VIRUS-L Digest   Wednesday, 4 Dec 1991    Volume 4 : Issue 229

Today's Topics:

Administrivia - Seeking volunteers
FORM-virus / documentation (PC)
Re: NIST Naming Proposal
Re: What's special about LAN's? (PC)
Re: Telefonica (PC)
Computer Sounds Like Telephone--Virus? (PC)
F-PROT 2.01 (PC)
Request for help on removing the DIR-II virus (PC)
Re: VIRUS: DIR-II (PC)
Re: Latest version of McAfee Scan?? (PC)
Re: Secure DOS... (was: What the user wants) (PC)
Re: A couple questions (Mac) (Commodore)
New Joshi Variant (PC)
Washburn et al
Re: Michelangelo Virus (PC)
directory update

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 04 Dec 91 09:47:35 -0500
From:    Kenneth R. van Wyk
Subject: Administrivia - Seeking volunteers

Hi gang,

A few people have suggested to me that we put together an FAQ (Frequently Asked Questions) list, to be distributed periodically as well as made available on the archives.  It would also be useful for sending to people who ask FAQs, in lieu of posting these messages to the group itself.  This, of course, could help cut traffic on the list somewhat - at the very least, it should reduce the number of FAQs that get posted.

So, what I'm looking for is a couple of volunteers to help put together an FAQ list, complete with questions and answers.
I will collate the Qs and As into one FAQ sheet.  I'd like to see the FAQ be small enough to post periodically (say, once a month, along with the list of archive sites).

Any takers?

I'm also (always) interested to hear feedback on how to improve the group.  I think that an FAQ will do a lot to improve the quality of the group, and hopefully reduce the quantity a bit, and I can't imagine anyone objecting to either.  :-)

So, with the new year (and VIRUS-L Volume 5) approaching, let's get those ideas in, so that we can start the new year by improving the group.

Cheers,

Ken

Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
krvw@CERT.SEI.CMU.EDU (work)
ken@THANG.PGH.PA.US (home)
(412) 268-7090 (CERT 24 hour hotline)

------------------------------

Date:    Thu, 28 Nov 91 10:24:31 +0000
From:    "Olivier M. Zaech-Liesegang"
Subject: FORM-virus / documentation (PC)

Hi there,

I recently got a couple of texts on several diskettes.  Some of them were infected by the FORM virus (VSHIELD, SCAN84, VIRX).  Although I was able to clean them with CLEAN84, I'd like to know what the FORM virus can do, how it operates and so on.  I took a hexdump of the boot sector before and after cleaning and saw some differences.  Is there any documentation (short descriptions) available about the most popular viruses?

Thanks for any help & greetings from the mountains (yes, it's Switzerland).

olivier m. zaech-liesegang

------------------------------

Date:    Thu, 28 Nov 91 16:37:59 +0000
From:    Fridrik Skulason
Subject: Re: NIST Naming Proposal

In Message 23 Nov 91 07:09:02 GMT, KADLOF@PLEARN.BITNET writes:

>collection any file with name like RCE-1834 then it is from Soviet Union
>archives.
The problem with this naming scheme is that although it may have been usable when there were only a few viruses, now that we have broken the "two new viruses per day" limit it simply becomes useless - it is helpful as a primitive description of the functionality of the virus, but unusable as a real name.

Anyhow - some real progress was made regarding virus naming at the NCSA conference (which I just returned from)....more about that later..

- -frisk

------------------------------

Date:    Thu, 28 Nov 91 16:45:56 +0000
From:    Fridrik Skulason
Subject: Re: What's special about LAN's? (PC)

In Message 25 Nov 91 04:55:00 GMT, TSHAPIN@BIIVAX.DP.BECKMAN.COM (TED SHAPIN) writes:

>What if anything is special about virus on a LAN?  Is it simply a
>matter of needing to scan all the network drives when looking for
>possible virus?

I can think of the following significant differences:

  * Boot sector viruses cannot spread over the LAN.

  * If the LAN software is installed properly, it can provide excellent virus protection - under Novell Netware one can for example make files "Execute-only" - which effectively protects them from all file viruses - (well, unless you log in as an infected SUPERVISOR, of course).

  * Some scanners and anti-virus products do not operate 100% on all LANs.

- -frisk

------------------------------

Date:    Thu, 28 Nov 91 16:51:13 +0000
From:    Fridrik Skulason
Subject: Re: Telefonica (PC)

>Does anyone have experience of this virus, and if so, can they tell me
>how to recover a totally corrupted hard disc.

If the virus has trashed the disk, you probably cannot recover anything - just repartition, reformat and restore from the latest backup...(You do keep backups, I hope).

>Also, is there any way of removing this virus safely from a floppy disc?

Try F-PROT 2.01 - I have successfully used it to handle a major outbreak here in Iceland.

Actually, when people are talking about Spanish telecom they may refer to two separate things.
Spanish Telecom is really only a file virus, but it contains another virus - "Campanja" or "Campana"...which is only a boot sector virus - and it sounds as if you got hit by that one...

- -frisk

------------------------------

Date:    Thu, 28 Nov 91 19:15:29 +0000
From:    mholtz@sactoh0.sac.ca.us (Mark A. Holtz)
Subject: Computer Sounds Like Telephone--Virus? (PC)

I am not sure if this is a virus or not, so I'm asking.....

Occasionally, while running an MS-DOS program, my PC will stop for a second and ring twice, like a telephone.  This will occur either in SHEZ, or when I am executing an MS-DOS 5 command.  No other harm, at least, not yet.  According to McAfee's SCANV84, using SCAN C: turns up no viruses.

This is occurring on both an Everex 386/20 Cache and a clone 386/33 cache.  Both have AMI BIOSes and MS-DOS 5.

Maybe someone ought to make a weekly posting of external virus identification strings for use with McAfee's scan to identify viruses that pop up since the last scan....

- --
A man, trapped in the past, facing    <:> UUCP: PacBell.COM! -> mholtz!sactoh0
mirror images that are not his own... <:>       ucbvax!csusac! /
QUANTUM LEAP! Wednesdays at 10 on NBC <:>
(9p Central/Mountain/Sacramento, CA)  <:> Internet: mholtz@sactoh0.sac.ca.us

------------------------------

Date:    Fri, 29 Nov 91 10:20:58 +1100
From:    pjc@melb.bull.oz.au (Paul Carapetis)
Subject: F-PROT 2.01 (PC)

I sent an enquiry to Frisk earlier this month but have not had a reply.  I know that he is a very busy man so I am sending this post to this group as I know that he and many very talented and knowledgeable people read it.  Please have patience with me for asking this question, but I think it may be of interest to more people than just myself.

Background:

I work in a software development group that is split into several sub-groups, each being responsible for different pieces or packages of software.
One sub-group have the need to alter information in the boot sector of their DOS machines and have written a utility to perform this alteration.  I am nervous about them utilising such a utility; however, they have the requirement that it be used.

Utilising F-PROT 1.16, each time they ran the utility, they were presented with a window informing them of the intended "suspicious" activity of writing to the boot sector and prompting them to specify whether the program should be allowed to continue or not.  This window was the result of running F-LOCK and F-POPUP.

Now we have loaded F-PROT 2.01 and the situation has changed such that the above utility runs without interruption.

The question:

Does F-PROT 2.01 support the detection of suspicious activity and, if not, will future versions?  I may have missed something in the documentation, but I don't believe I have.

Any enlightenment would be greatly appreciated.

Regards,
Paul

| Paul Carapetis, Software Advisor (Unix, DOS, C) | Phone: 61 3 4200944       |
| Melbourne Development Centre                    | Fax:   61 3 4200445       |
| Bull HN Information Systems Australia Pty Ltd   |---------------------------|
| Internet: pjc@melb.bull.oz.au                   |    > Cogito Ergo Sum <    |
| #define STD_DISCLAIMER _my_opinion_only         |   "What, the curtains?"   |

------------------------------

Date:    29 Nov 91 20:04:38 -0400
From:
Subject: Request for help on removing the DIR-II virus (PC)

The DIR-II virus has been detected on one of our PCs, used for transferring files around our LAN.  As we have read in your List, in order to remove this virus completely you must use the DIR2CLR or DIR2CURE.COM programs.  Can you tell us where we can find any of these programs, or any other that effectively removes the virus?

Thanks in advance for any information

Giannis Siahos
Computer Engineering Dpt.
University of Patras, Greece

Please reply to: siahos@grpatvx1

------------------------------

Date:    30 Nov 91 08:14:17 +0000
From:    stella@remus.rutgers.edu (Ricky Suave Stella)
Subject: Re: VIRUS: DIR-II (PC)

> I heard & read about the viruses above, (DIGEST-4).
> We tried all kinds of anti-viral software (CLEAN 84, F-PROT, etc.).  All of them
> informed me about "my" viruses; NO ONE of them CLEANS this virus.
> Your concept requested QUICKLY as possible.

If you are talking about the DIR-II...

About two weeks ago, in two micro-labs at Rutgers University, the DIR-II virus infected almost every PC.  They were discovered as version 84 of McAfee's virus scanner was installed (Vshield, Scan, Clean and NetScan).  Clean version 84 got rid of the virus on every computer.  Vshield has detected every infection thereafter (some users still had floppies infected).

BTW, the lab I manage was not infected.

Ricardo
- ------------------------------------------------------------------------------
Ricardo Stella                               stella@remus.rutgers.edu
RUCS US - CCF                                stella@elbereth.rutgers.edu
Owl's Roost Manager                          stella@zodiac.rutgers.edu
Hill 118 - (908)932-2491                     Rutgers University, NJ
...suave...
- ------------------------------------------------------------------------------

------------------------------

Date:    Sat, 30 Nov 91 13:41:51 +0000
From:    heli@eichow.tuwien.ac.at (Helmut Dier)
Subject: Re: Latest version of McAfee Scan?? (PC)

The latest versions are (all available from wsmr-simtel20.army.mil)
SCANV84.ZIP, CLEAN84.ZIP, NETSCN84.ZIP, VSHLD84.ZIP, VCOPY82.ZIP.

>... Is there a program that can check floppies for viruses immediately
> upon placing the floppy in the drive?

VSHIELD does a good job in checking the loaded EXEs and COMs for viruses while loading them into memory.  So if it isn't a boot floppy you want to use, all files will be checked, because as long as your machine is clean you can READ from it without coming into danger.
Helmut

------------------------------

Date:    Sun, 01 Dec 91 01:28:51 +0000
From:    frotz@dri.com (Frotz)
Subject: Re: Secure DOS... (was: What the user wants) (PC)

PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) writes:

]As I see it, it is hard to get users to make the effort unless it is
]either built into the operating system or provides some other
]advantage that is worthwhile (like extra disk space), or preferably
]both. ...
]
]Possibly a new "secure DOS" is it. ... Possibly a hardware add-on
]that gives security plus something else that is attractive. Overall,
]the problem is selling the idea to users... not only the idea of any
]security at all, but the concept that it is not (can never be) 100%
]effective (as anyone determined enough, with a big enough
]sledgehammer, can always beat any security system) - yet is worth
]having.

There is a story running around our marketing department about a user who wanted to return product after the following situation developed.  He installed DRDOS 6.0 with security over DOS 4.01.  He then had a problem (lost password), improperly removed DRDOS 6.0 without removing security and tried to reinstall DOS 4.01 on his hard disk.  Naturally, 4.01 did not recognize the partition type and failed to install on his C: drive.  His complaint was that our security shouldn't be so difficult to break, as it was costing him time and money to get around the problem!

Here is an example of an end-user wanting the security to be sub-standard!

This emphasizes the need to train end-users in the value (and cost) of adding security (and/or virus protection).  If you want it, there are some things that you will have to give up in return.  Either data accessibility, time, or disk space.

- --
Frotz
"Just do it!"
    -- Nike

------------------------------

Date:    Mon, 02 Dec 91 10:12:31 +0000
From:    alexis@panix.com (Alexis Rosen)
Subject: Re: A couple questions (Mac) (Commodore)

notarus@ux1.cso.uiuc.edu (Mark Notarus) writes:
>alexis@panix.com (Alexis Rosen) writes:
>>>I also own a Commodore 128.  Strangely, over the 6 years I have had it
>>>I have never once had a single virus in it.  Recently a few trojan
>>>horses appeared, but they were easy to spot.
>>>Another reason why my Commodore can't be infected is that it has its
>>>DOS in ROM not in a modifiable DISK which is then loaded into RAM.
>>>Both are loaded into RAM, but on the Commodore, it cannot be changed
>>>with software.
> this isn't quite true.  The Commie 128 often has its ROM-based OS [etc.]

Damnation.  Watch who you're quoting.  I did NOT write that - I explained why inferring Mac behavior from that statement was foolish.

- ---
Alexis Rosen
Owner/Sysadmin, PANIX Public Access Unix, NYC
alexis@panix.com
{cmcl2,apple}!panix!alexis

------------------------------

Date:    Wed, 27 Nov 91 15:59:01 +0000
From:    "Vaughan.Bell"
Subject: New Joshi Variant (PC)

A new variant of the Joshi virus has appeared on some machines at Polytechnic South West Plymouth, which seems to be able to intercept BIOS calls.

When Joshi is in memory and the boot sector is examined with Defiant System's Virus Hunter package (the 'Non-DOS' sector editor which uses only BIOS calls) it appears as a normal DOS boot sector.  Also VISCAN (from The Virus Information Service), when using BIOS calls only, crashes on some machines although it detects the virus successfully on others.  However, this has not happened with previous versions of the virus that have been encountered.

Has anyone else encountered this version of the virus, as we have had several new variants over the past few months and we suspect someone local may be altering this virus.  If anyone could help with this matter I would be very grateful.
Contact:

Vaughan Bell                      or:-   Vaughan Bell
Room 112 Babbage Building                162 Dunstone View
Polytechnic South West                   Plymouth
Drake Circus                             Devon
Plymouth                                 PL9 8QL

or vaughan@cd.psw.ac.uk

------------------------------

Date:    Mon, 02 Dec 91 10:27:24 -0500
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Washburn et al

I have tried (obviously unsuccessfully) to stay out of this one primarily because it is an ethical issue and therefore a personal one.  At one time in my life, time was spent in a warm place where the use of deadly weapons was not only condoned but encouraged (of course the object had similar intentions).  Consequently, I do have a certain amount of sympathy for obviously talented people who were unlucky enough to have been in the right place at the wrong time.

As I recall, all of Mr. Washburn's viruses were claimed to be written to demonstrate the fallibility of virus scanners.  ISFAICA this seems to be true and the code was distributed only to "researchers".

Prior to October 1989, there was no real stigma associated with writing a computer virus, and I recall seeing the Scientific American "Mathematical Games" issue a number of years ago dealing with the subject as something worth exploring.  Of course the DataCrime panic changed that, and since then we have had enough viruses to study that there was no need to write one.  Personally, I find developing integrity management techniques applicable to all of the myriad systems that abound to be more challenging.

As far as PCs were concerned, my experience with viruses began with a series of Brain & Merritt infections at a place I was working at in 1988.  Like many others, I wrote a simple discovery/eradication mechanism, dismissed them as trivial, and went back to what the company was paying me for.  My opinion is still that what makes a virus a virus is the least interesting part.
Though I have seen some useful techniques, they had nothing to do with being a virus - propagation is only difficult if you are selective about it.

Consequently, I do not feel it proper for fallible humans to try to judge another.  In fact, while I cannot think of any beneficial use for a virus, that does not necessarily mean that there will never be one.  Certainly evolving techniques for distributed network authentication begin to sound suspiciously similar (of course we will find a different name for it - AI maybe 8*).

However, when I was a member of the United States Air Force, to be an officer, there was a requirement that the candidate had to have a college degree, not because there were not good people without them, but because the needs of the service, when compared to the pool of applicants, allowed them to be more selective.

                                        Padgett

"What is a Dove, willing to be the best possible Hawk so that others will not have to be?" - anon

Disclaimer: my employer does not necessarily share my opinions, but I am working on that.

------------------------------

Date:    28 Nov 91 08:30:58 +0000
From:    @sunic.sunet.se:goran@infovax (Göran Boström)
Subject: Re: Michelangelo Virus (PC)

ZMSKB@SCFVM.GSFC.NASA.GOV (Scott Bringen) writes:

>I recently discovered that my 386 compatible was infected with the
>Michelangelo virus.

stuff deleted

Here is a sample from an earlier article on this subject:

================================================================
From: ry15@rz.uni-karlsruhe.de
Subject: Michelangelo virus info (PC)
Date: 17 Sep 91 04:26:10 GMT

Name:               Michelangelo virus
Aliases:            none so far!
Family:             Stoned virus
First occurrence:   summer 1991
Place:              n/a
Type:               boot sector / partition table virus
Length:             fits well into the code space of the partition table
Operating system:   not of interest, just uses BIOS interrupts
Version:            any
Computer:           PCs and up

Direct detection:   The original partition table or the original boot sector can be found in sector 7 with hard disks, sector 3 with 12-bit FAT media, and sector 14 with 16-bit FAT media.

Type of infection:  Upon boot up from an infected floppy the virus will go memory resident and infect the partition table.  Any INT 13 is intercepted thereafter.  Any floppy A: operation will infect the disk in drive A: provided the motor was off.  (This cuts excessive infection testing.)

Infection trigger:  Bootup from an infected disk will infect a computer.  Usage of the floppy A: drive (read, write, or format) can cause an infection of that medium.

Infection targets:  Partition table with hard disks and boot sectors with floppy disks.

Interrupts:         INT 13 and INT 1A

Payload:            Data destruction by overwriting the medium from which the computer was booted.  (With hard disks it will overwrite sectors 1..17 on heads 0..3 of all tracks; with floppies sectors 1..9 or 1..14 on both heads and all tracks, depending on FAT type.)

Payload trigger:    Date equal to the 6th of March of any year, which is Michelangelo's birthday.

Families:           The virus seems to be an enhanced Stoned virus.

Removal:            Boot up from a clean disk and move the original sector to its proper location (sector 1, head 0, track 0).  On some systems FAT copy 1 might be damaged, so an additional copying of FAT 2 onto FAT 1 might be necessary.

Analysis:           Christoph Fischer
                    Micro-BIT Virus Center
                    University of Karlsruhe
                    Germany
================================================================

Hope this helps.
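The "Direct detection" and "Removal" steps in the Micro-BIT description quoted above, carried out against a raw disk image, as an added example that is not part of the digest or of Christoph Fischer's analysis.  It assumes the backup locations stated above (sector 7 for hard disks, sectors 3 and 14 for 12-bit and 16-bit FAT floppies), assumes as a heuristic, consistent with the Stoned family the description places Michelangelo in, that the infected hard-disk sector 0 still carries the original partition table at offset 0x1BE (the virus needs it there for DOS to boot), and builds its own constructed sample image; no real virus or MBR code is included and every function name is the example's own.

```python
import datetime

SECTOR = 512
# Where the virus parks the displaced original sector, per the description above.
BACKUP_SECTOR = {"hd": 7, "fat12": 3, "fat16": 14}
PT_OFFSET = 0x1BE    # MBR partition table: 4 x 16-byte entries at 0x1BE..0x1FD
SIG_OFFSET = 0x1FE   # boot signature 55 AA


def read_sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]


def has_boot_signature(sec: bytes) -> bool:
    return len(sec) == SECTOR and sec[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa"


def find_displaced_original(image: bytes, media: str):
    """Return the sector number holding what looks like the displaced original
    boot/partition sector, or None if nothing in the backup slot shadows sector 0.

    Hard-disk heuristic (assumption, consistent with Stoned-family behaviour):
    the viral sector 0 keeps the original partition table so DOS still boots,
    so the table bytes of sector 0 and sector 7 agree while the code bytes differ.
    Floppy heuristic: the backup slot carries a boot signature and differs
    from sector 0.
    """
    n = BACKUP_SECTOR[media]
    current, backup = read_sector(image, 0), read_sector(image, n)
    if not has_boot_signature(backup) or current == backup:
        return None
    if media == "hd" and current[PT_OFFSET:SIG_OFFSET] != backup[PT_OFFSET:SIG_OFFSET]:
        return None  # tables disagree: sector 7 is ordinary data, not a saved MBR
    return n


def restore_original(image: bytes, media: str) -> bytes:
    """The removal step described above: copy the saved original back to
    sector 1, head 0, track 0 (LBA 0).  Do this from a clean boot; a resident
    copy of the virus would stealth the INT 13 reads and re-infect."""
    n = find_displaced_original(image, media)
    if n is None:
        return image
    repaired = bytearray(image)
    repaired[0:SECTOR] = read_sector(image, n)
    return bytes(repaired)


def payload_trigger(month: int, day: int) -> bool:
    """Payload date stated above: 6 March of any year."""
    return (month, day) == (3, 6)


def payload_sector_count(media: str, tracks: int) -> int:
    """Sectors the payload overwrites, using the extents stated above:
    hard disk sectors 1..17 on heads 0..3, floppies sectors 1..9 (12-bit FAT)
    or 1..14 (16-bit FAT) on both heads, on every track."""
    if media == "hd":
        return 17 * 4 * tracks
    return {"fat12": 9, "fat16": 14}[media] * 2 * tracks


# --- constructed sample images: placeholder code, no real MBR or virus bytes ---
def _mbr(code: bytes, table: bytes) -> bytes:
    return code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET] + table.ljust(64, b"\x00")[:64] + b"\x55\xaa"


PARTITION_TABLE = bytes.fromhex("80 01 01 00 06 0f 3f 1f 3f 00 00 00 00 10 00 00")
ORIGINAL_MBR = _mbr(b"ORIGINAL-MBR-CODE", PARTITION_TABLE)
VIRAL_MBR = _mbr(b"FAKE-VIRAL-LOADER", PARTITION_TABLE)   # same table, different code


def make_hd_image(infected: bool, sectors: int = 64) -> bytes:
    img = bytearray(sectors * SECTOR)
    img[0:SECTOR] = VIRAL_MBR if infected else ORIGINAL_MBR
    if infected:
        img[7 * SECTOR:8 * SECTOR] = ORIGINAL_MBR   # the displaced original
    return bytes(img)


if __name__ == "__main__":
    img = make_hd_image(infected=True)
    print("saved original found at sector", find_displaced_original(img, "hd"))
    fixed = restore_original(img, "hd")
    print("sector 0 restored:", read_sector(fixed, 0) == ORIGINAL_MBR)
    today = datetime.date.today()
    print("payload would trigger today:", payload_trigger(today.month, today.day))
```

The partition-table comparison is what keeps this from "restoring" arbitrary data that happens to sit in sector 7 on a clean disk; the FAT repair the description mentions (copying FAT 2 over FAT 1) is a separate step that this example does not attempt.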
------------------------------

Date:    Thu, 28 Nov 91 08:13:00 -0500
From:    HAYES@urvax.urich.edu
Subject: directory update

The following new files are now available for anonymous FTP on our site:

V-FAQ.ZIP      Frequently Asked Questions about PC viruses.  Version 2.
               By: Tapio Keihanen.

ANSIKILL.ZIP   Kill embedded escape sequences which can be included into
               "comment files" in self-extracting .ZIP archives.  Contrary
               to STRIPZIP, the comment file is *not* removed.  Use against
               "ansi bombs".  Shareware.

VIRLAB14.ZIP   Virus simulator from Germany.  This program is a great
               training and teaching tool.  Fetched from RISC.

IMAST101.ZIP   Integrity Master version 1.01a is an easy to use anti-virus
               and data integrity program.  Uploaded by the author (member)
               to a local BBS (sysop being also member).  Shareware.

Site address: urvax.urich.edu, IP# 141.166.1.6
Directory: [anonymous.msdos.antivirus]
(you will be placed in the [anonymous] directory at logon.)
login: anonymous
password:

Regards,
Claude

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu        (Bitnet or Internet)
Richmond, VA  23173

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 229]
******************************************
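The ANSIKILL entry in the directory update above describes removing escape sequences from an archive's comment while keeping the comment itself.  The following is an added example of that check and clean-up in Python; it is not ANSIKILL's code or anything from the digest.  It treats both the archive comment and the per-entry comments of a ZIP file, flags the ANSI.SYS key-reassignment form ESC [ ... p (the sequence an "ansi bomb" uses to make a key type a command) as the dangerous case, and builds its own sample archive with a constructed comment; all names are the example's own.

```python
import io
import re
import zipfile

ESC = b"\x1b"
# A CSI sequence as ANSI.SYS parses it: ESC [ then digits, ';' and quoted
# strings, ended by one byte in the range 0x40..0x7e.
CSI_RE = re.compile(rb'\x1b\[(?:"[^"\x1b]*"|[0-9;])*[\x40-\x7e]')
# The dangerous subset: a key-reassignment sequence (final byte 'p'), which
# makes ANSI.SYS type an arbitrary string when the named key is pressed.
KEY_REMAP_RE = re.compile(rb'\x1b\[(?:"[^"\x1b]*"|[0-9;])*p')


def find_key_remaps(data: bytes) -> list:
    """Escape sequences in data that would redefine a key."""
    return KEY_REMAP_RE.findall(data)


def strip_ansi(data: bytes) -> bytes:
    """Remove every CSI sequence, then any stray ESC byte; plain text is kept."""
    return CSI_RE.sub(b"", data).replace(ESC, b"")


def read_zip_comment(zip_bytes: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.comment


def read_zip_entry(zip_bytes: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def sanitize_zip_comment(zip_bytes: bytes) -> bytes:
    """Rewrite the archive with the archive comment and each entry's comment
    stripped of escape sequences; entries and their data are copied unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            info.comment = strip_ansi(info.comment)
            dst.writestr(info, src.read(info.filename))
        dst.comment = strip_ansi(src.comment)
    return out.getvalue()


# --- constructed sample: a small archive whose comment carries an "ansi bomb" ---
BOMB_COMMENT = (
    b"Thanks for downloading!\r\n"
    b"\x1b[1;33mEnjoy\x1b[0m\r\n"                  # harmless colour change
    b'\x1b[13;"echo y | del *.*";13p'             # Enter key -> typed command
    b"\r\n-- the author\r\n"
)


def make_sample_zip() -> bytes:
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("README.TXT", "sample payload\n")
        zf.comment = BOMB_COMMENT
    return out.getvalue()


if __name__ == "__main__":
    archive = make_sample_zip()
    for seq in find_key_remaps(read_zip_comment(archive)):
        print("key redefinition found:", seq)
    clean = sanitize_zip_comment(archive)
    print(read_zip_comment(clean).decode("ascii"))
```

Colour and cursor sequences are stripped along with the key remap, so the cleaned comment is plain text; if a policy only wants the key-redefinition case blocked, run find_key_remaps first and reject rather than rewrite, since an archive's comment is otherwise displayed verbatim by the self-extractor.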