VIRUS-L Digest   Wednesday, 26 Feb 1992    Volume 5 : Issue 44

Today's Topics:

Norton AntiVirus Michelangelo Edition (PC)
Another Michelangelo question... (PC)
Help Needed to Recover from the Stoned Virus (PC)
Information on FORM and Azusa sought (PC)
On reformatting floppies to remove infections (PC)
Re: Cinderella virus/ does VSHIELD work? (PC)
IBM PC Virus or Set Up Problem? (PC)
re: Surviving warm reboot (PC)
Michelangelo and 3.5" diskettes (PC)
DOS 5 FDISK /MBR (PC)
Re: F-prot and non-executable files (PC)
Re: Will re-formatting a floppy remove ALL viruses (PC)
Re: WP.EXE appended to, up front (PC)
Bootable floppies and FixFBR (PC)
MBDF Suspects Arrested (Mac)
Alleged MBDF virus-creators arrested at Cornell (Mac)
book recommendation????

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 24 Feb 92 16:24:44 -0500
From:    James Williams
Subject: Norton AntiVirus Michelangelo Edition (PC)

While I think that the Norton AntiVirus Michelangelo Edition is smart
business by Symantec, I thought the program was shoddy at best.  Why
does this program scan all exe and com files when Michelangelo is a
boot sector infector?
--------------------------------------------
| James Williams                           |
| Bitnet: JWW%ESS%NIAID@NIH3PLUS.BITNET    |
| Internet: JWW@ESS.NIAID.PC.NIAID.NIH.GOV |
| CompuServ: 70304,2462                    |
--------------------------------------------

------------------------------

Date:    24 Feb 92 18:25:30 -0400
From:    LARRY MATEO
Subject: Another Michelangelo question... (PC)

Actually, this is a question about viruses that infect the boot sector
of a hard drive.  If I boot a Novell network (version 2.x, 3.x) from
an infected disk, can the boot sector on the server become infected?
If so, what happens when the server is brought up?  Does the virus get
loaded into memory where it CANNOT infect floppies, or what?

Thanks again.

------------------------------

Date:    25 Feb 92 00:52:44 +0000
From:    ccicpg!mendip!jmp@uunet.uu.net (Jim M Paugh)
Subject: Help Needed to Recover from the Stoned Virus (PC)

I am attempting to help a friend, whose PC286 w/DOS 4.01 was struck by
the Stoned virus.  The system has a 40M IDE HD, which was the boot
disk.  After the virus struck, the HD was totally inaccessible.
Attempts to access the HD (after booting from a floppy) result in an
"invalid drive specification" message.

At this point, I have given up recovery, and am attempting to reformat
and reinstall the hard drive.  When I use the DOS 4.01 installation
disks (from Leading Technology, the manufacturer of the PC) I get an
error message about half way through, stating "an unrecoverable error
has occurred, enter F3 to exit", then the installation procedure
aborts.  I'm not exactly sure what the installation is doing when it
reports this error, but I believe it occurs when it attempts to format
the HD.  I then attempted to partition and format the HD myself.
The partitioning was successful (using fdisk), but then when I
attempted to format the HD, with the following:

	A> format c: /s

I get the message: "invalid drive specification"

I then ran the ROM diagnostics and was able to format the HD from
there, as well as successfully run some read/write verify tests.  But
I still get the same results mentioned above, when trying to install
DOS 4.01 or format the HD.

I heard something about problems with IDE drives, requiring a low
level format to recover from viral damage, something that has to be
done by the manufacturer of the drive, or at least something that is
difficult to do.  Does anyone know anything about this, or have some
information on low level formats for IDE drives??

Perhaps there is just an oversight on my part as far as installing DOS
on a HD, but when I originally installed this HD new, I just used the
4.01 installation disks, and they did everything for me, no problems.

As for the Stoned virus, we are pretty sure it was contracted from the
computers in the computer lab at Golden West Junior College.  A
diskette was used in the computers in the lab, and then brought home
to the PC in question.  My friend is taking a class on DOS to learn
about her new computer and how to use it, and is learning the HARD WAY
:(

When the virus struck, it left the following message on the monitor:
"you are stoned"

Any help will be greatly appreciated, as the PC is now dead in the
water, and my friend's paranoia of computers is now ten fold :-(

------------------------------

Date:    Tue, 25 Feb 92 12:44:56 +0100
From:    enda purcell
Subject: Information on FORM and Azusa sought (PC)

Could somebody out there tell me what the following viruses do?

	1) FORM
	2) AZUSA

Is Azusa the bastard son of the combination of FORM and STONED?

Our computer system has recently been attacked by the above three.
Help greatly appreciated!!!!

Enda Purcell..
------------------------------

Date:    Tue, 25 Feb 92 12:02:21 -0500
From:    James_Williams%ESS%NIAID@nih3plus.BITNET
Subject: On reformatting floppies to remove infections (PC)

I have seen a couple postings recently recommending using an
electro-magnet to erase infected floppies.  Wouldn't running Norton's
WIPEDISK from a clean PC work just as well?

--------------------------------------------
| James Williams                           |
| Bitnet: JWW%ESS%NIAID@NIH3PLUS.BITNET    |
| Internet: JWW@ESS.NIAID.PC.NIAID.NIH.GOV |
| CompuServ: 70304,2462                    |
--------------------------------------------

------------------------------

Date:    Tue, 25 Feb 92 17:38:05 +0000
From:    mathews@kong.gsfc.nasa.gov (Jason Mathews - 514)
Subject: Re: Cinderella virus/ does VSHIELD work? (PC)

tapio@nic.funet.fi (Tapio Keihänen) writes:

>>     I have recently had a very bad run in with Cinderella, losing
>>about 200 files.  I think i found my problem after a while, but i'm
>>still a bit paranoid.
>
>Interesting... This virus was found here in Finland on September 1st
>1991 and this is the very first time I've heard it has spread
>outside Finland.  On the other hand, this virus is becoming more and
>more common here in Finland - during past few weeks I've received
>reports only of it and Michelangelo.
>
>F-Prot from Fridrik Skulason removes Cinderella just OK.  BTW, did you
>see a file named CINDEREL.LA anywhere?  Cinderella should create such
>file after certain number of keys have been pressed.

I've examined the Cinderella virus, but I couldn't make it do this.
What's the contents of this file if any?  Is there a more clearly
defined triggering description to do this?

>If you have Cinderella resident in memory, it'll infect files when you
>execute or open them.  Cinderella has a kind of bug in it which causes
>it to infect files with 'wrong' extensions.
>The author of the virus
>has probably tried to make it infect .COM files only, but it will
>infect also files with .DOC and .CO extensions as well as some other
>extensions too.  Of course, virus can't spread via those non-executable
>files.

I've tried this and it will infect any file opened with the *.CO? file
pattern; e.g. TEST.COM, TEST.CO, TEST.CO_, etc.  However, I could not
infect any .DOC or any other such files.  Can anyone confirm or deny
this?  Can Cinderella infect files other than with a CO? extension?

There seems to be a problem with SCAN V85 and SCAN V86B because it
cannot detect Cinderella in memory, even with the "/M /CHKHI" options.
If you run SCAN while Cinderella is resident then every file that is
scanned will become infected.  McAfee's SCAN program, however, does
detect it in every infected file, but it should find it in memory.
Norton Anti-Virus detects Cindy at memory location 0024:000D.  CLEAN
cannot safely remove the virus from the infected files, but it offers
to delete them.  F-PROT V2.01D is able to detect and disinfect all
infected files successfully.

Jason

------------------------------

Date:    Tue, 25 Feb 92 15:15:51 -0500
From:    mds1@ihlpb.att.com (Marc D Sayre)
Subject: IBM PC Virus or Set Up Problem? (PC)

Does anyone know of a virus that would cause the following type of
problems?

The machine is a Zeos 386 SX portable with a 40 MB hard drive and
single floppy drive, 3.5 inch, 1.44 MB.  If the system is booted from
the hard drive any application or DOS command that tries to access the
floppy disk returns sector read errors.  After further investigation I
found that the applications and DOS think the drive is a 5.25 inch,
360K drive.

If the system is booted off of a DOS disk in the floppy drive the
applications have no problem reading or writing to the drive.  Further
investigation now shows that the application thinks the drive is a
3.5" 1.44 MB.  I have gone into the CMOS set up and the configuration
settings are for one 3.5inch 1.44MB drive.
It seems that something is resident on the hard drive or in the boot
memory which is corrupting the CMOS configuration.  I have seen this
problem on several other PC's I frequently use so I believe it is some
sort of virus.  It is not the disks, I have tried an assortment of
disks and they all are either readable on the machine or not.  I have
run the latest version of SCAN V8.5? virus checker and found nothing.

Does this sound like a known virus?  Does anyone have some other virus
checkers/cleaners I can run to verify this is or is not a virus?

HELP ANYONE???

Marc Sayre
AT&T Network Systems
att!ihlpb!mds1

------------------------------

Date:    25 Feb 92 15:30:28 -0500
From:    "David.M.Chess"
Subject: re: Surviving warm reboot (PC)

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>
>Sorry to disagree, Dave, but this is a pet peeve of mine, so I
>couldn't resist. :-)
>
>In short, no virus is able to survive the Alt-Ctrl-Del IN GENERAL.

An interesting argument (we can take it offline if you like; I'd claim
that there are viruses that can do it in virtually any configuration),
BUT not of interest to end users.  As far as the user is concerned
(and that includes even us expert-types when we're actually using
machines!) if there are -some- viruses that can -sometimes- survive a
three-key reboot, it's safest to assume that any virus might, and to
always do a poweroff reboot if it's important to have the machine in a
clean state.  It's just too easy to make a mistake otherwise!  So, to
present an alternative to your statement:

   In short, since some viruses ARE able to survive the Ctrl-Alt-Del
   sometimes, it's best to always poweroff reboot when it's important
   to have a clean boot.

DC

------------------------------

Date:    25 Feb 92 15:34:58 -0500
From:    "David.M.Chess"
Subject: Michelangelo and 3.5" diskettes (PC)

There have been a few posts talking about the Michelangelo and 3.5"
diskettes.
We just did some tests, and here are the findings:

- Because of some assumptions it makes about media types, it will
  generally not even try to infect a 720K 3.5" diskette (because it
  will try to save the original boot record to a sector 15, which will
  fail, and it will give up on infecting altogether).  (It's possible
  to produce a 3.5" 720K diskette that the virus *will* infect, but
  they are unlikely to exist in the real world, as the BPB has to lie
  about the disk format.)

- It will successfully infect a 1.4M 3.5" diskette, in the sense that
  it will put itself into the boot record, and stash away the original
  boot record, BUT such diskettes often cannot be read by DOS (because
  the virus doesn't preserve the BPB area).  Trying to read such a
  diskette will often produce critical "Abort, Retry, Ignore" style
  messages (depending on your exact configuration, DOS version, and
  what drivers are running the drive in question).  Trying to boot
  from such a diskette WILL cause the hard drive to become infected,
  but the boot will often fail (presumably because DOS can't read
  COMMAND.COM off the diskette).

So in general I wouldn't expect to see 720K 3.5" diskettes getting
infected, and I wouldn't expect an infected 1.4M 3.5" to go unnoticed
long in many environments.  (On the other hand, they CAN infect hard
disks, and there may be DOS versions that have no trouble reading
them, so people with 3.5" A: drives should -not- assume they don't
have to worry!).

DC

------------------------------

Date:    25 Feb 92 15:54:11 -0500
From:    barnold@watson.ibm.com
Subject: DOS 5 FDISK /MBR (PC)

I've seen comments that FDISK /MBR can clean up any master boot record
infector.  For the record, this is not strictly true.

- The Joshi virus (and other viruses I'm sure:), infect a second
  physical hard drive if it is present.  FDISK /MBR will only clean up
  the first physical hard drive.
  Some of the other undocumented FDISK options take a drive number as
  a (undocumented) parameter, but FDISK /MBR ignores this drive number
  parameter.  Since the system does not load and run the master boot
  record of the second hard drive, an incomplete cleanup using FDISK
  /MBR won't generally cause problems, but it could be a problem if
  the second hard drive becomes the first hard drive for some reason,
  for example if the drive cables were swapped, or the second hard
  drive moved to another machine, etc.

- FDISK /MBR will replace the code in the master boot record with the
  code in a DOS 5 master boot record.  This new master boot record
  will work on most systems, but (as A. Padgett Peterson has noted
  periodically) security or anti-virus software that replaces the
  master boot record may be adversely affected if the master boot
  record is replaced with generic master boot record code.  This
  problem may be why FDISK /MBR isn't documented.  Padgett's
  suggestion to use DOS 5 to check for the presence of security
  software is a very good idea.

Here's a reasonable procedure.  Please remember that it uses an
*unsupported*, *undocumented* option, and don't use this procedure if
you are using security software (or any other software (except for a
virus :)) that replaces the master boot record.  The procedure calls
for PC-DOS 5, but MS-DOS 5 should work as well.

o Power off the infected machine.
o Put the uninfected, write-protected PC-DOS 5 install diskette
  (diskette 1) into the A: drive.
o Power on the machine.
o When the machine has finished booting, press F3
o Press Y to get a DOS command prompt.
o If the PC-DOS 5 install diskettes are 5.25 inch diskettes (i.e. they
  are not 3.5 inch diskettes), then
  a. Remove the PC-DOS 5 install diskette (diskette 1)
  b. Insert the PC-DOS 5 diskette 2.
o Type DIR C:
  If the directory of the C: drive is *not* displayed, then *DO NOT*
  continue to the next step!  Use another disinfection procedure.
o Type FDISK /MBR
o Remove the diskette in the A: drive, and reboot the machine.
o Carefully scan the disk for viruses again.

Bill Arnold

------------------------------

Date:    Tue, 25 Feb 92 22:22:28 +0000
From:    tvv@robin.tsg.tandem.com (Tom VanVleck)
Subject: Re: F-prot and non-executable files (PC)

I disagree.  Viruses can live and propagate in text or non-executable
files.  (I hasten to add that no interesting examples exist.. yet.)

Every file is used as instructions to some program to do something.
.COM and .EXE files instruct COMMAND.COM to create a core image and
transfer control into them.  "text" files instruct TYPE etc to produce
characters on the screen.  Every file is interpreted by some
interpreter.

If the interpreter can be instructed to write files, you can write a
virus in its language; the HyperCard virus on the Mac is an example.

A second, more interesting case arises if the interpreter has any
escape that allows data to be passed to some other interpreter.  This
includes the case of bugs or errors in the interpreter.  The sendmail
bug exploited by the Internet Worm is of this class.  So are the
various function key reprogramming trojans.

Mac and PC applications that read structured data files can be tricked
into executing a trojan horse by an ill-formed input file.  Given
garbage input, word processors, picture displayers, and spreadsheets
sometimes crash by executing an illegal instruction.  I have seen MS
Word, Excel, MacPaint, MacDraw, and Digital Darkroom crash on bad
input files on the Mac; I am sure that PC examples abound.  A bad guy
could create an input file to MS Word (for example) that caused it to
overwrite an executable instruction and execute trojan code.

Can datafile trojan horses be prevented?  Not easily.  The immediate
cause of the problem is that applications use values from the data
file as lengths, indexes, or relative pointers without checking them
for reasonableness.
(All application manufacturers should change all their code to check
for bad references and not make them.)  Errors and bad references
caused by undefended programming allow trojan horses to gain a toehold
because the memory containing executable programs is writeable and has
the same kind of addresses as data memory.  (Operating systems should
protect the memory blocks containing executable code, including the
operating system, from modification.)

Can datafile trojan horses be detected?  Maybe.  Trojan code can be
found in any data, not just resource forks (Mac) or .COM and .EXE
files (PC).  (Virus scanners will have to scan all data, not just
executables.)  A given bit string may be noxious or not depending on
what application program interprets it.  The number of data formats,
interpreters for data formats, and bugs and variations in the
interpreters is too large for a virus scanner to know and keep up
with.  (False positives will be unpreventable.)

Tom Van Vleck

------------------------------

Date:    Tue, 25 Feb 92 21:38:32 +0000
From:    ampex!russest@decwrl.dec.com (Steve Russell)
Subject: Re: Will re-formatting a floppy remove ALL viruses (PC)

"frank@evax2.engr.arizona.edu"@Arizona.edu writes:

>Does anybody know if a bulk tape eraser would be practical for erasing
>floppies?  If so, it would be the ideal solution for quandaries like
>this one.

Use the video tape eraser from Radio Shack (about $30.00).  It will
wipe floppies, mag tape, audio cassette, and video cassette in about
30 seconds.  It won't put much of a dent in metal-oxide 8mm tape,
however.

-steve

------------------------------

Date:    Tue, 25 Feb 92 21:41:16 +0000
From:    ampex!russest@decwrl.dec.com (Steve Russell)
Subject: Re: WP.EXE appended to, up front (PC)

FRYSTD@ACAD.LVC.EDU (Michael Fry) writes:

>On Zenith XT hard drive:
>
>We found several files on a directory with WordPerfect 5.0 with size
>increases ranging from 380 to 3000+ bytes.
>
>When the contents of WP.EXE were inspected, the bodies of several text
>files (.BAT files from a different directory) were at the top of the
>file, with names and a few bytes of data between them.  The names
>were, like, "WP.BAT" in 6 characters, so not directory entries.
>Format looked a little like WP .SET file entries, but no open space
>(0's) between bodies of text.  The file started with the text of a
>.BAT file, not its name.  These were tightly packed (not caused by FAT
>shuffling).  Not sure if original WP.EXE is still in there, but
>suspect this strange data appended to the front of WP.EXE.  File size
>increased by 2101 bytes.
> ...

CHKDSK didn't report any problems???

-steve

------------------------------

Date:    Tue, 25 Feb 92 17:48:01 -0500
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Bootable floppies and FixFBR (PC)

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)

>padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:

>>This is the reason I do not bother in the FixFBR program to try to retrieve
>>the original boot sector.

>Please, note also that this will make an infected system diskette
>non-bootable, while disinfecting it with a virus-specific program
>might (in most, but not all) cases preserve bootability...

Vess is correct, however if you want the disk to be bootable, SYS A:
will also remove the virus from a floppy.  Since an adequate solution
existed for that case, I did not take the time to make my generic boot
record bootable, rather it displays a warning about booting from
floppies.  It is designed for non-bootable disks.

					Warmly,
						Padgett

ps don't forget, this is my hobby, not what I get paid for.
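An added example, written for this digest and not posted by Chess, Padgett or anyone else above, that turns Chess's Michelangelo findings and the floppy boot-record discussion into a defender's integrity check: it parses the FAT12 BPB of a 3.5" boot sector, flags a boot record whose BPB no longer describes a known format (the "DOS can't read the diskette" case), and asks whether the geometry even has a sector 15 on track 0 (the reason 720K disks are generally skipped). The three sample sectors are constructed here; the 720K and 1.44M geometry constants are the standard DOS values, and nothing below reproduces the virus's own layout.

```python
import struct

# Standard FAT12 BPB field layout at offsets 11..35 of a 512-byte boot sector.
BPB_FORMAT = "<HBHBHHBHHHII"
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_count", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads",
              "hidden_sectors", "total_sectors_32")

# Geometry of the two 3.5" formats discussed in Chess's tests (standard DOS values).
KNOWN_MEDIA = {
    "720K":  dict(total_sectors=1440, media_descriptor=0xF9, sectors_per_track=9,  heads=2),
    "1.44M": dict(total_sectors=2880, media_descriptor=0xF0, sectors_per_track=18, heads=2),
}

def parse_bpb(sector):
    """Unpack the BPB of a 512-byte boot sector into a dict of named fields."""
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 11)))

def identify_media(sector):
    """Return the KNOWN_MEDIA name whose geometry the BPB matches, or None."""
    bpb = parse_bpb(sector)
    for name, geometry in KNOWN_MEDIA.items():
        if all(bpb[field] == value for field, value in geometry.items()):
            return name
    return None

def check_boot_sector(sector):
    """List the problems to flag before trusting this boot sector.

    Empty list: 55AA signature present, a JMP as the first byte, and a BPB
    describing a known 3.5" format.  A boot record whose BPB area was not
    preserved fails the geometry check even though the sector still "boots".
    """
    problems = []
    if len(sector) != 512:
        return ["boot sector is not 512 bytes long"]
    if sector[510:512] != b"\x55\xAA":
        problems.append("missing 55AA boot signature")
    if sector[0] not in (0xEB, 0xE9):
        problems.append("first byte is not a JMP into boot code")
    bpb = parse_bpb(sector)
    if bpb["bytes_per_sector"] != 512 or bpb["fat_count"] not in (1, 2):
        problems.append("implausible bytes-per-sector or FAT count")
    if identify_media(sector) is None:
        problems.append("BPB geometry does not match a known 3.5\" format")
    return problems

def track0_has_sector(sector, sector_number):
    """Does physical sector N (1-based) exist on track 0 for this BPB's geometry?

    Sector 15 exists on an 18-sector 1.44M track but not on a 9-sector 720K
    track, which matches the behaviour Chess reports for the two media.
    """
    return 1 <= sector_number <= parse_bpb(sector)["sectors_per_track"]

def build_boot_sector(name, root_entries, sectors_per_fat):
    """Construct a minimal FAT12 boot sector for a KNOWN_MEDIA entry (sample data)."""
    g = KNOWN_MEDIA[name]
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"          # JMP over the BPB to boot code
    sector[3:11] = b"MSDOS5.0"             # OEM name
    struct.pack_into(BPB_FORMAT, sector, 11, 512, 1, 1, 2, root_entries,
                     g["total_sectors"], g["media_descriptor"], sectors_per_fat,
                     g["sectors_per_track"], g["heads"], 0, 0)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)

# Constructed samples: clean 720K, clean 1.44M, and a 1.44M sector whose 25 BPB
# bytes were zeroed to stand in for a boot record that did not keep the BPB.
CLEAN_720K = build_boot_sector("720K", 112, 3)
CLEAN_144M = build_boot_sector("1.44M", 224, 9)
CLOBBERED = CLEAN_144M[:11] + bytes(25) + CLEAN_144M[36:]

if __name__ == "__main__":
    for label, sec in (("720K", CLEAN_720K), ("1.44M", CLEAN_144M), ("clobbered", CLOBBERED)):
        print(label, identify_media(sec), check_boot_sector(sec) or "OK",
              "sector 15 on track 0:", track0_has_sector(sec, 15))
```

To run it against a real diskette, read the first 512 bytes of the raw device (or of a disk image) and pass them to check_boot_sector.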
------------------------------

Date:    Tue, 25 Feb 92 10:10:14 -0500
From:    mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: MBDF Suspects Arrested (Mac)

The Cornell Daily Sun reported in this morning's issue that two Cornell
University sophomores, David Blumenthal and Mark Pilgrim, were arrested
Monday evening and arraigned in Ithaca City Court on one count each of
second degree computer tampering, in connection with the release of
the MBDF virus that infected Macs worldwide over the last several
days.  The two are being held in Tompkins County Jail.  Further
charges are pending.

[Moderator's Note: See press release, below]

--
Mark H. Anbinder                         607-257-2070 - FAX 607-257-2657
BAKA Computers, Inc.                     QuickMail QM-QM 607-257-2614
200 Pleasant Grove Road                  mha@baka.ithaca.ny.us
Ithaca, NY 14850

------------------------------

Date:    Wed, 26 Feb 92 08:42:17 -0500
From:    Tom Coradeschi
Subject: Alleged MBDF virus-creators arrested at Cornell (Mac)

Forwarded from Info-Mac.

        tom coradeschi    <+>    tcora@pica.army.mil

----- Forwarded message # 1:

Date: Tue, 25 Feb 1992 11:47:32 PST
From: lipa@camis.stanford.edu (Bill Lipa)
Subject: Alleged MBDF virus-creators arrested at Cornell

"Computer Virus Traced to Cornell Students"
by Jeff Carmona
[The Cornell Daily Sun, 25 February 1992]

Two Cornell students were arrested yesterday for allegedly creating
and launching a computer virus that crippled computers around the
world, according to M. Stuart Lynn, the University's vice president
for information technologies.

David Blumenthal '94 and Mark Pilgrim '94 were arrested by Department
of Public Safety officers and arraigned in Ithaca City Court on one
count of second-degree computer tampering, a misdemeanor, Lynn said.

Both students were remanded to the Tompkins County Jail and remained
in custody early this morning.  They are being held on $2,000 cash or
$10,000 bail bond, officials said.

Cornell received national attention in Nov. 1988 when Robert T.
Morris Jr., a former graduate student, was accused of unleashing a
computer virus into thousands of government and university computers.
Morris, convicted under the 1986 Computer Fraud and Abuse Act, was
fined $10,000, given a three-year probation and ordered to do 400
hours of community service by a federal judge in Syracuse, according
to Linda Grace-Kobas, director of the Cornell News Service.

Lynn would not compare the severity of the current case with Morris',
saying that "each case is different."

Lynn said the virus, called "MBDFA" was put into three Macintosh games
-- Obnoxious Tetris, Tetriscycle and Ten Tile Puzzle.  On Feb. 14, the
games were launched from Cornell to a public archive at Stanford
University in Palo Alto, Calif, Lynn said.

From there, the virus spread to computers in Osaka, Japan and
elsewhere around the world when users connected to computer networks
via modems, he added.  It is not known how many computers the virus
has affected worldwide, he explained.

When computer users downloaded the infected games, the virus caused "a
modification of system software," Lynn said.  "This resulted in
unusual behavior and system crashes," he added.

Lynn said he was not aware of anyone at Cornell who reported finding
the virus on their computers.

The virus was traced to Cornell last Friday, authorities were quickly
notified and an investigation began, Lynn said.

"We absolutely deplore this kind of behavior," Lynn said.  "We will
pursue this matter to the fullest."

Armed with search warrants, Public Safety investigators removed more
than a dozen crates full of evidence from the students' residences in
Baker and Founders halls on West Campus.

Public Safety officials refused to disclose the contents of the crates
or issue any comment about the incident when contacted repeatedly by
phone last night.

"We believe this was dealt with very quickly and professionally," Lynn
said.

The suspects are scheduled to appear in Ithaca City Court at 1 p.m.
today and additional charges are pending, according to Grace-Kobas.
Because spreading a computer virus violates federal laws,
"conceivably, the FBI could be involved," she added.  Officials with
the FBI could not be reached to confirm or deny this.

Blumenthal and Pilgrim, both 19-year-olds, were current student
employees at Cornell Information Technologies (CIT), Lynn said.  He
would not say whether the students launched the virus from their
residence hall rooms or from a CIT office.

Henrik N. Dullea '61, vice president for University relations, said he
thinks "the act will immediately be associated with the University,"
not only with the individual students charged.  Because a major virus
originated from a Cornell student in the past, this latest incident
may again "bring a negative reaction to the entire institution,"
Dullea said.

"These are very selfish acts," Lynn said, referring to the intentional
distribution of computer viruses, because innocent people are harmed.
Lynn said he was unaware of the students' motive for initiating the
virus.

Lynn said CIT put out a notice yesterday to inform computer users
about the "very virulent" virus.  A virus-protection program, such as
the new version of Disinfectant, can usually cure computers, but it
may be necessary to "rebuild the hard drive" in some cases, he added.

A former roommate of Blumenthal said he was not surprised by news of
the arrest.  Computers were "more than a hobby" for Blumenthal, said
Glen Fuller '95, his roommate from last semester.  "He was in front of
the computer all day," Fuller said.

Blumenthal, who had a modem, would "play around with viruses because
they were a challenge to him," Fuller said.  He said that, to his
knowledge, Blumenthal had never released a virus before.

----- End of forwarded messages

------------------------------

Date:    Mon, 24 Feb 92 23:21:54 -0500
From:    JAC6@ns.cc.lehigh.edu (Joseph Costanzo)
Subject: book recommendation????
Hello all,

Put it like this: I know NOTHING about viruses, but would like to
learn simply what they're all about.  I don't want anything too
technical, nor do I want something that's written for pre-schoolers.
Any suggestions on some simple reading so I can understand what is
going on in this newsgroup?

Thanks in advance.

Joseph Costanzo
Lehigh University
JAC6@NS.CC.LEHIGH.EDU

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 44]
*****************************************