VIRUS-L Digest   Tuesday, 16 Apr 1991    Volume 4 : Issue 62

Today's Topics:

Is virus infection by inserting floppy disk possible? (PC) (Mac)
Do any viruses affect Novell? (PC)
EMPIRE Virus (PC)
Self-extracting archive files (PC)
SCUD Virus (PC)
Re: Joshi Virus in part. table (PC)
Joshi Virus (IBM)
Re: Infoworld article
Re: Azusa (PC)
EMPIRE virus (contd)
Gatekeeper 2.0 (Mac)
scan76-c.zip / vshld76c.zip (PC)
Re: Is virus infection by inserting floppy disk possible? (PC) (Mac)
Azusa Virus (PC)
Stoned removal from memory (PC)
Amiga Virus Listing (Amiga)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 11 Apr 91 19:11:52 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Is virus infection by inserting floppy disk possible? (PC) (Mac)

diblasi@mail-gw.ncsl.nist.gov (Thomas DiBlasi) writes:

> Is it possible for a virus, trojan, worm, etc. to infect a hard disk
> or RAM simply by inserting an infected floppy into a drive without
> execution??

A short answer: on a Mac, yes.  However, most of the Mac virus
protection programs do automatic detection on disk insertion.

On a PC: no.  Or at least, not with standard machines.  (I use an old
NEC laptop for my comm sessions, and it growls at every disk insertion
so it must be doing *something*.  But most PC's don't.)

=============
Vancouver         p1@arkham.wimsey.bc.ca   | "Is it plugged in?"
Institute for     Robert_Slade@mtsg.sfu.ca | "I can't see."
Research into     (SUZY) INtegrity         | "Why not?"
User              Canada V7K 2G6           | "The power's off
Security                                   |  here."

------------------------------

Date:    Thu, 11 Apr 91 19:26:02 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Do any viruses affect Novell? (PC)

dweissman@amarna.gsfc.nasa.gov (WiseGuy) writes:

> What viruses (if any) affect Novell local area networks?  Any DOS
> virus?  Over a broadband/ethernet LAN?

I used to tell people that "why should a virus work on a network?
Nothing else does!"  However, that doesn't appear to be the case.

Because of remapping of interrupts by network "shells", many viral
programs will not work properly on a network.  However, a number do.
Network protection seems to be fairly effective against most, but not
necessarily all, of these, so networks do seem to provide a measure of
protection above that of "plain" MS-DOS.

The people at Novell do not like unsubstantiated claims of viral
programs that purportedly bypass network security, and you can't blame
them.  Unfortunately, substantiation is not always easy to come by, vis
the company that called me about a program which reported itself as the
"ICK virus" and was trashing their system.  In spite of the fact that
*they* were calling *me* as an expert in the field, they would not
allow me to examine their system.  Odd ideas of security there ...

=============
Vancouver         p1@arkham.wimsey.bc.ca   | "Is it plugged in?"
Institute for     Robert_Slade@mtsg.sfu.ca | "I can't see."
Research into     (SUZY) INtegrity         | "Why not?"
User              Canada V7K 2G6           | "The power's off
Security                                   |  here."

------------------------------

Date:    Fri, 12 Apr 91 14:21:16 -0400
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: EMPIRE Virus (PC)

In my previous alert on the EMPIRE virus, I had not yet seen the second
sector with the transposed text.  Since then I have received this also
and thanks to WordStar (plug) here is the decrypted text.  Note that
each sentence is a single line and relies on text-wrapping by the
terminal for legibility.

After study, I suspect that the virus was written at first, possibly
with a different message, and had this message inserted later, possibly
by a different person - is this a quote?

                                        Warmly, Padgett

Text of encrypted message follows:

I'm becoming a little confused as to where the "evil empire" is these days.
If we paid attention, if we cared, we would realize just how unethical this impending war with Iraq is, and how impure the American motives are for wanting to force it.
It is ironic that when Iran held American hostages, for a few lives the Americans were willing to drag negotiation on for months; yet when oil is held hostage, they are willing to sacrifice hundreds of thousands of lives, and refuse to negotiate .......

------------------------------

Date:    Fri, 12 Apr 91 11:12:54 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Self-extracting archive files (PC)

We've had various discussions on the merits of "archived" and
"self-extracting" files for virus protection.  The following is from a
local bulletin board:

Original message from: Rene Blais, to: All

-ffected by the presence of header and trailer information.  However,
in the case of the newer "spawning" viral programs, this procedure does
nothing at all for detection, because "spawning" viri never touch the
original file, relying on MS-DOS's "execution order preference" for
.COM files, and creating a separate virus file.  The separate file may
be hidden from detection in various ways, and still be "infectious."

=============
Vancouver         p1@arkham.wimsey.bc.ca   | "Don't buy a
Institute for     Robert_Slade@mtsg.sfu.ca |  computer."
Research into     (SUZY) INtegrity         |  Richards' First
User              Canada V7K 2G6           |  Law of Data
Security                                   |  Security

------------------------------

Date:    12 Apr 91 20:01:34 +0000
From:    ray@philmtl.philips.ca (Ray Dunn)
Subject: SCUD Virus (PC)

We are investigating a possible minor infection by a virus which
infects the master boot partition record of IBM compatibles and which
can be identified by the letters SCUD appearing in its body.

At present we know very little about it other than the fact that it
appears to corrupt the hard disk and may also (in another incarnation?)
corrupt the CMOS, specifically by changing the floppy disk type
configuration.

We are still at a very early stage of the investigation, i.e. we
haven't separated the facts from the misinformation yet, so I apologize
for the vagueness.

If anyone has any knowledge of such a virus, I'd appreciate it if they
got in touch with me ASAP.

Thanks, I'll post the eventual outcome.

--
Ray Dunn.                    | UUCP: ray@philmtl.philips.ca
Philips Electronics Ltd.     |       ..!{uunet|philapd|philabs}!philmtl!ray
600 Dr Frederik Philips Blvd | TEL : (514) 744-8987 (Phonemail)
St Laurent. Quebec. H4M 2S9  | FAX : (514) 744-9550  TLX: 05-824090

------------------------------

Date:    13 Apr 91 02:25:56 +0000
From:    paul@parsifal.econ.yale.edu (Paul McGuire)
Subject: Re: Joshi Virus in part. table (PC)

padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:

>>From: awl@extro.ucc.su.oz.au (Tony Locke)
>
>>We have a machine with Joshi on it and can't find something to kill
>>it.  Anyone have any ideas (have tried SCAN 74B)
>
>As I recall, the Joshi stores the real MBR (partition table) code in
>cyl 0 head 0 sector 9 (should be able to tell by looking).
>To recover, just cold boot from a known clean write-protected floppy and
>use DEBUG to copy the real MBR back to sector 1.  The rest of the virus code
>will still be on (hopefully) unused sectors on cyl 0 but will be cut off from
>execution & harmless.

I have an IBM-AT that won't boot from drive c:, but comes up fine from
a floppy, at which point the c: drive seems to be okay.  FPROT114
f-fchk tells me my files are fine, f-syschk tells me my memory is fine,
however f-disinf tells me I have Joshi but fails to cure it.  I tell
f-disinf to cure it, it says I'm cured, but if I run it again it again
tells me I'm infected and the computer still won't boot from the hard
disk.

Is this an FPROT bug?  Am I perhaps multiply infected?  Can I trust the
identification of Joshi and perform the above sector 9 to sector 1
copy, or does FPROT's failure indicate more serious problems that the
copying won't fix or will make worse?

Thanks for any help,

Paul McGuire

------------------------------

Date:    Sat, 13 Apr 91 13:51:00 -0400
From:    "MICHAEL L. LERNER"
Subject: Joshi Virus (IBM)

My friend's hard drive has been infected by the Joshi Virus.  It's
taking up about 4-6K at present, and it's messing with his 5 1/4
drive...  He ran a program that is supposed to kill viruses, but it
didn't help.  Does anyone know how to get rid of this particular virus?
Any help will be appreciated.

Mike

------------------------------

Date:    13 Apr 91 17:16:16 +0000
From:    tssi!dsndata!nolan@uunet.UU.NET (Michael Nolan)
Subject: Re: Infoworld article

padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) writes:

>ps I left a similar message on Mr. Cringely's voice mail system.  It
>   has not been returned.

Try cringe@mcimail.com.  You're much more likely to get a reply by
e-mail.

------------------------------

Date:    Sun, 14 Apr 91 01:18:43 -0700
From:    128a-1ha@web-4e.berkeley.edu ()
Subject: Re: Azusa (PC)

padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:

>
>        It seems that quite a few folks are getting hit by the AZUSA
>virus.  Removing it, while not very difficult, is complicated by the
>fact that the virus has completely overwritten the master boot record
>code so that the original cannot be simply retrieved from another
>location as with most such viruses (STONED, JOSHI, etc).  Since the
>virus has also overwritten the ASCII warning messages, simple patching
>of the virus code to remove the infection is not a good solution.
>
>  ...source code deleted...

I got a copy of the virus from my friend.  I did find a copy of the
original boot sector on the disk (floppy), not sure about the partition
table though since my hard drive is not infected; it was located on the
second to the last sector.  Does anyone know whether this virus infects
all floppies or just some?  I am planning to write a program to write
the orig boot sector back, since my version of clean does not recognize
it yet.  Are there any virus experts against this?  Say so fast, my
program is almost ready..

--Nelson
--128a-1ha@web.berkeley.edu

------------------------------

Date:    Mon, 15 Apr 91 08:36:15 -0400
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: EMPIRE virus (contd)

Since the last posting (Virus-L and Valert-L), yet another strain of
the EMPIRE virus has appeared.  For the moment it would seem that the
University of Alberta (Canada) is the only victim.  The second strain
has the same characteristics except that this one encrypts each
infection differently.  For the moment, the best detection is by the
initial JMP which is the same in both strains and is the virus's
signature to itself.

"EA 9F 01 C0 07" - jmp 07C0:019F, this will pick up both.

                                        Warmly, Padgett

------------------------------

Date:    Mon, 15 Apr 91 12:47:40 +0000
From:    bgrubb@hpuxa.ircc.ohio-state.edu
Subject: Gatekeeper 2.0 (Mac)

In response to my comp.virus post I got this e-mail message from
ntg!dplatt@apple.com (Dave Platt) of New Technologies Group, Inc.
Palo Alto CA:

<2.0 will probably be some time in arriving... it turned out to be a>

Can anyone out there validate this.  If so what does the Version 1.2
interface look like and exactly what has been improved.  And this time
post the answer on comp.virus on comp.virus but that's just a guess.

------------------------------

Date:    Mon, 15 Apr 91 09:52:32 -0500
From:    James Ford
Subject: scan76-c.zip / vshld76c.zip (PC)

The following files have been placed on mibsrv (130.160.20.80) in the
directory pub/ibm-antivirus:

   scan76-c.zip
   vshld76c.zip

These files replace scanv76.zip and vshld76.zip.  The file clean76.zip
has been removed until a maintenance release is issued from Homebase.
Clean75.zip is still available for downloading.

----------
A road map always tells you everything except how to refold it.
----------
James Ford - JFORD@UA1VM.UA.EDU, JFORD@mib333.mib.eng.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)

------------------------------

Date:    15 Apr 91 15:28:37 +0000
From:    CAH0@gte.com (Chuck Hoffman)
Subject: Re: Is virus infection by inserting floppy disk possible? (PC) (Mac)

diblasi@mail-gw.ncsl.nist.gov (Thomas DiBlasi) writes:

>
> Is it possible for a virus, trojan, worm, etc. to infect a hard disk
> or RAM simply by inserting an infected floppy into a drive without
> execution??

Yes, the WDEF virus on the Macintosh can do this.  By the time the icon
for the floppy appears on the screen, ALL the disks shown on the screen
will have been infected, both hard disks and floppies.  WDEF is benign,
and is easily deleted, and is detected by Virex before the icon appears
on the screen, but the answer to your question is yes.

WDEF is the only virus I have been hit with.  A friend sent me a text
file with a description of (you guessed it) WDEF infections!  I also
got a shrinkwrapped diskette from a software subscription service which
had WDEF on it, but by then I had Virex on the system so the system did
not pick up the WDEF.

- Chuck Hoffman, GTE Laboratories, Inc. | I'm not sure why we're here,
cah0@bunny.gte.com                      | but I am sure that while we're
Telephone (U.S.A.) 617-466-2131         | here, we're supposed to help
GTE VoiceNet: 679-2131                  | each other.
GTE Telemail: C.HOFFMAN                 |

------------------------------

Date:    Mon, 15 Apr 91 13:08:17 -0600
From:    J Picazzo
Subject: Azusa Virus (PC)

Hi,

Last week, I was told I was struck by the Azusa virus...  I was told to
use McAfee's SCANv75.  What I found was not the Azusa virus, but one
called AirCop.  Can this virus reside in a network?  How does it work?

J Picazzo
ITESM Campus San Luis - MEXICO

------------------------------

Date:    16 Apr 91 05:12:37 +0000
From:    Paul Evans
Subject: Stoned removal from memory (PC)

I am writing a virus protection utility and am wondering if someone
could give me some insight in how to remove Stoned from memory (besides
rebooting).

thanks

Pevans@jarthur.claremont.edu

------------------------------

Date:    Tue, 16 Apr 91 16:10:00 +1000
From:    BOXALL@qut.edu.au
Subject: Amiga Virus Listing (Amiga)

Does anybody have a list of AMIGA viruses and their actions?  There is
an excellent list available for the IBM PC.  Any info would be
appreciated.

Thanx
Wayne.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 62]
*****************************************
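Padgett Peterson's "EMPIRE virus (contd)" message above gives the virus's initial far JMP ("EA 9F 01 C0 07", jmp 07C0:019F) as the one signature shared by both strains. The following Python routine is an added example, not code from the digest or any of its contributors: it decodes the far jump at the start of a dumped boot sector, computes where the jump lands, and flags the EMPIRE bytes. The sector contents it works on are constructed sample data.

```python
import struct

# Entry-point bytes quoted in the EMPIRE (contd) message:
# EA 9F 01 C0 07  =  JMP FAR 07C0:019F  (opcode EAh, then offset, then segment)
EMPIRE_SIGNATURE = bytes.fromhex("EA9F01C007")
SECTOR_SIZE = 512
BIOS_LOAD_SEGMENT = 0x07C0   # the BIOS loads a boot sector at linear 7C00h


def decode_far_jmp(sector: bytes):
    """Decode an 8086 JMP FAR at offset 0 of a sector.

    Returns (segment, offset, linear_address), or None when the sector
    does not begin with opcode EAh.  Both operands are little-endian
    16-bit words, offset first, then segment.
    """
    if len(sector) < 5 or sector[0] != 0xEA:
        return None
    offset, segment = struct.unpack_from("<HH", sector, 1)
    return segment, offset, (segment << 4) + offset


def jump_stays_in_sector(sector: bytes) -> bool:
    """True when the far jump lands inside the sector's own 512 bytes as the
    BIOS loaded them (07C0:0000-07C0:01FF).  Some boot code does this to
    normalise CS:IP, so it is a reason for a closer look, not proof."""
    jmp = decode_far_jmp(sector)
    return jmp is not None and jmp[0] == BIOS_LOAD_SEGMENT and jmp[1] < SECTOR_SIZE


def looks_like_empire(sector: bytes) -> bool:
    """Match on the first five bytes only, as the message proposes."""
    return sector[:5] == EMPIRE_SIGNATURE


def triage(sector: bytes) -> dict:
    """Summarise the checks a responder would run on a dumped sector."""
    return {
        "full_sector": len(sector) == SECTOR_SIZE,
        "boot_marker_ok": sector[-2:] == b"\x55\xAA",
        "far_jmp": decode_far_jmp(sector),
        "jump_stays_in_sector": jump_stays_in_sector(sector),
        "empire_match": looks_like_empire(sector),
    }


def constructed_sector(prefix: bytes) -> bytes:
    """Constructed sample data only: prefix, zero padding, then the 55 AA
    boot marker.  It is not a real boot sector or virus image."""
    return prefix + b"\x00" * (SECTOR_SIZE - 2 - len(prefix)) + b"\x55\xAA"
```

For the EMPIRE bytes the decoded target is 07C0:019F, linear 7D9Fh, i.e. offset 19Fh inside the infected sector itself.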