VIRUS-L Digest   Monday, 28 Jan 1991    Volume 4 : Issue 15

Today's Topics:

Re: Text in MLTI virus (PC)
Re: Mac virii & System 7.0 (Mac)
Public domain virus information for archives?
Re: Norton Antivirus (PC)
Re: Norton Antivirus (PC)
Stoned in partition table (PC)
Virus Query (Mac)
Re: (No) Viruses in Irak's EXOCET?
Re: New virus 1586? (PC)
CARMEL Turbo Anti-Virus Set
Problem with F-Prot 1.14 (PC)
Processor-specific viruses and other subjects (PC)
Stoned, disk size and drive preference (PC)
This is getting insane...

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    Thu, 24 Jan 91 13:09:49 -0600
From:    "McMahon,Brian D"
Subject: Re: Text in MLTI virus (PC)

(I haven't posted here for a long while -- things have been very busy.)

frisk@rhi.hi.is (Fridrik Skulason) wrote:
>The MLTI virus contains this text - clearly a reference to the "Eddie"
>virus, but what does "RED DIAVOLYATA" mean ?  (I want to emphasize
>that "Dark Avenger" is the name of the author of the "Eddie" virus -
>not the name of the virus itself.)
>
>       Eddie die somewhere in time!
>       This programm was written in the city of Prostokwashino
>       (C) 1990 RED DIAVOLYATA
>       Hello! MLTI!

Paul Coen responded:
>Well, I can't help you with the RED DIAVOLYATA, aside from the rather
>obvious point that it seems to be the "name" of the author.

Let's hope not.  :-)  DIAVOLYATA I think is related to English
"diabolical", referring to the Devil.  There are several interesting
things about this signature.

o  "Diavolyata" does not translate directly to "Devil" in any of the
   Russian, Polish, Czech, Bulgarian, and Serbo-Croatian dictionaries in
   our library.  The Russian would be "d'yavol."  Transliterating from
   Cyrillic to Latin script gets interesting, but "diavol" is a
   plausible rendition.  (I could go on, but it's outside of the list's
   topic.  Check the archives of RUSTEX-L on the UBVM LISTSERVer.)  One
   wild and unsupported guess: DIAVOLYATA could be a contraction of
   "diavol" and "rebyata" (colloquially, "kids") for something like
   "devil-kids."  Just a WAG (Wild-Assed Guess), though.

o  The city of Prostokwashino does not appear in either the Bol'shaya
   Sovetskaya or the Brockhaus (generally good for Eastern Europe).
   "Prostokvasha" is Russian for "curdled milk."

o  MLTI is an abbreviation for "Moskov'skij Lesotekhnicheskij
   Institut," the Moscow Forest Engineering Institute.

It's been several years since my last Russian class -- make of this
what you will, but at your own risk...

Brian McMahon                      | VAX Kludgemeister, Macintosh Medic,
Grinnell College Computer Services | Human Help Key, support for sundry
Grinnell, Iowa 50112 USA           | stats packages, and rookie DECUS
Voice: +1 515 269 4901             | Symposia Editor.  Please allow two
Fax:   +1 515 269 4936             | to four weeks for miracles.
------------------------------

Date:    24 Jan 91 20:51:09 +0000
From:    phaedrus@milton.u.washington.edu (Mark Phaedrus)
Subject: Re: Mac virii & System 7.0 (Mac)

st871184@pip.cc.brandeis.edu writes:
>     I hope this hasn't been discussed already, but I'm curious about
>the net world's thoughts about what will happen to all the viruses (Virii)
>we know and hate when system 7.0 comes out (in the first quarter of 1991?)

Based on my limited Mac programming experience, I sincerely doubt that
there will be much change.  System 7 is not going to magically change
all the rules of Mac programming; it adds new features on top of the
existing ones.  If this weren't true, no System 6 programs would work
with System 7.  Therefore, I would speculate that the existing crop of
viruses will do just fine, since they mostly use the same sorts of file
system calls that applications do.  WDEF and the other "stealth"
viruses might run into trouble, if they use any undocumented file
system features to get around virus detection programs.  Those viruses
might stop propagating, or might crash the machine.  But more
conventional viruses (Scores, etc.) should work under Sys 7.

--
Internet: phaedrus@u.washington.edu  (University of Washington, Seattle)
The views expressed here are not those of this station or its management.
"If you can keep your head while those about you are losing theirs,
consider an exciting career as a guillotine operator!"

------------------------------

Date:    Fri, 25 Jan 91 08:45:47 -0500
From:    the element of laughter
Subject: Public domain virus information for archives?

hello all.

last month, as i was sitting here paging through one of the digests, i
read a post by someone requesting help for removal of some virus from
the pcs in the lab that he was a consultant for.  that post (and the
numerous others that appear with that same theme: "please help me
remove from my pc/friend's pc/pc lab") prompted me to write to Ken and
ask him what he thought about creating a set of "virus man pages" that
would be stored in the archives and made available to everyone so that
requests for help could be referred to there instead of endlessly
repeating the procedure to the list again and again.  he mentioned to
me the list that is maintained by patricia hoffman which is not public
domain and how he would *love* to have something like that made
available to the network at large.  i agreed.

however, i am not a virus expert, nor am i a computer guru.  (merely a
well-learned user ;)  ergo, i cannot compose this data myself.  but, i
am more than willing to try and coordinate an effort to make this
service available to the net.

the way i envision this project is asking people to volunteer to write
about a specific virus the necessary information regarding its
characteristics, its effects, its means of propagation, its removal,
etc.  this method will require that some kind of template be drafted
so that there is some semblance of order to the descriptions.  it will
also require that there be some kind of panel or group of experts who
"okay" each file before it is added to the archives.

again, that is how i think would be the best way to tackle this
project, should any of you feel that this would be worthwhile (i know
kenneth and i feel that way).  please feel free to comment on that
suggestion or make your own, as i'd rather discuss this matter first
before plunging headlong into it.  there are a number of other
concerns ken and i discussed, but until i am sure that there is some
support for this idea, i will hold off on them.  if there is interest,
i'll probably just post the correspondence that we had for everyone's
perusal (you don't mind, do you, ken?) and we can go from there.
--
rob woiccak
rewoicc@erenj.bitnet

------------------------------

Date:    Fri, 25 Jan 91 16:51:53 +0000
From:    DEL2@phoenix.cambridge.ac.uk
Subject: Re: Norton Antivirus (PC)

Santo Nucifora asked about Norton Antivirus.  I haven't used it, but it
got a slashing review in PC Business World last week: for making unfair
claims about its abilities (it claims "Norton Antivirus is the most
complete and comprehensive virus protection utility for the IBM PC and
its compatibles", yet only 141 signatures are loaded into memory, in a
device driver misleadingly called a Terminate Stay Resident program);
for being out of date (despite promised monthly upgrades, nothing had
arrived yet); for being comparatively expensive (compared e.g. with
Frisk's F-Prot!!); for using some rather poor techniques; and (not
least) for not being written by Peter Norton.

Quotes from the review:

   ...Using [our set of viruses]... we obtained the following results:
   percentage of files in which viral activity was detected -- 80%.
   Percentage of infections correctly identified -- 56%.

   ...it detects Casper, V2P2, and 1260 using the same identity

   ...all Symantec's virus definitions come from the US [so double
   checks with other programs will give different results because of
   differing nomenclature]

Overall assessment:
   Pro: nice user interface; both 5.25-inch and 3.5-inch write-disabled
        disks supplied as standard.
   Con: misleading documentation; immature product; not enough virus
        recognition patterns.

Hope this is useful.

Regards to all, Douglas de Lacey.

------------------------------

Date:    Fri, 25 Jan 91 14:07:21 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Re: Norton Antivirus (PC)

SANTO@SENECA.BITNET writes:
> I was wondering if anybody has seen or used the Norton Antivirus?  Is
> it any good?  What techniques are used to detect and remove viruses?
> What type of preventative measures are used?

I have spoken with the people from Symantec, and they have said they
will be shipping me a copy right away.  Mind you, they said that over a
week and a half ago, so you can draw your own conclusions about their
customer service for starters.  :-)

An interesting piece of trivia: apparently they were already working on
SAM-PC (Symantec Antivirus for MS-DOS) when they bought Norton, so the
package is really a combined project.

> North York, Ontario (Do I have to include Canada or is Ontario well known?)

You're willing to admit that Ontario is *within* Canada?  :-)

------------------------------

Date:    Fri, 25 Jan 91 14:00:01 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Stoned in partition table (PC)

brinkley@cs.utexas.edu (Paul Brinkley) writes:
> the disk, and Stoned is still there.  Someone at the lab suggested

Did you boot from a clean system disk before you started all this
effort?  Stoned is resident in memory, and will, of course, re-infect
your disk as soon as you have prepared it if you do not boot from a
clean source first.  I apologize if you *have* done this, but we are
seeing repeated reports of this kind.  FPROT deals very effectively
with the Stoned variants that I have seen, and low level formats,
re-partitioning and so forth are unnecessary extremes to go to.

------------------------------

Date:    Fri, 25 Jan 91 15:14:47 -0500
From:    motto!murray@lsuc (Murray S. Kucherawy)
Subject: Virus Query (Mac)

Has anyone heard of the MURPHY virus for the Mac?  Rumor has it that
it's out there, and it has already hit several sites in this area.

=============================== Murray S. Kucherawy ==========================
Motorola Canada, Ltd.                   University of Waterloo, Ontario, Canada
Communications Division, Toronto        2B Math/Computer Science
[on work term]
Internet: murray@motto.UUCP (work)      mskucherawy@watmath.UWaterloo.ca (UW)
UUCP:     uunet!utai!lsuc!motto!murray  uunet!watmath!mskucherawy

------------------------------

Date:    25 Jan 91 06:01:18 +0000
From:    ropg@ooc.uva.nl (Rop Gonggrijp)
Subject: Re: (No) Viruses in Irak's EXOCET?

The argument that is missing in the discussion so far is the motive for
the French to include a virus, other than the fact that they might one
day be fighting their own weapon systems.  How about this scenario:

   France takes a more and more active part in the battle and sends
   ships to attack the Kuwaiti shores.

   Irak launches one single Exocet and kills 40 French sailors.

   French public opinion demands that the arms exports stop
   immediately, thus killing the French arms industry.

Far from any military interests, I think the industry itself would
protect itself from this worst case (best case... ;-) scenario even if
the generals did not ask for it.  If they did not put a virus in they
are stupid...

--
Rop Gonggrijp (ropg@ooc.uva.nl) is also editor of Hack-Tic (hack/phreak mag.)
quote: "We don't care about freedom of the mind,  | Postbus 22953  (in DUTCH)
        freedom of signature will do just fine"   | 1100 DL AMSTERDAM
Any opinions in this posting are wasted on you    | tel: +31 20 6001480

------------------------------

Date:    26 Jan 91 08:48:08 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: New virus 1586? (PC)

csas400@vax1.mankato.msus.edu writes:
> 3.  Changes file size.
>
>     filename        noVir      Vir   Difference
>     command.com     37637    39223     1586
>     simcity.exe    191845   193431     1586
>     share.exe       10301    11879     1578

From this information it is clear the length of the virus is not 1586
bytes, nor 1578, but rather 1575 bytes.  The reason is as follows.  In
almost all cases, a variable length increase means the virus first pads
the program to make the length a multiple of 16 bytes, before appending
the virus.
Assuming this is the case, we get

                 before padding   after padding   after infection   difference
   command.com        37637           37648            39223           1575
   simcity.exe       191845          191856           193431           1575
   share.exe          10301           10304            11879           1575

A side effect is that disinfectors may not be able to restore infected
files 100% - they may contain 1-15 garbage bytes at the end, after the
virus has been removed.  This will not affect the operation of the
program in any way, unless it does a check of its own integrity.

>If someone (reputable [ie. has written vir.pro. programs before]) would like
>to tackle this hobby of killing and detection of this virus I'll send you a
>copy.

Well - I would be happy to add detection/removal of this virus to my
F-PROT program - assuming it does not use any really complex
encryption, it should not take more than a couple of hours to have the
disinfector ready.  But be careful in who you send the virus to - there
are not more than 10-12 people I would send it to.

-frisk

--
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |

------------------------------

Date:    26 Jan 91 12:08:21 +0700
From:    infocenter@urz.unibas.ch
Subject: CARMEL Turbo Anti-Virus Set

Please send me any information you have about the Turbo Anti-Virus Set
from Carmel Software Engineering, distributed by

   EPG International
   Hans-Stiessberger-Strasse 3
   D-8013 Haar by Muenchen

I recently got a copy of it and it seems to be a quite good product (as
far as I can judge about it ...)

bye
....................................................................
Didi
****************************************************************************
*                   Universitas Basiliensis InfoCenter                     *
****************************************************************************

------------------------------

Date:    Fri, 25 Jan 91 20:01:44 +0700
From:    "J.C. Kohler"
Subject: Problem with F-Prot 1.14 (PC)

Hi there,

I installed the new version of F-PROT (1.14) today and I encountered a
small problem.  When I tried to do a F-XLOCK *.* in my WordPerfect
directory, there were many files which it couldn't protect.  Especially
the file WP.EXE, which is the most important one, and the one that is
the most frequently run, was not lockable.  I'm using a Dutch version
of WP 5.1; does anybody have an idea why F-XLOCK can't lock them?  It
displays an error message which contains something about an illegal
header.

Many thanks in advance

Christian
====
[J.] Christian Kohler          Keele University, United Kingdom
JANET    : csw76@uk.ac.keele.seq1
INTERNET : csw76%keele.ac.uk@nsfnet-relay.ac.uk
BITNET   : csw76%keele.ac.uk@ukacrl
UUCP     : ..!ukc!keele!csw76

------------------------------

Date:    Sat, 26 Jan 91 21:24:10 -0500
From:    "Richard Budd"
Subject: Processor-specific viruses and other subjects (PC)

frisk@rhi.hi.is (Fridrik Skulason) writes in VIRUS-L V4 #13:
>From the POLIMER comes this text - is this Polish ? And what does it
>mean ?
>
>    A le'jobb kazetta a POLIMER kazetta ! Vegye ezt !

The last sentence looks like Magyar (Hungarian).  I've had some exposure
to that language from a recent bicycle tour of Hungary, but I am not
versed in it.  I will send a copy to our Budapest office for possible
translation.

Richard Budd                  | E-Mail: IBMers     - rcbudd@rhqvm19.ibm
VM Systems Programmer         |         All Others - klub@maristb.bitnet
IBM - Sterling Forest, NY     | Phone: (914)578-3764
------------------------------------------------------------------------
Question of the Week - How would the Persian Gulf Crisis have been
handled if Jimmy Carter had still been President?
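The paragraph-padding arithmetic in Fridrik Skulason's reply on the "1586" virus above (the one that shows why three different size deltas point to a 1575-byte body) is worth working through, since the same reasoning applies to any appender that aligns the host before attaching itself. The following is an added example and not code from the digest or from F-PROT: the padding model is the one he describes, the three size pairs are the ones reported in that thread, and the host and body byte strings used at the end to show the leftover filler are constructed for the demo.

```python
# Added example: inferring an appending virus's true length from the size
# deltas it leaves, given that it pads the host to a 16-byte paragraph
# boundary before appending (the model Fridrik Skulason describes).  The
# three size pairs are the ones reported in the post; the host/body byte
# strings in the demo at the bottom are constructed, not real files.

from typing import Iterable, List, Optional, Tuple

PARAGRAPH = 16  # 8086 segment granularity; DOS appenders commonly aligned to it


def padded_length(size: int, align: int = PARAGRAPH) -> int:
    """Round size up to the next multiple of align (unchanged if already aligned)."""
    return -(-size // align) * align


def padding_bytes(size: int, align: int = PARAGRAPH) -> int:
    """Bytes of filler the virus inserts before its body: 0..align-1."""
    return padded_length(size, align) - size


def naive_deltas(pairs: Iterable[Tuple[int, int]]) -> List[int]:
    """The raw infected-minus-clean differences a user would report."""
    return [infected - clean for clean, infected in pairs]


def infer_virus_length(pairs: Iterable[Tuple[int, int]],
                       align: int = PARAGRAPH) -> Optional[int]:
    """Return the single body length that explains every (clean, infected) pair
    under the padding model, or None if the pairs are inconsistent with it."""
    lengths = {infected - padded_length(clean, align) for clean, infected in pairs}
    if len(lengths) != 1:
        return None
    (length,) = lengths
    return length if length > 0 else None


def infect(host: bytes, body: bytes, align: int = PARAGRAPH) -> bytes:
    """Model of the infection: pad host to a paragraph boundary, then append body."""
    return host + b"\x00" * padding_bytes(len(host), align) + body


def cut_body(infected: bytes, body_len: int) -> bytes:
    """What a disinfector that only knows the body length can do: cut it off.
    The 0..15 filler bytes stay behind because nothing records how many there were."""
    return infected[:-body_len]


SAMPLES = [  # (clean size, infected size) as reported for the "1586" virus
    (37637, 39223),    # COMMAND.COM
    (191845, 193431),  # SIMCITY.EXE
    (10301, 11879),    # SHARE.EXE
]

if __name__ == "__main__":
    print("reported deltas:", naive_deltas(SAMPLES))             # [1586, 1586, 1578]
    print("inferred body length:", infer_virus_length(SAMPLES))  # 1575
    for clean, infected in SAMPLES:
        print(f"  {clean:>7} -> {infected:>7}: "
              f"{padding_bytes(clean):>2} filler bytes left after removal")
    host = b"\x90" * 1029   # constructed host, 11 bytes short of a paragraph
    body = b"\xcd\x21" * 5  # constructed 10-byte "virus body"
    restored = cut_body(infect(host, body), len(body))
    print("restored == host:", restored == host,
          "| extra bytes:", len(restored) - len(host))
```

The point of `infer_virus_length` returning None on disagreement is that the padding model is an assumption: if the deltas cannot all be explained by one body length plus 0..15 bytes of alignment, the sample is either a different virus, a prepender, or something that stores extra data per host, and the analyst should look rather than average the numbers.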
------------------------------

Date:    Sun, 27 Jan 91 17:56:46 -0800
From:    Robert Slade
Subject: Stoned, disk size and drive preference (PC)

The following exchange ported from the SUZY Information System:

== E-Mail > Fetch > Sinclair, Wayne ===========================================
= Subject: Stoned signature

I have had problems with the Stoned virus in the past, at least I hope
it's past, but one thing puzzles me!  I cleaned the whole of my system
including all of my 3.5 and 5.25 floppies (100's of them) and found
many of my 5.25s to be infected, but not one 3.5 disk out of a 100 or
so.  I did get reports back from F-Prot that there may be something
unidentifiable on the boot sector and I attributed that to the strange
formatting that PC Tools 6.0 puts on the disk.  Are some versions of
the Stoned virus not capable of infecting drive B: or was I just
outright lucky?  Since I did the complete system clean up a few months
ago I have had no problems.  I run F-Prot's sys file to keep guard all
the time; it saved me in the past 4 or 5 times.

Also what triggers the Stoned virus into action, a key combination,
timers, a certain number of boots?  I can't figure it out.  In all the
times that the little pest gave me problems I had been previously
working in PC Tools.  I let Central Point know about this and their
response was "Oh".  Strange.

Wayne Sinclair

== E-Mail > Fetch > Sinclair, Wayne > Reply ===================================
= Subject: Stoned and drives

There are at *least* six versions of "Stoned" on the loose, probably a
good many more.  So one cannot be too certain about "absolute"
behaviour of the virus, but ...

There are actually two possible explanations of the behaviour you see.
I have a report of a version of "Stoned" (reported to be the original,
in fact) that will not infect 3.5" drives.  (This may have been
"inspired" by the original BRAIN virus, which checked for the signature
of a low density, 5.25" disk, and would not infect otherwise.)  I have,
in my possession, a version which happily infects any size of floppy,
but will not infect the B: drive.

Activation is problematic as well.  One of the versions I have will
happily infect any disk in the A: drive, whenever the A: drive is
accessed.  Even for a DIR.  The other version is a sullen beast, and I
haven't yet figured out its exact activation, but PCTOOLS seems to
trigger it in my case as you report with yours.

And yes, FPROT (at least up to version 1.13) did report PCTOOLS
formatting as suspect.  I have sent frisk a copy of the PCTOOLS boot
sector, but I don't know whether he has been able to incorporate it
into 1.14.  Which is, by the way, available now in the INtegrity
Library.

------------------------------

Date:    Mon, 28 Jan 91 10:23:04 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: This is getting insane...

A week ago I finished analysing the 70 or so new viruses I had received
in Hamburg and started distributing version 1.14 of my program.  I was
hoping for a few virus-free days, but guess what happened....

In the past week I have received over 20 new viruses, and I know of 4
more "in the mail".  I spent the weekend analyzing the new viruses,
and as expected, it turned out that many of them were just variants of
older viruses.

In some cases the viruses are more-or-less rewritten, possibly by the
same author, and possibly by someone with access to the source or a
disassembly.  A good example of this is a group of viruses from Taiwan,
which are either called Plastique or AntiCAD (although some people use
Taiwan-3, Taiwan-4 etc).  One of the members of the family is also
known as Invader.  All the viruses are targeted against AutoCAD.  I now
have copies of at least 6 members of the family, one 2576 byte, one
2900 byte, one 3012 and three 4096 byte variants.  The viruses are
based on the Jerusalem virus, although the 4096 byte variants are also
able to infect the boot sector.
In many other cases, the difference between two variants is very small
- only a few bytes (or even just a single bit) and the total length of
the virus has not changed.  How do such viruses get created ?  Dr. Alan
Solomon had some thoughts on this subject, and I agree with him:

   1) accidental changes - bit errors in memory or when copying files.

   2) deliberate changes, produced to prevent detection by some
      scanning program.

   3) deliberate changes, produced to get a "reward" which some
      anti-virus companies offered for "new" viruses.

-frisk

--
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 15]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253
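Fridrik Skulason's closing message above makes a point that matters beyond 1991: a "new" virus that differs from an old one by a single bit is trivial to produce (his reasons 1 and 2) and is exactly what defeats a scanner that matches an exact byte string. The usual answer is a search pattern in which the bytes that vary between variants are wildcarded. The following is an added example, not code from the digest or from any scanner of the period: the two byte strings are constructed stand-ins for an original body and a one-bit variant (they are not real virus code), and the `??` wildcard notation and the pattern parser are this example's own assumptions.

```python
# Added example: why a one-bit change breaks an exact scan string, and how a
# search pattern with wildcard positions still matches.  The two "samples"
# below are constructed byte strings standing in for an original virus body
# and a variant with a single flipped bit; they are not real virus code.
# The "??" wildcard syntax is an assumption of this example.

from typing import List, Optional

Pattern = List[Optional[int]]  # None marks a wildcard byte

# Constructed "original": a few plausible DOS-style instruction bytes
# (MOV AX,4B00h / INT 21h / CALL rel16 / MOV AH,4Ch / INT 21h).
ORIGINAL = bytes.fromhex("b8004bcd21e81000b44ccd21")

# Constructed "variant": flip bit 0 of the byte at offset 6 (low byte of the
# CALL displacement), leaving everything else, including the length, unchanged.
VARIANT = bytes(b ^ (0x01 if i == 6 else 0) for i, b in enumerate(ORIGINAL))


def bit_distance(a: bytes, b: bytes) -> int:
    """Hamming distance in bits; any length difference counts its bytes in full."""
    common = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return common + 8 * abs(len(a) - len(b))


def differing_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte offsets at which the two samples differ (up to the shorter length)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def parse_pattern(text: str) -> Pattern:
    """'B8 00 4B ?? ?? CD 21' -> [0xB8, 0x00, 0x4B, None, None, 0xCD, 0x21]."""
    out: Pattern = []
    for tok in text.split():
        if tok == "??":
            out.append(None)
        elif len(tok) == 2:
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad pattern token {tok!r}")
    return out


def exact_scan(sample: bytes, scan_string: bytes) -> int:
    """Offset of an exact byte-for-byte match, or -1."""
    return sample.find(scan_string)


def pattern_scan(sample: bytes, pattern: Pattern) -> int:
    """Offset of the first position where every non-wildcard byte matches, or -1."""
    n = len(pattern)
    for i in range(len(sample) - n + 1):
        if all(p is None or p == sample[i + k] for k, p in enumerate(pattern)):
            return i
    return -1


# The exact scan string a first analysis would extract, and the same bytes
# with the CALL displacement wildcarded, as one would rewrite it once a
# variant like VARIANT turned up.
EXACT_STRING = ORIGINAL
WILDCARD_PATTERN = parse_pattern("B8 00 4B CD 21 E8 ?? ?? B4 4C CD 21")

if __name__ == "__main__":
    print("bits differing:", bit_distance(ORIGINAL, VARIANT))                      # 1
    print("byte offsets differing:", differing_offsets(ORIGINAL, VARIANT))         # [6]
    print("exact string hits variant at:", exact_scan(VARIANT, EXACT_STRING))      # -1
    print("wildcard pattern hits variant at:", pattern_scan(VARIANT, WILDCARD_PATTERN))  # 0
```

The wildcards only buy robustness against changes in the positions the analyst chose to mask (here the call displacement); a flip anywhere in the fixed bytes still evades, which is why `differing_offsets` on each new variant is the first thing to run before deciding whether a pattern can be widened or a second one is needed.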