VIRUS-L Digest   Wednesday, 10 Jul 1991    Volume 4 : Issue 121

Today's Topics:

Re: DOS 5.0 & FPROT116 (PC)
Stoned virus (PC)
Re: Self scanning executables (PC)
F-Prot on BBS. (PC)
Doodle Virus (pc)
T.S.R's ( Which is the best )
Keypress Virus (PC)
Re: Problem with GUARD (PC)
Re: Apology; Malicious Programs Definitions Revisited
Self testing; New viruses; Beta testing; Translations (PC)
re: Research
Virus Bulletin Conference

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    09 Jul 91 19:26:38 +0000
From:    shaunc@gold.gvg.tek.com (Shaun Case)
Subject: Re: DOS 5.0 & FPROT116 (PC)

SLCLANCY@UCI.BITNET (Steve Clancy) writes:

>A user recently posted this on our BBS.  Has anyone else experienced this?
>
>"I was wondering if anyone has experienced a problem with FPROT116.
>Since I installed it with msdos ver 5.00 it hangs my system with the
>message Virus Alert!! Int 13 has been changed.  I have tested and no
>virus is found.  If I disable f-driver in my config.sys file everything
>is ok.  All other programs associated with this program work fine.  Any
>thoughts or suggestions?"

I recently installed DOS 5.0 on a 25 MHz 486.  When I attempted to
install FPROT116 on the system, I got the exact same result you
describe above.

Shaun.
- -- 
shaunc@gold.gvg.tek.com
- -- 
100,000, perhaps 200,000 or more Iraqis died in a "Turkey Shoot"
inappropriately called a "war."  -- Michael Albert
The above work is in the public domain, unless it is a piece of email.

------------------------------

Date:    Tue, 09 Jul 91 20:45:42 +0000
From:    kenward@rocdec.roc.wayne.edu (Strahd Von Zarovich)
Subject: Stoned virus (PC)

Hello all you Virus Gurus.  The ever friendly Stoned Virus just hit our
office and luckily (???) there was only one casualty.  It seemed to wipe
out the partition table and both copies of the FAT.  I used Norton to
get back the partition table but it seems to be choking a little
getting the FATs back.  Any ideas?  I really hate to let it wipe out
files that it doesn't think are repairable.  Oh yeah, did I forget to
mention that this was my Boss's computer?  Thanks for ANY help.  A post
or e-mail are fine either way.

- -- 
Do you crave power?  Hate the living?  Then don't be afraid of the
Mists!  Come to Ravenloft!  Your New Island Home!
Jeff Kenward: kenward@rocdec.roc.wayne.edu

------------------------------

Date:    Tue, 09 Jul 91 19:04:10 -0400
From:    Jeff Boyd
Subject: Re: Self scanning executables (PC)

A friend of mine solved the self-scanning problem, and his solution
(with TC and TP code) is in the public domain.  A *true* CRC is
calculated.  Such a routine must solve a set of equations which
predict what the CRC will be after that same CRC is stored within the
program itself.  Since the CRC is stored somewhere within, it is
theoretically possible for the self-check to be cracked.  However, the
current estimate of time required for this is 3-4 hours on a 33-386
... too long for such action to escape your notice.

If there is interest in this item, let me know.  I'll contact the
author and ask if he can make it available for FTP somewhere.

jeff

------------------------------

Date:    Tue, 09 Jul 91 19:53:08 -0400
From:    IP85272@PORTLAND.BITNET
Subject: F-Prot on BBS. (PC)

Does anyone on this list know of a public BBS that usually has the most
recent F-PROT?  I will be closing my university Internet account in a
few weeks and would like to be able to access new versions as they are
released.  Does Frisk offer a mail update service to registered users?

Thanks for any responses.  You can E-mail me direct if you wish.

Mark Stoffan
University of Southern Maine
IP85272@PORTLAND (BITNET)
IP85272@portland.maine.edu (Internet)

------------------------------

Date:    Sat, 10 Jul 91 08:44:24
From:    "MUSTAFA T. ALGHAZAL"
Subject: Doodle Virus (pc)

Hello, one of our PCs here is infected by the Doodle virus.  We removed
it with the McAfee CLEAN software, but it came back.  Can anybody send
me some info about it, and a way to remove it?

Thanks a lot ....

Mustafa

 ____________________________________________________________________
| MUSTAFA T. AL-GHAZAL           || DEVMTG12@SAKFU00.BITNET          |
| ACADEMIC COMPUTING SERVICES    || VOICE: (966) 3-580-0219          |
| KING FAISAL UNIVERSITY         || COMPUTER CENTER                  |
| HOFUF-SAUDI ARABIA             || P.O.BOX 380                      |
|________________________________||__________________________________|

------------------------------

Date:    Wed, 10 Jul 91 08:10:48 +0000
From:    "Alan Jones"
Subject: T.S.R's ( Which is the best )

Alan J Jones
Manchester Computing Centre
University of Manchester
Oxford Road
M13 9PL
England
tele 061-275-6038
fax  061-275-6040

Does anyone have any feelings on what T.S.R. virus checker for the PC
gives the best protection whilst not using a vast amount of memory?  I
work at the University of Manchester and on site there are about 4000+
computers and all will need some form of protection from the students
(sorry, I meant viruses); at this moment the little cherubs are off on
holiday (peace, quiet, joy and bliss).  My task is to place some form
of protection on the computers before the hordes get back and start to
infect (sorry again, I meant to say use) the computers and in doing so
make my life a living hell.
The products that I have looked at so far are :-

   Dr Solomon's Virus Guard
   Norton Anti-Virus Virus Intercept
   McAfee Associates Vshield
   Vet Vet-Res

Bye for now

Alan ( MCC )

------------------------------

Date:    Wed, 10 Jul 91 12:23:00 +0000
From:    SRCU@EGFRCUVX.BITNET
Subject: Keypress Virus (PC)

HELLO EVERYBODY ..... I AM A NEW MEMBER IN YOUR GROUP.

I want to discuss a new virus in my LAN (I'm the LAN administrator),
which is KEYPRESS.  My LAN type is 10NET; the server is a TANDY 4000,
IBM compatible.  This virus's symptoms are:

1. Damaging the SCAN.EXE & the CLEAN.EXE files.
2. Hanging some of the commands of LAN loading, especially those
   managing the connection with a modem on an RS232 serial port.
3. Hanging the commands of management of the RAM extensions; I use the
   386MAX commands.
4. Finally, when scanning and cleaning from a write-protected floppy it
   makes horrible sounds trying to cut the protection shields.

Even when I succeed in removing them, they just come back again,
showing at the top right corner of the screen the word SAMSOFT.  I have
tried SCAN & CLEAN with McAfee SCAN ver. 6.9V75.

I WOULD LIKE TO KNOW OF ANY NEW ANTI-VIRUS PACKAGE AND ANY SUGGESTION
FOR PROTECTING THE LANS FROM VIRUSES.

MONIRA B.W. MOHAMED
PROGRAMMER, SYSTEMS ENGINEER
A.O.I. HEAD OFFICE

------------------------------

Date:    Wed, 10 Jul 91 15:01:00 +0300
From:    Y. Radai
Subject: Re: Problem with GUARD (PC)

Tim Martin writes:

>    I received GUARD from Y. Radai today.  I think I found a
>significant problem with it.  On rebooting from the hard drive, after
>an infection by "stoned", Guard removes stoned from the PBR but not
>from memory.  ....  If
>instead a floppy disk is formatted, chances are it will be infected
>with the stoned virus.  ....

As is stated in the GUARD.DOC file, "GUARD ... does not prevent
infection of RAM or of diskettes."  It is designed to protect only the
hard disk.
For protection of diskettes and memory you have write-protect tabs,
generic monitoring programs, known-virus scanners, etc.

Several people seem to be under the impression that GUARD is supposed
to be a panacea for virus problems, and are disappointed when they find
that it is not.  GUARD is intended to block a *specific security hole*:
that which occurs because ordinary anti-viral programs, such as those
mentioned above, don't get a chance to activate when booting is
performed from a diskette.  GUARD is not designed as a *substitute* for
other programs, but as a *supplement* to them.  Please judge it in that
light.

>In my opinion, "Guard" doesn't give us anything that is not already in
>Padgett's DiskSecure package.

Who ever said it does?  Actually, I haven't yet had the opportunity to
try DiskSecure (though I'm willing to bet that GUARD contains quite a
few features that DiskSecure doesn't).  I guess the most authoritative
answer on such a comparison will come from Padgett.

>When it is infected by a stealth virus (at least by the Empire family
>of viruses) guard does not permit the computer to be rebooted from the
>hard drive, and automatically remove the virus from the hard disk.

This is a serious claim, and will have to be investigated.  (That,
after all, is what testing is for.)  Thanks, Tim.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

P.S.  I take this opportunity to apologize to the person who received
six copies of the GUARD.UUE file.  (I sent only one, honest!)  And if
anyone who requested it has not received it within (say) 5 days of his
request, please write to me again.

------------------------------

Date:    Wed, 10 Jul 91 18:37:00 +0300
From:    Y. Radai
Subject: Re: Apology; Malicious Programs Definitions Revisited

William Walker writes:

>                                 Finally, postings from several people
>caused me to correct my spelling of the plural of "virus."  The
>correct spelling is "viri," according to the rules of spelling in the
>Lincoln Library of Essential Information (my dictionary doesn't have a
>plural listed for "virus").

NO, NO, NO.  (That's getting to be a popular retort.  Two people used
the very same expression when correcting a statement by Mike Ramey!)
Take into account the following facts:

1. Webster's Third New International Dictionary gives the plural form
   of the word explicitly; it's "viruses", not "viri" (and certainly
   not "virii"!!).

2. Since our use of the word "virus" is by analogy with the
   microbiological use, try looking at a book in that area.  Again,
   you'll find that the only plural used is "viruses".

3. As for the book you mention, take a closer look.  You might find
   (as I found in another grammar book) that not all words ending in
   "-us", even if they are of Latin origin, form their English plural
   by replacing the "us" by "i" (as in Latin itself); many simply
   suffix "es".  If you don't believe me, try using "boni", "circi",
   "chori", "campi", or "cauci" in a sentence.

Summary:  "Viri" is fine if you're speaking Latin, but in English it's
"viruses".

------------------------------

Date:    Wed, 10 Jul 91 15:06:33 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Self testing; New viruses; Beta testing; Translations (PC)

Several subjects...

Self-testing:

I wrote about a self-testing program yesterday - saying it was useless
against stealth viruses and overwriting viruses, but as others have
pointed out it is even worse than that - a routine which only checks
the program in memory is of no use whatsoever.

There exist programs for adding self-test to most programs, but they
cannot detect infection by Frodo and a few other sophisticated stealth
viruses.  It is possible for a self-test program to detect those
viruses, but I know of no such program available now - they are all on
the drawing board.

New companion virus:

Until now the only known companion viruses were AIDS II and TPWORM.
Now the third one has been discovered, and it is by far the most
sophisticated one.  It is a 351 byte COM virus, called Twin-351.
Unlike the other two companion viruses it stays resident in memory,
intercepting the FindFirst/FindNext calls.  As the files containing
the virus are also marked as "hidden", the virus is able to hide quite
efficiently, unless a program reads the directory directly.

Has anyone heard of this virus outside Norway ?

Mule:

One of the more interesting variants of Jerusalem is the 'Slow' virus.
It was first reported in Australia, but sources there say it may have
arrived from Thailand.  A related variant was discovered later in
California, and named Scott's Valley, after the place of discovery.
What makes these variants interesting is the addition of encryption -
apart from it they are more-or-less standard variants of Jerusalem.

Recently a new encrypted variant of Jerusalem was discovered in
Australia.  My personal opinion is that the viruses have a common
author, but this new one uses a different encryption algorithm, and is
not detected by the same pattern as the other two variants.  To detect
it, the following pattern can be used:

   Mule    2E8A 262F 0E3E 3027 43E2 FA59 585B 1FC3

(or, for users of F-FCHK)

   Mule    3+5m6kpjdmgjUlsuQbMSM-gEm7ZR7Wlgs+AFojmN5jwum94OmLjLjoAt5a5aMofWgN

The virus is 4112/4117 bytes long, and contains the text "My name is
Mule".

Beta-testing?

I am sending out copies of version 2.0 of my program to anyone willing
to do a bit of testing - let me know if you are interested.

Cracker Jack:

There is a crackpot in Milan, Italy who is producing an incredible
number of viruses.  Most of the viruses are variants of Murphy, or some
other viruses, which are available in source code form.  He gives them
names like "Exterminator", "Demon" and so on - expecting us to
distribute the viruses in the research community, and make him
"famous".
One of the viruses was not named according to his wishes - he called
one of them "Patricia", but in accordance with the rule that viruses
should not be named after virus researchers (therefore the "Solomon"
virus should be known as Jerusalem-1600/1605), it was named "Smack",
because of the following text it contains:

   Special message to Patricia Hoffman: I love you!!!!!!!!
   SmackSmack!!  Can you give me your telephone number???
   Ciao bellissima!

He did not like this name change, as is evident from a text message in
one of the viruses in the next batch we got from him:

   Patricia does not function correctly, because I haven't run it
   before send.  Now I'm debugging it ehehehehehahahahahahah
   Smack Virus....what a horrible name!!!!!!!!!!!!!!!!!!!
   Compliments to the Dark Avenger for the nice viruses
   excuse me if I create some variants of your beautiful viruses
   Viruses are a nice thing!!

His viruses are available on one of the Italian virus BBSes, and
probably elsewhere as well, but they are (as far as I know) not known
in the wild.

My question - he is probably going to continue creating viruses, but
should we play the game the way he wants?  What I would like to propose
is a name change - just group all his viruses together and give them a
name like "Stupid Jack" or "Crackpot", followed by a number.  We would
then have

   Crackpot-272   (not "Demon")
   Crackpot-1951  (not "Goblin")

and so on for his 20 (or whatever) viruses.

Opinions ?

Translations:

I am having my anti-virus package translated into several different
languages, including Norwegian, Finnish, French, German, Italian and
Spanish - in addition to English and Icelandic.  Portuguese and Turkish
versions have also been discussed.  If anybody is interested in the
production of a version for any other language, please contact me.

- -frisk

------------------------------

Date:    Wed, 10 Jul 91 11:18:00 -0400
From:    "Dr. Harold Joseph Highland, FICS"
Subject: re: Research

Hope this reaches you in response to your request on Virus-L.
Will forward to Ken van Wyk as well for inclusion in Virus-L.

[1] The mathematical paper in COMPUTERS & SECURITY was by Dr. Winfried
    Gleissner and appeared in Vol. 8, No. 1, pp 35-41 [February 1989].

[2] Dr. Klaus Brunnstein of U of Hamburg [Germany] presented an
    excellent paper on spread of virus [counts, new ones, mutations,
    etc.] at the Fourth Annual Computer Virus and Security Conference
    in NYCity in March 1991.  You should read this.

[3] Dr. Frederick Cohen also has some estimates of virus spread.

[4] What school are you at?  What is your address?

[5] If your school library does not have C&S I might be able to direct
    you to one near you that has.  Too bad you're not near NY.

HJH

 -----------------------------------------------------------------------
|                                                                       |
| Dr. Harold Joseph Highland, FICS                                      |
| Managing Director, COMPULIT Microcomputer Security Laboratory         |
| Distinguished Professor Emeritus of State University of New York      |
| Chairman, IFIP/WG11.8 on Information Security Education & Training    |
| Editor-in-Chief Emeritus of Computers & Security                      |
| 562 Croydon Road      Elmont, New York 11003-2814      USA            |
|                                                                       |
| Voice: +1 516 488 6868          Telex: +1 650 406 5012 [MCIUW]        |
| Electronic mail: Highland@dockmaster.ncsc.mil                         |
| X.400: C=US/A=MCI/S=Highland/D=ID=4065012       MCI Mail: 406 5012    |
|                                                                       |
 -----------------------------------------------------------------------

------------------------------

Date:    Wed, 10 Jul 91 17:41:00 +0300
From:    Y. Radai
Subject: Virus Bulletin Conference

This is a forward from Edward Wilding, editor of the Virus Bulletin:
- --------------------------------------------------------------------

The Virus Bulletin Conference takes place on September 12-13th 1991 at
the Hotel de France on the Channel Island of Jersey in the UK.
Speakers include Vesselin Bontchev, Ross Greenberg, Yisrael Radai, Jim
Bates, Jan Hruska, Steve White (IBM), Fridrik Skulason, John Norstad,
Ken van Wyk, David Ferbrache and Gene Spafford, plus presentations from
Digital, New Scotland Yard's Computer Crime Unit, and corporate
computer security specialists responsible for implementing real world
anti-virus measures worldwide.

Subjects include an introduction to MS-DOS viruses, the Bulgarian
'virus-factory', anti-virus tools and techniques, integrity checking
methods, disassembly and forensics, IBM's strategy, future programming
trends, Macintosh viruses, CERT, Unix, Digital's strategy, blackmail,
extortion and espionage through logic bombs, trojans and covert
channels and corrupt working practice.

Registration information is available from Miss Petra Duffield in the
UK.  Tel. +44 235 531889, Fax. 0235 559935.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 121]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
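Editor's addendum to this issue (not part of the original digest).  Two
messages above touch on self-checking executables: Jeff Boyd describes a
routine that stores a CRC inside the program and notes that such a
check can in principle be cracked, and Fridrik Skulason's "Self-testing"
paragraph explains why a self-test alone is a weak defence.  The Python
below is example code written for this page; it is not the routine from
Jeff's friend, nor F-PROT, nor any other program named in the digest.
It shows the attacker's side of the problem: CRC-32 is affine over
GF(2), so once a modified image has four bytes of slack anywhere, the
attacker sets up the 32x32 linear system "what do these four bytes
contribute to the CRC" and solves it, after which the program's own
self-check passes again.  The image layout (8-byte header, stored-CRC
slot at offset 8, 4 bytes of padding at offset 12) and the CRC-over-
image-with-slot-zeroed convention are assumptions made for the demo.

```python
"""Forging a CRC-32 self-check (example code added to this page; not the
self-check routine from Jeff Boyd's message nor any product in the
digest).  Image layout below is an assumption for the demonstration:
  offset 0..7   header
  offset 8..11  CRC the program stores inside itself (CRC_SLOT)
  offset 12..15 unused padding an attacker can overwrite (PAD_SLOT)
"""
import zlib

CRC_SLOT = 8    # assumed layout: where the stored CRC lives
PAD_SLOT = 12   # assumed layout: 4 bytes of slack inside the code area


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def build_program(code: bytes) -> bytes:
    """Build a self-checking image: the CRC is computed with the CRC slot
    zeroed and then written into the slot."""
    image = bytearray(b"HDR\0\0\0\0\0" + b"\0\0\0\0" + code)
    image[CRC_SLOT:CRC_SLOT + 4] = crc32(bytes(image)).to_bytes(4, "little")
    return bytes(image)


def self_check(image: bytes) -> bool:
    """What the program does at start-up: zero the slot, recompute, compare."""
    stored = int.from_bytes(image[CRC_SLOT:CRC_SLOT + 4], "little")
    tmp = bytearray(image)
    tmp[CRC_SLOT:CRC_SLOT + 4] = b"\0\0\0\0"
    return crc32(bytes(tmp)) == stored


def solve_gf2(cols, rhs):
    """Solve M*x = rhs over GF(2).  cols[j] is column j of the 32x32 matrix
    M as a 32-bit int; returns x as a 32-bit int (Gauss-Jordan elimination)."""
    n = 32
    rows = []
    for i in range(n):
        row = ((rhs >> i) & 1) << n            # bit 32 carries the right-hand side
        for j in range(n):
            row |= ((cols[j] >> i) & 1) << j
        rows.append(row)
    for j in range(n):
        piv = next((i for i in range(j, n) if (rows[i] >> j) & 1), None)
        if piv is None:
            raise ValueError("matrix is singular")
        rows[j], rows[piv] = rows[piv], rows[j]
        for i in range(n):
            if i != j and (rows[i] >> j) & 1:
                rows[i] ^= rows[j]
    return sum(((rows[j] >> n) & 1) << j for j in range(n))


def forge_patch(data: bytes, slot: int, target: int) -> bytes:
    """Return 4 bytes which, written at data[slot:slot+4], make
    crc32(data) == target.  CRC-32 satisfies crc(a ^ b) = crc(a) ^ crc(b)
    ^ crc(zeros), so the patch bytes act through a linear map M that we
    build one unit vector at a time and then invert."""
    base = bytearray(data)
    base[slot:slot + 4] = b"\0\0\0\0"
    zeros = bytes(len(data))
    crc_zeros = crc32(zeros)
    cols = []
    for j in range(32):
        unit = bytearray(zeros)
        unit[slot:slot + 4] = (1 << j).to_bytes(4, "little")
        cols.append(crc32(bytes(unit)) ^ crc_zeros)      # M applied to e_j
    x = solve_gf2(cols, target ^ crc32(bytes(base)))
    return x.to_bytes(4, "little")


def infect_and_repair(image: bytes, offset: int, value: int) -> bytes:
    """Attacker view: change one code byte, then choose the padding so the
    program's own self_check() still returns True."""
    tmp = bytearray(image)
    tmp[offset] = value                                    # the modification
    stored = int.from_bytes(tmp[CRC_SLOT:CRC_SLOT + 4], "little")
    tmp[CRC_SLOT:CRC_SLOT + 4] = b"\0\0\0\0"               # mirror self_check
    tmp[PAD_SLOT:PAD_SLOT + 4] = forge_patch(bytes(tmp), PAD_SLOT, stored)
    tmp[CRC_SLOT:CRC_SLOT + 4] = stored.to_bytes(4, "little")
    return bytes(tmp)


def demo():
    """Constructed image: 4 padding bytes, 40 NOPs, a marker string."""
    code = b"\0\0\0\0" + b"\x90" * 40 + b"HELLO"
    clean = build_program(code)
    tampered = bytearray(clean)
    tampered[20] = 0xCC                                     # naive change
    repaired = infect_and_repair(clean, 20, 0xCC)           # change + fix-up
    return (self_check(clean), self_check(bytes(tampered)),
            self_check(repaired), repaired[20])


if __name__ == "__main__":
    print(demo())
```

The run is immediate rather than hours: the cost is one 32x32
elimination over GF(2), independent of file size apart from a few CRC
passes.  The practical lesson matches Frisk's point: a self-test is a
supplement to an external integrity checker and a clean-boot scan, not
a substitute for them, and a cryptographic hash or keyed MAC should
replace the CRC wherever an attacker can edit the file.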
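Editor's addendum to this issue (not part of the original digest).
Fridrik Skulason's message above gives a 16-byte search-string for the
Mule variant of Jerusalem and describes Twin-351, a companion virus
that drops a hidden .COM beside each .EXE and hides it by intercepting
FindFirst/FindNext.  The Python below is example code written for this
page, not F-PROT, F-FCHK or any other product from the digest: a
minimal search-string scanner that runs the posted Mule pattern over
every file in a directory, plus the check a companion virus cannot
defeat on a clean-booted machine, namely listing every X.EXE that has an
X.COM next to it.  The sample directory it builds is constructed filler
(NOPs and the 16 posted bytes embedded in one file); it is not the
virus.  The hidden-attribute check uses st_file_attributes, which
Python exposes on Windows only; elsewhere it reports False.

```python
"""Search-string scanner and companion-file check (example code added to
this page; not F-PROT, F-FCHK or any other product named in the digest).
Sample files are constructed filler, not real infected programs."""
import os
import tempfile

# Search-string for Mule exactly as posted in the digest; bytes.fromhex()
# ignores the spaces between the 16-bit groups.
SIGNATURES = {"Mule": bytes.fromhex("2E8A 262F 0E3E 3027 43E2 FA59 585B 1FC3")}

FILE_ATTRIBUTE_HIDDEN = 0x2     # DOS/Windows attribute bit for "hidden"


def find_signatures(data: bytes, signatures=SIGNATURES):
    """Return (name, offset) for every occurrence of every search-string."""
    hits = []
    for name, pattern in signatures.items():
        off = data.find(pattern)
        while off != -1:
            hits.append((name, off))
            off = data.find(pattern, off + 1)
    return hits


def is_hidden(path: str) -> bool:
    """DOS 'hidden' attribute.  st_file_attributes exists only on Windows;
    on other platforms this returns False (assumption for portability)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def companion_pairs(directory: str):
    """A companion virus plants X.COM beside X.EXE because DOS runs the .COM
    first when the user types just 'X'.  Report every such pair, with the
    hidden flag of the .COM where the platform exposes it."""
    names = {n.upper(): n for n in os.listdir(directory)}
    pairs = []
    for upper, real in sorted(names.items()):
        if upper.endswith(".EXE"):
            com = upper[:-4] + ".COM"
            if com in names:
                com_path = os.path.join(directory, names[com])
                pairs.append((real, names[com], is_hidden(com_path)))
    return pairs


def scan_directory(directory: str, signatures=SIGNATURES):
    """Scan every regular file for search-strings, then look for companions.
    Findings are tuples: ("signature", file, name, offset) or
    ("companion", exe, com, hidden)."""
    findings = []
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        for name, off in find_signatures(data, signatures):
            findings.append(("signature", entry, name, off))
    for exe, com, hidden in companion_pairs(directory):
        findings.append(("companion", exe, com, hidden))
    return findings


def build_sample_dir() -> str:
    """Construct a throwaway directory of sample files (filler bytes only)."""
    directory = tempfile.mkdtemp(prefix="virusl_")
    samples = {
        "CLEAN.EXE":  b"MZ" + b"\x90" * 64,
        "INFECT.EXE": b"MZ" + b"\x90" * 40 + SIGNATURES["Mule"] + b"\x90" * 16,
        "HOST.EXE":   b"MZ" + b"\x90" * 64,
        "HOST.COM":   b"\xeb\xfe" + b"\0" * 30,    # companion beside HOST.EXE
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return directory


if __name__ == "__main__":
    for finding in scan_directory(build_sample_dir()):
        print(*finding)
```

Run it from a clean boot: as Frisk and Radai both note, a resident
stealth virus sits between the scanner and the disk, and Twin-351 in
particular filters the very directory calls os.listdir() ends up
making on DOS, so a scan taken while the virus is in memory proves
nothing.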