VIRUS-L Digest   Thursday, 16 May 1991    Volume 4 : Issue 84

Today's Topics:

Re: PC-security/password
re: The Shape of the World (PC)
PKWare ZIP -AV cracked (PC)
Partition Table Viruses (PC)
Virus destroys data at Oxford Univ (England)
VIRUSSUM format
New Boot Infector (PC)
RM_NOINT Virus Remover (PC)
New INNOC (Version 5) (PC)
Revised Product Test - - VIREX-PC, version 1.20 (PC)
Review of Eliminator (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    Sat, 11 May 91 09:17:00 -0400
From:    "Ignorance HATES Knowledge..........!!"
Subject: Re: PC-security/password

Resent-From: "A. Andrew Brennan"

Thought you might be interested in seeing this - don't know if you are
on this list ...

A. Andrew Brennan
{you don't know me from Adam - but he didn't have a belly button ... }

- ----------------------------Original message----------------------------

I agree that Disk Manager PC is a fantastic product.  It uses a boot
block protection scheme which doesn't let the user bypass it when they
boot with a floppy disk.  It also has some interesting side effects
that may be worth noting --- since this program doesn't allow
modifications to the boot-block of a hard disk -- it tends to inhibit
the reproduction of boot-block type viruses.
This program is NOT marketed by mentioning this -- it simply seems to
be an artifact of the program.  I attempted to infect a DMPC protected
disk with a LIVE boot block virus (of the stealth variety) and it just
didn't work.

Hope that helps a bit!

Bob Martin -- Eastern KY U -- Academic Computing
Bitnet: acsmartin@eku

------------------------------

Date:    Wed, 15 May 91 17:12:49 -0400
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: re: The Shape of the World (PC)

>From: microsoft!c-rossgr@uunet.uu.net

>Remember that we can't even get the user community (the folks who
>spend their hard earned money to buy my products!) to make backups to
>protect themselves.

Partly our fault: we have never taught good hygiene to people.  I
generally back up my data files as they are created.  Since my program
disk is fixed, it is backed up as part of my weekly defrag.  True, most
people who have not had losses do not understand backing up - one
reason why we are looking at things like Bernoulli Transportables as
part of our weekly maintenance and CD-ROMS for standardised software,
and have an annual computer security briefing that emphasizes such
things as backups & how to recognize unusual behaviour.

>Maximal Protection!  That's what the market seems to clamour for.

Because part of the education we have failed to provide is what the
risks really are.  My opinion is that a good regimen (screening &
briefings) plus an integrity routine that will detect anomalies is what
the general population needs.  Detecting intrusion immediately reduces
risks to the point that even quarterly updates (as a scanner would
require) cannot be justified.  A limited number of scanners for the
techs and administrators are justifiable both from a maintenance and a
training standpoint.
For large corporations, the cost of a site license can be lost in the
noise compared to the cost of trying to administer several thousand
updates (5000 PCs x 10 minutes per update x 4 times per year = 1 2/3
man-years, not to mention the distribution nightmare).  Much easier to
take a one-time installation hit plus automatic installation at the
warehouse as part of the distribution process.

>And the marketing dudes I work with closely at Microcom tell me what
>we can lose a site license because of and where our strong points are:

So be the first to offer BIOS level checking & authenticated paths as
part of the boot process.

>So, when one of our competitors says "Yes, but do you want to risk
>even the slightest chance of getting infected with this virus if it
>escapes into the wild.", my marketing can respond "Ha!  We already
>protect you against that nasty virus!".

How about "There are only x ways a virus can get into a system.  If it
is a virus we have seen, we will identify it.  If it is something else,
we will detect the change and warn the user immediately.  Nothing can
identify an unknown virus, but its activity can be detected."

Of course the biggest problem is elimination of false positives, but a
dollop of AI should permit the program to learn who is permitted to do
odd things.  In my experience, most corporate environments are stable
enough to make the learning period short.  In the last year we
installed such a package on many thousands of PCs with nearly every
known program and every OS from DOS 2.x to beta versions of DOS 5, and
the major problems (development machines, Zeniths writing to boot
sectors, word processor quirks) were annoying but relatively easy to
solve.  Today, when a user gets a warning screen, it is usually a virus
or other "anomaly" that we needed to know about anyway.

As far as what the user wants, quantum economics applies.
There are certain things that are automatic disqualifiers: noticeably
degraded performance, insufficient free memory to run programs,
excessive false alarms, failure to detect well known viruses.  Only
once these step functions are satisfied will relative merits/demerits
such as cost (no. 1), ease of installation, documentation, & support
come into play on a linear decision basis.

Today, the sheer diversity of anti-viral products demonstrates that, as
in pointing devices and user interfaces, the One True Answer has yet to
be found.

                                        Warmly,
                                                Padgett

everything herein my own opinion & may or may not have any relation
to reality

------------------------------

Date:    Wed, 15 May 91 17:13:00 -0600
From:    Keith Petersen
Subject: PKWare ZIP -AV cracked (PC)

I have received word from a reliable source that there is now a PKWare
ZIP authentication verification (-AV) cracker going around called
MAKEAV.  It will generate registration numbers so that people can
create their own serialized ZIPs.

MAKEAV was apparently used to make the bogus SCANV78.ZIP which was
warned about in a recent posting by McAfee Associates.

PKWare has been notified.

Keith
- - - -
Keith Petersen
Maintainer of SIMTEL20's MSDOS, MISC and CP/M archives - [192.88.110.20]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil or w8sdz@vela.acs.oakland.edu
Uucp: uunet!wsmr-simtel20.army.mil!w8sdz        BITNET: w8sdz@OAKLAND

------------------------------

Date:    Wed, 15 May 91 21:39:50 -0230
From:    "Anthony H. Galway"
Subject: Partition Table Viruses (PC)

Our PC labs have recently become victim of several partition table
viruses, namely Bloody!, Azusa and Stoned.  I find that McAfee's CLEAN
works well on the STONED, allowing it to clean the partition table
almost all the time (rarely, though it happens, it seems to be too far
gone and I end up doing a format), but the BLOODY! virus seems to be a
bit more advanced; more often than not the CLEAN program claims that it
can not safely remove the virus from the partition table ...
and so ....format C:!

Now am I the absolute soul of naivete by taking this action, or am I
doing the only thing possible?  Is there any better anti-viral around
that can handle partition table problems?  If not, is there any way to
better protect ourselves?

FYI: We use the latest version of Scan, Vshield, and Clean taken from
Simtel (we have the site licence), plus we are not averse to getting a
better package commercially if it will satisfactorily protect us.

P.S. Where can I get a comprehensive list of the effects and symptoms
of known viruses?

I appreciate any help.

- --
Anthony H Galway            |\_/|   I tried to think up something either
tony4@garfield.cs.mun.ca    (` ')   profound or witty to put here ......
tony@piglet.engr.mun.ca      |"|    I couldn't.

------------------------------

Date:    Thu, 16 May 91 09:09:52 +0100
From:    Anthony Appleyard
Subject: Virus destroys data at Oxford Univ (England)

(from Daily Telegraph (UK national newspaper), Wed 15 May 1991)

[University computer virus wipes out studies]

The work of dozens of students and researchers at Oxford University
has been destroyed by a computer virus.  The virus was brought into
the university on a contaminated floppy disk and unwittingly passed on
from terminal to terminal.  As a result, thousands of hours' work were
lost, including several entire theses.

The virus had been designed in Spain as a protest against telephone
charges.  Once fed into a computer's memory, it lay unnoticed, growing
each time the machine was switched on.  On the 400th occasion, it came
to life, garbling everything stored in the computer and filling the
screen with a message in Spanish saying "Lower tariffs, more service".

Thames Valley police Fraud Squad are to link up with Spanish police to
try to trace the culprits, although Det Sgt Gerald Causer said it was
unlikely that any charges could be brought.  "Students and researchers
move from computer to computer within the university and unwittingly
spread the virus.
This is a particularly nasty one and the university is the first place
in Britain where it has been discovered." he said.

{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Thu, 16 May 91 09:00:08 BST

------------------------------

Date:    Thu, 16 May 91 16:09:14 +0000
From:    kuhnle@ait.physik.uni-tuebingen.de (Volkmar Kuhnle)
Subject: VIRUSSUM format

For about half a year, I regularly acquired the new VIRUSSUM.DOC by
Patricia Hoffman.  Compliments to Mrs. Hoffman for her excellent and
detailed work!

But over the months a lot of new viruses (and strains of existing
ones) have been uncovered, so that VIRUSSUM.DOC grew in size.  Since
the current version is more than 500 K in length, it is getting harder
and harder to find information about a specific virus in a file of
this size, since I have to use a normal editor.

I came to the conclusion that an ASCII file is not appropriate for the
distribution of so much data.  Therefore I would suggest supplying
future versions as DBF files (dBase format).  Database programs which
are able to read DBF files are very common in the PC world.  And it
would be much easier to find information about a virus quickly in a
DBF file than in an ASCII file.

Any suggestions?  Please e-mail them to this list, because I want to
start a discussion about the distribution of virus information.

Volkmar Kuhnle
kuhnle@aitxu2.ait.physik.uni-tuebingen.de

------------------------------

Date:    Thu, 16 May 91 02:55:07 -0400
From:    MMCCUNE@sctnve.BITNET
Subject: New Boot Infector (PC)

Here is a new boot infector.  I have a removal utility called NO_NOINT
that removes it.  It will be available on most FTP sites soon.  I have
also updated my INNOC utility to INNOC5 to handle this new virus.

....

Noint Virus
-----------
(The Furtive Stoned Virus)

The Noint Virus was reported by Todd Fisher of Cleveland, OH, in May
of 1991.  This is a furtive Boot Sector infector capable of infecting
Hard disks as well as diskettes.
It was reported that Noint can infect Novell networks.

The action of Noint is reminiscent of that of the Stoned virus.
(Stoned is the most prevalent Boot-sector virus in the US).  Since
Noint has, in addition, the ability to hide itself -which the Stoned
does not- it's possible that Noint may become even more widespread
than the Stoned in time.

The virus spreads ONLY by booting (or attempted booting) from an
infected disk(ette).  If an infected diskette is left in a clean
machine, and the machine turned off without removing the disk, the
next time the computer is turned on, the virus will become RAM-
resident as soon as the machine reads and executes the Boot sector of
the diskette in Drive A:, even though a "Non-System Disk or Disk
Error" is issued.  By the time the operator removes the infected
diskette and presses any key to continue booting, the virus has
already infected the hard disk.  It remains active in RAM, waiting for
the next diskette to be inserted.  From then on, every time the
computer is booted from the hard disk, the virus will become TSR and
continue infecting new diskettes.  A simple dir read of a diskette is
sufficient to infect it.

Noint does not infect files.  Like the Stoned, the virus moves a
diskette's original Boot Sector to Track 1, Sector 3 and writes itself
in the Boot Sector's place.  In the case of hard disks, it's the
Partition Table that gets displaced to Track 0, Sector 7; the virus
then writes itself into its place.

If an infected system is booted from a clean, non-infected system
diskette, however, the virus will not be active.  Files may then be
copied and disks accessed without fear of infection.  This is the
approach to use when cleaning up an infected system.

The virus checks diskettes to see whether they are already infected by
itself.  If so, it doesn't try to infect them again.
This feature has been used to develop an immunization program that
effectively fools the virus into thinking that the immunized diskette
is already infected, thus preventing infection.  The program is
included.  It will immunize fresh diskettes and clean up infected
ones, as long as the process is carried out on a clean system.  A
separate utility is provided to clean up infected hard disks.  This
utility has been tested on DOS systems only.  Read the accompanying
DOC files.  Additional work to allow cleaning up the virus in Novell
systems without lengthy reformatting and reinstallation needs to be
done.

No manipulation tasks (damaging or otherwise) have been detected.
However, since the virus stashes away the original Boot Sector of
infected diskettes to the end of the Directory table, some diskette
directory entries may be corrupted or overwritten.  This may give the
effect of displaying "unusual" filenames when a dir of the diskette is
listed.

There are two major differences between the action of the Stoned and
that of Noint:

Noint doesn't use any BIOS calls (INT calls) as such.  (thus:
"No-Int").  Instead, it calls Int 13 by its direct address to do all
reading/writing to disk.  Therefore, while the Noint virus will
probably work on most IBM-compatible machines, it may not be able to
run on all hardware.

The second difference between Noint and the Stoned is that Noint is a
furtive ("stealth") infector, while the Stoned is not.  It hides its
code on disk as long as it's present in memory.  Again, this is
accomplished by means of a direct JMP to Int 13 code, causing a
redirection.  If the Boot Sector/Partition Table are examined while
the Noint virus is in memory, the virus will not allow its code to be
visualized, and will redirect the Read and display instead the
original Boot Sector which it has stashed away.  This furtiveness
works on some machines but not on all.
A suitable search string for the Noint virus is:

- -------------
FF 2E 0C 01 00 53 51 52 56 57 06 BE 02 00 B8 01 02 B9 01 00
BB 00 02 0E 07 32 F6 9C 2E FF 1E 0C 01 73 0F 33

The above string contains an instance of bypassing a DOS Int call, as
well as part of the read-redirection routine, so it should be typical
of this virus and not cause false alarms.  This string should be found
in all Boot Sectors/Partition Tables of disks infected by it.  If
desired, either the upper or lower half only of the above string may
be used with fair reliability to detect the virus.

The string may be used with Norton Utilities, or with any of the virus
scanners that accept replaceable, user-provided search strings, such
as IBM's VIRSCAN.  The characters may need to be reformatted or
re-spaced to comply with the format requirements of each scanner.

- ------------------------------------------------------------------
This file and the attached utilities are provided as a public service
by:

CompuService Norwalk
P.O. Box 385
Norwalk, CT 06852
(203) 847-8992

May, 1991

------------------------------

Date:    Thu, 16 May 91 03:20:57 -0400
From:    MMCCUNE@sctnve.BITNET
Subject: RM_NOINT Virus Remover (PC)

[Ed. This program has been sent to the VIRUS-L/comp.virus archives.]

RMNOINT - removes the Noint Virus from Hard drives.
- ------
- -------------------------------------------------------------------
This program may be freely used by anyone.  If you find the program
useful, a donation of $5.00 in US funds is requested.  My mailing
address is:

Mike McCune
1100 S. Marietta Pky., Box 9007
Marietta, Ga. USA 30060
- --------------------------------------------------------------------

This program will remove a newly discovered partition infector.
First, cold boot (turn the machine off, then on) from a clean, write
protected diskette.
Then type

    rmvirus

You should see one of these messages:

RMVIRUS messages
- ----------------
Virus Removed    - The virus was found and removed from the partition
                   table of the hard disk.

Virus not found  - The hard disk is not infected or the virus is in
                   memory.

Virus can not    - Either the partition record is corrupted or you have
be removed         a new variation of the virus.

Read Error       - The program aborted because there was an error read-
                   ing the hard disk.  It could also be caused by the
                   Virus being in memory.

Write Error      - The program aborted because there was an error
                   writing to the hard disk.

- ------------------- Disclaimer -------------------------

When dealing with viruses, there is always a danger of losing programs
or data.  Thus, I offer no warranty on these programs.  They may be
freely distributed as long as they are not altered in any way.

I may be reached on the FidoNet Virus Echo, on the Ilink Virus and
RIME Data Protection Conferences, and on VIRUS-L.  I can also be
reached as MMCCUNE@SCTNVE (BitNet) or MMCCUNE@SCTNVE.PEACHNET.EDU
(InterNet.)

Mike McCune.

------------------------------

Date:    Thu, 16 May 91 03:22:34 -0400
From:    MMCCUNE@sctnve.BITNET
Subject: New INNOC (Version 5) (PC)

INNOC5 Boot-Virus Immunizer
- --------------------------
(c) Mike McCune 1991 - All rights reserved.
- ---------------------------------------------------------------------
If you find this program useful, please send $5.00 in US funds to:

Mike McCune
1100 S. Marietta Pky., Box 9007
Marietta, Ga. USA 30060
- ---------------------------------------------------------------------

Boot-Sector infectors are among the most prevalent of computer viruses
in the US.  Commercial programs that detect and clean out these
viruses do not confer any immunity, and the same diskettes can be
reinfected at a later date by the same virus.

INNOC5 is a general-purpose Boot virus immunizer for diskettes.
It will not only destroy Boot Sector infectors, but will `inoculate'
against some of the more common Boot viruses.

To use it, copy the program to the hard drive of a clean system,
insert the desired diskette in Drive A: and type:

    innoc

INNOC5 will immediately destroy any Boot infectors present on the
diskette and will simultaneously immunize it against the following
viruses:

    Ashar
    Azusa
    Brain
    Disk Killer
    Joshi
    NoInt (A new one discovered in early May 1991)
    Ping-Pong
    Stoned (Including the Swedish variant)

Diskettes immunized by INNOC5 will not be infected by any of the
viruses against which INNOC5 confers immunity.  Such diskettes will be
immune to infection from the viruses that cause most Boot infections
in the US.

The immunization is achieved by writing special code sequences into
the Boot Sector.  A side-effect of immunization is that immunized
diskettes can no longer be used as Booting disks.  Since most disks
are never used in that manner, this is not a major problem.  If you
should need to make a diskette bootable again, simply use DOS's
SYS.COM (SYS A:.).  This, however, will destroy the immunization
conferred by INNOC5.

INNOC5 issues the following messages:
- -----------------------------------
Read Error   | An error occurred while reading from the diskette.
             | Simply run the program again.  Usually a hardware/media
             | problem.

Write Error  | An error occurred writing to the diskette.  Same as
             | above.  Try again.

Diskette A:  | Any Boot Sector viruses have been disabled, and the
Innoculated  | diskette is now immunized against infection.

DISCLAIMER
----------
In order to avoid getting sued, I offer no warranty on this or any
other program.  I do appreciate suggestions, though.  I can be reached
on the ILink and FidoNet virus conferences.  I can also be reached on
the RelayNet DataProtect and Virus-L conferences.  My BitNet address
is MMCCUNE@SCTNVE and my InterNet address is MMCCUNE@SCTNVE.PEACHNET.EDU....
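[Ed. The Noint write-up above gives a 36-byte search string and notes that
scanners accepting user-supplied strings can use it, either whole or by
half. The following is an added example, not part of Mike McCune's
posting or his INNOC/RMNOINT utilities: a small Python scanner that
parses the string in the space-separated hex form given above and checks
each 512-byte sector of a raw disk image for a full or half-string match.
The three-sector image it scans is constructed here for illustration; the
sector offsets at which the pattern is planted are arbitrary assumptions,
not the virus's real layout.]

```python
"""Search raw disk/diskette images for the Noint boot-sector string.

Added example, not code from the posting or from the INNOC/RMNOINT
utilities.  The sample image below is constructed; offsets are assumed.
"""

# The search string exactly as given in the Noint write-up (36 bytes).
NOINT_STRING = (
    "FF 2E 0C 01 00 53 51 52 56 57 06 BE 02 00 B8 01 02 B9 01 00 "
    "BB 00 02 0E 07 32 F6 9C 2E FF 1E 0C 01 73 0F 33"
)

SECTOR = 512  # PC boot sectors and partition tables are one 512-byte sector


def parse_hex_string(text):
    """Convert a space-separated hex search string (scanner format) to bytes."""
    return bytes(int(token, 16) for token in text.split())


NOINT_SIG = parse_hex_string(NOINT_STRING)
HALF = len(NOINT_SIG) // 2
# The write-up says either half alone detects the virus "with fair
# reliability"; keep both halves as weaker, partial patterns.
NOINT_HALVES = {
    "upper half": NOINT_SIG[:HALF],
    "lower half": NOINT_SIG[HALF:],
}


def scan_sector(sector):
    """Report full and half-string matches in one sector, plus whether the
    sector ends in the 55 AA boot signature a real boot sector/MBR carries."""
    result = {"full": NOINT_SIG in sector, "partial": []}
    if not result["full"]:
        for name, pattern in NOINT_HALVES.items():
            if pattern in sector:
                result["partial"].append(name)
    result["boot_signature_ok"] = sector[SECTOR - 2:SECTOR] == b"\x55\xAA"
    return result


def scan_image(image):
    """Scan every whole sector of an image; return (sector number, findings)
    for each sector with a full or partial hit."""
    hits = []
    for n in range(len(image) // SECTOR):
        findings = scan_sector(image[n * SECTOR:(n + 1) * SECTOR])
        if findings["full"] or findings["partial"]:
            hits.append((n, findings))
    return hits


def make_sector(payload, offset):
    """Build a constructed 512-byte sector: zero-filled, payload at offset,
    55 AA signature at the end."""
    sector = bytearray(SECTOR)
    sector[offset:offset + len(payload)] = payload
    sector[SECTOR - 2:] = b"\x55\xAA"
    return bytes(sector)


# Constructed three-sector image: a clean DOS-style boot sector, a sector
# carrying the full Noint string, and one carrying only the lower half
# (the kind of hit the write-up says a half-string scan would still catch).
CLEAN = make_sector(b"\xEB\x3C\x90MSDOS5.0", 0)
INFECTED = make_sector(NOINT_SIG, 0x40)      # offset 0x40 is an assumption
VARIANT = make_sector(NOINT_HALVES["lower half"], 0x80)
IMAGE = CLEAN + INFECTED + VARIANT

if __name__ == "__main__":
    for sector_no, findings in scan_image(IMAGE):
        kind = "FULL" if findings["full"] else ", ".join(findings["partial"])
        print("sector %d: Noint string match (%s), boot signature %s"
              % (sector_no, kind,
                 "ok" if findings["boot_signature_ok"] else "missing"))
```

Run it from a clean boot and against sectors read while the virus is not
resident: the write-up explains that Noint redirects INT 13 reads of the
Boot Sector/Partition Table and hands back the stashed original, so a
string scan performed on an infected, running system can come up clean.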
------------------------------

Date:    Wed, 15 May 91 12:42:33 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Revised Product Test - - VIREX-PC, version 1.20 (PC)

cmcdonal@wsmr-emh03.army.mil (Chris McDonald ASQNC-TWS-R-SO) writes:

> part, even though they were under no obligation to do so.  In May 1991 I
> received Version 1.20 directly from Microcom.  This was a surprise since I
> expected to have to pay for any upgrade and because I had not subscribed to
> their annual update service.  A telephone conversation with a Microcom
> representative confirmed that the vendor had chosen to send out the upgrade
> to registered users free of charge.  I have no idea how long this will
> continue.

Coincidentally, today an update disk from Microcom fell through the
mail slot for me too.  The date on the postmark is May 8, 1991.

=============
Vancouver         p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for     Robert_Slade@mtsg.sfu.ca | computer, don't
Research into     (SUZY) INtegrity         | turn it on."
User              Canada V7K 2G6           |         Richards' 2nd Law
Security                                   |         of Data Security

------------------------------

Date:    Tue, 14 May 91 16:26:37 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Review of Eliminator (PC)

Comparison Review

Company and product:

International Computer Virus Institute
1257 Siskiyou Boulevard, Suite 179
Ashland, OR  97520  USA
503-488-3237
503-482-3284
BBS 503-488-2251

British Computer Virus Research Centre
12 Guildford Street, Brighton, East Sussex, BN1 3LS, England
Tel: 0273-26105
Joe Hirst

Eliminator/Virus Monitor/Virus Clean, version V1.17, Oct. 1990, Rel B,
also Virus Simulation Suite

Summary: Resident and manual virus scanning and disinfection, also
demonstration virus simulators.
Cost: range from $190 (single copy with updates) to volume $8.50/CPU (US)

Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
      Installation           2
      Ease of use            3
      Help systems           1
Compatibility                2
Company
      Stability
      Support
Documentation                3
Hardware required            4
Performance                  3
Availability
Local Support

General Description:

Virus Monitor is a resident scanning program which checks disks as
accessed, and programs when invoked.  Virus Clean is a manual scanner
and disinfector.  The programs are suitable for intermediate users in
the average computing environment.  The suite of virus characteristic
simulator programs are interesting, and may be useful in boosting
attention in virus awareness training.

                  Comparison of features and specifications

User Friendliness

Installation

The programs are shipped protected, but on a writable disk.  There is
no installation program, as installation consists merely of copying
the files to the system they are to be run on.  Virus Monitor (VM.COM)
is a resident checker, and the user is instructed to add it as the
first line in the AUTOEXEC.BAT file, but no direction is given as to
how this is to be done.

The package comes with a printed manual.  There is also a file on disk
(MANUAL.TXT) which is the same information in softcopy.  The disk
label directs the user to type "ICVI" to get information.  Doing this
presents a menu which offers to list onscreen or print out the manual
(as well as the documentation for the virus simulators.)  The
documentation is brief, but fairly clear aside from the lack of
installation instructions.  There is no discussion of dealing with
pre-existing infections.

Ease of use

The resident scanner, VM.COM, has no options and, the documentation
suggests, should be started at boot time.  When invoked, it will
examine memory for viral infections, and then go into the background.
(If any infection is found, the program will disable it.)  As disks
are accessed, VM will examine the boot sector, and will alert the user
to known virus code.
No other action is taken or suggested, the user is merely prompted to
"Press any key to continue."  If an infected program is called, the
program will alert the user and refuse to run the file.

The Virus Clean program (VC.COM) accepts command line switches to
check only boot sectors, check only files, check files with specific
extensions, check all files, list files checked, pause when the screen
has filled, output to a file, delete infected files or remove
infections.  The removal option has five sub-options, boot sector
only, .COM ONLY, .EXE only, all and none.  The default settings are
stated to be to check boot sectors, .COM and .EXE files, not to list
checked files and to remove only boot sector and .COM infections.
(This is suggested by the documentation because of the possible
overwriting of overlay portions of .EXE files.)  However, in testing
the program did not attempt any removal of infections.  When removal
is attempted on a write protected disk, the program will generate an
error message.

The virus simulator programs that come with the disk are amusing, and
can be useful in demonstrating to users the type of activities that
viral programs *may* demonstrate.  I have found that they stimulate
great interest in seminars, but must be used with caution so as not to
suggest that all viral programs demonstrate these, or similar,
characteristics.  (Joe Hirst is to be congratulated on the TSR
expertise that allows Cascade, Ping-Pong/Italian, Oropax and Yankee
Doodle to play simultaneously.  Note that attempts to run Cascade on
386 systems have not been successful.)

Help systems

None provided.

Compatibility

Given the old release date (as supplied), the program finds a
significant number of common viral programs.  Of interest is the fact
that the program checks for variation in known viral strains, and
alerts the user to keep a copy for forwarding to the distributor for
study.

Company Stability

Unknown.

Company Support

Unknown.
Documentation

The documentation is brief, in terms of program operation, but clear.
Over two thirds of the documentation is given to a description of the
operation of the viral programs that the program will detect.  This
section has about the same level of detail as that supplied with
FPROT, but with fewer viral programs listed.

Hardware Requirements

No special hardware required.

Performance

Although the program does not match the number of viral programs
detected by some others, the speed of operation ranks with the fastest
scanners tested.

Local Support

Unknown.

Support Requirements

Although the program is not very complicated, the lack of automated
installation, the lack of detail in the installation section of the
documentation, and the command line switches used by VC.COM suggest
that novice users will need some assistance.

copyright Robert M. Slade, 1991   PCELMNTR.RVW   910514

=============
Vancouver         p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for     Robert_Slade@mtsg.sfu.ca | computer, don't
Research into     (SUZY) INtegrity         | turn it on."
User              Canada V7K 2G6           |         Richards' 2nd Law
Security                                   |         of Data Security

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 84]
*****************************************