From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #8
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Wednesday, 15 Jan 1992    Volume 5 : Issue 8

Today's Topics:

Re: VIRUS at AT286 in SCAN85 (PC)
Re: Odd Problem with F-PROT 2.01 (PC)
Re: Does this behaviour sound like a virus (PC)
Re: Antitelifonica (A-VIR) (PC)
Re: Question re Stoned (PC)
Form virus infected Dos 5.0 diskettes (PC)
Re: Antitelifonica (A-VIR) (PC)
Re: NCSA has tested Antivirus Programs (PC)
Re: Gulf War "virus"
Re: Viruses against Iraq??????
LANs & Viruses
RE: NCSA Has Tested Anti-Virus Programs
Re: Military Viruses
Re: UNIX viruses, request for information (UNIX)
VIRX19.ZIP - VIRX v1.9: Easy to use free virus checker (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 15 Jan 92 06:16:32 +0000
From: mcafee@netcom.netcom.com (McAfee Associates)
Subject: Re: VIRUS at AT286 in SCAN85 (PC)

DVORACEK@CSEARN.BITNET (Jarda Dvoracek) writes:
>
>         !!!  AT 286 USERS  !!!
>         !!! WARNING !!! WARNING !!! WARNING !!!
>         !!! SCANV85 INFECTED, CLEAR85 MAYBE TOO !!!

Hello Jarda,

>
>In Czechoslovakia, I got some new virus with the SCANV85.ZIP from some
>BBS. It makes all .COM, .EXE and .ASM files 10 bytes longer, the first

When SCAN is run with the /AV option, it will create a validation code
that is used to compare the file against so that it can be checked for
unknown viruses.  This process adds ten (10) bytes to the end of .COM
and .EXE files.

[some of message deleted]

>During 3 days it has infected all files but COMMAND.COM, some of them
>worked normally, several terminated just after calling them.

[rest of message deleted]

SCAN does not add ten bytes to COMMAND.COM or the system files.
Instead, it stores the validation data in a hidden file in the root
directory called SCANVAL.VAL.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- -- - - - -
McAfee Associates          | Voice (408) 988-3832 | mcafee@netcom.com (business)
4423 Cheeney Street        | FAX   (408) 970-9727 | "Welcome to the alligator
Santa Clara, California    | BBS   (408) 988-4004 |  farm..."
95054-0253 USA             | v.32  (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield   | HST   (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date: Wed, 15 Jan 92 10:48:19 +0000
From: Fridrik Skulason
Subject: Re: Odd Problem with F-PROT 2.01 (PC)

In Message 9 Jan 92 18:40:00 GMT, WALKER@aedc-vax.af.mil (William Walker
C60223 x457) writes:

>While testing F-PROT 2.01 against my suite of captive viri, I noticed a
>curious behavior.  When F-PROT prompted to "Press ENTER to scan next
>diskette," I swapped diskettes, pressed ENTER, and F-PROT began scanning
>the diskette, but the files it reported scanning were those on the
>previous diskette.

This problem has been fixed in version 2.02.  The problem only appears
on certain types of 360K drives - mostly old ones - which do not have a
disk change status line - 1.2M drives and 3.5" drives did not cause the
problem, which is why it never surfaced in testing.
Version 2.02 also corrects a few other problems:

   "Secure Scan" used to report a "possible new variant of Yaunch" when
   scanning certain files, including some OS/2 executables - fixed.

   "Analyse Program" would occasionally crash with a "Divide error"
   message - fixed.

   Version 2.01 had some problems when scanning Bernoulli boxes, and when
   run from the OS/2 DOS box - fixed.

The major changes in 2.02 are not bug fixes of course, but a
considerable speed improvement and some other nice features.  It is
finished - I am just making some changes to the virus names, to bring
them in line with the recent "standard" naming scheme.  Expect to see an
announcement that 2.02 is available in a couple of days or so.

- -frisk (author of F-PROT)

------------------------------

Date: Mon, 13 Jan 92 16:54:00 +0000
From: Anthony Naggs
Subject: Re: Does this behaviour sound like a virus (PC)

In issue 1 Mark Saake reports:
>The other day I inserted a floppy into the A: drive on my pc and tried
>to do a dir.  I got the message back stating "Sector not found" and it
>was unable to read the disk.
>...
>I tried booting off a floppy instead of the hard drive and was able
>to read other floppies fine, with and without write protect tabs.
>However, after some experimenting, I discovered that if I booted off
>the hard drive I could read floppies as long as they had the write
>protect tab on but the second I took the tab off the disks became
>trashed.  Note that when booting off an original system floppy this
>behavior was not exhibited.  Everything worked fine.

Yes Mark you definitely have a 'boot sector' virus, probably a variant
of New Zealand (also known as Stoned or Marijuana).

So what is happening?  Well, the first sector on each DOS diskette is
the boot sector, this carries a short 'boot strap' program and some
information about the disk format.

To infect a diskette the virus copies the original boot sector to
somewhere safe (towards the end of the root directory for the New
Zealand virus), and places a copy of itself in the first sector.  The
purpose of the bootstrap program is to examine the disk and decide
whether it is suitable to boot from, by ensuring the DOS system files
are present, and giving a warning message if they are missing.

The effect you see is due to a major fault in the New Zealand virus, and
most of its subsequent variants: it does not understand that there are
different diskette sizes.  It therefore doesn't include the disk size
information in the new boot sector.  Without the disk size information
DOS does not correctly recognise some sizes of disk, eg it assumes 1.2M
diskettes are 360k and reads the root directory from the wrong part of
the disk.

The New Zealand virus spreads if you boot your PC from an infected
diskette, even if the diskette does not have the system files.  This is
because the virus is loaded by the BIOS ROM, the virus looks for a hard
disk and infects that, and then it loads the original bootstrap program.

To confirm this run CHKDSK, for 640k of standard memory it should
normally report "655360 bytes total memory", with New Zealand virus in
memory this will be reduced to 653312.

The solution: either acquire some anti-virus software locally, or send
me your postal address & you can have a program of mine which will
disinfect your hard disk & should be able to recover all your floppy
disks.  To ensure that my program works with the virus version that you
have you can post a copy of an infected diskette to me:

   P.O. Box 1080,
   PEACEHAVEN
   East Sussex  BN10 8BT
   GREAT BRITAIN

Good luck with your clean up,
Anthony Naggs
~~~~~~~~~~~~~
PS  "Review: A Pathology of Computer Viruses"
Interested to see Gene Spafford's review especially as I am still
awaiting my review copy.  Ho hum.
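[Editor's added example - this Python is not part of the digest and was not written by any of the posters.]  It illustrates what Anthony Naggs describes above (the boot sector carrying a bootstrap program plus the disk-format information, a BPB-less sector making DOS read a 1.2M diskette's root directory from the 360K position, and the CHKDSK 655360/653312 memory check) and what Vesselin Bontchev's FDISK /MBR remark further down relies on (the partition table sits at offset 446 and survives a rewrite of the boot program in bytes 0..445).  The sample boot sector and MBR are constructed here, not images of any real virus; the BPB and partition-entry layouts and the 360K/1.2M geometry numbers are standard DOS facts rather than taken from the messages; the `fallback="360K"` parameter models the misreading Naggs describes and is an assumption of the example, not a statement about any particular DOS version.

```python
import struct

SECTOR = 512
SIG_OFFSET = 510
BPB_OFFSET = 11
# BPB at offset 11: bytes/sector, sectors/cluster, reserved sectors, FATs,
# root entries, total sectors, media byte, sectors/FAT, sectors/track, heads
BPB_FMT = "<HBHBHHBHHH"          # 17 bytes, little-endian, no padding
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved", "fats",
              "root_entries", "total_sectors", "media", "sectors_per_fat",
              "sectors_per_track", "heads")

# Standard DOS diskette geometries (well-known values, not from the digest).
GEOMETRY = {
    "360K": dict(bytes_per_sector=512, sectors_per_cluster=2, reserved=1,
                 fats=2, root_entries=112, total_sectors=720, media=0xFD,
                 sectors_per_fat=2, sectors_per_track=9, heads=2),
    "1.2M": dict(bytes_per_sector=512, sectors_per_cluster=1, reserved=1,
                 fats=2, root_entries=224, total_sectors=2400, media=0xF9,
                 sectors_per_fat=7, sectors_per_track=15, heads=2),
}


def build_boot_sector(bpb=None):
    """Constructed sample boot sector: jump, OEM name, optional BPB, 0x55AA.
    bpb=None models a sector that carries code but no format information."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x3C\x90"        # JMP SHORT over the BPB, NOP
    sec[3:11] = b"EXAMPLE "           # OEM name
    if bpb is not None:
        sec[BPB_OFFSET:BPB_OFFSET + 17] = struct.pack(
            BPB_FMT, *(bpb[f] for f in BPB_FIELDS))
    sec[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(sec)


def parse_bpb(sector):
    """Return the BPB as a dict, or None if the sector has no usable one."""
    if len(sector) != SECTOR or sector[SIG_OFFSET:] != b"\x55\xAA":
        return None
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, sector, BPB_OFFSET)))
    # DOS media descriptors are 0xF0..0xFF; zeroed fields mean "no BPB".
    if bpb["bytes_per_sector"] == 0 or bpb["media"] < 0xF0:
        return None
    return bpb


def root_dir_sector(bpb):
    """First root-directory sector: after the reserved sectors and the FATs."""
    return bpb["reserved"] + bpb["fats"] * bpb["sectors_per_fat"]


def where_dos_looks(sector, fallback="360K"):
    """Sector DOS reads the root directory from: per the BPB when there is
    one, otherwise per the assumed fallback geometry (example assumption)."""
    bpb = parse_bpb(sector) or GEOMETRY[fallback]
    return root_dir_sector(bpb)


def chkdsk_shortfall(total_bytes, expected=655360):
    """Bytes missing from CHKDSK's 'total memory' figure on a 640K machine."""
    return expected - total_bytes


def build_mbr(code, entries):
    """Constructed sample MBR: boot code plus (active, type, lba, size) entries."""
    mbr = bytearray(SECTOR)
    mbr[0:len(code)] = code
    for i, (active, ptype, lba, size) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off] = 0x80 if active else 0x00
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, lba, size)
    mbr[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(mbr)


def partition_table(mbr):
    """The four 16-byte entries at offset 446 as (active, type, lba, size)."""
    out = []
    for i in range(4):
        e = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        lba, size = struct.unpack_from("<II", e, 8)
        out.append((e[0] == 0x80, e[4], lba, size))
    return out


def rewrite_mbr_code(mbr, clean_code):
    """Replace bytes 0..445 (the boot program) and keep 446..511 (partition
    table and signature) untouched, as the FDISK /MBR reply describes."""
    if len(mbr) != SECTOR or len(clean_code) > 446:
        raise ValueError("bad MBR or boot code too large")
    return clean_code.ljust(446, b"\x00") + mbr[446:]


if __name__ == "__main__":
    print("1.2M root dir sector:", where_dos_looks(build_boot_sector(GEOMETRY["1.2M"])))
    print("no-BPB sector, DOS looks at:", where_dos_looks(build_boot_sector()))
    print("CHKDSK 653312 means", chkdsk_shortfall(653312), "bytes hidden")
    mbr = build_mbr(b"\xFA\x33\xC0", [(True, 0x06, 63, 40000)])
    print("table kept:", partition_table(rewrite_mbr_code(mbr, b"\x90" * 8)) == partition_table(mbr))
```

Run it on a real sector image (512 bytes read from drive A: or the first sector of a disk) and `parse_bpb` returning None on a diskette that DOS cannot read is the symptom Naggs describes; the `rewrite_mbr_code` half shows why a clean boot program can be written back without any knowledge of the partition layout.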
------------------------------

Date: 14 Jan 92 09:51:01 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Antitelifonica (A-VIR) (PC)

ahubbell@orlith.bates.edu (Arlyn Hubbell) writes:

> Antitelifonica.  According to McAfee's SCAN85 documentation it can
> only be cleaned using a program called M-DISK.  Has anyone out there
  ^^^^

Well, "only" is a bit hard... :-)  M-DISK is certainly not the only
anti-virus program in the world, which can help you get rid of this
virus.  In fact, if you have a DOS 5.0 system disk, you don't need any
anti-virus program at all in order to remove the virus from the hard
disk.  Just run FDISK with the /MBR option.  It will rewrite the master
boot sector program without touching your partition table information.
The bad news is that the virus might have already destroyed some
information on some kinds of hard disks, but the same happens with
Stoned...

You can remove the virus from diskettes (if their root directory
information has not been destroyed) by copying all the files to another
diskette and reformatting the infected one.

In order to remove the infection from the files (this is a multi-partite
virus), you need some kind of virus scanner, which will tell you which
files are infected, so you can delete them and replace them from clean
backups.  Of course, all this must be done while the virus is not active
in memory (i.e., after booting from a write-protected non-infected
system diskette), since the virus is a stealth one.

If you really want to disinfect the infected files (instead of removing
them), which I strongly discourage, you might consider getting a good
disinfector.  Dr. Solomon's Anti-Virus ToolKit is one, but even McAfee's
CLEAN 85 is able to disinfect this virus from the files (and it is less
expensive than the AVTK).  Fridrik Skulason's F-Prot 2.01 is also a good
choice (read: it detects the virus perfectly, but I haven't found time
yet to test its disinfection capabilities on this virus.  You can
contact Fridrik Skulason at frisk@complex.is for more information.) and
it is -very- cheap.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 14 Jan 92 10:56:00 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Question re Stoned (PC)

martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) writes:

> For stoned to infect a hard disk, the computer must be booted from an
> infected diskette.  It may be that in its current setup no student ever

The wording of the above sentence is not very exact, which often leads
to misunderstandings.  (Tim, I know that you know what you're talking
about, you just didn't express it in the most exact way.)  The wording
should be:

"For Stoned to infect a hard disk, there must be an ATTEMPT to boot from
an infected diskette."

Note that this does not imply that the attempt is successful.  According
to my own experience, most users get re-infected by Stoned not by
actually booting from an infected bootable diskette, but by forgetting
an infected data diskette (i.e., with no DOS or even any executable
files on it) in the A: drive when they are turning their computer on.
The trick is that when you see the "Press any key" message, the hard
disk is -already- infected.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: Tue, 14 Jan 92 11:05:49 +0000
From: root@itnsg1.cineca.it (Valter Cavecchia)
Subject: Form virus infected Dos 5.0 diskettes (PC)

Some time ago we were infected by the Form (boot sector) virus.
Nothing serious happened, but among the computers infected a few of
them were running Dos 5.0.  We tried to remove the virus using M-DISK
but found that Dos 5.0 is not yet supported.  Is there a new version of
M-DISK available?  Is there any other way to clean up the diskettes
(without formatting :-)) ?

Thanks a lot for any help

Valter
---------------------------------------------------------------------------
| Valter V. Cavecchia          | Bitnet:   cavecchi@itncisca            |
| Centro di Fisica del C.N.R.  | Internet: valter@itnsg1.cineca.it      |
---------------------------------------------------------------------------

------------------------------

Date: Tue, 14 Jan 92 13:43:12 +0000
From: Fridrik Skulason
Subject: Re: Antitelifonica (A-VIR) (PC)

>We here at Bates College have just come across our first occurrence of
>Antitelifonica.

This virus is also known under the following names:

   Kampana (boot)
   Telefonica
   Spanish Telecom (boot)
   Telecom (boot)

It is a very rapidly spreading boot sector virus, which can be quite
harmful as it may reformat the disk on the 400th boot.

This virus is sometimes "dropped" by a different virus - a program
virus, which exists in several versions.  You probably have only the
boot virus.

> According to McAfee's SCAN85 documentation it can
>only be cleaned using a program called M-DISK.

"only" is not correct - I think most other anti-virus programs, at least
my own - can disinfect it as well.

- -frisk

------------------------------

Date: Tue, 14 Jan 92 13:57:00 +0000
From: Fridrik Skulason
Subject: Re: NCSA has tested Antivirus Programs (PC)

In Message 8 Jan 92 16:26:35 GMT, RZOTTO@DKNKURZ1.BITNET (Otto.Stolz)
writes:

>  F-Prot V. 2.0     | F. Skulason     | 129

Well, I'm not complaining...I was quite happy with the results, and
getting the top score has only helped me... :-)

Actually, the main reasons why I did not get a perfect score (140
points) were:

   Speed - Version 2.0 was quite slow compared to some of the other
   scanners - a problem which has been fixed in 2.02.

   Handling of "self-infections" - I did not agree with this part of the
   review, but the question was what the scanner program should do if
   it determined that it had been infected with a virus.  Obviously 0
   points were awarded if the scanner did not detect the infection, but
   my opinion was that the program should simply abort and announce that
   it had been infected, telling the user to reboot from a "clean" disk,
   and run an original copy of the program.  They wanted the program to
   be able to disinfect itself in memory, disable the virus, if it was
   active in memory, and continue as if nothing had happened...something
   which I consider too dangerous.

>england) ranking among the best ones.  Most apparently, high-quality
>European products in this domain will be recognized internationally.

Actually - quite a few of the "American" anti-virus programs aren't
actually American at all...quite a few of them are just repackaged
programs from elsewhere...Israel for example.

- -frisk

------------------------------

Date: 15 Jan 92 11:30:05 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Gulf War "virus"

fstuart@eng.auburn.edu (Frank Stuart) writes:

> CNN is reporting that a computer "virus" was used during the Gulf War.
> Reportedly, the virus was used to blank the screens of Iraq's air
> defense computers.  The alleged virus was supposed to have been hidden
> in a printer chip that was smuggled in from Jordan.  I (and many
> others, I'm sure) would be very interested if anyone has further
> information.

This is old news; I heard about that when I was in Bulgaria, maybe in
May.  I'm afraid that it is based on an April 1st joke, published by a
computer magazine (was it Computerworld?)...  It is, essentially,
nonsense, of course.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 15 Jan 92 14:44:04 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses against Iraq??????

stus5239@mary.cs.fredonia.edu (Kevin Stussman) writes:

> Virus on a chip??  How and when did it go off?  What type virus?
> (it probably wasn't a real virus (not self replicating) but nasty
> screen killing code on a chip)  So now hacking is legal, but only
> during wartime against an enemy.  (goes with killing)

Nonsense, complete nonsense.  If it is in the printer, it cannot force
you to execute it.  It cannot copy itself to the computer.  It cannot
exist.  Period.  The whole story is a rumor, just as the "modem virus",
an excellent article about which was posted by Rob Slade just in time.
And the rumor in this case is based on an April 1st joke, made by a
computer magazine.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: Mon, 13 Jan 92 16:33:16 -0500
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: LANs & Viruses

It is my conviction that part of effective LAN protection from Viruses
and other malicious software must center around the ability of the
server to be able to authenticate clients prior to permitting access.
This requires the ability for the server to force the client to run
certain applications during the login process.  While most
client-server networks provide for such login "scripts", I do not know
of any peer-peer networks that do.

I would appreciate hearing from users who know of any peer-peer networks
that can force such action on the requestor by the requestee (or
alternately, any client-server systems that cannot).  Please reply to
me directly.
Warmly (73 today),
                  Padgett

padgett%tccslr.dnet@mmc.com

------------------------------

Date: Mon, 13 Jan 92 19:53:00 -0500
From:
Subject: RE: NCSA Has Tested Anti-Virus Programs

The information you presented was correct, though outdated.  Those
results were from the previous virus scanner evaluation report, and were
printed last year in Network World, as you said.  Just this week, the
latest update to that scanner evaluation was released, and is available
from the NCSA at 717-258-1816.  The results may surprise you.....

Hope this helps, happy virus-busting....

Charles
**************************************************************************
Rutstein@HWS.BITNET (Charles Rutstein)
***************************************************************************

------------------------------

Date: 14 Jan 92 10:12:06 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Military Viruses

U953001@RUTADMIN.BITNET (Nick Di Giovanni) writes:

> The Review reported that Software and Electrical Engineering (SEE) was
> one of two organizations preparing reports for the Army Center for
> Signal Warfare on the deliberate use of computer viruses and worms to

Probably SPARTA, INC. is the other one.

> incapacitate computer networks.  The center identified the desired
> effects of such a use as including data disruption, denial of use, and
> affecting the operation of processors and the management of data

Yeah, yeah, but this is mainly wishful thinking - they dream to have
viruses which are able to do this...  Currently no such things are
available, of course.

> storage.  SEE's contract was reportedly for $50,000; however, it stood
> to make as much as $500,000, according to this account, if it received
> a contract for the follow-up phase of the project, which involves
> devising particular viruses, demonstrating them, and devising possible
> defenses against their use.

This is not quite exact, and it involves not only SEE.
In fact, the DoD's SBIR (Small Business Innovation Research) program
consists of three phases.  During the first one (Concept Feasibility),
contracts are awarded for a study of feasibility of the projects in the
Army's areas of interest.  The awards are for $50,000 over a six-month
period.  They say that the available funds will permit support of
approximately 20 % of the proposals received.

Firms that successfully complete the Phase I study are eligible to
submit Phase II (Research and Development) proposals in that area of
study.  The Phase II awards fund research, development, and prototype
production.  The awards cover a period of two years, and average
$450,000.  They expect that the funds will permit about 40 % of those
who have completed Phase I to progress to Phase II.

Success in Phase II is expected to lead to Phase III (Production and
Commercialization).  The SBIR contractors normally obtain funding for
this phase of their product or service from the private sector.  The
Government, through its agencies, also provides financial support for
contractors whose products will be used by the U.S. Government.  By law,
no SBIR funds are extended for this phase.

Sigh...  After all that, there will again be people who will claim that
I'm a KGB agent...  :-)

Just FYI, I read all this in an article, published in the proceedings of
a Virus & Security conference.  The document bears, indeed, seals from
the Department of Defense, the Department of the Army, the Department of
the Navy, the Department of the Air Force, DARPA, the Defense Nuclear
Agency, and the Strategic Defense Initiative Organization, but it also
has an inscription, which says that "Nothing on this page is classified
or proprietary information/data"...

Hope that this clears any misunderstandings...  :-)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: Tue, 14 Jan 92 10:31:50 -0500
From: m19940@mwvm.mitre.org (Emily H. Lonsford)
Subject: Re: UNIX viruses, request for information (UNIX)

You might want to read the article by Tom Duff called "Experience with
Viruses on UNIX systems" in the 1989 V2#2 issue of Computing Systems,
pp. 155-171.

**************************
* EMILY H. LONSFORD
* MITRE - HOUSTON H123  (713) 333-0922
* EHL@MITRE.ORG
**************************

------

Downloaded From P-80 International Information Systems 304-744-2253