VIRUS-L Digest   Tuesday, 7 Sep 1993   Volume 6 : Issue 119

Today's Topics:

Multi-Platform/OS Virus Scanner?
comments on the last virus-l
Re: Dark Avenger Update?
Re: Dark Avenger Update?
Dark Avenger Update?
WARNING -- SPLIT in BREAKARJ.LZH (PC)
Floppy disk virus (PC)
TBAV604.ZIP/TBAVX604.ZIP - Thunderbyte Anti-Virus utilities v6.04 (PC)
Re: Write protect ... (HELP!) (PC)
Exebug1 problems......... aaaggghhhh!! (PC)
Re: Butterfly (Crusades) (PC)
Lambdin's Accuracy Tests (PC)
Re: Butterfly (Crusades) (PC)
Anti-virus package testing (PC)
Re: Any good anti-viral shareware out there (PC)
Vshield v107 (PC)
Re: virusses in .ARJ & .ZIP (PC)
NukePox disinfector? (PC)
Detecting droppers (was: Form virus) (PC)
You never forget the first time (PC)
YB-1 (PC)
DiskSecure II (PC)
announcing DISKSECURE II (PC)
Polymorphism and self-encryption (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 01 Sep 93 08:49:19 -0400
From: Curtis Sawyer
Subject: Multi-Platform/OS Virus Scanner?

Has anyone dealt with a product called "VFind" by CyberSoft, Inc.?
According to their literature, VFind "Scans for UNIX, MS-DOS, Macintosh, and Amiga viruses on your NFS network, servers, clients, or stand-alone systems, in one pass." VFind uses something called a CVDL generic pattern matching language.

I am in the process of trying to get an evaluation copy; however, I just wondered what other people's experience has been with this product. You can feel free to post (obviously) or e-mail me at:

cs7627a@american.edu (preferred)
.OR.
cmsawyer@dockmaster.ncsc.mil

Thank you in advance for your time and consideration...

- ---Curt

------------------------------

Date: Thu, 02 Sep 93 07:49:11 -0400
From:
Subject: comments on the last virus-l

Novell can easily be infected - read the paper presented on this at last year's (1992) Virus Bulletin conference - also see the improved article in Computers and Security.

Every Ethernet card does not have a built-in address - or at least some didn't used to. Also, current routers strip the address of the sending chip in favor of their own addresses, so you lose this information over any nonlocal network.

The problem with the turn switch and all the other schemes for flash ROMs is that, like a hard disk with a write lock switch, when you eventually write enable it for a few seconds to make a legitimate change, the attack can use that window of vulnerability to win. That's why we need to have a procedure involving booting from a special disk, starting from power down, in order to be even a little bit safe:

1: Turn keyswitch to ROM CHANGE position
2: Place permanently write protected disk in disk drive
3: Wait till screen tells you to remove disk
4: Remove disk and turn keyswitch back to RUN position

The ROM should be set to look for a disk in A after clearing memory.
As soon as the door is closed, it should read from A, verify the write protect status of A by attempting (and failing) to write to it, use an RSA based (or similar) cryptographic checksum to verify the legitimacy of the data in A, load its Flash ROM, put the proper message on the screen, and halt the processor.

This scheme would allow even a bad ROM update to be backed out of because the loading routine is in ROM not EROM, should prevent unauthorized updates, and enforces the procedures required to prevent malicious EROM changes.

The reason this scheme is NOT used (even though the hardware designers of most flash ROMs designed their ROMs to work this way) is that it costs money to add a switch and the few hundred lines of code required to implement protection, and we all know that people want protection for free and believe it is safe even when it isn't. Call a bug a feature, and you have happy customers.

FC

------------------------------

Date: Thu, 02 Sep 93 12:58:33 -0400
From: vfr@netcom.com (Rushka)
Subject: Re: Dark Avenger Update?

mvjma2@cbnewsb.cb.att.com (jenny.m.abar) writes:

>Just wondering if anyone has heard anything about Dark Avenger
>lately, any new viruses, mutation engines, has he been caught,
>etc.

1. No new viruses released. However some people (who have certain ulterior motives) would like to represent that he has released new ones. If he does, there are experts who can confirm he actually has written xyz beyond most reasonable doubt, as well as verify any communications with him, subject to the same strident measures used to assure my communication with him was valid prior to my interview with him.

2. No new mutation engines. There is a vs1.00, with some text about Data Destroyers. I personally have not looked at it nor received any comment from him other than that he has not 'updated' the MTE. There were, however, several versions of it released a -long- time ago, as I told some of the a-v community. It is possible this is one of them.
I don't know, because I've not discussed it in any great depth with him. I have seen "source codes" and object modules of the original MTE..only they were actually just sourcer outputs, garbage, useless modules, etc.

3. Has he been caught for what? Writing viruses, etc., was not a crime when he did it. Vesselin has stated no one in Bulgaria cares to catch him, and I've not heard from anyone who is looking to track down an ex-virus writer, especially when there are so many whose names and addresses are well known.

- --
SGordon@Dockmaster.ncsc.mil / vfr@netcom.com
bbs: 219-273-2431  fidonet 1:227/190 / virnet 9:10/0
p.o. box 11417  south bend, in 46624
you are only coming thru in waves..your lips move but i cant hear what you say

------------------------------

Date: Thu, 02 Sep 93 17:37:41 -0400
From: "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: Dark Avenger Update?

>Just wondering if anyone has heard anything about Dark Avenger
>lately, any new viruses, mutation engines, has he been caught,

The latest thing that I have seen written by Dark Avenger was the Uruguay virus, but that was several months ago.

Bill

------------------------------

Date: Thu, 02 Sep 93 21:54:53 -0400
From: grimhac@santafe.edu (Chris Unger)
Subject: Dark Avenger Update?

Most of you probably already know this, but in case you haven't heard: I read a book the other day, Approaching Zero by Paul Mungo and Bryan Clough. They say The Dark Avenger has (or will be) created a virus that is encrypted and creates its own strains, over a billion of them! So it would be kind of hard to track that one down!

- --
(*************************************************************************)
(** Chris Unger                                 Kutztown University     **)
(** unge1845@acad.csv.kutztown.edu              Computer Services       **)
(** grimhac@sanjuan.santafe.edu                 (215)-683-4152          **)
(**                                                                     **)
(** Last night as I lay in bed looking at the stars, I asked myself     **)
(** "Where the hell is the ceiling?!"
                                                                        **)
(*************************************************************************)

------------------------------

Date: Fri, 03 Sep 93 10:16:00 +0200
From: Martin_Roesler@f1070.n491.z9.virnet.bad.se (Martin Roesler)
Subject: WARNING -- SPLIT in BREAKARJ.LZH (PC)

Hello all!

In Germany a file named BREAKARJ.LZH floats around. This file contains the SPLIT virus. Split is a simple COM infector (250 bytes) and can be detected with the following signature:

9CFC 8DB6 DF01 BF00 01B9 0200

bye
Martin

===============================================================
Martin Roesler, Kolpingstr.7, 84416 Taufkirchen/Vils, 08084/3270
email: Martin_Roesler@nem.fido.de

- --- GoldED 2.41+--IMAIL 1.31/beta
 * Origin: Virus Help Munich - call 49-89-92793593 (9:491/1070)

------------------------------

Date: Wed, 01 Sep 93 00:11:53 -0400
From: s9018166@pewter.spectrum.cs.unsw.OZ.AU (Elisa Aquino)
Subject: Floppy disk virus (PC)

I don't know how to fix my computer because I think it is infected by a virus.

1. Drive A can only read the first disk. Even if you put in a second disk, the directory will show the same as the first disk.

2. After I read drive B, drive A is reset to read the first disk, but it is the same after putting in another disk.

I even reformatted the hard disk; still the same. Then I low level formatted the hard disk, also the same.

Any help!
Email: s9018166@cs.unsw.oz.au

------------------------------

Date: Wed, 01 Sep 93 03:26:36 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: TBAV604.ZIP/TBAVX604.ZIP - Thunderbyte Anti-Virus utilities v6.04 (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:
TBAV604.ZIP   TBAV anti-virus software (complete pkg v6.04)
TBAVX604.ZIP  TBAV anti-virus - processor optimized versions

Replaces: tbav603.zip tbavx603.zip

Greetings, Piet de Bondt               E-mail: bondt@dutiws.twi.tudelft.nl
===================================================================
FTP-Admin for the MSDOS Anti-virus software, @dutiws.twi.tudelft.nl

------------------------------

Date: Wed, 01 Sep 93 05:40:12 -0400
From: Martin_blas Perez Pinilla
Subject: Re: Write protect ... (HELP!) (PC)

berces@ludens.elte.hu writes:

> My computer (IBM386+110Mb harddisk[C+D part.]+MS-DOS 5.0+Stacker 2.0
> version) displays at each disk operation on C that:
>
> "Write protect error writing drive C
> Abort, Retry, Fail?"

I think that Stacker is the guilty one. This problem was discussed last year in V5#167 of VIRUS-L. What follows is a verbatim copy of a message from OB77665@IBMH1.ORL.MMC.COM:

Subject: Stacker problems (PC)

The last few months I've observed a lot of discussion on the automatic write protection of Stacker drives as a result of allocation errors. I had this unfortunate experience this weekend; as a result I dialed into the Stacker BBS which was listed in the manual. They have several nice utilities and text files that you can d/l for troubles and updates. Below I have included the text file I d/l on how to get out of the write-protected problem.

Bruce

- - ------------------------------------------------------------------------
STACKER NOTE                                Stac Electronics Technical Note
SUBJECT: Write Protected Stacker Drives.
Tec035 - 6/10/92
- - ------------------------------------------------------------------------

When file corruption such as a damaged temp file is detected, Stacker will write protect the drive as a means of safeguarding data. This forces the user to run Stacker's SCHECK /F to repair logical data structures before anything else can be written to the drive. Stacker will also write protect a mounted drive if it has not been "padded" to its full size. The fix for this condition involves the SCREATE program and is discussed in greater detail in section III.

I. Fixing Errors with SCHECK /F:

SCHECK is similar to the DOS CHKDSK program in that it checks for and repairs allocation unit errors. Unlike CHKDSK's work at the DOS cluster level, SCHECK will diagnose and repair at the sector level. Stacker's ability to store on a sector by sector basis makes this a necessity. Because SCHECK only repairs sector allocation errors, it will recommend using CHKDSK to fix any DOS cluster allocation errors that it has detected.

Sometimes SCHECK will offer to delete damaged files. It is able to do this even though the drive is write protected. If it offers to do this, make a backup copy of the file and let SCHECK delete it. After SCHECK has made its repairs, the write protection may then be removed by rebooting or by unmounting then re-mounting the drive.

II. Forcing SCHECK to remove the write protection:

DOS errors can be repaired by CHKDSK or another disk repair utility such as Norton Disk Doctor or PCTOOLS Diskfix. Because SCHECK will not repair all DOS errors, it may be necessary to force SCHECK to remove the write protection before one of these utilities may be used. This should ONLY be done AFTER SCHECK /F has repaired any Stacker errors. Remove the write protection by typing:

SCHECK /=w d:

where d: is the write protected drive.

NOTE: DO NOT use this option if the Stacker drive has been mounted as (SIZE MISMATCH) (Write Protected). See section III.
Scheck /=w will return the following message. Follow its advice.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The read only status of drive D has been cleared so that you may
delete those files which contain errors. However, the damage to
drive D has not yet been repaired!"

DO NOT ATTEMPT TO WRITE OR CHANGE ANY DATA ON DRIVE D UNTIL YOU HAVE
COMPLETED ALL OF THE FOLLOWING STEPS:

1) DELETE THE FILES CONTAINING THE ERRORS
2) REBOOT YOUR COMPUTER
3) RUN SCHECK /F D:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Restart the system after step 3 to reset the status of the Stacker drive.

III. Repairing a (Size Mismatched), (Write Protected) Drive.

Stacking a drive is a three step process. First, construction of the Stacker drive companion file (STACVOL.DSK) begins as compressed files are copied into it. After all the files have been added, Norton Speedisk is run to defragment this file and optimize the host drive. The last step is to "pad" the file (add the free space). If the process halts for some reason, such as Speedisk discovering a bad sector or someone tripping over the power cord, the Stacvol file will be undersized. Upon reboot, as the drive is mounted, the message (Size Mismatched) (Write Protected) will be displayed.

In order to continue where Speedisk left off and pad the file, it is necessary to use the Screate program as follows:

Note: insert the Stacker program diskette and issue these commands from the floppy drive prompt.

1. Unmount the Stacker drive by typing:

   Stacker -c:

   c: is the letter of the drive you wish to unmount.

2. Run SCREATE d: /P

   where d: is the letter of the host drive containing the Stacvol file.

3. After receiving the message "volume created successfully", reboot to mount the drive.

- - -----------------------------------------------------------------------------
1992 STAC ELECTRONICS

It is possible that some details are different for your version. See the documentation and good luck.
A personal opinion: Don't use any disk compressor. (It is _my_ opinion. Stacker/SuperStor/etc. fans, please, I don't want to initiate a flame war.)

Regards,

- -mb

M.B. Perez Pinilla            | mtppepim@lg.ehu.es | Write 10^6 times:
Departamento de Matematicas   |                    | "I'll never waste bandwidth"
Universidad del Pais Vasco    | SPAIN              |

------------------------------

Date: Wed, 01 Sep 93 10:36:57 -0400
From: craa77@vaxa.strath.ac.uk
Subject: Exebug1 problems......... aaaggghhhh!! (PC)

Hi..

I have a 286 IBM that is infected with the Exebug1 virus. It seems to be active in the memory and McAfee scan/clean tells me to switch off the machine and boot from a floppy and run scan and clean from there. The problem is, however, when I do this the hard drive is no longer accessible (which makes it rather difficult to clean :-)

I have tried re-formatting, m-disk, Norton Disk Doctor, sacrificing a virgin under a full moon and a whole host of other black magic type things but nothing works.

Could someone (with a non black magic answer) please help... it is driving me mad.

thanks in advance.

.alan

------------------------------

Date: Thu, 02 Sep 93 08:39:48 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Butterfly (Crusades) (PC)

73044.2573@compuserve.com (William H. Lambdin) writes:

>1. This variant contains the text string "Hurray the Crusades!"
>2. This variant will infect .EXE files as well as .COM files.
>F-Prot 2.09 detects this virus as Butterfly in .COM files, but misses it in
>EXE files.

Uh...the virus does *not* infect .EXE files as far as I can see. There is a simple check for *.COM inside it. There is a third variant of this virus that infects .EXE files, but infected programs *never* work.

> Add this signature to F-Prot or others scanners that allow the

As the current version of F-PROT identifies (and disinfects) the virus, any concerned F-PROT users can just obtain the 2.09d version.
- -frisk

------------------------------

Date: Thu, 02 Sep 93 09:23:34 -0400
From:
Subject: Lambdin's Accuracy Tests (PC)

Bill Lambdin writes:

> Here is the August 1993 LAT.
>
> LAT 9308                       August 14, 1993
>
> +--------------------------+----------+---------+-----------+-----+
> | SCANNER                  | COMMON   | POLY-   | ZOO       |FLAGS|
> |                          |          | MORPHIC |           |     |
> |                          |          |         |           |     |
> |                          |36        |56       |1502  1454 |     |
> +--------------------------+----------+---------+-----------+-----+
> | F-Prot 2.09              |36  100%  |56  100% |1480 98.5% | S   |
> | TBAV 604                 |36  100%  |55 98.2% |1462 97.3% | GS  |
> | Scan 106                 |35  97.2% |52 92.9% |1376 91.6% | S   |
> |                          |          |         |           |     |
> | Integrity Master 2.01    |36  100%  |54 96.4% |1351 90.0% | GS  |
> | Dr Sol A-V toolkit 6.18  |34  94.4% |29 51.8% |1346 89.6% | C   |
> | VIRx 2.9                 |34  94.4% |34 60.1% |1300 86.6% | S   |
> |                          |          |         |           |     |
> | UT Scan 25.1 June 93 SIGS|29  80.1% |33 58.9% |1074 73.9% | CDG |
> | NAV 2.1 Aug 93 SIGS      |29  80.1% |24 42.9% |1014 67.5% | C   |
> | MSAV w/DOS 6.0           |28  77.7% |17 30.4% | 913 62.8% | D   |
> +--------------------------+----------+---------+-----------+-----+

I've noticed your "accuracy" tests for a long time and hoped that they would eventually improve without my having to comment on them, but I can't pass over this in silence any more.

The question is how such a comparison can be fair when you don't use the latest version of each scanner. For example, despite the date "June 93", the fact is that UT Scan 25.1 was released in *OCTOBER 1992*, while the most recent version is Ver. 30. (Even Patricia Hoffman updated UTScan to Ver. 28.02 in her VSUM comparison a month ago.) It's true you write:

> If your company produces anti-viral software, and would like for me
> to test it in LAT, contact me at either of the addresses below.

But is it fair to penalize a product in the eyes of the readers simply because no one at that company has read your invitation? Or if for some other reason no one has sent you a free copy of the latest version of the scanner or scan strings?
Does that really justify giving the readers misleading results?

Also, don't you think it'd be a good idea to explain the meaning of certain notations in your table without our having to guess? For example, is "ZOO" supposed to suggest a kind of "zoo" populated by viruses? (Or could it mean that the infected files are contained within a ZOO-type archive which the scanner is supposed to be able to unpack?) And you might explain precisely what "SIGS" means.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Thu, 02 Sep 93 10:44:42 -0400
From: Eric_N._Florack.cru-mc@xerox.com
Subject: Re: Butterfly (Crusades) (PC)

In V6#117, "William H. Lambdin" <73044.2573@compuserve.com> writes:

I wish to thank Brian O'Sullivan for uploading SPORT21C.ZIP to The Metaverse BBS this morning. Here are the contents of the archive.

Searching ZIP: SPORT21C.ZIP

 Length  Method   Size  Ratio   Date     Time   CRC-32    Attr  Name
 ------  ------   ----- -----   ----     ----   --------  ----  ----
   4853  Stored   4853    0%  07-11-93  14:01  70ff5aa6  --w-  DOCUMENT.CO_
   1037  Implode   933   11%  07-11-93  14:01  e7a47861  --w-  INSTALL.COM
  11407  Stored  11407    0%  07-11-93  14:01  0a9cd832  --w-  SPORT21C.EXE
   3153  Stored   3153    0%  07-11-93  14:01  ec985abb  --w-  SPORTS.CO_
 ------          -----  -----                                  -------
  20450          20346     1%                                        4

INSTALL.COM is infected with a new variant of Butterfly.

- -=-=-=

(Sorry for the re-formatting... can't be helped. However; note the compression ratios. 11%? The rest all zeros? Obviously, we're dealing with compressed files, inside the zip. On my BBS, the FREE FILE FARM (716-352-1629, 716-352-6544) I have a standing policy against such packages. I'm willing to bet that the packages that INSTALL is supposed to work with are also infected, once de-compressed. This may explain why F-PROT missed BUTTERFLY in these EXE files.....
/E

------------------------------

Date: Thu, 02 Sep 93 16:30:46 -0400
From: ksaj@pcscav.com (OS R & D)
Subject: Anti-virus package testing (PC)

Today I finished some heavy anti-virus package testing. For those interested, Thunderbyte found 1873 of the 2011 viruses in my test suite. This scan took a total of 1 minute and 7 seconds. On the other hand, McAfee SCAN found 1550 of them, and took 1 hour and 14 minutes to do it.

There were a few other packages tested, but I thought that this comparison was most interesting.

karsten johansson

BTW: this was only one out of several tests done between 6 "top" packages.

- ---
ksaj@pcscav.com (OS R & D)
PC Scavenger -- Computer Virus Research, Toronto CANADA (416)463-8384
Free services: send EMAIL to info@pcscav.com or virus.list@pcscav.com

------------------------------

Date: Fri, 03 Sep 93 03:04:39 +0000
From: mlara@news.weeg.uiowa.edu (Michael Lara)
Subject: Re: Any good anti-viral shareware out there (PC)

Myself, I'm partial to the F-Prot shareware program. It's free for individual users and reasonably priced for businesses/institutions. For one thing, you can use it in either menu-driven or command-line mode. I think the latest version available is F-PROT 2.09d...

Mike :)

------------------------------

Date: Fri, 03 Sep 93 09:52:16 -0400
From: as789@cleveland.freenet.edu (Francisco J. Diaz)
Subject: Vshield v107 (PC)

I was just trying to get Vshield to loadhi under an MSDOS 6.0/QEMM 7.01 combo, and while it worked fine before, now it refuses to loadhi. I guess there is some incompatibility between the 2 programs. There's a lot of upper memory available and I have tried many different combinations using Vshield's options and still have the problem. Can anyone help me out on this one?

Thanks!

- --
| Francisco J. Diaz Rivera  | Freenet: as789@cleveland.freenet.edu  |
| University of Puerto Rico | Internet: 841901723@cutb.upr.clu.edu  |
| Hey Waitress! There's a pubic hair in my soup!
                                                                   |
| "Don't give up, don't ever give up" - Jim Valvano                 |

------------------------------

Date: Fri, 03 Sep 93 12:47:13 -0400
From: gary@sci34hub.sci.com (Gary Heston)
Subject: Re: virusses in .ARJ & .ZIP (PC)

C.J.Leune@kub.nl (Kees Leune) writes:

>Can anyone help me out? I am the sysop of a BBS running WWIV software
>under MS-DOS 5.0 and we have lots of .ARJ and .ZIP software in our transfer
>areas. Last night I was running a virus checker over the software and
>since most of those programs have their default values set to only
>checking executables, these archives were not checked.

So, read the documentation for the software you're running and learn how to make it scan all files. I not only scan all files, I redirect the results to a report file, and then grep out the summary lines. This is sort of necessary on a NetWare server (seven of them, actually, about to be 10), since there are problems reading some NetWare files that aren't openable by a regular application.

- --
Gary Heston    SCI Systems, Inc.    gary@sci34hub.sci.com    site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
# It's a bad year for NASCAR. #7 Allan Kulwicki, #28 Davey Allison, RIP #
# Where was Dale Ernhart at 3:00PM CDT on July 12?                      #

------------------------------

Date: Fri, 03 Sep 93 18:34:00 +0000
From: fjw2@ns1.cc.lehigh.edu (FRANK JUDE WOJCIK)
Subject: NukePox disinfector? (PC)

Does anyone have/know of a disinfector for NPox (NukePox) 2.2? F-Prot 2.09d identifies the infected file as a new variant of NPox, and CLEAN corrupts the file when it tries to disinfect it. Any help/info would be appreciated...

Frank
fjw2@lehigh.edu

------------------------------

Date: Fri, 03 Sep 93 16:49:14 -0400
From: "Jimmy Kuo"
Subject: Detecting droppers (was: Form virus) (PC)

William H. Lambdin writes:

>the scanner authors should add the ability to detect droppers. Even though
>they themselves aren't viruses, they should be detected. Some have replied
>to me with " Why?
>the scanner will detect the virus after it is laid on the
>boot sector." The idea is to detect the dropper before infection takes
>place. It is always best to prevent a user from running a dropper than to
>have the user remove the virus later.

Bill, this logic is slightly flawed. The correct part of the statement is:

>It is always best to prevent a user from running a dropper than to
>have the user remove the virus later.

But this does not necessarily support your conclusion that scanners need to detect droppers. That is only one possible way of arriving at the desired result. Other ways involve mechanisms outside the realm of the scanner (like blocking the write). It is simply not feasible for a scanner to detect all forms of packaging a virus (dropper).

Also, it is not feasible to ask that the scanner do everything you ever need in the battle against viruses. If scanners could do everything, there wouldn't be any need for other antivirus components like TSRs and integrity checking. The idea is that each concept has a task to perform and you should not rely on just one.

Jimmy Kuo                          cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date: Sat, 04 Sep 93 23:16:30 -0400
From: gmillman@pilot.njin.net (Gregory Millman)
Subject: You never forget the first time (PC)

I think I've just had my first brush with a virus and I need some advice.

I'm a novice at telecommunications. Last night I went cruising and had a ball. I stopped in at a couple local bbs. I downloaded a couple files. I downloaded pkunzip.exe, and pkz204.zip, and showgif.exe, and tush.gif from a local bulletin board. I also downloaded a popular internet tutorial, meritcrz.exe, and meritcrz.zip, and even hyteln65.zip. Maybe I got a little carried away.

Today, when I tried to unzip hyteln65.zip, I got a message saying there was an error in the zip file. Same message when I tried to unzip meritcrz.zip.
When I tried to run meritcrz.exe using Windows, a message popped up in Windows advising me to load my anti-virus software first. I loaded it. It's the MSDOS 6.0 anti-virus software. It didn't spot anything. But the meritcrz.exe program wouldn't run.

Well, I'd downloaded some text files too, and I started to read one of those using my WordPerfect program. Suddenly, unbidden, my printer started printing hexadecimal numbers (at least that's what I think they are). It printed half a page before I shut it off. Then the WordPerfect screen went black at the top, like the DOS prompt, and gibberish figures filled it. Then the computer hung. I couldn't get it to do anything. I had to shut it off. Even Ctrl-Alt-Del wouldn't move it. I just cut the power.

I ran the MSDOS antivirus program again when I booted the system back up. It didn't actually detect a virus, but it flagged a file that had grown by 200-300 bytes. The file's name was PCPLUS.FON. I use Procomm Plus for telecommunication. I deleted the file from within the anti-virus program -- that is, the file was in the Procomm Plus directory but I deleted it without leaving anti-virus. Then I plugged my original Procomm Plus diskettes into my a: drive. I checked the directory. None of them list anything called a PCPLUS.FON file.

OK, those are the facts as I remember them. I hurriedly deleted every file I had downloaded yesterday, every one of them (except the text files which I understand are no threat).

Can anyone tell me what happened? Is this a virus? If so, why didn't my MSDOS anti-virus program pick it up? Is my system at risk? I'm a writer and I depend on this Compaq 486 machine for my work. No machine, no work.

I just discovered this newsgroup this evening, and I notice all this talk about Chinese Fish and Goddam Butterflies. It's like listening to somebody with delirium tremens. But maybe somebody out there can tell me what I need to do. Heck, I only cruised the bbs one time. And now ... what a headache.
Any information or advice will be appreciated. Thanks.

Best Regards,
Greg
gmillman@pilot.njin.net

PS: I'm always glad to receive e-mail responses. This situation may be too basic for extended public discussion before an audience of savants. Thanks again.

------------------------------

Date: Sun, 05 Sep 93 14:37:28 -0400
From: vfreak@aol.com
Subject: YB-1 (PC)

I received a 426 byte direct infector of .COM files. This virus infected every .COM bait file on my test computer from 2 bytes - 29696 bytes.

The virus appends to the end of the .COM file, and contains the following text.

! YB-1 & Handsome Dick Manitoba / K hntark *.COM ????????COM?

The virus is also infectious in the second generation.

This virus isn't reportedly in the wild, so there shouldn't be any reason to distribute a signature for it. I am temporarily naming this specimen "YB-1" from the text enclosed above.

F-Prot 2.09 is unable to detect this virus with either the Secure scan mode or the heuristics scan mode.

I will be sending a copy of this virus to the following people.

David M. Chess of IBM Anti-virus
Fridrik Skulason, Author of F-Prot
Wolfgang Stiller, Author of Integrity Master

Bill Lambdin

------------------------------

Date: Sun, 05 Sep 93 18:14:34 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: DiskSecure II (PC)

Announcing DiskSecure II (for real)
(C) 1993 by Padgett

Today (Sunday 5 September, 1993) I have uploaded to URVAX.URICH.EDU the complete DiskSecure II v2.31, the first public release.

This is the first major upgrade to the DiskSecure programs since DiskSecure was first released in 1990 (and is still effective for many users), since this was the first time I have been able to put something together that I consider to be a real upgrade, with some features that I did not think possible a few years ago.

First some philosophy is necessary: For years I have believed that the only *real* protection for a PC is in hardware. This is still true.
Today, however, modern BIOSes have added the one critical feature that I saw first in a Zenith 248 (286), the ability for the user to select the boot disk. IMHO, this is *all* that hardware must do; everything else can be handled in software. (For those machines that do not, my FreeWare SumFBoot and NoFBoot programs - now use only 256 bytes as TSR - can protect against accidental "three finger salutes").

True, for really sensitive installations requiring DOD-class security, a strong full disk encryption with off-line key storage is the only real answer and such products are available including those with smart cards, PINs, and self-destruct features. Most are very good but expensive and one must ask if a PC is the right platform for such work in the first place.

DiskSecure is not designed for a rigorous defense against a physical attack by a real expert. Instead its first and foremost aim is to provide Integrity and Availability in a personal and corporate environment in a time of "rightsizing". Password boot protection has been included for those who feel they need it but Confidentiality was not a prime concern. Physical security is the best answer to this.

Two years ago we felt that only experts could deal with viruses and the standard approach on exception detection was to shut the PC down and call in a specially-trained technician. Today, few can afford specially trained technicians at every site. To answer this, DiskSecure II is specially trained to deal with most MBR and BSI infectors such as STONED, MICHELANGELO, JOSHI, MUSICBUG, AND FORM automatically; all the user must do is grant permission for repair. Of course if booting from the DiskSecure protected partition is selectable, the PC will not become infected in the first place.

True, some machines do not have boot selection and some low level viruses are unable to deal with the DiskSecure partition (e.g. AZUSA) leaving corruption in their wake. Sh*t happens.
In this case just booting from a known clean floppy and running DiskSec2.exe *whether or not the C: drive is accessible* will accomplish recovery. Unlike commercial scanners with recovery, DiskSecure assumes nothing and does not rely on knowing *what* has caused the corruption. Further, in each case, redundant mechanisms are available - one size does not fit all.

In the past, such BIOS level protection was expensive. Nothing used less memory than the original DISKSECURE at 1k but even this came from the top of memory (typically just before the 640k boundary) making impossible the use of DOS extenders such as QEMM (I like Quarterdeck products - plug) VIDRAM. Further, this location was vulnerable to attack - the Monkey viruses were written specifically to exploit this - DiskSecure II can move itself into low memory where it uses only 304 bytes. Exactly where is not determinable prior to DOS load and DS II has some "extra added attractions" to make subversion a bit more difficult.

Another void DS II fills is protection of Novell servers from the boot level. Past products including the original Disksecure could be loaded onto a server but Netware would not be bootable. As a consequence many servers today are vulnerable to infection. DISKSECURE II is compatible with Netware 3.11 and I would expect it to be compatible with other versions (only have 3.11 running at home). Possibly even UNIX & OS/2 but not tested. It will block "dual boot" when it resides in the MBR or OSBR. OSs using a special "boot floppy" should work just fine 8*).

To see all of the other features, just download the programs and try them but PLEASE read the documentation.

Caveat: DiskSecure is not protection against all malicious software, only those that affect the MBR and DBR on boot. The figures I have seen this year indicate that these have become by far the most common problem, file infectors seem to have nearly disappeared.
Further DS II is designed to be compatible with OS-specific protection such as F-PROT, Dr. Panda, Dr. Solomon, MSAV, CPAV, NAV, and McAfee products though it is suggested that low level checking be turned off since IMHO DiskSecure & DS2CHK are better at this.

Final note, this is a hobby and not a business or corporation (just ask the IRS) and must be done in my spare time. Custom versions are possible (logos, incorporation in other software) but my house still needs painting and the weather is cooling off so I can start working outside again.

Warmly (and exhausted 8*)

Padgett

------------------------------

Date: Sun, 05 Sep 93 20:35:17 -0400
>From: HAYES@urvax.urich.edu
Subject: announcing DISKSECURE II (PC)

Hello folks.

Announcing the availability starting Monday 09/06/1993 of the new version of A. Padgett Peterson's "DISKSECURE", now DISKSECURE II. As usual, it will be in our [anonymous.msdos.antivirus] directory (see below) as DS231.ZIP. A companion file, DS231.DOC (an ASCII file), sent also by Padgett, gives some additional information about the program -- but please DO read the .DOC files also included in the distribution archive.

===========
Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files.
===========

Best, Claude.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

Date: Fri, 03 Sep 93 17:26:44 -0400
>From: "Rob Slade"
Subject: Polymorphism and self-encryption (CVP)

DEFGEN9.CVP   930819

                  Polymorphism and self encryption

Scanning software is, for all of its limitations, still the most widely used of antiviral software.
The idea is to find a "signature string" for the virus: a piece of code that appears in the virus and in no other program, thus giving a unique identification. There is an art to the choice of a signature string, as with anything else. You want a piece of code more than you want text, which is easy to change. You want a piece of code integral to the operation of the virus. You want a string which may identify new "mutations" of this virus, as well as the current infection. However, once you have a suitable signature, you can identify the virus.

Unless the virus changes.

This is the idea behind polymorphism. There are a number of ways to change the "shape" of a virus. One way is to get a simple "random" number, such as the value of the "seconds" field of the system time when the infection occurs, and to perform a simple encryption on the value of each byte in the viral code. Only a short chunk is left at the beginning to decrypt the rest of the virus when the time comes to activate it. Encryption could be used in other ways: encrypting a regular but arbitrary number of bytes, or encrypting the code as a whole rather than on a bytewise basis.

A second means is the fact that, in programming, there are always at least half a dozen means to the same end, and that many programming functions are commutative; it doesn't matter in what order certain operations are performed. This means that very small chunks of code, pieces too small to be of use as signatures, can be rearranged in different orders each time the virus infects a new file. This, as you can imagine, requires a more "intelligent" program than a simple encryption routine.

A distinction tends to be made between the early, and limited, "self-encrypting" viral programs, and the later, more sophisticated, polymorphs. Earlier self-encrypting viri had limited numbers of "variants": even the enormous Whale virus had less than forty distinct forms. (Some of the earliest were the V2Px family written by Mark Washburn.
He stated that he wrote them to prove that scanners were unworkable, and wrote his own activity monitoring program. He is one of the very few people to have written, and released, a virus, and to have written antiviral software. His release of "live" code in the wild tends to deny him the status of an antivirus researcher. Lest some say this is arbitrary bias, please note that his thesis was rather ineffectual: all his variants are fairly easily detectable.) More recent polymorphs are more prolific: Tremor is calculated to have almost six billion forms.

copyright Robert M. Slade, 1993   DEFGEN9.CVP   930819

==============
Vancouver      ROBERTS@decus.ca         | "Do you get guns with your
Institute for  Robert_Slade@sfu.ca      |  gun magazines? No.
Research into  rslade@cue.bc.ca         |  Do you get viruses with your
User           p1@CyberStore.ca         |  virus magazines? Yes."
Security       Canada V7K 2G6           |          - Kevin Marcus

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 119]
******************************************
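The byte-wise self-encryption that Rob Slade's column above describes, and why its early forms stayed easy to detect, as an added example in Python. This is not code from the digest or from any of its contributors: the "stub" and "body" are constructed ASCII byte strings standing in for the unencrypted decryptor chunk and the encrypted remainder, the layout (stub, then a stored key byte, then the encrypted body) and the helper names are assumptions, and the point shown is the scanner's side: a signature taken from the body matches only the form whose key happens to be zero, while a signature taken from the invariant stub, or a decrypt-then-scan pass, matches every one of the at most 256 forms a one-byte key can produce.

```python
# Added example (not from the VIRUS-L column): a scanner-side model of
# byte-wise self-encryption. Every byte string here is constructed; the
# "stub" and "body" are plain ASCII placeholders, not real code.

from typing import List

# Constructed stand-in for the code a scanner would take its signature
# from (what the column calls code "integral to the operation").
BODY = b"MOV AH,4E;INT 21;JMP NEXT;CALL INFECT;RET"

# Constructed stand-in for the short chunk "left at the beginning" that
# is never encrypted and is identical in every form.
STUB = b"DECRYPT-LOOP:XOR BYTE,KEY"


def encrypt_body(body: bytes, key: int) -> bytes:
    """'A simple encryption on the value of each byte': XOR with a
    one-byte key (the column's example key is the seconds field of the
    system time). XOR is its own inverse, so this also decrypts."""
    return bytes(b ^ key for b in body)


def make_form(key: int) -> bytes:
    """One form of the sample, under the assumed layout
    stub | key byte | encrypted body."""
    return STUB + bytes([key]) + encrypt_body(BODY, key)


def all_forms() -> List[bytes]:
    """Every distinct form a one-byte key can yield: at most 256, which
    is the 'limited number of variants' the column attributes to early
    self-encrypting programs. Key 0 leaves the body in the clear."""
    return [make_form(k) for k in range(256)]


def scan(sample: bytes, signature: bytes) -> bool:
    """Plain substring signature scanner."""
    return signature in sample


def detection_rate(forms: List[bytes], signature: bytes) -> float:
    """Fraction of forms a fixed signature string matches."""
    hits = sum(1 for f in forms if scan(f, signature))
    return hits / len(forms)


def recover_body(form: bytes) -> bytes:
    """What the stub itself (or a scanner emulating it) does before the
    body runs: read the stored key byte and undo the XOR."""
    key = form[len(STUB)]
    return encrypt_body(form[len(STUB) + 1:], key)


def decrypt_then_scan_rate(forms: List[bytes], signature: bytes) -> float:
    """Detection rate when the scanner strips the encryption first."""
    hits = sum(1 for f in forms if scan(recover_body(f), signature))
    return hits / len(forms)


if __name__ == "__main__":
    forms = all_forms()
    body_sig = b"CALL INFECT"     # chosen from the part that gets encrypted
    stub_sig = b"XOR BYTE,KEY"    # chosen from the invariant decryptor chunk
    print(f"distinct forms from a one-byte key: {len(set(forms))}")
    print(f"body signature     : {detection_rate(forms, body_sig):.2%} of forms")
    print(f"stub signature     : {detection_rate(forms, stub_sig):.2%} of forms")
    print(f"decrypt, then scan : {decrypt_then_scan_rate(forms, body_sig):.2%} of forms")
```

The takeaway for signature selection is the one the column hints at: against a self-encryptor with a constant decryptor, the signature must come from the stub rather than the body, and a scanner that can undo the encryption (or emulate the stub) sees the original body again. The later polymorphs the column mentions remove this handhold by also rewriting the stub itself, which is why they need a smarter scanner than substring matching.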