VIRUS-L Digest Thursday, 21 Mar 1991 Volume 4 : Issue 46 Today's Topics: Re: Stoned Again (PC) Re: PKLITE scanning (PC) Stoned- new version? (PC) Integrity Checking, programs & system lab policy programmatic autoexec tampering? (PC) Italian 'viruskit' is ordinary 'hack' Question ? (PC) Plastique 5.21 IBM Virus Report (PC) Alternatives to Floppy booting Re: PKLITE and hidden virus (PC) Plastique Virus (PC) CD ROM as virus protection PKLITE and hidden virus (PC) DPMA Talk - "A NEW STRATEGY FOR COMPUTER VIRUSES" VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Tue, 19 Mar 91 12:56:00 +0100 >From: Subject: Re: Stoned Again (PC) In a message of <13 Mar 91 08:57:12> Fridrik Skulason wrote: > You never need to low-level format a disk infected by 'Stoned', > to get rid of the virus. If the virus manages to infect the hard > disk successfully, you should be able to remove it by booting from > a 'clean' system disk and running a disinfector program. I thought so too, but lately got into trouble with some Olivetti M24 pc's ... a [Stoned] infection immediately resulted in some subdirs full of illegal file entries, lost clusters, and crosslinks. The same thing happened again within a day after low-level formatting the system, when another user didn't think it necessary to check his disk or even removing it while rebooting. So I'm pretty sure it's the Stoned infection that's causing the FAT and/or DIR problems, it may be because of a non-standard FDISK that comes with Olivetti's MS-DOS 3.2. Anyhow, it helps to have a backup :-) Jan van 't Ent, Apparatuurbeheer (microcomputer support & maint dept) ERASMUS VANTENT@HROEUR5.bitnet UNIVERSITEIT telefoon +31 10 4081337 jvte@cs.eur.nl usenet ROTTERDAM telefax +31 10 4081372 ------------------------------ Date: Tue, 19 Mar 91 10:04:00 -0600 >From: TUCKER@RCKHRST1.BITNET Subject: Re: PKLITE scanning (PC) In reply to the PKLITE question. I do not know of any program that scans an executable that has been compressed using PKLITE. As a matter of fact I have just been infected by the 1260 virus that was hidden in a file that was compressed using PKLITE. Scan75 does not detect the virus until the file has been uncompressed. jtucker@rckhrst1 ------------------------------ Date: Tue, 19 Mar 91 12:09:00 -0400 >From: "Kamran Farahi" Subject: Stoned- new version? (PC) Hi; This is my second posting to this group; I'd like to thank everybody for responding so promptly to my first message. Now let me ask you another question. We have encountered a new version of STONED on our pc's. We ran SCAN V75 but did not recognize there is a virus. However, when we ran F-DISINF V114 this message was displayed: "This boot sector is infected with a new version of the stoned virus" but did not remove it!! Does anybody know the cure to this problem?? Are Mr. McAfee and Mr. Skulason aware of this virus ??. Thanks again. ------------------------------ Date: 19 March, 1991 >From: Padgett Peterson Subject: Integrity Checking, programs & system Note: 44 was the first posting received since 39. Apologies if something was missed in the middle. >From: ***CURTIS*** >Subject: Unknown virus help! (PC) >Yesterday, I ran my virus checker from hard disk. It came up with the >warning "Virus checker Infected. Do not use" So I ran the >write-protected version I had on floppy, No virus's found. Many times virus removal programs will pad the end of a program to an even boundary following disinfection since the original program size has been lost. This is usually noticed on .EXE files. If this happens to a quality anti-virus program, the internal validation routine will detect the change and flag the user such as Mr. Curtis noticed. I suspect that he will find that the file on his hard disk is now a few bytes longer than the original and if DEBUG (yes you can, rename) is used to remove the "extra" bytes, the program will execute normally. - ----------------------------------------------------------------------- >From: CAH0@gte.com (Chuck Hoffman) >Subject: Preformatted disks, flopticals, etc. >Why can't the disks be formatted? Is the problem related to software or >hardware, or both? I was told this by people at both Brier and Insite. At the time I did not ask why but suspect that a consumer drive may not be able to properly detect "weak" sectors or that tracking correction information may be hard-coded at the factory. In the case of fixed disks, I have heard it both ways & suspect that it may depend on the drive/manufacturer (rumor has it that Packard-Bell is shipping a "special" version of Ontrack's DISK MANAGER {ver 4.01 ?} to customers reporting the MusicBug). The point I was trying to make was that a physically sound disk NEVER has to be "low-level formatted" just because a virus attacked it, but is often used as a substitute for proper training. - ---------------------------------------------------------------------------- >From: "Mark Aitchison, U of Canty; Physics" Subject: Re: PC MS-DOS vs BIOS protection (PC) HOORAH ! An intelligent discussion (not that I agree with all of the concepts but at least Mr. Aitchison has done his homework). >If DOS became the sort of standard that CPM or (better) >Unix is, where all manner of incompatible hardware run the same o/s, >then viruses would have a tough time spreading. Unix is a very good platform but the O/S diversity requires that most imported files (from Ultrix to Sun say) must be recompiled from the source code to run properly. Few of the 80+ million DOS users have this kind of expertise available. The stability and ease of use that has made the IBM-PC so popular is also favorable for malicious software. (I live in Florida because I like the climate. Insects also like the climate. I do not support changing the climate to eliminate the bugs but do have very fine mesh window screens.) >So a good anti-virus approach is going to consider the whole system: >hardware, BIOS, DOS, applications and end-user education. That, I >think, is a good idea, but you soon end up with something that looks >nothing like the present PC (or Mac or whatever). Not necessarily, at least not from the user or software level. I do not think that users would have a problem with a screen that popped up during installation or modification, and informed the user that something was going to happen and did he/she/it mind so long as it was not constant. For some time I have been using such a package and when installing a new program from 'leventy floppies received (and scanned) from a trusted vendor, just turn off the directory the installation is to be into from checking for the duration. Similarly, following a modification to WordStar, the next invocation pops a screen before loading informing me that it has changed and do I want the signature updated ? A single keystroke returns everything to normalcy & I would be more disturbed if the screen did not appear. Admittedly, this is not a "normal" DOS function, but can be added without affecting performance or functionality. {am running everything including Prodigy from Windows on the 386KS (kitchen sink) with 120k of TSRs loaded high (QEMM/DOS 5.00) and 636k "free" (trade and service marks mentioned). Testing done by wife, son, and assorted cats}. Point is that it can be layered on to DOS effectively and transparently, without "expert" help, but needs more than just a simple program, (some assembly reuired). Would love to continue this discussion at your place, I hear New Zealand is beautiful. - -------------------------------------------------------------------- Not sure if this is from Stan Pickthall or Robert Slade - app > SCAN does have an "internal" self check, but if a >"stealth" virus is active in memory, it will defeat any kind of >integrity check. NO ! It will not defeat "any kind of integrity check" though "stealth" will defeat SCAN's if the /nomem switch is in use (wish we had italics) While the "stealth" seen so far will defeat a program integrity check, it will NOT defeat a system integrity check (the six bytes). The fact that few anti-virus programs bother to check system integrity first does not mean that it can't be done or even that it is difficult. Even CHKDSK will reveal most "sucessful" anomalies when resident and "stealth" MUST be resident to work. Padgett ------------------------------ Date: Tue, 19 Mar 91 16:14:57 +0200 >From: Baruch Even Subject: lab policy Hello, My father needs to take care of the computers at his work place. The computers are aranged in a Lab (12 computers) and other computers in offices. The main need is to protect the lab as this can be the main place for viruses to spread from. My father need some guidelines on how to protect the lab from viruses... If you have some knowledge experience or any idea that might work (including suggestions for anti-viruses programs) please send them to me. If there will be interest I'll summarize to the list... Thanks in advance, Baruch Even. P.S. I know the discussion was some time ago but neither me nor my father had interest in the topic... (digests to look for are welcomed too). +-------------------------------------------------------+ | Baruch Even | | | | BitNet - NYEVENBA@WEIZMANN.BITNET | | InterNet - nyevenba@weizmann.weizmann.ac.il | | S-Mail - Ehad Ha'am 19/2, Rehovot 76260, Israel | | | | If Murphy's law can go wrong - it will! | +-------------------------------------------------------+ ------------------------------ Date: Tue, 19 Mar 91 18:49:42 -0500 >From: rreiner@nexus.yorku.ca (Richard Reiner) Subject: programmatic autoexec tampering? (PC) A mighty strange thing happened on one our departmental PCs today. I had just finished using the machine, in the process noting that the new screen saver I had installed a few days ago was working well. I moved to another machine in the room, and someone else sat down to work at the PC in question. Within minutes, she was complaining about a misbehaving screen saver that would not go away. But it was *not* the same screen saver I had seen working -- it was an old one we had removed from autoexec.bat a week before. All this woman had done was to reboot the machine and then start a comms program -- nothing she had done should have altered autoexec.bat in any way, but when I inspected autoexec.bat, its contents were those of a week ago! I had booted the machine a short time earlier, and the current autoexec had run, as evidenced by the presence of the new screen saver. So something replaced autoexec.bat with an old copy of it in the interim between my booting the machine and her booting the machine. I am at a loss to explain this. Is there a known virus or trojan which tampers with autoexec.bat like this? //Richard ------------------------------ Date: Wed, 20 Mar 91 20:10:00 +0700 >From: "Jeroen W. Pluimers" Subject: Italian 'viruskit' is ordinary 'hack' Hello all, I received the following trough bitnet. It is a very bad example of an ordinary hack. _ # (_) Jeroen W. Pluimers (Alias: Charly Chaplin) \___ | _ |~| \ snail: P.O. Box 266 |_| \_ 2170 AG Sassenheim / \ # The Netherlands / \ | phone: +31-2522-11809 18:00-21:00 UTC \ / | fidonet: 2:281/521 (The White House) __\ /__ | fidonet: 2:281/515.3 (Proxyon) bitnet internet - --------------------------------------------------------- PLUIMERS@HLERUL5.BITNET pluimers@rulcri.LeidenUniv.nl FTHSMULD@HLERUL52.BITNET fthsmuld@rulgl.LeidenUniv.nl >By: Righard Zwienenberg >Re: Itialian Virus Board >At: Sun 17 Mar 91 19:51 >---------------------------------------------------------------------- >I just found out one of the most brutal and ordinary 'hacks' I >have ever seen. I am talking about a 'Viruskit', which was sent >to me, abusing Frisk (Parts of F-PROT), McAfee (VIRLIST.TXT), Patricia >Hoffman (VSUM) and Jan Terpstra >(VIRSCAN.DAT). > >The package, being a shareware package, is 'created' by Mauro Bollini >of the Italian Virus Board. While unarchiving the file VKIT600.ZIP, >the following message was be displayed inside a graphic box: > >VIRUSKIT ADVANCED RELEASE 6.00 >Il primo vero anti-virus Made in Italy >Created by Mauro Bollini 1991 >* Shareware Version * > >The first thing I noticed was a 4588 byte .SYS-file named SYSCHECK.SYS. >It tookmy attention because it had the same length as F-PROT's >F-DRIVER.SYS (1.14a). >After a short inspection it turned out to be F-DRIVER.SYS, with >the text translated into Italian and the FRISK001-identifier removed. > >This made me susspicious and I checked out some other files. The >result: > >VIR1.LST => SIGN.TXT of F-Prot, but the virusnames are also coded >VIR2.LST => Slightly modified VIRSCAN.DAT >VIRDOC.TXT => Virus Summary Headers and Reference Chart >VIRUS => Modified VIRLIST.TXT > >I have not had the time to look at all the other files, but on >run-time, most most of them look very familiar to the F-Prot package... >Some of the files were missing because those will be send to one >if one registers... > >The registration-fee for this package is 60.000 lire (about $45)... >Although all documentation is in Italian and I do not read Italian, >there isn't a single document stating the source of all the above >and I doubt if the owners of the original documents/files will >receive a single penny from it... > >The Italian Virus Board recently popped up in the Virus Echo persuading >people to call it. The one sending me this package logged his session >(including a chat with the sysop). It is nice to know that this >system is an 'official member of the european virusnet'. There >was a list displayed with all >'members' and our good 'friend' Todor Toderov was on that same >list as some other known participants of this conference!!! > >It is even more sceptical now, because Mr. Bollini loged on into >INFOdesk claiming to be a researcher and wanted to exchange viruses >to include new ones in his anti-virus-package... > >All data has been or will be forwarded to McAfee, Patti Hoffman, >Frisk and Jan Terpstra so that they can take appropiate action >on this. > >I do not have to state that downloading this package is a waste >of money and unethical, do I? > >[RiZwi] ------------------------------ Date: Wed, 20 Mar 91 14:30:08 -0500 >From: Padgett Peterson Subject: Question ? (PC) Does anyone know of a way to set the return code (ERRORLEVEL) in DOS without using Int 21 Fn 31 or 4C - I need to be able to do this from a TSR. If a method is only available with some versions, please let me know but any thoughts on the subject would be helpful. Thank you, Padgett ------------------------------ Date: Wed, 20 Mar 91 15:42:00 -0400 >From: Dan Wheeler Subject: Plastique 5.21 IBM Virus Report (PC) Several IBM PS/2 computers have been infected at Le Moyne (Syracuse, NY) with what has been reported by IBM's VIRSCAN as the Plastique 5.21 virus (source unknown). We're virus novices - besides removing the machines from use and scanning other machines and disks, what should I do now before using the infected machines? [Ed. Follow-ups on VIRUS-L/comp.virus or private email, please.] - -------------------------------------------------------------------------- Dan Wheeler, Academic Support Specialist Information Systems, Le Moyne College, Syracuse, NY 13214-1399 Office (315) 445-4582/4565 Home (315) 655-8193 WHEELER@LEMOYNE.BITNET - -------------------------------------------------------------------------- ------------------------------ Date: Wed, 20 Mar 91 06:59:55 +0000 >From: rmason@netcom.COM (Bob Mason) Subject: Alternatives to Floppy booting Bob Eager outlines a revision of a method given in the first reference for getting boot sectors onto a floppy diskette. jai@lab.ultra.nyu.edu (Benchiao Jai) states that the NYU Ultra Lab is running MINIX as a process under DOS. Our MINIX-OS class is presently using floppies to boot the system (v1.2) on AT-clones. We would like to eliminate all booting from floppies by recabling the drives. This is needed to prevent the spread of the stoned virus on the C: partition (Minix is on the D: partition). I see at least two solution strategies: either start up MINIX as a process under DOS (as NYU Ultra does), or have MINIX booting directly off the D: partition. The second method requires us to put MINIX boot sectors on the D: partition and provide some "user transparent" switch-active-partition software that is accessible from either partition. Perhaps a .logoff file on the MINIX side could access the switch program directly, since we run DOS most of the time. If anyone has experience using these methods, or any others, to eliminate booting from floppy, please post a message to this newsgroup. We need your help. You can also send mail directly to me (rmason@netcom.com) or to Ken Majithia (majithia@calstate.bitnet). Thanks very much. - --------------------------------------------------------------------------- Bob Mason - Computer Engineering student at SJSU. (rmason@netcom.com) - --------------------------------------------------------------------------- ------------------------------ Date: Wed, 20 Mar 91 18:30:32 +0000 >From: mrs@netcom.COM (Morgan Schweers) Subject: Re: PKLITE and hidden virus (PC) JPINSON@uga.cc.uga.edu (Jim Pinson) writes: >I know some of the virus scanners will look within executable files >that have been compressed with LZEXE. I believe they scan both before >and after expansion. Specifically we decompress partially in memory and check for the virus in the decompressed code as well as doing a standard check on the outside of the file. >Lately I have been using PKLITE to compress executables, and wonder if >any Virus scanners are capable of looking within the compressed files. > >Does anyone have any info on the subject? > >Thanks. > >Jim Pinson University of Georgia Greetings, I've spent a long amount of time attempting to provide PKLITE protection, but the method used for compression makes it difficult. I've attempted to talk to Phil Katz about the problem, but I've met a stonewall. I don't have enough knowledge of compression techniques to be able to decompress the code at any reasonable rate of speed. For right now, the only thing I can suggest is to PKLITE -X the files, scan them, and re-PKLITE them. This is, IMHO, a serious security problem. I will point out that the author of LZEXE was quite willing to work with us when the problem was pointed out. I'm sure Mr. Katz would also be, if he considered it a problem. As a general policy, do you think that it would be better to warn users that a file is PKLITE'ed and unscanable or to simply ignore it? Another problem is that PKWare is planning on coming out with a 'professional' version of the program which includes an encryption portion that can not be -X'ed. -- Morgan Schweers +------- All opinions stated herein are the author's only. So there. Neh! I *AM* mrs@netcom.com and ms@albert.ai.mit.edu. One or the other *WILL* reach me. Enjoy! ------------------------------ Date: Thu, 21 Mar 91 01:27:00 -0400 >From: Subject: Plastique Virus (PC) HAS ANYONE COME ACROSS A VIRUS CALLED PLASTIQUE. IT HAS JUST COME UP N THE IBM PC LAB HERE AT LE MOYNE COLLEGE. WE IDENTIFIED IT VIA IBM'S 12/90 VIRUS SCAN PROGRAM. SO FAR, INDICATIONS HAVE BEEN THAT AN INFECTED PC WILL START PLAYING A SONG AFTER IT HAS BEEN ON FOR HALF AN HOUR. NONE OF THESE PC'S ARE HOOKED INTO AN LAN. THE VIRUS HAS COPIED ITSELF INTO THE EXE FILES. OFTEN, THE INFECTED MACHINES WON'T BOOT. THEY ACT AS IF THERE IS A NON-SYSTEM DISK IN THE DRIVE UPON BOOTING. ONE OF THE HARD DRIVES HAS GONE COMPLETELY DOWN, AND THAT COMPUTER CAN'T EVEN BE BOOTED WITH DOS FROM A FLOPPY. IF YOU HAVE ANY INFO/QUESTIONS/ETC., PLEASE GET IN TOUCH WITH ME THANK YOU. JAY AMORIELL LE MOYNE MICROLAB STUDENT MGR AMORIEWJ@LEMOYNE 315/445-4106/6465/6320 ------------------------------ Date: Thu, 21 Mar 91 16:46:41 +0000 >From: hagins@gamecock.rtp.dg.com (Jody Hagins) Subject: CD ROM as virus protection I do not know the current state-of-the-art, but it seems to me that by acquiring software via CD-ROM will eliminate virus occurances. At least, there is someone to hold responsible, namely, the distributer. Is it practical to expect this to come about? Would distributers take the responsibility of guaranteeing their distributions of being virus-free? In this way, even if the disk changed hands, there is not much chance of it being infected with a virus. If you start with a clean system, and use clean disks for all trabsfers to the computer, this would eliminate alot of problems. This is just a thought. Any feedback? Jody Hagins hagins@gamecock.rtp.dg.com Data General Corp. 62 Alexander Dr. RTP, N.C. 27709 (919) 248-6035 Nothing I ever say reflects the opinions of DGC. ------------------------------ Date: 21 Mar 91 11:36:56 -0500 >From: "PKWARE Inc." <75300.730@CompuServe.COM> Subject: PKLITE and hidden virus (PC) McAffee's scan program will support PKLITE'd files in the future. Doug - -- Douglas Hay PKWARE Inc. 75300.730@CompuServe.COM ------------------------------ Date: Sun, 17 Mar 91 12:24:00 -0500 >From: WHMurray@DOCKMASTER.NCSC.MIL Subject: DPMA Talk - "A NEW STRATEGY FOR COMPUTER VIRUSES" [Ed. The complete text of this paper is available by anonymous FTP on cert.sei.cmu.edu in the pub/virus-l/docs directory under the filename of virus.strategy.whm] William H. Murray Deloitte & Touche Wilton, Connecticut A New Strategy for Computer Viruses PREFACE This presentation was prepared for and delivered to the "DPMA 4th Annual Virus and Security Conference" on March 14, 1991. ABSTRACT This presentation argues that it is time for a new strategy for dealing with computer viruses. It reviews the present strategy and suggests that it was adopted before we knew whether or not viruses would be successful. It points out that this strategy is essentially "clinical." That is, it treats the symptoms of the virus without directly dealing with its growth and spread. It presents evidence that at least two computer viruses, Jerusalem B and Stoned, are epidemic, that more copies are being created than are being killed. It argues that simply the growth of the viruses, without regard to their symptoms, is a problem. It argues that it is now time for an epidemiological approach to viruses. A keystone of such an approach will be the massive and pervasive use of vaccine programs. These programs are characterized by being resident, automatic, getting control early, and acting to resist the very execution of the virus program. The presentation notes that there is significant resistance to such a strategy and, specifically, to the use of such programs. It addresses many of the arguments used to justify this resistance. It concludes that we will ultimately be forced to such a strategy, but that, given the growth of the viruses and the resistance to stragtegy, we will not likely act on a timely basis. ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 46] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253