VIRUS-L Digest   Tuesday, 22 Jan 1991    Volume 4 : Issue 13

Today's Topics:

Stoned on a Hardcard (PC)
Re: Need help w/ CMOS problem in PS/2 Model 70 (PC)
Query - Disinfectant vs. Virex (Mac)
Re: Need OTS Virus package (UNIX)
Re: Disinfectant vs. Virex (Mac)
International Virus Infections (PC)
Stoned variants (PC)
Apathy and viral spread (general)
F-PROT 1.14 (PC)
Processor-specific viruses and other subjects (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    Fri, 18 Jan 91 14:15:12 -0700
From:    rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Subject: Stoned on a Hardcard (PC)

We're currently having a few skirmishes here with the stoned virus.  In
one instance we had stoned show up on a hardcard (and removed same).
Hadn't thought of hardcards being infectable before, but I suppose it's
no different from the flat round kind of hard disk.  Are there any
differences in viral behavior/detection/removal when a hardcard is
involved (as opposed to a hard disk)?

Richard Travsky                        Bitnet:   RTRAVSKY @ UWYO
Division of Information Technology     Internet: RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                  (307) 766 - 3663 / 3668

------------------------------

Date:    18 Jan 91 22:09:13 +0000
From:    bdh@uchicago.UCAR.EDU (Brian D. Howard)
Subject: Re: Need help w/ CMOS problem in PS/2 Model 70 (PC)

wright@cs.uiuc.edu (David Wright) writes:

>My apologies if this group is not appropriate, but I would like to
>solicit advice on a problem that may be a malicious attack:

>I am looking at a friend's PS/2 Model 70 that he reports has had
>problems including problems reading diskettes that appear to be fine
>in another machine (a laptop that I am keeping carefully isolated).

Hold it right there.  The PS/2 has a 'feature' in that it will ignore
how a diskette is formatted and will ignore the diskette hardware.  If
you format a 1.44M 3-1/2" (I assume you mean 3-1/2") to be 720K (i.e.
use it in your laptop that only has a 720K floppy?) and attempt to read
it in the PS/2, it will think it is formatted HD (1.44M) and give up.
Tape up the little square hole on the upper left hand side (no, not
that one under the slide) and try it again.

--
"Hire the young while they still know everything."

------------------------------

Date:    18 Jan 91 22:32:07 +0000
From:    francis@cis.ohio-state.edu (RD Francis)
Subject: Query - Disinfectant vs. Virex (Mac)

Virex 1.3 is rather old, and probably won't catch any virus except
those older than WDEF, at least (discovered in late 1989).  Virex is
updateable from the company, for a fee; I believe that 2.0 was released
in 1989, though my memory may be playing tricks on me there.

As far as I know, from the standpoint of reliability, both products are
completely reliable.  The only differences visible to the user are
minor cosmetic differences in implementing the interface, the
commercial vs. PD issue, and the cost.  By commercial vs. PD, I mean to
mention that some people would prefer to use a commercial product that
they have to pay to get upgrades for because that product's creators
are more motivated to keep the program up-to-date, and less likely to
drop support.
Personally, I recommend Disinfectant; John Norstad's done a great job,
his updates are usually the first I hear of the existence of a new Mac
virus, and his support for the product has been wonderful.

------------------------------

Date:    18 Jan 91 22:38:14 +0000
From:    limes@Eng.Sun.COM (Greg Limes)
Subject: Re: Need OTS Virus package (UNIX)

ssdc!jbasara@uunet.UU.NET (jim basara) writes:

|> I would like to request recommendations for off-the-shelf packages
|> which will prevent/isolate/monitor/etc. viruses on a Sun workstation
|> under unix.

Occasionally, I see people asking about such things on this list and
elsewhere, and I am underwhelmed by the amount of information that
therefore appears on the net.

Has anyone ever actually SEEN a "virus" on a UNIX box?  And, don't tell
me about worms, that's a different matter ... I am specifically looking
for information about programs that propagate by modifying other
programs.

My background as an operating systems programmer at Sun leads me to
believe that such virii would be more difficult and less rewarding for
Joe Virus-Writer to create, and easier to protect against using
mechanisms available in the system, but it might be nice if I could
have some backing information that I could give when people ask me
about such things ...

--
Greg Limes    #include   #include

------------------------------

Date:    19 Jan 91 05:31:38 +0000
From:    kddlab!lkbreth.foretune.co.jp!trebor@uunet.UU.NET (Robert Trebor Woodhead)
Subject: Re: Disinfectant vs. Virex (Mac)

First of all, you should ALWAYS GET THE CURRENT VERSION of any
Antiviral utility.  Using old versions is a ticket to disaster as it
lends a false sense of security.  Given the easy availability
(Disinfectant is everywhere; and you can order an upgrade of your
current VIREX by calling 1-800-877-CURE) there is no excuse not to be
current.

The current versions of VIREX and Disinfectant find and remove all
currently known Mac Viruses.  Both have powerful INITs.
Starting with V3.0, the VIREX INIT became significantly more powerful.
The INIT now has repair capabilities (in fact, the only reason to use
the Application is if weird things start to happen and you want the
App's better reporting.)

All the antivirals do a fine job of the basic function of virus
detection and repair; where they are differentiated is in
bells&whistles, nice user interfaces, and support.  When you go with a
commercial product like, oh to pick one at random, VIREX (available at
finer computer stores, as well as a lot of disreputable ones...) you
are paying for handholding; there's going to be someone on the other
end of the phone line for you to call when the going gets weird.

Disclaimer : I wrote the Virex Application.

--
+--------------------------------------------------------------------------+
| Robert J. Woodhead, Biar Games / AnimEigo, Incs.   trebor@foretune.co.jp |
| "The Force. It surrounds us; It enfolds us; It gets us dates on Saturday |
|  Nights."  -- Obi Wan Kenobi, Famous Jedi Knight and Party Animal.       |

------------------------------

Date:    20 Jan 91 19:23:37 +0100
From:    clear@cavebbs.gen.nz
Subject: International Virus Infections (PC)

One of my BBS users (David Clarke) reported an interesting virus attack
on board the cruise liner Royal Viking, in Wellington on Sat 19
January.  He was called to the ship to diagnose some problems they had
been having with the hardware.

The JOSHI virus was discovered on two PS/2 55's running MS-DOS 4.01.
The KEYPRESS virus was found lurking on a Toshiba portable running
MS-DOS 3.3 on a 20MB HD.

David writes, "Joshi infected three of my diskettes while I was hunting
for the problem, I've learned my lesson, keep all diskettes write
protected!"

As mentioned, the callout was to diagnose hardware problems.  What made
it harder to pin down as viruses was neither of these viruses being
seen in New Zealand before (as far as I know).
It is interesting to note he had downloaded SCAN and CLEAN from The
Cave, as the computer press and newspapers over here are continually
lambasting bulletin boards as a primary source of infection.  It's a
good thing some people know better...

--
--------------------------------------------------------------------------
Charlie "The Bear" Lear | clear@cavebbs.gen.nz | Kawasaki Z750GT DoD#0221
The Cave MegaBBS +64 4 643429 V32 | PO Box 2009, Wellington, New Zealand
--------------------------------------------------------------------------

------------------------------

Date:    Sun, 20 Jan 91 17:52:17 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Stoned variants (PC)

timt@ashtate.A-T.COM (Tim Trimble) writes:

> the stone virus not being in the states yet can be considered false.

The original posting referred to the fact that the *Stoned-II* virus
had not been seen in the United States.  There have, in fact, been two
*major* variants of Stoned, with *minor* variations of each.  The
Hoffman list describes a total of six variants altogether, and as those
familiar with virus research will attest, this is probably very
conservative.

------------------------------

Date:    Sun, 20 Jan 91 18:07:13 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Apathy and viral spread (general)

Recently, Stratford Software has started a new online information
service called SUZY.  (The service is active in Canada, and is in beta
testing for users in the United States.)  I manage the data
security/anti-viral topic area (referred to as an "Information
Network", or "IN") called INtegrity.

Any SUZY user can look at the information in the INs, but, as they
"leave" the area, they are asked if they want to "join".  This simply
puts them on a mailing list that can be used to send announcements to
the "members" of an IN.  If they want to "join", they hit ENTER, if
not, they hit .

Well, as of today, the number of SUZY users who have joined INtegrity
stands at 170.
Some others may have dropped in and looked around, but deliberately
left themselves off the list when they left the IN.

The number of accounts on SUZY currently stands at about 6000.
However, research I have done indicates that less than 15% actually use
the system more than once a month.  Interestingly, this figure has
remained unchanged since SUZY was released.  That means that less than
900 accounts are "active".

What does this mean to you, and to data security?  It means that less
than 3% of all, and 20% of *active* SUZY users care enough about data
security to join the anti-virus IN.

This is the *real* reason that computer viri are so widespread today:
people do not realize the danger.  Those of you who have studied viral
characteristics, and virus protection and functions, will realize how
easy it is to protect yourselves against most viri.  But if the
majority of users think they are safe, and do not take *any*
precautions, then viri have a fertile breeding ground to grow and
spread in.

As my wife says, it shows not only how few people understand
technology, but how few even understand the concepts of public health.
------------------------------

Date:    Mon, 21 Jan 91 09:47:48 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: F-PROT 1.14 (PC)

Changes to F-PROT

Version 1.14 added the following features:

Detection, but not removal of

    Anthrax
    Crazy Eddie
    V2P6

The reason V2P6 is not removed is because of the complexity of the
various encryption methods - If you ever get infected by the virus, I
suggest you contact its author:

    Mark Washburn
    4656 Polk Street NE
    Coloumbia Heights, MN 55421
    USA

Detection and removal of the following viruses:

    217
    417
    440
    492
    516
    600
    696
    699 (erroneously called "711" elsewhere)
    707
    948
    1049
    1067
    1075
    1226
    1600
    2144
    2480
    Agiplan
    Alabama-B
    Amstrad-852
    AntiPascal
    AntiPascal 2
    Attention
    Bebe
    Best Wishes
    Black Monday
    Burger-537
    Carioca
    Christmas in Japan
    Cookie
    Datalock
    Destructor
    DIR
    Doteater
    Evil
    Father Christmas (Choinka)
    Groen Links
    Guppy
    Hymn
    Internal
    Invader
    Jerusalem-G
    Joker
    Joker-01
    Kemerovo
    Leprosy-B
    Liberty II
    Lozinsky
    MG
    MG-3
    MGTU
    MLTI
    Monxla/Time
    Musicbug
    Nina
    Nomenklatura
    Parity
    Phoenix
    Piter
    Plastique (4 new variants)
    Polimer
    Proud
    Saddam
    Scott's Valley
    Stone `90 (T@V) - a variant of Vienna
    Superhack (Scottish Murphy)
    SVC
    Sverdlov
    Tiny-family (11 different variants)
    Turbo-448
    Turbo Kukac
    Turku (Twins)
    V2P2
    VFSI (Happy)
    Vienna (several new variants)
    Violator
    Virdem-792
    Voronezh
    Westwood
    Wisconsin
    Zero Hunt (Minnow)

F-FCHK now does a much better job of identifying minor variants of
viruses, in particular those cases where the differences are
insignificant and do not matter with regard to disinfection.  As an
example, it will now identify the minor Jerusalem-variants (Payday,
Mendoza, A-204, Puerto, Sunday, Anarkia, Westwood, B, C, G, GrLkDos
etc.) correctly, instead of just labeling them "Jerusalem".

The /LIST switch added to F-FCHK, to produce a report with a list of
files scanned, and results.

The /MULTI switch added to F-FCHK and F-DISINF to scan multiple
diskettes.
The switches may be combined with other switches - for example you can
use

    F-DISINF A: /MULTI /AUTO

if you have a large pile of infected diskettes or

    F-FCHK C: /AUTO /LIST > report.lis

to scan and disinfect drive C: and produce a report.

The following bugs/problems have been fixed:

The identification string for "Zero Bug" has been changed as it
produced a false positive in LB.COM from Lahey and several other
programs.

F-FCHK now reports the correct number of files disinfected, when files
are infected with multiple viruses.

Occasional (but very rare) crashes of F-XLOCK and F-FCHK if F-LOCK was
not installed.

Problems when removing "Stoned" from a hard disk formatted under some
DOS versions earlier than 3.0.

Occasional incorrect removal of Alabama.

The following problem-fixes and changes are expected in version 1.15:

Detection of Whale is not fully reliable, as I do not yet have samples
of all the different mutations of the virus.  This is not a serious
problem, as the virus is not known to exist "in the wild", but I am
working on this.

F-DRIVER.SYS seems to be disabled on some machines running PC-NFS.
This was only discovered yesterday, and I am searching for a way to
solve this.

Automatic scanning of boot sectors will be added in 1.15.

------------------------------

Date:    Mon, 21 Jan 91 10:11:46 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Processor-specific viruses and other subjects (PC)

Processor-specific viruses

When the first viruses appeared, some of them were discovered to work
only on 8088/8086 but not on '286 or '386 computers.  The best example
of this are two early boot-sector viruses:

Ping-Pong (Italian, Bouncing Ball) - the standard version uses the
MOV CS,AX instruction which only exists on 8088 and 8086.

Alameda (Yale) - The first version used the POP CS instruction, for the
same purpose - which also generates an "invalid instruction" interrupt
on later processors.
The reason for this was assumed to be that the authors of the viruses
only had access to an 8088/8086 computer.

Now we have a different, but equally interesting situation.  One of the
recent viruses from Eastern Europe fails to execute on the 8088 and
8086 processors, but works perfectly on a '386.  The reason is its use
of the PUSH IMMEDIATE instruction (hex opcode 68), which did not exist
on the 8088/86.  The author of this otherwise non-remarkable 492 byte
virus can therefore safely be assumed to have access to a more powerful
computer than the virus writers two years ago... :-)

Translations wanted....

From the Bebe virus comes this text - what does it mean - and what
language is this?

    VIRUS! Skagi "bebe" Fig Tebe !

The MLTI virus contains this text - clearly a reference to the "Eddie"
virus, but what does "RED DIAVOLYATA" mean?  (I want to emphasize that
"Dark Avenger" is the name of the author of the "Eddie" virus - not the
name of the virus itself.)

    Eddie die somewhere in time!
    This programm was written in the city of Prostokwashino
    (C) 1990 RED DIAVOLYATA
    Hello! MLTI!

From the POLIMER comes this text - is this Polish?  And what does it
mean?

    A le'jobb kazetta a POLIMER kazetta ! Vegye ezt !

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 13]
*****************************************