VIRUS-L Digest   Wednesday, 13 Mar 1991    Volume 4 : Issue 43

Today's Topics:

Re: VIRUSCAN v1.51 available (PC)
Norton's Diskmon and viruses (PC)
PROTEC System & Stoned Virus (PC)
Correction/apology re Michael Harding in Virus-L vol3 index
new virus program from ibm available (PC)
FLIP Virus (PC)
Re: Plastique/Taiwan 3/Anticad 2 (confused!) (PC)
Dyslexia/Subliminal and PckSPL.com (PC)
Help on (key press) virus
Re: Standardized virus signatures
Re: Stoned Again (PC)
Re: Plastique/Taiwan 3/Anticad 2 (confused!) (PC)
Re: Life, Turing Machines, viruses.
Re: Research viruses

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    Mon, 11 Mar 91 14:34:47 -0500
From:    Arthur Gutowski
Subject: Re: VIRUSCAN v1.51 available (PC)

>From: "David K. Mickle"
>Subject: VIRUSCAN Version 1.51 is Available (PC)
>
>They obtained it at my request from their IBM rep who downloaded it from an
>IBM internal service.  The version number 1.51 is correct.

Not to quibble (much :-), but you mean VirScan.  Viruscan is McAfee's
product.  I know, I know, with all the AV products on the market these
days, it's getting harder to keep them straight.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Arthur J. Gutowski, System Programmer
MVS & Antiviral Group / WSU Computing Center
Bitnet:   AGUTOWS@WAYNEST1
Internet: AGUTOWS@WAYNEST1.BITNET *or* AGUTOWS@cms.cc.wayne.edu
PH: (313) 577-0718
+-------------------------------+
| I will not Xerox my butt...   |
+-------------------------------+

------------------------------

Date:    Mon, 11 Mar 91 21:59:46 +0000
From:    westk@cgrb.orst.edu (Ken West - Entomology)
Subject: Norton's Diskmon and viruses (PC)

Has anyone had any experience using the Norton Utilities version 5.0
disk monitor program to protect disks from virus infection?
Apparently, it will protect the boot sector, partition table, etc....
from being written to without your permission.

=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
Kenneth J. West                  Ever notice how war is particularly ugly
westk@bionette.cgrb.orst.edu     when you try to explain it to children?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date:    Mon, 11 Mar 91 15:20:10 -0700
From:    rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Subject: PROTEC System & Stoned Virus (PC)

In one of our public labs, we have a Zenith 159 with hard disk attached
to a laser printer.  We have SOPHCO's PROTEC system installed on said
Zenith and we offer 3 flavors of Word Perfect (and charge a quarter per
page for printing).

We had been experiencing problems accessing files and printing (users
have their documents on their floppy; we don't want them playing too
much with the hard disk, hence the PROTEC system).  Upon examination we
found the Stoned virus on the hard disk.  I didn't do the scanning, but
the person who did said Stoned didn't show up in memory (the scan was
done by exiting out of PROTEC by using the supervisor's password).  Said
person also cleaned things up.  (The virus got on the machine by some
student trying to break into the machine by booting off a floppy that
happened to be infected.)

I find this interesting.  Short of re-infecting the machine to
investigate further, I'm curious as to why Stoned didn't show in memory
when a boot from floppy hadn't been done.  I'm also curious about the
mechanism of transferral under PROTEC.

Does anyone have any insight to offer?  Thanks.

Richard Travsky                        Bitnet:   RTRAVSKY @ UWYO
Division of Information Technology     Internet: RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                  (307) 766 - 3663 / 3668

------------------------------

Date:    Tue, 12 Mar 91 09:22:36 +0000
From:    Anthony Appleyard
Subject: Correction/apology re Michael Harding in Virus-L vol3 index

[CORRIGENDUM AND APOLOGY] (Matthew D.Harding is not a virus spreader)

(1) In Virus-L vol3 #167, (Subject: Beware of some virus researchers)
said what may be summarized as "Don Sheffer (who asked me for a copy of
the "1022" alias Fellowship virus) is not a genuine virus researcher,
and the 'University of Waterloo Virus Response Team' (that Don Sheffer
allegedly belongs to) does not exist.".

(2) In Virus-L vol3 #171, (Subject: Re: Beware of some virus
researchers) said what may be summarized as "the username emailed to me
wanting a copy of the Yankee Doodle virus, but in the light of message
(1) hereinabove that request seems suspicious to me.".

and I accordingly by routine put these two entries in Virus-L vol 3
index:-

---------------------------------------------------------------------------
[Beware of some virus researchers] "Don Sheffer" & "University of
Waterloo Virus Response Team" are bogus                                 167
[Re: Beware of some virus researchers] "Matthew D.Harding" is bogus     171
---------------------------------------------------------------------------

On 11 March 1991 (Subject: Incorrect info. in virus-l indexes) emailed
to me to say that "a student named Don Shaeffer at the Univ of Waterloo
indeed gained unauthorized access to several accounts there, and used
them for some purpose or another; but Matthew Harding (a student at the
University of Waterloo) knew nothing about this and has no connection
with viruses.".

It seems that the suspicious request was from , and that <>.

Therefore this entry in Virus-L vol 3 index:-

[Re: Beware of some virus researchers] "Matthew D.Harding" is bogus     171

should read:-

[Re: Beware of some virus researchers] suspicious request for virus by
someone logged in unauthorizedly under a reputable user's username      171

I apologize for any imputation thereby caused.

------------------------------

Date:    Tue, 12 Mar 91 13:39:27 +0000
From:    cfor@ciba-geigy.ch (Rainer Foeppl)
Subject: new virus program from ibm available (PC)

We were notified this morning that flash214 in ibmlink (or dial-ibm in
europe) has been updated with the newest version of the ibm virus-check
utilities.  I do NOT distribute them.  Please contact your pc-dealer or
ibm or download them yourself.

We are just in progress of testing them against known viruses.  If
anybody has some results, we would like to discuss them.

regards
rainer

--
Rainer Foeppl                   email: cfor@ciba-geigy.ch

------------------------------

Date:    Tue, 12 Mar 91 10:36:16 -0100
From:    Genaldo
Subject: FLIP Virus (PC)

Hi,

Does someone out there know how to eliminate the Flip Virus?  I got my
hard disk infected and after using CLEAN.EXE the virus came back in a
new copy of COMMAND.COM.

Genaldo

______________________________________________________________
GENALDO LEITE NUNES             | HOME ADDRESS
DEPARTAMENTO DE MATEMATICA-UFSC | RUA LAURO LINHARES, 360/U-102
88049-FLORIANOPOLIS-SC-BRASIL   | 88040-FLORIANOPOLIS-SC
FAX: (482)344069                | BRASIL
PHONE: (482)-319232             | PHONE: (482)-340115
_______________________________|______________________________

------------------------------

Date:    Wed, 13 Mar 91 14:19:00 +0100
From:    "Mark Aitchison, U of Canty; Physics"
Subject: Re: Plastique/Taiwan 3/Anticad 2 (confused!) (PC)

ccx020@cck.coventry.ac.uk (James Nash) writes:
> Fridrik's F-PROT calls it Plastique
> McAfee's SCAN calls it Taiwan 3 (as does AVSEARCH)
> Solomon's FINDVIRUS calls it Anticad 2
>
> Now, I know that all these virii are related in some way or another
> but I am confused as to whether they are all the same or not.  VIRUSSUM
> does not help much as it calls Taiwan 3 and Plastique separate virii.

This, plus other recent comments about difficulties in naming variants
of viruses, suggests a better approach to naming viruses is needed.  I
posted a note recently about naming/identifying boot sector viruses -
anyone who missed that can get a copy of BOOTID.ZOO and/or CHECKOUT.ZOO
by anonymous ftp to 132.181.30.3 - these are still experimental, but
worth looking at.

[Ed. The hostname of 132.181.30.3 is cantva.canterbury.ac.nz]

What I am suggesting now is a naming system for all types of virus
(such as trojans), which depends on the contents of the virus, not
where it was discovered or a piece of text one version displays.  This
isn't as easy as naming boot sector viruses, but should be possible.
(Read: I haven't made a nice demo program this time; let's discuss it
before anyone goes to the effort of programming something).  If you've
already looked at BOOTID.PAS, you may have noticed a range of hashcodes
left unassigned (in byte 2), so I do intend to extend the hashcode into
other areas.

My guess is that a naming scheme would...

1. Use only letters and digits,

2. Not try to be pronounceable, but be short (up to 12 characters) and
   maybe have a "popular name" tacked on the end for convenience.  The
   reason is that good, descriptive "real" words become easily
   exhausted, and may be just as difficult to pronounce in some
   countries as computer-generated names!

3. Certain bytes would flag what the virus attacks (.EXE, .COM, .SYS,
   .BAT files, and so on), whether it overwrites or appends to the
   original file, what interrupts it uses, and other distinguishing
   features of its effects.

4. The rest of the code would be a sophisticated checksum of the virus
   code, hopefully weighting important code in some way to give similar
   viruses similar codes.

The aims, as with BOOTID, are to positively identify viruses, avoiding
confusion as mentioned above.  The method, I suspect, would be to
isolate the virus from what it has infected (e.g. compare an infected
.EXE file with the uninfected original, or (better still) use some
automated disassembly software which works out what instructions are
executed before the original program is executed).  As I said, it
probably won't be easy.  But what do you think?  Is it worthwhile?
Essential?

Mark Aitchison, Physics, University of Canterbury, New Zealand.

------------------------------

Date:    13 Mar 91 05:47:23 +0000
From:    "Daniel H Marx"
Subject: Dyslexia/Subliminal and PckSPL.com (PC)

I just ran FPROT114's F-FCHK on my hard drive and received the
following message:

C:\PCKWIK\PCKSPL.COM  Possibly infected: Dyslexia/Subliminal

Number of files checked: 1
Infected files: 1
Infections removed: 0

I never received any prompt while the program was running.  Can anyone
tell me what's going on?  Am I really infected?  What should I do next?
I know PCKSPL is my print spooler.  It comes from PC-Kwik Power Pak
v 1.57 by Multisoft.

Any help gratefully appreciated.

------------------------------

Date:    13 Mar 91 10:49:53 -0700
From:    CCA3607@SAKAAU03.BITNET
Subject: Help on (key press) virus

How do we remove this type of virus?  Does this type of virus damage the
scan?  Also, what aliases and more information about this virus?

Thanks in advance,

Terry jawberha
King Abdul Aziz University
Jeddah, Saudi Arabia
cca3607@sakaau03

------------------------------

Date:    13 Mar 91 08:41:53 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Standardized virus signatures

Should virus identification strings be published in hex form?

My personal opinion is that they should be kept secret or published in
an encrypted form.  The reason is quite simple - anybody who obtains a
copy of the virus can easily patch the section containing the published
signature string, in order to make it non-detectable by any scanner
using that string.

Another danger of publishing the strings is that several scanners might
use the same strings - so no extra security would be gained by using
multiple scanners - if a new variant of an old virus appears, they would
all fail or all succeed in finding it.

-frisk

------------------------------

Date:    13 Mar 91 08:57:12 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Stoned Again (PC)

KAMRAN@Vax2.Concordia.CA (Kamran Farahi) writes:
>My question is, how is it
>possible that the F-DRIVER did not protect the hard disk?  Although,
>the warning message was given by the DRIVER on both occasions.

No drivers, TSR programs, etc., can prevent you from being infected by a
boot sector virus like the 'Stoned', for a simple reason - the virus is
executed and gets a chance to infect the hard disk before it can be
intercepted by any other program.  You need some special hardware to
prevent this.  The best any normal program can do is detecting the
infection, displaying a warning message and halting the computer, just
like F-DRIVER did.

>We lost everything because of the low-level format, do we have to go
>through this each time we get infected or is there a way to recover
>the data?

You never need to low-level format a disk infected by 'Stoned', to get
rid of the virus.  If the virus manages to infect the hard disk
successfully, you should be able to remove it by booting from a 'clean'
system disk and running a disinfector program.  If that fails, use NU
(or a similar program) to zero out the partition table, and then use NDD
to generate a new one.

-frisk

------------------------------

Date:    13 Mar 91 09:23:29 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Plastique/Taiwan 3/Anticad 2 (confused!) (PC)

ccx020@cck.coventry.ac.uk (James Nash) writes:
>Fridrik's F-PROT calls it Plastique
>McAfee's SCAN calls it Taiwan 3 (as does AVSEARCH)
>Solomon's FINDVIRUS calls it Anticad 2

Don't forget the anti-virus programs which call it 'Invader' ..... :-)

Anyhow - it is like this.  This is a group of several viruses from
Taiwan, created by disassembling the Jerusalem virus, modifying it and
releasing it again.  There are at least 6 viruses in the family:

        one 2576 bytes long
        one 2900 bytes long - the one you have.
        one 3012 bytes long
        three 4096 bytes long

In addition, the (non-working) HM2 virus may be related, and a variant
around 3000 bytes long has also been reported.

Some of the variants contain the text "Plastique", either in plain text
or encrypted - they also produce "explosion" sounds occasionally.

All the viruses are targeted against the AutoCAD program - When a
program named ACAD.EXE is run or sometimes when Ctrl-Alt-Del is pressed,
the viruses will activate, overwriting data on floppy disks and hard
disks, as well as garbling the contents of the CMOS.  This behaviour
produced the 'AntiCAD' name.

The three 4096 byte variants also contain code for infecting the boot
sector.

The "Taiwan" name should IMHO not be used, as there is already a family
of 4 viruses which have been called Taiwan-1, Taiwan-2, Taiwan-3 and
Taiwan-4, but they are not related to the family discussed above.

-frisk

Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)     | Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801     |

------------------------------

Date:    12 Mar 91 20:08:46 +0000
From:    vail@tegra.com (Johnathan Vail)
Subject: Re: Life, Turing Machines, viruses.

ssingh@watserv1.waterloo.edu (The Sanj-Machine aka Ice) writes:

> If automata are capable of reproducing themselves, by following the
> laws of a Turing machine, for a particular hardware architecture and
> instruction set, how do you determine the minimum number of bytes that
> this can be achieved in?

Since there are so many variables involved I don't think that you can
get an answer for this by theory.  It is entirely empirical.  For
example for an OS virus to "reproduce" all it needs to do is call the
OS routine that writes the boot sectors (this is how at least one Apple
][ virus worked).  A couple bytes is all it takes.  For other designs
the constraints involve the file system operations and how much the OS
does and hides for you.

> On a related note, I was talking with a friend about how CDs have
> error correcting codes through redundancy.  Does anyone know if
> viruses yet exist which are capable of being fault tolerant so that if
> they try to mutate, and the mutation inhibits its ability for
> continued self reproduction, it will return to its former state and
> try again?

You could do this but why bother?  It would serve no real purpose for a
virus writer and be easily defeatable by the modifier.

"Gravity pulls the trousers down
 Morality pulls the trousers up"  -- Bedful of Metaphysicians

 _____
|     |  Johnathan Vail | n1dxg@tegra.com
|Tegra|  (508) 663-7435 | N1DXG@448.625-(WorldNet)
 -----   jv@n1dxg.ampr.org {...sun!sunne ..uunet}!tegra!vail

------------------------------

Date:    13 Mar 91 13:05:58 +0000
From:    CAH0@gte.com (Chuck Hoffman)
Subject: Re: Research viruses

keir@vms.macc.wisc.edu (Rick Keir, MACC) writes:
> I can count the number
> of legitimate researchers I know of on one hand, and have fingers left
> over.

I'll bet I know which finger(s)!

I agree that "research" has become synonymous with "experimenting."
Someone who is trying something out, unsupervised, with no intention of
publishing, and with no go/nogo decision by peers with respect to
ethics, may be "experimenting," but hardly is doing "research" in the
sense that professional researchers use it.

I guess I might note the same about the use of the term "ethics."  Same
thing.  Someone trying to understand the ethics of a situation, but
unsupervised, with no intention of publishing or a go/nogo decision by
peers, may be "deciding" about something, but hardly is going through
the process of ethics review in the sense that professionals do.

- Chuck Hoffman, GTE Laboratories, Inc. | I'm not sure why we're here,
cah0@bunny.gte.com                      | but I am sure that while we're
Telephone (U.S.A.) 617-466-2131         | here, we're supposed to help
GTE VoiceNet: 679-2131                  | each other.
GTE Telemail: C.HOFFMAN                 |

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 43]
*****************************************
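Added example, not from the digest, BOOTID or any scanner: one concrete way to build the 12-character, letters-and-digits identifier that Mark Aitchison's message above sketches (attribute flags for targets, infection method and interrupts used, followed by a checksum weighted so that similar bodies get similar codes). The flag layout, the interrupt list, the piecewise checksum and the sample bodies are all assumptions constructed here.

```python
import hashlib
import string

ALPHABET = string.digits + string.ascii_uppercase  # 36 symbols: letters and digits only

# Assumed flag layout for the three attribute characters (point 3 of the proposal).
TARGETS = {"COM": 1, "EXE": 2, "SYS": 4, "BAT": 8, "BOOT": 16}
METHODS = {"append": 1, "overwrite": 2, "prepend": 4}
INTERRUPTS = {0x08: 1, 0x09: 2, 0x13: 4, 0x21: 8, 0x24: 16}  # vectors worth flagging
CHECK_CHARS = 9                                    # 12 chars minus 3 attribute chars


def _sym(value):
    """Map an integer to one of the 36 letter/digit symbols."""
    return ALPHABET[value % 36]


def interrupts_used(code):
    """Collect the vectors of INT imm8 instructions by scanning for the x86
    encoding CD xx.  A data byte 0xCD gives a false hit; real disassembly,
    as the proposal suggests, would be more exact."""
    return {code[i + 1] for i in range(len(code) - 1) if code[i] == 0xCD}


def piecewise_checksum(code, nchars=CHECK_CHARS):
    """Point 4: one symbol per equal slice of the isolated virus body, so two
    variants that share most of their code at the same offsets share most of
    the checksum symbols (similar viruses get similar codes)."""
    size = max(1, -(-len(code) // nchars))          # ceiling division
    out = ""
    for k in range(nchars):
        chunk = code[k * size:(k + 1) * size]
        out += _sym(hashlib.sha256(chunk).digest()[0])
    return out


def virus_name(code, targets, method):
    """Identifier = targets flag + infection method flag + interrupts hooked
    + 9-symbol piecewise checksum; always 12 characters from ALPHABET."""
    t = sum(TARGETS[x] for x in targets)
    m = METHODS[method]
    v = sum(bit for vec, bit in INTERRUPTS.items() if vec in interrupts_used(code))
    return _sym(t) + _sym(m) + _sym(v) + piecewise_checksum(code)


# Constructed sample bodies (not real virus code), 90 bytes each.
SAMPLE_A = b"\xcd\x21\xcd\x13" + bytes(range(86))   # uses INT 21h and INT 13h
SAMPLE_B = SAMPLE_A[:80] + bytes(10)                 # same body, last slice changed
SAMPLE_C = b"\xcd\x21\xcd\x08" + bytes(range(86))   # INT 08h instead of INT 13h

if __name__ == "__main__":
    for label, body in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, virus_name(body, ["COM", "EXE"], "append"))
```

A and B differ only in their last slice, so their names agree in the first eleven characters; C hooks a different interrupt, so its third character differs from A's.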
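Added example, not from the digest or from F-PROT: one way to publish scan strings in a non-plaintext form, as Fridrik Skulason's "Standardized virus signatures" message above recommends. Only a hash of each fixed-length string is distributed, and a file is scanned by hashing every window of that length. The fixed length, the names, the scan strings and the sample files are constructed assumptions.

```python
import hashlib

SIG_LEN = 16   # assumed fixed length for every scan string


def encode_signature(sig):
    """The published form of one scan string: its SHA-256 hex, never the bytes."""
    if len(sig) != SIG_LEN:
        raise ValueError("scan strings must be exactly %d bytes" % SIG_LEN)
    return hashlib.sha256(sig).hexdigest()


def build_database(raw_strings):
    """raw_strings: {virus name: scan string bytes}, kept only by the author.
    The returned {hash: name} table is what gets distributed to users."""
    return {encode_signature(s): name for name, s in raw_strings.items()}


def scan(data, db):
    """Hash every SIG_LEN-byte window of a file and look it up in the table.
    Returns [(offset, virus name), ...].  Hashing each window costs more than
    a plain substring search; that is the price of not shipping the bytes."""
    hits = []
    for off in range(len(data) - SIG_LEN + 1):
        digest = hashlib.sha256(data[off:off + SIG_LEN]).hexdigest()
        if digest in db:
            hits.append((off, db[digest]))
    return hits


# Constructed scan strings and files (not real virus code).
RAW_STRINGS = {
    "Constructed-A": bytes(range(0x40, 0x50)),
    "Constructed-B": bytes(range(0x80, 0x90)),
}
PUBLISHED_DB = build_database(RAW_STRINGS)
CLEAN_FILE = bytes(200)                                    # 200 zero bytes
INFECTED_FILE = CLEAN_FILE[:120] + RAW_STRINGS["Constructed-A"] + CLEAN_FILE[136:]


def published_db_leaks_bytes():
    """True if any raw scan string appears verbatim in what is distributed."""
    shipped = "".join(PUBLISHED_DB).encode()
    return any(s in shipped for s in RAW_STRINGS.values())


if __name__ == "__main__":
    print("infected:", scan(INFECTED_FILE, PUBLISHED_DB))
    print("clean:", scan(CLEAN_FILE, PUBLISHED_DB))
    print("database leaks raw strings:", published_db_leaks_bytes())
```

This addresses only the first of the two dangers in that message; a second scanner that derives its table from the same raw strings would still fail or succeed on a new variant together with the first.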