VIRUS-L Digest Wednesday, 21 Aug 1991 Volume 4 : Issue 144 Today's Topics: Re: Hard disk locking ? (PC) Re: New Anti-Virus Consortium Announced Re: Problem cleaning "LIBERTY" virus? (PC) Re: Mutation engine available (PC) Re: Smithsonian Virus (PC) Re: Hard disk locking ? (PC) help identifying virus on PC (PC) Re: NEW VIRUS? (PC) Re: Problem cleaning "LIBERTY" virus? (PC) Re: More about the mutation engine (PC) Re: Hard disk locking ? (PC) Re: HELP - possible virus (IBM 5150?) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 19 Aug 91 14:15:00 +1200 >From: "Nick FitzGerald" Subject: Re: Hard disk locking ? (PC) In VIRUS-L Digest V4 #142 Fridrik Skulason wrote: One person here at the University of Iceland had the misfortune of having his hard disk trashed by the Spanish Telecom virus recently. It was possible to trace the source of the infection, but now he wants some method to prevent anyone from working on his machine while he is away - for example by asking for a password on boot-up. This is easily solvable with additional hardware - some machines include this feature in the BIOS, but it is also possible to get an add-in card for this purpose. Software-only solutions are less secure of course, but they are sufficient in his case. It is possible to create a small program which asks for a password when you boot from the hard disk, and cannot be bypassed simply by booting from a diskette. >My questions: > > #1 I guess that such a program already exists - but I have not yet > been able to find it. Does anyone know of something like this ? There's one called PC-Lock which is shareware (sort of). A "demo" version is available from many FTP sites but it only allows one character "passwords". The replacement MBR that this program writes makes the HD "invisible" if the PC is booted from floppy. From a brief play with the "demo" version it seemed to work much as claimed. I think it also gives you the option of write-protecting on a partition-by- partition basis. Padgett's DiskSecure has the option of password protecting your HD, but I don't think there has been a "public" release of this yet. (Certain extremely abberant HD controllers, like one I own, cause grief to the operation of DiskSecure and some similar programs.) > #2 If the answer to #1 is "no", I'll probably write this, and might > make it available if anybody is interested. The question is - are > programs like this a good idea ? I can imagine some potential > problems, for example if the hard disk is "protected" in this way, > without the owner's permission, and if a utility to remove the > protection is included, it really makes the program rather useless. The way PC-Lock and DiskSecure work is they allow you to create a "maintenance" disk, so you can boot from a floppy for various legitimate reasons (e.g. booting without your disk cache to de-frag). They also provide "de-install" programs. Obviously, neither maintenance disks nor de-installers should be left near the PC, although the former still require the user to supply a password. On the issue of being able to remove the protection, FDISK will do the trick if the PC's are booted from floppy, as the system still reports the hardware is present, it's just that DOS doesn't see it. A determined hacker will still be able to break in by using something as sophisticated as Norton's Utility and a bit of low level snooping around the disk and then repartitioning to his/her best guess at the original partitioning scheme (FDISK again). - - ------------------------------------------------------------------------- Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z. Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337 ------------------------------ Date: Sun, 18 Aug 91 18:00:19 +0700 >From: swimmer@stage.hanse.de (Morton Swimmer) Subject: Re: New Anti-Virus Consortium Announced RTRAVSKY@corral.uwyo.edu (Rich Travsky (307) 766-3663/3668) writes: > The August 5th Network World has an article on a new consortium: The These people obviously haven't heard of EICAR and CARO yet. It looks like there will be much work being done doubled. What a waste of time. Cheers, Morton .............................................................................. .morton swimmer..odenwaldstr.9..2000 hamburg 20..germany..tel: +49 40 4910247. .internet: swimmer@stage.hanse.de or swimmer@rzsun1.informatik.uni-hamburg.de. ..............to leave only footprints, and take only memories................ ------------------------------ Date: Mon, 19 Aug 91 16:40:00 >From: "Johnwee Lee" Subject: Re: Problem cleaning "LIBERTY" virus? (PC) SLEEJY@cc.curtin.edu.au (Johnwee Lee) writes: > KDC@UOFMCC.BITNET (Ken De Cruyenaere 204-474-8340) writes: >> The LIBERTY virus made another appearance on our campus recently. >> CLEAN V80 was unable to clean it though. I beleive the message >> was something like "Unable to clean this file, delete ? y/n " >> (Over a dozen infected files and none of them could be cleaned.) >> >> We next tried Central Point's ANTIVIRUS and it cleaned it up >> quickly. Central Point identified it as the MYSTIC virus, >> which caused a little confusion as MYSTIC isn't listed as >> and alias of LIBERTY... >> I have checked back issues of this digest for any other >> similar problems with CLEAN (version80) and LIBERTY and didn't >> find any. Has anyone else bumped into this? >> Ken > > Recently, I was also given a disk from a friend that was infected > with the LIBERTY virus. I am also having the same problem trying to > remove it.... If anyone has any idea of cleaning or removing it > without replacing the infected files please kindly let me know. > > I appreciate any help that is available. > > Johnwee Lee First of all... I would like to express my sincere *THANKS* to all those people who mailed me their advice and experience on the above. Just then when I was pondering on how to removed the "LIBERTY" virus, a friend of mine suggested to me on using the SCAN (Version 77) from McAfee on our LAN Network to try and removed it. I try using SCAN 77 and it detected it. When I used CLEAN 77, it reported to have removed it. Later on, I tried using SCAN 80 to make sure that the disk was "clean" and SCAN 80 reported that "No virus was found" !!! Thus I think that the "LIBERTY" virus that I have was a variant of the original LIBERTY virus which SCAN 80 fails to removed it safely. As such, I would recommand to others to try it out with SCAN 77 and CLEAN 77 if CLEAN 80 fails.... Now that the virus is "removed" successfully, I regret that I didn't make a copy of it for those interested in diagnosting it. Thanks you once again... Johnwee Lee *=============================================================================* | Johnwee LEE Y.K. | Second Year NOVICE | | Internet: SLEEJY@cc.curtin.edu.au | Information Processing | | P.O.BOX 589, WILLETTON, WESTERN AUSTRALIA 6155. | CURTIN UNIVERSITY of | | TEL: 619-310-1440 FAX: 619-310-4986 | TECHNOLOGY | *=============================================================================* ------------------------------ Date: 19 Aug 91 09:06:43 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Mutation engine available (PC) frisk@rhi.hi.is (Fridrik Skulason) writes: >The person who calls himself Dark Avenger - the author of the "Eddie" >virus (and others), has just released a "mutation engine" - a skeleton >for constructing encrypted self-modifying viruses. This program has >been posted in source code form on several virus BBSes, and although >it is not as sohisticated as expected, I would not be surprised if >several viruses build around it would apper in the next few months. Is this the MUTATE.ASM file, which comments you asked me to translate? If so, this file is quite old (it has been available since long time) and all viruses that can be created with it will belong to the PHOENIX family. All of them could be detected with a wildcard scan string. If this is indeed the same file (please, confirm it), I can post here scan strings that are compatible with SCAN and HTScan/TbScan(X). Regards, Vesselin ------------------------------ Date: 19 Aug 91 09:11:41 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Smithsonian Virus (PC) NZPAM001@SIVM.BITNET (Peter Kibbee) writes: > Has anyone ever herd of the stoned virus referred to as the >Smithsonian Virus? Jack Anderson's column of August 12, 1991, >headlined *Computer Hackers Still Playing Havoc*, contains the >following reference: > This particular virus even has aliases that include "Hawaii," >"Marijuana," "New Zealand," "Smithsonian" or "Hamo." C'mon, if we wait for the media to give us exact information... :-) Regards, Vesselin ------------------------------ Date: 19 Aug 91 09:14:44 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Hard disk locking ? (PC) frisk@rhi.hi.is (Fridrik Skulason) writes: >It was possible to trace the source of the infection, but now he wants >some method to prevent anyone from working on his machine while he is >away - for example by asking for a password on boot-up. >This is easily solvable with additional hardware - some machines >include this feature in the BIOS, but it is also possible to get an >add-in card for this purpose. Yes, as far as I know, the ThunderByte card offers password protection among other anti-virus stuff. >Software-only solutions are less secure of course, but they are >sufficient in his case. It is possible to create a small program >which asks for a password when you boot from the hard disk, and cannot >be bypassed simply by booting from a diskette. It depends on what do you mean exactly by "cannot". A really skilled penetrator won't be stopped by a software solution, no matter how sophisticated. True, you may even encypt the whole disk with a cryptographically strong algorithm (and of course not store the password on the disk ). This will prevent him only from -reading- the disk, not from writing on it. >My questions: > #1 I guess that such a program already exists - but I have not yet > been able to find it. Does anyone know of something like this ? I have heard of a program, called PC-LOCK. It is shareware. I -can- bypass it, therefore for me it's just garbage. There is another thing, but it is commercial and is manifactured by a Bulgarian firm. When you install it (as a device driver), you won't be even able to boot from a diskette - the machine just hangs. Yeah, this is achieved entirely in software... Nevertheless, it can be bypassed too. > #2 If the answer to #1 is "no", I'll probably write this, and might > make it available if anybody is interested. The question is - are > programs like this a good idea ? I can imagine some potential > problems, for example if the hard disk is "protected" in this way, > without the owner's permission, and if a utility to remove the > protection is included, it really makes the program rather useless. My oppinion is that such programs are not a very good idea. As I already said, all of them can be bypassed, if enough effort is applied. Also, they sometins are in conflict with programs like Disk Manager, that use the unused space of the first disk track... Regards, Vesselin ------------------------------ Date: Mon, 19 Aug 91 10:32:00 +0100 >From: ROTHWELL@IRTCORK.BITNET Subject: help identifying virus on PC (PC) Hello, We have recently discovered a virus on some of our PC's here and would appreciate it if anybody out there can recognise it and describe it for us. It manifests itself rather blatantly by displaying a colour graphic on the screen of what looks like the pictorial representation of the Mandelbrot set of Fractal geometry fame. (if that rings a bell with anyone). There is also some text on the top left hand corner "Execute: mov ax feb0, interrupt 21 any key to continue!". The hex address there may not be 100% accurate. Anyway, we would appreciate any help. Thanks. Paul Rothwell. ------------------------------ Date: 19 Aug 91 09:35:59 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: NEW VIRUS? (PC) RONNIE@ECUAFUN.BITNET writes: >1.- SCAN detects the virus in memory, then it sends and alert, saying that some >thing strange is happening in the computer's memory, and migth want to turn it >off. Does SCAN identify the virus? (Does it print a name?) >2.- A bozo message appears on the screen saying: "I'm killing the &%$,@... poli >ce program ..." After you have started SCAN? And do you use VSHIELD? >5.- You discover that all your files, including those on the sub-directories, h >as been converted to a 144 byte file that contains the message "Fakkir has %$,& >@ this Go-Go file... Ha, Ha, Ha" Is there something more that this message in the files? For such a primitive virus 144 bytes seem sufficient... Are all these 144-byte files equal? >I was searching for signatures, boot sectors, or any other clue for try to figu >re-out how the virus works, but the attack was very faster, and lethal. Was the boot sector destroyed too? If not, does it seem infected? Are there any clusters, marked as bad on the disk? Regards, Vesselin ------------------------------ Date: 19 Aug 91 09:28:05 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Problem cleaning "LIBERTY" virus? (PC) SLEEJY@cc.curtin.edu.au (Johnwee Lee) writes: > Recently, I was also given a disk from a friend that was infected >with the LIBERTY virus. I am also having the same problem trying to >remove it.... If anyone has any idea of cleaning or removing it >without replacing the infected files please kindly let me know. CLEAN is not able to disinfect most of the viruses that SCAN detects. It just destroys the infected files. It is written in the documentation, please read it. There is also a list of the viruses that CLEAN -is- able to disinfect successfully. They are not very much - in fact only the most often encountered viruses can be removed. McAfee's oppinion is that it is safer to replace the infected files from non-infected backups or from the original diskettes. I agree with him - very often it is impossible to restore an infected file -exactly- in its previous state. BTW, note that there are at least two variants of the Liberty virus. You can also try F-Prot and Dr. Solomon's Anti-Virus Toolkit as disinfection programs - they are quite good. Regards, Vesselin ------------------------------ Date: 19 Aug 91 09:43:28 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: More about the mutation engine (PC) frisk@rhi.hi.is (Fridrik Skulason) writes: >Normally I would ask Vesselin Bontchev for a translation, as the text >is probably in Bulgarian, but I have not been able to reach him. So, >if there is anybody reading this who... Well, this is probably a misunderstanding, but didn't my mail reach you? I translated them on the same day I received your message. If you still don't have them, do you want the translation posted here? > ... can display the Cyrillic character set on his/her PC. >and > ... understands Bulgarian Oh, the first thing is easy... :-) I have a small TSR program, that is both a screen (EGA/VGA only) and a keyboard driver for Cyrillics... If a lot of anti-virus researchers need it, I can send it to Ken. About the second thing, well I guess that our language is not easier then the Icelandic one... :-) Regards, Vesselin ------------------------------ Date: Mon, 19 Aug 91 11:59:56 +0000 >From: berg@physik.tu-muenchen.de (Stephen R. van den Berg) Subject: Re: Hard disk locking ? (PC) Frisk wrote: >One person here at the University of Iceland had the misfortune of >having his hard disk trashed by the Spanish Telecom virus recently. >It was possible to trace the source of the infection, but now he wants >some method to prevent anyone from working on his machine while he is >away - for example by asking for a password on boot-up. > #1 I guess that such a program already exists - but I have not yet > been able to find it. Does anyone know of something like this ? It does exist, it's called PC-Lock, can't remember who distributes it right now. I never used it, a friend of mine used it in his office. I think it is ShareWare. If you need more info, drop me a note, I'll try to find it and will tell you where to buy/ftp it. > #2 If the answer to #1 is "no", I'll probably write this, and might > make it available if anybody is interested. The question is - are > programs like this a good idea ? I can imagine some potential > problems, for example if the hard disk is "protected" in this way, > without the owner's permission, and if a utility to remove the > protection is included, it really makes the program rather useless. PC-Lock replaces your harddisk partition table, i.e. without typing in your password, you can not access any harddrives by using DOS; not even when booting by floppy. As far as I can remember they do not supply a lockbreaker program (no doubt someone wrote something like that), however any direct disk editor like NDD or DE can probably be used to remove the lock. But in order to do this, some expertise is still needed. - -- Sincerely, berg@messua.informatik.rwth-aachen.de Stephen R. van den Berg (AKA BuGless). berg@physik.tu-muenchen.de "Good moaning!" ------------------------------ Date: Mon, 19 Aug 91 12:55:45 +0000 >From: heli@eichow.tuwien.ac.at (Helmut Dier) Subject: Re: HELP - possible virus (IBM 5150?) You should clean yor disk, because the Jerusalem sort is a really dumb one. It infects files on and on so it's no wonder they need a longer time to load. you should be able to use CLEAN from McAfee (I hope I spelled it correctly) to clean most files. We had a lot of infections here at the university all over the last year and we could "heal" most of the files using CLEAN. Try to get it at some BBS (probably TRICKLE is the easiest to use). Helmut (E-Mail: HELI@EICHOW.UNA.AC.AT) ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 144] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253