VIRUS-L Digest   Friday, 16 Aug 1991    Volume 4 : Issue 142

Today's Topics:

Re: Problem cleaning "LIBERTY" virus? (PC)
When can a virus infect (AMIGA)
Re: Virus Bulletin search strings (PC)
Mutation engine available (PC)
Smithsonian Virus (PC)
Hard disk locking ? (PC)
Re: Code Execution Simulator? (PC)
NEW VIRUS? (PC)
Re: 8 Tunes
re: OS/2 Viruses (PC) (OS/2)
Self-scanning executables (PC)
More about the mutation engine (PC)
Re: Bus Error, Teenager Abuse (Mac)
HELP - possible virus (IBM 5150?)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 15 Aug 91 11:26:00
From:    "Johnwee Lee"
Subject: Re: Problem cleaning "LIBERTY" virus? (PC)

KDC@UOFMCC.BITNET (Ken De Cruyenaere 204-474-8340) writes:

> The LIBERTY virus made another appearance on our campus recently.
> CLEAN V80 was unable to clean it though.  I believe the message
> was something like "Unable to clean this file, delete ? y/n "
> (Over a dozen infected files and none of them could be cleaned.)
>
> We next tried Central Point's ANTIVIRUS and it cleaned it up
> quickly.  Central Point identified it as the MYSTIC virus,
> which caused a little confusion as MYSTIC isn't listed as
> an alias of LIBERTY...
> I have checked back issues of this digest for any other
> similar problems with CLEAN (version80) and LIBERTY and didn't
> find any.  Has anyone else bumped into this?
> Ken

Recently, I was also given a disk from a friend that was infected with
the LIBERTY virus.  I am also having the same problem trying to remove
it.... If anyone has any idea of cleaning or removing it without
replacing the infected files, please kindly let me know.  I appreciate
any help that is available.

Johnwee Lee

*==============================================================================
| Johnwee LEE Y.K.                                | Second Year NOVICE       |
| Internet: SLEEJY@cc.curtin.edu.au               | Information Processing   |
| P.O.BOX 589, WILLETTON, WESTERN AUSTRALIA 6155. | CURTIN UNIVERSITY of     |
| TEL: 619-310-1440 FAX: 619-310-4986             | TECHNOLOGY               |
*==============================================================================

------------------------------

Date:    Thu, 15 Aug 91 02:57:13 -0600
From:    Kevin Kadow
Subject: When can a virus infect (AMIGA)

With ZEROVIRUS running, after booting from a TC500 hard drive, I ran
across a newly acquired disk which, upon being inserted, resulted in:

ZeroVirus gave a warning "ColdCapture has been changed!"
options: retry  clear

Choosing clear resulted in the warning coming back up in about 1/10
second.  I did a cold start, then switched to VIRUSX...

Upon inserting the suspect disk, VirusX warned:

Australian Parasite detected!

Choosing clear seemed to work, since VirusX went back to sleep.

I was under the impression that a boot-block virus could only start-up
if you booted from an infected disk, not by simple insertion?

When will Australian Parasite be documented in the brunnstein files?

- --
technews@iitmax.iit.edu   kadokev@iitvax (bitnet)
My Employer Disagrees.
------------------------------

Date:    15 Aug 91 08:50:57 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Virus Bulletin search strings (PC)

warren@worlds.COM (Warren Burstein) writes:

>The sunday virus has two entry points, one for a COM file (0 jumps
>to 95), one for an EXE file (at C4).  It happens that the search
>string in the Virus Bulletin starts at the COM entry point, which
>means that if you were scanning starting at the entry point of
>an infected EXE file, you would not find it.

This signature was defined before I started as the Technical editor, so
I am only indirectly responsible for it, but I don't quite understand
what you mean by "..you would not find it."  The signature string is
present in all infected .EXE files too - and just looking for the virus
in one fixed location does not look very sensible to me.

- -frisk

------------------------------

Date:    Thu, 15 Aug 91 14:23:40 +0000
From:    Fridrik Skulason
Subject: Mutation engine available (PC)

The person who calls himself Dark Avenger - the author of the "Eddie"
virus (and others) - has just released a "mutation engine" - a skeleton
for constructing encrypted self-modifying viruses.  This program has
been posted in source code form on several virus BBSes, and although it
is not as sophisticated as expected, I would not be surprised if several
viruses built around it were to appear in the next few months.

- -frisk

------------------------------

Date:    Thu, 15 Aug 91 10:51:11 -0400
From:    Peter Kibbee
Subject: Smithsonian Virus (PC)

Has anyone ever heard of the stoned virus referred to as the Smithsonian
Virus?  Jack Anderson's column of August 12, 1991, headlined *Computer
Hackers Still Playing Havoc*, contains the following reference:

   This particular virus even has aliases that include "Hawaii,"
   "Marijuana," "New Zealand," "Smithsonian" or "Hamo."
TIA

Phone: (202) 673-4725
NZPAM001 @ SIVM.BITNET
No pressure, No diamonds

------------------------------

Date:    Thu, 15 Aug 91 15:26:38 +0000
From:    Fridrik Skulason
Subject: Hard disk locking ? (PC)

One person here at the University of Iceland had the misfortune of
having his hard disk trashed by the Spanish Telecom virus recently.  It
was possible to trace the source of the infection, but now he wants
some method to prevent anyone from working on his machine while he is
away - for example by asking for a password on boot-up.

This is easily solvable with additional hardware - some machines include
this feature in the BIOS, but it is also possible to get an add-in card
for this purpose.  Software-only solutions are less secure of course,
but they are sufficient in his case.  It is possible to create a small
program which asks for a password when you boot from the hard disk, and
cannot be bypassed simply by booting from a diskette.

My questions:

#1 I guess that such a program already exists - but I have not yet been
   able to find it.  Does anyone know of something like this ?

#2 If the answer to #1 is "no", I'll probably write this, and might
   make it available if anybody is interested.  The question is - are
   programs like this a good idea ?  I can imagine some potential
   problems, for example if the hard disk is "protected" in this way,
   without the owner's permission, and if a utility to remove the
   protection is included, it really makes the program rather useless.

- -frisk

------------------------------

Date:    Thu, 15 Aug 91 16:23:58 +0000
From:    Fridrik Skulason
Subject: Re: Code Execution Simulator? (PC)

dkarnes@world.std.com (Daniel J Karnes) writes:

>The thing is catching 99% of the hundred or so viruses I have tested
>against so far with only a few false positives.

Well - it would be interesting to run it against a larger set -
containing 400-800 viruses or so.
In particular, I would be interested in seeing how it performs against
a similar program of my own, as I have not been able to obtain anything
better than a 95% detection.

Programs like this are not new - I saw one (Russian or Bulgarian) in
Hamburg last December.  This type of anti-virus program has a problem
with viruses written in a high-level language, but they are very
efficient in finding most instances of suspicious code.  However - the
number of false positives may be unacceptable in many cases.

- -frisk

------------------------------

Date:    Thu, 15 Aug 91 11:08:00 -0500
From:    RONNIE@ECUAFUN.BITNET
Subject: NEW VIRUS? (PC)

I want to know if anybody out there has notices or sightings of the
HV32 FAKKIR virus (PC).

This virus attacks fast and, unfortunately, effectively; it can destroy
in memory the SCAN anti-virus program, and then attacks.  As I saw it,
it seems that the SCANning process is the activator for the virus
actions, but I'm not sure about that.

The way in which it does this is as follows:

1.- SCAN detects the virus in memory, then it sends an alert, saying
    that something strange is happening in the computer's memory, and
    you might want to turn it off.

2.- A bozo message appears on the screen saying: "I'm killing the
    &%$,@... police program ..."

3.- The speaker beeps uncontrollably

4.- You turn your machine off and on again

5.- You discover that all your files, including those in the
    sub-directories, have been converted to a 144 byte file that
    contains the message "Fakkir has %$,&@ this Go-Go file... Ha, Ha,
    Ha"

It seems that the virus works while the speaker is beeping, so the
faster you reboot your machine, the more files you prevent from attack.

I was searching for signatures, boot sectors, or any other clue to try
to figure out how the virus works, but the attack was very fast, and
lethal.

If anybody out there has notices about this abomination, please answer.

Thanks in advance.

Ronnie Nader B.
Pacific National Bank
UCSG Systems Eng.
faculty Ecuador
Guayaquil - Ecuador

------------------------------

Date:    Thu, 15 Aug 91 18:41:58 +0600
From:    ry15@rz.uni-karlsruhe.de
Subject: Re: 8 Tunes

Hello,

the 8 tunes virus is most probably a German product.  It plays 8 tunes
after going resident, provided the infection is 90 or more days old.
The virus will wait for 30 min and then start playing randomly selected
tunes of its repertoire.  Four are German folk songs, two are English
songs, one is garbage, and the last is part of the virus TSR
interpreted as music (garbage too).

Sincerely

Christoph Fischer

P.S.: I presume you have the other technical details, if not let me
know.

Christoph Fischer
Micro-BIT Virus Center
University of Karlsruhe
Zirkel 2
W-7500 KARLSRUHE 1
Germany
+49 721 376422 Phone
+49 721 32550 FAX
email: ry15@rz.uni-karlsruhe.de

------------------------------

Date:    Fri, 16 Aug 91 00:50:21 +0700
From:    swimmer@stage.hanse.de (Morton Swimmer)
Subject: re: OS/2 Viruses (PC) (OS/2)

W.CAELLI@qut.edu.au (William J. Caelli) writes:

> There have been a number of questions about whether or not there have
> been any reports of OS/2 viruses - particularly program ( as distinct
> from boot-sector ) viruses.  Has anyone got any reports of such OS/2
> viruses.

Nope, not a thing.  I suspect that there just are not enough
installations of OS/2 yet, in those areas where virus writers tend to
be.  When we looked into the possibility of writing viruses for OS/2 we
found many fascinating possibilities, which I won't go into here.  But,
like the MAC operating system, OS/2 has better self-protection and is
far more complicated to program.  I doubt not that we will see an OS/2
virus some day.

Cheers, Morton

Virus Test Center, Hamburg, Germany
..............................................................................
.morton swimmer..odenwaldstr.9..2000 hamburg 20..germany..tel: +49 40 4910247.
.internet: swimmer@stage.hanse.de or swimmer@rzsun1.informatik.uni-hamburg.de.
..............to leave only footprints, and take only memories................

------------------------------

Date:    Fri, 16 Aug 91 00:53:05 +0700
From:    swimmer@stage.hanse.de (Morton Swimmer)
Subject: Self-scanning executables (PC)

From: a_rubin@dsg4.dse.beckman.com

> If I disassembled/debugged some of the CRC checkers, _I_
>probably could write a virus which checked for (some variants) of
>those checkers and modified its infections accordingly; if I didn't

Or you could just destroy the checksum as the Tequila virus did to the
McAfee authentication codes on files.

Cheers, Morton
..............................................................................
.morton swimmer..odenwaldstr.9..2000 hamburg 20..germany..tel: +49 40 4910247.
.internet: swimmer@stage.hanse.de or swimmer@rzsun1.informatik.uni-hamburg.de.
..............to leave only footprints, and take only memories................

------------------------------

Date:    Fri, 16 Aug 91 00:49:42 +0000
From:    Fridrik Skulason
Subject: More about the mutation engine (PC)

The file below looks strange - but it contains the PKZIPed, xxencoded
comments by Dark Avenger which were included in his new "mutation
engine".  Normally I would ask Vesselin Bontchev for a translation, as
the text is probably in Bulgarian, but I have not been able to reach
him.  So, if there is anybody reading this who...

... can display the Cyrillic character set on his/her PC.

and

... understands Bulgarian

I would really appreciate a quick translation, as I am planning to
write a bit about this engine for the September edition of the Virus
Bulletin.
begin 400 mutate.zip
hI2g1-+c++++4+0c32-ReZkPBeE6++-k2+++8++++HJJIEJF39Y3HHEw+2UAY
h3HMbC1ZeSomRPVw7-U2HBCLqZjQ7ZpPhaXFeq8--icvRqfLcpe-Z7LwPR4nN
h633-zldqOR8ZJzw4QHrfIi0qDQXFdJgZiqrIjwcBTB0Yk6xpnSpy9SiKfhmw
h9VgeDAEw8KbN5vGcw3xFzOeVypyqOtMUFNx4NLFI4x1SGdm1JBcIOggkqDpx
heix-mcPxCvEcTgPrfZ3tqx7xnI54V+ZXTBYiGvicaV+excvivZYNTsdxZoCT
hBUJ74rHeJLhRmaxjqP63wN79eNpLhnduq9BJfHKeRRCzhCjEhQvgf34BWvVZ
h3nTAokPodiUJ3TmUJuAy-GLDdGGIKfPYZgvcVDcl8Cm8LDucREmRZJWJkB43
hJJjte3KL2heqFBlBUXtJ7GK3t3qDGhfoRhqbU8ccyzhNOtz8rZbDZeKo-8qY
hh2+YVTcPEdskofRFxSIUIM1lIYSoBEsGdYuOBcSaU7hKv9dJyutLBSqlNvCe
h6pAmsIo9PcmMAO1V0sQ2YFJLpEsF7cWvvQk3fP-pep8GGztJHGqSD7RrI7bn
hdP2yZRe0Q8rgMuCyfEfeMxdg4FfJRcfbd80CC82rRHm67nraGQCZ2vVCxmoQ
hd+wIRoeLVRe41up9nrrFGxy8qvlA03uV6vnj67dqI9sjMn6loW15cZovhquP
hTr-MM8dfY1wclaJz4ppCWAxFgTeSKVPsNSL8ROg5fTWeD1SmkVKm3TLcKIYj
hOgWKhgXje4sYe0wZNAfdVUnJZt5hjseo8XH9r9R8L3zJF0IpP5sqB2bgarvX
hmpdgzsJ3e1jN2DafDTUfBFSLTGQsXrMpygjKnQfSIGrFTy5hdrHTHppZEu1M
hIVS51EEW-rLYfkdg3CKNvJCpHoA45GcucaqmLhKhdzUKmI5BSxiuRADG9QDc
h+p-9+E68++c++++4+0c32-ReZkPBeE6++-k2+++8++++++++++++6+++++++
W++-BJJF-J2IiEJBBI2g3-U+++++-++2+C++++B20++++++++
+
end

------------------------------

Date:    Fri, 16 Aug 91 00:58:10 +0000
From:    mike@pyrite.SOM.CWRU.Edu (Michael Kerner)
Subject: Re: Bus Error, Teenager Abuse (Mac)

Bus errors are not always bus errors.  What I mean by that is that to
me a bus error suggests a hardware problem, which in my experience has
rarely been the case.  Typically the error is caused by an INIT/CDEV
conflict that the user is not aware of.  I have had similar problems
with a specific Mac in my bailiwick (I'll kill Stoll if I ever meet him
- can't stop using that word...) with CDEV transfers back and forth.
They should try disabling/removing various INITs and CDEVs one by one
and performing the operation.  Then they will probably find out what
was the cause.

The second most common cause of bus errors (in the low numbers) is a
memory problem.
Typically this will arise if the SIMM wasn't inserted right, or if it
has (once in an eclipse that YOU experience) gone bad.

Mikey.
Mac Admin
WSOM CSG / TRW Inc.
CWRU / Corporate HQ
mike@pyrite.som.cwru.edu

------------------------------

Date:    Fri, 16 Aug 91 04:08:54 +0000
From:    feldheim@spot.Colorado.EDU (FELDHEIM JOHN D)
Subject: HELP - possible virus (IBM 5150?)

I think I may have a virus, but I'm not sure.  I have an old IBM model
5150.  Recently, it has been acting weird.  It's running a lot slower
and some files won't run at all.  It has been getting progressively
worse.  A file I ran yesterday won't run anymore today.  Also, the
longer it's on, the slower it gets.  After ten minutes, it's so slow
that I can see lines between screen flashes.  I have been using my
modem to call BBS's and check out files, so it's possible that I picked
up a virus somewhere.  I got a copy of Mc so and so's virus scan
program.  When I ran it, it said that I had a Jerusalem virus on about
25 files.  Can anyone help me?  I don't want to start cleaning my hard
drive unless I'm sure that I need to.  I'm rather a novice when it
comes to computers, and I would appreciate any help or advice that
anyone has.  Please e-mail me with any suggestions.

Thanks,
John Feldheim
feldheim@spot.colorado.edu

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 142]
******************************************
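Added example (not part of the digest, and not code from any of the posters) illustrating the disagreement in the "Virus Bulletin search strings" thread above: Burstein's scanner compares the pattern only at a file's entry point, so a string that starts at the COM entry of a two-entry virus is missed in an EXE whose entry lies elsewhere in the body, while frisk's whole-file search finds it in both. The body layout (COM entry at body offset 0, EXE entry at body offset 0xC4) follows Burstein's description; the 8-byte search string, the filler bytes and the host sizes are constructed placeholders and are not the real Sunday virus or the real Virus Bulletin string. The MZ-header and COM entry-point parsing follows the documented DOS load semantics (entry = header size + CS:IP for EXE; a leading E9 JMP followed for COM).

```python
"""Signature scanning: entry point only vs. the whole file.

Added example for the 'Virus Bulletin search strings' thread.  The body
layout (COM entry at body offset 0, EXE entry at body offset 0xC4) follows
Burstein's description; every byte value and the 8-byte search string are
constructed placeholders, not the real Sunday virus or Virus Bulletin string.
"""
import struct

# Constructed 8-byte search string (placeholder, not the VB pattern).
TOY_SIGNATURE = bytes.fromhex("c0ffeebad5ca11ed")

BODY_SIZE = 0x100   # size of the constructed appended body
COM_ENTRY = 0x00    # the COM entry point, where the search string starts
EXE_ENTRY = 0xC4    # the EXE entry point, 0xC4 bytes further in


def make_toy_body() -> bytes:
    """Filler body with the signature at the COM entry and other bytes at the EXE entry."""
    body = bytearray(b"\x90" * BODY_SIZE)          # NOP filler, no real code
    body[COM_ENTRY:COM_ENTRY + len(TOY_SIGNATURE)] = TOY_SIGNATURE
    body[EXE_ENTRY:EXE_ENTRY + 4] = b"\xaa\xbb\xcc\xdd"   # constructed, differs from the signature
    return bytes(body)


def make_infected_com(host_len: int = 300) -> bytes:
    """Host COM program (filler) with the body appended and a leading JMP into it."""
    host = bytearray(b"\xcc" * host_len)           # stands in for the original program
    body = make_toy_body()
    target = host_len + COM_ENTRY                  # file offset of the body's COM entry
    disp = target - 3                              # E9 disp16 is relative to the byte after the JMP
    host[0:3] = b"\xe9" + struct.pack("<H", disp)
    return bytes(host) + body


def make_infected_exe(host_len: int = 300) -> bytes:
    """Minimal MZ image whose initial CS:IP points at the body's EXE entry."""
    header_paras = 4                               # 64-byte header
    load_module = b"\xcc" * host_len + make_toy_body()
    e_cs, e_ip = divmod(host_len + EXE_ENTRY, 16)  # entry as segment:offset within the load module
    total = header_paras * 16 + len(load_module)
    pages, last = divmod(total, 512)
    if last:
        pages += 1
    header = bytearray(header_paras * 16)
    # e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
    # e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
    struct.pack_into("<2s13H", header, 0, b"MZ", last, pages, 0, header_paras,
                     0, 0xFFFF, 0, 0xFFFE, 0, e_ip, e_cs, 0x40, 0)
    return bytes(header) + load_module


def entry_point_offset(image: bytes) -> int:
    """File offset of the first instruction DOS would execute for a COM or MZ EXE image."""
    if image[:2] == b"MZ":
        (cparhdr,) = struct.unpack_from("<H", image, 0x08)
        e_ip, e_cs = struct.unpack_from("<HH", image, 0x14)
        return cparhdr * 16 + e_cs * 16 + e_ip
    if image[:1] == b"\xe9":                       # COM starting with JMP rel16: follow it
        (disp,) = struct.unpack_from("<H", image, 1)
        return (3 + disp) & 0xFFFF
    return 0                                       # plain COM: execution starts at offset 0


def scan_at_entry(image: bytes, signature: bytes = TOY_SIGNATURE) -> bool:
    """The strategy Burstein describes: compare the pattern only at the entry point."""
    return image.startswith(signature, entry_point_offset(image))


def scan_whole_file(image: bytes, signature: bytes = TOY_SIGNATURE) -> bool:
    """Search the pattern anywhere in the file, as frisk's reply assumes."""
    return image.find(signature) != -1


def compare_strategies() -> dict:
    """Detection result per (file type, strategy) for the constructed samples."""
    samples = {
        "clean COM": b"\xcc" * 300,
        "infected COM": make_infected_com(),
        "infected EXE": make_infected_exe(),
    }
    return {
        name: {"entry point": scan_at_entry(img), "whole file": scan_whole_file(img)}
        for name, img in samples.items()
    }


if __name__ == "__main__":
    for name, result in compare_strategies().items():
        print(f"{name:13s} entry-point-only={result['entry point']!s:5s} "
              f"whole-file={result['whole file']}")
```

Run as a script, the table shows the constructed infected COM caught by both strategies, the constructed infected EXE caught only by the whole-file search, and the clean file flagged by neither. The entry-point strategy is cheaper per file, which is why scanners of the period used it, but a string chosen for one entry point has to be paired with a string for the other, or the scanner has to search the whole file, for a two-entry virus to be detected in both file types.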