VIRUS-L Digest Thursday, 15 Aug 1991 Volume 4 : Issue 141 Today's Topics: re: infected files with nonstandard extension (PC) Re: New Anti-Virus Consortium Announced SAM Exceptions crashes my Mac (Mac) WANTED: Master Index of IBM-PC Viruses (PC) Viruses in Weapons Systems Bus Error, Teenager Abuse (Mac) re: Virus Implants in DoD Weapons 8 tunes virus DOS memory mangement (PC) NetWare boot process (PC) Revised Product Test - - Virucide, Version 2.24 Product Test - - TbScan VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 12 Aug 91 16:40:15 -0400 >From: "David.M.Chess" Subject: re: infected files with nonstandard extension (PC) >From: warren@worlds.COM (Warren Burstein) > ... >How common is this? Should a virus scanner scan all files regardless >of extension against the chance that they might be executed by some >other program? We advise users of the IBM Virus Scanning Program to use the -a option during cleanup; that says to scan all files. (We also advise the use of -g, which says to report all signatures everywhere, boot signatures in files, EXE signatures in COM-format files, and so on; during cleanup.) In general, unless you have a very critical system, I think this is the right balance. If you have an active infection, it's going to infect *some* *.EXE or *.COM file (or one of the other extensions we scan for by default), and then you'll know that you should scan everything else, too. DC ------------------------------ Date: Mon, 12 Aug 91 20:36:16 >From: c-rossgr@ingate.microsoft.COM Subject: Re: New Anti-Virus Consortium Announced >From: "Rich Travsky (307) 766-3663/3668" > >The August 5th Network World has an article on a new consortium: The >AntiVirus Product Developers Consortium (AVPD)..... > Members currently are: >Central Point Software, Certus International, Symantec/Peter Norton, >and XTree Co. Membership is open to all other vendors. There was a meeting held very recently of a so-called "steering committee". I believe the members of the steering committee include Central Point, Certus, McAfee, Microcom and Symantec. >AVPD will rely on a virus database operated and maintained by the NCSA. >This database currently has about 900 viruses. I would be interested in finding out what viruses they have. The best I can consider is that they are counting COM's and EXE's as different viruses and counting minor varients of viruses as new/different ones, two. Ross ------------------------------ Date: 13 Aug 91 16:15:48 +1100 >From: ndg503@csc1.anu.edu.au (Nick Guoth) Subject: SAM Exceptions crashes my Mac (Mac) Hi, We have just received our update to SAM 3.0.1 and have found a problem. If we try to look at the 'exceptions' in the SAM Intercept then the Macintosh crashes. Also, we have another copy on a IIsi, and because of this crash (IMO), it continues to ask por permission to allow the Moire cdev on startup - i.e. it ignores the Learn button. This does not happen on the other Macs. Someone mentioned that there is now a version upgrade of 3.0.3. Is this true? Any help would be greatly appreciated. Please e-mail to me on either of the addresses below. /-----------------------------------------------------------------\ nick guoth ndg503@csc.anu.edu.au or Nick.Guoth@anu.edu.au Research School of Chemistry Computing Unit Australian National University Canberra, AUSTRALIA "Happiness is a piece of fudge caught on the first bounce" - Snoopy \-----------------------------------------------------------------/ ------------------------------ Date: Tue, 13 Aug 91 04:29:28 +0000 >From: astlc@acad2.alaska.edu Subject: WANTED: Master Index of IBM-PC Viruses (PC) Greetings! Is there a "master index" of all the viruses ever made for the IBM-PC's (and compatibles)? I'm preparing a report on different virus strains created for IBM-compatible machines, and I'd like to use the info- rmation to add to my report. If such a "master index" is not available, could someone lead me to an FTP site w/ virus reports (and descriptions of what the viruses affect/ destroy/change)? Thanx! Tom Claydon ------------------------------ Date: Tue, 13 Aug 91 15:59:39 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Viruses in Weapons Systems >From the August 1991 "Armed Forces Journal International" >"A draft Pentagon directive that called for implanting a >computer "virus" or software disabling mechanism in every major >new US weapon system - one that could be remotely triggered if >the weapon fell into enemy hands Sounds like media hype - there are lots better ways to deactivate a system than with a virus. A few years ago I was involved in a program to allow high-tech (for the time) system to be sold to people we had reason to believe would try to "reverse engineer" the software. Some special hardware was used to prevent this. A virus is software and is only effective if executed, something a professional can detect and avoid. Padgett ----------------------------------------------------------------------- To: Virus-L Fm: Padgett Peterson Da: 13 Aug. 1991 Su: infected files with nonstandard extension (PC) >From: warren@worlds.COM (Warren Burstein) >I had a recurring Sunday infection. I couldn't figure out how Sunday >could be hiding, it turned out that it had latched onto files that did >not end in .COM or .EXE. What the virus is looking for is an MSDOS "spawn" action, not a particular extension so it can infect anything that executes. Just because COMMAND.COM will only execute .EXE & .COM files does not mean that the CPU will not. The good news is that I have never seen an infection that had not infected at least some .COM or .EXE files so intitial scanning may be confined to these (plus .SYS and .OV*). Once detected though, the only way to be sure of eradication is to check everything. Padgett ------------------------------------------------------------------------- To: Virus-L Fm: Padgett Peterson Da: 13 Aug. 1991 Su: Problem cleaning "LIBERTY" virus? (PC) >From: Ken De Cruyenaere 204-474-8340 >CLEAN V80 was unable to clean it though. I beleive the message >was something like "Unable to clean this file, delete ? y/n " >(Over a dozen infected files and none of them could be cleaned.) >We next tried Central Point's ANTIVIRUS and it cleaned it up >quickly. This is a good reason not to rely on just one product - my preference is a layered approach with at least three levels, one normal and two dis-similar backups. If a product is not sure that a file can be cleaned, it is often better for it not to try. Padgett ----------------------------------------------------------------- To: Virus-L Fm: Padgett Peterson Da: 13 Aug. 1991 Su: Stoned at EPO (PC) >From: LBA002@PRIME-A.TEES-POLY.AC.UK >New Scientist 10 August 1991, p. 24 under byline "Computers Get Stoned >On Patent Discs" reports that the European Patent Office in Munich has >been sending clients a floppy disc containing the Stoned virus. This type of thing just keeps happening both here and abroad - where are all the lawyers when we need them ? Padgett ----------------------------------------------------------------------- To: Virus-L Fm: Padgett Peterson Da: 13 Aug. 1991 Su: New Anti-Virus Consortium Announced > >The August 5th Network World has an article on a new consortium: >The AntiVirus Product Developers Consortium (AVPD)... >Members currently are: Central Point Software, Certus >International, Symantec/Peter Norton, and XTree Co. Membership >is open to all other vendors. Haven't heard of it but the membership sounds more related to advertising budgets if more details are available, would like to know. On the subject, I was told last week that the next release of NAV will just use a single checksum file (like Engima-Logic) rather than the innumerable 77 byte _whatevers. Padgett ------------------------------ Date: 13 Aug 91 23:15:27 -0400 >From: "Robert McClenon" <76476.337@CompuServe.COM> Subject: Bus Error, Teenager Abuse (Mac) A message was posted on a customer's bulletin board system (of which I am the sysop) asking about a problem on a member's Macintosh. The author's daughter had complained that the Macintosh reported a "Bus Error". She then switched off the Macintosh. When the author turned it on, he had problems with the various options of the Control Panel. He also noticed that the System file had increased in size by 2.6M from its previous size on a backup diskette. Both I and another knowledgable participant in the bulletin board suggested that the most likely cause of this behavior (growth in System file, altered behavior of displays) was a virus. The author said that he had used Apple's virus scanner and did not think he had a virus. He then added that his daughter had been copying some sound at the time of the "Bus Error". Since sound effects and sound recordings are installable into the System file, this explains almost everything. The growth in the System file is not a virus-like anomaly but an adolescent anomaly, caused by the daughter installing sound. What caused the "Bus Error"? Is this a hardware error with the SCSI bus (which could have messed up the Control Panel)? Should he have his machine checked out? Robert McClenon Neither my employer nor anyone else paid me to say this. ------------------------------ Date: Wed, 14 Aug 91 04:40:00 +0000 >From: William Hugh Murray <0003158580@mcimail.com> Subject: re: Virus Implants in DoD Weapons >The article goes on to say that this would be great for weapons >exports and that EEPROMS could carry such "Trojan Horses" that could >be activated using electrical signals. >Hmmmmmm. Comments? Since, you would not likely know which instance of such a weapon was aimed at you, and since you might have little time to react, they would all have to be triggered the same. Since you would not have much time to react, the triggering value would have to be widely disseminated. Such a widely disseminated value would be disclosed and could then be used by an enemy to disarm weapons still in your hands. This could be compensated for in part by distributing the disabling value in a secure smart card. This could discourage its replication, and possibly even prevent its unauthorized use. Any country known to be employing such a mechanism, even thought to be employing such a mechanism, would be considered an unreliable source for arms. The very idea must already have had a chilling effect on the arms trade. William H. Murray ------------------------------ Date: Wed, 14 Aug 91 13:07:14 +0000 >From: lee@LONEX.RL.AF.MIL (Lee Ritter) Subject: 8 tunes virus Anybody know what the 8 tunes virus does?. I Have found this on some software that I have. Lee ------------------------------ Date: 13 Aug 91 17:28:07 -0400 >From: Kevin Dean <76336.3114@CompuServe.COM> Subject: DOS memory mangement (PC) Would there be any reason (apart from Frodo/4096 and its ilk) for there to be a difference between the amount of memory reported by BIOS and the amount of memory calculated by walking the DOS MCB chain? Are there any utilities that would have a (legitimate) reason to take over a portion of high memory and fiddle with the DOS MCB chain? ------------------------------ Date: Wed, 14 Aug 91 14:16:42 -0600 >From: kev@inel.gov (Kevin Hemsley) Subject: NetWare boot process (PC) I am doing research for a paper on virus protection for LANs. I need information on booting under NetWare. I haven't been able to find any information about the boot record and if/how it is different from a normal DOS boot record. Also, if anyone has any information on previously published papers dealing with virus protection on a LAN, I would appreciate hearing from you. Thanks in advance. - ------------------------------------------------------------------------------- Kevin Hemsley | Information & Technical Security | If you think that you have someone Idaho National Engineering Laboratory | eating out of your hand, it's a (208) 526-9322 | good idea to count your fingers! kev@inel.gov | - ------------------------------------------------------------------------------- ------------------------------ Date: Thu, 01 Aug 91 10:28:29 -0600 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Revised Product Test - - Virucide, Version 2.24 ****************************************************************************** PT-12 June 1990 Revised August 1991 ******************************************************************************* 1. Product Description: VIRUCIDE is a commercial anti-virus program to detect and to repair known computer viruses for the MS-DOS computer environment. The report addresses version 2.24, released 21 May 1991. 2. Product Acquisition: The product is available from Parsons Technology, Inc. The address is Parsons Technology, Inc., 375 Collins Road NE, Cedar Rapids, Iowa 52401. The company has a toll free number for orders, 1-800-223-6925. The cost of a single copy, as of 31 July 1991, was $49.00. Each of three program upgrades , to include version 2.24, have been $15.00 which includes shipping and handling. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. [Ed. The remainder of this review, and other reviews by Chris McDonald and Robert Slade, is available by anonymous FTP from cert.sei.cmu.edu (ip#=192.88.209.5) in the pub/virus-l/docs/reviews directory.] ------------------------------ Date: Wed, 14 Aug 91 12:28:26 -0600 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Product Test - - TbScan ******************************************************************************* PT-39 August 1991 ******************************************************************************* 1. Product Description: TbScan is a copyrighted program written to detect computer viruses and malicious programs for MS-DOS environments. 2. Product Acquisition: The program documentation states that TbScan "can be used for free in non-commercial organisations and by private users. Government and commercial organisations have to register the usage of TbScan". There is a registration form included which describes costs, to include multiple copy acquisitions. Frans Veldman is the program author. The documentation gives the following address for more information: ESaSS B.V, P.O. Box 1380, 6501 BJ Nijmegen, The Netherlands. The author has registered the copyright and made the program available on many bulletin boards and software repositories, to include the MS-DOS repository on simtel20 [192.88. 110.20]. The current path on simtel20 is pd1:tbscan28.zip. On simtel20 the number "28" in the zipped file denotes version 2.8. One will also require a virus signature data file supplied by Jan Terpstra. The path on simtel20 is pd1:vs910731.zip. This denotes a signature file of 31 July 1991. Since the signature file is updated frequently, users should recognize that the path can change. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. [Ed. The remainder of this review, and other reviews by Chris McDonald and Robert Slade, is available by anonymous FTP from cert.sei.cmu.edu (ip#=192.88.209.5) in the pub/virus-l/docs/reviews directory.] ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 141] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253