VIRUS-L Digest   Monday, 11 Mar 1991    Volume 4 : Issue 42

Today's Topics:

Re: Research viruses
Help ! Fellowship virus on IBM-386 (PC)
VIRUSCAN Version 1.51 is Available (PC)
Stoned again (PC)
FLIP (PC)
Confusion of names (PC)
Latest VSUM (PC)
Re: File format for virus signatures (PC)
Re: Life, Turing Machines, viruses.
Testing help wanted (PC)
Bug in SCANV75? (forwarded) (PC)
Review of Antivirus (not -Plus) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    08 Mar 91 10:30:32
From:    keir@vms.macc.wisc.edu (Rick Keir, MACC)
Subject: Re: Research viruses

XRJDM@SCFVM.GSFC.NASA.GOV (Joe McMahon) writes...

>Research viruses: just say no.

(goes on to quote rumor that the Mac Scores virus author "didn't expect
it to get out", with implication that it was a "research" virus.)

Several points:

I said "rumor" since no one has ever admitted to being the author of
Scores (numerous news stories in MacWeek, etc., quoting FBI and EDS
officials as saying they "suspect" they know who it is -- i.e. no one
has said they're the one).  This makes it hard for the Vaxene
documentation to quote the author of Scores in any believable fashion.

Second, the comment about "didn't expect it to get out" is also subject
to the interpretation that he/she meant "I just thought I'd screw up
computers at EDS in Dallas and not anyone else's computers."  While
Scores does specifically target internally developed software of EDS,
it infects all bootable systems and all applications that it comes in
contact with, and does not distinguish the EDS systems from any other.
This makes a claim that he/she was surprised by its spread not very
believable.

"Research" is becoming the computer equivalent of the claim that "I
didn't know the gun was loaded", whether uttered by the virus writer or
by the geek who abuses the net.  Research is noted for: publication,
sharing of information, useful purpose, and most importantly ETHICS
OVERVIEW by one's peers.  The so-called research of the average virus
writer would fail on all counts: no knowledge is published; there is no
knowledge to be gained; and no group of one's peers would judge the
writing and release of the virus to be ethical.

There can be useful research done on viruses, and for those purposes
viruses may be written; however, those authors are working openly,
publishing their work, and experimenting in conditions that prevent the
spread of a virus to the general public.  I can count the number of
legitimate researchers I know of on one hand, and have fingers left
over.

------------------------------

Date:    Fri, 08 Mar 91 15:04:16 -0500
From:    Daniel Pan
Subject: Help ! Fellowship virus on IBM-386 (PC)

DOES ANYONE KNOW HOW THE "FELLOWSHIP VIRUS" WORKS, AND IS THERE ANY
ANTI-VIRUS SOFTWARE THAT CAN CLEAN IT?  ONE OF MY FRIEND'S HARD DRIVES
GOT THIS VIRUS.  MCAFEE'S SCAN VERSION 72 CANNOT FIND IT, BUT VIRXDEMO
(PC-VIREX, GREENBERG'S) COULD FIND IT.  WHAT SHOULD HE DO?  ANY HELP
WILL BE APPRECIATED.

--- DANIEL PAN
    I87BC@CUNYVM (BITNET)
    (718)-253-3393

------------------------------

Date:    Fri, 08 Mar 91 18:21:00 -0800
From:    "David K. Mickle"
Subject: VIRUSCAN Version 1.51 is Available (PC)

I got my copy through our PC vendor, Microage of Beverly Hills.  They
obtained it at my request from their IBM rep who downloaded it from an
IBM internal service.  The version number 1.51 is correct.

------------------------------

Date:    Fri, 08 Mar 91 17:37:50 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Stoned again (PC)

KAMRAN@Vax2.Concordia.CA (Kamran Farahi) writes:

> On both occasions, he had installed F- DRIVERS on the hard disk, the
> partition table was gone so he could not reboot from the hard disk. As
> a result he had to do a low level format. My question is , how is it

One despairs, one really does.

When F-DRIVER.SYS is installed, it will detect the presence of the
"Stoned" virus and lock up the system.  This does not mean that your
computer is ruined.  I assume it is intended to *force* you to deal
with the problem.

The solution is simple.  Boot from a clean floppy.  Run F-DISINF and
"cure" the hard disk.  Reboot the computer normally.  Simple.  And
effective.  There was no need to reformat the disk.

As to "prevention" of infection by a boot sector virus, that is not so
simple.  If you stick an infected disk into the A: drive and boot up,
you are going to be infected before *anything* can come into play.  The
only solutions involve specialized boot ROMs, cards or mechanical
disabling of the A: drive.

==============
Vancouver         p1@arkham.wimsey.bc.ca   | "It says 'Hit any
Institute for     Robert_Slade@mtsg.sfu.ca | key to continue.'
Research into     (SUZY) INtegrity         | I can't find the
User              Canada V7K 2G6           | 'Any' key on my
Security                                   | keyboard."

------------------------------

Date:    Fri, 08 Mar 91 17:51:39 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: FLIP (PC)

JHOYO@vm1.uam.ES (Javier H. Diez de Baldeon) writes:

> I need all kind of information about the FLIP VIRUS. May anybody send
> me the SIGNATURE FILE of this particular virus????? I noticed
> yesterday that I had got it and it hasn't done any damage yet. The
> FLIP virus seems to be a mixed one. I think it infects the boot sector
> and some of the root directory files. One more thing. It looks
> undetectable for most known virus-detectors. I've tried several things
> with no result. Any help will be useful.

There is a "Flip" virus which infects both files and the boot sectors
of hard disks.  FPROT should be able to deal with it for you.  If it
is the same one that you are seeing it will "reverse" the screen
(horizontally) on the second day of the month, between 4 and 5pm.  You
could set your system clock to that, and see what happens ...

------------------------------

Date:    Fri, 08 Mar 91 17:59:02 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Confusion of names (PC)

ccx020@cck.coventry.ac.uk (James Nash) writes:

> I have a copy of a virus that seems to confuse the various virus
> checkers I'm evaluating (and trying to convince my superiors to buy
> lots of!!!).
>
> Fridrik's F-PROT calls it Plastique
> McAfee's SCAN calls it Taiwan 3 (as does AVSEARCH)
> Solomon's FINDVIRUS calls it Anticad 2

If you look up the FILVIR-2.TXT that came with the FPROT package, you
will see that they are all variants of the same family, albeit quite
different.  Naming conventions have been a difficulty for a long time,
especially since so many viri are modifications of others.

Q - How many virus writers does it take to change a lightbulb?
A - 17.  One to change the bulb, and an average of 16 to watch him do
    it, and then all try it again a slightly different way ...

------------------------------

Date:    Sat, 09 Mar 91 07:37:00 -0500
From:    John Perry KG5RG
Subject: Latest VSUM (PC)

I consider Pat Hoffman's VSUM to be a very good document on viruses.
I was wondering where I could FTP the latest version from?  I maintain
the viral archives on beach.gal.utexas.edu and would be tickled if I
could post a current version there for others to have access to.

[Ed. Note that VSUM is $hareware.]

John Perry KG5RG
University of Texas Medical Branch
Galveston, Texas 77550-2772

You can send mail to me at any of the following addresses:

DECnet   : BEACH::PERRY
THEnet   : BEACH::PERRY
Internet : perry@beach.gal.utexas.edu
Internet : john.perry@f365.n106.z1.fidonet.org
BITNET   : PERRY@UTMBEACH
SPAN     : UTSPAN::UTADNX::BEACH::PERRY
FIDOnet  : 1:106/365.0

------------------------------

Date:    10 Mar 91 16:44:41 +0000
From:    mrs@netcom.COM (Morgan Schweers)
Subject: Re: File format for virus signatures (PC)

Greetings,
    Hmmm...  I'll point out that the VIRSCAN/TBSCAN file format is
similar enough to the ViruScan external data file that a conversion
utility SHOULD be relatively trivial.  For reference, our strings are
one line/one virus, no 'BOOT' or 'COM', etc. separators.  The string
format is similar, but rather than have a single hex-digit after the
'*' you put a number in parentheses.  (I.E. "01020304 *(4) 050607?090a")
The '?' wildcard ignores that hex-byte, the '*' will detect the next
byte if it is within (x) bytes.

    Now for another 'flame' from me...  "Unreadable/non-clear update
scan strings."  This makes it difficult for a user to add their own
strings.  These products might as well not have user-updatability, in
effect.  Unless the user has access to documentation on creating a
virus 'string' through that particular utility, they can't expand it.
I've got an open mind on this subject, however.  (Not so open that my
brain falls out, but anyhow...)
If someone who uses this method can explain the rationale to me, I'll
respond.  I can think of two products which do this, and MAYBE a third.

                                                      --  Morgan Schweers
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| I *AM* mrs@netcom.com, and ms@albert.ai.mit.edu.  I'd prefer you use  |
| the netcom.com address, since MIT is now a WEE bit further away from  |
| me than I like calling...  In any case, I don't represent my          |
| employers.  They don't listen to what I say, and I return the         |
| compliment whenever possible.                                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

------------------------------

Date:    Sun, 10 Mar 91 19:47:54 -0500
From:    The Sanj-Machine aka Ice
Subject: Re: Life, Turing Machines, viruses.

Quick question I've been wanting to ask for a while.  If automata are
capable of reproducing themselves, by following the laws of a Turing
machine, for a particular hardware architecture and instruction set,
how do you determine the minimum number of bytes that this can be
achieved in?

On a related note, I was talking with a friend about how CDs have
error correcting codes through redundancy.  Does anyone know if
viruses yet exist which are capable of being fault tolerant so that if
they try to mutate, and the mutation inhibits its ability for
continued self reproduction, it will return to its former state and
try again?

Ice.

"Flesh and blood, sacrifice, melts the heart like fire and ice." - Poison

--
"No one had the guts... until now!"  $anjay $ingh  Fire & "Ice"
ssingh@watserv1.[u]waterloo.{edu|cdn}/[ca]
ROBOTRON Hi-Score: 20 Million Points | A new level of (in)human throughput...
!blade_runner!terminator!terminator_II_judgement_day!watmath!watserv1!ssingh!
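The scan-string format Morgan Schweers describes two messages above (one line per virus, '?' for any one byte, '*(n)' for the next byte within n bytes), worked through as an added example; this is constructed code, not VIRSCAN, TBSCAN or ViruScan code. It assumes a 'name = signature' line layout and that '*(n)' allows a gap of 0 to n bytes, neither of which the post spells out; the sample database and disk image are constructed.

```python
import re
# Token grammar as the post describes it: a hex byte, '?' (matches any one
# byte), or '*(n)' (the next element may start 0..n bytes on; range assumed).
_TOKEN_RE = re.compile(r'([0-9a-fA-F]{2})|(\?)|\*\((\d+)\)')

def parse_signature(text):
    """Tokenise e.g. 01020304 *(4) 050607?090a into ('byte', v) / ('any', None) / ('skip', n)."""
    tokens, pos, text = [], 0, "".join(text.split())   # whitespace not significant
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError("bad signature near %r" % text[pos:pos + 8])
        if m.group(1):
            tokens.append(('byte', int(m.group(1), 16)))
        elif m.group(2):
            tokens.append(('any', None))
        else:
            tokens.append(('skip', int(m.group(3))))
        pos = m.end()
    return tokens

def _match_at(tokens, data, i, pos):
    """True if tokens[i:] match data at offset pos (backtracks over '*' gaps)."""
    while i < len(tokens):
        kind, val = tokens[i]
        if kind == 'skip':
            return any(_match_at(tokens, data, i + 1, pos + gap)
                       for gap in range(val + 1))
        if pos >= len(data) or (kind == 'byte' and data[pos] != val):
            return False
        i, pos = i + 1, pos + 1
    return True

def find_signature(tokens, data):
    """Offset of the first match in data, or -1 if absent."""
    return next((s for s in range(len(data)) if _match_at(tokens, data, 0, s)), -1)

def scan(db_text, data):
    """Run each 'name = signature' line (layout assumed; ';' = comment) over data."""
    hits = []
    for line in db_text.splitlines():
        name, _, sig = line.partition('=')
        if sig and not line.lstrip().startswith(';'):
            off = find_signature(parse_signature(sig), data)
            if off >= 0:
                hits.append((name.strip(), off))
    return hits

# Constructed test data: the string quoted in the post plus a second one.
SAMPLE_DB = """; constructed test database, not real virus strings
Example-A = 01020304 *(4) 050607?090a
Example-B = 4d5a ?? 0000
"""
SAMPLE_IMAGE = bytes.fromhex("9090 01020304 aabb 050607 42 090a cc")
```

Running `scan(SAMPLE_DB, SAMPLE_IMAGE)` reports Example-A at offset 2: the two filler bytes after 01020304 fall inside the *(4) allowance and the '?' absorbs the 0x42 byte.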
------------------------------

Date:    Sun, 10 Mar 91 22:20:04 +0100
From:    jerry@tornado.gen.nz (Jeremy Buckley)
Subject: Testing help wanted (PC)

We need people who have access to one or more viruses to help beta-test
a new antiviral product developed here in New Zealand.  Quite a number
of unique detection/sterilization techniques are used which provide a
good overall level of protection against file infectors, trojans and
boot sector viruses.  It has the ability to detect and sterilize
viruses as opposed to just suspicious activity.  The entire program is
written as a device driver, which adds a little more security.

So far it has only been tested on the 4096, slow, dark avenger,
cascade, stoned variants and a number of research viruses, all with
good results but we need a wider range of testing due to the limited
number of viruses in this part of the world.

Any help would be more than appreciated, however the only remuneration
we can provide is free mailed updates of the package as we release
them (if wanted).  Please e-mail if you are interested in beta-testing
this program and we will send you the latest version in UUEncoded or
other format of your choice.  Please also e-mail details of virus(es)
that you will be able to test with.

Thanks in advance,
Jerry.

-------------------------------------------------------------------------------
Jeremy Buckley                                            jerry@tornado.gen.nz
-------------------------------------------------------------------------------

------------------------------

Date:    Mon, 11 Mar 91 12:18:00 +0700
From:    "Jeroen W. Pluimers"
Subject: Bug in SCANV75? (forwarded) (PC)

Original-Date: Mon, 11 Mar 91 01:14:09 +0100
Original-From: P7MAI016@FRCIRP81

Hello everyone,

Today I ran into a problem that can be serious, and if somebody can
forward this message to McAfee & Associates, thanks.

Here it is: a friend of mine showed me a file that was infected by the
"Whale" virus.  Scan v75 reports it, good.  BUT when I run Clean v75 on
that file, NOTHING!  Clean didn't report any virus at all.  I was happy
to have Clean v74b at hand and it identified and killed that damned
virus.

I think all of us are interested...

Best regards and happy computing,

--Ollivier
/-------------------------------+-----------------------------------\
| Ollivier ROBERT               | INTERNET: roberto@germinal.ibp.fr |
| Universite de Jussieu PARIS 7 | BITNET: p7mai016@FRCIRP81.BITNET  |
| PARIS, FRANCE                 |                                   |
\-------------------------------+-----------------------------------/

------------------------------

Date:    Fri, 08 Mar 91 18:07:26 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Review of Antivirus (not -Plus) (PC)

Comparison Review

Company and product:

Fink Enterprises
11 Glen Cameron Road, Unit 11
Thornhill, Ontario
L3T 4N3
416-764-5648
Telecopier: 416-764-5649
IRIS Antivirus

Summary: Vaccine program with scanner.

Cost $199 CDN, site licenses available

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      3
            Ease of use       3
            Help systems      1
      Compatibility           3
      Company
            Stability         3
            Support           2
      Documentation           2
      Hardware required       3
      Performance             3
      Availability            2
      Local Support           ?

General Description:

The forerunner of Antivirus-Plus (reviewed earlier, cf PCANTIVP.RVW),
Antivirus makes no claims of artificial intelligence.  The program
structure is very similar.  For simple virus detection, Antivirus is
recommended over Antivirus-Plus.

                  Comparison of features and specifications

User Friendliness

Installation

The disk is shipped write protected.  The accompanying documentation is
very terse (less than one loose leaf sheet), but sufficient to install
and run the programs.  (The distributor has stated that he is
increasing the documentation, but is interested in keeping it short so
as not to be too intimidating.)  Further documentation is available on
disk.  Installation can only be performed from the A: drive.
Installation is, however, very simple, although the options that are
available are not explained.

Ease of use

Options for use of the CURE program (scanner/disinfection portion) are
available from the command line, but also from an onscreen menu if
invoked with no parameters.  Alerts to the presence of a virus are not
clear as to which program or disk is infected.  The problem in
Antivirus-Plus of not being able to run certain programs which amend or
delete program files is not present in Antivirus.

Any access to a boot sector infected disk will trigger an alert.  The
infected disk is not identified, but attention to which disk is being
accessed will make this clear.  How a boot sector is identified as
being infected is not clear, but the behaviour of the program is
indicative of "scanning" type operation.  Therefore it is unlikely
that "new" boot sector viri will be detected.  However, there is some
"change checking" with regard to the boot sector.  How this is
accomplished is not stated, and it did give one false alarm (showing a
changed boot sector on a write protected disk.)

Help systems

None provided.

Compatibility

The program will detect and stop most common viri.  The problem in
Antivirus-Plus of not being able to run certain programs which amend or
delete program files is not present in Antivirus.

Company Stability

IRIS has been a small but consistent presence in the antiviral field.

Company Support

Little available.

Documentation

Documentation is brief but clear, although the information given deals
almost exclusively with installation.  Reasons for choosing various
options are not given.

Hardware Requirements

No special hardware required, but will only install from drive A:
(shipped on 5 1/4" media).

Performance

The program will detect most common viri.  The IMMUNE program will
detect and "eliminate" a virus within a program, but will usually be
able to allow the original program to run unhindered.  Boot sector
infections are "detected" on each access to the disk.

When the system is booted from a viral infected disk, the viral program
will become resident in memory.  At the invocation of the IMMUNE
program, the alert for an infected disk will appear.  (Interestingly,
the IMMUNE program will state that "!!No virus detected!!" on
completion.)  Memory scanners will still detect the virus resident in
memory, but disks will no longer be infected.  Disk editors are still
able to write to the boot sector.  (Note that this has only been
checked with common boot viri.  Others may not yield the same
behaviour.)

Local Support

None available.

Support Requirements

The program is simple enough that support should not be needed for
most instances.

General Notes

The Antivirus program appears, in most respects, to be better behaved
than its Antivirus-Plus successor.

copyright Robert M. Slade 1991, PCANTIVR.RVW 910308

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 42]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253