VIRUS-L Digest Wednesday, 26 Feb 1992 Volume 5 : Issue 43 Today's Topics: Re: Simple IBM PC virus (PC) Re: Stoned, Michaelangelo, Boot Sector ReLocation (PC) Re: V-Care Antivirus Expert System (PC) Re: Virus on CPAV (PC) Re: VirX 2.0 (PC) A quick Michelangelo question (PC) Re: Which Package is Best? (PC) Device Drivers, Enough with the AUX awreddy (PC) Re: F-Prot 2.02D/DOS 2.11 (PC) Joshi information, please (PC) Review of ViruSafe (PC) Revision to Product Test 41, VIRx, Version 2.0 (PC) Revised Product Test 23, Virex-PC, Version 2.1 (PC) Revision to Product Test 12, Virucide, Version 2.37 (PC) Revised Product Test 17, F-PROT, Version 2.02D (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 24 Feb 92 18:43:48 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Simple IBM PC virus (PC) brymastr@pepsi.eng.umd.edu writes: > I ran into this Virus which added 2K to .EXE files (but not .COM > files for some reason). Every time you executed the .EXE, 2K would be > added on. The virus was also resident in memory. Oh, in the 2K > segment would be the string "MsDos" which I used to find infected > files, but I'm not 100% sure I got rid of it entirely. Anyone heard > of this virus or something similar and know whether it might still be > lurking on my hard drive somewhere? Something "very similar" is the Jerusalem virus and its more than 94 different variants... :-) However, you probably have the main one. It is memory resident, infects files when you are executing them, append 1805 bytes to the COM files (yeah, they -do- get infected) and 1813 (plus up to 15 bytes for padding) to the EXE files. The latter are infected each time you execute them, since the virus does not mark them as already infected. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 24 Feb 92 18:50:10 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Stoned, Michaelangelo, Boot Sector ReLocation (PC) austin@tecnet1.jcte.jcs.mil writes: > The question I have concerns what appears to me to be conflicting > information from the two sources above. One source states that the > Stoned virus and the Michaelangelo virus both copy the original boot > sector information to the same location. The second source states > that the two viruses copy the original boot sector information to two > different locations. Am I reading this wrong? Which one is correct? > Could they both be right because they may be writing about two > different versions of the Stoned virus? Thank you for any insight > into my confusion. ---Randy Michelangelo and Stoned put the original boot sector at one and the same place on hard disks and on 360 Kb floppies. They put it on a different place on high-capacity floppies. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 24 Feb 92 19:08:10 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: V-Care Antivirus Expert System (PC) EATER@MICF.NIST.GOV (Chuck Eater) writes: > Does anyone have any experience/comments concerning the subject > antivirus software which is produced by NetZ Computing Ltd., Israel, > and marketed in the US by Sela Consultants Corporation? The product > claims to be a generic virus detector/disinfector. I have not been While I have not seen the product, I bet that is cannot disinfect "all future viruses", or even all the existing ones for that matter. However, there -is- a generic disinfector, which can remove all possible viruses, if it is applied before the infection takes place. It is shiped with every DOS disk. It is called BACKUP. :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 24 Feb 92 19:14:51 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Virus on CPAV (PC) AMELMN02@YSUB.YSU.EDU writes: > I was told that F-Prot was finding Flip on two files of CPAV. F-Prot > said it could not remove the virus, question who is right CPAV does > not find Flip on itself, but, F-Prot does... Should one believe > F-Prot over CPAV??? Ken, I got the impression that this is a FAQ too... [Moderator's note: Added to the FAQ file, thanks!] CPAV does not encrypt the scan strings is uses. Therefore, and program that scans for scan strings and uses the same scan strings as CPAV, will flag it as infected. In general: Every virus scanning program -MUST- encrypt the scan strings it uses. Furthermore, good anti-virus programs (like F-Prot) do not rely on just finding a signature somewhere in the file, but also require it to be at a specific place, otherwise they refuse to try to remove the virus. The even better anti-virus programs (like Dr. Solomon's Anti-Virus ToolKit) even perform a checksum on the non-variable parts of the virus, and refuse to remove the virus, if it is not identified exactly. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 24 Feb 92 19:19:48 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: VirX 2.0 (PC) jguo@cs.NYU.EDU (Jun Guo) writes: > I downloaded virx20.zip. The $toc file didn't match the zip file. > Size, time stamp, CRC are all ok, but the compressed size are > different. Apparently the zip file was repacked using a different > zipper than the one generated $toc. Can someone upload an original Right, according to the text in the $TOC file, the original has been created with PKZIP 1.01 (Ross, aren't you going to update your archiver?). Probably someone re-packaged it with PKZIP 1.10, since version 1.01 is buggy and sometimes causes CRC errors to appear in the archives. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 24 Feb 92 14:22:08 -0400 >From: LARRY MATEO Subject: A quick Michelangelo question (PC) >From information I've read about the Michelangelo virus, it seems that the virus can be spread from an infected floppy diskette to a hard drive only by attempting to boot from the floppy. A recent article in a local newspaper sta ted that the virus can be spread from a floppy diskette to a hard drive simply by doing a DOS dir of the floppy disk. I think this is an incorrect statement. Can someone substantiate it for me? Thanks again for all the help. ------------------------------ Date: 24 Feb 92 19:27:23 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Which Package is Best? (PC) 72571.3352@CompuServe.COM (Wolfgang Stiller) writes: > Considering the rapid appearance and spread of new viruses scanning is > becoming increasingly dangerous to depend upon. Yet, this is the core > technology that the leading anti-virals depend upon for their > effectiveness. In fact, there is one reason that even a good checksumming program needs a pretty up-to-date scanner. How else are you going to make sure that the system you are installing the checksums on is virus-free? (OK, I know that you know that; it was aimed mainly at the other readers.) > >If you decide to consider checksumming products, probably the > >Untouchable is the currently most secure one. However, have in mind > >that its other capabilities (scanning and disinfection) are quite > >miserable... And, at last, if you want a shareware checksummer (which > >is not as secure as the commercial one, however), take a look at the > >Integrity Master. > Thank you for mentioning my product but I am appalled that you > consider Integrity Master(tm) less secure than Untouchable. If you I got this impression the last time I dicussed this with you. I'll send you a more specific question about the security in private mail. > come to this conclusion based on anufacturer's claims or perhaps the > tremendous price difference in our two products, I can understand No. It was based on the fact that (sometimes in the past) I asked you whether it is able to detect a particular kind of attack. As far as I recall, you answered that you have not been aware of the possibility of this attack. My apologies if it wasn't you :-) or if you have fixed the problem. > customers who use both this product and Integrity Master. They report > that Integrity Master is more thorough and faster than Untouchable. I never objected speed. I objected security. > It apparently detects more known viruses with its scanner component Yeah, I clearly mentioned that the Untouchable's scanner has a miserable detection rate. Something around 50 %. And nowdays anything that has a detection rate below 90 % is considered not worth to use. > master more secure. If this involves sensitive information feel free > to continue this via private mail. BTW, the latest version of Will do. > Integrity Master is 1.11. It should be at most distribution points > shortly if it's not there already. The latest thing I have seen is definitively older. 1.02b or something like that. Hope the security problem has been already fixed. Otherwise I agree that your integrity checker is one of the best available - as Frisk's F-Prot is one of the best scanner/removers... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Mon, 24 Feb 92 14:42:44 -0500 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Device Drivers, Enough with the AUX awreddy (PC) [Moderator's note: This is a re-posting of Padgett's earlier posting.] >From: KARGRA@GBA930.ZAMG.AC.AT >Subject: auxfiles (PC) Ok folks, this has gone far enough to be confusing so lets sort it out once and for all. MS-DOS provides the capability for device drivers to intercept character based transfers to themselves as if they were files. One of the effects of this is the ability to "pipe" the output from various sources. For example "dir >dir.lst" will redirect the output from a directory listing to a file called "dir.lst". In the same way "dir >prn" will redirect the output to the printer. Most can also be used bi-directionally as the classic "copy con autoexec.bat" demonstrates. In DOS there are many such character devices that can look to DOS like files: CON, PRN, AUX, CLOCK$, LPT1, LPT2, NUL, COM1 et al (installed as part of IO.SYS). Memory managers often are installed in the same way e.g. SMARTAAR & EMMXXXX0. Additionally, at least one anti-viral product (Enigma-Logic's Virus-Safe - also one of the few that can be installed from CONFIG.SYS) uses this to return validation that it is installed ("type swvsvers" will return the logo if installed, fail if not). The "DIR" command supplied with DOS is smart enough to be able to separate a real file from a device driver but many other programs are not - note that the intercept only occurs if the explicit name is used - - CON or CLOCK$ will work, C* will not. This happens because the device driver is doing the interception, not DOS, and it only reacts to an explicit name, not wild cards. Consequently, those programs that follow DOS rules or use the DOS "dir" mechanism (DDIR - Double Dir is one) will not pick up device drivers. Those that do not (e.g. SDIR - Sorted Dir) will display the driver. Evidently, Norton's FF is one of this, as will probably be any program which does not look for attribute bits. Since these programs simply use DOS rules to change directory and then look for the file, AUX, CON, or NUL for that matter will be found in every directory and will probably report the current time and date. Hopefully, this will answer the question. Warmly, Padgett ------------------------------ Date: 24 Feb 92 20:08:56 +0000 >From: sigurd@chopin.udel.edu (Sigurd Andersen) Subject: Re: F-Prot 2.02D/DOS 2.11 (PC) LZM@UVMVM.BITNET (Lynne Meeks) writes: : We're having some trouble getting F-Prot (2.02D) to run successfully : with AT&T DOS 2.11 ... : : What happens is we run F-Prot and get the message: : '*.TX0 not found' : then we get the DOS prompt : : The English.TX0 file IS there; the same F-prot disk works fine on : the same machine with 3.2 or 3.3 DOS. : ... : Anyone else with old DOS experiencing this? ... I had similar problems last week trying to run F-Prot 2.02D on an old Zenith MS-DOS computer. I think it, too, was running DOS 2.11. I first tried unsuccessfully to boot from a diskette with DOS 5.0 on it. I formatted a diskette (/S) using the DOS on the hard disk, went to another machine, tested for infection and found none (two other PCs in that office had been infected with Stoned), then transferred F-Prot to the just-formatted diskette. It booted OK, but when I attempted to run F-Prot, I got the same message as above, "*.TX0 not found". I have not had a chance yet to try an intermediate version of DOS. - -- Sigurd Andersen Internet: sigurd@brahms.udel.edu CNS User Services Bitnet: ACS20833@UDELVM 115 Newark Hall Phone: (302) 831-1992 Univ. of Delaware fax: (302) 831-4205 Newark, DE 19716 ------------------------------ Date: Mon, 24 Feb 92 15:09:57 -0600 >From: UD156844@VM1.NoDak.EDU Subject: Joshi information, please (PC) Greetings! I've just been infected by my first virus, it turns out to be Joshi. It seems to only infect 3.5" diskettes, I used F-prot 2.02 and the newest version of Scanv86 to detect it. F-prot described Joshi as the SBC virus, anyone know what that is? My question to everyone is what does Joshi do? I would even appreciate an FTP site which contains virus documention. My second question is how do I remove this virus? F-prot said it could not remove the virus, but I did rename the file. I cannot use my cleanv85 because the floppy turned out to be an infected. Help please! roberto alvarez university of north dakota ------------------------------ Date: Sat, 25 Jan 92 00:31:05 -0800 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Review of ViruSafe (PC) [Moderator's note: I'm finally trying to get through a big backlog of product reviews. This review and the others in this digest are available by anonymous FTP on cert.sei.cmu.edu (192.88.209.5) in the pub/virus-l/docs/reviews/pc directory. Please refer to the archive for up to date reviews.] PCVIRSAF.RVW 920124 Comparison Review Company and product: EliaShim Microcomputers 520 W. Hwy. 436, #1180-30 Altamonte Springs, Florida USA 407-682-1587 fax: 407-869-1409 VirusSafe 4.01LAN Summary: TSR and manual scanner, change detection, operation restriction, utilities Cost Rating (1-4, 1 = poor, 4 = very good) "Friendliness" Installation 2 Ease of use 3 Help systems 1 Compatibility 1 Company Stability 2 Support ? Documentation 2 Hardware required 2 Performance 2 Availability ? Local Support ? General Description: Menu or command line driven resident and non-resident scanner and change detection software. Operation restricting features remain untested. Comparison of features and specifications User Friendliness Installation The program is shipped on one write protected 5 1/4" disk. The program can be run off the disk, or installed on the hard disk through an installation program. Ease of use The menu interface is generally straightforward and simple. There are some exceptions; in particular the list of viri that can be dealt with. The screen format, and cursor movement keys, of the list and the resulting information do not match. However, it is helpful to have this feature onscreen. Help systems Limited. Compatibility Additional virus signatures can be added in an external text file. The format for the signatures is given in the READ.ME text on disk, and is not difficult to figure out. However, the format is not compatible with the fairly widely used IBM VIRSCAN format. Also, a maximum of 64 signatures can be added in this way. Program testing on machines fitting the hardware requirements occasionally failed. Company Stability Unknown. Company Support Unknown. The package, as received from the manufacturer, was somewhat mislabelled as to the contents and version of the program. Documentation The documentation is quite brief. The first page basically states that the program can be run without reading the documentation, and the remainder, while clear, is quite terse and seems to be designed for the more advanced user. Much of the documentation is a description of how the menuing system and command line switches work. No specifics are given as to how functions (such as "revealing the presence of" unknown viral programs in memory) are accomplished. A very helpful feature is a "latest information" button on the menu interface which presents the disk READ.ME file. Thus the latest program info, helpful hints and the hardcopy errata can be browsed onscreen. Hardware Requirements At least two disk drives, one of which must be a floppy, 512K memory and DOS 3.0 or higher. Performance It is gratifying to note the importance that EliaShim gives to boot sector viri. The package contains provisions to save and restore the boot sector and partition records for the hard disk. Testing of this program was very problematic. The program would not run properly on the primary testing machine (a NEC Multispeed). The system locked up, repeatedly on most attempts to invoke any of the programs in the package, including the installation and menuing program. Testing of the programs is not as complete as I would prefer. However, it can be said that the claims made for this package exceed performance. The package is able to detect known viral programs, and can deal with most effectively. Performance with viral programs not known to the authors/program indicates that these viri are able to bypass protections. Local Support Not provided. Support Requirements Users at any level should be able to run the program without assistance. General Notes The package has a multilayered approach to virus detection and prevention. It should be suitable for most users in situations of normal risk. While the package would effectively deal with the bulk of infections one would normally encounter, some of its claims would appear to be overrated. Nevertheless, its use would significantly reduce risk of infection. copyright Robert M. Slade, 1992 PCVIRSAF.RVW 920124 ============== Vancouver p1@arkham.wimsey.bc.ca | "A ship in a harbour Institute for Robert_Slade@sfu.ca | is safe, but that is Research into CyberStore Dpac 85301030 | not what ships are User rslade@cue.bc.ca | built for." Security Canada V7K 2G6 | John Parks ------------------------------ Date: Tue, 18 Feb 92 11:41:30 -0700 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Revision to Product Test 41, VIRx, Version 2.0 (PC) ******************************************************************************* PT-41 July 1991 Revised February 1992 ******************************************************************************* 1. Product Description: VIRx is a copyrighted program written by Ross M. Greenberg to detect computer viruses and malicious programs. VIRx is the detection portion (VPCScan) of the commercial protection program Virex-PC (reference PT-23, revised February 1992). This product test addresses version 2.0, 7 February 1992. 2. Product Acquisition: The program is freely distributed by Microcom Systems, Inc., with special instructions for business and corporate users. These users have only a 30 day license for product evaluation, after which they must contact Microcom for site license authorization. THIS MAJOR LICENSING CHANGE OCCURRED AT VERSON 1.9. Microcom has made VIRx available on many bulletin boards and software repositories, to include the MS-DOS repository on simtel20 [192.88.110.20]. The current path on simtel20 is pd1:virx20.zip. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. [Moderator's note: Available in its entirety via anonymous FTP on cert.sei.cmu.edu (192.88.209.5) in pub/virus-l/docs/reviews/pc.] ------------------------------ Date: Wed, 19 Feb 92 08:25:53 -0700 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Revised Product Test 23, Virex-PC, Version 2.1 (PC) ******************************************************************************* PT-23 March 1991 Revised February 1992 ******************************************************************************* 1. Product Description: Virex-PC is a software package to detect, disinfect and prevent computer viruses and malicious programs for the MS-DOS environment. This product test addresses version 2.1. 2. Product Acquisition: Virex-PC is available from Microcom Software Division, P.O. Box 51489, Durham, NC 27717. The telephone number is 919-490- 1277. The price is $99.00. Site licenses are available. There are several third party vendors who sell single copies at a significantly reduced cost. Registered users receive discounts on product upgrades. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. [Moderator's note: Available in its entirety via anonymous FTP on cert.sei.cmu.edu (192.88.209.5) in pub/virus-l/docs/reviews/pc.] ------------------------------ Date: Tue, 18 Feb 92 12:29:19 -0700 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Revision to Product Test 12, Virucide, Version 2.37 (PC) ******************************************************************************* PT-12 June 1990 Revised February 1992 ******************************************************************************* 1. Product Description: VIRUCIDE is a commercial anti-virus program to detect and to repair known computer viruses for the MS-DOS computer environment. The report addresses version 2.37, released 29 January 1992. 2. Product Acquisition: The product is available from Parsons Technology, Inc. The address is Parsons Technology, Inc., One Parsons Drive, Hiawatha, IA 52233. The company has a toll free number for orders, 1-800-223-6925. The cost of a single copy, as of 28 October 1991, was $49.00. Each of five program upgrades has been $15.00 which includes shipping and handling. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. [Moderator's note: Available in its entirety via anonymous FTP on cert.sei.cmu.edu (192.88.209.5) in pub/virus-l/docs/reviews/pc.] ------------------------------ Date: Thu, 20 Feb 92 10:26:56 -0700 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Revised Product Test 17, F-PROT, Version 2.02D (PC) ******************************************************************************* PT-17 August 1990 Revised February 1992 ******************************************************************************* 1. Product Description: F-PROT is a program designed to provide malicious program detection, disinfection, and protection. This product test addresses version 2.02D, 7 February 1992. 2. Product Acquisition: F-PROT is a shareware program distributed by Fridrik Skulason, Box 7180, IS-127 Reykjavik, Iceland. Mr. Skulason has posted F-PROT on a number of Internet sites. The program is on the USAISC-White Sands host simtel20. With version 1.14 the program became free if a user utilizes it on a single personally-owned computer. There is a registration fee for commercial and government users. Site licenses are available as well as discounts for multiple copy registrations. The path on simtel20 [192.88.110. 20] for anonymous ftp downloading is: pd1:. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. [Moderator's note: Available in its entirety via anonymous FTP on cert.sei.cmu.edu (192.88.209.5) in pub/virus-l/docs/reviews/pc.] ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 43] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253