VIRUS-L Digest Monday, 17 Jun 1991 Volume 4 : Issue 103 Today's Topics: Re: Hong Kong on MircoTough dist. disks (PC) re: Is there a 1024 virus? (PC) DOS 5 Fdisk (PC) Re: Hypercard Antiviral Script? (Mac) Request for info on BBS viruses, worms, etc Possible PC Virus (PC) Re: Virus scaners (PC) Re: Help With Frodo & Yankee Doodle (PC) Infected networks (PC) Re: Questions about "Disinfectant" (Mac). Getting register contents, etc. "on the fly." (PC) Problems removing Azusa (PC) Re: Is there a 1024 virus? (PC) Fprot v1.16 (PC) Why I didn't find the virus.exe (PC) Re: Hoffman Summary & FPROT (PC) New address and hostname for MIBSRV (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Thu, 13 Jun 91 11:43:07 -0500 From: csfed@ux1.cts.eiu.edu (Frank Doss) Subject: Re: Hong Kong on MircoTough dist. disks (PC) dwe29248@uxa.cso.uiuc.edu (Derek William Ebdon) writes: >One thing that Mr. Doss forgot to mention is that although Central > . . . >it cannot remove the virus from a hard drive. The only way to >disinfect a hard drive is to redo the low level format because the For those of you with IDE hard drives, contact Seagate. They are selling Disk Manager (version 4.1 or later is needed) for $6.00. This version of Disk Manager will format the boot sector, partition table, and the data sections of the disk, but not the error table. You might want to ask Seagate and your vendors for details. I am not endorsing Disk Manager, but merely reporting what Mr. Ebdon has reported as what worked for him. Thanks, Derek, for the reminder. I hope your machine is working much better now. ;-) Frank E. Doss Eastern Illinois University ------------------------------ Date: Thu, 13 Jun 91 12:52:56 -0400 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: re: Is there a 1024 virus? (PC) >From: Arthur Buslik <74676.2537@CompuServe.COM> > >As Rob Slade suggests, one possibility is a virus. However, a much >more likely possibility is that the computers have extended bios >extended data areas. This is certainly a vialble alternative. However, if running DOS 4.0 or later, CHKDSK will "normally" detect this and return "655360" anyway. A few years ago, when we received or first Compaq 386-20e in we discovered the same thing: 1k missing from the TOM & DEBUG revealed it to be essentially zero-filled (obviously not executable). After much prodding, Compaq told us that it was a buffer area for the mouse driver and that there is a jumper on the motherboard that can be moved to restore the missing 1k. Whenever a new machine comes in, it is a good idea to take some baseline data for later reference. For me, any time Int 12 is lowered, I check the memory area in question. If executable code is found, unless known, a look is taken at other system integrity areas for a reason. If nulled or obviously data, the manufacturer is called for an explination (often a frustating & time consuming experience). Padgett Somewhere West of Orlando ------------------------------ Date: 13 Jun 91 14:26:07 -0400 From: BARNOLD@YKTVMH.BITNET Subject: DOS 5 Fdisk (PC) Readers might want to play with an undocumented /MBR switch in DOS 5 FDISK. It appears to force FDISK to overwrite the code in a PC/PS2 master boot record, without touching the partition table, and in limited testing on a half dozen machines it succeeded in cleaning up machines infected with the Stoned, the Stoned 2, and the Joshi viruses. This was with the DOS 5 shipped by IBM, not Microsoft's DOS 5; can somebody please test MS-DOS 5? The Joshi can't be removed this way unless it isn't active in memory. (e.g. cold boot from a write protected, uninfected bootable DOS 5 disk with a copy of FDISK on it.) The command line syntax tested was FDISK /MBR Bill Arnold barnold@watson.ibm.com ------------------------------ Date: Thu, 13 Jun 91 18:38:36 +0000 From: EIVERSO@cms.cc.wayne.edu Subject: Re: Hypercard Antiviral Script? (Mac) Mike writes... - ------------------------------------------------------------------ The main problem is that there is no way to catch the parameters of the SET function in HC 2.1. - ----------------------------------------------------------------- I write... According to the release notes, you can catch the parameters of a Set in HC 2.1 But that doesn't matter since a Send to HyperCard is untrappable. Mike later writes... - ----------------------------------------------------------------- The problem with this is that a field of all stacks that have been checked needs to be kept, and everytime that a stack is opened, the field must be examined to see if this particular stack has been checked. - ------------------------------------------------------------------ I write... Unfortunately if the virus stack traps for the OpenStack Message it becomes harder to know when a new stack has been opened. You could have the user induce the checking proceedure, but then it would be too late and your Home Stack script could be wiped out or other worse things could happen by then. Mike again.... - -------------------------------------------------------------------- As I said before, if anyone else feels like beating me to the punch with a solution of their own, feel free - but don't you DARE charge $$ for it. - -------------------------------------------------------------------- Me again... The only solution seems to be, check your Home Stack periodicaly, or lock it, and always make backups of important stacks. Apple MUST prevent using a Set command within a Send to HyperCard or no stack will be safe!! Sounds scary doesn't it? >Mikey. >Mac Admin >WSOM CSG >CWRU >mike@pyrite.som.cwru.edu and me... - --Eric ------------------------------ Date: Thu, 13 Jun 91 15:33:00 -0500 From: TK0JUT1@NIU.BITNET Subject: Request for info on BBS viruses, worms, etc We are putting together a list of viruses, worms, or trojan horses specifically aimed at BBS software or are capable of being implanted in a system through BBS procedures (e.g., new user information, uploading zip files). We *ARE NOT* looking for viruses that are spread *on* BBSs by sharing of software, but rather for programs speficially designed to attack a system *using* BBS software, such as the recent bug in Telegard that allowed a user to access the system using zip files. We are trying to update a story for CuD. Responses can be sent to: jthomas@well.sf.ca.us or tk0jut2@niu.bitnet Jim Thomas / Sociology-Criminal Justice / Northern Illinois University ------------------------------ Date: Thu, 13 Jun 91 13:36:04 -0700 From: "robert c. morales" <7340P@NAVPGS.BITNET> Subject: Possible PC Virus (PC) I have a Packard Bell with an 80386X-16 Mhz CPU. It runs on MS-DOS 4.01 and a Dosshell 4.0. Everytime I do work on the computer (word processing, networking, games, etc.) DOS seems to create (on its own) a file, named numerically or alpha-numerically but in a random fashion, of about 15K in size (with a range of from 7K to 17K). When you try to view the file (which incidentally sits among the DOS files), you can make out that it is bits and pieces of what is on the hard drive. Initially, it has not affected any other program on the hard drive. However, two days ago, the DOS files appeared to have replicated themselves with such names as EDLIN._OM and AUTOEXEC._AT, all of which were 77 bytes in size with the same dates and times. This necessitated reformatting the hard drive. Also, the Dosshell was removed from the AUTOEXEC.BAT. Right now, the problem seems to have been corrected, whatever it was. Is anybody familiar with this problem? Most other resource people I I have consulted about this have indicated that they have only heard about this on Packard Bell computers. Any tips? Robert Morales 7340p@navpgs 7340p@cc.nps.navy.mil ------------------------------ Date: Wed, 12 Jun 91 23:57:53 -0700 From: msb-ce@cup.portal.com Subject: Re: Virus scaners (PC) In a recent VIRUS-L posting Dennis Hollingworth said: > I tested McAfee's SCAN77 using Rosenthal Engineering's new > release of Virus Simulator (I've seen posted as VIRSIM11.COM > on EXEC-PC, Compuserve and others). It seems that SCAN77 > misses three boot sector viruses that SCAN76 found on > the same disk. Both versions of SCAN found nine viruses > in the .COM, four in the .EXE and seven in the test memory > virus. Since no real virus was present all of these "hits" could be regarded as false alarms, theoretically. We must be careful to distinguish what is being tested here. Just because a particular anti-viral product does not declare a particular test string to be a virus, we cannot say that the scanner has failed. A good case can be made for saying that the simulator failed. The only "test target" that can be used is the entirety of a virus, and at that point you no longer have a "simulator", you have the real thing. Fritz Schneider ------------------------------ Date: Fri, 14 Jun 91 16:05:27 +0000 From: dave@nucleus (Dave Coder) Subject: Re: Help With Frodo & Yankee Doodle (PC) Alan@aj.ds.mcc.ac.uk (Alan Jones) writes: > FRODO & YANKEE DOODLE > > Has anyone got any information on these two viruses. > They have just arrived on the campus ( 2000+ computers ), Norton Antivirus 1.0.0 gets both Yankee Doodle (various forms) and Frodo (4096). You can install as RAM-resident program to check incoming files. It works. Dave dcoder@milton.u.washington.edu ------------------------------ Date: Fri, 14 Jun 91 13:12:04 -0700 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Infected networks (PC) padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes: > In this case I had such a self-check program (1400 bytes) that just > checks its own length & checksum. If it passes, the program exits, if > it fails, the client machine displays a warning message and is locked > up. In this manner, the server application files are protected from > infection (are never called by an infected client). Each client gets a > new copy of the "goat" file so clean clients are not affected, and > infected clients are identified. I have been reviewing a product from Bangkok called Victor Charlie that takes a similar approach. An intriguing concept. I hope to be able to release the review shortly. ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ Date: Sat, 15 Jun 91 01:09:56 +0000 From: lunde@casbah.acns.nwu.edu (Albert Lunde) Subject: Re: Questions about "Disinfectant" (Mac). firmiss@cae.wisc.edu writes: > 1. I believe since version 2.0, Disinfectant had the ability to install > a protection INIT. The thing is only 5k... What does it DO?... > Does it just give a warning if something is being infected? > What does it look for? It is small because it is written in assembly, with no configuration options. It tries to prevent virus infection from being successful, and issue an informative message via the notification manager. The means used to block infection vary according to the virus. Like Disinfectant it is effective against a list of known viruses, and tries to be specific enough to avoid false alarms. It does not scan files on every inserted disk for say, nVIR. > 2. I remember hearing that using Disinfectant AND the old virus > protection > CDEV(?) "Vaccine (TM) 1.0.1" was a bad idea (Vaccine somehow > rendered the > Disinfectant INIT useless or something to that effect). > Is it also a good idea to remove the INITs "KillVirus" (Icon is a > needle with the word nVIR next to it). and "Kill WDEF - virus INIT" > (Icon is just a standard document icon)? I know these are pretty old > too. (at least I don't have "Ferret" and "Kill Scores" and those > other > related relics) We are currently advocating that general users at Northwestern use only the Disinfectant INIT and not Vaccine or Gatekeeper Aid, and that they get periodic updates. The risk from unknown viruses seems balanced by the reduced grief to general users. The rate of virus spread is slow enough that this is workable. Vaccine presents unclear messages, bombs on application startup under many real infections and is bypassed by other newer viruses and has a few minor bugs unrelated to viruses. Gatekeeper Aid has occasionally removed the CODE resources from my running applications. Like the other Gatekeeper tools, I think it is useful for advanced users, but too paranoid and subject to false alarms for average Mac users. There is a tradeoff between detecting suspicious activity and being quiet and specific. (See discussion in the Disinfectant online help.) I would not recommend "KillVirus" - it seems to be one of many early nVIR tools, that are not as generally effective as the Disinfectant INIT. I know nothing about "Kill WDEF - virus INIT", but it is not needed if you use the Disinfectant INIT. > 2a. Almost forgot... What about "SAM (TM) Intercept" INIT... I know it's > newer but do "SAM" and "Disinfectant" interfere with each other? I think that these can co-exist, but I don't remember which takes priority. > My current version of Disinfectant is 2.4... Is this the most current > one? I've had it for about 6 months now. Yes 2.4 is current - see John's prior post about it and system 7. Albert Lunde - Northwestern University This post represents neither NU Albert_Lunde@nwu.edu or John Norstad ------------------------------ Date: Fri, 14 Jun 91 15:09:32 -0500 From: Paul Coen Subject: Getting register contents, etc. "on the fly." (PC) If you want to find out what's in memory at a particular location, and you're lucky enough to be using a Zenith computer (at least, on every Zenith I've seen except the Eazy-PC -- it had a non-Zenith BIOS), you can press ctrl-alt-return (enter, whatever), at pretty much any time, and be thrown into what Zenith calls a "monitor program" -- the same one you get when you press ctrl-alt-ins. Only in this state, it shows you the memory contents at the current location. You can change, examine, etc. from this point. If you type "g" and press return, you'll go back to executing the program where you left off, assuming you didn't mess with anything important. It's essentially a built-in debugger. Apologies to anyone who doesn't have a Zenith, but look on the bright side, this feature can cause incompatability problems on rare occasions. ------------------------------ Date: 15 Jun 91 09:05:24 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Problems removing Azusa (PC) padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes: >From: dwe29248@uxa.cso.uiuc.edu (Derek William Ebdon) >One thing that Mr. Doss forgot to mention is that although Central >Point Anti-Virus v1.0 can easily romove the Asuza virus from a floppy, >it cannot remove the virus from a hard drive. The only way to >disinfect a hard drive is to redo the low level format because the >virus infects the boot sector and the dos partition. A high level >format will not remove the virus, nor will simply removing the dos >partition with the fdisk program. Well, this is of course not correct - a format is never necessary to get rid of a virus - boot sector or otherwise. However, Azusa is rather problematic, as it does not store the original PBR anywhere - it simply replaces it. (It is easy to remove Azusa from diskettes) Suggested solutions: 1) Use NU to zero out the PBR, then use NDD to rebuild it. 2) Use a disinfection program which can replace the PBR with a "standard" PBR - such programs exist. - -frisk ------------------------------ Date: 15 Jun 91 09:12:01 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Is there a 1024 virus? (PC) Arthur Buslik writes: >As Rob Slade suggests, one possibility is a virus. However, a much >more likely possibility is that the computers have extended bios >extended data areas. : >Moreover, INT 15H, AH=C1H will return the segment address >of the base of the extended bios area. Well, not always - I have a HP/Vectra, where the BIOS reserves a 4K area just below the 640K mark. However, INT 15H, AH=C1H is not implemented in the BIOS (I know - I traced through it), and INT 15H, AH=C0H will return the information that no Extended BIOS area is used. - -frisk ------------------------------ Date: Sat, 15 Jun 91 09:46:41 -0400 From: Jeff Subject: Fprot v1.16 (PC) Is Fprot v1.16 avaiable yet? If so where can I ftp it? Thanks. ------------------------------ Date: Sun, 16 Jun 91 01:19:14 -0400 From: Daniel Pan Subject: Why I didn't find the virus.exe (PC) A friend of my got viruses. I use scan v77 to check it found the partition table was infected by sotned and the file C:\DOS\KILL\VIRUS.EXE was infected by jerusalem. I also use Virx 1.14 to check the C drive, the only hard drive she has, and find stoned-b. But I could not find the file VIRUS.EXE exist. The kill subdir only has four files and neither is VIRUS.EXE. Does any one know what happened ? could it be a hidded file or Scan gave the fault alarm ? But the Clean did doing very well when cleaned those viruses. I cleaned the hard disk before I thinking about this question! ------------------------------ Date: Sat, 15 Jun 91 23:34:48 -0700 From: p4tustin!ofa123@uunet.UU.NET (ofa123) Subject: Re: Hoffman Summary & FPROT (PC) I think it's just too bad that Hoffman's summary keeps ignoring the latest versions of F-PROT. The SCANV shown is always the latest issue. Frisk, are you looking for distribution sites in the US? I may have a couple of systems that would be interested in becoming official distribution sites for F-PROT. Please let me know. - --- Opus-CBCS 1.14 * Origin: Universal Electronics, Inc. [714 939-1041] (1:103/208.0) - -- Ray Mann Internet: Ray.Mann@ofa123.fidonet.org Compuserve: >internet:Ray.Mann@ofa123.fidonet.org ------------------------------ Date: Sun, 16 Jun 91 10:56:44 -0500 From: James Ford Subject: New address and hostname for MIBSRV (PC) The mibsrv antiviral site (MIBSRV.MIB.ENG.UA.EDU) is moving to the new location RISC.UA.EDU (130.160.4.7). The directory structure will remain the same. At this time, all ibm-antivirus have been moved over. The solutions directory (pub/games/solutions) will me moved Monday. MIBSRV (130.160.20.80) will stay up until June 26. After that time, it will be gone / kaput / lost_in_time / lost_in_space. Please make any necessary changes in your script / information files regarding this. If you have any problems, please let me know. /\/\/\/\/\/\/\/\/\/\/\/\ /\/\/\/\/\/\/\/\/\/ - ---------- Life is one long process of getting tired. - ---------- James Ford - JFORD@UA1VM.UA.EDU, JFORD@mib333.mib.eng.ua.edu The University of Alabama (in Tuscaloosa, Alabama) ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 103] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253