VIRUS-L Digest Monday, 2 Mar 1992 Volume 5 : Issue 50 Today's Topics: New Virus? (PC) Re: Possible virus? (PC) More on SCAN87 (albeit belatedly) (PC) Re: Surviving warm reboot (PC) "2,400" PC infected with Michelangelo virus (PC) Re: Will re-formatting a floppy remove ALL viruses (PC) What does the Tequilla virus do? (PC) Virus protection in OS? (PC) Re: Will Write Protection Prevent Virus Infection? (PC) Re: F-Prot 2.02D/DOS 2.11 (PC) RE: F-PROT on DOS 2.xx (PC) re: A quick Michelangelo question (PC) Michelangelo Confused w/Joshi (PC) joshirep.doc/ps on risc (PC) about Michelangelo (PC) Re: Preventing virus infection by disabling the hard disk (PC) Alamo Virus? (PC) Re: Disinfectant 2.6 (Mac) Viruses in general New files on risc.ua.edu (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 28 Feb 92 21:34:21 -0700 >From: S0BQ6@starburst.uscolo.edu Subject: New Virus? (PC) I have recently encountered a virus wich seems to only infect .com files and add 322 bytes to infected files. I have not (as of yet) had a chance to s study this "new" virus. Infected .com files contain the text "The Troi Virus". This virus escapres detection from both scan85 (I do not have the newest version) and F-prot202d. While running the heuristics scan from f-prot I get the warning that "it is most likely virus infected" on a purposefully infected file. I have "watched" this virus attempt any new .com file being executed to be infected once it is memory resident. I have sent a copy to one expert allready -- I have no idea of the others locations to send virii to. Stephen Zamarripa Thanks to Integrity Master for early detection :) ------------------------------ Date: Sat, 29 Feb 92 06:29:22 +0000 >From: rslade@sfu.ca (Robert Slade) Subject: Re: Possible virus? (PC) VM@CSPGIG11.BITNET (Vera Marvanova) writes: >caused by a virus? In two computers (386-SX AND 386 - 33) after some >time of operation suddently all look like CAPS LOCK would be touched. >All letters changes to upper case. After "SHIFT" all is O.K., but Actually, this is extremely common behaviour in MS-DOS machines in general. I have often had machines that would suddenly behave as if all the keys were "shift"ed, "ctrl"ed or "alt"ed. Some could be recovered, and some couldn't (at least I never found a way to do it.) None were virally infected. ============== Vancouver | "Don't buy a Institute for Robert_Slade@sfu.ca | computer." Research into rslade@cue.bc.ca | Jeff Richards' User CyberStore Dpac 85301030 | First Law of Security Canada V7K 2G6 | Data Security ------------------------------ Date: Sat, 29 Feb 92 07:26:01 +0000 >From: rslade@sfu.ca (Robert Slade) Subject: More on SCAN87 (albeit belatedly) (PC) A trojan horse that pretends to be the latest version of McAfee's SCAN program has been seen locally. So far all versions have had -AV codes, although none have been reported with the McAfee license number (NWN405). The "parent" file is titled "CLEANV87.ZIP", and contains most of the files from the normal SCAN package, including file called SCAN.EXE. (SCAN.EXE is normally distributed in an archive named SCANVxx.ZIP, while the associated CLEANUP program is generally shipped in an archive named CLEANxx.ZIP.) The SCAN.EXE file is slightly shorter, 65,765 bytes, than SCAN version 86B. The SCAN87.DOC file contains validation codes which match those for the trojan. The program initially runs similarly to the normal SCAN program, identifying itself as SCAN8.5A87. It finds no viri in memory or on disk, and then says it will write REPORT.SCN. At this point, if the system does not have a hard disk, the program crashes with "Runtime error 105 at 0000:2725". If the system does have a hard disk, the program will display a message about the Illuminati and will then erase, and "zero out", all files on the disk. Directory structure is left intact. There is one report that the REPORT.SCN file contains a message to the sysop of the Gallows Howe BBS, referring to the BBS number in the West Point Grey area of Vancouver, with reference to a voice number in Richmond. ====================== Vancouver Institute for Research into User Security, Canada V7K 2G6 Robert_Slade@sfu.ca rslade@cue.bc.ca Fidonet 1:153/733 CyberStore p1 (Datapac [3020] 8350 1030) 604-526-3676 "If you do buy a computer, don't turn it on." - Richards' 2nd Law of Security ------------------------------ Date: Sat, 29 Feb 92 03:10:27 +0000 >From: ampex!russest@decwrl.dec.com (Steve Russell) Subject: Re: Surviving warm reboot (PC) CHESS@YKTVMV.BITNET (David.M.Chess) writes: >>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) >> >>In short, no virus is able to survive the Alt-Ctrl-Del IN GENERAL. > >An interesting argument (we can take it offline if you like; I'd claim >that there are viruses that can do it in virtually any configuration), >BUT not of interest to end users. As far as the user is concerned >(and that includes even us expert-types when we're actually using >machines!) if there are -some- viruses that can -sometimes- survive a >three-key reboot, it's safest to assume that any virus might, and to >always do a poweroff reboot if it's important to have the machine in a >clean state. It's just too easy to make a mistake otherwise! So, to >present an alternative to your statement: > > In short, since some viruses ARE able to survive the Ctrl-Alt-Del > sometimes, it's best to always poweroff reboot when it's important > to have a clean boot. Running multiple configurations of memory management and network/non-network set ups, I've had any number of occasions where something was left hanging in memory which wasn't cleared up by a warm boot - either c-a-d or one of the software types. - -steve ------------------------------ Date: Sat, 29 Feb 92 10:46:00 -0500 >From: "David Bridge" Subject: "2,400" PC infected with Michelangelo virus (PC) News item in The Washington Post, Sat. Feb. 29, 1992, Page B1. "The Michelangelo computer virus has infected roughly 80 percent of the 3,000 personal computers at the New Jersey Institute of Technology. Computer specialists at the Newark Campus have launched an emergency effort to test each machine and remove the virus before it can activate and destroy stored data on March 6, the Italian Renaissance artist's birthday." If the above facts are accurate, I think this might be of the largest (ca. 2,400) Michelangelo virus infections recorded so far. David Bridge Smithsonian Institution ------------------------------ Date: Sat, 29 Feb 92 18:37:02 +0000 >From: cpbeaure@descartes.waterloo.edu (Chris Beauregard) Subject: Re: Will re-formatting a floppy remove ALL viruses (PC) ZMUDZINSKIT@imo-uvax.dca.mil (zmudzinski, thomas) writes: > I've noticed various folks talking about bulk magnetic erasers, and >they're fine if you happen to have one handy. But I picked up a floppy >zapper at a trade show that's the cheapest one around (free, that is): >it's just a refrigerator magnet (one of those thick, flexible jobbies). >One slow scrub up & down, then left & right, and presto! Those annoying >little magnetic particles have been thoroughly confused. The key here A little caution with this is in order however. Someone told me about attemting to wipe a disk with a magnet. The final results was a 3.5" disk whose metal cover could lift a pen. While it would undoubtably erradicate any evil code on the disk, it would also do wonders to the drive head of the system in question... - -------------------------------------------+--------------------------------- Chris Beauregard | Live, free(), cpbeaure@descartes.waterloo.edu | and exit(0). "If you can't beat 'em, take 'em with ya!" | - Me ------------------------------ Date: 01 Mar 92 00:10:17 +0000 >From: fredrick@acd.ucar.edu (Timothy Fredrick) Subject: What does the Tequilla virus do? (PC) We found several PC's that were infected with the Tequilla virus [Teq] using McAfree's scan 86b program. We were able to use clean to remove the viruses from the infected hard disks, although it destroyed the boot sector and we needed to restore it with Norton's Disk Doctor. Does anyone have any experiences or comments about the Tequilla virus? Does it have a trigger date? How does it spread? Are there any machines or operating systems that are "immune"? How long has the virus been around? Is it a particular problem in Belgium or has it been more prevalent here? Any information would be appreciated. I guess the publicity over the Michelangelo virus is helping us to ferret out the other ones. Thanks in advance. Tim Fredrick (fredrick@ncar.ucar.edu) Ntl Center for Atmospheric Research, Boulder, CO 80307-3000 ------------------------------ Date: Sat, 29 Feb 92 14:57:38 -0500 >From: "Mark W. Schumann" Subject: Virus protection in OS? (PC) padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes: > Incidently it takes a whole 10 (decimal, not hex) generic bytes at > BIOS time to detect every MBR infector I have seen thusfar (including > Brain, Yale, Evil Empire, Stoned, Joshi, Michelangelo, and all their > cousins). "Stealth" just makes it easier. When are the O/S > manfacturers going to wake up ? Is it practical to include virus protection in an operating system? - -- Mark W. Schumann/3111 Mapledale Avenue/Cleveland, Ohio 44109-2447 USA Bang: ...!ncoast!nshore!wariat!whizbang!mark (WAY off the Internet..) Domain: mark@whizbang.ncoast.org CIS: 73750,3527 "Aren't you glad you didn't marry someone dumber than you?" --my wife ------------------------------ Date: Sun, 01 Mar 92 11:14:24 -0500 >From: David Lesher Subject: Re: Will Write Protection Prevent Virus Infection? (PC) Yes, write protection will absolutely protect you. Note, however, that this must be H A R D W A R E write protection such as provided by floppy disk tabs. Few off_the_shelf winchester hard disks offer this option, although it used to be standard on HDU's on minis. The RK-05 and RL-02 come to mind. It's no big deal to add a HW write protect switch to a MFM/RLL drive. I have not looked at doing this to an IDE or a SCSI, though. - -- A host is a host from coast to coast.....wb8foz@mthvax.cs.miami.edu & no one will talk to a host that's close.......................... Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 ------------------------------ Date: Sun, 01 Mar 92 17:33:17 +0000 >From: Fridrik Skulason Subject: Re: F-Prot 2.02D/DOS 2.11 (PC) In Message 19 Feb 92 21:02:27 GMT, LZM@UVMVM.BITNET (Lynne Meeks) writes: >We're having some trouble getting F-Prot (2.02D) to run successfully >with AT&T DOS 2.11 (Yes, I know this is very old but fiscal >constraints what they are not everyone has upgraded to a modern >version of DOS) > >What happens is we run F-Prot and get the message: >'*.TX0 not found' >then we get the DOS prompt Well, this is a bug, I admit. I have fixed it in 2.03 which is due very soon. - -frisk ------------------------------ Date: Sun, 01 Mar 92 13:57:45 -0500 >From: FRYSTD@ACAD.LVC.EDU (Michael Fry) Subject: RE: F-PROT on DOS 2.xx (PC) > We're having some trouble getting F-Prot (2.02D) to run successfully > with AT&T DOS 2.11 ... (Trouble with F-PROT finding ENGLISH.TX0) I might have missed the response from Frisk on this. I suspect a similar problem may arise when F-PROT is run from certain menu packages. When a program is executed, DOS 3 and up passes a message telling the program it's name and path. It seems F-PROT uses this feature for locating its own directory, at least on my machine running DOS 3.30. The absence of this message under DOS 2.xx may be tripping up F-PROT. Menu systems have been known to fail to pass this message, too, even under DOS 3 or higher. In case of similar ("Can't find .TX0...") trouble with F-PROT.EXE being run from a menu under DOS 3 or higher, a workaround is to instead run COMMAND.COM with command line parameter "/c path\F-PROT". A workaround for DOS 2.xx is possible, too. Mike Fry Lebanon Valley College Annville, PA 17003 frystd@acad.lvc.edu ------------------------------ Date: Sat, 29 Feb 92 21:05:26 -0800 >From: msb-ce@cup.portal.com Subject: re: A quick Michelangelo question (PC) In VIRUS-L Digest V5 #46 Pagett Peterson (padgett%tccslr.dnet@mmc.com) wrote: > Incidently it takes a whole 10 (decimal, not hex) generic bytes at > BIOS time to detect every MBR infector I have seen thusfar (including > Brain, Yale, Evil Empire, Stoned, Joshi, Michelangelo, and all their > cousins). "Stealth" just makes it easier. When are the O/S > manfacturers going to wake up ? Is there not a danger that, once there exists a "standard" way in which such infectors are detected, a virus could reach into the boot code and disable this checking at the time that it infects? Fritz Schneider (msb-ce@cup.portal.com) ------------------------------ Date: Sat, 29 Feb 92 21:21:02 -0800 >From: msb-ce@cup.portal.com Subject: Michelangelo Confused w/Joshi (PC) In VIRUS-L Digest V5 #46 Rob Lustig (LUSTIG@wsmc-mis.af.mil) wrote: > I read some disturbing news in a SIG on a BBS that said if you type > HAPPY BIRTHDAY MICHELANGELO at the DOS prompt, it would disable the > virus. I posted a reply stating that it was FALSE and if they have a > copy of the virus that responds to that then send it to me so I can > forward it on. Apparently they have confused Michelangelo with Joshi to some extent. Maybe it was the word "Birthday" that managed to stick in their memory? When Joshi triggers (on January 5th) you must type "Happy Birthday Joshi" in order to continue. Michelangelo does not ask for any input: When it triggers, it just starts writing over the first 256 tracks on the first four sides of the boot disk(ette). Bye-bye data! Fritz Schneider (msb-ce@cup.portal.com) ------------------------------ Date: Sun, 01 Mar 92 16:27:03 -0600 >From: James Ford Subject: joshirep.doc/ps on risc (PC) The following files have been placed on risc.ua.edu (130.160.4.7) in the directory /pub/virus-text/docs for anonymous ftp: /pub/virus-text/docs/joshirep.doc (ascii format) /pub/virus-text/docs/joshirep.ps (PostScript format) - ---------- When you are over the hill, you pick up speed. - ---------- James Ford - Consultant II, Seebeck Computer Center The University of Alabama (in Tuscaloosa, Alabama) jford@ua1vm.ua.edu, jford@seebeck.ua.edu Work (205)348-3968 fax (205)348-3993 ------------------------------ Date: Sun, 01 Mar 92 14:02:34 -0800 >From: alfredor@LOGOS.EDU.AR Subject: about Michelangelo (PC) I read some information about the virus named MICHELANGELO. But I have some questions, maybe you can help me. o The virus works in march 6th only or it is activated this day and works every day after march 6th of 1992 ? o I haven't got the Scan V.85, Can I remove the Mich virus with the 84 version ? o My BIOS ask me what to do when somebody is trying to change the hard disk partition table or the boot. Can Mich get into mi hard disk without I note this ? o Sorry for my english, and, PLEASE send me the answer before march 4th. so it can reach me before march 6th. Thank's Alfrenovsky - -------------------------------+---------------------------------------------- Alfredo Daniel Rezinovsky | E-Mail adress: alfredor@logos.edu.ar Student of the Facultad de | Phone: (54-61)-29-1774 Ingenieria of the Universidad | Nacional de Cuyo - Mza - Arg | |\/\/\/| ______________________ | | _ _| / \ Mailing Adress: | | (_)(_) / if A=B and B=C, A=C | Alfredo Daniel Rezinovsky | C _) __| except if void or | 9 de julio 1067 Piso 5 Dpto. 9 | | ,___| <___ prohibited by law. | (5500) - Mendoza - Argentina | |____/ \______________________/ | | \ - -------------------------------+----+-----+----------------------------------- ------------------------------ Date: Sun, 01 Mar 92 15:25:04 +0000 >From: mailrus!gatech!bing.stonemtn.ga.us!root@uunet.uu.net (Administrator) Subject: Re: Preventing virus infection by disabling the hard disk (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > mathews@kong.gsfc.nasa.gov (Jason Mathews - 514) writes: > > > It seems that DOS and most programs cannot access the hard disk from > > this point. However, are there any viruses (actual or theoretical) > > that can infect the hard disk after the CMOS disabled it? > > For sure none of the currently existing viruses will bypass this > protection. The hard disk is not accessible even throuth BIOS calls. > However, I will not take the responsability to state that it is really > impossible to access the disk and that no future virus will be able to > do that. Note that in this case my reaction ("who knows, might be > possible") is caused mainly because I am not informated well enough > (read: ignorant) on this (hardware) matter. A simple hardware level device driver for the normal AT type controller is only several screen fulls of C code. I would venture that it would not be theoretically impossible to have such a thing in a virus. But, I think it is impossible to deactivate the disk activity light. So, in the above test method, I would keep a sharp eye on the disk activity light, just in case. ------------------------------ Date: Sun, 01 Mar 92 18:07:14 -0500 >From: "Albert M. Berg" Subject: Alamo Virus? (PC) Has anyone had experience with a virus or trojan that overwrites the beginning of disk sectors with the string: "remember the alamo!" I have a client whose NetWare server got trashed, and we found this string at the beginning of many sectors examined with Novell's DISKED utility. There doesn't seem to be a listing for this type of behavior anywhere I looked. Any help will be greatly appreciated. Al ------------------------------ Date: Fri, 28 Feb 92 23:57:28 +0000 >From: kucharsk@Solbourne.COM (William Kucharski) Subject: Re: Disinfectant 2.6 (Mac) norman@cs.st-andrews.ac.uk (Norman Paterson) said the following: >I've been having trouble running Disinfectant 2.6 on an Apple Quadra. >There are several other applications that might be involved, including >TELNET 2.4 and CAP/AUFS. Symptoms include crashing during hard disc >scan with "unimplemented trap" error and sporadic unmounting of file >server volumes. > >Has anyone else come across this? The Quadra seems to have a number of >peculiarities. Don't blame the Quadra; Disinfectant 2.6 works just great for me. Sounds like an INIT problem somewhere (standard answer.) - -- | William Kucharski, Solbourne Computer, Inc. | Opinions expressed above | Internet: kucharsk@solbourne.com Ham: N0OKQ | are MINE alone, not those | Snail Mail: 1900 Pike Road, Longmont, CO 80501 | of Solbourne Computer, Inc. | President, "Just the Ten of Us" Fan Club | "It's Night 9 with D2 Dave! " ------------------------------ Date: Sun, 01 Mar 92 12:34:42 -0500 >From: IP_BOSS@syd.deg.CSIRO.AU (Jack Churchill) Subject: Viruses in general bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > TENCATI@NSSDCA.GSFC.NASA.GOV (NSI Security Manager +1-202-434-4541) writes: > >> This question may have been asked/answered already, but does merely >> setting the system date ahead on the 5th (to the 7th) cause the >> trigger mechanism never to go off? > > No. The trigger mechanism will go off the next March 6 (after one > year) too. "Never say never"... :-) > >> It would seem that if true, as an interim measure until all systems >> could be scanned, that the systems just be set so that Friday, the 6th >> of March never comes.... > > Yeah... And on March 13 (Friday) the Jerusalem virus (a quite > widespread one, maybe more than Michelangelo) will delete files. And > on March 15 the Maltese Amoeba virus (quite widespread in the UK, but > also in other places in the world) will destroy your hard disk... Are > you going to change the date in these cases as well? Not to forget > the few hundreds other viruses, which cause destruction every day, > every hour... Some of them are -very- widespread (Dark Avenger). Are > you going to turn your computer on at all? > > No, you must take proper anti-virus measures. Not because one silly > virus happens to activate in a few days, but because computer viruses > do exist and because the -are- widespread. You -must- take those > measures -now- and not wait till the next panic, or rely on changing > the system date. If it's that important to have a good anti-virus tool (which it is) then it should be mandatory on all PCs. It's now come to the stage we spend too much time chasing viruses and ant-viruse cures. PCs are supposed to be useful, productive and cost effective means of computing. I feel it's come to the stage that MSDOS should have anti-virus tools as standard with the provision for updates through normal computer stores or electronic means. In other words, why should we put up with so many different forms of anti-virus tools when one should be enough and made a permanent feature of all PCs. That way the spread of viruses would be much harder since every system would stop the spread as close to the source as possible. Then we can get back to using PCs for other more productive uses. Otherwise, we will quickly come to the stage of having so many new viruses (one per day or worse) that we spend most of our time doing backups/restores/virus-checking/etc. If it's not that important to make every system safe then the opposite argument becomes true, namely we are all becoming paranoid about viruses (which I don't think is true). You see, you can't have it both ways. Either we take it seriously or not. - -- Jack N. Churchill | jack@syd.deg.csiro.au CSIRO Division of Exploration Geoscience | churchill@decus.com.au PO Box 136 North Ryde NSW 2113 | Phone: +61 2 887 8884 Australia | Fax: +61 2 887 8909 ------------------------------ Date: Fri, 28 Feb 92 23:47:59 -0600 >From: James Ford Subject: New files on risc.ua.edu (PC) The following files have been placed on risc.ua.edu for anonymous FTP: /pub/ibm-antivirus/stealth.zip (replaces crcset*.zip) /pub/ibm-antivirus/navm.zip Nortin AV M(ichelangel) /pub/ibm-antivirus/cpavse.zip Central Point AV "special edition" - ------------------------------------ stealth.zip This is an anti-virus protection utility that uses a 32-bit CRC to test the integrity of the running program and any supporting files. It also performs a basic system check for any viruses that may evade detection by a file check. Supporting code is in C and Turbo Pascal and full documentation is included. (DOS) - ------------------------------------- Below is a file listing from risc.ua.edu (130.160.4.7) pub/ibm-antivirus files. If you see an outdated file, please let me know which file so I can replace it. Thanks. risc.ua.edu (130.160.4.7) filelist current as of Feb. 28, 1992. - ---------------------------------------------------------------------------- 0files.9203 fshld15.zip tbresc15.zip vc300ega.zip vshld86b.zip avs_e224.zip fsp_183.zip tbscan30.zip vc300lte.zip vstop54.zip bbug.zip htscan12.zip trapdisk.zip vcheck11.zip vsumx201.zip bootid.zip i-m102b.zip unvir902.zip vcopy82.zip vtac48.zip ccc91.zip innoc5.zip uu-help.text vdetect.zip vtec30a.zip checkout.zip m-disk.zip uudecode.bas virlab14.zip wcv201.zip chk.zip navm.zip uudecode.doc virpres.zip wolfchk.zip chkint.zip navupd01.zip uudecode.pas virsimul.zip wp-hdisk.zip clean86b.zip netsc86b.zip uuencode.pas virstop.zip wscan86b.zip cpavse.zip pcv4.zip uxencode.pas virusck.zip xxdecode.bas dir2clr.zip pkz110eu.exe vacbrain.zip virusgrd.zip xxdecode.c fixfbr11.zip scanv86b.zip vaccine.zip virx20.zip xxencode.c fixmbr24.zip secur231.zip vaccinea.zip vkill10.zip xxencode.cms fixutil2.zip sentry02.zip validat3.zip vs920109.zip fprot202d.zip stealth.zip validate.crc vshell10.zip - ---------- The pot at the end of the rainbow is not Acapulco Gold. - ---------- James Ford - Consultant II, Seebeck Computer Center The University of Alabama (in Tuscaloosa, Alabama) jford@ua1vm.ua.edu, jford@seebeck.ua.edu Work - (205) 348-3968 fax - (205) 348-3998 ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 50] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253