VIRUS-L Digest Thursday, 21 Nov 1991 Volume 4 : Issue 223 Today's Topics: Re: System 7 vs. viruses (Mac) Do I have a virus or a hardware fault (PC) Re: Hardware... Re: Norton SI 6.01 and Cascade? (PC) "Stealth" Viruses (4096 in particular) (PC) Liberty virus (PC) Re: Norton SI 6.01 and Cascade? (PC) Re: Generic scanning - a small test (PC) Re: Stoned on 3.5" disks / "1590" virus (PC) Dir-II at Rutgers University (USA) (PC) virus ? (PC) Re: System 7 vs. viruses (Mac) Strange symptoms include COMMAND.COM disappearing (PC) Jerusalem Virus Questions (PC) Mark Washburn (was: Hardware? How about software...?) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Sun, 17 Nov 91 06:03:50 +0000 >From: lunde@casbah.acns.nwu.edu (Albert Lunde) Subject: Re: System 7 vs. viruses (Mac) LISSA@WHEATNMA.BITNET writes: >>AB5891A@ACAD writes: >>>constantly be shut off. On a Mac, (OR IBM for that matter) if you >>>want to increase the ANTI-virus protection, just after EACH >>>application shut the system off. The virus MAY still spread, but then >>>again, it may not. >>DON'T DO THIS ON A MAC! [...] >>..and some Mac viruses will continue to spread anyway. In fact, most of >>them will if you are using MultiFinder or System 7. I agree - the disk caches need to be flushed properly. Since common Mac viruses take control at or soon after an application is launched, and can infect stuff run again at startup, powering down between applications is not generally a useful strategy for day-to-day use. >It should be noted that the "Desktop" viruses (WDEF and CDEF) do _not_ >infect System 7. This is explained in the online Disinfectant manual. > >"...System 7 is completely immune to the 'Desktop' viruses (WDEF and CDEF). >These viruses never activate, spread or cause any damage under System 7.... >..Under MultiFinder, the Desktop files are always 'busy'..." > >This goes on to say that Disinfectant cannot affect changes in MultiFinder. >Since it cannot chnage it to repair it, it is safe to assume that the file ?????????????? >cannot undergo changes to be infected with the virus in the first place. > >Hmmm...maybe Apple is finally getting smart. :-) You seem to be assuming a connection between facts not causally related: 1 - Desktop file viruses do not spread easily under system 7, because the Finder is more careful about how it opens the Desktop file. (This may be related to the use of the Desktop database except on floppies or to the Finder rewrite in C++, I don't know. This *could* be Apple getting smart.) 2 - Disinfectant 2.5.1 cannot repair some files under 6.0.x Multifinder/Finder or System 7 Finder, because the files are "busy" i.e. already open. (This is not an insurmountable problem, because AppleEvents could be used to make the Finder quit, and re-launch. But this feature is not in 2.5.1) 3 - It is *not* safe to assume that because Disinfectant cannot repair a file that the file cannot be infected in the first place. A virus could infect from an INIT running before the Finder was launched, from booting from a floppy or various other ways. Disinfectant "plays by the rules" more than viruses - the scanning and repair runs as a regular application. Viruses are executed by several means, each with its own limitations. This is not based on a detailed study of viruses under system 7, but on general considerations - and a healthy dose of paranoia. - -- Albert Lunde Albert-Lunde@nwu.edu alunde@nuacvm.bitnet ------------------------------ Date: Sun, 17 Nov 91 16:39:24 +1100 >From: coptn@marlin.jcu.edu.au (Peter Nixon) Subject: Do I have a virus or a hardware fault (PC) I'm having a problem with a CCS brand XT. This uses a clone motherboard, that features a VLSI chip that I assume handles the timer / dmi functions etc. The problem is that the machine is going into 'error' mode every 9 - 10 minutes. Error mode either results in the machine locking up or if I am at the dos prompt , a string of ^ (as in the character above the 6) get printed at the prompt, and the machine is still accessible. Initially I considered this may have been a hardware problem associated with the VLSI chip. But I found that when I disconnected the hard disk and booted of a FDD, the fault did not occur. But if I leave the HDD connected but still boot of the FDD the fault occurs. I wondered if there may have been a virus in the partition table. I have scanned with two virus checkers both found nothing. (But they are both slightly old). So I then did a low level format on the hard disk, and reloaded dos(4.01). I did turn the machine off between LLF and reload. I had also tried disconnecting the keyboard, but the string of ^^^ still happened. The number of ^ printed is not always the same. I have also tried removing the multifunction card (which has the real time clock), but the fault still occurred. So do you think it is hardware related, or do I have a particularly persitent virus. Oh yes, one other thing, the size of the command.com file in the root directory was correct, but a copy of the command.com in the dos subdir was different. The system used the \dos copy. But even when i replace this still no good. Thanks for any help... Peter Nixon School of Commerce James Cook University Australia coptn@groper.jcu.edu.au coptn@marlin.jcu.edu.au ------------------------------ Date: Sun, 17 Nov 91 10:40:14 +0000 >From: Fridrik Skulason Subject: Re: Hardware... In Message 13 Nov 91 09:12:21 GMT, bontchev@fbihh.informatik.uni-hamburg.de (Vesselin writes: >This won't help, since you'll inevitably miss some - the general >question whether a program is infected or not is undecidable... Only on a Turing-machine - not on a real-world computer - It is perfectly well possible in theory on any finite machine, although it would not be practical. - -frisk ------------------------------ Date: Sun, 17 Nov 91 15:35:00 +0200 >From: Y. Radai Subject: Re: Norton SI 6.01 and Cascade? (PC) Ken West writes: >I just installed Norton Utilities version 6.01 with DOS 5.0 running on >my 386-25. The SI (system information) utility has a function to list >hardware interupt usage. When I make this selection, it reports >[Cascade] grabbing interrupt 2 (IRQ 02). I scanned the machine with >McAfee Scan v. 84, and F-prot version 2.01 and neither report >infection. Can anyone tell me what is going on here? Has anyone else >seen this with Norton 6.01? > >I realize that Cascade is harmless but I don't want it around. The word "[Cascade]" in the SI report has nothing to do with the Cascade virus. It refers to a method (on ATs and higher models) by which additional levels of external hardware interrupts are obtained by "cascading" 8259A Programmable Interrupt Controllers, i.e. by connecting the INT line of the new ("slave") PIC to the IRQ2 line of the existing ("master") PIC. Thus the above report is perfectly normal and has nothing to do with a virus. Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ Date: 18 Nov 91 02:05:55 +0000 >From: sam9361@tamuts.tamu.edu (Shawn Adrian Mchorse) Subject: "Stealth" Viruses (4096 in particular) (PC) I've been doing some research into computer viruses for my philosophy class, and I've been rather intrigued by some of the so-called "stealth" viruses. In particular, I have a couple of questions about the 4096 virus (aliases: Century Virus, FroDo, IDF Virus, Stealth Virus, 100 Years Virus). It is supposed to be able to find the original interrupt vector addresses for both the 13h and 21h interrupts, thus bypassing all active detectors that trap these interrupts. I have gone through several technical references, but have been unable to find where in BIOS or DOS it located this information. I assume it must be in one of the several tables of information in memory that are initialized at boot-time, but I cannot seem to locate it. I would prefer responses by e-mail, considering the volume of posts to this group. Thanx. Shawn McHorse sam9361@tamuts.tamu.edu ------------------------------ Date: Mon, 18 Nov 91 13:35:37 +0200 >From: grdo@botik.yaroslavl.su (Dmitry O. Gryaznov) Subject: Liberty virus (PC) McAfee's VIRLIST.TXT says about the Liberty virus: Infects Fixed Disk Partition Table-----------------------+ Infects Fixed Disk Boot Sector-------------------------+ | Infects Floppy Diskette Boot ------------------------+ | | Infects Overlay Files------------------------------+ | | | Infects EXE Files--------------------------------+ | | | | Infects COM files------------------------------+ | | | | | Infects COMMAND.COM--------------------------+ | | | | | | Virus Remains Resident---------------------+ | | | | | | | Virus Uses Self-Encryption---------------+ | | | | | | | | Virus Uses STEALTH Techniques----------+ | | | | | | | | | | | | | | | | | | | Increase in | | | | | | | | | | Infected | | | | | | | | | | Program's | | | | | | | | | | Size | | | | | | | | | | | | | | | | | | | | | | Virus Disinfector V V V V V V V V V V V Damage - ----------------------------------------------------------------------------- Liberty [Liberty] Clean-Up . . x x x x x . . . 2862 O,P Patricia Hoffman's VSUM says: Virus Name: Liberty .... V Status: Common .... Type Code: PRfAK - Parasitic Resident .COM & .EXE Infector .... General Comments: .... Liberty is a self-encrpyting virus. It is not yet known if it is destructive. .... Fridrik Skulason's F-PROT 2.01 (Viruses/Information) says: .... Type: Resident COM/EXE-files .... The effects of Liberty are not fully known yet. Four days ago I'd received a sample of the Liberty (Liberty-C according to Patricia Hoffman) virus from my E-mail pen-pal from South Africa. I'd disassembled and examined the virus. The first and the main feature missed in the above descriptions is that the Liberty virus infects not only COM/EXE files but a BOOT sector of floppies as well. However, a floppy infection occurs rather rare and is possible on PC XTs only. When an infecting of a file fails due to a lack of free disk space - INT 21H/AH=40H returns with Carry flag clear but the number of bytes actually written is less then required (AXFrom: Daryanani Subject: Re: Norton SI 6.01 and Cascade? (PC) westk@cgrb.orst.edu (Ken West - Entomology) writes: >I just installed Norton Utilities version 6.01 with DOS 5.0 running on >my 386-25. The SI (system information) utility has a function to list >hardware interupt usage. When I make this selection, it reports >[Cascade] grabbing interrupt 2 (IRQ 02). I scanned the machine with >McAfee Scan v. 84, and F-prot version 2.01 and neither report >infection. Can anyone tell me what is going on here? Has anyone else >seen this with Norton 6.01? That [Cascade] is not the Cascade virus, rather it is refers to the hardware interrupt cascade. The interrupt controller chip (PIC) can only support 8 IRQs, so starting with the PC/AT IBM put in 2 of these chips and cascaded all interrupts from the second to IRQ 2 on the first. That way you now have 15 IRQ lines and old PC/XT programs still work, thinking there are only 8 IRQ lines. Raju - -- Raju M. Daryanani raju@dcs.qmw.ac.uk ------------------------------ Date: Mon, 18 Nov 91 12:06:41 -0500 >From: Otto Stolz Subject: Re: Generic scanning - a small test (PC) On Sat, 09 Nov 91 17:39:08 +0000 Frisk said: > I just did a small test and I hope the results are of general interest. ... > Sample name: TERROR-N.COM > 2.01-Secure: not detected > 2.01-Quick: Infection: Terror > Scan 84: not detected > Analyse: No virus-like code found ... > Sample name: NUMLOCK.COM > 2.01-Secure: not detected > 2.01-Quick: Infection: PC-Flu > Scan 84: not detected > Analyse: This program modifies itself in a highly suspicious > way. It is either infected, or a badly written program > which overwrites code with data. > > So, what can be said about the results? How can it be that in these two cases a Quick scan detected something, a Secure scan missed? Before that test, I was under the impression that a Secure scan will never find less viruses or variants than a Quick scan. Does this result mean that we will have to run both scans to be on the safe side? Bewildered, Otto or ------------------------------ Date: Mon, 18 Nov 91 18:02:18 -0500 >From: Otto Stolz Subject: Re: Stoned on 3.5" disks / "1590" virus (PC) Sorry for replying so late. On 10 Oct 91 09:56:35 -0500 Don Medal said: > We are currently infected with an apparently new strain > of the "Stoned" virus. We ran tests last year and determined that the > Stoned virus we had at that time could not infect our 3.5" disks, > suddenly we are overwhelmed by Stoned on our 3.5" machines also. This is not necessarily a new strain. The (ordinary) Stoned virus infects only diskettes in drive A. As the infection always comes from the same drive A (by accidently booting from an infected diskette), this virus will stick to one sort of diskettes, under normal circumstances. However, it can equally spread in an 5.25" or in an 3.5" environment. Hence, to the (ordinary) Stoned virus, the MS-DOS world consists of two mutually exclusive populations of PC, viz. those with 3.5" drives as A, and those with 5.25" drives as A. In rare cases, a copy of the virus may make it to the other sort of diskettes, e.g. after re-configuring a PCwith an infected hard disk (making A a drive of the other sort), or after mounting an infected hard disk into another PC with different diskette drive A. This copy will subsequently spread in the other part of the PC population. Of course, a Stoned virus could be modified to infect B drives, as well; this variant could easily propagate to the other sort of diskettes, as many PCs are equipped with two different dikette drives. I do not know, whether such a variant exists, however. Best wishes Otto ------------------------------ Date: 18 Nov 91 19:31:09 +0000 >From: mmartin@elbereth.rutgers.edu (Michael Martin) Subject: Dir-II at Rutgers University (USA) (PC) On November 11, I stated that DIR-II had been found at Rutgers University. At the same time, my incoming news feed was out, so I have no idea what discussion may have occurred. However, by email, Vesselin Bontchev of the University of Hamburg suggested that this might be a misidentification. I now have a second identification of DIR-II from Skulason's F-PROT v2.01. Discovery of the infection was accidental, the result of a scan out of idle curiosity. The virus was removed by McAfee clean 7.9v84. The only snag was that McAfee CLEAN was unable to remove the virus when executed from a boot disk. It was necessary to copy CLEAN to the (infected) hard disk first. Beyond that, everything went smoothly. The affected lab is back to normal, but is now protected by McAfee VSHIELD. F-PROT's TSR, VIRSTOP was also effective in detecting the virus. The F-PROT version I have cannot remove this virus. Too bad one of these programs was not installed before the virus arrived. mike martin mmartin@caip.rutgers.edu ------------------------------ Date: 18 Nov 91 22:56:02 +0000 >From: gcs90579@zach.fit.edu ( WIDJAJA) Subject: virus ? (PC) Hi, there ! I don't know if I put this article in the right place. I have problem with my computer, IBM PC 286. I used MSDOS 3.2, then I changed/installed with MSDOS 3.3. Now, the problem is that sometimes my hard disk does not response when I boot the computer. I have to reboot it again to make it works. Before I installed MSDOS 3.3, I did not have any problems at all with the hard disk. I use Scan virus to detect the computer and I do not find any virus. Is there any new virus in my computer that the Scan can not detect it?. I use Scan v76. Can someone help me?. Thanks. Wan ------------------------------ Date: 18 Nov 91 22:35:06 +0000 >From: smithd@professor.eng.tulane.edu (David Smith) Subject: Re: System 7 vs. viruses (Mac) LISSA@WHEATNMA.BITNET writes: > It should be noted that the "Desktop" viruses (WDEF and CDEF) do _not_ > infect System 7. This is explained in the online Disinfectant manual. > > "...System 7 is completely immune to the 'Desktop' viruses (WDEF and CDEF). > These viruses never activate, spread or cause any damage under System 7.... > ..Under MultiFinder, the Desktop files are always 'busy'..." > > This goes on to say that Disinfectant cannot affect changes in MultiFinder. > Since it cannot chnage it to repair it, it is safe to assume that the file > cannot undergo changes to be infected with the virus in the first place. > > Hmmm...maybe Apple is finally getting smart. :-) Well I do not know about Multifinder under sys 7 but under 6.8 running AUX in which multifinder is always running the desktop and the system have been infected and Disenfectent cannot remove it, it must be reinitilized. ??????????????????????????????David Smith????????????????????????????????????? ?? ?? ?? I am surrounded by fools. There are people all around me. ?? ?? God made us in his image. Therefor is God a fool? ?? ?? "He's dead Jim!" ?? ?? /Std. disclamer, My views are only my own.../ ?? ?????????????????????????????????????????????????????????????????????????????? ------------------------------ Date: Tue, 19 Nov 91 14:04:00 -0600 >From: Ken De Cruyenaere 204-474-8340 Subject: Strange symptoms include COMMAND.COM disappearing (PC) A colleague has two machines (pc compatibles - one is a COMPAQ 386) down with strange symptoms. COMMAND.COM CONFIG.SYS and AUTOEXEC.BAT have all disappeared ! Both machines were running OK but hung up when the user tried to exit to DOS (from LOTUS in the case of the COMPAQ). The latest anti-virals were run and turned up nothing. I have scanned thru back issues of this digest but don't recall seeing these symptoms before. Does anyone know of any virus, trojan -OR- user error that would result in the above files disappearing? Ken - --------------------------------------------------------------------- Ken De Cruyenaere - Computer Security Coordinator - Computer Services University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2 Bitnet: KDC@CCM.UManitoba.CA Voice:(204)474-8340 FAX:(204)275-5420 ------------------------------ Date: 19 Nov 91 15:27:54 -0400 >From: Larry Mateo Subject: Jerusalem Virus Questions (PC) I'm looking for information on how the Jerusalem virus and its various strains are spread. Could someone point me to an authority or provide me with the information? Thank you. ------------------------------ Date: Wed, 20 Nov 91 19:13:00 +0200 >From: Y. Radai Subject: Mark Washburn (was: Hardware? How about software...?) Frisk writes: >The usefulness of SECURE is subject to debate. My opinion is however >that the simple fact that is written by Mark Washburn is a pretty good >reason to ignore the program - as well as all other programs written by >known virus authors. I don't suppose this is something we can achieve agreement on since it has little to do with facts. Anyway, I do not agree that a program should be ignored simply because it was written by a known virus author. I suspect that quite a few anti-viral people have written at least one virus for test purposes. Should we ignore their software too? I suppose, however, that you meant people who have released viruses publicly, not just for test purposes. True, Washburn released a virus publicly, but many of us distinguish between writers of deliberately destructive viruses and those of non-destructive ones. And Mark's vi- ruses are not destructive. True, someone else used his virus to create a destructive one, and mainly because of the possibility that this would happen, Washburn's decision was a mistake. But perhaps he has realized his mistake? And even if he has not repented, I'm not sure the public should be deprived of knowledge of a good product because of this. As you will no doubt recall, several months ago (long before Fred Waller appeared on the scene), I expressed the opinion in Virus-L that SECURE was the best generic monitoring program I had seen, at least from the point of view of minimizing false negatives (and perhaps false positives too, though it leaves something to be desired from the user interface as- pect). So why should the program be ignored? Just to get revenge on Washburn? Well, as I said, this has little to do with facts, so I suppose neither of us will convince the other. Still, I thought it would be a good idea to point out that other opinions are possible on this issue. Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 223] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253