUJIVMS.BITNET (Y. Radai) writes:

> Mike Lawrie writes:
>>They [checksum programs] don't cater for this scenario:-
>>
>>1. Somehow infect the RAM of your PC with a COM/EXE targetting
>>   virus, such as Plastique (eg run an infected program from a
>>   floppy, or from a network).
>>2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE
>>   files on your hard disk, and thus infects each and every such
>>   file _after_ SCAN has pronounced them virus-free
>>..
>First of all, Step 2 of this scenario is certainly not characteristic
>of COM/EXE infectors in general, as you seem to imply.  (E.g., it
>won't happen with the Jerusalem virus.)
>It has to be a very special
>virus to do this.

We were hit with Plastique.  Having inspected it, there seemed to be
reason for me to believe that other viruses might use a similar method
to trigger the infection algorithm.

> Secondly, what you have described shouldn't happen with SCAN, since
>before scanning it checks for the presence in RAM of viruses which act
>in this way, and that includes Plastique, unless you're using an old
>version of SCAN.  (If this really did happen to you with a *recent*
>version, contact McAfee.)

Indeed, McAfee contacted me (good company, they were concerned).  We
had an old SCAN at the time, but sooner or later this scenario will
re-occur, as you will get hit with a similar type of virus that McAfee
has not yet catered for, even if you have their very latest version.
You then end up with your RAM infected, but you are living in
Disneyland (like we did) believing otherwise, and you then proceed to
zap your hard disk.  Sure, theory says that it won't happen.  hahaha.

> Finally and most important, suppose we have a virus in memory which
>SCAN or some other program does not recognize, and the above scenario
>does occur.  What does this have to do with checksumming programs??

We have a checksumming program as well - the original article to which
I tried to reply asked for comments on such a thing.  The checksumming
program indeed may let you know that you _have_ been infected - big
deal, in my opinion, if any advert lulls you into a sense of security
because you have a checksummer in place.  A checksummer gives you no
security whatsoever, because it does not prevent a viral infection.
Not that much else does either, for that matter, but that is not the
point; the advert needs to be taken with a hefty pinch of salt.  Just
that our experience that I wished to share was that with a checksummer
in place and use of SCAN, you can end up with every last EXE/COM file
on your hard disk looking very sick indeed.
Mike

- --
Mike Lawrie
Director Computing Services, Rhodes University, South Africa
..............................................
Rhodes University condemns racism and racial segregation

------------------------------

Date:    10 Jun 91 03:57:56 +0000
From:    Ray.Mann@ofa123.fidonet.org (Ray Mann)
Subject: Re: Hoffman Summary & FPROT (PC)

Richard Travsky was asking how come Patricia Hoffman's Virus Summaries
keep making reference to only a very old and outdated version of F-PROT
(v1.07), where the current version is v1.15, going for 1.16 and into
v2.0 very soon:

> Any reason why such an old version is used?

My suspicion is that this is probably a result of some antagonism
between Frisk and McAfee, whom Patricia Hoffman follows so closely.
Frisk is a competitor...

- --- Opus-CBCS 1.14
 * Origin: Universal Electronics, Inc. [714 939-1041] (1:103/208.0)

- --
Ray Mann
Internet:   Ray.Mann@ofa123.fidonet.org
Compuserve: >internet:Ray.Mann@ofa123.fidonet.org

------------------------------

Date:    Mon, 10 Jun 91 17:21:19 +0000
From:    dwe29248@uxa.cso.uiuc.edu (Derek William Ebdon)
Subject: Re: Hong Kong on MircoTough dist. disks (PC)

One thing that Mr. Doss forgot to mention is that although Central
Point Anti-Virus v1.0 can easily remove the Azusa virus from a floppy,
it cannot remove the virus from a hard drive.  The only way to
disinfect a hard drive is to redo the low level format because the
virus infects the boot sector and the DOS partition.  A high level
format will not remove the virus, nor will simply removing the DOS
partition with the fdisk program.

Derek Ebdon

------------------------------

Date:    Mon, 10 Jun 91 12:16:29 -0500
From:    James Ford
Subject: MIBSRV Updates (PC)

By Tuesday, June 11 the files VSUM9105.ZIP and VSUM9105.TXT will be
placed on mibsrv.  Sorry for the delay.  Various other files have also
been updated (thanks for the info, Keith!).  A complete listing will be
sent out tomorrow (June 11).
Other notes:

The IBM RT system on which the mibsrv files reside will be gone by June
28.  The new system administrator for the College of Eng. has informed
me that I will be allowed to transfer all of the archives from
130.160.20.80 to a new RISC 6000 machine.....however, the IP address is
unknown at this time.  Mibsrv will stay up at least until the 28th of
June.  As soon as I know the IP address of the new machine and get the
files transferred over, I'll let you know.

I have enjoyed keeping mibsrv stocked with ibm-antiviral files and will
try to make the transfer as painless as possible (famous last words).

- ----------
It has yet to be proven that intelligence has any survival value.
- ----------
James Ford - JFORD@UA1VM.UA.EDU, JFORD@mib333.mib.eng.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)

------------------------------

Date:    10 Jun 91 23:02:33 +0000
From:    gregm@sail.labs.tek.com (Greg Montgomery)
Subject: Advice requested (PC)

I am a SW Eng. for a 500 company, and I got volunteered to come up with
some software to check out the PC's in our area.  Is there a software
package that can be LEGALLY swapped between multiple PC computers, and
is not necessarily a resident program?  I have been looking at Norton,
Central Point, and Virex; however, I would be interested in a list of a
few more programs that are tailored for multiple PC inspection.
Thanks in advance,
Greg

------------------------------

Date:    11 Jun 91 07:37:36 -0700
From:    CCA3607@SAKAAU03.BITNET
Subject: Help to remove Joshi from partition table (PC)

I tried to use clean77 to remove it.  I got the virus removed and ran
the computer from new DOS, but after I turned the power off and started
again I found it again.  Any help appreciated.

Terry jawberh
cca3605@sakaau03.bitnet

------------------------------

Date:    Tue, 11 Jun 91 17:11:00 +1200
From:    "Mark Aitchison, U of Canty; Physics"
Subject: Re: Scanning infected files (PC)

ACDFINN@vm.uoguelph.ca (Finnegan Southey) writes:

> In regards to the problem of anti-viral programs infecting files
> they scan when a memory-resident virus is present: Wouldn't it be
> possible to read disks sector by sector instead of opening files
> through DOS calls?

Yes, you can do that, and there could be other advantages too: (a)
potentially faster execution (if you are doing a whole diskette, you
can organise things to reduce head movement), and (b) bypass some
viruses, which intercept int 21 or int 13.  There are some limitations,
basically involving incompatibility with some network software, RAM
drives, etc, but quite a good idea for most purposes.  The latest
version of my CHECKOUT program uses this; earlier versions didn't check
files - just the boot sector - but used int 40 instead of int 13 for
similar reasons.

Ultimately, anti-virus software is going to directly access the disk
controller (or possibly do far calls to the BIOS), to be certain of
avoiding smart viruses, and relying on DOS will be unthinkable (as it
*should* be now).

This leads me to a thought... suppose a virus-removal program gets rid
of the virus from disk, but the infected sectors still exist in (say)
an Extended memory cache system.  Has anyone guarded against this?

Mark Aitchison, Physics, University of Canterbury, New Zealand.
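As an added example (not from the digest or any of its posters), the sector-level approach Mark describes above, worked through in Python on a constructed FAT12 image: the boot-sector BPB, the FAT and the root directory are read at raw byte offsets and each file's contents are reassembled by following its cluster chain, so no file is ever opened through the operating system's file calls. The image, the single file in it and the signature searched for are all constructed here.

```python
import struct

SECTOR = 512

def build_image():
    """Constructed 8-sector FAT12 image: boot sector, one FAT, one root-dir sector, data."""
    boot = bytearray(SECTOR)
    # BPB: bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors, media, sectors/FAT
    struct.pack_into("<HBHBHHBH", boot, 11, SECTOR, 1, 1, 1, 16, 8, 0xF0, 1)
    boot[510:512] = b"\x55\xaa"
    # FAT12: entries 0/1 are media and end markers, cluster 2 -> 3, cluster 3 -> end of chain
    fat = bytes.fromhex("f0ffff03f0ff").ljust(SECTOR, b"\0")
    content = (b"hello from sector walker\n" * 30)[:600]   # 600 bytes, spans two clusters
    entry = bytearray(32)
    entry[0:11] = b"HELLO   COM"                          # 8.3 name, space padded
    entry[11] = 0x20                                      # archive attribute only
    struct.pack_into("<HI", entry, 26, 2, len(content))   # first cluster, file size
    root = bytes(entry).ljust(SECTOR, b"\0")
    return bytes(boot) + fat + root + content.ljust(2 * SECTOR, b"\0") + bytes(3 * SECTOR)

def fat12_entry(fat, n):
    off = n * 3 // 2                                  # 12-bit entries packed 2 per 3 bytes
    val = fat[off] | (fat[off + 1] << 8)
    return val >> 4 if n & 1 else val & 0x0FFF

def walk_files(img):
    """Yield (name, data) for each root-directory file, located purely by sector arithmetic."""
    bps, spc, reserved, nfats, root_entries, _, _, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    fat_start = reserved * bps
    fat = img[fat_start:fat_start + spf * bps]
    root_start = fat_start + nfats * spf * bps
    data_start = root_start + root_entries * 32
    for i in range(root_entries):
        e = img[root_start + 32 * i:root_start + 32 * (i + 1)]
        if e[0] == 0x00:
            break                                   # no further entries
        if e[0] == 0xE5 or e[11] & 0x18:
            continue                                # deleted, volume label or directory
        cluster, size = struct.unpack_from("<HI", e, 26)
        body = bytearray()
        while 2 <= cluster < 0xFF8:                 # 0xFF8..0xFFF mark end of chain
            start = data_start + (cluster - 2) * spc * bps
            body += img[start:start + spc * bps]
            cluster = fat12_entry(fat, cluster)
        name = e[:8].decode().strip() + "." + e[8:11].decode().strip()
        yield name, bytes(body[:size])

def scan_image(img, signature):
    """Names of files whose contents contain the given (constructed) signature bytes."""
    return [name for name, body in walk_files(img) if signature in body]
```

The same walker can be pointed at a raw image taken from a real diskette with a sector-level dump tool; the limitations Mark mentions (network drives, RAM drives) apply because those have no raw sectors to read.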
------------------------------

Date:    Mon, 10 Jun 91 19:50:52 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Is there a 1024 virus? (PC)

sorrell@triton.unm.edu (Stan Orrell) writes:

> Can anyone suggest an explanation of our observation on several
> computers (various IBM pc types) of a result from chkdsk of 654336
> bytes of total memory?

A number of viral programs would fit this bill, the most obvious being
the ubiquitous "Stoned".  Check the boot sectors of your boot disks
with your Norton utilities.

=============
Vancouver        p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for    Robert_Slade@mtsg.sfu.ca | computer, don't
Research into    (SUZY) INtegrity         | turn it on."
User             Canada V7K 2G6           | Richards' 2nd Law
Security                                  | of Data Security

------------------------------

Date:    11 Jun 91 13:11:00 +0200
From:    Jørgen Olsen
Subject: RE: Frisk's comment in V4 #99 on 'The Bulgarian Menace'

How about making the thing political?  If 'certain countries' expect
'other countries' - e.g. (ours) to financially bail them out of up to
74 years of infrastructural mismanagement we could at least demand that
they kill their virus factories before we open our purses!!

Maybe we should all tell our respective governments - the EEC - the
World Bank etc about this ??

A topic for the coming Virus-conference ??

J Olsen
University of Odense
Denmark

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 100]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253