VIRUS-L Digest   Wednesday, 11 Dec 1991    Volume 4 : Issue 234

Today's Topics:

Administrivia - getting ready for Volume 5
Re: possible virus? (PC)
MDISK? (PC)
Musical Virus ?? (PC)
Dir II in Norway (PC)
M.Angelo Virus (PC)
PC problem - possible virus? (PC)
Latest version of SCAN V85 - validation codes ? (PC)
Information request re: Voronezh virus (PC)
Viral myths
New Release of VIRUSCAN (PC)
McAfee virus utilities (ver 85) updates (PC)
new mcafee programs (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart.  Discussions are not limited to any one hardware/software platform - diversity is welcomed.  Contributions should be relevant, concise, polite, etc.  Please sign submissions with your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.  Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 11 Dec 91 14:16:45 -0500
From:    Kenneth R. van Wyk
Subject: Administrivia - getting ready for Volume 5

As I indicated previously, I'm soliciting for suggestions for improving VIRUS-L/comp.virus so that we can get 1992 (and Volume 5 of the digests) off to a good start.  So far, I've gotten two real good selections, which I'll be implementing.  The first is effective immediately, and the second will get started with Volume 5.

- Re-organize the product reviews into separate "pc" and "mac" directories.
  Effective immediately, all PC product reviews are archived on cert.sei.cmu.edu (192.88.209.5) in:

        pub/virus-l/docs/reviews/pc

  ...and all Macintosh reviews are in:

        pub/virus-l/docs/reviews/mac

  (Reviewers - I have a bit of a backlog of reviews that I'll be posting over the next week or two.  I haven't forgotten about it.)

- Change the numbering scheme of the archived issues.  Up until, and including all of Volume 4 (the current volume), the filenames for the digests themselves have been "v#i#" (e.g., v4i1, v4i11, v4i222).  Starting with Volume 5, I'll be numbering them as "v#i###" (e.g., v5i001).  This will make it easier to read alphabetized directory listings.  (Pray - and not just for this reason - that we never reach v#i1000... :-)

Thanks to everyone who has taken the time to jot me a note.  Keep 'em coming.

Ken

Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
krvw@CERT.SEI.CMU.EDU (work)
ken@THANG.PGH.PA.US (home)
(412) 268-7090 (CERT 24 hour hotline)

------------------------------

Date:    Mon, 09 Dec 91 17:20:36 +0000
From:    bdh@gsbsun.uchicago.edu (Brian D. Howard (CS))
Subject: Re: possible virus? (PC)

It sounds like your problem with the Epsons is a hardware one rather than a virus.  Those machines are rather old and I know the wear and tear the computing lab environment causes.  (I'm labs manager here at the UC-GSB.)

You didn't mention it, but does the machine boot and ask you to hit ?  Often times when the battery that backs up the CMOS memory starts to go, that is the first symptom.  The solution is to get a new battery pack.

What kind of drives are in the Epsons?  The 3-1/5-inch in 5-1/2-inch frame 20M drives that were in a lot of them (Tandons I seem to recall) tended to fail.  As the machines all tend to get the same number of hours use in a lab, failures tend to cluster in time.
(We have HP EGA monitors that all started dying at the same time.)

If it's the drive, consider replacing the HD, HD controller and floppy controller with an IDE drive and controller.  We did that with all of our HP Vectras and breathed new life into obsolete hardware (also get DOS 5 at the same time; it makes the machines noticeably faster to the users).  You should be able to get a 40M drive and controller for about 250.00 (if you can't get it locally I can give you the name and phone number of the Chinese Bookstore that we buy our computer parts from).

--
_______________________________________________________________________________
This space intentionally left what would otherwise be blank were this not here.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date:    09 Dec 91 16:13:51 +0000
From:    tuura!mattij@fuug.fi (Matti Joutkoski)
Subject: MDISK? (PC)

This is a very short question:  What is MDISK, which is mentioned in McAfee documentation in some virus infected cases?  Is it like FDISK, which will 'clear' boot sectors, FAT etc. and build them without a new installation of the operating system?

Just wondering.

--
Matti Joutkoski                        ICL Personal Systems Oy/PC Div.
mattij@tuura.icl.fi                    International Technical Support
tel. + 358-0-567 3866                  PL 780, 00101 HELSINKI
fax. + 358-0-567 3238                  FINLAND

------------------------------

Date:    10 Dec 91 16:49:45 +0100
From:    Carl Bretteville
Subject: Musical Virus ?? (PC)

Does anyone out there know of a PC virus playing X-mas tunes ??  Two tunes have been heard.  They are: "Jingle Bells" and "Rudolph the Red-nosed Reindeer".

------------------------------

Date:    10 Dec 91 16:47:08 +0100
From:    Carl Bretteville
Subject: Dir II in Norway (PC)

Vesselin Bontchev writes in his VALERT message of DEC 05 that the "Dir II" virus has 6% "of the Norwegian infections".  Happy I am to say that this is not so.
He has misunderstood the graphs he got from me in Washington DC last week at the Anti Virus Prod. Developers Conference.  Vesselin has encouraged me to explain the facts of the matter:

A Norwegian company with offices in Sofia "imported" the virus to Norway.  12 machines at one site were infected.  The incident was reported to us on 14NOV91, at which time we confirmed the virus to be "Dir II".  It seems that we have been successful in stopping the virus this time; no other incidents have been reported so far (I guess it is just a matter of time...).

Carl Bretteville
Arcen Data AS

------------------------------

Date:    Tue, 10 Dec 91 11:30:02 -0500
From:    JOHNSON@tarleton.edu
Subject: M.Angelo Virus (PC)

We have been infected with the M.Angelo virus in our student computer lab.  I would like to know what this virus does and how to remove and inoculate against it.

------------------------------

Date:    Tue, 10 Dec 91 14:14:46 -0500
From:    "SFC Kenneth J. Acord"
Subject: PC problem - possible virus? (PC)

As a 'sometimes' DOS support person within my organization, I was asked to take a look at one of the user's PCs Monday morning.  This particular machine was one of a series of 31 that were recently acquired by the Laboratory.  A description of the machine, and the problems I encountered, along with a listing of what I attempted to do, follows.  I do not know the cause of the problems, but the user stated that the machine was functioning properly on Saturday, was shut down and not turned on again until Monday morning.  Is it possible that a virus, not detected by vscan82, caused this condition, or are you aware of anything else that could cause such a complete scrambling of a hard drive?
System Description:

    IQ System IBM clone, mid-tower case
    33 MHz 80386DX
    AMI BIOS
    4 Mb RAM
    120 Mb Conner hard disk drive
    Drive A: 1.2 Mb high-density 5.25" floppy disk drive
    Drive B: 1.44 Mb high-density 3.5" floppy disk drive
    Trident TVGA video card with 512 Kb of RAM
    AAMAZING brand super VGA monitor
    3COM 3C503 networking card with PC-NFS software
    Z-NIX Inc mouse
    MicroSoft MS-DOS 5.0 operating system
    MicroSoft Windows 3.0

Autoexec.bat:

    @ECHO OFF
    prompt $p$g
    path c:\WINDOWS;c:\dos;c:\nfs;c:\kermit
    DOSKEY
    explosiv d100 e15 m3 c15 p2
    C:\MCAFEE\VSHIELD /COPY /CHKHI /M /WINDOWS

Config.sys:

    DOS=HIGH
    DEVICE=C:\MOUSE\MOUSE.SYS /C1 /Y
    device=c:\windows\smartdrv.sys 2048 512
    FILES=20

Description of Problem:

The system was used on Saturday, 30 November 1991, and no problems were noticed.  System refused to boot on Monday morning, 2 December 1991.  The error message was a non-system disk message.  A check of the CMOS setup showed that the hardware configuration information pertaining to the drives, both floppy and hard, was missing.  The CMOS showed no floppy or hard drives installed.  The clock and the RAM sizes were correct, however.  The setup information was replaced, and an attempt was made to re-boot the system.  The same error message appeared.  A check of the setup showed the proper information, but the machine would not boot from the hard drive.

The computer was booted from a floppy disk, and vscan82 was run on drive c:, with the result of 'No viruses found'.  I attempted to use the DOS sys command, and the error message 'Not enough room to install system' was returned.  I next tried the DOS 'chkdsk c:' command, and the error messages scrolled off the screen continuously, until I grew weary and did a Ctrl-Break to stop it.  While the drive test was running, the list of files being tested filled the screen to overflowing, then continued to scroll off the screen.
The screen was filled with lines similar to the following:

    C:\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\Windows\********.***, error message.
    (********.*** represents various files)
    C:\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\DOS\Windows\********.***, error message.

My next step was an attempt to use Norton Utilities' Norton Disk Doctor (NDD) in an attempt to resolve the problem.  Version 4.5 was the version of Norton's which was used.  NDD found the following errors, which I indicated it should 'fix':

    1.  Media descriptor byte error
    2.  Error in partition table
    3.  Error in FAT tables
    4.  File size allocation error
    5.  Cross-linked files

After supposedly fixing these problems, NDD asked if I wished to test all of the drive surface for defects, and I answered yes.  After completion of the NDD program, an attempt was made to boot the machine from the hard drive.  The original error message was again displayed.  A second attempt was made to run NDD, but the following message was displayed: 'Drive identifier type error.  Return to setup and correct the drive identifier for the hard drive then attempt to execute NDD.'  A check was made of the CMOS, and the correct drive type identifier was displayed:

                       Cyln  Head  WPcom  LZone  Sect  Size
    47 = USER TYPE     874   16    875    875    17    116MB

Another attempt was made to run NDD, but the invalid drive type identifier message was again displayed.  Vscan was again run, with no viruses found.  I tried to execute the DOS 'tree' command and pipe the results to a file, but the PC simply 'locked up' and had to be rebooted from the floppy drive.  I tried this twice before giving up on it.

I acquired a copy of XTree Gold and used it to log onto drive C:.  XTree Gold told me that there was 220 Mb of files on drive C: with 112 Mb of free space available, and the tree structure looked exactly as expected after seeing the multiple \DOS subdirectories.
The \DOS branches of the tree extended all the way across the screen, and at the bottom of each branch were the MCAFEE, KERMIT, UTILS, and WINDOWS subdirectories, each with copies of the files from the original directories.  I attempted to 'PRUNE' the erroneous \DOS subdirectory branches, but received an error message that the directories were not empty.  A further check revealed that each copy of the branch had a directory with files with read-only and hidden attributes set.  I went to the second from the left branch and manually, using XTree Gold, changed the file attributes, erased the files, and deleted the directories under the \DOS directory.  When I tried to move to another branch, the message 'Drive has been changed' was received.  I quit XTree Gold, then immediately restarted it.  All of the \DOS sub-directories were still there, but no other sub-directories, or files, showed up.  However, the drive window still showed 220 Mb of files and 112 Mb of space available.  I exited XTree Gold and attempted to do a 'dir c:', and the system locked up.

I rebooted from a floppy, then executed the DOS command fdisk.  I deleted the drive partition table, then re-partitioned the drive (one large, bootable, DOS partition), then re-formatted the drive as a system drive.  After re-installing the DOS, Windows, McAfee, and some utility files and re-creating the autoexec.bat and config.sys files, the system booted from the hard drive with no problems.  Vscan82 was again run, with no virus found.

Any assistance or information you can provide about this problem would be greatly appreciated.  You may reach me at the following address:

    Director
    U.S. Army Ballistic Research Laboratory
    ATTN: SLCBR-SE-A (SFC Ken Acord)
    Aberdeen Proving Ground, MD 21005-5066

    DSN 298-6272
    Comm. (410) 278-6272
    Internet acord@brl.mil

------------------------------

Date:    Wed, 11 Dec 91 13:43:10 +0000
From:    mathews@kong.gsfc.nasa.gov (Jason Mathews - 514)
Subject: Latest version of SCAN V85 - validation codes ?
         (PC)

New release of McAfee Associates software: Version 85 of the SCAN, VSHIELD, and CLEAN programs.  These were uploaded to garbo.uwasa.fi in the directory pc/virus.  The validation data is as follows:

    CLEAN.EXE   6251  110C
    SCAN.EXE    02B9  0486
    VSHIELD     57AA  0E66

Can this be officially confirmed by McAfee Associates?

It was mentioned that a frequently-asked-questions list should be maintained in this news group.  This list should include a standard checksumming method of validating the latest anti-virus programs.  Whether McAfee's validate methods or an RSA method, there should be a way to confirm the integrity of these critical programs.

Jason Mathews

------------------------------

Date:    Tue, 10 Dec 91 19:47:00 +0000
From:    dittrich@milton.u.washington.edu (Dave Dittrich)
Subject: Information request re: Voronezh virus (PC)

One of the generally available computers in the Chemistry Department here at the University of Washington was recently infected with the Voronezh virus.  To date I have not encountered any information on this virus.  In order to best handle the infection here in the department, as well as helping to stem the spread on this campus, I need some more information about this virus.

I would appreciate it if someone could provide me with information on this virus, similar to that in a recent post on the Michelangelo virus, Message-ID: <0015.9112041458.AA14139@ubu.cert.sie.cmu.edu>, (which I also had the pleasure of having to disinfect this week :-(

Thanks in advance!

--
Dave Dittrich
dittrich@u.washington.edu
...!{uunet|ihnp4|ncsu}!u.washington.edu!dittrich

------------------------------

Date:    Fri, 06 Dec 91 18:51:24 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Viral myths

DEFMTH1.CVP   911206

                        Viral Myths - Malice

The old saw "it ain't that folks is so ignorant, it's that they know so much that ain't so" is true in the computer virus field as in no other I have ever been involved with.
For a variety of reasons, hard facts about computer viral programs are extremely hard to come by, while rumours, innuendo and outright lies abound.  The terms "virus" and "damage" are so closely connected in the minds of most computer users that "virus" is now being used to describe any situation in which a computer is damaged, unavailable or simply not doing what the user wants.  (This leads to the "Hurricane Hugo Virus", the "I-hit-Exit-and-the-word-processor-stopped Virus" and, the favourite of all technical support people, the "Not-Plugged-In Virus".)  By the same token, many users fear *any* viral program, regarding all of them as if they carried the Black Death.

The truth is, relatively few viri perform any overt "damage" to a system.  Of the hundreds of viral strains, only a small number carry a "payload" intended to corrupt data or erase random files, and these tend to be correspondingly rare in terms of number of infections.  Those few viral variants which "destroy" their target files or disks are, by definition, self revealing and self limiting.

(Of course, I now have to back pedal by defining "overt" damage.  All viral programs make some kind of change to the system.  Even those which are designed to be "benign" may cause unforeseen problems in new situations.  It is quite certain that the author of the "Stoned" virus did not intend any kind of damage to result from its spread; he just never knew anything about RLL disk controllers or high density disks.  Most "header" or "integrity" checks in programs were intended only to trap bad copies or disk sectors; they still stop programs from operating if a viral infection occurs.  In these days of increasingly multi-layered operating systems and "background" utility programs, the addition of a resident virus is increasingly likely to result in unforeseen interactions.
It is also important to note that all viri, trojans and hacking/breaking erode, and may ultimately destroy, the trust and community which currently supports so much international research and cooperation on the nets.)

If viral programs are not intended to cause damage, why are they written?  My personal opinion is that this is a kind of self-reproducing electronic graffiti.  Basically, it is an unsightly nuisance, perpetrated by tiny minds in search of some place in life.  Most of them don't think they are harming anyone.  Most of them don't think.

copyright Robert M. Slade, 1991   DEFMTH1.CVP   911206

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "Metabolically
Institute for  Robert_Slade@mtsg.sfu.ca | challenged"
Research into  CyberStore               | User
               (Datapac 3020 8530 1030) | politically correct
Security       Canada V7K 2G6           | term for "dead"

------------------------------

Date:    Wed, 11 Dec 91 03:33:13 +0000
From:    mcafee@netcom.com (McAfee Associates)
Subject: New Release of VIRUSCAN (PC)

                 NEW RELEASE OF McAFEE ASSOCIATES SOFTWARE

Version 85 of the VIRUSCAN, VSHIELD, CLEAN-UP and NETSCAN programs has been released.  Seventy-six viruses have been added.  Viruses that have been reported at multiple sites include the Barcelona virus in Spain, the Haifa virus in Israel, the Hary and Irish viruses in the U.K., the New 1701 virus in Finland and Norway, and the SBC, Stoned III, and SVC 5.0 viruses in North America.

Other viruses added in this release are the 123, 233, 370-B, 408, 487, 621, 640, 658, 709, 712, 737, 7th Son, 802, 812, 1193, 1241, 1463, 1530, Ada, Argentina, ASC, Brothers, Cara, Caz, Color, COP, CRF, CSL, Day10, DM400, Dutch, Einstein, Error, Got-You, Grape, H-2, Hero-b, Invol, Joke, Karin, Kiev-1, KU-448, LC, Mono, MPS-11, MSTU, Parasite, PathHunt, Pirate, Plov, Poem, Pregnant, QML, Reset, SCT, Sentex, Socha, Suriv 4.02, Squeeker, Stink, Sys, SX, Tony, Travel, V82, V-5, VTS, and Word-1 viruses.
Version 85 of VIRUSCAN adds several new options as well as enhancing existing ones: the ability to NOT add validation codes to files with the /AV option by creating an exception list of files to ignore, the option of beeping whenever a virus is found with the /BELL switch, the option of displaying messages in Spanish with the /SP switch, the ability to search a system for files that do not have validation codes with the /CERTIFY switch, the option to speed up VIRUSCAN's output with the /FAST switch, the option to skip scanning inside of PKLITE-compressed files with the /NPKL switch, the ability to display a help screen by typing /?, /H, or /HELP, and the ability to store the options to run VIRUSCAN in a configuration file.

CLEAN-UP version 85 adds the ability to display messages in Spanish when run with the /SP switch.  Disinfectors have been added for the 903, 1008, 1024, 1253, 1554, V2000, 2560, 3445, Boys, Cara, Devil's Dance, Enigma, Flash, Greemlin, Irish, M128, Possessed, SBC, SVC 5.0, SVC 6.0, and V730 viruses.  Clean-Up also now removes generic boot sector viruses and generic partition table viruses.

Version 85 of VSHIELD adds one new option as well as a new supplemental program.  When VSHIELD is run with the /NOBREAK option, it can not be broken out of during installation with a Ctrl-C or Ctrl-Break key combination.  The CHKSHLD program can check to see if VSHIELD is loaded in memory.  This is primarily for network administrators who want to prevent network access to users who are not running VSHIELD.  Compatibility with Quarterdeck's QEMM memory management software has been improved as well.  V85 also now checks the B: drive for boot viruses if the /COPY option is used.

FTP AVAILABILITY

The files have been uploaded to wsmr-simtel20.army.mil in the directory.  The files have also been uploaded to garbo.uwasa.fi and are currently in the /pc/incoming directory.
The filenames are:

    SCANV85.ZIP   Scans stand-alone and networked PC's for viruses
    CLEAN85.ZIP   Virus removal program for PC's and LAN's
    VSHLD85.ZIP   Infection-prevention TSR for PC's
    NETSCN85.ZIP  Scan network file servers for viruses

The validation data is as follows:

    CHECKSHIELD 0.3 (CHKSHLD.EXE)  S:7,789   D:12-10-91  M1: F9AB  M2: 01D2
    CLEAN-UP V85 (CLEAN.EXE)       S:83,241  D:12-09-91  M1: 6251  M2: 110C
    NETSCAN V85 (NETSCAN.EXE)      S:59,074  D:12-10-91  M1: B7D3  M2: 1258
    VIRUSCAN SCANV85 (SCAN.EXE)    S:61,149  D:12-10-91  M1: 02B9  M2: 0486
    VSHIELD VSHLD85 (VSHIELD.EXE)  S:35,789  D:12-10-91  M1: 57AA  M2: 0E66

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

--
- - - -
McAfee Associates          | Voice (408) 988-3832 | mcafee@netcom.com (business)
4423 Cheeney Street        | FAX   (408) 970-9727 | aryehg@darkside.com (personal)
Santa Clara, California    | BBS   (408) 988-4004 | "Il est mort, Jean-Luc"
95054-0253  USA            | v.32  (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield   | HST   (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date:    Wed, 11 Dec 91 06:49:01 +0000
From:    ts@uwasa.fi (Timo Salmi)
Subject: McAfee virus utilities (ver 85) updates (PC)

From: Harri Valkama
Subject: Re: your mail
To: mcafee@netcom.com (McAfee Associates)
Date: Wed, 11 Dec 91 7:50:54 EET

> I have uploaded to garbo.uwasa.fi
>
>   /pc/incoming
>   SCANV85.ZIP   Scans stand-alone and networked PC's for viruses
>   CLEAN85.ZIP   Virus removal program for PC's and LAN's
>   VSHLD85.ZIP   Infection-prevention TSR for PC's
>   NETSCN85.ZIP  Scan network file servers for viruses
>
>                  NEW RELEASE OF McAFEE ASSOCIATES SOFTWARE
>
> Version 85 of the VIRUSCAN, VSHIELD, CLEAN-UP and NETSCAN programs has
> been released.
>
> The validation data is as follows:
>
> CHECKSHIELD 0.3 (CHKSHLD.EXE)  S:7,789   D:12-10-91  M1: F9AB  M2: 01D2
> CLEAN-UP V85 (CLEAN.EXE)       S:83,241  D:12-09-91  M1: 6251  M2: 110C
> NETSCAN V85 (NETSCAN.EXE)      S:59,074  D:12-10-91  M1: B7D3  M2: 1258
> VIRUSCAN SCANV85 (SCAN.EXE)    S:61,149  D:12-10-91  M1: 02B9  M2: 0486
> VSHIELD VSHLD85 (VSHIELD.EXE)  S:35,789  D:12-10-91  M1: 57AA  M2: 0E66

Thanks.  These are available now as:

    garbo.uwasa.fi:/pc/virus/scanv85.zip
    garbo.uwasa.fi:/pc/virus/clean85.zip
    garbo.uwasa.fi:/pc/virus/vshld85.zip
    garbo.uwasa.fi:/pc/virus/netscn85.zip

--
== Harri Valkama, University of Vaasa, Finland ==========================
P.O.Box 700, 65101 VAASA, Finland (tel:+358 61 248426 fax:+358 61 248465)
Anon ftp garbo.uwasa.fi (128.214.87.1) and nic.funet.fi (128.214.6.100)
Mailserver: mailserv@garbo.uwasa.fi,Subject:garbo-request,body:send help

"If you do not know how to go about getting these packages you are welcome to email me for the prerecorded garbo.uwasa.fi instructions, Keith Petersen (w8sdz@wsmr-simtel20.army.mil) for SIMTEL20 information, or Craig Warren (ccw@deakin.oz.au) for Oceanian garbo mirror information.  North American users are advised first to search on SIMTEL20 or its mirror wuarchive.wustl.edu.  Oceanian users are referred to rana.cc.deakin.oz.au (for recent files)."

...................................................................
Prof. Timo Salmi
Moderating at garbo.uwasa.fi anonymous ftp archives 128.214.87.1
School of Business Studies, University of Vaasa, SF-65101, Finland
Internet: ts@chyde.uwasa.fi  Funet: gado::salmi  Bitnet: salmi@finfun

------------------------------

Date:    Wed, 11 Dec 91 07:27:00 -0500
From:    HAYES@urvax.urich.edu
Subject: new mcafee programs (PC)

Hello.

The "85" series of McAfee's products is now available from either:

    oak.oakland.edu in: /pub/msdos/trojan-pro

or

    urvax.urich.edu in: [.msdos.antivirus]

for anonymous FTP.
The files are:

    SCANV85 .ZIP
    CLEAN85 .ZIP
    NETSCN85.ZIP
    VSHLD85 .ZIP

Regards,
Claude

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu    (Bitnet or Internet)
Richmond, VA  23173

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 234]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
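Jason Mathews asks above whether the SCAN V85 validation codes he saw on garbo.uwasa.fi can be confirmed, and the McAfee Associates announcement later in the digest publishes the full list. As an added example, not part of the digest and not McAfee's VALIDATE tool, the Python below parses both published forms of the data, cross-checks the relayed codes against the vendor list, and checks a constructed file against a (size, code) record. The CRC-16 is a stand-in: the digest does not say how the M1/M2 values are computed, so it will not reproduce them.

```python
import re

# Vendor records as posted by McAfee Associates in this digest.  M1/M2 are
# VALIDATE.COM check values; the digest does not say how they are computed.
MCAFEE_RECORDS = """\
CHECKSHIELD 0.3 (CHKSHLD.EXE) S:7,789 D:12-10-91 M1: F9AB M2: 01D2
CLEAN-UP V85 (CLEAN.EXE) S:83,241 D:12-09-91 M1: 6251 M2: 110C
NETSCAN V85 (NETSCAN.EXE) S:59,074 D:12-10-91 M1: B7D3 M2: 1258
VIRUSCAN SCANV85 (SCAN.EXE) S:61,149 D:12-10-91 M1: 02B9 M2: 0486
VSHIELD VSHLD85 (VSHIELD.EXE) S:35,789 D:12-10-91 M1: 57AA M2: 0E66
"""
# The same codes as relayed independently by Jason Mathews (garbo upload).
RELAYED_RECORDS = """\
CLEAN.EXE 6251 110C
SCAN.EXE 02B9 0486
VSHIELD 57AA 0E66
"""

_VENDOR_RE = re.compile(
    r"\((?P<name>[A-Z0-9]+\.EXE)\) S:(?P<size>[\d,]+) D:(?P<date>[\d-]+) "
    r"M1: (?P<m1>[0-9A-F]{4}) M2: (?P<m2>[0-9A-F]{4})")

def _stem(name: str) -> str:
    """Normalise 'VSHIELD' and 'VSHIELD.EXE' to the same lookup key."""
    return name.upper().rsplit(".", 1)[0]

def parse_vendor(text: str) -> dict:
    """Map file stem -> {'size', 'date', 'm1', 'm2'} from the vendor list."""
    out = {}
    for line in text.splitlines():
        m = _VENDOR_RE.search(line)
        if m:
            out[_stem(m["name"])] = {"size": int(m["size"].replace(",", "")),
                                     "date": m["date"], "m1": m["m1"], "m2": m["m2"]}
    return out

def parse_relayed(text: str) -> dict:
    """Map file stem -> (M1, M2) from the terse 'NAME M1 M2' form."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            out[_stem(parts[0])] = (parts[1].upper(), parts[2].upper())
    return out

def cross_check(vendor: dict, relayed: dict) -> dict:
    """Per relayed entry: 'match', 'mismatch', or 'unlisted' (no vendor record)."""
    result = {}
    for stem, codes in relayed.items():
        v = vendor.get(stem)
        if v is None:
            result[stem] = "unlisted"
        else:
            result[stem] = "match" if (v["m1"], v["m2"]) == codes else "mismatch"
    return result

def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF).  Stand-in for a 16-bit
    validation code; it does not reproduce McAfee's M1/M2 values."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def validate(data: bytes, size: int, code: int) -> dict:
    """Check a local copy against a (size, code) record.  The size field alone
    accepts any same-length tampering; the check code is what catches it."""
    return {"size_ok": len(data) == size, "code_ok": crc16_ccitt(data) == code}
```

Running `cross_check(parse_vendor(MCAFEE_RECORDS), parse_relayed(RELAYED_RECORDS))` reports all three relayed entries as matching the vendor list, which is the confirmation Jason asked for.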