From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #11 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Wednesday, 22 Jan 1992 Volume 5 : Issue 11 Today's Topics: Re: Looking for info on "Friday the 13th" virus (PC) Keypress and Keypress II (PC) Re: Making DIR of a contaminated floppy (PC) Re: NCSA has tested Antivirus Programs (PC) Novell viruses (PC) Re: 1575/1591 Virus (PC) WDEF (mac) PC Virus Checker for Unix (PC) (UNIX) Re: New Antivirus Organization Announced Re: New to the forum - question Re: New Antivirus Organization Announced Sigs Polymorphic viruses new program from Padgett Peterson available (PC) Iraqi Computer Virus story Defended ! Mail Problem (McAfee) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Fri, 17 Jan 92 06:13:36 +0000 From: forbes@cbnewsf.cb.att.com (scott.forbes) Subject: Re: Looking for info on "Friday the 13th" virus (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >Yes, but the original poster said that his disk was formatted on >13-Dec-1991. This excludes the Jerusalems and the South Africans, and >also Datacrime. If I remember correctly, Monxla, Leningrad, and Omega >do not format the disk... Or am I wrong? Does any of it at least >overwrite it? Maybe this has been misinterpretted as formatting... And >I can't remember what Relzfu does when it activates... :-( My apologies for ambiguity in the original post. I wrote, "The hard drive received a low-level format," by which I meant that, as a method of curing and removing the virus, all recoverable files were removed, the hard drive was formatted, and the files were restored from master disks. As to damage caused by the virus, I'm afraid I can't be certain: An eager but very misguided person got to the computer before I did, and attempted to make repairs by copying several files *onto* the damaged drive... The only things I know for certain are that the disk was made unbootable, and that later attempts to repair the drive (using Norton Utilities) showed a damaged File Allocation Table. Hope this helps. Any/all info would be appreciated. - -- Scott Forbes ------------------------------ Date: Fri, 17 Jan 92 03:35:31 -0500 From: Subject: Keypress and Keypress II (PC) Hi everyone. Does anyone have a product thet can clean an infected program from Keypress, Keypress II and Tirku ??? /Colin St Rose Internet: CSRCC@CUNYVM.CUNY.EDU Bitnet: CSRCC@CUNYVM Compuserve: 75730.2121@COMPUSERVE.COM ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------ Date: 17 Jan 92 10:29:12 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Making DIR of a contaminated floppy (PC) UBAESQ01@EBCESCA1.BITNET (Josep Fortiana Gregori) writes: > 1. Boot from a clean write-protected floppy > 2. SCAN C:\ /m /chkhi > >> No viruses found > 3. SCAN B:\ > >> Found Anti-Tel Virus A-Vir! in boot sector > 4. DIR B: > 5. SCAN C:\ /m /chkhi > >> Found Anti-Tel Virus A-Vir! > active in memory > My conjecture is that the boot sector is read in one of the > DOS buffers, so that the virus is present in memory as data, > not code (so it is not active). > Is that correct? Yes, your conjecture is correct. It's not a virus, it's a ghost false positive in memory. Possible fixes are: 1) Run CHKDSK (on a non-infected disk) each time after SCAN detects a virus or you copy an infected file/diskette. CHKDSK will flush the DOS buffers, and the stupid ghost will disappear. 2) After 2., always run SCAN with the /nomem switch. After all, you have already checked your memory (including the upper memory, which is completely useless, since no known virus is using it and SCAN can detect only known viruses), so you -know- that the memory is not infected. 3) Pester McAfee Associates to write a better memory detection routine. It can be done (there are several scanners like HTScan, TbScan, F-Prot, which already do it) in such a way, that these stupid ghost false positives do not occur. I am doing this since quite a long time, let's hope that if more users do it, SCAN's memory checking will be finally improved. Hope the above helps. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 17 Jan 92 10:41:15 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: NCSA has tested Antivirus Programs (PC) frisk@complex.is (Fridrik Skulason) writes: > They wanted to program to be able to disinfect itself in memory, > disable the virus, if it was active in memory, and continue as if > nothing had happened...something which I consider too dangerous. Even worse - I claim that the above is IMPOSSIBLE in all cases. There are currently several products, which claim to add a "self-disinfecting" envelope to other programs: I have only McAfee's FShield, but have heard about at least three more - The Untouchable, something from Central Point Software, and a product under development, which I discuss with someone from Bogota, Colombia (if I remember correctly, else - sorry) Neither of the products is able to do the above against all possible viruses, even if we limit the viruses to use only the currently known techniques. In fact, I'm almost certain, that even some of the currently existing viruses will be able to circumvent all of the products mentioned... It just cannot be done! > Actually - quite a few of the "American" anti-virus program are actually > American at all...quite a few of them are just repackaged programs from > elsewhere...Israel for example. Yeah, if you mean CPAV and the Untouchable... But, I have observed the same thing as the original poster - the European anti-virus programs, at least the scanners, seem to be supperior to the American ones, at least those we have here at the VTC. When compared with Dr. Solomon's Anti-Virus ToolKit and your product, only McAfee's scan was able to compete, and only if I compared the capabilities to detect whether an object (file or boot sector) is infected or not. Even VirX (the free version) didn't score that much... (More exactly, SCAN was somewhere between AVTK and F-Prot.) However, I tested only the detection capability, since this is the most important, IMHO, property. If one considers anything else - speed, user interface, flexibility, exactness of the reports, documentation, ability to remove viruses, ability to detect unknown variants of the known viruses, then even SCAN is left far behind... American anti-virus producers, where are you? The challenge is here to take... Just don't ferget that the task is not easy and involves a huge amount of research efforts... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 17 Jan 92 12:49:01 -0500 From: Doug Eckert <75140.1550@CompuServe.COM> Subject: Novell viruses (PC) Greetings, All; I'm interested in obtaining a (believable) list that says which viruses infect and/or spread through Novell local area networks, and what effects they cause (error messages and the like). I've followed information about the GP1 ("Get Password 1") about as far as seems worthwhile (it doesn't work). Below I'll share with you what some testing I was involved in early last year showed. My feeling is there needs to be more trustworthy information available on this subject. If NOVELL has any such listing, last time I checked they weren't sharing. We were testing Central Point Anti-Virus version 1.0, at the time of the below. The results were shared with Central Point. And while they are heartening for those of us who depend upon LANs every day, the sample is obviously too small for any general smugness about the imperviousness of Novell Trustee Rights. VIRUS / LOCAL AREA NETWORK TESTING SUMMARY Only two of the five viruses tested, 1701 and Invader, proved capable of cirumventing the file attributes set by the Novell FLAG.EXE command. Repeated attempts with all 5 viruses to infect files protected by Novell Trustee Rights (for example, IBM DOS 3.30 files in F:\PUBLIC\IBM_PC\V3.30 when logged in as a non- supervisory user without trustee rights to those subdirectories) were unsuccessful. Upon execution, Jerusalem-B consistently either prevented or broke the connection to the LAN. SETUP A test local area network (LAN) using Novell NetWare 2.15, 3COM ethernet adapters, coaxial cable, IBM DOS 3.30, 2 IBM PS/2 Model 50's, 2 AST '286's, and one IBM PS/2 Model 80 as a file server was set up. Three types of network shells were used: ODI, NET3 version 3.01 rev. E, and NET3 version 2.15. Attempts were made to infect test .COM and .EXE files stored under F:\USERS\ and C:\TESTEXEC, using the following viruses: (1) Jerusalem-B (aka. "Friday the 13th") (2) 1701 (aka. "1701/1704") (3) 4096 (aka. "100 Years", "Frodo", "Stealth") (4) Invader (aka. "Anticad-2", "Plastique") (5) Whale (aka. "Motherfish") All of these viruses except 1701 were obtained from an anti- virus software vendor. Two versions of Whale were tested. 1701 was obtained from an infected site in Michigan. Test network files NE.COM and FASTGIF.COM were flagged as read- only using Novell's FLAG.EXE program. The file BROWSE.COM was "wrapped" on both the network and the local (C:) drive, using Central Point Anti-Virus's (CPAV) immunization coding, which added 779 bytes to the file size (1737 new size minus the 958 original size). RESULTS While successful at infecting C:\TESTEXEC files, repeated efforts to get Jerusalem-B, 4096 and Whale to infect network files - to which the user had all rights - were unsuccessful. Jerusalem-B continually interfered with the LAN connection. Several attempts to login to the network after becoming infected were unsuccessful. Attempts to become infected after logging in to the network consistently resulted in network adapter card error messages that required re-booting to escape. These results were consistent across all three driver sets and both PC types. Novell technical support indicated there have been reports that certain network adapters, among them those by 3COM, are incompatible with Jerusalem-B. 4096 evidenced no conflict with the network connection and infected C:\TESTEXEC executables, but - strangely - NOT the same files in F:\USERS\ when changed to that directory immediately afterwards. The file BROWSE.COM, previously "wrapped" (immunized) by CPAV, was protected from infection by 4096. Whale also evidenced no conflict with the network connection. Attempts to infect network files with the Whale virus were also unsuccessful. Immediately subsequent calls of the same executable files on drive C: infected those files with Whale. Previous CPAV immunization did NOT protect the file BROWSE.COM from infection by the Whale virus. The CPAV reconstruction feature for this immunized file was also not triggered by future calls of BROWSE.COM. Cleaning of BROWSE.COM by the menu-driven CPAV program left 8 extra bytes which caused execution of BROWSE.COM to hang the computer. Regards, Eck ------------------------------ Date: Sat, 18 Jan 92 13:04:19 +0000 From: Fridrik Skulason Subject: Re: 1575/1591 Virus (PC) In Message 15 Jan 92 11:20:06 GMT, bontchev@fbihh.informatik.uni-hamburg.de (Vesselin writes: >There are 6-7 variants of this virus, but they are essentially the >same. Eh, no...Alan Solomon discovered he was wrong - he included one variable byte in his checksumming range. There seem to be at most two variants. - -frisk ------------------------------ Date: Fri, 17 Jan 92 20:20:36 +0000 From: brown20@obelix.gaul.csd.uwo.ca (Dennis Brown) Subject: WDEF (mac) This is a request for information concering the virus WDEF. It seems that I have contracted this virus and I am now trying to get rid of it. Here's the facts:Mac Plus External HD About a week ago, while doing a routing copy of some files, I created a folder that is empty and is unremoveable. Shortly after this, about 3/4 of the icons on my desktop dissappeared. The missing files are still accessable to some programs (eg: the system that disappeared, still boots the drive when started up, and the cdev boomering can access files that it knows the path to even if it is one of the files that dissapeared). I am told that this virus is searched for by the newest version of SAM, but are ther e any other programs out there that will find WDEF? Any help would be greatly appreciated. Dennis Brown brown20@gaul.csd.uwo.ca ------------------------------ Date: Fri, 17 Jan 92 13:11:39 +0000 From: dylan@ibmpcug.co.uk (Matthew Farwell) Subject: PC Virus Checker for Unix (PC) (UNIX) I've been wondering for a while whether there are actually any PC Virus checkers which work under Unix. I'm wondering this because we have a fairly large download area, which contains a lot of DOS/OS/2 stuff, and it might be an idea to just run through the lot with a checker once in a while. It's a bit of a pain taking them all to a DOS machine & then bringing them all back again. Anyone got any ideas? Dylan. - -- Opinions above are mine, unless discovered to be wrong. ------------------------------ Date: 17 Jan 92 10:58:53 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: New Antivirus Organization Announced bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > > Virus Busters Join Hands -- The Antivirus Methods Congress, a > > newly formed organization to combat computer viruses, was announced > > last week with the goal of bringing users, vendors and researchers > > together to tackle virus attacks on networks in the private and > > government sectors. > > Dick Lefkon, associate professor at New York University and chair- > > man of the new group, said the organization already has 50 members, > > including representatives from Martin Marietta Corp., the > > insurance industry, the state of Arizona's legal department, > > Northern Telecom, Inc. and universities in Hamburg, Germany, and > > Iceland. > Well, to be honest, I have never heard about that. But, I can speak > only about myself; I'll ask Prof. Brunnstein whether he knows > something on the subject (he is the head of the Virus Test Center at > the Hamburg University) and will inform you. Well, I did. It seems that these are pretty hot news - since the last Saturday. This organization has been indeed established, and we are indeed members of it. It will be in the States something similar to what EICAR is in Europe. More news should appear on the 5th International Virus & Security conference on March 11-13, in New York. BTW, Padgett Peterson should also know about that... Padgett? A more detailed message with explanations was promised by Prof. Brunnstein. In fact, I alread got the message, and Ken should have a copy of it too. Ken, if my boss forgets to CC a copy to Virus-L, could you please forward it here? Thanks. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 17 Jan 92 11:07:24 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: New to the forum - question geoffb@coos.dartmouth.edu (Geoff Bronner) writes: > This is something that varies from site to site, I'm sure. Dartmouth > is a site that is very prone to viruses, we have many inexperienced > mac users on the campus who have the ability to share files all the > time. Viruses get here very quickly on visitors disks or via ftp and Well, it depends what you mean by "very prone"... :-) > I would say that the avergage user here who is running Disinfectant > INIT (most do) sees viri very rarely. A couple times a year maybe. Well, isn't it more plausible to suppose that people, who do NOT run any virus detection software, see the viruses much less, since they are unable to detect them?... :-) > Since I run a cluster and support dozens of macs and ibms directly I > see them more often. Even so, things are better. 3 or 4 years ago I > could expect to see an infected disk or hard disk every day. After > several years of spreading inits like Disinfectant INIT and Gatekeeper > Aid around I see an infected disk maybe once a week. Usually on the Just out of interest, here at the VTC, we get averagely one to two requests for help per week, from all over the Germany. I don't know, maybe for some people this means that the computers in Germany are "very prone" to viruses... To me it means that there are almost no viruses here... When I was in Bulgaria, an average of 20 phone calls per DAY, and only from Sofia, was something usual.... :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 17 Jan 92 13:02:12 +0000 From: douglas@rhi.hi.is (Douglas Brotchie) Subject: Re: New Antivirus Organization Announced RTRAVSKY@corral.uwyo.edu (Rich Travsky 3668 (307) 766-3663/3668) writes: >The following is from the Dec 30,1991/Jan 6,1992 issue of Network World. > Virus Busters Join Hands -- The Antivirus Methods Congress, a > newly formed organization to combat computer viruses, was announced > last week [...] > Dick Lefkon, associate professor at New York University and chair- > man of the new group, said the organization already has 50 members, > including representatives from Martin Marietta Corp., the > insurance industry, the state of Arizona's legal department, > Northern Telecom, Inc. and universities in Hamburg, Germany, and > Iceland. ^^^^^^^ Not to my knowledge. Douglas A. Brotchie Director of Computing Services University of Iceland ------------------------------ Date: Sat, 18 Jan 92 16:54:32 +0000 From: willimsa@unix1.tcd.ie (alastair gavi williams) Subject: Sigs So, what's a signature virus? Does it require the file to be written to an acc before it will infect it? Thanks A G Williams willimsa@unic1.tcd.ie ------------------------------ Date: Sat, 18 Jan 92 23:42:10 +0700 From: frisk@complex.is (Fridrik Skulason) Subject: Polymorphic viruses Terms such as "Viruses using variable encryption with a variable decryption routine" are rather cumbersome, but no accurate single word has been found for those viruses, of which V2P6, Whale, Maltese Amoeba, Russian Mutant and PC-Flu 2 are examples. Until now. It is hereby proposed that the term "polymorphic" be used fore this class of viruses, but this term originated in one of the marathon 5-hour telephone conversations I had with Alan Solomon on the subject of virus naming. - -frisk ------------------------------ Date: Sun, 19 Jan 92 16:44:00 -0500 From: HAYES@urvax.urich.edu Subject: new program from Padgett Peterson available (PC) Hello. Just received and made available for FTP processing a new utility from A. Padgett Peterson. CHK.ZIP Integrity checker. Can be used to detect the Michel- Angelo virus. Best, Claude Bersano-Hayes. ------------------------------ Date: Sun, 19 Jan 92 22:05:00 -0500 From: "David Bridge" Subject: Iraqi Computer Virus story Defended ! from "The Washington Post" Washington, DC USA Tuesday, January 14, 1992. Page A7. COMPUTER VIRUS REPORT IS SIMILAR TO SPOOF Magazine Rechecking Story That U.S. Disabled Iraqi Network Associated Press A newsmagazine report that U.S. intelligence agents planted a disabling "virus" in an Iraqi military computer network before the Persian Gulf War is strikingly similar to an article published last year as an April Fool's joke. The main author of the U.S. News and Report article, Brain Duffy, said yesterday [= Jan. 13], "I have no doubt" that U.S. intelligence agents carried out such an operation, but he said the similarities with the spoof article were "obviously troubling." Duffy said the magazine was rechecking the sources who told it about the operation to determine whether details from the spoof article could have "leached into our report." In an article in its Jan. 20 issue, U.S. News said it had learned from unidentified U.S. officials that intelligence agents placed the virus in a computer printer being smuggled to Baghdad through Amman, Jordan. It said the printer, described as French-made, spread the virus to an Iraqi mainframe computer that the magazine said was critical to Iraq's air defense system. The magazine reported that the trick apparently worked, but it provided no details. The main elements of the U.S. News virus story are similar to an article published in the April 1, 1991, edition of InfoWorld, a computer industry publication based at San Mateo, Calif. The article was not explicitly labeled as fiction but the last paragraph made clear that it was written as an April Fool's joke. Duffy said he had not heard of the InfoWorld spoof. In response to an inquiry by the Associated Press, he said a U.S. News reporter in Tokyo got the "initial tip" on the computer virus story, which the reporter then confirmed through "a very senior official" in the U.S. Air Force. Duffy said he personally confirmed the story through a senior official in the Air Force and a senior intelligence official. Some private computer experts said it seemed highly unlikely that a virus could be transferred to a mainframe computer from a printer. "A printer is a receiving device. Data does not transmit from the printer to the computer," said Winn Schwartaw, executive director of the International Partnership Against Computer Terrorism. ===================================================================== from "The Washington Post" Washington, DC USA Saturday, January 18, 1992. Page A4. COMPUTER VIRUS STORY DEFENDED Associated Press U.S. News & World Report said Thursday [= Jan. 16] it is sticking by its story that U.S. intelligence agents tried to disable an Iraqi air defense network with a computer virus several weeks before the start of the Persian Gulf War. The magazine said it had confirmed that the attempt was made, as reported in its Jan. 20 issue and later questioned, but had not been able to determine whether it was successful. The original story, published Monday [= Jan. 13], quoted two senior U.S. officials as saying that the virus "seems to have worked as planned." Questions arose about the story after it was learned that the computer industry publication InfoWorld spelled out a strikingly similar scenario in a column that ran as an April Fool's joke last year. ------------------------------ Date: Fri, 17 Jan 92 02:12:28 +0000 From: mcafee@netcom.netcom.com (McAfee Associates) Subject: Mail Problem (McAfee) Hello all, Sorry for wasting bandwidth over this, but: I have accidentally lost part of my workspace for the week of Jan 6th to Jan 13th. If anyone from Europe sent mail to mcafee@netcom.com and Downloaded From P-80 International Information Systems 304-744-2253