VIRUS-L Digest Monday, 28 Oct 1991 Volume 4 : Issue 200 Today's Topics: Can you help me with this? (Apple ][) Re: New virus - advanced symptoms (PC) Re: DIR II Removal Information (PC) Re: DIR II virus and DOS 3.31 (PC) Re: Pakistani/Ashar (PC) Re: Virus on Mac (Mac) Re: What is CoolCapture? (Amiga) Possible new virus (PC) Re: Problems with formatting (PC) DOS 5.0 ANSI (PC) Hardware vs Software (PC) michelangelo virus at Z-Soft (Paintbrush) (PC) Re: michelangelo virus (PC) McAfee VIRUSCAN at bootup (PC) Latest NAV 1.5 Virus Definitions (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 18 Oct 91 19:34:15 +0000 >From: scm3775@tamsun.TAMU.EDU (Sean Malloy) Subject: Can you help me with this? (Apple ][) Okay, a friend of mine sent me a copy of an article which claims to have been posted to usenet (I assume it was to here). It dealt with one of the earilest documentable computer viruses, written for the Apple ][ in 1981-2, at Texas A&M. This friend of mine would very much like to talk to the author of this article, but doesn't have Usenet access. If anyone remembers this article, or can provide me with an email address of the author, I'd appreciate it. First part of the article to follow... (I don't want to waste bandwidth by posting the whole thing again). - ---------------------------------------------------------------------------- $_Article Sorry this article is rather long, but if you still have any old DOS 3.3 Apple ][ disks lying around please read it! (Feel free to read it for general entertainment value too, of course, even if you don't possess any such historical disks.) I have been asked by Gene Spafford to write an article detailing the life story of a Virus I wrote for Dos 3.3 on the Apple ][ in December, 1981 for one of his journals. Spafford wants me to write the story up because it's the earliest _documentable_ personal computer virus he's heard of. I'm trying to get more information that I plan to use to make that article more complete. 1) Why did I write a virus? Am I an evil scum? At the time (remember, this was 1981) I was an undergraduate at Texas A+M. There was an active community of Apple ][ users in my dorm (Shuhmacher), with an _incredible_ amount of copying of pirated game programs going on. I noted that most games were damaged in various sorts of ways, but they were almost always still playable despite the damage. (For example, there was one popular Star Trek game in BASIC that had occasional garbage control characters in non-critical REM and PRINT statements; space war games often had random junk replacing some pictures of ships, etc.) I decided that I could explain this by invoking a sort of "evolution". [...] - ------------------------------------------------------------------------- Thanks for your help - -Sean /*--------------------------------------------------------------------------*\ | Sean C. Malloy = ("x041sc@tamuts.tamu.edu" || "scm3775@tamsun.tamu.edu") | \*--------------------------------------------------------------------------*/ You'll pay to know what you REALLY think. ------------------------------ Date: Wed, 23 Oct 91 22:48:03 +0300 >From: grdo@botik.yaroslavl.su (Dmitry O. Gryaznov) Subject: Re: New virus - advanced symptoms (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > ish@ire.msk.su (Shulman Ilya A.) writes: > >> No, I mean that it is very simple to identificate is virus present >> when it is active :-) > >What symptoms did you have in mind exactly? This one is pretty >stealthy... Insert write protected diskette into drive A: and try to delete a file from it - DOS won't report "Write protect" error. >> Yep. Two times I found virus on the hard disk in the cluster 714 and >> 2371 (I can't remember this numbers exactly but) which are the last >> clusters on the 5" 1.2Mb and 3.5" 730Kb diskettes respectivly. I can't >> explain why there were the last clusters but not the pre-last but it >> was so. Also I know the other abnormal effects when virus infects disk >> but didn't write itself to the last cluster. May be it is an error >> too, but anti-virus developers _HAVE TO_ know this. > >Maybe this referes to the COMPAQ DOS 3.31 situation that was described >by Dimitri Gryaznov? The situation described by me refers only to hard disk partitions larger than 32Mb. I've also observed two strange situations with floppies. In first case on a 5.25" 720Kb (formatted using software similar to 800.COM) floppy all executable files were cross-linked to the proper clusters (two-clusters chain, the last being marked as 0FFEH) but those did *NOT* contain the virus. In second case a normal 360Kb floppy was infected properly but it wasn't possible to restore affected files since their real start clusters (being decrypted) were also cross-linked to the cluster appropriate for 720Kb floppy. - -- Sincerely, Dmitry O. Gryaznov | PSI AS USSR grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su | Pereslavl-Zalessky Phones: office: (08535)-2-0715 home:(08535)-2-1465| 152140 USSR ------------------------------ Date: Wed, 23 Oct 91 23:49:36 +0300 >From: grdo@botik.yaroslavl.su (Dmitry O. Gryaznov) Subject: Re: DIR II Removal Information (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >grdo@botik.yaroslavl.su (Dmitry O. Gryaznov) writes: > >> First of all - a disinfection must be made only when there is no the >> virus in RAM. > >...or when it is not active. For instance, my disinfector is able to >find it in RAM and to deactivate it. MY disinfectant does the same... But did you ever try to disinfect files after deactivating the virus in RAM without rebooting? The DOS will report an error when infected files on a hard disk will be accessed. The reason is that DOS continues to use an in-memory copy of BPB (or DPB following your terminology) modified by the virus. This BPB reports several blocks less than the actual size of a disk is. Hence, the last cluster (to where all infected files are cross-linked) will seem to be (partially) beyond the disk space. Since a hard disk is non-changable media, DOS normally asks driver to build the BPB only once and then uses this BPB parameters. To force DOS to rebuild BPB you are to use the same trick the virus does - find an appropriate DOS Device Control Block and mark it as never been accessed. >> *REALLY* contains the virus - you could get an infected file by >> copying it on a not infected PC. In the latter case a disk most likely >> is not infected and a file contains just the virus body, its directory >> entry being quiet normal. > >Yeah, that's what I mean... My disinfector does not delete such files. >Maybe it should? Definitely *YES*! Such a file is just the virus itself - safe and sound! Being executed the virus will go resident and start its dirty work. When the file will be reexecuted by the virus the virus again will be loaded since the disk is not (or rather WAS not) actually infected. This will cause the second copy of the virus to terminate (do you remember INT 20H in the virus?). So a user will see that the program just terminated. But the virus will already be active and working and replicating... - -- Sincerely, Dmitry O. Gryaznov | PSI AS USSR grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su | Pereslavl-Zalessky Phones: office: (08535)-2-0715 home:(08535)-2-1465| 152140 USSR ------------------------------ Date: Wed, 23 Oct 91 23:27:50 +0300 >From: grdo@botik.yaroslavl.su (Dmitry O. Gryaznov) Subject: Re: DIR II virus and DOS 3.31 (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >grdo@botik.yaroslavl.su (Dmitry O. Gryaznov) writes: > >> BUT COMPAQ DOS 3.31 USES DIFFERENT REQUEST HEADER LAYOUT! This leads >> to the virus body being written to sectors 65535-65536 (FFFFH-10000H) >> instead of the last cluster. If any file occupies these sectors - >> ... > > Hmm, I didn't notice that... Well, my disinfector will not corrupt Well, I'll give more details. DOS 4.0+ disk driver uses the following request layout: Offset Size Contents - -------------------------- +0 1 length of the request packet +1 1 unit number +2 1 command code +3 2 Device Status Word +5 8 reserved +0DH 1 media descriptor byte +0EH 4 DWORD address of a data transfer buffer +12H 2 sector count +14H 2 starting sector number +16H 4 DWORD address of ASCIIZ string of Volume ID +1AH 4 DWORD starting sector number (if starting sector number at offs. +14H equals to 0FFFFH) DOS 3.31 driver's request layout: Offset Size Contents - -------------------------- ... +14H 2 starting sector number +16H 2 starting sector number highword (if length of the reguest packet - offs. +0 - equals to 18H) So, DOS 4.0+ driver distinguishes between short and long sector number by using the special value 0FFFFH for the sector number at offset +14H while DOS 3.31 driver distinguishes them by the length of a request. They also use different locations for the DWORD sector number. The DIR-II virus uses request header layout for DOS 4.0+. If long sector numbers are used DOS 3.31 driver will interpret such a request as being regarded to sector 0FFFFH (offs. +14H). >information in this case, but it will report that a mutation of the >virus has been found. It is not very clear how this situation could be I don't know the method your disinfectant uses to detect the DIR II virus but I doubt it'll report an infection in the case. The affected (not really *INFECTED*) files are cross-linked to the cluster which DOES NOT contain the virus body. Or does you disinfectant rely just on (F)FFEH mark? >handled - since when the disinfector is run, it is not safe to assume >that the DOS version active in memory is the same that was used to >access the infected disk... Rather simple - read sectors 0FFFFH-10000H and check whether they contain the virus body or not. If yes - compare the cluster number from the virus body with this from the directory entry, etc. - -- Sincerely, Dmitry O. Gryaznov | PSI AS USSR grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su | Pereslavl-Zalessky Phones: office: (08535)-2-0715 home:(08535)-2-1465| 152140 USSR ------------------------------ Date: Thu, 24 Oct 91 05:23:12 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: Pakistani/Ashar (PC) MGUERRA@UCRVM2.BITNET (Mario Guerra) writes: >One machine in my university (a PS/30 with a Seagate 30 MB. disk) was >infected with the Pakistani Brain/Ashar virus (according to Viruscan 84). >If I run Viruscan from a clean disk it does not detect the virus, but if >I boot from the hard disk, the same program says it is in memory. [rest of message deleted] Hello Mr. Guerra, By any chance are you running the VDEFEND.SYS device driver from Central Point Software that comes with PC Tools 7.1 or Central Point Anti Virus? If so, the report of the Brain/Ashar in memory could be a result of having this program in memory, which contains a search string for the virus which overlaps/matches ours so that VIRUSCAN reports the viruses' presence in memory. This will occur with anti-viral programs that do not encrypt (cipher) their search strings in memory and match up against another anti-viral program's search strings. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 4423 Cheeney Street | FAX (408) 970-9727 | aryehg@darkside.com(personal) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: Thu, 24 Oct 91 08:48:28 +0000 >From: alexis@panix.com (Alexis Rosen) Subject: Re: Virus on Mac (Mac) dave@gergo.tamu.edu (Dave Martin) writes: >I have always wondered something about nVIR, though, [...] I booted from a >clean, locked System floppy and used ResEdit to clean out the nVIR >resources and correct the CODE resources. I copied rather than cut or >cleared the nVIR resources so I could move them to a separate disk to >examine them later. Immediately an alert popped up saying that it >couldn't write to the System file (disk locked). It seems that simply >by copying the nVIR resources was enough to activate it. [...] Not quite. What happened was that when you tried to copy, ResEdit tried to make a scrap file in which it would stash the resources you were fiddling with. Guess where ResEdit wanted to put the scrap? On your locked System floppy... nVIR and all its variants are only activated on program launch. - --- Alexis Rosen Owner/Sysadmin, PANIX Public Access Unix, NYC alexis@panix.com {cmcl2,apple}!panix!alexis ------------------------------ Date: Thu, 24 Oct 91 12:35:38 +0000 >From: cs_b152@ux.kingston.ac.uk (Vlod Kalicun) Subject: Re: What is CoolCapture? (Amiga) consp11@bingvaxu.cc.binghamton.edu (Brett L. Kessler) writes: |> For example, I have heard of CoolCapture, WarmCapture, ColdCapture, |> and one or two other common entry points for viri (RomTagPtr? |> KickTagPtr? I can't remember...). What do all of these places do |> that make them so attractive to virus-writers? Some programs can survive a warm reboot () by linking to the vectors that you meantion. The cool/warm/cold captures get processed when you do a cold reboot and so virus programs like to live there. i.e. When you reboot the virus is already in memory waiting to chomp your disks. KickTagPtr is something to do with making programs resident( Im not to sure about this) which virus's like to do as well. Most virus checkers check these vectors out (warm/cold/cool) and they should be zero. Although nowadays theres quite a few utilities that link to these vectors, eg RAD drives etc.. Hope thats useful... Vlod kalicun. cs_b152@ux.kingston.ac.uk ------------------------------ Date: Thu, 24 Oct 91 14:51:32 +0000 >From: kgermann@shl.com (Kevin Germann) Subject: Possible new virus (PC) We suspect that we have a virus that destroys the hard drive on our PCs. We have had four occurrances of a very similar problem. Three times while doing an XCOPY /s from a network drive to the C: drive, the xcopy has failed, followed by completely losing the contents of the drive. On trying to reboot the system, we get the message "No fixed disk". The disk is unusable afterwards. This happened on three different Panasonic FX-1925S machines after installing an ATI Graphics Ultra card. We believe that the card is not the problem, because we have installed it successfully on five other identical machines. We have experienced exactly the same problem while installing Windows 3.0 on a IBM PS/2 model 50. There was no ATI graphics card in this machine. Any help with this problem would be appreciated. Kevin Germann kgermann@shl.com ------------------------------ Date: Thu, 24 Oct 91 18:54:37 +0700 >From: Cezar Cichocki Subject: Re: Problems with formatting (PC) Hi Fred! Try use the Norton`s SafeFormat programm. In Norton Utility 5.0 it is very nice to use. Best wishes, Cezar ============================================ THE BEST PREVENTION IS NOT TO BUY COMPUTER ! ============================================ Cezar Cichocki Warsaw Uniwersity Dep. of Psychology Virus Buster (it is translated from Polish) ------------------------------ Date: Thu, 24 Oct 91 09:08:52 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: DOS 5.0 ANSI (PC) Does anyone know why the key-redirection ([xx;xxp) portion of older ANSI drivers written for 3.3 and before do not work under DOS 5.0 ? (might also not work with 4.x - haven't tested this) - when upgrading, was forced into using the limited ANSI.SYS that came with the DOS distribution. Note: the DOS 5.0 ANSI.SYS currently in use is 9029 bytes long & dated 3-22-91. In this version, protection from ANSI trojans can be had by simply changing the byte containing 70h (p) at offset 61h from the start to some other ASCII letter that is not already assigned to an ANSI command. In this manner, you will still be able to use key-redirection (I use alt-letter to switch drives), just anything trying to do this using [xx;xxp (e.g. something you did not ask for) will not work. However, I really would like to go back to using my extended redirection set so if anyone knows why older versions do not work, the information would be appreciated. Warmly (just back from Toronto), Padgett ------------------------------ Date: Thu, 24 Oct 91 13:59:13 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Hardware vs Software (PC) Wrote I: > Major disagreement. It is easier to protect a single platform > with a "mission-adaptive" approach loaded first than it is to > subvert one. >From: turtle@darkside.com (Fred Waller) > I hope the disagreement is not with the *facts* as stated in my > message: "There are more defense variations than ever. There are > also more viruses than ever. They infect more machines than ever." > Those facts are a little difficult to disagree with. O.K: have to make two points here. First, the quoted statement had nothing to do with virus spread. What I was taking exception to was the statement that any software defense can be breached by software. This is a case of "true in theory but impractical in practise": the effort required to breach a software defense is greater than that required to erect it. This comes about because the defender has the advantage of being on home ground & has a "world view" of the system. The attacker on the other hand is faced with a two-dimentional viewpoint and must peel away a layered defense like an onion: each layer may reveal a new defense structure - a very hard task to automate since the attack being via software means that the attacker must anticipate ALL possible strategies while the defender needs only one (hopefully unknown). Consider that mainframes all use software defenses yet direct attacks that do not exploit "holes" rarely suceed. Consider also that the B2 (orange book) certification necessary for compartmented information is possible with software. > The incidence of infection may be dependent on protection (if the > protection is effective, a big "IF"), but it has nothing to do with > the creation of hundreds and hundreds of new viruses whose main > effect seems to be the eager encouragement of frequent updates of > the virus scanners. This is the second point: ("...has nothing to do..."). The statement that "virus defenses result from virus attacks" is true however the reverse is not. Only a small portion of the viruses seen are directed attacks on defenses, most are simple adaptaions of things that appear to work. Just to toss out a bit of controversy, IMHO the first "steath" virus, the Pakistani BRAIN was not designed with "stealth" in mind, rather the virus would not have worked otherwise. Fred again >( If that's the only kind of hardware solution one can envision, >then it must indeed seem so ). It may be `possible', or it may be >`impossible', but the software methods we've seen so far haven't >been good enough. I said that all that hardware (actually the BIOS had to do was to be able to select the boot drive. This was not the only kind envisioned, just the minimum that would be "enough" and be non-intrusive. Fred: >... if the software antiviruses haven't suceeded in defeating or >even stalling viruses by now, then it might be time to try something >different. Stronger medicine? Stronger medicine. > Searching for stronger medicine, the idea occurred that hardware > means of protection had never been breached by any virus - and > never could be. True: the BIOS has never been breached but at *some* point you must begin using software and THIS is where attacks will start. Further, if things become too difficult for the user or if favored applications cease to work, the solution will be abandoned. Fred: > Yes, if your aim is to install a new BIOS, then you might reasonably > expect to have to install a new BIOS . I wonder why one would want > to do such a thing, though... But darn it, let's put things in > proper perspective: how much does it cost to buy a software > antivirus package? This much: (long list of prices deleted) > (From the listings in PC Mag latest issue First - while I read the article, my feeling was that most of the packages tested would in fact have stopped the so-called "totally hidden virus" *once an infected file was executed*. e.g. SCAN /av if VSHIELD's switch to test was used or Enigma-Logic's Virus-Safe. In fact they must have disabled some things for that kind of virus (a DATACRIME clone) to work at all. > Anyway, that comes to an average price of $90 per package Full list quantity 1 ! How many people pay that ? There are many good shareware and freeware products out there and still people do not bother to use them even though the effective cost is $0 if the user does not care to register it. > Software usually needs to be upgraded, and the true cost over time can become > very high! Compare that with the quoted one-time price of $70 > per machine and it will become apparent that hardware protection > (defined by Padgett as "changing the BIOS") may indeed seem rather > inexpensive. True, the key is "may". For the single user, the essential cost is that of a phone call. For a LAN, once loaded on the server and set for automatic validation/update on login, we are back to (effectively) zero cost again. (why I have been pushing so hard for LAN checking/updating). However, at this point I am not considering cost - we are still in a very dynamic period. What we aree looking for now are different options that work. Only when you have equal options does cost enter the equation. We are not there yet (but getting closer). However, I propose that BIOS boot selection/validation (and password if desired) @ zero cost if the proper manufacturer is selected is all that is needed from HARDWARE, SOFTWARE can provide provide everything else necessary including protection of integrity from malicious software as well as mistakes and, in the long run, will be a lower cost option than anything involving more hardware. What do you propose ? Padgett ------------------------------ Date: Thu, 24 Oct 91 13:30:53 -0600 >From: "Don't quote me...You might get it right!" Subject: michelangelo virus at Z-Soft (Paintbrush) (PC) Last week, a local newspaper reporter came in to the office to ask me a few questions about the Michelangelo virus, which had apparently been detected by a local computer store (17 cases!). I started doing some digging on my own, and found out that the virus was apparently on a commercial "8-in-1" type program (I don't know the name yet, but when I do...). A few minutes ago, another user came into the office with the same virus on his disk, but he told me that he got the virus "straigt from Z-Soft". He reported some problems with PC Paintbrush, and they sent him (an obviously used) a disk with a few update files on it (and the virus ;-) Just lettin' y'all know. On another note, I now have firsthand experience and knowledge of why computer virus articles in newspapers get so screwed up :) I even told this reporter how upset I (and the anti-virus "community") get with articles written by non-literates and she offered (and did!) let me review the article before it went to press. But what ended up in the paper was the original (uncorrected) version. Most of the mistakes were "picky" to the non-literate, but to the literate are essential. For example: "Shareware is software in the public domain...which can be used for a certain period of time without paying for it". "NEVER boot a hard drive computer from a floppy disk". and my favorite :) "BBS' often spread viruses". I wrote a letter to the editor correcting these mistakes, but to date it has not been published. So there's probably some poor kid out there with a game which requires him to boot from floppy, but some unknown "local virus expert" says "Don't". I have yet to login to any of the BBS' for fear of the flames :) (what I said was "Viruses are often spread via a BBS', but very few BBS' spread viruses and it's just as possible to get a virus from a commercial program".) Sorry for the tirade, John-David Childs Consultant, University of Montana con_jdc@lewis.umt.edu ------------------------------ Date: Thu, 24 Oct 91 16:44:00 -0600 >From: "Doran L. Barton / Fozziliny G. Moo" Subject: Re: michelangelo virus (PC) EENG6719%Ryerson.CA@VM1.gatech.edu (Anthony Di Nardo) writes: > Recently my friend's system was infectedwith the Michelangelo virus. > Does any one have any information on it, or know where I could obtain > some. SCANV82 identifies it, but in the included virlist.txt it is > not metioned at all. I seem to remember that V80 had [Mich] listed on VIRLIST.TXT. I know that V84 does. -Fozz - -- ^*&^#*&^$%^*@#&^%$^&*@&#^$%@!*&^%@#$&^%#$&^~!^%*&!^@%#*&^%$%@^#*&^%@!$%#@^*&^%@$ ____ Doran L. Barton -- Fozziliny G. Moo EE-CEE Lab Consultant |_ __ ___ ___ The OMNI-Consultant CS Lab Instructor | |__| /_ /_ slcjm@cc.usu.edu USU FTP File Manager Uses DOS, VMS, & UNIX "There is no gravity. . . The Earth just sucks!" -XLC in IS2 ------------------------------ Date: 24 Oct 91 23:02:11 +0000 >From: psgrbbc@prism.gatech.edu (Brian Cooper) Subject: McAfee VIRUSCAN at bootup (PC) I would like to have my PC run McAfee's SCAN whenever I turn on my computer. Is there any problem with doing this??? For example, suppose a virus entered my system and immediately altered SCAN so that it would not detect the virus. Is this possible? Does scan check itself before SCANning the rest of the disk? Any comments would be appreciated. Thanks in advance. Brian Cooper - -- Brian Cooper Georgia Institute of Technology, Atlanta Georgia, 30332 uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!psgrbbc Internet: psgrbbc@prism.gatech.edu ------------------------------ Date: Fri, 25 Oct 91 01:48:26 +0000 >From: edc242u@monu6.cc.monash.edu.au (n. michelis) Subject: Latest NAV 1.5 Virus Definitions (PC) Can someone please tell me what the latest NAV 1.5 virus definitions are. The latest ones SYMANTEC AUSTRALIA has on their BBS is 15all04.def dated the 27th September 1991. I have found that they are always 3-4 weeks behind SYMANTEC in the USA. This information will be appreciated. Also if there is a new file definition can somone please mail it do me. Nick Michelis Monash University Melbourne, Australia ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 200] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253