VIRUS-L Digest Thursday, 2 May 1991 Volume 4 : Issue 73 Today's Topics: STONED Info Needed (PC) Re: What's so bad about self-extracting archives? Virus help sought (PC) New Viruses ? (PC) FRODO (4096) found at NIH (PC) New files on MIBSRV (PC) Re: PREVENTION of Drive A: boots - Suggestions Please (PC) Info on PRINT SCREEN P-2 VIRUS (PC) F-prot v1.13 (PC) Product Test - IBM Anti-Virus Product (PC) Questionnaire VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Tue, 30 Apr 91 21:56:54 +0000 >From: red@iti.org (Ronald E. Dalton) Subject: STONED Info Needed (PC) I would greatly appreciate any information readers may have on how Stoned is spread, especially in a Novell environment. Since this is probably a repeated request please mail replies. (red@iti.org) Thanks in advance. ------------------------------ Date: Wed, 01 May 91 10:20:00 >From: Murray_RJ@cc.curtin.edu.au Subject: Re: What's so bad about self-extracting archives? magnus%thep.lu.se@Urd.lth.se (Magnus Olsson) writes: > I'm sorry if this question seems a bit naive, but why are people so > concerned about the risk of virus-infected self-extracting archive > files? > > Can't you just first run the archive file through your favourite virus > checker, and if it passes the test extract it, and then test the > individual files that were inside it? Or have I missed something? Well, yes, I suppose you could, but it involves an extra step which is unnecessary. The other objection I have with self-extracting archives is that you're stuck with extracting the whole lot, even if you only want to find out what the !@#$%^&*() thing does. If it's not a self-extracting archive, you can use a shell like SHEZ (or, even, just extract the .doc files) and do it much faster and easier. .....Ron =============================================================================== Internet: Murray_RJ@cc.curtin.edu.au | "You can lead a horse to ACSnet: Murray_RJ@cc.cut.oz.au | water, but if you can Bitnet: Murray_RJ%cc.curtin.edu.au@cunyvm.bitnet | get him to float on his UUCP : uunet!munnari.oz!cc.curtin.edu.au!Murray_RJ | back you've really got Amateur Packet Radio: VK6ZJM@VK6BBS.#WA.AUS.OC | something" TCP/IP: 44.136.204.14, 44.136.204.19 | -- Murphy's Law I =============================================================================== ------------------------------ Date: Wed, 01 May 91 13:27:25 +0100 >From: T Dowling Subject: Virus help sought (PC) I wonder whether anybody can help me please ? I have managed to pick up a virus, on a PC, which adds between about 1580 and 1595 bytes to the end of .COM, .EXE, .OVL, and several other files. Apart from this, there seems to be no other effect to the system. A friend ran a virus checker program on one of the files, which identified the virus as 'A mutation of the Green Catapiller virus', but was unable to remove the virus. Does anybody have any information on this virus please, or know what event will trigger it off ? Thanks in anticipation, Tim Dowling. (csc216@uk.ac.lancs.comp). ------------------------------ Date: Wed, 01 May 91 10:34:48 -0400 >From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: New Viruses ? (PC) Recently, I have received questions from two different people concenting activities that sound suspicious yet do not match any of the charactoristics that I am aware of. If anyone has further information, elucidation would be appreciated. Oddity #1: Several XT class machines exhibit the following: all Master Boot Records (partition table) have 17 bytes written into offset ACh-BDh (immediately before P-table). These bytes are an executable fragment containing the following assembly code: 1E PUSH DS 07 POP ES BB007C MOV BX,7C00 B90100 MOV CX,0001 BA8000 MOV DX,0080 000000 I am told that any attempt to replace the MBR results in an unbootable machine and if the locations are zero'd using Norton, the code immediately reappears. Oddity #2: Single 386/SX20 found the an unusual MBR which appears to be the second half of "something". The MBR will operate normally if called with DX=0. If called with a non-zero DX and if a data area from offset 03-15 is filled, amoung other activities, an interrupt between 42h and 59h will be trapped (which one is found in the data region, unfilled in the fragment I received). The code has all of the normal error messages and appears otherwise normal e.g. no attempt to modify 413 is made. If any reader has seen anything like this, a reply would be appreciated. Warmly (only 93 yesterday) Padgett ------------------------------ Date: Wed, 01 May 91 12:10:49 -0400 >From: Subject: FRODO (4096) found at NIH (PC) Just wanted to report that we were recently infected by virus FRODO (4096) in PC and network server. This virus apparently was imported from Israel. It appears that Norton Anti-virus works well in destroying this virus. We would appreciate any more information/comments about this virus from readers. Bob Ketterlinus NIH/LCE/SSED ------------------------------ Date: Wed, 01 May 91 15:26:43 -0500 >From: James Ford Subject: New files on MIBSRV (PC) New files have been uploaded to MIBSRV for anonymous FTP in the directory pub/ibm-antivirus. They are: clean77.zip - McAfee's Clean version 77 scanv77.zip - McAfee's Scan v77 netscn77.zip - McAfee's NetScan v77 vshld77.zip - McAfee's VirusShield v77 vsum9104.zip - Hoffman's Virus Summary List, April 1991 edition (binary) vsum9104.txt - Hoffman's Virus Summary List, April 1991 edition (text) - ---------- All progress stems from change but all change is not necessarily progress. - ---------- James Ford - JFORD@UA1VM.UA.EDU, JFORD@mib333.mib.eng.ua.edu The University of Alabama (in Tuscaloosa, Alabama) ------------------------------ Date: 01 May 91 16:23:50 +0000 >From: chap@art-sy.detroit.mi.us (j chapman flack) Subject: Re: PREVENTION of Drive A: boots - Suggestions Please (PC) davidsen@crdos1.crd.ge.COM (Wm E Davidsen Jr) writes: >I mailed this to the original poster, but here's my idea. I suggested >it to a vendor, but they haven't used it, or at least not yet. > >Have in the CMOS a "boot path" which works like the PATH variable, and >specifies which devices are to be tried, in what order. This allows >disable of floppy boot, as well as boot from B: if A: fails or if you >have one 5-1/4 and one 3-1/2, etc. > >Use a password to allow access to change the configuration. If the >password takes too much room, save three bytes of CRC20 plus a value >for length range 1-15 characters. Length zero could mean "no >password." AST Research implements all of this. They included every detail needed to make a workable system: 1) you can set a boot path in the CMOS, 2) the setup program is in firmware, so you can change the boot path if you can't boot, 3) a password can be required to get into the firmware setup. Then they added a "feature": if the hard drive won't boot, it will automatically override your boot path and boot the diskette. Grr. Furthermore, if your hard drives are on a SCSI, it NEVER believes you have a hard drive, so it ALWAYS overrides your boot path. GRR. This is because it only checks the CMOS to see if you have a hard disk, rather than following the drive parameter table vector to see if there's a table. This is /* flame ON */ inexcusable, because there are tons of disk subsystems, not just SCSI, that have their own firmware and build their own parameter tables. This is common knowledge. *Sigh*. They were close... I think IBM got it all right in the PS/2 firmware. But you have to buy a PS/2 to get it.... - -- Chap Flack Their tanks will rust. Our songs will last. chap@art-sy.detroit.mi.us -Mikos Theodorakis Nothing I say represents Appropriate Roles for Technology unless I say it does. ------------------------------ Date: 01 May 91 19:54:36 +0000 >From: salim@zach.fit.edu (Salim) Subject: Info on PRINT SCREEN P-2 VIRUS (PC) I am looking for information on the Print Screen P-2 virus. Seems like there is no cure except to reformat the disk. If anyone knows of a vaccine to cure this virus, I would be very thankful for the name of the vaccine and where I could find it. Any help or advice would be greatly appreciated. Salim. ------------------------------ Date: 02 May 91 14:01:44 >From: hemmo@machina.hut.fi (Juha Hemminki) Subject: F-prot v1.13 (PC) I would like to know why the version of F-chk I have (1.13) wants to write a temporary file called LZ__TEMP.TMP to DOS current directory. That happens only when f-fchk scans INST_DSK.EXE from hyperdisk speedkit. The tmp file is always deleted after scan. Size of the TMP file si 22888 bytes and it seems to have code from the scanned file in it. I would like to know what causes this. None of the virus scanners I have available has reported any virusinfection. Any suggestions or information is appreciated BUT PLEASE REPLY BY E-MAIL. - -- H E M M O Juha Hemminki hemmo@machina.hut.fi The last true gentleman alive ------------------------------ Date: Mon, 29 Apr 91 15:09:01 -0700 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Product Test - IBM Anti-Virus Product (PC) ******************************************************************************* PT-34 April 1991 ******************************************************************************* 1. Product Description: The IBM Anti-Virus Product is a program to detect computer viruses in the PC-DOS (MS-DOS) and OS/2 environments. [Ed. The remainder of this product review has been placed on cert.sei.cmu.edu, for anonymous FTP, in pub/virus-l/docs/reviews/mcdonald.ibm.anti-virus. Thanks Chris!] ------------------------------ Date: 09 Apr 91 16:10:40 +0100 >From: P.A.Taylor@edinburgh.ac.uk (Paul A. Taylor) Subject: Questionnaire [Ed. I would simply like to emphasize that this questionnaire is entirely optional.] Here's a questionnaire concerned with computer security and its related issues. Please complete it by replying with the question number and the number of the option listed with it, that most closely corresponds to your view. I am in the second year of a PhD investigating the issue of computer security in its social context. All responses will be treated with total confidentiality and none of their content will be used verbatim in the research without the prior consent of the respondent. I EMPHASISE THAT THIS RESEARCH IS FOR PURELY ACADEMIC PURPOSES. VERIFICATION OF MY ACADEMIC STATUS AND NATURE OF THE RESEARCH CAN BE SUPPLIED UPON REQUEST, AS WILL THE FINDINGS WHEN EVENTUALLY COLLATED AND ANALYSED. Q1) What is your nationality? Q2) What is your gender? [1] Male [2] Female Q3) What is your age? [3] 15-20 [4] 21-30 [5] 31-40 [6] Over 40 Q4) What is your job title? Q5) Which of the following best describes your organisation? [7] academic [8] commercial manufacturing [9] commercial R&D [10] consultancy [11] commercial services (e.g. banking) [12] public serivices [13] other (please state) Q6) Which of the following are features of your computing environment? [14] central multi-access mini/mainframe(s) [15] single-worker workstations [16] local area network(s) [17] wide area network(s) Q7) How would you describe the computing security arrangements and practices within your organisation? [18] too strict [19] adequate [20] lax Q8) Do you have any formal qualifications in computing? e.g. [21] B.Sc. [22] M.Sc. [23] Ph.D. [24] other (please state) Q9) What's the length of your professional experience? [25] 1-5 years [26] 6-10 years [27] 11-15 years [28] more than 15 years Q10) Name any professional or computer-orientated interest group to which you belong. Q11) How long have you maintained a serious interest in computing? [29] 1-5 years [30] 6-10 years [31] More than 10 years Q12) Would you describe this interest as: [32] mainly professional [33] professional and recreational (please describe the latter) Q13) Have you ever had experience of... [34] a malicious hack [35] a harmless browse [36] a viral-type incident [37] none of these Q14) If so, how many times? [38] 0-5 [39] 6-10 [40] more than 10 Q15) Was it... [41] a virus [42] a worm [43] a trojan horse [44] none of these, please specify. Q16) How serious were the problems it caused? [45] very [46] not very [47] not at all serious Q17) Would you say that the computing industry's concern about viruses has been... [48] about right [49] insufficient [50] excessive [51] hysterical Q18) Would you describe non-destructive unauthorised access to data as a crime? [52] yes [53] no [54] don't know Q19) Are you happy with current legislation concerning computer security? [55] yes, it's about right [56] no, it's too draconian [57] not strong enough [58] don't know Q20) Do you think the computing industry would gain from a more professional structure? [59] yes [60] no [61] don't know Q21) In your view, who poses the greatest threat to systems/data security? [62] "insider" disaffected employees [63] "external" cracker/browsers [64] about the same risk Q22) Do you think there are any potentially useful aspects to virus- producing techniques? (e.g. serendipitous improvements in programming methods) [65] yes, please specify [66] no [67] don't know Q23) Are there any beneficial (side) effects to system-breaking? [68] yes, please specify [69] no [70] don't know Q24) Do you have any knowledge or interest in "Cyberpunk" culture/ fiction? [71] yes [72] no Q25) Do you think that browsing/cracking/virus incidents, will, in the future... [73] increase [74] decrease [75] stay the same THANK YOU FOR YOUR TIME AND EFFORT, PLEASE CONTACT ME BY E-MAIL IF YOU WOULD LIKE TO DISCUSS THESE ISSUES IN MORE DEPTH OR IF YOU ARE INTERESTED IN THE RESULTS OF MY RESEARCH. Paul A. Taylor, Depts of Economics and Politics, University of Edinburgh. ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 73] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253