VIRUS-L Digest   Monday, 28 Oct 1991    Volume 4 : Issue 199

Today's Topics:

    VSHIELD.... (PC)
    "Heavens no, I think thieves are terribly *irresponsible*!"
    Michelangelo Virus (PC)
    RAD: flagged by ZeroVirus III (Amiga)
    Re: SVC 5.0 (PC)
    RE: Measures
    Info on Tequila virus (PC)
    Is this a Mac Virus? (Mac)
    Sneaky Multi-Partites (PC)
    Protection for Desqview users (PC)
    Re: New virus - advanced symptoms (PC)
    Re: Version 84 of McAfee anti-virus programs now available (PC)
    Re: Several subjects (PC)
    Re: Pakistani/Ashar (PC)
    Typo in Validation Data for NETSCAN V84 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 22 Oct 91 18:38:58 -0500
From:    RY01@ns.cc.lehigh.edu (Robert Yung)
Subject: VSHIELD.... (PC)

To anyone...hopefully the maker.

Does VSHIELD v84 work with Super PcKwik v2.X when VSHIELD is loaded
high?  In previous versions of Vshield, I needed about 110K UMB to load
it high.  Now that it has the /LH switch, can I make do with less UMB
available prior to loading?

In the latest PC-MAG, it says that a device driver is better against
certain viruses that can run circles around TSRs.  Why not make Vshield
a device driver?  It certainly would have more memory to load into when
it is the first loaded (that is after the memory driver).
/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| Robert 'Bobby' Yung      | That is about as effective as trying  |
| RY01@NS.CC.Lehigh.Edu    | to melt an iceberg with a warm stream |
| "THE MACHINE!"           | of piss.  -Armmstrong                 |
\~~~~~~~~~~~~~~~~~~~~~~~~~~|_______________________________________/

------------------------------

Date:    Tue, 22 Oct 91 17:13:32 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: "Heavens no, I think thieves are terribly *irresponsible*!"

From the "do they really mean that?" media file:

From the "Trend Newsletter", published by Trend Microdevices, makers of
the PC-cillin antivirus package, September, 1991:

On the Federal Micro Show in August

"The popularity of computer viruses was evident since three other
antivirus software developers were [there] ..."

Just love them little varmints, don't you?  :-)

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "Power users think
Institute for  Robert_Slade@mtsg.sfu.ca | 'Your PC is now
Research into  CyberStore               | Stoned' is part of
User           (Datapac 3020 8530 1030) | the DOS copyright
Security       Canada V7K 2G6           | line." R. Murnane

------------------------------

Date:    Wed, 23 Oct 91 04:01:53 +0000
From:    k083240@hobbes.kzoo.edu (Stephen P. Gilmer)
Subject: Michelangelo Virus (PC)

I'm a student at Kalamazoo College who's been asked to find out any
information about the Michelangelo virus on PCs.  Any and all
information on this virus would be helpful.  Also, as a new subscriber
to this group, what virus detection program(s) is considered the best
for the PC?  As I am extremely busy (midterm exams!), would you please
e-mail me direct at k083240@kzoo.edu.  Thanks in advance.

Steve Gilmer
k083240@kzoo.edu

------------------------------

Date:    Tue, 22 Oct 91 19:49:49 -0400
From:    rogue@cellar.org
Subject: RAD: flagged by ZeroVirus III (Amiga)

I have been having a problem with ZeroVirus III when I have a RAD:
device mounted.
It gives me two warnings about KickTagPtr being $7f7ff58 and KickMemPtr
containing $7f7ff38.  If I tell it to ignore the results while I'm
running the program, everything's fine.  However, if I iconify the
program, the alerts return constantly, and I cannot make them go away.

This is a bulletin for the author(s) of ZeroVirus III to recognize and
repair this problem.  My system is an Amiga 3000, model 25/100, with 6
megs of RAM, and an 880k rad: device in fast memory.

Rachel K. McGregor : rogue@cellar.org : {tredysvr,uunet}!cellar!rogue

------------------------------

Date:    Wed, 23 Oct 91 12:01:32 +0300
From:    grdo@botik.yaroslavl.su (Dmitry O. Gryaznov)
Subject: Re: SVC 5.0 (PC)

Andrzej Kadlof writes on the Soviet SVC virus:

>only files on hard disk) and Create File (3C only on hard drive). I do
>not know for what reason virus do not infect files if the file name
>contains characters 'MM' or 'MB' (maybe protection of author software).

First of all, not 'MB' but 'BM' - the hexadecimal 16-bit constant 4D42
represents the 'BM' string - the bytes must be swapped.  This trick IS a
protection of some software - namely COMMAND.COM, IBMBIO.COM and IBMDOS.COM.
                                       ^^          ^^             ^^

The SVC 3.1 virus checks file names for 'AI' and 'SC' substrings -
Soviet anti-virus AIDSTEST by Lozinsky and McAfee's SCAN.  It doesn't
                  ^^                                ^^
check for 'MM' and 'BM' however.  The next, SVC 4.0, virus checks for
'AI', 'SC', 'MM' and 'BM' and SVC 5.0 checks only for 'MM' and 'BM'.

- --
Sincerely,
Dmitry O. Gryaznov                                 | PSI AS USSR
grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su   | Pereslavl-Zalessky
Phones: office: (08535)-2-0715 home:(08535)-2-1465 | 152140 USSR

------------------------------

Date:    Wed, 23 Oct 91 15:53:37 -0400
From:    Arthur Gutowski
Subject: RE: Measures

A long time ago in a galaxy not too far from home, Fred Waller said:

> We weren't discussing idiot-proof measures.
> But the
> virus problem is not user-created, although a recent article by Mark
> Aitchison makes an extremely good point that public education must
> play a very important part in any attempt to solve it.

True, it is not user-created, but it is user- (and vendor-)
proliferated.  I say this because vendors have yet to put sufficient
integrity management (both soft- and firmware) into PCs.  I also say
this because the bulk of the users out there have not implemented even
a minimum of protection on their machines.  Even a modicum of
protection could greatly reduce the current threat.

> Rather, my view is based on (Waller's) Pecking-order Metaphysics:
> (...details deleted...)
> So the "pecking order" is: 1. software; 2. hardware; 3. operator,
> ascending.  (Above that, you have to resort to mythical or government
> forces... both yield unpredictable results).
> From (Waller's) Pecking-order Metaphysics, one readily derives the
> Waller Principle:
>      "If You Really Want to Stop a Software Virus, Stop
>       it with Hardware".
> and the Waller Afterthought:
>      "Anything Else is Probably a Waste of Time and Effort, and
>       May Actually Be Counterproductive".

Not necessarily so.  As said before, and points have been made since,
that because hardware and software communicate with humans, who are
likely to obey a percentage of the time.  You're right, with operators
like that, who needs a virus?  These people are more likely to cause
crashes *without* the help of a virus.  But, with proper education,
even software can be used to effectively reduce the virus threat to a
livable minimum.  Hardware isn't absolutely necessary to solve the
problem, if the OS has enough smarts (though it is a stronger
determinant than software, in most cases).  VM, MVS, and even Apple
Systems, have more smarts built into them than MESS-DOS.  This is a
factor that causes infection numbers to look like they do.  It also has
to do with population and the types of people that work on these other
systems.
That's not to say that we'll never see an MVS virus, because it is
quite possible, but it's a lot less likely to happen.

> > ...who's to say that there won't come a day when we can create
> > (or encounter) infectious "beings"?)..
> We encounter them all the time, in the air we breathe, the water we
> drink, the food we eat and the things we touch.  Zillions of them
> live within and on our bodies - permanently.  As for creating new
> ones, we've done that, too.

The tongue-in-cheek reference to the hardware "mites" that infected the
Enterprise in TNG was merely to point out that even hardware may, way
in the future, not be invulnerable either.  But, let us not worry
about that now, and go on with the assumption that it is.  Tongue
removed from cheek, I continue...

> I feel Peterson's post was extremely interesting and appropriate.
> The ideas presented there (and in several other articles of his)
> were the sort of thing that should be explored seeking more definite
> solutions to this problem.  They should be pursued further.

Yes, they should.  Hardware and software can be used together to
produce a more effective solution than hardware alone.  As has been
pointed out before, we do have ignorant operators.

> NOBODY is proposing to make it impossible to share data.  Such a
> suggestion was NEVER advanced by me.  And the ideas I did mention
> were NOT equivalent to `not sharing data'.  Stopping viruses by
> hardware means DOES NOT equal `stop the flow of data'.  It does,
> however, restrict and regulate the *uncontrolled* flow of
> executables, which is the main thing that enables virus spread.
> (It may also restrict a kind of programming that's becoming very
> popular, but will not eliminate it; only a modification is needed).

That was the mistaken impression I got.  I apologize.  The Holy Grail
in this case is complete eradication.  That is unattainable, as long
as people share data.  Giving up on that, we are left with a
"reasonable minimum" of infections.
This is attainable.  It is attainable through a combination of
software, hardware, and training.  If we can bring these three
elements together, then we can achieve this goal.

> Of course it's easier to infect MS DOS systems (Can many users
> write to a mainframe executable or system file?).  But another (not
> minor) consideration is that there are some 60 million MS DOS PCs
> out there.  That's a market.  Both viruses and antiviruses must
> perceive that fact.  It's likely to be a main motivator.
> In both cases.

Yes, it is much easier to infect MS DOS than a mainframe, both for the
reasons stated above and the following.  Mainframe OSes tend to keep
their operations secret, much like Apple does.  But, that's not to say
that a good techie (like several we have around here) couldn't
infiltrate the OS with a virus.  But global access to the OS or to all
user files isn't necessary either.  All that is required is *some*
access.  Consider this:  User A has execute access to user B's program
libraries.  User A's libraries have a program which contains a
resident virus.  User A has run this program in his own address space,
and managed to spread the infection to all of his programs (because he
has access to all of his own stuff).  User B executes A's program in
his address space and infects all of his stuff (again by normal
accesses).  Along comes C who has execute access to B...beginning to
get the picture?  And nobody had write access to anything but their
own stuff.  Granted, this is difficult to do, but a good assembler
programmer may know enough about the assembler, the system, the link
editor, etc., to do such a deed.

> And a comment on etiquette:
> (...Stuff deleted...)
> People who are tired of repetition should have grown EXTREMELY
> tired of the virus/antivirus repetition.  Currently, that's the
> grandmother of all repetitions.

Yes, I have grown tired of the virus/antivirus repetition.  And I don't
mean to discourage discussion of topics on this forum.
It is at times very informational; it is at times *very* repetitive.
I am merely attempting to confront what you have admitted to as being
sometimes-confrontational postings.  We are all concerned professionals
here.  Etiquette should be a given on this (or any) forum.  The
bursting flames have, I think, subsided for the most part some time
ago.  When addressing an issue of import confrontationally, one should
expect to see people who hold (even slightly) different views react
with a degree of confrontation as well.

I apologize for the length and delay in posting, but through the mounds
of recent articles, of which I am about to contribute even more mounds,
I managed to miss Fred's response the first time through.

Warm (Indian Summer here in Michigan) Regards,
Art
Agutows@cms.cc.wayne.edu
Agutows@Waynest1

------------------------------

Date:    Wed, 23 Oct 91 16:59:00 +0000
From:    Nick Hilliard
Subject: Info on Tequila virus (PC)

Hi,

Does anyone out there have any info on the Tequila virus, about how it
works, what it does to the hard disk partition and files?  Things like
that?  If you do, you might drop me a line at the address above.

Thanks,

Nick Hilliard.

------------------------------

Date:    Wed, 23 Oct 91 23:30:00 +0000
From:    "Albert M. Berg" <0001177220@mcimail.com>
Subject: Is this a Mac Virus? (Mac)

Has anyone had experience with:

A Mac virus that displays a dialog box containing the phrase "HO HO HO"
followed by assorted punctuation on the screen and then seems to roach
track 0 and/or delete files?  Symantec's Anti Virus does not seem to
recognize this critter.

Mac viruses that will damage and/or delete on NetWare file servers that
the infected Mac is attached to via Novell's Mac NLM?  The NetWare
server looks like a normal Mac volume to the Mac, so if the Mac virus
deletes the files using relatively high level calls, this seems
possible.

Any help on this would be *much* appreciated.  Please email to me
directly - I'll summarize responses for the digest.

Thanks!
- ----------------------------------------------------------------------------
Al Berg                                           | alberg@mci.com
NETLAN Inc. - 29 W 38th Street - NYC, NY 10018    | Phone 212/768-2273
No one else deserves the blame for my ravings.    | Fax 212/768-2301
- ----------------------------------------------------------------------------

------------------------------

Date:    Wed, 23 Oct 91 23:55:00 +0000
From:    Joe Wells <0004886415@mcimail.com>
Subject: Sneaky Multi-Partites (PC)

Note to people analyzing the SVC 6.0 virus.

The virus is a multipartite.  It will write to the hard drive partition
table.  It modifies the table and DOS 5 (I was using) won't recognize
it as a valid drive.  The rest of the virus code is written in the
sectors just after the table.  On drives that use this area damage will
occur.

To aid in disassembly, a convenient jump table is found in the virus as
shown below.

JMP TABLE FROM THE SVC 6.0
(More viruses should have such aids to disassembly)

5893:01FB E96A0A          JMP     0C68    ===> terminate
5893:01FE E9070A          JMP     0C08    ===> write handle
5893:0201 E97403          JMP     0578    ===> exec (al=1 or 3)
5893:0204 E90006          JMP     0807    ===> close handle
5893:0207 E9CF05          JMP     07D9    ===> create file
5893:020A E9C000          JMP     02CD    ===> exec
5893:020D E97205          JMP     0782    ===> open handle (from above)
5893:0210 E9C704          JMP     06DA    ===> 1st/next FCB
5893:0213 E90F05          JMP     0725    ===> 1st/next handle
5893:0216 E9BF07          JMP     09D8    ===> set file ptr eof
5893:0219 E9F207          JMP     0A0E    ===> open handle (from below)
5893:021C E94508          JMP     0A64    ===> read handle
5893:021F E97F0A          JMP     0CA1    ===> get/set file time/date
5893:0222 C3              RET
5893:0223 E80300          CALL    0229    ===> called from 02D3 (exec)
5893:0226 EB22            JMP     024A

This table occurs in the virus's INT 21 handler.

Another multipartite that some researchers may want to look at again is
the 3445 virus.  Most references fail to note its habit of infecting
the partition.  The virus also contains an encrypted message from the
GRUPO HOLOKAUSTO in Spain.
The message is similar but not identical to the Telecom (holo) 1.

Joe Wells
Virus Specialist (deprogrammer)
Co-developer of NOVI by Certus
Certus International
216-752-8181

------------------------------

Date:    Wed, 23 Oct 91 21:29:15 -0400
From:    Allan Heinicke
Subject: Protection for Desqview users (PC)

Do the standard TSR virus-protection schemes (F-Prot, Vshield, Central
Point's anti-virus for example) work inside a DOS window if one is
operating under Desqview?  I ask this because I had F-Prot installed
(at bootup) as a TSR.  When I ran the program F-test (from ver 1.16 of
F-prot) before invoking Desqview I got the `access denied' message as I
should, but when I ran Desqview, opened a Dos window, and ran F-test,
the message that came back was that the TSR was not installed or not
working.  This applied to VIRSTOP from v2 as well.  I looked at the
documentation for VSHIELD, F-prot and Central Point but didn't see any
mention of behaviour under DV.  Nor have I seen any comments on this
point in comp.virus.

------------------------------

Date:    Wed, 23 Oct 91 22:48:03 +0300
From:    grdo@botik.yaroslavl.su (Dmitry O. Gryaznov)
Subject: Re: New virus - advanced symptoms (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> ish@ire.msk.su (Shulman Ilya A.) writes:
>
>> No, I mean that it is very simple to identify whether the virus is
>> present when it is active :-)
>
>What symptoms did you have in mind exactly?  This one is pretty
>stealthy...

Insert a write-protected diskette into drive A: and try to delete a
file from it - DOS won't report a "Write protect" error.

>> Yep.  Two times I found the virus on the hard disk in cluster 714 and
>> 2371 (I can't remember these numbers exactly but) which are the last
>> clusters on the 5" 1.2Mb and 3.5" 730Kb diskettes respectively.  I
>> can't explain why there were the last clusters but not the pre-last
>> but it was so.
>> Also I know the other abnormal effects when the virus infects a disk
>> but didn't write itself to the last cluster.  May be it is an error
>> too, but anti-virus developers _HAVE TO_ know this.
>
>Maybe this refers to the COMPAQ DOS 3.31 situation that was described
>by Dimitri Gryaznov?

The situation described by me refers only to hard disk partitions
larger than 32Mb.  I've also observed two strange situations with
floppies.  In the first case, on a 5.25" 720Kb floppy (formatted using
software similar to 800.COM) all executable files were cross-linked to
the proper clusters (a two-cluster chain, the last being marked as
0FFEH) but those did *NOT* contain the virus.  In the second case a
normal 360Kb floppy was infected properly but it wasn't possible to
restore the affected files since their real start clusters (being
decrypted) were also cross-linked to the cluster appropriate for a
720Kb floppy.

- --
Sincerely,
Dmitry O. Gryaznov                                 | PSI AS USSR
grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su   | Pereslavl-Zalessky
Phones: office: (08535)-2-0715 home:(08535)-2-1465 | 152140 USSR

------------------------------

Date:    Thu, 24 Oct 91 00:04:56 +0300
From:    grdo@botik.yaroslavl.su (Dmitry O. Gryaznov)
Subject: Re: Version 84 of McAfee anti-virus programs now available (PC)

>For those of you without FTP:
>I have downloaded and uuencoded SCANV84.ZIP, CLEAN84.ZIP, VSHLD84.ZIP, and
>NETSCN84.ZIP.  I would be happy to e-mail them to anybody who wants them.
>
>- --Barry (bdrake@oxy.edu)
>Occidental College Computer Center

You can also send an E-mail to mailserv@garbo.uwasa.fi with the subject
being 'garbo-request':

...
Subject: garbo-request

send pc/virus/scan84.zip
send pc/virus/clean84.zip
< etc. >
quit

- --
Sincerely,
Dmitry O. Gryaznov                                 | PSI AS USSR
grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su   | Pereslavl-Zalessky
Phones: office: (08535)-2-0715 home:(08535)-2-1465 | 152140 USSR

------------------------------

Date:    Thu, 24 Oct 91 00:11:58 +0300
From:    grdo@botik.yaroslavl.su (Dmitry O. Gryaznov)
Subject: Re: Several subjects (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>frisk@complex.is (Fridrik Skulason) writes:
>
>> ...
>
>> The release of version 2.01 has been delayed by a week, so I can add
>> 60 (or so) new viruses from Poland.
>
>There are a few interesting ones, aren't they?  BTW, they are not only
>from Poland; most of the new ones are from the Soviet Union
>(Andrzej?).  Which reminds me that the hackers out there are quickly
>catching up after the Bulgarian ones... :-(

My latest acquisition is something like 100 new viruses, most of them
being Soviet...  New Soviet threat, eh?

- --
Sincerely,
Dmitry O. Gryaznov                                 | PSI AS USSR
grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su   | Pereslavl-Zalessky
Phones: office: (08535)-2-0715 home:(08535)-2-1465 | 152140 USSR

------------------------------

Date:    Wed, 23 Oct 91 23:57:38 +0300
From:    grdo@botik.yaroslavl.su (Dmitry O. Gryaznov)
Subject: Re: Pakistani/Ashar (PC)

Mario Guerra writes:

>One machine in my university (a PS/30 with a Seagate 30 MB. disk) was
>infected with the Pakistani Brain/Ashar virus (according to Viruscan 84).
>If I run Viruscan from a clean disk it does not detect the virus, but if
>I boot from the hard disk, the same program says it is in memory.
>
>I have tried everything: a Sys, running Norton 6.0 Disktool, using DE
>for writing a new boot sector from other machine with a similar hard disk,
>rewriting the partition table (once again, from a similar disk), etc.

It seems to be a false positive since Pakistani Brain/Ashar does not
infect the hard disk at all - only floppies...

- --
Sincerely,
Dmitry O. Gryaznov                                 | PSI AS USSR
grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su   | Pereslavl-Zalessky
Phones: office: (08535)-2-0715 home:(08535)-2-1465 | 152140 USSR

------------------------------

Date:    Sat, 26 Oct 91 00:00:37 -0700
From:    mcafee@NETCOM.COM (McAfee Associates)
Subject: Typo in Validation Data for NETSCAN V84 (PC)

Hello,

It has been reported to me (by several people!) that I made a mistake
in posting the filesize for Version 84 of NETSCAN.EXE.  The correct
size is 50,347 bytes, not 50,345.  My apologies for any alarm.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

PS: I promise to wear my glasses when typing from now on! :-)

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 199]
******************************************
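The jump table in Joe Wells's SVC 6.0 note above, re-checked as an added example that is not part of the digest: it decodes each listed 8086 relative JMP/CALL from its bytes (target = offset of the next instruction plus the signed displacement) and compares the result with the target Wells wrote beside it, which is a cheap sanity check when a listing has been transcribed by hand. The function and variable names are my own.

```python
import re

# Jump table copied from Joe Wells's listing of the SVC 6.0 INT 21h handler
# (segment 5893h).  The "===>" notes are his; the decoder below is added.
JMP_TABLE = """\
5893:01FB E96A0A JMP 0C68 ===> terminate
5893:01FE E9070A JMP 0C08 ===> write handle
5893:0201 E97403 JMP 0578 ===> exec (al=1 or 3)
5893:0204 E90006 JMP 0807 ===> close handle
5893:0207 E9CF05 JMP 07D9 ===> create file
5893:020A E9C000 JMP 02CD ===> exec
5893:020D E97205 JMP 0782 ===> open handle (from above)
5893:0210 E9C704 JMP 06DA ===> 1st/next FCB
5893:0213 E90F05 JMP 0725 ===> 1st/next handle
5893:0216 E9BF07 JMP 09D8 ===> set file ptr eof
5893:0219 E9F207 JMP 0A0E ===> open handle (from below)
5893:021C E94508 JMP 0A64 ===> read handle
5893:021F E97F0A JMP 0CA1 ===> get/set file time/date
5893:0222 C3 RET
5893:0223 E80300 CALL 0229 ===> called from 02D3 (exec)
5893:0226 EB22 JMP 024A
"""

# Fields: seg:off, instruction bytes, mnemonic, optional target, optional note.
LINE_RE = re.compile(r"^([0-9A-F]{4}):([0-9A-F]{4})\s+([0-9A-F]+)\s+([A-Z]+)"
                     r"(?:\s+([0-9A-F]{4}))?(?:\s+===>\s*(.*))?$")

def branch_target(offset, code):
    """Target of an 8086 relative branch at `offset`, or None if `code` is not
    one.  The displacement is relative to the end of the instruction."""
    if code[0] in (0xE9, 0xE8):                  # JMP rel16 / CALL rel16
        disp = int.from_bytes(code[1:3], "little", signed=True)
        return (offset + 3 + disp) & 0xFFFF
    if code[0] == 0xEB:                          # JMP rel8 (short jump)
        disp = int.from_bytes(code[1:2], "little", signed=True)
        return (offset + 2 + disp) & 0xFFFF
    return None                                  # e.g. C3 RET

def decode_table(listing):
    """Parse the listing into (offset, mnemonic, computed, listed, note)."""
    rows = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _seg, off_hex, code_hex, mnem, listed_hex, note = m.groups()
        offset = int(off_hex, 16)
        computed = branch_target(offset, bytes.fromhex(code_hex))
        listed = int(listed_hex, 16) if listed_hex else None
        rows.append((offset, mnem, computed, listed, note or ""))
    return rows

def mismatches(listing):
    """Offsets whose listed target disagrees with the encoded displacement."""
    return [f"{off:04X}" for off, _, comp, listed, _ in decode_table(listing)
            if comp != listed]

if __name__ == "__main__":
    for off, mnem, comp, listed, note in decode_table(JMP_TABLE):
        tgt = f"{comp:04X}" if comp is not None else "----"
        print(f"{off:04X} {mnem:<4} -> {tgt}  {note}")
    print("transcription mismatches:", mismatches(JMP_TABLE))
```

Every target in Wells's table agrees with its encoded displacement, so `mismatches(JMP_TABLE)` comes back empty; a mistyped target would be reported by offset.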