VIRUS-L Digest   Thursday, 22 Aug 1991    Volume 4 : Issue 146

Today's Topics:

RE: where is VSUM9108.ZIP or TXT
Re: Hard disk locking ? (PC)
Can virus infect PC data diskettes? (PC)
Re: Problem cleaning "LIBERTY" virus? (PC)
Re: Scan (PC)
Re: help identifying virus on PC (PC)
Re: Hard disk locking ? (PC)
Questions regarding Novell, Virus..
Bad hit on KENNEDY/12 Tricks Trojan?? (PC)
VIRx on a 3COM network (PC)
re: Partition Table Virus (PC)
Review of DISKSECURE (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 21 Aug 91 15:12:13 -0600
>From: Diskmuncher
Subject: RE: where is VSUM9108.ZIP or TXT

>From: al161926@mtecv2.mty.itesm.mx (JESUS BARRERA RAMOS)
>I've been lookin' for VSUM9108.zip or .txt by Patricia M. Hoffman 'n I've
>not found it...could somebody tell me where I can get a copy of that
>document?...I'd thank ya a lot

You won't find it...at least not under the old name. Look for VSUMX9107.ZIP on risc.ua.edu in the pub/ibm-antivirus directory. Included below is some information from one of the read-me files in the new package.
============================================================================
HyperText VSUM X9107 READ_ME.1ST

With the June, 1991 release, the Virus Information Summary List has been converted from its original ASCII list format into a custom, hypertext database format. With the new format, the product name has been changed to HyperText VSUM. The previous ASCII list product has been discontinued, and will no longer be updated.

Why the change to a hypertext database? The original ASCII format had become extremely large and unwieldy; it was difficult for most people to use effectively. Printing also had become a problem unless one had a very high speed laser printer. More importantly, the information presented in the ASCII version was never really intended to be read sequentially as a book, but instead to be a reference book or encyclopedia.
=============================================================================

>...oh!...by the way...I've also been
>lookin' for a program that converts executable code to source code. I know
>there're programs to do that but I've not found one...If somebody has
>one...please send me a copy (if it's shareware) or tell me where I can
>get one...thank ya in advance...bye.

There are lots of these in the mirrors/msdos/disasm directory at wuarchive.wustl.edu (PD1: on SIMTEL-20). My favorite(s) are

ASMGEN3.ZIP
MD86.ZIP
DIS86.ZIP

Note: these are disassemblers, so you must know/understand Assembly Language. To my knowledge, there are no reliable programs to reverse engineer programs back to their original high-level source code (C, Pascal).

John-David Childs
Consultant, University of Montana
con_jdc@lewis.umt.edu

------------------------------

Date: Thu, 22 Aug 91 12:29:00 +1200
>From: "Mark Aitchison"
Subject: Re: Hard disk locking ? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> It depends on what exactly you mean by "cannot".
> A really skilled penetrator won't be stopped by a software solution,
> no matter how sophisticated. True, you may even encrypt the whole disk
> with a cryptographically strong algorithm (and of course not store the
> password on the disk). This will prevent him only from -reading- the
> disk, not from writing on it.
>
> My opinion is that such programs are not a very good idea. As I already
> said, all of them can be bypassed, if enough effort is applied.

You can't have a 100% secure system; it is always a trade-off between security and what you can afford - in time/inconvenience/money/spare slots/RAM/etc. Just like fire-walls for protection, you assume that after some time they will give up or you will return and see them. Think of hardware protection systems in a computer - you could lift the lid and unplug the card, or whatever. If you put a padlock on it, a determined hacker will bring cutters! If you encrypt the data, it is a matter of time before any code can be broken. But, of course, you can feel happy if it takes, on average, over 20 years on the fastest computer to crack the code, or if, to cut the padlock, the person has to think of bringing bolt cutters in advance, and must sneak them past everyone in the office, etc.

To stop careless use of a computer, software is often enough. To stop a virus from infecting a hard disk, a simple switch in the disk cable, accessible by anyone, isn't a security risk; it is perfectly good for the job. Not that either method is totally safe against every eventuality, but good enough under the circumstances.

> Also, they sometimes are in conflict with programs like Disk Manager,
> that use the unused space of the first disk track...
>
>Such programs need not use the unused space on the first track, the MBR is
>plenty big enough for password protection.
By the way, a copy of a lock program (not the PC-Lock others have mentioned) is available via anonymous ftp from newton.canterbury.ac.nz [132.181.40.1] in the directory /pub/antivirus. It is a FREEWARE demo: you may use it for free, but not sell it, and should use it with care (caveat emptor and all that). To use the program type in LOCK/? and it will explain the rest. Please send comments back to me, and I'll pass them on to the author.

NOTE that the newton computer is small and slow; it would be nice if some other ftp site made the program available.

Mark Aitchison, Physics, University of Canterbury, New Zealand.

------------------------------

Date: 22 Aug 91 03:54:06 +0000
>From: masticol@athos.rutgers.edu (Steve Masticola)
Subject: Can virus infect PC data diskettes? (PC)

A friend (who works on a network which was hit recently by the STONED virus) asked me to post the following questions.

1. Can a virus infect data diskettes and propagate from them (possibly by rewriting the boot track)?

2. Can viruses infect data files (not executables) downloaded from BBSes?

Also, if someone has a pointer to an archive with info about PC viruses (in plain text), or good magazine articles, I'd appreciate knowing that, too.

Thanks,
- Steve Masticola (masticol@cs.rutgers.edu).

------------------------------

Date: Thu, 22 Aug 91 03:53:42 +0000
>From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Problem cleaning "LIBERTY" virus? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

[some of message deleted]

>CLEAN is not able to disinfect most of the viruses that SCAN detects.

CLEAN-UP removes over 90% of reported viruses (i.e., viruses that are in the "public").

>It just destroys the infected files.

If CLEAN-UP comes across a virus that it can not successfully remove, then it prompts the user whether it should overwrite and delete the file.

>It is written in the documentation,
>please read it.
>There is also a list of the viruses that CLEAN -is- able
>to disinfect successfully. They are not very many - in fact only the most
>often encountered viruses can be removed. McAfee's opinion is that it is
>safer to replace the infected files from non-infected backups or from the
>original diskettes. I agree with him - very often it is impossible to
>restore an infected file -exactly- in its previous state.

[rest of message deleted]

Given the nature of the problem with the virus, I am more inclined to believe that the problem is a result of a variant of the virus. However, given the fact that no infected executables are available, we (McAfee Associates) will have to wait until another infection of a similar nature is reported.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support
--
McAfee Associates        | Voice (408) 988-3832 | mcafee@netcom.com (business)
4423 Cheeney Street      | FAX   (408) 970-9727 | aryehg@darkside.com (personal)
Santa Clara, California  | BBS   (408) 988-4004 |
95054-0253 USA           | v.32  (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST   (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date: Thu, 22 Aug 91 04:05:11 +0000
>From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Scan (PC)

BL163193@TECMTYVM.BITNET (Jesus Miguel Garcia) writes:

>What's the new Scan antivirus of McAfee? I heard about version 83....

The current version of VIRUSCAN is V80. The next release is scheduled for the last week of August. Or, to be more accurate, it is scheduled for no sooner than the last week of August.

Aryeh Goretsky
McAfee Associates Technical Support

>Thanks for help...
>
>Miguel Garcia Rdz.
>Monterrey, N.L.
>Mexico
--
McAfee Associates        | Voice (408) 988-3832 | mcafee@netcom.com (business)
4423 Cheeney Street      | FAX   (408) 970-9727 | aryehg@darkside.com (personal)
Santa Clara, California  | BBS   (408) 988-4004 |
95054-0253 USA           | v.32  (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST   (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date: Thu, 22 Aug 91 09:55:17 +0300
>From: Tapio Keihänen
Subject: Re: help identifying virus on PC (PC)

>it for us. It manifests itself rather blatantly by displaying a
>colour graphic on the screen of what looks like the pictorial
>representation of the Mandelbrot set of Fractal geometry fame. (if
>that rings a bell with anyone). There is also some text on the top
>left hand corner "Execute: mov ax feb0, interrupt 21 any key to
>continue!". The hex address there may not be 100% accurate. Anyway, we
>would appreciate any help. Thanks.

The virus is the Tequila virus. It originated in Switzerland and its authors are known (brothers, aged 18 and 21). When an infected file is executed for the first time, it checks whether the hard disk's partition table is already infected. If the virus notices that there's no copy of it in the partition table, it will infect it. The next time you boot your computer from the infected hard disk, the virus will begin to infect files. It uses variable encryption on files, but in the partition table it is in decrypted form. The virus infects only .EXE files, and they grow by 2468 bytes. Depending on the date and how many times infected files have been executed, the virus will display that Mandelbrot picture. If one executes the program the virus suggests executing, a text about L.I.N.D.A. and beer will be displayed.

Tapio
--
Tapio Keihänen | tapio@nic.funet.fi | DIO COMES - ARE YOU READY TO ROCK?
Disclaimer: This posting has nothing to do with nic.funet.fi archive server.
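The classic defence against an appending .EXE infector like the one Tapio describes is a file-integrity baseline: record each executable's size and hash while the system is known clean, then compare later. The following script is an added example for this digest, not code from Tapio's post or from any product mentioned in it; it flags growth equal to the 2468-byte increase the post gives for Tequila-infected .EXE files. The "disk" it scans is a constructed in-memory mapping of file names to bytes so that it runs offline; on a real machine the bytes would be read from the files themselves.

```python
"""Integrity-baseline example added to this digest (not from the original post).
Records (size, SHA-256) for every DOS .EXE, then reports files that changed and
flags a size increase of exactly 2468 bytes, the growth the post reports for
Tequila-infected .EXE files. All file contents below are constructed."""
import hashlib

TEQUILA_GROWTH = 2468  # .EXE size increase reported in the post


def is_dos_exe(name: str, data: bytes) -> bool:
    """Only .EXE files carry the MZ header; the post says Tequila infects .EXE only."""
    return name.upper().endswith(".EXE") and data[:2] in (b"MZ", b"ZM")


def baseline(files: dict) -> dict:
    """Map each DOS .EXE name to its (size, SHA-256 hex digest) on a clean system."""
    return {
        name: (len(data), hashlib.sha256(data).hexdigest())
        for name, data in files.items()
        if is_dos_exe(name, data)
    }


def compare(base: dict, files: dict) -> list:
    """Return (name, verdict, growth) for every baselined file that is no longer
    identical. verdict: 'grew-tequila-size', 'grew', 'changed' or 'missing'."""
    findings = []
    for name, (size, digest) in base.items():
        if name not in files:
            findings.append((name, "missing", 0))
            continue
        data = files[name]
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # unchanged: same content, so same size
        growth = len(data) - size
        if growth == TEQUILA_GROWTH:
            verdict = "grew-tequila-size"
        elif growth > 0:
            verdict = "grew"
        else:
            verdict = "changed"
        findings.append((name, verdict, growth))
    return findings


def report(findings: list) -> list:
    """One human-readable line per finding."""
    return [f"{name}: {verdict} ({growth:+d} bytes)" for name, verdict, growth in findings]


# Constructed sample "disk": a clean snapshot, then a later one in which
# EDIT.EXE has 2468 placeholder bytes appended and GAMES.EXE was altered in place.
CLEAN = {
    "EDIT.EXE": b"MZ" + bytes(600),
    "GAMES.EXE": b"MZ" + bytes(1200),
    "NOTES.TXT": b"plain text, never baselined",
}
LATER = dict(CLEAN)
LATER["EDIT.EXE"] = CLEAN["EDIT.EXE"] + b"\x90" * TEQUILA_GROWTH  # constructed padding, not virus code
LATER["GAMES.EXE"] = b"MZ" + bytes(1199) + b"\x01"                # same size, different content

if __name__ == "__main__":
    for line in report(compare(baseline(CLEAN), LATER)):
        print(line)
```

The hash comparison catches the in-place change to GAMES.EXE that a size-only check would miss, while the growth figure singles out the file whose increase matches the reported Tequila size; a baseline is only trustworthy if it was taken, and is stored, where an infected system cannot rewrite it.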
------------------------------

Date: Wed, 21 Aug 91 23:31:53 +0000
>From: edc115s@monu6.cc.monash.edu.au (skiman)
Subject: Re: Hard disk locking ? (PC)

>frisk@rhi.hi.is (Fridrik Skulason) writes:
> One person here at the University of Iceland had the misfortune of
> having his hard disk trashed by the Spanish Telecom virus recently.
> It was possible to trace the source of the infection, but now he wants
> some method to prevent anyone from working on his machine while he is
> away - for example by asking for a password on boot-up.
>
> Hardware solutions...

How about a Bernoulli Box, or some other form of removable hard disk? I know it's an expensive (and drastic?) solution, but if the data is important ...
--
Fraser Bryden
edc115s@monu6.cc.monash.edu.au
"I seem to be having this tremendous problem with my lifestyle!"
Arthur Dent: Hitch Hiker's Guide to the Galaxy

------------------------------

Date: Thu, 22 Aug 91 13:05:24 -0400
>From: Ed Maioriello
Subject: Questions regarding Novell, Virus..

We have found that the best way of dealing with Macintosh viruses on a Novell network is to limit the write privileges of lab users on the server, and to use the Disinfectant Init along with periodic Disinfectant scans. Giving the user minimal write privileges will help restrict where a virus might take hold on the Server. This also prevents users from changing the server configuration. I also recommend revoking write privileges to the Desktop file as well.

I have not found Mac viruses that infect DOS or Netware files, so the worst case scenario is substantially reduced. And while Mac viruses seem to be more common, they are usually less virulent than DOS viruses. Disinfectant from Northwestern U. has proven to be by far the most effective virus eradication program.

In summary, rather than trying to erect huge anti-virus barriers, which are generally less than completely effective and tend to give a false sense of security, we remove the virus if and when it appears.
In nine months of supervising public Netware Macintosh Labs I have often removed a virus from a user's disk, but never found one on a server.

I hope this helps.

Ed Maioriello                             Bitnet: EMAIORIE @ UGA
University Computing & Networking Servs.  Internet: emaiorie@uga.cc.uga.edu
University of Georgia
Athens, Ga. 30602
(404)-542-5162

Where are the Snowdens of yesteryear?

------------------------------

Date: Thu, 22 Aug 91 16:24:59 +0000
>From: comb@sol.acs.unt.edu (Eric N. Lipscomb)
Subject: Bad hit on KENNEDY/12 Tricks Trojan?? (PC)

OK. Here's a good one. . .

For whatever reason, one of our Business Profs decided to scan the copy of VIRUCIDE on his hard disk, and lo and behold, SCAN 5.3C67 finds Kennedy and 12 Tricks Trojan in VIRUCIDE.EXE. VIRUCIDE, scanning itself, finds nothing. SCAN also tells us that the file is compressed with LZEXE and is infected internally. Hmmmm.

Next step, we run SCAN 6.3V72 on VIRUCIDE.EXE, and the Kennedy virus reveals itself again, but not the 12 Tricks Trojan. Hmmm.

Next step, run the latest release of SCAN. Bingo, it finds Kennedy. All versions of SCAN that we throw at it find Kennedy and tell us that the file is LZEXE compressed.

Now, a bit of info about VIRUCIDE: the file is 40209 bytes long, dated 5-8-90. It appears to the user to be functioning properly, and even though SCAN says it's infected, nothing *apparently* happens to the system as a result. However, one of our techies is looking at the execution of the program, and has found that as VIRUCIDE scans a file, it also attempts to perform a write to side 0 track 0 sector 6, thus far unsuccessfully. One of the strings it attempted to write was "Disk Killer". Hmmmmm.

F-PROT being my anti-virus package of choice, I threw VIRUCIDE at the mercy of that. F-FCHK didn't find anything in VIRUCIDE.EXE, nor did it give any indication that the file was compressed in any way. Next, I installed F-DRIVER.SYS (with all necessary files, etc.) and *ran* VIRUCIDE.EXE, and F-DRIVER let it through.
Hmmmm.

Now, except for the suspicious attempts to write to the boot sector, it seems to me that McAfee SCAN is giving a false positive on the Kennedy virus in VIRUCIDE. VIRUCIDE (another, later version that scanned clean by everything we threw at it) and F-PROT don't identify anything. And an old version of SCAN identified the 12 Tricks Trojan. Unfortunately, I don't have any other disk scanners lying around that I can check it against. But our techies are looking a little more closely into this suspicious disk write behaviour exhibited by the suspect VIRUCIDE.

Any thoughts/ideas from the list at large, specifically the McAfee crew (since both SCAN and VIRUCIDE came from McAfee)? This is certainly something that our University will take into serious consideration as talks finalize on which product to go with as a campus standard.

Thanks for your time!

}lips
--
Eric N. Lipscomb, Lab/Network Manager   "Golf is something you do to make
Academic Computing Services              the rest of your life look good."
Email: comb@sol.acs.unt.edu
       lips@vaxb.acs.unt.edu

------------------------------

Date: Thu, 22 Aug 91 11:22:49
>From: c-rossgr@ingate.microsoft.COM
Subject: VIRx on a 3COM network (PC)

>From: acrosby@uafhp.uark.edu (Albert Crosby,AG ENG 210,4452,5014447866)
>
>I just tried using the VIRx scanning program on network volumes attached
>via 3Com 3+Open. The scanner reported "Bad status reading partition table"
>and stopped for a key press. The program then presented a message that it
>was "Scanning: \\              \DOSAPPS\" and paused.
>                 ^^^^^^^^^^^^^^ <= this space was filled with high order garbage characters.

Yeah, that's a problem we found out about immediately after the last release. It'll be fixed up in the next release of the code (actually, the release *after* the next release).
It stems from some weird interactions we noted on Novell networks, doing a workaround to solve that problem and then discovering that 3COM does stuff just differently enough to cause the high order garbage you found. Mea culpa: I only have a small Novell network here, and should have checked with a 3COM dude.

Please give a call to Microcom at 919-490-1277 and report this bug? See, they then collect the bugs, stick them on a sheet of paper, and then badger me mercilessly until that sheet of paper is nothing but cross outs.

Sorry for the hassle.

Ross
Author, VIRx

------------------------------

Date: Thu, 22 Aug 91 10:15:40 -0400
>From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: re: Partition Table Virus (PC)

Ms. (safe) Burke-Davis:

I have never found it necessary to do a low level format of a drive (including IDE); however, I have done it occasionally when there has not been any information on the disk needing saving (all data is lost after a LLF). However, there is another method that a skilled technician can use.

First, cold boot from a write-protected floppy disk containing DEBUG and CHKDSK. Run CHKDSK (or SCAN /M) to determine if the virus is in memory - if so the memory will show a loss of 1k from the TOM (640k machines normally return 655360 bytes; 654336 or less is a danger sign unless something else is going on. I do not know how your PC is configured so must be vague).

If clean, my notes show that the virus moves the real Master Boot Record (partition table) to track 0 head 0 sector 7. To disinfect, just verify that track 0 head 0 sector 7 contains the MBR (look for the ASCII warning messages near the end) and copy it to track 0 head 0 sector 1. This will disconnect the virus code in sector 6 from the initialization sequence. (To be really safe, zero out sector six.) The PC should now be safe to use.

This is a "stealth" virus, so before disinfecting you must make sure that the virus is not resident in memory.
Also, the TELEPHONICA infects executable files, so you must make sure that they are all cleaned before execution or it will re-infect the PC.

Just be careful, but a low-level format is unnecessary for a professional.

Hope this helps,

Padgett

------------------------------

Date: Tue, 20 Aug 91 12:17:00 -0700
>From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Review of DISKSECURE (PC)

After a brief (ack ... two months!?!) hiatus, another review. Pursuant to the recent discussions regarding hard disk locking, that's basically what DISKSECURE does. And I'm *still* waiting for some smart company to make a hard disk with a write protect switch ...

PCDSKSEC.RVW 910816

Comparison Review

Company and product:

A. Padgett Peterson
POB 1203
Windermere, FLA, 34786, USA
(407)352-6007 eves Florida time
(407)648-0733 fax
DISKSECURE v .95

Summary: Low level hard disk protection to prevent access, by virus or otherwise, to hard disk.

Cost not yet released as shareware

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation          3
            Ease of use           3
            Help systems          3
      Compatibility               2
      Company
            Stability             2
            Support               3
      Documentation               2
      Hardware required           3
      Performance                 3
      Availability
      Local Support

General Description:

DISKSEC.EXE replaces the partition table of the hard disk with code which performs load time checking and prevents access to the hard disk if booted from floppy, and offers software write protection to the system areas of the disk. CHKSEC.EXE verifies DISKSEC operation, and FLOPSEC.EXE creates a bootable floppy for maintenance purposes.

                 Comparison of features and specifications

User Friendliness

Installation

Default installation is simple and can be accomplished through a supplied batch file (DSINSTAL.BAT). A "quick start" reference is provided along with the regular documentation. For protection of the hard disk only DISKSEC is required to be run, although this limits the possibilities for recovery.

Novice users may not be sufficiently aware of the dangers inherent in this process.
The program is replacing the partition table of the hard disk, and, if it fails, all information which the computer requires to access the disk and information will be lost, even if the information is not, physically, erased. Although the possibility of this is very small, a backup of the partition boot record prior to installation would be a good idea.

Ease of use

Operation of the programs is simple. DISKSEC provides ample prompting and opportunity for the user to stop at any point. CHKSEC and DSRPART are quite terse in the feedback that they provide to the user, but operate easily and well.

Help systems

None provided. DISKSEC is well prompted and the other programs have no options.

Compatibility

Company Stability

Padgett is an unstable personality, and should be avoided when driving "The Judge."

Company Support

Padgett is well known as a contributor to VIRUS-L/comp.virus.

Documentation

The documentation is quite clear to anyone familiar with MS-DOS operations. Occasionally certain points may not be clear to novice users (for example, the fact that "removal" of DISKSECURE is done via the DSRPART program.) The spelling could use some work.

Hardware Requirements

None specified, but a hard disk and at least one floppy disk (which can be used to boot from) would appear to be minimum requirements.

Performance

In testing, DISKSECURE detected the presence of the BRAIN virus and prevented infection.

DISKSECURE detected the presence of the Stoned virus. Infection of the hard disk occurred and the disk was not accessible thereafter, even after booting from a clean floppy. Running DSRPART.COM removed the infection. (NB - access to the hard disk is restored only after rebooting once DSRPART.COM has been run.)

Creation of a "maintenance" diskette with FLOPSEC appears to render the diskette unusable for other purposes. Diskettes with important files on them should not be used, and nothing should be written to them thereafter.
It appears that the program indulges in some "stealth" technology of its own: the partition boot record appears unchanged after installation.

Local Support

None provided.

Support Requirements

DISKSECURE is simple enough for a novice user to run, and should provide significant protection with minimal risk. Recovery is quick and easy, as long as the user remembers the importance of DSRPART.COM. Intermediate users should note the difficulties in running system optimizing software.

copyright Robert M. Slade, 1991   PCDSKSEC.RVW 910816

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca | computer, don't
Research into  (SUZY) INtegrity         | turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 146]
******************************************
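Returning to Padgett's partition-table disinfection earlier in this digest: before copying the relocated Master Boot Record back over sector 1, a technician wants two things confirmed, that the virus is not resident (the top-of-memory figure) and that the candidate sector really is an MBR (the 0x55AA signature, a sane partition table and the ASCII warning messages near the end). The script below is an added example, not code from Padgett's post or from DISKSECURE; the warning strings are those of the stock DOS MBR loader and are assumed here to be the messages Padgett refers to, and every sector it examines is constructed in memory, nothing is read from a real disk.

```python
"""Added example (not from the VIRUS-L post): checks behind the manual MBR
disinfection described in the digest. Top-of-memory test: a clean 640k machine
reports 655360 bytes and a 1k loss (654336) is the danger sign. Sector test:
does a 512-byte sector look like a genuine Master Boot Record? All sectors
below are constructed; the DOS warning strings are an assumption."""
import struct

NORMAL_TOM = 655360           # bytes a clean 640k machine returns, per the post
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
MBR_MESSAGES = (              # assumed to be the "ASCII warning messages near the end"
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def memory_loss_kb(reported_bytes: int) -> int:
    """Kilobytes missing below the top of memory; 0 on a clean 640k machine."""
    return max(0, (NORMAL_TOM - reported_bytes) // 1024)


def partition_entries(sector: bytes) -> list:
    """(boot_flag, type, lba_start, sector_count) for each of the four entries."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        boot, ptype = sector[off], sector[off + 4]
        start, count = struct.unpack_from("<II", sector, off + 8)
        entries.append((boot, ptype, start, count))
    return entries


def looks_like_mbr(sector: bytes) -> dict:
    """Individual checks plus an overall 'ok'. A sector that fails should not be
    copied back over track 0 head 0 sector 1."""
    checks = {"size_512": len(sector) == 512}
    if not checks["size_512"]:
        checks["ok"] = False
        return checks
    entries = partition_entries(sector)
    used = [e for e in entries if e[1] != 0]
    checks["boot_signature"] = sector[510:] == BOOT_SIGNATURE
    checks["boot_flags_valid"] = all(e[0] in (0x00, 0x80) for e in entries)
    checks["one_active_partition"] = sum(e[0] == 0x80 for e in entries) == 1
    checks["has_partition"] = bool(used) and all(e[3] > 0 for e in used)
    checks["has_warning_messages"] = any(m in sector for m in MBR_MESSAGES)
    checks["ok"] = all(checks.values())
    return checks


def build_sector(with_messages: bool) -> bytes:
    """Constructed 512-byte sector: filler code, optional DOS warning strings,
    one active FAT16 (type 0x06) partition starting at LBA 63, 0x55AA at the end."""
    code = bytearray(PART_TABLE_OFFSET)
    code[:8] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # constructed code-like prefix
    if with_messages:
        msgs = b"\x00".join(MBR_MESSAGES) + b"\x00"
        code[len(code) - len(msgs):] = msgs
    entry = bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0x3F, 0x20]) + struct.pack("<II", 63, 20000)
    return bytes(code) + entry + bytes(48) + BOOT_SIGNATURE


# Constructed stand-ins: what the relocated real MBR (sector 7 in the post)
# should look like, and a loader-style sector that keeps a valid table and
# signature but carries none of the warning text.
REAL_MBR = build_sector(with_messages=True)
LOADER_ONLY = build_sector(with_messages=False)

if __name__ == "__main__":
    print("TOM loss with 654336 reported:", memory_loss_kb(654336), "k")
    for label, sec in (("sector 7 candidate", REAL_MBR), ("sector 1 contents", LOADER_ONLY)):
        print(label, looks_like_mbr(sec))
```

The partition-table checks alone do not distinguish the two constructed sectors, since a bootable loader must keep the table and signature intact; it is the presence of the warning text that separates the relocated original from a bare loader, which is exactly why Padgett tells the reader to look for those messages before copying.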