VIRUS-L Digest Wednesday, 12 Jun 1991 Volume 4 : Issue 101 Today's Topics: Infected networks (PC) Economic Impact Of Viruses stoned/NDD (PC) Re: Hoffman Summary & FPROT (PC) Is This A Virus? (PC) Re: Questions about "Disinfectant" (Mac). Re: Help to remove Joshi from partion table (PC) MIBSRV file listing - June 11, 1991 (PC) Re: What is DOD? CCCP Virus (Amiga) Boot sector viruses on IDE drives RE: Frisk's comment in V4 #99 on 'The Bulgarian Menace' Virus scaners (PC) Protection evaluation with test virus: (PC) Re: MS-DOS in ROM (PC) Help to remove Joshi from partion table (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Tue, 11 Jun 91 10:52:14 -0400 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Infected networks (PC) Last week I had occasion to disinfect another large network with the Jerusalem (not ours - an outside company). The traditional respons is to take down the net, clean the server, and check all of the clients before reconnection. On reflection, this seemed inordinately inefficient so I came up with a new methodology which I offer for comment. Note: this works for Jerusalem, Sunday, and non-stealth infections which infect an executable before allowing it to run - please be aware of this limitation up front. The method was as follows: a) take down net & clean server b) remove non-essential applications c) replace essential applications with a batch file that 1) copies a clean selfcheck program from a writelocked directory 2) runs the self check program 3) runs the requested application In this case I had such a self-check program (1400 bytes) that just checks its own length & checksum. If it passes, the program exits, if it fails, the client machine displays a warning message and is locked up. In this manner, the server application files are protected from infection (are never called by an infected client). Each client gets a new copy of the "goat" file so clean clients are not affected, and infected clients are identified. Admittedly, this is a special case and directed to a small number of viruses, but they seem to be the most common. Comments ? Warmly, Padgett ------------------------------ Date: Tue, 11 Jun 91 16:23:49 -0500 From: Juan Jose Perez Bueno Subject: Economic Impact Of Viruses We need information about the economic impact of viruses around the world. Particulary damages produced to companies and/or users in Europe and U.S.A. We prefer information about lost job hours for viruses. Please e-mail me directly. I{ll summarize to the list. Thanks in advance ************************************************ * ___________ Juan Jose Perez Bueno * * l_ l Servicio de Informatica * * l l Universidad Autonoma de Madrid * * l o / Ctra de Colmenar Km. 15 * * < l 28049 Madrid (SPAIN) * * l_ ___/ Phone: +34 1 397 51 44 * * l/ E-Mail: * * * ************************************************ ------------------------------ Date: Tue, 11 Jun 91 08:39:16 -0700 From: Eric_Florack.Wbst311@xerox.com Subject: stoned/NDD (PC) In a note stamped: Mon, 10 Jun 91 19:50:52 -0700, Rob Slade suggests: =-=-=-= A number of viral programs would fit this bill, the most obvious being the ubiquitous "Stoned". Check the boot sectors of your boot disks with your Norton utilities. =-=-=-=" OUCH! I've had many reports that this is the best way to scramble the content of the disk, depending on what version of NDD you're using. Be careful on this one, Stan Orrel! Eric Florack:Wbst311:Xerox ------------------------------ Date: Tue, 11 Jun 91 10:07:41 -0600 From: rtravsky@CORRAL.UWYO.EDU (Richard W Travsky) Subject: Re: Hoffman Summary & FPROT (PC) Ray Mann [Ray.Mann@ofa123.fidonet.org] writes: > Richard Travsky was asking how come Patricia Hoffman's Virus Summaries > keep making reference to only a very old and outdated version of > F-PROT (v1.07), where the current version is v1.15, going for 1.16 and > into v2.0 very soon: > > > Any reason why such an old version is used? > > My suspicion is that this is probably a result of some antagonism > between Grisk and McAfee, whom Patricia Hoffman follows so closely. > Frisk is a competitor... _*IF*_ this is the case, then I would hate to see things take such a turn as "manipulating" the summary so as to make one package or another look good or bad. Once it is done to one package, what is to stop it form happening to another? And another? Will any package that offends be "punished" by making reference to old and less capable versions? (Or "punished" in some other manner?) The summary is an informative and valuable compilation of virus data. We users can only lose by seeing it prejudiced by mere commercial concerns. Must I be reduced to viewing the summary with a grain of salt? Richard Travsky Division of Information Technology RTRAVSKY @ CORRAL.UWYO.EDU University of Wyoming (307) 766 - 3663 / 3668 ------------------------------ Date: Tue, 11 Jun 91 19:13:46 +0000 From: gburlile@magnus.acs.ohio-state.edu (Greg Burlile) Subject: Is This A Virus? (PC) Recently our department has had some problems with all of the files in the root directory being erased (even the hidden system files). This happened about a week ago to one of our PCs and to two of our PCs today! I used the files that come with F-PROT that is site licensed here and could not find anything (F-PROT version 1.13). Is this a virus? I would appreciate any suggestions. Help! ------------------------------ Date: 11 Jun 91 19:36:40 +0000 From: ebates@madvax.uop.edu Subject: Re: Questions about "Disinfectant" (Mac). firmiss@cae.wisc.edu writes: >I've been using Disinfectant since version 1.6 and I've had a few >questions I've wanted to ask for quite a while. > >1. I believe since version 2.0, Disinfectant had the ability to install > a protection INIT. The thing is only 5k... What does it DO?... > Does it just give a warning if something is being infected? > What does it look for? I'm not John Norstadt, but I have seen the INIT function when I tried to run an infected program. It displayed a dialog box stating that the application was infected and that I should run Disinfectant to get rid of the virus. The application never was started and it went back to the Finder. >2. I remember hearing that using Disinfectant AND the old virus protection > CDEV(?) "Vaccine (TM) 1.0.1" was a bad idea (Vaccine somehow rendered the > Disinfectant INIT useless or something to that effect). > Is it also a good idea to remove the INITs "KillVirus" (Icon is a > needle with the word nVIR next to it). and "Kill WDEF - virus INIT" > (Icon is just a standard document icon)? I know these are pretty old > too. (at least I don't have "Ferret" and "Kill Scores" and those other > related relics) I have not experienced these problems. The only virus protection/eradication we use in our student labs is Disinfectant 2.4 (and INIT) and Gatekeeper Aid 1.1. Gatekeeper Aid automatically removes WDEF A. >2a. Almost forgot... What about "SAM (TM) Intercept" INIT... I know it's > newer but do "SAM" and "Disinfectant" interfere with each other? I have had no problems with Disinfectant and Gatekeeper Aid, and see no reason to go through the expense of SAM with all of this good, FREE stuff. > >My current version of Disinfectant is 2.4... Is this the most current >one? I've had it for about 6 months now. Yes, it's the most current version. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Edwin J. (Ed) Bates MADVAX Administrator/Postmaster Technical Support Specialist Internet: ebates@madvax.uop.edu Office of Information Technology AppleLink: U1441 University of the Pacific Telephone: (209) 946-2251 Stockton, CA 95211 Fax: (209) 946-2898 ------------------------------ Date: Tue, 11 Jun 91 19:49:42 +0000 From: paul%parsifal@econ.YALE.EDU (Paul McGuire) Subject: Re: Help to remove Joshi from partion table (PC) CCA3607@SAKAAU03.BITNET writes: >I try to use clean77 to remove , i get the virus removed i run the >computer from new dos after i put the power off when i started ifined >it again any help appreciation > > Terry jawberh You should examine the boot sector and see what else you can find. My symptoms were that I couldn't boot from the hard disk, and I found that I had been hit with Joshi and Stoned at the same time, and neither clean77 nor f-disinf (1.15) fixed it, though they both claimed that they had. (Immediately rerunning the respective program told me I was cured again.) I wound up doing a low level format, since I wasn't able to find a clean copy of the boot sector stashed away by either of them, and wasn't sure of what I was doing anyway. General question: Is there some way of rewriting the boot record without doing a low level format, or using a disk editor or debugger? For that matter, what does one use to do a low level format? Real IBMs don't come with low level formatting software. Paul McGuire Yale Economic Growth Center ------------------------------ Date: Tue, 11 Jun 91 14:35:28 -0500 From: James Ford Subject: MIBSRV file listing - June 11, 1991 (PC) Here is a listing of files available on MIBSRV as of June 11, 1991. Please inform me of any outdated files you see on this list. James Ford - JFORD@UA1VM.UA.EDU ============================= cut here =================================== 00uploads/ innoc5.zip uudecode.bas vcheck11.zip vsum9105.txt 0REVIEWS/ m-disk.zip uudecode.doc vcopy77.zip vsum9105.zip 0files.9106 navupd01.zip uudecode.pas vdetect.zip vtac48.zip INDEX.291 netscn77.zip uuencode.pas virpres.zip wp-hdisk.zip MsDosVir.291 pcvi4.zip uxencode.pas virsimul.zip xxdecode.bas MsDosVir.690 pkz110eu.exe vacbrain.zip virstop.zip xxdecode.c MsDosVir.790 scanv77.zip vaccine.zip virusck.zip xxencode.c avs_e224.zip secur222.zip vaccinea.zip virusgrd.zip xxencode.cms clean77.zip sentry02.zip validat3.zip vkill10.zip zzap54a.zip fp-115a.zip trapdisk.zip validate.crc vshell10.zip fshld15.zip unvir902.zip vc140cga.zip vshld77.zip htscan12.zip uu-help.text vc200ega.zip vstop54.zip ------------------------------ Date: Tue, 11 Jun 91 20:24:53 +0000 From: patel@mwunix.mitre.org (Anup C. Patel) Subject: Re: What is DOD? nautilus@jec310.its.rpi.edu (John M Twilley) writes: >NCKUS089@TWNMOE10.BITNET (Mac Su-Cheong) writes: > >> May someone please give me information on DOD Computer Security Center ? >>Is it possible to get reports or papers of DOD ? > >DOD stands for the United States Department of Defense. > >I am pretty sure that they publish unclassified information on >virii, but I wouldn't know where to find it. These are some of the documents I received from the NCSC (National Computer Security Center) several years ago. More info on NCSC follows. If anyone wants to contact the NCSA, I could dig up their phone number. Most of the documents listed below are at least 4-6 years old. Department of Defense (DOD) documents: ====================================== "Department of Defense Standard: Department of Defense Trusted Copmuter System Evaluation Criteria" "Department of Defense: Password Management Guideline" "Computer Security Requirements: Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments" "Technical Rational Behind CSC-STD-003-085 (see above): Computer Security Requirements " National Security Agency (NSA) documents: ========================================= "Information Systems Security: Products and Services Catalogue" "Computer Security Subsystem: Interpretation of the Trusted Computer System Evaluation Criteria" "Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria" "Design Documentation in Trusted Systems" "Configuration Management in Trusted Systems" "Glossary of Computer Security Terms" "Discretionary Access Control in Trusted Systems" "A Guide to Understanding Audit in Trusted Systems" "Personal Computer Security Considerations" **************************** Reprinted from the **************************** **************************** Computer Library **************************** Book: The Computer Glossary (The Electronic Version) * Full Text COPYRIGHT The Computer Language Co. Inc. 1990. - ----------------------------------------------------------------------------- Term: NCSC Author: Freedman, Alan. - ----------------------------------------------------------------------------- (National Computer Security Center) An arm of the U.S. National Security Agency that defines criteria for trusted computer products. The security levels in its Orange Book (Trusted Computer Systems Evaluation Criteria, DOD Standard 5200.28) follow. Each level adds more features and requirements. D - Non-secure system. Level C provides discretionary control. The owner of the data can determine who has access to it. C1 - Requires user log-on, but allows group ID. C2 - Requires individual user log-on with password and an audit mechanism. Levels B and A provide mandatory control. Access is based on standard DOD clearances. B1 - DOD clearance levels. B2 - Guarantees path between user and the security system. Provides assurances that system can be tested and clearances cannot be downgraded. B3 - System is characterized by a mathematical model that must be viable. A1 - System is characterized by a mathematical model that can be proven. Highest security. - ----------------------- End of Document ---------------------- ------------------------------ Date: 11 Jun 91 17:14:59 +0000 From: Tom Carter Subject: CCCP Virus (Amiga) Recently discovered the CCCP virus on one of my disks on 4 files. I am unfamiliar with this virus but was able to detect and (I hope) eradicate it by deleting the infected files and re-installing them off my WB disk. Can some virus wizard tell me about this virus and what it does? How bad is it? Also had Smily Cancer Virus a while back and thanks to advice found here, used MVK to get rid of that. Are there any other Virus Killer/Checkers which will detect SC? Thanx. ------------------------------ Date: Tue, 11 Jun 91 11:00:33 From: johnboyd@logdis1.oc.aflc.af.mil (John Boyd;LAHDI) Subject: Boot sector viruses on IDE drives It recently occurred to me that we get rid of most boot-sector viruses by routinely doing a low-level format on a drive. However, this is not possible on an IDE drive. So the question becomes; for an IDE drive, what DO you do to get rid of a boot sector virus? And yes, I am constantly telling the users that I support that they really should be scanning everything first; even before doing a directory, and all the other prudent precautionary steps, so hopefully we won't have a problem, but you know how that works. - ------------------------------------------------------------------------ Text contained herein is my personal opinion. This is not to be interpreted in any way as a position or statement of the DOD, USAF, or any other person or entity other than myself. ------------------------------ Date: Tue, 11 Jun 91 11:54:03 -0400 From: "Richard Budd" Subject: RE: Frisk's comment in V4 #99 on 'The Bulgarian Menace' Juergen Olsen writes in VIRUS-L Digest V4 #100: > How about making the thing political? If 'certain countries' expect > 'other countries' - e.g. (ours) to financially bail them out of up to > 74 years of infrastructural mismanagement we could at least demand > that the kill of their virus factories before we open our purses!! To take a page out of the computer underground, wouldn't it be more productive to incorporate these ' virus factories ' as part of the research into computer viruses. It could become both a source of income for nations like Bulgaria and a source of employment for bored or out-of-work programmers. ========================================================================= Richard Budd | Internet: rcbudd@rhqvm19.vnet.ibm.com VM Systems Programmer | Bitnet : klub@maristb.bitnet IBM - Sterling Forest, NY | Phone : (914) 578-3746 ========================================================================= ------------------------------ Date: Tue, 11 Jun 91 11:32:00 -0500 From: Subject: Virus scaners (PC) My PC was in the repair shop and I got a call from the guy there stating that there is a virus on my hard drive. I do not know what kind of virus it is. Can someone recomend a good virus scanner I can use to remove this virus. Thanks - -Payam ACCPHH@HOFSTRA.bitnet ------------------------------ Date: 11 Jun 91 21:45:13 +0000 From: Dennis Hollingworth Subject: Protection evaluation with test virus: (PC) (PC) Protection evaluation with test virus. Posted for Dan Hirsh (818) 505-2285 I tested McAfee's SCAN77 using Rosenthal Engineering's new release of Virus Simulator (I've seen posted as VIRSIM11.COM on EXEC-PC, Compuserve and others). It seems that SCAN77 misses three boot sector viruses that SCAN76 found on the same disk. Both versions of SCAN found nine viruses in the .COM, four in the .EXE and seven in the test memory virus. THESCAN, F-FCHK and VIRX also found the test viruses, but Norton's Anti Virus couldn't find anything. There's been a number of postings about scanner producers bragging that their scanners search for more viruses than the next guys. Well, it's not how many viruses your scanner looks for that counts.... It's how many you can find! ------------------------------ Date: Tue, 11 Jun 91 21:10:44 -0700 From: jesse%altos.Altos.COM@vicom.com (Jesse Chisholm AAC-RJesseD) Subject: Re: MS-DOS in ROM (PC) padgett%tccslr.dnet@mmc.com (Padgett Peterson) writes: | "William Walker C60223 x4570" writes: | | >We're writing from two different premises. Padgett is writing about | >MS- DOS actually running from ROM, while I'm writing about the DOS | >files, and the boot disk itself, being in ROM ( a ROM-disk, as opposed | >to a RAM-disk ). ... The method of booting from | >a ROM- disk ( with an infection-proof boot sector and system files ), | >which I wrote about, is not implemented at this time, to the best of | >my knowledge. Acer America in joint venture with Smith Corona has recently marketed a small 286 PC that has a ROM cartridge that is used as a ROM disk. SCC sells it as a PWP-100 (Personal Word Processor) and the software looks alot like their earlier WP machines. This is the first in a product line that has MS-DOS on ROM cartridge. Not all of DOS, just enough to boot. (IO.SYS, MSDOS.SYS, COMMAND.COM, AUTOEXEC.BAT, CONFIG.SYS, and maybe SHARE.EXE, HIMEM.SYS, ANSI.SYS, ..., and the WP software) | While I follow the premise better now, what you are talking about is | what I referred to in the third option - somehow swapping ROM | addresses for RAM addresses or possibly a "page frame" approach such | as used for expanded memory. It will take a special BIOS driver to | accomodate just like a RAM-disk requires a special driver and the data | areas will have to stay resident somewhere. The point is that there | are a finite number of addresses available and if some are used for | ROM then there are that many less for RAM unless some extra memory | management scheme is used such as that used for "shadow RAM" on 386s - | not difficult but requires a few extras. Acer's method doesn't use up RAM addresses, since the ROM card is seen as a read-only hard disk. The ROM card itself does use some IOcard address space since it is considered an expansion card by the hardware. | The point I was trying to make was that even with this type of | mechanism, the same holes exist in MS-DOS as did before. Some have | been moved (e.g. the first attackable point) so that specific | malicious software will be thwarted, but the hole still exists and | will just be exploited in the next crop. There is still NO integrity | management in MS-DOS. Sad but true. Jesse Chisholm | Disclaimer: My opinions are rarely understood, let jesse@altos86.altos.com | tel: 1-408-432-6200 | alone held, by this company. jesse@gumby.altos.com | fax: 1-408-435-8517 |----------------------------- ======== This company has officially disavowed all knowledge of my opinions. - -- "Question Authority!" -- Wallace Stegner "And that's an order!" ------------------------------ Date: Tue, 11 Jun 91 23:24:55 -0700 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Help to remove Joshi from partion table (PC) CCA3607@SAKAAU03.BITNET writes: > I try to use clean77 to remove , i get the virus removed i run the > computer from new dos after i put the power off when i started ifined > it again any help appreciation > > Terry jawberh > cca3605@sakaau03.bitnett I would suggest a slight reordering of your disinfection procedure. 1) Boot from a known, clean, write protected system floppy disk. 2) Then run CLEAN/FPROT/whatever to remove the infection. 3) Test your system again, and redo if necessary. 4) Reboot. ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 101] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253