VIRUS-L Digest   Wednesday, 6 Mar 1991    Volume 4 : Issue 39

Today's Topics:

Stoned Again (PC)
M-disk, scanv67c.exe IBM PC (PC)
Re: Virus BBS
Re: How to disable boot up from A: (PC)
Need information on FLIP (PC)
more on 'Virus Protection and Universities'
Reporter seeks help on story about a Mac virus (Mac)
Plastique/Taiwan 3/Anticad 2 (confused!) (PC)
TELEFONICA virus information?
vshield V75 and QEMM 5.00 (PC)
AZUSA - New Virus (PC)
Aircop (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    Tue, 05 Mar 91 17:01:00 -0400
From:    "Kamran Farahi"
Subject: Stoned Again (PC)

Hi,

One of our faculty members has been hit twice with this nasty virus.
On both occasions he had installed F-DRIVERS on the hard disk; the
partition table was gone, so he could not reboot from the hard disk.
As a result he had to do a low-level format.

My question is, how is it possible that the F-DRIVER did not protect
the hard disk?  Although the warning message was given by the DRIVER on
both occasions.  We lost everything because of the low-level format.
Do we have to go through this each time we get infected, or is there a
way to recover the data?

Thanks.

------------------------------

Date:    Tue, 05 Mar 91 22:02:28 +0000
From:    rfink@eng.umd.edu (Russell A. Fink)
Subject: M-disk, scanv67c.exe IBM PC (PC)

Does anyone have a copy of a shareware program M-DISK, referred to by
the scanv67c.exe program for the IBM-PC?  It is supposed to remove the
boot disk viruses.  If you have it online, please send me the UUencoded
version, or the same of another program that can remove boot sector
viruses.  Maybe you have Norton's wipedisk?  I can't seem to get access
to simtel20, and I need this in a hurry.

Thanks,
--
 //===== //=====    Russ Fink          ===============
//      //____      rfink@eng.umd.edu
//      //          University of Maryland
//===== //=====    College Park       ============

------------------------------

Date:    06 Mar 91 03:27:38 +0000
From:    mrs@netcom.COM (Morgan Schweers)
Subject: Re: Virus BBS

Frisk says:
>                          Virus BBS
>
>One of the most serious developments recently is the creation of virus
>Bulletin Board Systems, where viruses and disassemblies are freely
>available.

Agreed.  The problem in the USA isn't the disassemblies as much as the
viruses themselves.  I am aware of a number of BBS's (esp. here in the
CA area) which provide viruses to anyone who expresses an interest and
any amount of ability.

>sample, and I fear we may see an explosion in the number of virus variants
>soon - the 400 variants we know today may multiply and become 1000 or so
>before the year is over.

Also agreed.  If the past maps of the increase in viruses and variants
are any guide, we can expect to be getting approximately one new virus
every day.  (That is, one new virus or a variant of an old one.)
Currently, we at McAfee Associates are getting approx. 2 to 3 new
strains/viruses a week.  Up from about 1 a week when I started working
here.

>Now that the VSUM list is no longer available on SIMTEL20, I was
>wondering how to obtain it - as the Technical editor of the Virus
>Bulletin, I often have to select names for new viruses, and I like to
>compare my list with hers, although the information on the viruses
>published there is often incredibly inaccurate.
If you are willing to call California, you could get the updates from
either our BBS (McAfee Associates @ (408) 988 4004) or from Patricia's
BBS @ (408) 244-0813.  I'm surprised that it was taken off of Simtel20,
however.  You can also Fidonet-FileRequest it from the Excalibur! BBS,
but I'm not sure of the methods for that.

                                                     --  Morgan Schweers
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Yep, I am... ms@albert.ai.mit.edu, mrs@netcom.com, Morgan Schweers at  |
| (408) 988-3832 (McAfee Associates), and I've been called many things   |
| that aren't appropriate for a family.newsgroup.  My opinions are my own|
| created out of hard work.  They are MY responsibility, SO THERE!  ;-)  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Note:  I don't officially speak the McAfee Associates Line.  Thus, any
product recommendations, etc. hold no real water.  Think for yourself,
dammit!  ;-)

------------------------------

Date:    Wed, 06 Mar 91 12:20:00 +0700
From:    "Jeroen W. Pluimers / Jeroen Smulders"
Subject: Re: How to disable boot up from A: (PC)

>>From: eldar@lomi.spb.su (Eldar A. Musaev)
>>That is very simple, if you have only one floppy.  Open your computer
>>and set DIP switches and cable connections to make A: as B:...
>
>I used to think that this would work also but was chagrined (shimatta)
>to learn that many PC BIOSes check for floppy A as part of POST and
>will generate a "601" error and halt the boot process if drive A does
>not respond to the controller.

Older BIOS versions will bump if they don't find a disk-drive.  Some
BIOS versions will boot from drive B:

Best solution I have found is to disconnect the disk-drives (pull the
data-connector out of the disk-drive) or modify the CMOS.  Both methods
are incompatible with some BIOS versions, so be aware!

A may-be solution is to use an encryption method on the hard-disk for
which the user has to use a password, or modify your BIOS to disable
floppy-disk booting.
These methods are very tricky and only suitable for people that know
what they are doing.

>(about difference between writing viruses for Mac or PC)
>magnitude less than producing a good word processor.  Also in the PC, a
>user must request a boot/execution of a virus while a MAC will execute
>floppy code without being asked.  The "scan on floppy insertion" is
>possible (and should be a part of any good protection scheme) on the
>PC, it just hasn't been done yet (or has it, I am sometimes behind ?).

In the PC that is rather difficult.  It is possible if you dig into DOS
very deep.  This would be incompatible for many DOS versions.  It is a
very good idea however, but the PC doesn't give a signal when a new
disk is inserted.  Only a changeline-signal if the drive door has been
opened.  I'll pass this suggestion over to the author of TBSCAN.

------------------------------------------------------------------------

>From: James Ford
>The file "innoc.zip" has been replaced with a new version.  This new
>version has the following files in it:

Where can I get this?  And what is INNOC?

------------------------------

>From: p1@arkham.wimsey.bc.ca (Rob Slade)
>
>VPCSCAN is amazingly fast.  File checking is at least twice as fast as
>either FPROT or SCAN across all platforms tested.

Another amazingly fast product is TBSCAN.  Where can I upload this -
public domain - virus scanning product?

------------------------------

Jeroen W. Pluimers        work:  +31-71-274245    9.00-17.00 CET
P.O. Box 266              home:  +31-2522-11809  19:00-23:00 CET
2170 AG Sassenheim        email: 2:281/521 or 2:281/515.3
The Netherlands           email: PLUIMERS@HLERUL5.BITNET

------------------------------

Date:    Wed, 06 Mar 91 13:54:30 -0500
From:    "Javier H. Diez de Baldeon"
Subject: Need information on FLIP (PC)

I need all kinds of information about the FLIP VIRUS.  May anybody send
me the SIGNATURE FILE of this particular virus?????  I noticed yesterday
that I had got it and it hasn't done any damage yet.
The FLIP virus seems to be a mixed one.  I think it infects the boot
sector and some of the root directory files.

One more thing.  It looks undetectable for most known virus-detectors.
I've tried several things with no result.

Any help will be useful.

************************************************
*  ___________    Javier H. Diez de Baldeon    *
*  |_       |     Servicio de Informatica      *
*    |      |     Universidad Autonoma de Madrid *
*    |  0  /      Ctra de Colmenar Km. 15      *
*   <   |         28049 Madrid (SPAIN)         *
*    |_ ___/      Telephone: +34 1 397 40 29   *
*      \/         Fax:                         *
*                 E-mail:                      *
************************************************

------------------------------

Date:    Tue, 05 Mar 91 18:34:16 +0000
From:    Mr Gordon S Byron
Subject: more on 'Virus Protection and Universities'

>More on MACs than on PCs?

Not at all, just a much more efficient virus checking system.  Being
able to tell if a disk is inserted and scanning it on insertion ensures
a check of all known viruses.  With applications such as Sam it is
possible to update the virus checking system when new viri are
identified.  The ability to do this on a PC is much more problematic,
too many potential loopholes.  Macs invariably have more immediate virus
checking procedures set up in public areas because they CAN.  All our
public Mac labs have automatic scanning for viri on disk insertion.
This is a much less trustworthy technique on DOS boxes.  :-)

*******************************************************************************
Snailmail: Gordon Byron, Arts Computing Advisor, Pathfoot Building,
           University of Stirling, FK9 4LA Stirling, Scotland, UK.
Voice: 0786 73171: Ext 7266          Fax: +78651335
*******************************************************************************

------------------------------

Date:    Tue, 05 Mar 91 18:40:01 +0000
From:    Mr Gordon S Byron
Subject: Reporter seeks help on story about a Mac virus (Mac)

>It's not a question of Bias, the mac system is very powerful, but part
>of that power comes from openness.  Openness leaves one vulnerable.
>(I am generally biased against macs, with the exception of their
>usefulness for desktop publishing)

Don't you find DOS a much easier environment to hack than a Mac?
Getting into the Mac toolbox is a much more daunting prospect than
hacking DOS.  The Mac openness exists in terms of the user front-end.
The operating system is however far from "open".  This in fact is one of
the reasons Mac-bashers give for not liking the Mac.  You can customise
your Mac more delightfully with start-up screens and alterations to
details in the interface, but it is by no means a foregone conclusion
that it is easier to write a virus for the Mac.

*******************************************************************************
Snailmail: Gordon Byron, Arts Computing Advisor, Pathfoot Building,
           University of Stirling, FK9 4LA Stirling, Scotland, UK.
Voice: 0786 73171: Ext 7266          Fax: +78651335
*******************************************************************************

------------------------------

Date:    Wed, 06 Mar 91 09:37:11 +0700
From:    James Nash
Subject: Plastique/Taiwan 3/Anticad 2 (confused!) (PC)

I have a copy of a virus that seems to confuse the various virus
checkers I'm evaluating (and trying to convince my superiors to buy lots
of!!!).

Fridrik's F-PROT calls it Plastique
McAfee's SCAN calls it Taiwan 3 (as does AVSEARCH)
Solomon's FINDVIRUS calls it Anticad 2

Now, I know that all these virii are related in some way or another, but
I am confused as to whether they are all the same or not.  VIRUSSUM does
not help much as it calls Taiwan 3 and Plastique separate virii.

From the description I have been given of what this virus does (I'm too
chicken to experiment myself :-), it infects COM/EXE and boot sectors
and at some point plays a tune.  It also trashes some data files.
Beyond that I know nothing.

Anyone kind enough to lift the fog of confusion from my eyes?
--
James Nash, Computing Services, Coventry Polytechnic, England
ccx020@uk.ac.cov.cck

------------------------------

Date:    Wed, 06 Mar 91 15:20:53 +0000
From:    "Pete Lucas"
Subject: TELEFONICA virus information?

Has anyone any experience of the Telefonica virus?  I am pretty sure
that I have acquired a copy of this (from Barcelona).  Details of
detection, removal, symptoms etc. eagerly sought!

Pete Lucas   PJML@UK.AC.NWL.IA   G6WBJ@GB7SDN.GBR.EU

Please use the following addresses for reply:
+ \/Natural
+ \/\Environment           JANET    : PJML@UK.AC.NERC-WALLINGFORD.IBMA
+ \/\/Research             Internet : PJML%IA.NWL.AC.UK@NSFNET-RELAY.AC.UK
+ \/\/\Council             EARN     : PJML%UK.AC.NWL.IA@UKACRL
+ NERC Computer Services   RADIO    : G6WBJ@GB7SDN.GBR.EU {144.650MHz}
+ Holbrook House           SPAN     : STAR::\PJML%IA.NWL.AC.UK@NSFNET-RELAY.AC.UK
+ Station Road             PHONE    : +44 (0)793 411613
+ SWINDON SN1 1DE          FAX      : +44 (0)793 411503
+ GREAT BRITAIN

------------------------------

Date:    Wed, 06 Mar 91 17:20:00
From:    Peter Arien
Subject: vshield V75 and QEMM 5.00 (PC)

Trying to loadhi vshield gives a 'not enough memory to load hi' message.
How come, when I've got 31K and 96K free high memory?  Installing
vshield with the /SWAP option gives a 'loadhi EXEC error' on all the
following loadhi's.  Any suggestions?

Thanks.

Peter.

==================================== = = = = = = = = = = = = = = = = ====
= Peter Arien                     = LAAAA43@cc1.kuleuven.ac.be         =
= Academic Computing Center       = LAAAA43@blekul11                   =
= K.U.Leuven - Belgium            = 'It was clear as mud ...'          =
==================================== = = = = = = = = = = = = = = = = ====

------------------------------

Date:    6 March, 1991
From:    Padgett Peterson
Subject: AZUSA - New Virus (PC)

>From: smash@oucsace.cs.ohiou.edu (Scott Mash)
>Subject: Weird Stuff Happening to Pc's Here at Ohio Univ. (PC)

>In one of our computer labs we have developed a very serious problem
>with our pc's.  Most of the computers will not recognize the printers.

Just possibly, what you have is the AZUSA (SCAN v75 catches it).
It bombs by "losing" COM1 and LPT1.

AZUSA is a boot sector and partition table infector that is at least as
effective as the STONED and infects both floppies and hard disks.  It
takes up 1k of memory from the TOM (CHKDSK "total bytes memory" is
reduced by 1024 bytes - a 640k machine will report 654336 instead of
655360).  No stealth is involved and it may be recognized by the long
jump (E9 8B) at the start of an infected sector.

[Ed. Make sure that you use v75 since v74B will not find AZUSA.  There
have been a few infections of this new virus in the northeast recently.
If anyone has a good, freely distributable technical description of
AZUSA, please send it in to this group.]

Good luck,

Padgett

------------------------------

Date:    Mon, 04 Mar 91 17:08:04 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Aircop (PC)

BL161926@TECMTYVM.BITNET (Jesus Barrera Ramos) writes:

> Last week I detected AirCop virus in two disks of mine (in my systems
> disks to be exact), well I "removed" them with scan72 but in the
> finish of the clearing it told me that "Virus cannot be safely removed

SCAN version 72 is supposed to be able to clear the "Aircop" infection,
but this kind of message is often received if there is a slight
variation in the code.  (This would indicate a new "variant" of this
virus.)

Yes, SYS B: should remove the virus.  Hoffman's list indicates that the
viral code itself is restricted to the boot sector, and therefore
replacing the boot sector should eliminate the code.

==============
Vancouver         p1@arkham.wimsey.bc.ca   | "It says 'Hit any
Institute for     Robert_Slade@mtsg.sfu.ca | key to continue.'
Research into     (SUZY) INtegrity         | I can't find the
User              Canada V7K 2G6           | 'Any' key on my
Security                                   | keyboard."

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 39]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253
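Two messages in this digest come down to looking at one 512-byte sector: the Stoned report (partition table gone, low-level format as the only way out) and Padgett's AZUSA description (1k taken from the top of memory, so CHKDSK shows 654336 instead of 655360, and a long jump E9 8B at the start of an infected sector). The Python script below is an added example for this digest and is not code from any poster, from McAfee, F-PROT or any other product named here. It decodes the four MBR partition entries so a defender can tell whether the table still makes sense before deciding the disk needs a low-level format, checks the sector start for the two-byte jump pattern Padgett reports, and turns a CHKDSK "total bytes memory" figure into the number of bytes lost to resident code. The sample sectors, the partition values in them (type 0x06, LBA 63, 40000 sectors) and all function names are constructed for the example; the 0x55AA end-of-sector marker and the 0x1BE table offset are the standard MBR layout.

```python
"""Inspect a 512-byte DOS boot/partition sector (added example, not from the digest)."""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # standard end-of-sector marker
PARTITION_TABLE_OFFSET = 0x1BE        # four 16-byte entries in an MBR
ENTRY_FORMAT = "<B3xB3xII"            # status, (CHS start), type, (CHS end), LBA start, sector count
AZUSA_JUMP = b"\xE9\x8B"              # long jump Padgett reports at the start of an infected sector
CONVENTIONAL_MEMORY = 655360          # CHKDSK "total bytes memory" on a clean 640k machine


def parse_partition_table(sector: bytes) -> list:
    """Decode the non-empty MBR partition entries into dicts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FORMAT, sector, offset)
        if ptype == 0:                 # type 0 means the slot is unused
            continue
        entries.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def inspect_sector(sector: bytes) -> dict:
    """Summarise what a defender would look at first in a suspect sector."""
    partitions = parse_partition_table(sector)
    has_signature = sector[510:512] == BOOT_SIGNATURE
    return {
        "has_boot_signature": has_signature,
        "azusa_jump_at_start": sector[:2] == AZUSA_JUMP,
        "partitions": partitions,
        # A table that still decodes to at least one entry behind a valid
        # signature is a candidate for repair rather than a low-level format.
        "partition_table_intact": has_signature and len(partitions) > 0,
    }


def memory_lost_to_resident_code(chkdsk_total_bytes: int,
                                 expected: int = CONVENTIONAL_MEMORY) -> int:
    """Bytes missing from the top of memory, computed from the CHKDSK figure."""
    return expected - chkdsk_total_bytes


def make_sample_sector(infected: bool = False, wipe_table: bool = False) -> bytes:
    """Constructed test sector: NOT a real virus sample, only the byte patterns
    discussed above placed where the inspection functions look for them."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"      # short jump + NOP, the usual clean DOS prologue
    if infected:
        sector[0:2] = AZUSA_JUMP       # overwrite the prologue with the reported long jump
    if not wipe_table:
        # One bootable FAT16 (type 0x06) primary partition; values are made up.
        struct.pack_into(ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET, 0x80, 0x06, 63, 40000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for label, sec in (("clean", make_sample_sector()),
                       ("infected", make_sample_sector(infected=True)),
                       ("table wiped", make_sample_sector(wipe_table=True))):
        print(label, inspect_sector(sec))
    print("bytes lost from top of memory:", memory_lost_to_resident_code(654336))
```

Feed `inspect_sector` the first 512 bytes read from a disk image or a sector dump. The E9 8B check is only the two-byte indicator Padgett gives; plenty of legitimate boot code also starts with a near jump, so a hit is a reason to compare the sector against a known-good copy, not proof on its own. The memory check is the same arithmetic as his CHKDSK figures: a clean 640k machine gives 0, an AZUSA-sized loss gives 1024, and a different number points at some other resident code.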