VIRUS-L Digest   Thursday, 25 Jul 1991    Volume 4 : Issue 130

Today's Topics:

Re: Inaccuracies in Press on Viruses
Re: DOS virus attack (PC)
Ralf Burger (again)
re: virus for sale
F-PROT & DOS 5.0 (PC)
Re: F-PROT configuration question (PC)
Re: Anti-Virus software recommendation sought
Re: CARMEL TntVirus, A Trojan suspect. (PC)
Need prg to write-prot HD partition. (PC)
Re: New Devil's Dance? (PC)
Index of Known Malware: 998 viruses/trojans
Revised Product Test- - Virex (Mac)
Revision to the Revised Product Test on SAM (Mac)
Revision to PT-9, Disinfectant 2.5.1 (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    23 Jul 91 22:49:04 -0400
From:    "Robert McClenon" <76476.337@CompuServe.COM>
Subject: Re: Inaccuracies in Press on Viruses

>From: Helena M Vonville
>
>Robert McClennon wrote on the Washington Post article which discussed
>the possibility of a virus in the telephone software.  He was
>disturbed (and rightly so) that the press does not use the jargon
>correctly when describing such problems.

[The correct spelling is either McClenon in the last four generations
or MacLennan.  -- R. McC.]

>
>Fortunately (or maybe not so fortunately since we are dealing with a
>certain amount of potential incompetence) the problem was not virus,
>trojan, or worm related.  It was just bad programming.  The story was
>updated on NPR late last week, I believe.
>Helena VonVille
>Ohio State University
>------------------------------
>
>Date: Mon, 22 Jul 91 15:00:17 +0000
>From: jba@gorm.ruc.dk (Jan B. Andersen)
>Subject: Re: Inaccuracies in Press on Viruses
>
>76476.337@CompuServe.COM (Robert McClenon) writes:

[Thank you.  That spelling is correct.  -- R. Mc.C]

>
>>[from] The Washington Post, [...]
>>>Phone system experts have suggested that a virus might explain
>>>why the failures have been occurring within days of each other
>>>and at the same time of day.
>
>>It was possible as of the date of this article (but unlikely) that
>>the phone system failures were caused by a time bomb, but if so, it
>>was planted as a Trojan
>
>Not if we're talking of the same incident.  The company that develops
>the software in the switches has admitted the bug was introduced as
>part of an upgrade.  But, because it was such a minor upgrade, the
>software had not been tested as rigorously as it should have been.  See
>comp.risk (or was it comp.dcom.telecom) for more details.
>
>------------------------------

1.  My real concern was not incorrect use of "jargon" terminology so
much as incorrect characterization of the degree of public threat.
Viruses and worms, which do spread, do not spread to isolated systems
like telephone switches.  To suggest that they do is a disservice to
the public, who are likely to panic unnecessarily.

2.  We know now that the problem was not a time bomb.  I suggested
that I did not think that the problem was a time bomb.  The conclusion
that the problem was a simple bug (which I had always suspected and
had indeed posted to comp.risk) was published later than the date of
my quoted note.

3.  I was admonished off-line by a journalism student for making
unreasonable demands of journalists with a minimal number of
column-inches.  I do not demand that journalists define precise
technical terminology unless it is essential to technical
understanding.  The distinction between viruses and worms is not as
important in this context as the distinction between replicators and
non-replicators.  Bell Atlantic may have been vulnerable to Trojan
horses, time bombs, or logic bombs.  Bugs got them.  The press
suggested that there was a real risk from viruses, commonly understood
to mean replicators including viruses and worms.  I don't ask full
explanations from the press.  I do ask the absence of harmful error.
The _Washington_Post_ article contained harmful error.

------------------------------

Date:    Wed, 24 Jul 91 15:20:00 +1200
From:    "Nick FitzGerald"
Subject: Re: DOS virus attack (PC)

Ed Wright wrote:

>A virus has appeared in Detroit for DOS.  The virus changes files to
>hidden type and adds characters to file names.
>
>The standard DOS scan programs are not effective for this virus.
>
>First infection was found on July 20, original infection occurred
>within the previous 3 days.

Thanks - what great information!  I feel a lot better knowing this.  8-)

Is this _all_ that is known?  Why are you so sure it's a "virus"?  Are
you sure that you're not seeing the "aftermath" of someone having run
Norton Anti-virus on your machine?

Sorry - but with the "wealth of detail" you supplied, skeptics are
likely to wonder such things.

- ---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz        Phone: (64)(3) 642-337

------------------------------

Date:    Wed, 24 Jul 91 07:50:19 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Ralf Burger (again)

The new and updated How-to-write-a-virus book by Ralf Burger has just
been published - called "Computer Viruses and Data Security".
According to the publishers, the book contains the source code to
several viruses, so we can probably expect a new flood of variants
based on the published examples.

I'm not sure what the best response would be - a call for a boycott of
all books by Abacus might be a bit too drastic...but I sure don't
approve of their actions...

- -frisk

------------------------------

Date:    Tue, 23 Jul 91 22:24:49 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: re: virus for sale

On a related note, by coincidence I happened to receive this message
tonight:

== E-Mail > Fetch > Echlin, Robert =======================================
Subject: virus files

Hi,

I am a consultant.  I intend to provide training and installation of
Central Point Anti-Virus.  I would like to demonstrate detection and
cleaning of a virus.  Could you send me a file with a virus in it that
I could copy and use in such a demonstration?  If the first couple of
bytes of the file are changed to zeroes, it could not be run and the
virus could not be "transmitted".

Yours sincerely,
Robert Echlin

== E-Mail > Out-Box > Echlin, Robert =====================================
Subject: virus files

1)  Why do you intend to specialize in CPAV?

2)  I do exchange viral code with other researchers, but I need some
more background on who you are.  Most of those I exchange with are
people whose work and writings I know, and whom I have corresponded
with for at least six months.

3)  Your request does not indicate a sophisticated knowledge of the
field.  If this is incorrect, please feel free to expand upon it, but
you must realize that I receive a number of requests of this nature
from those to whom I should *not* send such files.

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca | computer, don't
Research into  (SUZY) INtegrity         | turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security

------------------------------

Date:    Wed, 24 Jul 91 08:27:48 -0400
From:    Lou Anschuetz
Subject: F-PROT & DOS 5.0 (PC)

Installed DOS 5.0 on my machine last night (which works well imho), but
ran into a problem with F-PROT.  If I attempted to leave the F-PROT
driver.sys in my config.sys file the machine would freeze and complain
that INT13 was modified (undoubtedly true).  Has anyone found a
work-around for this?

Thanks in advance!

Lou Anschuetz
temngt23@ysu.edu

------------------------------

Date:    Wed, 24 Jul 91 22:11:02 +0000
From:    comb@sol.acs.unt.edu (Eric N. Lipscomb)
Subject: Re: F-PROT configuration question (PC)

>     We are currently in the process of obtaining F-PROT for our 100 PCs
>in the Business Computer Lab at The University of Alabama.  We are
>also using the Novell 3.1 NetWare.  Our workstation's C drives are
>write-protected, so our users can only infect the memory, their own
>floppies, and the D drive which is used as a temporary drive.  We do
>however have a couple of workstations for the use of the consultants
>in which the hard drives are not write-protected.  My question - Do we
>need to use the F-DRIVER.SYS?  The only people who can infect the
>network are those who have access to places on the server other than
>their own personal directory.  These are only the consultants, and we
>are aware about scanning anything before we download or use a floppy.
>Any comments would be appreciated.

We have a similar situation here at UNT.  In my main lab, I have 15 PCs
that are networked, but only have 2 floppies.  It is true that my users
can "only infect the memory" on these stations, but I *still* don't
want even that to happen.  So, we've installed F-DRIVER.SYS and F-NET
to prevent the users from running any program that might be infected.
This is also a good way for me to keep tabs on the software on the
network.
If a student is suddenly unable to run a program from the network
because F-DRIVER has prevented it, I need to take a more careful look
into the rights setup on my network to see who infected the programs
and how.

Protection is not a bad thing.  Using F-DRIVER is so simple and
painless, it makes almost no sense *not* to use it.  If nothing else,
it can act as a good advanced warning system for your network.

}lips

Eric N. Lipscomb, Lab/Network Manager     Email: comb@sol.acs.unt.edu
Academic Computing Services                      lips@vaxb.acs.unt.edu
"Golf is something you do to make the rest of your life look good."

------------------------------

Date:    Wed, 24 Jul 91 22:17:05 +0000
From:    act@softserver.canberra.edu.au (Andrew Turner)
Subject: Re: Anti-Virus software recommendation sought

D.Ivens@deakin.OZ.AU (David Ivens) writes:

>We are considering purchasing a site licence for Virus Buster from
>Leprechaun Software.
>It looks a very good package.

As with all the Anti-viral packages it has its pros and cons - while
not wishing to say it's any better or worse than others (It pays to sit
on the fence) I have found it a very good product.  We use it widely
across campus for staff and in student laboratories.  Additionally the
Leprechaun folks are very responsive to user input and a number of
Buster's features have come from user requests.

Buy a copy and give it a whirl.

- --
Andrew Turner                    act@csc.canberra.edu.au
Die, v: To stop sinning suddenly.  -- Elbert Hubbard

------------------------------

Date:    25 Jul 91 07:30:00 +0200
From:    infocenter@yogi.vmsmail.unibas.ch
Subject: Re: CARMEL TntVirus, A Trojan suspect. (PC)

cssr@hippo.ru.ac.za ( Mr S. Rahim ) writes:

> I got hold of Carmel Antivirus package through a bulletin board.  After
> having installed it on the harddisk two weeks ago, I began to have
> problems.  This included EXE and COM files which were working before
> Carmel came on the PC.  Some files hang up while others refuse to run.
>
> When TntVirus is activated, I performed a scan of the memory with
> McAffee Scan V80, and it reported that P1 Related virus was active in
> memory.  Another file relating to the package when run, SCAN revealed
> that Brain was active in memory.
>
> The possibilities which arose with the identification by Scan were
> that either Carmel software was using signatures to be resident in
> memory which were the same as those viruses.  I tried to infect a COM
> and EXE file but there was no increase in file size nor the date of
> modification.  However during this process a directorying of the root
> directory revealed that an AUTOEXEC.$$$ file had been created in the
> past few minutes.  I deleted that file but it appeared back again.
>
> I am leaving this question open for discussion.  Is this a work of a
> trojan?

I know a lot of people using TNT AntiVirus (me included) since about
half a year and there was so far no sign for such a Trojan.

Two questions arise from your problem:

1. What version do you use?  The current is I think about 7.1.

2. Are you sure you got a clean copy?  TNT AV is a commercial product,
   where you have to pay for normally.  How reliable is your bulletin
   board you got it, when it "distributes" commercial software ??????????

bye
....................................................................
Didi

******************************************************************************
*           Universitas Basiliensis              InfoCenter                  *
******************************************************************************

------------------------------

Date:    25 Jul 91 06:23:57 +0000
From:    medici@elbereth.rutgers.edu (Mark Medici)
Subject: Need prg to write-prot HD partition. (PC)

Pardon the wide distribution, but I am in sort of a bad situation, and
need a specific piece of software to help me out.
I am in desperate need of a reasonably priced utility that can
completely and securely write protect a directory branch or logical
partition on a PC hard disk while allowing unimpeded read access to
the protected branch/partition AND full read/write access to the
remaining branch(es) or partition(s).

The problem is simple: I've got 22 computers to put in four public
student computer sites.  These computers will not have reliable access
to a file server, so software will have to be loaded on the local
fixed disk of each system.  I can't afford the staff or my own time to
constantly clean viruses, reload software, and reconfigure
applications on these computers.  So I'd like to set up part of each
computer's 40MB disk as a write protected partition.

The ideal utility would:

1.  Allow full read/write access to the 10MB boot C: partition of a
    40MB fixed drive for swap space and temporary user storage.

2.  Permit read-only access to the 30MB D: partition of the 40MB fixed
    drive for protected storage of supported programs.

3.  Not be defeated by a user booting from his/her own diskette (D:
    would either still be read-only or be inaccessible.)

4.  Be completely transparent to the user (no extra prompts or pauses
    during system start-up or reboot).

5.  Be compatible with MS-DOS 5.0, MS-Windows 3.0, and applications
    designed for a MS-DOS/Windows environment.

6.  Provide a separate utility that, when used with a valid password,
    provides write access to the normally protected D: partition.

7.  Utility in #6 should allow the definition of more than one password
    and should keep a log of accesses for each system, so that
    different levels of maintenance staff could have access.

8.  Be reasonably priced.  I have a limited budget, and can't afford to
    pay $200 per machine for this.

Of course I need to get the program, if it's available, as soon as
possible so I can learn it, install it on the 22 machines, and get the
machines put out at the sites by Sept 1st.

If you know of any utility, be it public domain, shareware or standard
commercial, that might fill many of these needs, please let me know.
If you have written similar software and feel you could quickly and
successfully write a program to accomplish the above, I would be happy
to talk to you.

Please E-Mail your replies to me at medici@elbereth.rutgers.edu, or
call me at 908-932-2412.  I will summarize here if there is sufficient
interest.

___________________________________________________________________________
Mark A. Medici, Systems Programmer III
Rutgers Univ. Computing Services, USD

------------------------------

Date:    Thu, 25 Jul 91 00:26:36 +0300
From:    Tapio Keihänen
Subject: Re: New Devil's Dance? (PC)

>Does anyone have any hard evidence about the message displayed upon an
>attempted soft reboot when devil's dance is resident?  I've been
>experimenting here with a version that has a different message (and
>seemingly different actions) than those I've read about elsewhere.

At least the variant of Devil's Dance I have displays this message:

"Have you ever danced with the devil under the weak light of the moon?"
"Pray for your disk!"
"The_Joker..."
"ha ha ha ha ha ha ha"   (maybe some more / less 'ha's - I'm not 100% sure)

All this is on grey background made of those ascii graphic characters
(ascii code 178).

Tapio Keihänen | tapio@nic.funet.fi | DIO COMES - ARE YOU READY TO ROCK?
Disclaimer: This posting has nothing to do with nic.funet.fi archive server.

------------------------------

Date:    24 Jul 91 12:39:00 +0100
From:    Klaus Brunnstein
Subject: Index of Known Malware: 998 viruses/trojans

After weeks of work and excellent assistance of David Chess, Yisrael
Radai, Alan Solomon, Padgett Peterson and some others, I just
published the "Index of Known Malicious Software: MsDos systems".  It
covers most of the viruses and trojans reported in this arena (similar
indices for Amiga and Macintosh to follow later this year).
When summing up, I was deeply depressed: the index counts:

   120 virus families ("strains") with 59 more sub-families
       with 744 viruses, variants and clones plus 7 trojans, and
   228 single (non-strain) viruses plus 19 trojans

       *** totalling 998 pieces of malware ***

Though some people (including Alan Solomon) foresaw 1,000 viruses later
this year, the rise in figures has been underestimated.  As this
development is likely to continue, antivirus experts should cooperate
even more strongly than contemporarily discussed.

At the same time, the July edition of VTCs Computer Virus Catalog
describes

   + 8 AMIGA viruses            totalling 54 viruses
   +10 Macintosh viruses        totalling 20 (out of 28 existing)
   +14 PC viruses/trojans       totalling 84

The disparity between "virus known" and "viruses classified" (with the
aim to maintain a good quality over quantity of classification)
demands other tools and methods for analysis, classification and
production of countermeasures.  We are working harder to a more actual
version of Virus Catalog; I am glad that Mr.Jahn joined VTC (for a
doctor work on secure databanks), and that Vesselin Bonchev will join
us next week for a (not yet specified) dissertation.  Moreover, I
appreciate any cooperation with serious antivirus experts.

VTC documents (Index of Known Malicious Software: IMSDOS.791; Index of
Virus Catalog: Index.791; all entries classified up to now) are now
available from FTP:

   Our FTP server:  ftp.rz.informatik.uni-hamburg.de
   Login anonymous
   ID as you wish (preferably your name)
   dir:  directory of available information
   cd pub/virus:  VTCs documents

Hoping that this works, I will be absent (with Auto-Reply on) on a
sailing trip (with my schooner "Arethusa" which is a small replica of
BLUENOSE but with staysails) until August 18, 1991.

Klaus Brunnstein, Hamburg

------------------------------

Date:    Thu, 18 Jul 91 15:06:43 -0600
From:    Chris McDonald ASQNC-TWS-R-SO
Subject: Revised Product Test- - Virex (Mac)

******************************************************************************
                                                                 PT-10
                                                                 March 1990
                                                                 Revised July 1991
******************************************************************************

1.  Product Description:  VIREX is a commercial program which includes
virus detection, virus treatment, and virus prevention.  The program
also identifies "major" Macintosh trojan horses.  The current version
is 3.5 as of July 1991.

2.  Product Acquisition:  The product is available from Microcom, P.O.
Box 51489, Durham, NC 27717.  There are also several mail order
software firms which market VIREX, generally at substantial savings
for a single copy.  Site licensing arrangements are available from the
vendor.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst,
Information Systems Command, White Sands Missile Range, NM 88002-5506,
DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or
cmcdonald@wsmr-simtel20.army.mil.

4.  Product Test:

a.  I obtained a copy of VIREX from MacWarehouse in July 1989.  The
purchase price at that time was about 30% below the manufacturer's
suggested retail quote.  The registration form received with the
software gave one two options to obtain any future upgrades to the
product.  The first option was a $75.00 Annual Update Service.  For
this fee Microcom (then known as HJC Software) would provide automatic
updates for a year.  The second option was to purchase single updates
for $15.00 upon notification of any VIREX new release.  I chose the
second option given that VIREX at version 2.0 identified and repaired
all known Macintosh viruses as of that time.  I wanted to build some
historical knowledge as to the frequency with which updates might
occur before committing myself to the automatic annual fee.  I have
subsequently purchased upgrades at the 2.1, 2.5, 3.0, 3.2 and now 3.5
version.
[Ed. The remainder of this review, and numerous other anti-virus
product reviews, is available by anonymous FTP on cert.sei.cmu.edu (IP
number= 192.88.209.5) in the pub/virus-l/docs/reviews directory.]

------------------------------

Date:    Fri, 19 Jul 91 15:50:34 -0600
From:    Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to the Revised Product Test on SAM (Mac)

******************************************************************************
                                                                 PT-20
                                                                 November 1990
                                                                 Revised July 1991
******************************************************************************

1.  Product Description:  Symantec AntiVirus for Macintosh (MAC) is a
commercial software program for the prevention, detection, and
elimination of viruses for the Macintosh.

2.  Product Acquisition:  SAM is available from Symantec Corporation,
10201 Torre Avenue, Cupertino, CA 95014-2132 for $99.95.  However,
there are several mail order services which offer a single copy of the
product at a reduced cost.  Symantec's telephone number is
408-253-9600.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst,
Information Systems Command, White Sands Missile Range, NM 88002-5506,
DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or
cmcdonald@wsmr-simtel20.army.mil; and Robert Thum, Systems
Administrator, Information Systems Command, White Sands Missile Range,
NM 88002-5506, DSN: 258-7739, DDN: rthum@simtel20.army.mil.

4.  Product Test:

a.  I obtained a copy of SAM, Version 2.0, in October 1990 from
MacWarehouse in Lakewood, NJ for $67.00.  I have previously purchased
software from this source with satisfactory results.  I upgraded to
version 3.0 for $25.00 in March 1991 directly from Symantec.

[Ed. Again, the remainder of this review can be downloaded by
anonymous FTP from cert.sei.cmu.edu]

------------------------------

Date:    Tue, 16 Jul 91 11:58:05 -0600
From:    Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to PT-9, Disinfectant 2.5.1 (Mac)

******************************************************************************
                                                                 PT-9
                                                                 January 1990
                                                                 Revised July 1991
******************************************************************************

1.  Product Description:  DISINFECTANT is a public domain program to
detect and to repair virus activity for Macintosh systems.  The author
is Dr. John Norstad, Academic Computing and Network Services,
Northwestern University, 2129 Sheridan Road, Evanston, IL 60208.  Dr.
Norstad's BITNET address is jln@nuacc; the INTERNET address is
jln@acns.nwu.edu.

2.  Product Acquisition:  DISINFECTANT is available on several
university and public bulletin boards.  It resides in the MS-DOS
repository on the Information Systems Command host simtel20
[192.88.110.20] at White Sands Missile Range: pd3:.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst,
Information Systems Command, White Sands Missile Range, NM 88002-5506,
DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or
cmcdonald@wsmr-simtel20.army.mil.

4.  Product Test:

a.  I obtained a copy of DISINFECTANT, Version 1.5, in January 1990
from the Macintosh repository on the USAISC-White Sands host simtel20.
The repository has been registered with HQ ISC, and has been approved
for operation by the Commander, USAISC-White Sands, under the policy
of AR 380-19.  I have continued to receive updates with the most
recent version 2.5.1, 7 July 1991.

[Ed. Again, the remainder of this review can be downloaded by
anonymous FTP from cert.sei.cmu.edu]

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 130]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253