VIRUS-L Digest Monday, 4 Mar 1991 Volume 4 : Issue 35 Today's Topics: Boot Sectors and Viruses (e.g. STONED) (PC) New Scan, High-memory, researchers (PC) SCORES and Mac virus lethality (Mac) Windows antivirals (PC) Scan 75 new features (PC) New files on MIBSRV (PC) Re: Norton rebuttal (PC) Re: Windows v3.0 / F-Prot (PC) Virus BBS Re: File reduction virus? (PC) Can [Stoned] remain in hard-drive? Low-level signature checking protection re: unknown virus--help (pc) The new version of the Stoned Virus (PC) Reviews and Norton Antivirus (PC) computer virus (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Tue, 26 Feb 91 12:42:01 -0500 >From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: Boot Sectors and Viruses (e.g. STONED) (PC) More and more we are seeing reports of institutions being hit by the STONED and other BSI viruses. Unless there is a trojan involved, the only way for a machine to become infected by one of these is by booting from a floppy. What amazes me is that boot records contain no integrity checking whatsoever (this includes the DOS 5.00 beta we are testing) particularly since the code would take only a few bytes. Following with the DISKSECURE experiment, I wrote a Boot Record program that just replaces the executable on a non-booting disk with such a check procedure. If all goes well, it tells you. If the disk has become infected, it also tells you, not what has infected the disk, but that something has. In the future, I expect large organizations to remove FORMAT and SYS from most machines and either use a central formatting facility or purchase preformatted disks. Putting a new boot record on a disk takes 2-3 seconds. Since the difficulty of putting such checks into disk approaches zero. My feeling is that use of such disks should be one of the layers of protection for the "safe" PC model. Padgett Would you trust ANY computer in Kuwait today ? ------------------------------ Date: 28 Feb 91 23:20:31 +0000 >From: ms@pogo.ai.mit.edu (Morgan Schweers) Subject: New Scan, High-memory, researchers (PC) Introductory Note: The opinions stated here are mine, as a programmer working in the field of anti-viral software. They do not in any case represent the opinions of McAfee Associates. Greetings, In regards to the bugs reported in SCAN V74 and 74B, they have been repaired since, and the new version (V75) is available. The programmer responsible has since been flayed. :-) I recieved an interesting spate of mail from folks who purported to be aware of some secret conspiracy to create a high-memory virus. Frankly, I find it unfortunate that there are some people out there who know WHO virus writers are, and are unwilling to expose them. It shows a certain irresponsibility and a degree of acceptance of what is being done. It bothers me, as a programmer, when a person sends me a virus and STATE that it will never show up in the public domain. Further, when *ONE* person is the link to a virus writer (or writers) it is even more irksome to know that they are under no obligation to expose the authors of this code. It has been suggested to me by one nameless individual that they are, 'only interested in new and unusual techniques of viruses.' The major problem is that this person has been the *SOLE DISTRIBUTOR* of a virus which he claimed used an unusual technique. He is possibly soon to be the sole distributor of another. This appears to be an encouragement of these virus writers. It also appears to be an ego boost for the individual in particular, since they seem to wish the anti- viral workers to waste time on these viruses. Frankly, research viruses in general are a Bad Thing, IMHO. What need do we have for supposed researchers writing viruses and distributing them all over? The virus authors are annoying enough on their own without contributions from the AV community. One of the major problems that I see is this: the anti-viral community treats as commonplace and acceptable the writing of 'research viruses.' Perhaps it's merely the silence of the people which leads me to believe this. Perhaps all the other AV people believe that they are Bad Things also. Speak up. I'd like to hear your opinions. Respond if you do or don't think that RV's should be condoned. Tell me why. I'll concatenate it all and put it all up to the moderator, if he's interested. (If he's not, I'm sure he'll tell me. I'd like to know anyway.) I'd like to hear opinions (and I'm sure I will, this *IS* Usenet after all... ;-) ) on this issue. On a more serious note, th Swedish virus has been eliminated and subsumed into the Stoned Virus general description. (It is sufficiently similar to not warrant a different name.) Further, the following viruses are new to V75: Cancer (.COM), V-299 (.COM), Phantom (.COM), V-555 (.COM/.EXE), Lazy (.COM) and Yap. The bigger-than-512 byte partition table problem, and the false alarms have been dealt with. -- Morgan +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | I don't *KNOW* what my employers opinions are, so I can't | | possibly reflect them here. -- ms@albert.ai.mit.edu | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------------------------------ Date: Thu, 28 Feb 91 22:56:39 -0800 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: SCORES and Mac virus lethality (Mac) fau@po.CWRU.Edu (Francis A. Uy) writes: > Another important thing to note is that none of the Mac virii > known as of Disinfectant 2.4 are specifically malignant: i.e. > they only attempt to spread, rather than trying to destroy files. Well, I suppose it depends a bit on your definition. No, no Mac viri have *destroyed* files, but the Mac does have the distinction of being home to the first virus *known* to be targetted at a commercial program. The program containing the ERIC and VULT resources never did get released, but the bomb was waiting, nonetheless ... ============== Vancouver p1@arkham.wimsey.bc.ca | "It says 'Hit any Institute for Robert_Slade@mtsg.sfu.ca | key to continue.' Research into (SUZY) INtegrity | I can't find the User Canada V7K 2G6 | 'Any' key on my Security | keyboard." ------------------------------ Date: Thu, 28 Feb 91 23:04:09 -0800 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Windows antivirals (PC) JSP105@PSUVM.PSU.EDU (Jeff Payne) writes: > I was curious if there was a Windows 3.0 version (or even aware) of > any anti virus software? I am currently evaluating F-Prot and Of the commercial products I have received for review so far, none indicate any plans for Windows versions, nor do any of the "leads" that are published advertising material. I wonder if Windows versions would be easy. The "received wisdom" for Windows users is that you stop running any TSRs before running Windows. Scanners, of course, don't need to be TSR, but then, do they not run well enough as a "non-Windows" program? ============== Vancouver p1@arkham.wimsey.bc.ca | "It says 'Hit any Institute for Robert_Slade@mtsg.sfu.ca | key to continue.' Research into (SUZY) INtegrity | I can't find the User Canada V7K 2G6 | 'Any' key on my Security | keyboard." ------------------------------ Date: Thu, 28 Feb 91 14:30:54 -0800 >From: ozonebbs!aryehg@apple.com (Aryeh Goretsky) Subject: Scan 75 new features (PC) WHAT'S NEW Version 75 of VIRUSCAN adds seven new viruses and fixes a problem that caused Version 74-B to false alarm on diskettes formatted with Easy-Format. We apologize for any inconvenience we may have caused due to this problem. The new viruses added were: The Phantom virus is a memory-resident .COM file infector sent to us from Budapest, Hungary by Dr. Szegedi Imre. It contains a message stating that it was written by the PHANTOM of the "Hungarian Virus Developing Laboratory." The Azusa virus is a memory-resident floppy disk boot sector and hard disk partition table infector reported from multiple sites in the U.S. The V-299 is a direct-action .COM file infector based on the Amstrad virus. It is not memory-resident. The V-555 virus is a memory-resident .COM, .EXE, and overlay infector. The Lazy virus is a memory-resident .COM file infector. When it is resident, it slows down the processor and screen output significantly. For more information about these viruses, please refer to the enclosed VIRLIST.TXT file. Version 75 of CLEAN-UP adds removal of the Azusa virus, a floppy disk boot sector and hard disk partition table virus that has been reported in multiple sites in the U.S. Version 75 of VSHIELD and NETSCAN add prevention against and network detection of the above-listed viruses, respectively. - ------------------------------------------------------------ NB: I've received several pieces of mail regarding Version 74 incompatibilities with the NEC and Zenith OEM Versions of DOS 3.3. The NEC version of DOS uses a nonstandard partitioning scheme to "get around" the 32Mb hard disk size limit imposed by DOS. VIRUSCAN Version 74 was unable to recognize this and as a result would give a false alarm. Version 74 also misidentified the Zenith OEM version of DOS as having the Swedish Diaster (yet another Stoned variant) virus in the boot sector of formatted disks (hard and floppy). This is due to the fact that the boot sector contained the same code we were looking for in the Swedish Diaster virus. We've also found this code in 10Mb Iomega Bournoulli disk cartridges and disks formatted with DR-DOS 5.0. Version 74-B corrected this problem. We are sorry for any inconvenience or panic caused by our error. Aryeh Goretsky PS: I've also gotten several messages about my internet address. To the best of my knowledge, the site I'm calling from, "ozonebbs.uucp" is on the networks maps and I can be reached as "aryehg@ozonebbs.uucp" if this fails, please try "ozonebbs!aryehg@apple.com" which should reach me. In the event this one bounces also, Mr. Keith Peterson has graciously set up the following mail address "aryehg@tacom-emh1.army.mil" A special note of thanks to all who have persevered in their efforts to reach me (thanks Keith!). -- Aryeh [Ed. The ".uucp" is not supported by Internet Domain Name Service; Internet users should use the @apple.com address.] +----------------------------------------------------------------+ | Aryeh Goretsky, Tech Support vox (408) 988-3832 | | McAfee Associates fax (408) 970-9727 | | 4423 Cheeney Street bbs (408) 988-4004 | | Santa Clara, California 95054-0253 // | | Internet: aryehg@ozonebbs.uucp // | | UUCP: apple!netcom!nusjecs!ozonebbs!aryehg \X/ | | "Opinions expressed are my own and do not neccessarily reflect | | those of my employer."--universal disclaimer applied herein. | | "How is a cat like a meatloaf?"--John R. De Palma, M.D. | +----------------------------------------------------------------+ ------------------------------ Date: Mon, 04 Mar 91 08:23:13 -0600 >From: James Ford Subject: New files on MIBSRV (PC) The following files have been placed on MIBSRV (130.160.20.80) in the directory pub/ibm-antivirus: scanv75.zip - McAfee's Scan v75 clean75.zip - McAfee's Clean v75 netscn75.zip - McAfee's NetScan v75 vshld75.zip - McAfee's VirusShield v75 validate.crc - McAfee's list of validation numbers 0files.9103 - Listing of files available on mibsrv. - ---------- The more heavily a man should be taxed, the more power he has to avoid it. - ---------- James Ford - JFORD@UA1VM.UA.EDU, James_Ford@mib.eng.ua.edu The University of Alabama (in Tuscaloosa, Alabama) ------------------------------ Date: 01 Mar 91 09:19:10 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Norton rebuttal (PC) In a quote "YUSUF HASSAN General Manager Symantec UK" quoted the Virus Bulletin, and as the Technical Editor I just wanted to clarify two minor details. >%"PC performance drops noticeably": in the December issue of the Virus >Bulletin, Nav was rated better than the competition ... Better than some of the competing products in some areas. >%"Percentage of files in which viral activity was detected--80%": >Virus Bulletin stated that Nav had a 99% capability. ... 99% only when scanning the standard test set of only 100 common viruses. If the full set of 400+ variants was scanned, the performance is not nearly as good. It must of course be noted that the same applies to all other anti-virus products. - -frisk Fridrik Skulason University of Iceland | Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 | ------------------------------ Date: 01 Mar 91 09:40:53 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Windows v3.0 / F-Prot (PC) JSP105@PSUVM.PSU.EDU (Jeff Payne) writes: >I was curious if there was a Windows 3.0 version (or even aware) of >any anti virus software? I do not (yet) offer a Windows version of my programs, but I seem to recall that Ross Greenberg is working on that (sorry, Ross if I'm not right). There is not very serious pressure to develop a Windows-specific anti-virus package - there are no Windows-specific viruses yet, and many current anti-virus products do work quite well with Windows. In the case of my own program, I do not recommend using F-LOCK/F-POPUP with Windows - they are just character-based TSR, and may cause problems. The F-DRIVER program works without problems, however, and should provide sufficient protection from known viruses. I am looking into the possibility of developing a Windows anti-virus program, but I think that is 8-12 months away. >Also, has anyone tested F-Net with 3Com or Microsoft LanManager >networks? I've loaded it and it didn't crash, but without a virus to >test it, I can't really tell... You may have to run the F-NET program after you run the network programs, to redirect some interrupts back to F-DRIVER, baut as you said, it is difficult to determine whether is is necessary without a virus. In version 1.15 of F-PROT (almost finished now), I will include a small TESTVIR.COM program, which can be run to determine if the package is working correctly. F-DRIVER should stop the program, and report it to be infected with the "Test" virus, but if F-DRIVER is not installed, or not working, a warning message will be displayed. >Which brings me to my last question, Is there a "harmless" virus that >I could use to test my configurations (in an isolated environment) ? I would recommend the Cascade virus - it is widely available, well known and all anti-virus programs should be able to detect it. The "standard" variant is also one of the most harmless viruses around. - -frisk ------------------------------ Date: Fri, 01 Mar 91 09:58:00 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Virus BBS Virus BBS One of the most serious developments recently is the creation of virus Bulletin Board Systems, where viruses and disassemblies are freely available. The availability of source code creates a serious problem - it is much easier to create a working virus from a disassembly, than from just a sample, and I fear we may see an explosion in the number of virus variants soon - the 400 variants we know today may multiply and become 1000 or so before the year is over. In this area the Bulgarians lead the way - virus writers there often making their sources freely available - I have several assembly listings in my collection, with comments in Bulgarian, and even the names and addresses of the authors. It should not surprise anyone that the best-known virus BBS is in Bulgaria, and anyone uploading a new virus can download other viruses. The BBS is accessible by anyone in the west, but luckily the telephone connections to Bulgaria are quite bad. However, I am more worried about the (reported) virus BBS in Germany and the UK - I have no confirmation they exist, but naturally I would be very interested in hearing from anyone who can confirm their existence. Patricia's list Now that the VSUM list is no longer available on SIMTEL20, I was wondering how to obtain it - as the Technical editor of the Virus Bulletin, I often have to select names for new viruses, and I like to compare my list with hers, although the information on the viruses published there is often incredibly inaccurate. - -frisk Fridrik Skulason University of Iceland | Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 | ------------------------------ Date: 01 Mar 91 09:15:00 -0500 >From: "zmudzinski, thomas" Subject: Re: File reduction virus? (PC) In VIRUS-L Vol 4 #33, Dan Sline said: > I know viruses sometimes increase file lengths, but can a > virus decrease a file length? The reason why I was asking was on a > bank of PCs in a lab, the ipx.com file was 26666, but on one machine > in the bank, the size was 25500, and the file had the correct date. > Another problem was that the machine was notreading the autoexec.bat > file when the computer was booted up. I ran scan 72, but it did not > detect anything. I can only offer theoretical knowledge on this as I know of no virus that actually does what I'm about to describe, but yes, it is possible for a virus to compress an executable and preface it with itself (including the necessary expansion code) such that the file length decreases. However, it would be sloppy of the illegitimate vermin who coded such not to pad the file out to its original size. I suggest you compare the two files. One dead giveaway: compress- ed files don't look anything like uncompressed ones. Tom Zmudzinski | Internet: ZmudzinskiT@IMO-UVAX.DCA.MIL "Better to trade knowledge than something of value" -- Sergio Aragones ------------------------------ Date: 28 Feb 91 11:38:14 +0000 >From: eam3427@tesla.njit.edu Subject: Can [Stoned] remain in hard-drive? Hello everyone! I've got a question for anybody who knows abou the [Stoned] virus: Every time I clean it off the hard-drive (a Seagate st-238-r), it will appear to be clean for some time, but then will re-appear. Is it possible for [Stoned] to remain in my partition table, or do I also have it on another disk, and it gets put back on? I've checked most of my disks, but to check all the disks I use would be almost impossible. Any chance of it staying on the drive after being cleaned? (I'm using McAffee's SCAN, and CLEAN) Please reply through E-Mail, I don't read the net often. EAM3427@Tesla.NJIT.EDU emauro@mars.njit.edu Thanks! ------------------------------ Date: Fri, 01 Mar 91 11:38:00 -0500 >From: JHSangster@DOCKMASTER.NCSC.MIL Subject: Low-level signature checking protection I agree with Bob Bosen that signature checking is the ONLY anti-viral protection that will detect future viruses as well as known ones. My "preferred implementation", however, is to put the checking in the BIOS ROM so that any executable can be checked while it is being loaded. With the checker in ROM, I don't think it is "too easy to fake the all clear signal" as Bob says. What is probably needed to get the manufacturers to go along is either Federal legislation forcing every commercial software vendor to provide a signature or else a Federal standard requiring it on all software bought by the Federal government. Or maybe if MicroSoft, AMI, Phoenix Technologies, IBM, and RSA Data Systems all got together and offered it as an option for people who wanted it... Unfortunately, we have here an example of what I like to call the "Railroad Problem" (literary reference, Heinlein's "Door Into Summer"): If there are no tracks, who wants to spend money to develop locomotives, but if there are no locomotives, who wants to spend money to lay down tracks? And in the present case, there may well be software vendors who don't like the idea that someone can prove their negligence if an employee sneaks a virus into their shipped products. That's why legislation may be necessary. - -John Sangster SPHINX Technologies, Inc. / (315) 446-8800 / (617) 235-8800 ------------------------------ Date: Fri, 01 Mar 91 08:02:10 -0500 >From: DTHURMON@UTCVM.BITNET Subject: re: unknown virus--help (pc) this note is in reply to Christie Kell's note concerning a virus infecting the file WIN386.EXE on a pc. my guess would be that the virus came from a floppy inserted into the pc at some time. your best bet, rather than investing in an expensive virus killer, is simply to remove the WIN386.EXE file and re-install it from the factory copy. if this is not possible, however, i would reccomend VIRUCIDE by McAffee and Associates. i work in a microcomputer lab, and we have found it to be very effective in keeping things cleaned up. this should be available to any non-profit organization, but is not licensed for business use. if you cannot get the address of McAffee and Associates, i will be happy to mail it to you. good luck! dave thurmond (dthurmon@utcvm) ------------------------------ Date: Fri, 01 Mar 91 10:31:54 -0800 >From: westk@cgrb.orst.edu (Ken West - Entomology) Subject: The new version of the Stoned Virus (PC) I have also encountered a new version of the stoned virus. The message in the boot sector is "This pc is stoned Legalise Marijuana". F-disinf from the fprot package version 1.14a cannot cure it. It reports "no boot sector found". f-inoc reports an "unusual DOS boot sector". Does anyone have any more information about this beast? Thanks in advance. ------------------------------ Date: Fri, 01 Mar 91 11:30:25 -0800 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Reviews and Norton Antivirus (PC) I have, after three months of continuous phone calls to various Symantec offices, received NAV for review. It is now at the bottom of the pile, but given the recent postings here, is there interest in having it moved up ahead of other reviews? (I think Ken would appreciate it if you replied directly to me ...) ============== Vancouver p1@arkham.wimsey.bc.ca | "It says 'Hit any Institute for Robert_Slade@mtsg.sfu.ca | key to continue.' Research into (SUZY) INtegrity | I can't find the User Canada V7K 2G6 | 'Any' key on my Security | keyboard." ------------------------------ Date: Sat, 02 Mar 91 12:33:45 -0600 >From: ras0052@cec1.wustl.edu (Rozita Abdul Samad) Subject: computer virus (PC) Hello... I've been reading the RN and particularly interested in the computer virus problems. And now I'm doing a final paper for my technical writing class about computer virus. The topic is a proposal about how to destroy one kind of virus in ibmpc and compatibles. I know that there are many viruses like stone, ping-pong, lehigh but I still haven't decided which I want to specify. I'd like to write about the virus, how it affect, which part it affects, how to avoid, protect the parts, make recovery of the parts and the most important thing is how a technique can be used to get rid of the virus. I do not have many knowledge about these viruses but I want to do a paper on it. So if you have any suggestion or ideas , please do contact me. My e-mail address is : ras0052@cec1.wustl.edu Thanks a lot. I'm looking for your reply. Bye. Cheers, Rozita ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 35] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253