VIRUS-L Digest Thursday, 23 May 1991 Volume 4 : Issue 88 Today's Topics: PKZ120.EXE trojan? (PC) Unidentified virus? (PC) Stoned (Was: Re: Dead vs Live) (PC) Re: Detecting Spanish Telecom ?? (PC) Re: Into the 1990s SPANISH VIRUS Software Upgradable BIOS (PC) Re: Bug in VirusScan (PC) Virex-PC question for you re: The Shape of the World (PC) Re: Tequila virus (PC) Product Test, Flu_Shot+ (PC) New mailing list for Macintosh security discussion (Mac) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 22 May 91 08:50:00 +0100 From: Subject: PKZ120.EXE trojan? (PC) L.S., Rumors are going around here that versions of PKZ120.EXE (the self-extracting archive containing PKZIP & PKUNZIP version 1.20 with their accompanying other files) exist that contain a trojan or some virus. I have no more information. Can anybody give comments? Some time ago I downloaded a copy from TRICKLE (European shadow of SIMTEL20 more or less) and never observed any strange behavior, nor did virus-scanning reveal any problems. [Ed. As with the case of *all* unfounded rumors, I would like to urge everyone to NOT jump to any conclusions unless/until we have an accurate statement from someone of authority on this matter.] Sincerely, Pim Clotscher Erasmus University Rotterdam Computer Support Group ------------------------------ Date: 22 May 91 09:47:16 -1200 From: ACDL004@SAUPM00.BITNET Subject: Unidentified virus? (PC) Hi All: I am afraid I have got a virus. But SCAN77 does not identify it.. What happened to me is that the system syddenly reboots when I am working. I noticed this when I was drawing a plan in AUTOCAD. When I display the object with hidden lines removed ,It started rebooting.. Later I noticed that there were 3 hidden files created in the ACAD directory . Those files are some parts of MTE directory.. The file names were different and hidden and not the complete file but a small part of a file about 6k. This rebooting continued even when I was in Norton commander.. I turned the system off and on again.. There were No problem at the beginning.. But after 30 minutes( or so) It started rebooting as if the reset button is pressed.. And the same files were again created ( I erased those file before positively). So I thought that something wrong from the MTE and I erased the whole MTE Directory.. ( No BBS calls yesterday) I also chaned the AUTOCAD directory by erasing it and installing it again from a fresh DIFFERENT AUTOCAD software. Now I do not have that rebooting problem upto now . But the three hidden files are still created in ACAD directory with some contents from MTE software. Note that I do not have MTE in my Hard disk NOW. How do those files are created. Did anybody hvave such an experience before.. I dought that this is a VIRUS. But SCAN77 says NO. Can anyone give me a suggestion what to do... Thanks in Advance.... Nasir (ACDL004@SAUPM00.BITNET) ------------------------------ Date: 22 May 91 08:20:54 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Stoned (Was: Re: Dead vs Live) (PC) ccx020@cck.coventry.ac.uk (James Nash) writes: >How many times have you seen a student >put their disk in the PC then switch it on? I do it by mistake myself >sometimes. Whether the author was a great visionary(!) or got lucky >doesn't matter, he was the first(?) to use the technique. Not quite the first. According to the chronological list by Y. Radai, the first boot sector virus (Brain) was discovered in January '86, and Yale/Alameda in March '87 - both those viruses spread by the same method. Stoned and Ping-Pong were discovered later, in early '88. - -frisk ------------------------------ Date: 22 May 91 08:46:38 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Detecting Spanish Telecom ?? (PC) A.C.G.Saunders@newcastle.ac.uk (Aidan Saunders) writes: >Having checked the documentation of the F-PROT (1.14) & McAfee SCAN (v77) >packages, I don't find any reference to these. So: F-PROT 1.14 is a bit outdated - the current version (1.15A) will detect the virus without problems, as will 1.16 which will be released around June 1st. In the meantime, you can detect the virus on boot sectors, by adding the following line to SIGN.TXT 1.14 Telecom 1DuoWjeMGmqkUXUlq+wl5ajj5XOOM54Z06tFd8NGJAbqkOJjl9Rwj8DFTmdKy4W4BX Detecting infected program is a slightly larger problem - as the virus does not seem to be able to infect files. Don't misunderstand me, it is clearly intended to - but testing, as well as a study at Oxford where the virus has been spreading recently has only revealed spreding by boot sector infections. The following string can be used to detect the original .COM file I have, but it is not 100% certain to detect all instances of the virus - - I have heard of a different variant, but not yet received a sample. Telecom xyJnWmtj2mDuGkjAVFHRl0AeAK9nxtmS74gBbEAG8K9NJdMLZplgBhZEkK If you want hex patterns for some other program, the following patterns are the Virus Bulletin patterns: Telecom Boot: 8A 0E EC 00 BE 70 00 03 F1 8A 4C 02 8A 74 03 C3 Telecom Program1: 8B 1D B2 00 83 FB 00 74 18 BF 55 00 B2 Telecom Program2: 83 ED 09 BE 20 01 03 F5 FC B6 Regarding disinfection - F-DISINF 1.15A can remove the infection from boot sectors - This was thoroughly tested as I managed somehow to infect one of my own computers by accident with the virus. I have not yet added code to "clean" infected files, as I have not been able to generate them - if anyone has been able to get Spanish Telecom to infect files, I would very much like to hear about it. - -frisk Fridrik Skulason Technical Editor of the Virus Bulletin (UK) (author of F-PROT) E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 ------------------------------ Date: Wed, 22 May 91 13:12:00 +0300 From: Y. Radai Subject: Re: Into the 1990s Among Ross Greenberg's points in his reply last week to Padgett Peterson was the following: >You mentioned a few products and their methods, so its obvious that >this integrity checking *IS* being done (FLU_SHOT+ has had integrity >checking on program run for about three years, I guess). Now, is this >integrity checking being done *properly*? Interesting question and >one that only the marketplace can answer by what they select for their >purchase (or freeware usage). Sorry, but I just can't pass over that without comment. Whether integrity checking or any other software function is being done properly is not a question which can be settled by asking the marketplace. If it were, we could completely dispense with all the quality comparisons that are continually being made in the literature and simply quote sales figures. Because of many other factors such as marketing skill, luck, etc., the correlation coefficient between pro- duct quality and volume of sales, in computer software as in other products, may be closer to 0 than to 1, even if we consider only pro- ducts in the same price range. (Some cynics claim that this coeffi- cient is negative. I'm not sure that they're far off.) (No offense meant, Ross, but I'm sure it won't come as a surprise to you if I mention that in my opinion, a good example of poor product quality despite presumably good sales figures is the integrity-check- ing feature of FLU_SHOT+. But since I've discussed FSP enough in the past, I won't repeat my arguments unless someone asks.) >Resident integrity checking, and access control, is a worthy goal of >any of the anti-virus products. However, remember that it can and >*will* be circumvented the first time somebody boots off a floppy. That does not have to be true; details in a couple of weeks. Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ Date: 22 May 91 11:13:20 +0000 From: "Alan J Jones" Subject: SPANISH VIRUS A.J.Jones University of Manchester Has anyone got some information on this virus. It has been reported at Oxford University and it is bound to get here sometime. ------------------------------ Date: Wed, 22 May 91 13:55:21 -0400 From: Padgett Peterson Subject: Software Upgradable BIOS (PC) >From: "William Walker C60223 x4570" >I feel that the prominent anti-virus researchers (and some of us >others) ought to collectively rise up and protest the software- >upgradable BIOS before it gets any acceptance. As one who a few careers ago made a living designing digital control systems ("flew" some digitally controlled gas-turbine engines with 8080s at Tullahoma in the seventies - Hi Bill), there does not have to be a problem if the hardware designers do their job. A EEPROM requires a special signal on one lead to tell it to write. If that lead is under hardware control and accessable only with the case open and a special plug in place that disables everything except a "load & verify BIOS" program, risk can be minimal. The point is not to "protest" the concept, it sounds like a good idea, but demand adequate safeguards (dare I say "standards") for its use. ------------------------------ Date: Wed, 22 May 91 13:55:21 -0400 From: Padgett Peterson Subject: Re: Bug in VirusScan (PC) >From: mcafee@netcom.com (Aryeh Goretsky) > Since the Jerusalem (and sundry variants) infects overlays >in addition to .COM and .EXE files, it's always a good idea to run >SCAN (and CLEAN) with the /A option, or use the /E option and list the >extensions you would like to add. Have done some more checking & v74B-earlier operate correctly, 75, 77 (& I assume 76) are the ones that need the /A switch, something shared with CLEAN and NETSCAN. BTW, I tried using /E OVL and it still did not pick it up, only the /A (or, I would assume, an /EXT) seem reliable. What I tell people is when an infection is confirmed (the parent .EXEs are picked up just fine) or no other explination is reached, always use the /A switch & take a coffee break. Warmly, Padgett ------------------------------ Date: Wed, 22 May 91 16:55:57 From: microsoft!c-rossgr@uunet.uu.net Subject: Virex-PC question for you VIRX, Version 1.4, is available for download from my BBS (212-889-6438), as well as CIS and BIX -- those are places I personally uploaded some copies, so they are 100% safe. Additionally, I uploaded a copy directly to Keith's board and it should be available on SIMTEL-20 by now. Ross M. Greenberg Author, Virex-PC. ------------------------------ Date: Wed, 22 May 91 16:44:52 From: microsoft!c-rossgr@uunet.uu.net Subject: re: The Shape of the World (PC) >From: rebill02%ULKYVX.BITNET@jade.Berkeley.EDU (Russell E. Billings) >I'm curious, did you tell the ones [at the Trenton Computer Fest] >who had been hit by those three to >drop their hands, or did you ask that those who had *ONLY* been hit by >those three to drop their hands? A subtle difference, but an >important one, nonetheless. I had asked them to keep their hands up until all the viruses they had been hit with were accounted for. I believe that only one person in the audience had been hit with more than one virus. Ross ------------------------------ Date: Wed, 22 May 91 16:53:37 From: microsoft!c-rossgr@uunet.uu.net Subject: Re: Tequila virus (PC) >From: mrs@netcom.com (Morgan Schweers) > > *Chuckle* It's a variant of the Flip virus, actually. A bit of >psuedo-encryption code was added, and a bit of infection code was >removed, but otherwise it's mostly flip-like. Interesting phrase, "psuedo-encryption". What, exactly, does it mean? > Mr. McAfee gave me a scan string quickly after I handed it to >him, and it'll be in the upcoming release of Scan as well. (Clean, >of course, will remove it.) It's *VERY* rarely 'impossible' to find >a scan string for something. Sorry: I don't count "wild card" strings as a search pattern. There's too much chance for false positives. But, true, if you don't mind the occasional false positive, I guess you could state that a search string was available for Tequilaa. > Dave Chess mentioned to me that the Tequila displays a low resolution >Mandelbrot set upon activation. I haven't confirmed it, but I plan to. >(Anybody want GIF copies when I do? *chuckle*) Sorry, I'l wait for the sequel: Tequila Part II: The Resolution Improves! Ross ------------------------------ Date: Tue, 21 May 91 14:54:49 -0600 From: Chris McDonald ASQNC-TWS-R-SO Subject: Product Test, Flu_Shot+ (PC) [Ed. The following is the first part of Chris McDonald's product review of Flu_Shot+. The complete text to this review, along with the rest of Chris's (and Rob Slade's) reviews, is available for anonymous FTP on cert.sei.cmu.edu (IP # 128.237.253.5) in the pub/virus-l/docs/reviews directory.] ******************************************************************************* PT-27 May 1991 ******************************************************************************* 1. Product Description: Flu_Shot+ is a shareware program to assist a user in detecting "suspicious" activity which may be indicative of a malicious program. 2. Product Acquisition: Flu_Shot+ is available from Software Concepts Design, 594 Third Avenue, New York City, NY 10016. The cost for version 1.81 is $15.00 plus $4.00 handling charges. Site licenses are available. The program is available on the Internet to include the host simtel20 in the path: pd1: fsp_181.zip. The author of the program is Ross Greenberg, who is also associated with the commercial program Virex-PC (see PT-23, Revised May 1991). 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. 4. Product Test: a. I acquired version 1.5 in January 1989 from the simtel20 repository. Then the registration fee was $10.00 plus $4.00 handling. I registered my copy at that time and have continued to download revisions to the program through version 1.81 to look for any significant changes. At version 1.7 Mr. Greenberg indicated that future upgrades to Flu_Shot+ might end because he had entered into an agreement with a commercial firm to market the program's protection features with additional viral scanning and disinfection capabilities. The commercial firm is now Microcom Software Division which markets Virex-PC. While Mr. Greenberg actually sold Microcom Flu_Shot++, not Flu_Shot+, I was somewhat surprised when version 1.81 reached the repository in December 1990. This version came bundled with a demonstration copy of the viral scanning capability of Virex-PC. Subsequent electronic communications with Mr. Greenberg suggest that Microcom may view continued releases of Flu_Shot+ as a commonsense marketing strategy to migrate users to their commercial product. ... ------------------------------ Date: Tue, 21 May 91 23:30:00 -0400 From: kovar@eclectic.com Subject: New mailing list for Macintosh security discussion (Mac) I have established a mailing list for people interested in Macintosh security. This can be used to: * Discuss existing security problems in various Macintosh applications. * Discuss security applications, hardware, and solutions. * Discuss potential problems and their solutions. * Announcements of new Macintosh viruses and virus control software. (Discussion of viruses in depth should be carried out on virus specific mailing lists.) * Just about anything else related to Macintosh security and access control. With the arrival of System 7.0 and it's wealth of information sharing facilities, Macintosh security has entered a new era. Originally you only had to worry about someone getting into your Macintosh via the keyboard, or stealing it outright. Now it's much easier to browse through information on someone else's Macintosh over the network. If you're interested in joining the list, please send a message to: mac-security-request@eclectic.com Contributions to the list should go to: mac-security@eclectic.com At present, the list is unmoderated and will immediately distribute any incoming messages to the list. If conditions change, the list will change to a moderated list, a digest, or some other form. Also, we can look into making it a newsgroup at some point but I'd like to start it in this form and see what develops. Please redistribute this message, particularly to whoever maintains the list-of-lists since I can't figure out how to get onto that list, or even where it is. - -David C. Kovar Consultant ARPA: kovar@eclectic.com Eclectic Associates AppleLink: ECLECTIC Ma Bell: 617-643-3373 MacNET: DKovar "It is easier to get forgiveness than permission." ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 88] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253