VIRUS-L Digest Monday, 2 Mar 1992 Volume 5 : Issue 51 Today's Topics: hiding hard drives (PC) Re: Question on Michelangelo Date-Trigger (PC) Re: Weird Joshi (PC) Re: Kamikaze virus? (PC) Re: mutated FORM? (PC) Re: TIME virus (PC) Re: V2P6 VIRUS (PC) Request for Info on Lisbon Virus (PC) False Positives with Virus Scanners (PC) Problem with McAfee CLEAN against the FORM virus (PC) Re: Another Michelangelo question... (PC) Michelangelo question (PC) Michelangelo (PC) Fprot 2.20d and Novell (PC) Manufacturing of software (GENERAL) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 01 Mar 92 22:17:55 -0500 >From: Leonard Erickson <70524.2603@CompuServe.COM> Subject: hiding hard drives (PC) Martin McCormak writes: >> Before testing new software on my 286/386 machines, I disable the hard >> disk by changing the CMOS hard disk type to 0 and reboot from a > >First of all, I make this statement without ever having experimented >with a present generation system containing the CMOS hardware >configuration setup ability so my opinions are worth just what you >paid for them, but I would say, with some confidence that it is >possible for a sophisticated virus to bypass any CMOS settings. After >all, it is possible for any running program to determine the type of >system which is running it. If anything about this system can be set >by software, it can be a potential mark for attack. Basically, if you >set something from the keyboard or a disk file, somebody else can set >it also with their program. Remember, we aren't talking about >following all the rules or doing things according to the book. We are >talking about field expedience and getting the job done any way one >can. If this means doing something totally unorthodox, such as >loading "incorrect" values into a BIOS routine, somebody will do it if >it makes their sabotage program stealthier or more destructive. A virus isn't going to *infect* a hard drive that way. On machines with CMOS setup, *all* the info about the drive is determined by the info in the setup. # of heads, cylinders, sectors per track, etc. A virus *might* try testing access with all of the possible drive types (over 40 on many machines) but picking the wrong one will result in a BIOS level error, with attendant error message. It would be *very* noticeable, especially since as soon as it tried to access the drive, the drive access light would come on (it doesn't if you tell the machine that there is no HD). I really don't think any virus author is going to waste time and effort on trying to find such a drive. It'd tie up the virus for *minutes*, generate some noticeable physical effects (the drive light), and could be a waste of time (if there really *wasn't* a hard drive). ------ Sid asks about his mother's HD getting trashed and being told "..it had a virus which replaced information in sectors 2-35 with "E5"." Well it could be a virus. On the other hand, guess what gets written to sectors when you format a disk? There are *lots* of ways to caused a porly behaved program to do that to the FAT... I'd test anyway, just to be on the safe side. ------------------------------ Date: Sat, 29 Feb 92 11:16:15 -0500 >From: mgk@sql.sybase.com (Michael Keirnan) Subject: Re: Question on Michelangelo Date-Trigger (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >> It would seem that if true, as an interim measure until all systems >> could be scanned, that the systems just be set so that Friday, the 6th >> of March never comes.... >Yeah... And on March 13 (Friday) the Jerusalem virus (a quite ... >on March 15 the Maltese Amoeba virus (quite widespread in the UK, but ... >Are you going to turn your computer on at all? > >No, you must take proper anti-virus measures. Not because one silly >virus happens to activate in a few days, but because computer viruses >do exist and because the -are- widespread. You -must- take those >measures -now- and not wait till the next panic, or rely on changing >the system date. Yes indeed, and I would add that turning off your computer and waiting for the threat to pass sounds a lot like giving in: "Okay, virus writer, you win, I won't use my computer because of your virus." If people start doing that, as Vesselin pointed out, computers would become large paper weights. I'd rather get infected!! well...almost :) The idea of setting the clock has probably been suggested largely because it is easy to do, and doesn't take much time. This is understandable, but the virus situation is such that to protect yourself requires a time investment. But it is well worth it. The plans that the people on this list suggest typically include a regular backups, something that pays for itself even if you never get hit with a virus. And the time investment is biggest to set up a prevention scheme. Once procedures are in place and part of your (or your company's) routine, the time spent is minimal. =========================================================================== Michael Keirnan | Internet: mgk@sql.sybase.com Sr. Software Engineer | Voice: 617-270-9234 x202 SQL Solutions, Inc. | #include - --------------------------------------------------------------------------- Seize the day by next week at the latest. -- Boynton =========================================================================== ------------------------------ Date: Mon, 02 Mar 92 00:51:46 -0500 >From: David_Conrad@MTS.cc.Wayne.edu Subject: Re: Weird Joshi (PC) The problem you ran into with Joshi has a fairly simple explanation: Joshi, as you know, infects boot sectors. The boot sector contains some data about the disk as well as the bootstrap loader program (which you probably also knew). This data includes such things as the media descriptor (5 1/4", 3 1/2", etc.), the number of bytes per sector, sectors per track, tracks per cluster, FAT's, root directory entries, etc. DOS needs this information to access the disk. Your floppy was infected, no doubt about it. But your hard disk wasn't, and Joshi was not active in memory. Now, you do a DIR of the infected diskette. To do this, DOS reads the root directory, BUT FIRST IT READS THE BOOT SECTOR! It reads it into a buffer, and uses the data contained therein. It does NOT execute the code, so Joshi never gets control. Then, when you run F-PROT and it goes looking through memory for viruses, Joshi is found in the DOS buffer into which it had been read. Although Joshi is not active in memory, F-PROT either doesn't realize this, or takes the conservative course, and reports it. And well it should. The reason you saw this behavior under MS-DOS 5.0 but not under HP MS-DOS 3.30 or 3.20 is presumably that HP MS-DOS reuses the buffer into which it read the boot sector for the root directory sectors, whereas MS-DOS 5.0 keeps the boot sector around so that it doesn't have to read it again if you access the same diskette. I think someone on this list mentioned that you can press Ctrl-C or Ctrl-Break, which will force DOS to flush its buffers and reload them on the next diskette access. Could someone confirm this? Anyway, all you're seeing is the ghost of Joshi in memory. Disinfect (or reformat) the diskette and any others which may be infected and you should have no more problems. David R. Conrad David_Conrad@mts.cc.wayne.edu ------------------------------ Date: 02 Mar 92 11:47:05 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Kamikaze virus? (PC) miss059@uxa.ecn.bgu.edu (Pug) writes: > semester. When I run scan, it comes up with nothing. When I run > f-prot, it comes up with TURBO.TPL possibly being infected with the > Kamikaze virus. I understand that it's possible that the signature for > a virus COULD randomly appear, but for some reason I doubt it. This Not randomly. There is a perfectly good reason why the Turbo Pascal library causes a false positive. Kamikaze is a pretty silly overwriting virus, written in a high level language. In Turbo Pascal, more exactly. While such viruses have virtually no chances to spread (although I personally caught this one in the wild, but this was in Bulgaria anyway ), it is extrememly difficult to select a good scan string for them. The reason is that most of their body consists of library routines, and if you happen to pick something from there, you'll get a false positive in any program, which is compiled by the same compiler and contains the same library. Or in the library itself. However, I think that Frisk corrected this problem. Maybe your version of F-Prot is outdated; try 2.02d (available from Simtel20, garbo, and many other places). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 02 Mar 92 11:53:45 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: mutated FORM? (PC) jgunders@copper.denver.colorado.edu (James P. Gunderson) writes: > At the University of Colorado Denver we have run across an interesting > situation. On a routine scan of a users disk, we found FORM in memory > with no detection on the disk it self. After making a disk copy of > the disk (5 1/4 HD formatted at 360K) we again scanned. No image on > the disk, but the machine was reinfected. Just a (wild) guess. Do you run any other (resident) form of virus protection? Like the one that comes with Central Point Anti-Virus? If so, remove it and check whether the "virus" (actually a ghost false positive) will disappear. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 02 Mar 92 12:11:36 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: TIME virus (PC) PEINADOR@UCRVM2.BITNET (Jose A. Peinador) writes: > We are having a lot of requests to eliminate TIME virus from several > machines (PCs). "TIME" is a not very often used alias for the Monxla viruses. There are two Monxla viruses (A and B), both are Vienna variants. > A vendor and us started investigating about it in our organization and > found some strange facts (we used an antivirus called anti-kot that he > brought): Hmm... Anti-kot is a Russian program, right? If the guy has been in Russia (or anywhere in East Europe), chances are that he has brought the virus as well... :-) > - - first we found out that not only com files were infected but text files > did also. Are they -really- infected or just flagged as such? This is easy to check, just load them with a text editor and see what's inside. > - - not all of the com files that we ran in a computer that was supposelly > infected, got infected. Well, if you really have the virus, the above is not strange, since the virus infects only files in the current directory and in the directories, listed in the PATH variable. > So, what would you think? Is it the anti-kot program or is it that this > virus doesn't really exist? In any case, what damage can it cause? I can't tell for sure, because I have not seen an infected program, and I don't know the anti-kot program well. I advise you to try some other scanners. For instance, F-Prot 2.02d calls these viruses Vienna (Monxla-A) and Vienna (Monxla-B). SCAN 86-B calls both viruses Vienna [VHP]. Anyway, if you are really infected, be sure to remove the infection before March 13, since on 13th of any month this virus will damage the files it tries to infect. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 02 Mar 92 12:23:06 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: V2P6 VIRUS (PC) segrove@pbhya.PacBell.COM (S. E. Grove) writes: > One of my co-workers ran virex-pc 2.0 on his 486 and it declared that > powermenu was infected by the virus v2p6. He doesn't beleive he has > done anything to infect the pc, and he hasn't had it very long. The > same program on his old pc is clean and that is where he got powermenu > from. It is certainly a false positive. > Questions: > 1) What does V2P6 do to a pc? Basically, nothing else than spreading. However, this is a polymorphic virus, the decryption routine and infective length of which vary a lot, so it is extremely difficult to locate all the infected files. Otherwise, this is a Vienna-related virus, non-resident, and infecting only COM files in the current directory and in the directories, listed in the PATH variable. > 2) Is it possible that virex-pc 2.0 is in error? It is almost certainly an error. Please report it to Microcomm (the producers of Virex-PC) or to Ross Greenberg (the author of the program). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Mon, 02 Mar 92 13:45:08 +0700 >From: "Mickie Person, SA" Subject: Request for Info on Lisbon Virus (PC) Can you please furnish any more information about the Lisbon virus than is in the PC Tools ver 6 User's guide? Mickie Person ------------------------------ Date: Thu, 20 Feb 92 21:06:39 +0000 >From: userSAMY@mts.ucs.UAlberta.CA (Marilyn Francis) Subject: False Positives with Virus Scanners (PC) Thought I would pass on an interesting experience for those of you who have to check out virus reports on other people's machines. I recently got a call from a staff member who said when he booted from his hard disk the scanners reported it infected with the Pakistani Brain virus and said to immediately turn off the machine until it was disinfected. When he booted from a clean floppy as we had instructed people to do, his scanners reported that he was clean. I checked it out with F-Prot (which said he had the Brain) and Scan (which said he had Invader) and VirX (which said he had every virus! - I quit counting after 17). Further investigation showed he is using the Central Point Anti-Virus product and the above scanners were triggering on the VWATCH.SYS and VSAFE.SYS files. When we removed these files from the hard disk, all scanners reported the machine clean. I'm not sure why these files triggered the message unless they pick up the signatures that Central Point is using and think it is the actual virus. Hope it can save someone else some valuable investigative time. Marilyn Francis usersamy@mts.ucs.ualberta.ca Computing & Network Services programmer analyst University of Alberta **************************************************************** ------------------------------ Date: 02 Mar 92 14:46:04 +0000 >From: mmeijer@accucx.cc.ruu.nl (Maarten Meijer) Subject: Problem with McAfee CLEAN against the FORM virus (PC) We - at the Academic Computing Centre of Utrecht University (ACCU), the Netherlands - have tried to remove the FORM virus from several hard disks using McAfee's CLEAN version 8.3B86. All disks were larger than 60 MB, formatted with DOS 5.0, some with one large partition, others with multiple partitions (C:, D:, etc.). CLEAN always reports removal of the [FORM] virus, but in the meanwhile it often destroys the boot sector of partition C:, making the partition unreachable at the next bootstrap. Although the FORM virus puts the original bootsector at the end of the hard disk, CLEAN isn't able to find it. (So does F-PROT 2.02D of Fridrik Skulason, but at least this program correctly reports that it can't find the original bootsector, instead of messing up the system). It seems quite simple to locate the original bootsector at the very end of the hard disk. Why then do both these programs not succeed? - -- Maarten Meijer, Academic Computing Centre University of Utrecht, The Netherlands. Email: mmeijer@cc.ruu.nl ------------------------------ Date: Mon, 02 Mar 92 16:45:46 +0000 >From: gary@sci34hub.sci.com (Gary Heston) Subject: Re: Another Michelangelo question... (PC) rslade@sfu.ca (Robert Slade) writes: =HSVLM%tjuvm.bitnet@TJUVM.TJU.EDU (LARRY MATEO) writes: =>Actually, this is a question about viruses that infect the boot sector =>of a hard drive. If I boot a Novell network (version 2.x, 3.x) from an =>infected disk, can the boot sector on the server become infected? If =>so, what happens when the server is brought up? Does the virus get =>loaded into memory where it CANNOT infect floppies, or what? =Can we define "boot a Novell network"? Booting the network would mean booting the server, as was implied by the following question about "when the server is brought up". At least, that's the way I read it..... =If you boot a workstation from an infected disk, the workstation will =become infected. The infection on the workstation will not "travel" =to the server, at least not over the network. In the case of a boot-sector infector, this is correct. In the case of an executable infector, executables that the user has write permissions to will most certainly get infected on the network drives. If another user then executes one of those, their system becomes infected. For this reason, anyone using supervisor logins or having supervisor-equivalency can do *serious* damage to a network if they're not careful. I scan my server daily, and every floppy I put into my workstation, shrink-wrapped or not. [ re: servers ] =The possibility of infection of the network is the same as for a =workstation. Actually, if an infected NetWare server was able to boot, I don't think the infection would spread. It's a totally different environment in there; even though the BIOS calls are the same, memory is handled in a totally different manner, and I just can't see how it would do anything other than crash on attempting to boot. An executable infector on a NW 3.11 server could infect everything in the DOS partition, but couldn't get to the files in the NW volumes, or infect workstations. Note that I'm not going to go infect my server to test any of this, either.... :-) - -- Gary Heston uunet!sci34hub!gary or gary@sci34hub.sci.com Authority? Me?? "I understand the chairman of the Senate Ethics comittee is going to examine the check-bouncing scandal with a microscope. ...makes sense... If you're going to look at ethics in Congress, a microscope is what you need." J. Leno ------------------------------ Date: Mon, 02 Mar 92 12:54:00 -0500 >From: VANCLEEF@MPS.OHIO-STATE.EDU Subject: Michelangelo question (PC) Does the Mich virus spread from executable files (such as the Jerusalem B virus)? In other words, can the virus be spread through distribution of executable files, or does it require a boot sector to be present to spread it? - -Garrett ------------------------------ Date: Mon, 02 Mar 92 10:13:00 -0800 >From: Michael_Kessler.Hum@mailgate.sfsu.edu Subject: Michelangelo (PC) A faculty member happened to read a newspaper report about Michelangelo which indicated the changes in memory available if infected, and compared it to the information he had on a piece of paper written down when he purchased his computer last summer. The numbers matched, and in fact, his diskettes were infected. It appears that the infection came with the computer, which was purchased from HI-TECH USA, a clone outlet in the San Francisco Bay Area. I am placing no blame, just circulating a warning for those who may be unaware. MKessler@HUM.SFSU.EDU ------------------------------ Date: Mon, 02 Mar 92 13:42:40 -0500 >From: usgjej@gsusgi2.gsu.edu (Jeffrey Johnson) Subject: Fprot 2.20d and Novell (PC) When I try to run Fprot 2.02d from a PS/2 model 50 running off a Novell 3.11 network it comes up and says i have a boot-secotr virus. I have run F-prot 2.02d and Scan86b on the machine and nothing shows up. This happens on all of our 60 PS/2 running IBM Dos v3.30. VIRSTOP gets loaded after the machine logs onto the network. The only TSR's that are loaded on the machine are IPX and XMSNET3 network drivers. Is anyone having any problems like this? I have scanned the machines over and over again and no virus shows up. Any help appreciated!!!!!!! ___ ___....-----'---`-----....___ ======================================= ___`---..._______...---'___ (___) _|_|_|_ (___) \\____.-'_.---._`-.____// ~~~~`.__`---'__.'~~~~ ~~~~~ Jeff Johnson LAN Administrator Georgia State University (404)651-2686 (404)651-2013 FAX ------------------------------ Date: Mon, 02 Mar 92 00:11:11 -0500 >From: Michael Purcell Subject: Manufacturing of software (GENERAL) I was looking in the Virus-L archives in Jan. 1990 (v3i12) and read the discussions then concerning shrink-wrapped software. I've also seen the recent reports of software distributors shipping their product infected with the Michelangelo virus. Can anyone respond to (a) How do software publishers tend to produce the physical disks -- in house or by contract to another business, (b) How is this software copied to the disks (xx thousands of copies), and (c) How often and what type of quality checks are being performed? I'm sure that there are as many variations as there are companies, but I'm wondering what the normal practice is. Personally, I never trust any software with regards to viruses irregardless of the source. But it is frustrating to hear of these reports of Michelangelo being distributed via commercial software. Maybe it is time for the lawyers to test the laws concerning merchantability. - -=Michael Purcell=- mopurc01@ulkyvm.bitnet mopurc01@ulkyvm.louisville.edu ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 51] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253