VIRUS-L Digest Tuesday, 17 Dec 1991 Volume 4 : Issue 236 Today's Topics: Re: "Bloomington" Virus (PC) Re: Booting from clean floppy (PC) Password program (PC) IDE dead sector viruses (was: potentially cute idea (PC)) Re: Booting from a clean floppy (PC) DIR-2 vs CLEANv84 (PC) Virus source in BBS's (PC) Re: password program (PC) Identifying a BSI virus (was Re: Generic boot sector virus (PC) Untouchable From Fifth Generation Systems (PC) Source code on Fidonet (PC) Re: Low-cost Macintosh anti-virus software (Mac) Mac virus?: system crash (HELP!) (Mac) Hardware damage VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Thu, 12 Dec 91 16:39:31 -0500 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Re: "Bloomington" Virus (PC) >From: david.lannigan@dsp.analog.com (David K. Lannigan) >Having just purchased Norton Anti-Virus, we discovered a strain of the >"Bloomington" virus on a floppy we have. The strange thing is that we >can't find it on any hard drives we have, just a floppy that we copied >some files onto. "Bloomingtom" is another name for the "NOINT", a "stealthy" MBR and boot sector infector. Not a very nice virus, if you ask for the partition table you are likely to get garbage. If DOS gets garbage, bye,bye disk. CHKDSK will report 2k less "total bytes memory" (640k usu reports 655360 - 653 or less is a danger sign). Padgett ------------------------------ Date: Thu, 12 Dec 91 16:38:16 -0500 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Re: Booting from clean floppy (PC) Victor Smith writes: >Hello >Let me disagree with You. I think if "virus scanner" can realy >desinfect virus in memory it does not matter from where You booted >computer, for example it is very easy to stop activity of 4096 just >replace 3rd call to jmp in virus and it will stop activity, and "virus >scanner" can try to scan any file. Of course if "virus scanner" can >not cure virus in memory it is very dangerous to scan files... Further on: >Hello Aryeh, >Only one thing You forgot, for example my computer has very interesting key - >"Reset" :-). >I mean that usualy people reboot computer by pressing this key or switching >power on, of course I agree that it is very useful feature, but somethimes it >does not work. On the dirt tracks of North Carolina where I learned "offensive driving" there was a saying for this kind of attitude: "More guts than brains". Padgett ------------------------------ Date: 12 Dec 91 16:50:00 -0600 >From: "351SMWDOV" <351SMWDOV@sacemnet.af.mil> Subject: Password program (PC) This letter is in response to S. D. Law's article on the same subject: In the June 91 Computer Shopper is an article on virus-detection programs on page 352. In it is a review of a program called Virus Prevention Plus by PC Guardian. Included in the program is a security feature that makes the computer unusuable unless a password is entered. The computer will even bypass a bootable floppy if present and require the password to be entered. The article stated that an emergency access route was built in, but provided no details. The author of the article is Steven J. Vaughan-Mills, and can be reached on MCI Mail as sjvn. Mike Taylor 351smwdov ------------------------------ Date: Fri, 13 Dec 91 12:48:16 +0000 >From: he@sup.stollmann.de (Helge Oldach) Subject: IDE dead sector viruses (was: potentially cute idea (PC)) hobbit@ftp.com (*Hobbit*) writes: ^^^^^^^^ ...whatever you real name is... | Do enough partition table viruses hide stuff in the "dead" sectors | around the rest of cyl/head 0/0 to make the following hack worthwhile: | Low-level format your HD such that the first sector of 0/0 is good and | the rest are flagged bad. | [...] | Of course, it probably wouldn't work on IDE drives, but then again... This is actually a very bad idea for IDE hard disk drives. Since these drives have an on-drive controller specialized for controlling that particular drive, it usually also has the ability to fumble with odd drive geometry. For example, manufacturers may place more sectors in the outer region of the surface than in the inner region while the drive geometry seen externally (i.e. for software) appears straightforward with a fixed number of sectors per track. As a result: One should never, repeat: NEVER, low-level format an IDE drive! By incident, a friend of mine just has a virus on one of the "dead" sectors and no virus scanner available to delete this virus. :-( Does anybody in Netland know a virus scanner that handles these odd viruses and repairs IDE drives? - -- Helge.Oldach@stollmann.de Helge.Oldach@sephh.hanse.de ------------------------------ Date: Fri, 13 Dec 91 14:55:00 +0000 >From: Nick Hilliard Subject: Re: Booting from a clean floppy (PC) In Virus-l, 12-DEC-91, Victor Smith writes: > > The first ability is the reason it is recommended to boot from a "clean" > > floppy before you run a virus scanner. > >Hello >Let me disagree with You. I think if "virus scanner" can realy >desinfect virus in memory it does not matter from where You booted >computer, for example it is very easy to stop activity of 4096 just >replace 3rd call to jmp in virus and it will stop activity, and "virus Writing virus scanners which have to cope with the problem of already-resident viri is an unnecessary complication. It could be done, of course, but it just means more work for the programmers, *and* it would not be fail-safe. Remember just how many viri there actually _are_ out there [no comments about names and classification, please ;-)]. Writing the code to disable each one of them, restore all the interrupts they hook, reclaim memory, etc. is superfluous when all you have to do is stick in a clean floppy, and press the reset button.... >scanner" can try to scan any file. Of course if "virus scanner" can >not cure virus in memory it is very dangerous to scan files... If you boot off a clean floppy, you avoid all these problems. >BTW should do users who has no floppy drives ? :-) All PC's with hard drives have floppy drives, and if they don't, they should. ************************************************************************** * Nick Hilliard * If you pick up a starving dog and * * e-mail: hilliard_n@csvax1.ucc.ie * make him prosperous, he will not * * s-mail: Too slow, don't bother. * bite you. This is the principal * * * difference between a dog and a man * * Standard disclaimers apply.... * -- Mark Twain * ************************************************************************** ------------------------------ Date: Thu, 12 Dec 91 18:41:55 +0700 >From: Cezar Cichocki Subject: DIR-2 vs CLEANv84 (PC) Hi| My computer catch an DIR-2 virus, and I try to clean it with McAffe's CLEAN v 84. And what I saw ? 1) SCAN and CLEAN ignore last sectors on disk, so virus live normally there. 2) CLEAN can not clean DIR-2, it can only DESTROY (erase) all infected files. So, when I scan an empty disk with DIR-2 virus, SCAN tell me that all is right. When I have virus in system CLEAN erase all my .exe and .com files and DO NOT CLEAN MY DISK. It is rather abnormally situation, is't it ? Virus was cleaned with DIR2CURE.COM by Marek Sell. Cezar Cichocki Dep. of Psychology Warsaw Uniwersity Poland ------------------------------ Date: Fri, 13 Dec 91 16:08:58 +0700 >From: KADLOF@PLEARN.BITNET Subject: Virus source in BBS's (PC) Vesselin Bontchev in Virus-l 4/231 writes about DIR-2: >Unfortunately, just minutes ago I got a report that somebody has >posted the SOURCE (!) of the virus (not a disassembly, the original >source) on a public FidoNet conference, which is distributed around >the world... The same person (alias: Ahmed Dogan) at the same time posted source code of the following viruses: DIR-2, The Diamond Virus, Darth Vader, MG 3 and Anti-Pascal version AP-400. The source of the last one is a really good disassembly prepared by Vesselin Bontchev in July 1990. It contains copyright note and remark: "This listing is only to be made available to virus researchers or software writers on a need-to-know basis." I do not claim that Vesselin has made his disassembly available to persons like "Ahmed Dogan" or Todor Todorov. It is just an example that the distribution of virus source among even the most "trusted researchers" is never safe. Maybe some day I will see in some public forum my own disassembly. The problem is more general: how to organize safe and effective cooperation between different anti-virus centers? How to decide which anti-virus center is a real responsible anti-virus laboratory, especially in countries which authorities do not care about the problem, where victims of Anti-Telephonica or Disk Killer are talking about practical jokes instead of crimes? Poland is not bad example of such a country. Andrzej Kadlof Department of Mathematics, University of Warsaw, Poland Editor-in-chief of PCvirus Bulletin ------------------------------ Date: Sun, 15 Dec 91 18:14:58 +0000 >From: dlinder@cse.unl.edu (Daniel Linder) Subject: Re: password program (PC) In comp.virus, someone writes: >We have recently found on our public pc's some sort of password >program that I think has somehow been put into the cmos. It seems to >be a "commercial type product" that has been put on for fun. Does >anyone know of this and abviously more importantly, how do I get into >the pc to get it off. Booting from floppy does not work as cmos is >run before this. If you have an IBM PS/2 line, then some user might have set the hardware password. If this is the case, all you need to do is open the case, and look for a small jumper (I believe in the back). Just move this to the "reset password" position, and the machine should boot up like normal. I think that if you leave this jumper in this position, the machine will automatically reset the password each time it is powered up, so no password will be able to be set. If this is a clone motherboard, I believe you can reset the CMOS back to the factory defaults by holding down the [INSERT] key while turning the system on. (I think it's the insert key, may be the [DELETE] key...) Hope this helps!! Dan dlinder@cse.unl.edu - -- | Dan Linder - Comp. Eng. - Junior | Ensign Ro: "Who are you?" | dlinder@cse.unl.edu | Guinan: "I told you; I am Guinan, | University of Nebraska - Lincoln | I tend bar, and I listen." | Disclaimer: My university does not listen to me, why would I speak for them? ------------------------------ Date: Mon, 16 Dec 91 12:35:00 +1300 >From: "Mark Aitchison, U of Canty; Physics" Subject: Identifying a BSI virus (was Re: Generic boot sector virus (PC) NVCARLE@VCCSCENT.BITNET (Eric Carlson) writes: > I also ran into a floppy that SCANv84 said had a GENERIC BOOT SECTOR VIRUS > I also tried CPAV 1.0, NAV, and F-Prot 2.01. The only thing that said > anything (other than SCAN) was the ANALYZE function in F-PROT 2.01 and > it agreed with scan. > > I didn't do anything to the disk after that, but I saved a copy of > the BOOT sector to a file using NORTON 6.01 DISKEDIT. I have that file if > anyone wants it. Just tell me how to transfer it (if that is possible). > > What should I have done to the disk? It was some sort of spreadsheet > file disk used in some courses. Good question. I have two programs, BOOTID and CHECKOUT, both free (BOOTID source is also free), designed specifically for such cases, i.e. someone has a suspicious boot sector and wants identification of it without the risk of broadcasting the entire boot sector in any way that could result in "the wrong people" reconstituting a live virus. Both programs are available via anonymous ftp from: cantva.canterbury.ac.nz [IP address: 132.181.30.3] in the pc directory, or newton.phys.canterbury.ac.nz [132.181.40.1] in the pub/local directory. The BOOTID program generates a relatively short "ID number" for the boot sector, which people with a collection of viruses, plus the program, can use to identify the virus, or to at least get an idea of what general type of boot sector it is (in the case of new viruses or valid-but-strange boot sectors). I'm still interested in comments on the program, by the way, and almost have enough to make it worth writing a new version. (At that stage I'd be happy to see the program on many ftp sites). CHECKOUT can do everything that BOOTID can, plus has the ability to give quite a bit of information about the boot sector, including a description (giving reasons why it thinks the boot sector is good or bad). But, like any heuristic, be careful not to assign too much significance to its conclusions. The part that does a reverse-assemble and tries to work out register contents at the time of interrupt calls is downright buggy - I include it in CHECKOUT at the moment only because it is of some help as it stands, so long as people understand enough to ignore some of what this part of the program says! Checkout also can look up a database of "known" hashcodes, and give the conventional name for a virus, or at least the closest virus in the database... but (again) that bit in the version that's publicly released needs improving. In case you missed my earlier postings on the subject, the "boot id's" created are of a form where the first part tries to assign a unique number to the basic contents of the diskette's boot sector, ignoring changes in size & serial number but otherwise sensitive to the slightest version/generation change; the last part of the code tries to identify what the boot sector is doing - indicating family relationships, etc. It is possible to get an idea of what the boot sector is up to simply by looking carefully at the code (or applying CHECKOUT to the code produced by BOOTID on somebody else's machine). It is possible to create a boot sector which isn't a virus but still gets reported by CHECKOUT as "probably a virus", although it would definately be strange and contrived. Some valid, non-bootable, diskettes do get a "seems strange" warning, especially those that deliberately try to look like infected diskettes to avoid viruses infecting them. It is possible, but difficult, to make a virus that CHECKOUT thinks is normal. It is also possible, but very, very difficult, to make such a virus get the same identification code as some known, genuine DOS diskette. And even if someone does waste their time doing that, such viruses can still be caught by true virus detectors (in fact, something required to get around one test would make the virus even easier to spot by at least one type of virus detector, so I don't mind making the source of BOOTID free to everyone - - but I don't want to say any more on why any virus specially written to fool the program would be easy to spot by some methods!) The aim of H(ash)codes is to assign names to boot sectors (viruses and good ones) for which no other knowledge is required. Many present names are based on somebody's idea of a good name, e.g. where it was discovered, or a word from a message that one version produces. With my program, you get a name for a BSI virus given only the diskette and the program, and people on the other side of the world can arrive at the same name for the same virus. The only problem is that some mutating viruses can get lots of different names, which is a nuisance, but then the "family" part of the identification is helpful. That's one of the areas I'd like comments on - whether to increase the "family" part of the code. If anyone wants to chat about the technique, or the extension of the code to non-BSI viruses (which is possible, but a lot of work), feel free to e-mail me. Certainly I am happy for others to include the naming scheme in their software, so long as they ask first (in case there's a better version to include). Mark Aitchison, Physics, University of Canterbury, New Zealand. ------------------------------ Date: Sun, 15 Dec 91 13:10:14 -0800 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Untouchable From Fifth Generation Systems (PC) A-GROS@vm1.spcs.umn.edu writes: > I recently received an ad for an antivirus program called Untouchable > from Fifth Generation Systems which I have not heard of or seen My understanding is that this is a repackaging of V-Analyst, by B.R.M. of Israel. Fifth Generation has promised me a copy for review, so I should have something to post here .. say, before 1994? :-) (My apologies to those companies which have sent product and still not seen reviews. An in-laws 50th anniversary plays hob with your work schedule ...) ============= Vancouver p1@arkham.wimsey.bc.ca | "Metabolically Institute for Robert_Slade@mtsg.sfu.ca | challenged" Research into CyberStore | User (Datapac 3020 8530 1030)| politically correct Security Canada V7K 2G6 | term for "dead" ------------------------------ Date: Sun, 15 Dec 91 13:29:16 -0800 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Source code on Fidonet (PC) Vesselin has noted the publishing, on the unmoderated "VIRUS" echo on Fionet (not to be comfused with the moderated "VIRUS_INFO" and "*WARNINGS*" echoes) source code for five previously known viri. Although this is a blow, thanks to Tim Martin I have been able to test all five against SCAN 85, VIRx 1.8 (by the way, Ross, where/when is 1.9?), FPROT 2.01 and TBSCAN 2.8 with the VS911009 signatures. All programs will identify the viral code produced, with the exception of TBSCAN, which does not identify the DIR-II/Creeping Death code. ============= Vancouver p1@arkham.wimsey.bc.ca | "Metabolically Institute for Robert_Slade@mtsg.sfu.ca | challenged" Research into CyberStore | User (Datapac 3020 8530 1030)| politically correct Security Canada V7K 2G6 | term for "dead" ------------------------------ Date: Fri, 13 Dec 91 17:57:03 +0000 >From: csfed@ux1.cts.eiu.edu (Frank Doss) Subject: Re: Low-cost Macintosh anti-virus software (Mac) I would like to thank every one who answered my request for Mac anti-virus software. Here is my summary of responses: Disinfect seems to be the most popular package, followed by GateKeeper. Of the commercial packages, only SAM (Symantic's Anti-virus for Macs) was mentioned. Thanks, again. Frank E. Doss Academic Computing csfed@eiu.edu Eastern Illinois University ------------------------------ Date: Sat, 14 Dec 91 15:18:00 -0500 >From: SWVX@VAX5.CIT.CORNELL.EDU Subject: Mac virus?: system crash (HELP!) (Mac) Does anyone have any information about a Mac virus that causes programs to frequently "unexpectedly quit due to error type 1" It happens under both system 7 & system 6, on various machines. If this is a virus, is there a utility to get rid of it? (I have already run Disinfectand 2.5.1) Christopher Manly swvx@vax5.cit.cornell.edu swvx@cornella.cit.cornell.edu ------------------------------ Date: Sun, 15 Dec 91 13:35:56 -0800 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Hardware damage DEFMTH2.CVP 911215 Hardware damage The myth of viral programs damaging hardware seems to be one of the more enduring. *No viral program yet found has been designed to damage hardware, and THERE HAS NEVER BEEN ANY CONFIRMED CASE OF A VIRAL PROGRAM DIRECTLY CAUSING PHYSICAL DAMAGE TO COMPUTER HARDWARE.* Is that plain enough? It *is* possible for certain pieces of hardware to be damaged by software or programming. To the best knowledge of the international virus research community, no such programming (with the exception of low level formatting, see below) has ever been found on an existing virus "in the wild." Monitors - certain older types of monitors (notably early IBM mono graphics adapters) could be made to "freeze" the sweep of the electron beam, and thus "burn in" a section of the screen phosphors. No one has ever burned a hole in a monitor, nor have they ever caused one to overheat and "blow up" with software. Power supplies - cannot be addressed by software. No one has ever "melted down" a power supply with software. Printers - as with any physical device can be damaged by getting them to do any one thing for too long. This, of course, depends upon the machine running unattended for a long time. Drives - some drives can be damaged by "pushing" the heads beyond normal limits. On others, this is a good way to find more disk space. Certain drives can be damaged by having the heads "seek" back and forth at a resonant frequency. (Usually older drives, for mainframes, are more susceptible to this. There is also a story, likely apocryphal, that one computer company set up a "portable" computer, including banks of disk drives, in a semi-trailer for demos. The first time the truck took a turn with all the drives running, it flipped over due to the enormous stored angular momentum of the spinning platters.) IDE controllers and drives do not allow for the normal calls to low level format the drive. If such a call is made, the results are uncertain. The drive will not be formatted, but it will not be left in a usable state. IDE drive manufacturers have not, in the past, shipped programs for low level formatting, and so a call for a low level format on an IDE drive has been, to the normal user, no different than hardware damage. As this has become known in the user community, more IDE manufacturers have been shipping the formatting programs. Hardware damage by software is possible, but extremely rare. copyright Robert M. Slade, 1991 DEFMTH2.CVP 911215 ============= Vancouver p1@arkham.wimsey.bc.ca | "Metabolically Institute for Robert_Slade@mtsg.sfu.ca | challenged" Research into CyberStore | User (Datapac 3020 8530 1030)| politically correct Security Canada V7K 2G6 | term for "dead" ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 236] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253