From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #16 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Tuesday, 28 Jan 1992 Volume 5 : Issue 16 Today's Topics: Plastique Virus... (PC) Re: Fprot v2.02 on risc (PC) Re: NCSA has tested Antivirus Programs (PC) Re: .SYS Infector? Really? Info Please! (PC) Re: vsum info... (PC) Re: VIRUS at AT286 in SCAN85 (PC) FAT chance? (PC) Possible Virus, Help!! (PC) re: New virus????? (PC) F-PROT/CPAV conflict (PC) CDef Virus (Mac) very strange Mac behavior (Mac) Re: New Antivirus Organization Announced Re: Trojan definition? Special case Re: Sigs new from Padgett Peterson (PC) "Commercial safety" myth VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 20 Jan 92 16:04:00 -1100 From: Veyis MUEZZINOGLU Subject: Plastique Virus... (PC) Hi everybody! We have trouble with a virus whose name is PLASTIQUE. I think it infect both .EXE and .COM files and place itself to FAT. Once a file infected, then it does not working and operating system (or virus itself) gives "Sector not found..." or "File allocation table error on drive...." errors. Also, it doesn't possible to copy it. After this information, does anybody know where can we get an antivirus program which remove this virus from our PCs. Thanks in advance... Veyis Muezzinoglu Erciyes University VEYIS@TRERUN.BITNET Computer Center ------------------------------ Date: 27 Jan 92 12:36:14 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Fprot v2.02 on risc (PC) JFORD@UA1VM.BITNET (James Ford) writes: > Also, I attempted to ftp the file ccc21.zip (?), but was unable to access > the server using anonymous. If someone has it, please upload it to risc Ooops, I published the address incorrectly. Mea culpa, sorry. The correct name of the file is ccc91.zip, it is on ftp.informatik.uni-hamburg.de [134.100.4.42], in the /pub/virus/texts directory. Please note that we have only one (and quite slow) modem, so I'll appreciate if the file is made available on more popular archive sites as well. One more time sorry for the confusion. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 27 Jan 92 12:50:21 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: NCSA has tested Antivirus Programs (PC) RADAI@HUJIVMS.BITNET (Y. Radai) writes: > >There are currently several products, which claim to add a > >"self-disinfecting" envelope to other programs: I have only McAfee's > >FShield, but have heard about at least three more - The Untouchable, > >something from Central Point Software, and a product under > >development, which I discuss with someone from Bogota, Colombia (if I > >remember correctly, else - sorry) > Sorry, that's not accurate. F-Shield (now called File Protector and > no longer associated with McAfee) does indeed add a self-disinfecting > envelope to other programs, but Untouchable certainly does not. It > keeps all the disinfectant info in a central database. (It does check- > sum itself before checking other files and warns you if it has been > modified, but it does not *disinfect* itself on the fly as described > in your quote from Frisk.) I didn't express myself clearly enough, sorry. My arguments were mainly against the generic disinfection, regardless how it is implemented. I agree that keeping the information in a database is much more correct than to attach it to the files, but I still claim that generic disinfection is impossible in the general case (even if using only the currently known infection techniques, and maybe even with the currently existing viruses). Any, yes, I know that The Untouchable does not destroy files when it tries to disinfect them, since it checks whether the repaired file will have the same checksum as the originals. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 27 Jan 92 13:06:38 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: .SYS Infector? Really? Info Please! (PC) RTRAVSKY@corral.uwyo.edu (Rich Travsky 3668 (307) 766-3663/3668) writes: > What's this about a .sys infector? (Frisk Skulason mentions this in a > recent Virus-l digest.) Some more information please, this is news for > me. The device drivers (usually stored in files with SYS extension) contain executable code, just as the COM and EXE files. They can even be of the two possible types - COM-type device drivers, and EXE-type device drivers. Well, to be exact, they have a somewhat special header, but it is well documented in the manuals and anybody who bothers to read them can figure out how to write a device driver infector. It is arguable whether a device-drivers infecting virus will have any chance to spread only, but nobody said that it must infect only device drivers... One could (in fact several people already did) write a virus, which infects both EXE & COM files and device drivers... In fact, it could infect boot sectors, partition tables, OBJ files, libraries, etc... There have been device drivers infecting viruses since more than two years - the Happy New Year (Bulgarian) was the first one, but it's not so easy to make it infect device drivers, so several people haven't noticed that. Currently I can recall at least about two other device drivers infecting viruses, both of Russian origin - SVC 6.0 and Starship. Yet, I know only about one virus scanner, which checks the device drivers properly - the Dr. Alan Solomon's AntiVirus ToolKit. Hope the above helps. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 27 Jan 92 13:26:30 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: vsum info... (PC) hobbit@vax.ftp.com (*Hobbit*) writes: > Forgive me if this is a faq; I haven't seen any recent references. Is > there a plaintext version of vsumx.h! that is readable by humans > without use of a program? The package includes the program in question, so you can read it without problems. If you read it -carefully-, you'll see the explanation why Patti switched to hypertext versions (hint: look at the Revision History entry). Although I would like to be able to print porions of it into files in plain-text mode, without using dirty tricks and printer redirection... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 27 Jan 92 13:20:30 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: VIRUS at AT286 in SCAN85 (PC) tkorho@cs.joensuu.fi (Tommi Korhonen) writes: > Mine 286 did also JAM after i GOT THE SCAN85.ZIP!!!!! [description deleted] Hmm, sounds more like a hardware problem, or a corrupted DOS... (No problem to write a virus, which does the same, of course, but I don't think this is your case. And it's certainly not because of SCAN /AV. You could remove the checksums with SCAN /RV and check whether the problems disappears. Another advise, boot from a clean DOS system disk and perform a SYS on your hard disk (or use Norton's "make disk bootable", if the version of your SYS is not smart enough). No guarantees, but the problem may disappear. Also try CHKDSK and watch for any reports about corrupted files... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Fri, 24 Jan 92 20:54:16 +0000 From: lark@Solbourne.COM (Daniel Larkin) Subject: FAT chance? (PC) Hi, Does anyone know of any virus that attacks strictly the FAT on the hard disk, and if so, what choices (if any) is there to combat this problem? Any information on this will be appreciated. Thanks, DAN L. ------------------------------ Date: Mon, 27 Jan 92 14:10:00 -0600 From: "RICKY GATES" Subject: Possible Virus, Help!! (PC) I was working on a friends Gateway 2000 386SX-20 MHz computer this weekend, when every time I hit the space bar on the keyboard. It stops taking input from the keyboard, but the computer types out TUMARC FROM CHINA on the screen and beeps for about 3 to 4 minutes. It then stops and leaves the text on the screen. I can backspace it off the screen, but as soon as I hit the spacebar again it does it again. I asked my friend when it started doing this to him. He replied that it started doing it a little while after installing Calender Creater Plus, AddressBook, and one other program from Power-Up software. I am wondering if anyone out there has heard of this problem or virus. I looked in McAfee's virus list and it is not listed, so I am wondering if this a new virus that has not yet been seen. If anyone has any suggests at all please send me e-mail. Thanks!!! Ricky Gates TTU College of Business Microcomputer Specialist and LAN Mgr (615) 372-3684 BITNET: RCG1659@TNTECH.BITNET ------------------------------ Date: 27 Jan 92 15:32:13 -0500 From: "David.M.Chess" Subject: re: New virus????? (PC) >From: diaz@leland.stanford.edu (Kathy Diaz) >I have a question it seems that I have come across some sort of virus. >My Dos Machine has in every directory a file called aux. Various words, including "aux", "con" and "prn", are reserved device names in DOS. If you try to do anything with them as though they were files, various odd and unexpected things can happen. "aux" actually tells DOS to read to / write from the serial port; if the right sort of device were hooked up there, it might actually work, although I haven't heard of anyone doing it. "con" tells DOS to treat the keyboard/screen (the "console") as a file; this can be very useful (as in COPY CON: TEST.JNK), but many editors will get very confused when faced with "edit con". Or "edit aux". For more info, see the index of most DOS manuals, under "device names". Probably not a virus! *8) - --- David M. Chess mI' jIHbe' jay'! High Integrity Computing Lab loD tlhab jIH! IBM Watson Research -- qama''e' ------------------------------ Date: Tue, 28 Jan 92 00:06:44 +0700 From: frisk@complex.is (Fridrik Skulason) Subject: F-PROT/CPAV conflict (PC) A user of F-PROT 2.02 just reported a conflict between that program and the Central Point anti-virus program: It seems that "Secure Scan" reports: VSAFE.SYS Infection: New or modified variant of Flip VWATCH.SYS Infection: New or modified variant of Flip This means that both FLIP signatures are found in the program, but it does not appear to be a normal infected file - perhaps a new variant. Actually, this is a false alarm, caused by the fact that the folks at CP use the same signatures as I do, and they do not store them in encrypted form in the file - something any decent anti-virus program should do... :-) So, if you get this particular message on these files don't worry...I'll do something about this in the next version, although I really consider this to be CP's problem.... - -frisk ------------------------------ Date: Mon, 27 Jan 92 08:54:31 -0500 From: Ed Maioriello Subject: CDef Virus (Mac) Hello All, I have been seeing alot of the CDEF virus lately. Does anyone have any info on the way the virus works etc. It seems to be caught quite nicely by the Disinfectant init, and removed easily by Disinfectant 2.5.1, but I would like to know more about it. Thanks in advance. Ed Maioriello emaiorie @ uga.cc.uga.edu University Computing & Networking Services edm @ athena.cs.uga.edu University of Georgia edm @ aisun1.ai.uga.edu Athens, Ga. 30602 (404) 542-5162 ------------------------------ Date: 24 Jan 92 21:41:17 +0000 From: peter@sysnext.library.upenn.edu (Peter C. Gorman) Subject: very strange Mac behavior (Mac) Hello - I've got a Mac IIsi, system 6.0.7, that's behaving very strangely: - - When anyone tries to access the Page Setup or Print functions from just about any application, Gatekeeper says that the application is trying to violate res(system) privileges against the System - RsrcMapEntry(DRVR2). - - The Mac was working perfectly happpily until a few days ago; the user doesn't know of any changes that were made. (But this is a semipublic machine) - - Some applications also trigger the warning when loading or when trying to open a document. - - Disinfectant 2.5.1 sees nothing wrong. Has anyone seen this sort of this thing before? I don't want to raise the virus alarm prematurely; It's possible that something's been corrupted by other means. Oh yeah - replacing the System file and printer drivers doesn't change anything. Thanks for your help. - -- Peter Gorman University of Pennsylvania Library Systems Office peter@sysnext.library.upenn.edu ------------------------------ Date: Mon, 27 Jan 92 09:21:13 +0000 From: Fridrik Skulason Subject: Re: New Antivirus Organization Announced RTRAVSKY@corral.uwyo.edu (Rich Travsky 3668 (307) 766-3663/3668) writes: >The following is from the Dec 30,1991/Jan 6,1992 issue of Network World. > Northern Telecom, Inc. and universities in Hamburg, Germany, and > Iceland. Hm...I suppose that "University of Iceland" is supposed to refer to me... but it is a misunderstanding - I quit my job at the university last April, and now concentrate my efforts on the development of my product, and virus-related work. - -frisk ------------------------------ Date: 27 Jan 92 13:15:53 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Trojan definition? Special case vail@tegra.com (Johnathan Vail) writes: > The definition I have in my glossary is: > ________________ > trojan (horse) - This is some (usually nasty) code that is added to, > or in place of, a harmless program. This could include many viruses > but is usually reserved to describe code that does not replicate > itself. > ________________ Hmm, the definition is not that bad, but I think that a more exact one would be "a program, which intentionally performs some undocumented functions"... Oh well. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Fri, 24 Jan 92 21:22:58 +0000 From: rslade@cue.bc.ca (Rob Slade) Subject: Re: Sigs willimsa@unix1.tcd.ie (alastair gavi williams) writes: > So, what's a signature virus? Does it require the file to be The signature virus is a joke. You will note, on those sigblocks that have it, the note "append me to your sig file". It is strikingly similar to the "classified ads" virus. The one that says "send a copy of me to your local paper classified ads section". ============== Vancouver p1@arkham.wimsey.bc.ca | "Is it plugged in?" Institute for Robert_Slade@sfu.ca | "I can't see." Research into rslade@cue.bc.ca | "Why not?" User CyberStore Dpac 85301030 | "The power's off Security Canada V7K 2G6 | here." ------------------------------ Date: Tue, 28 Jan 92 09:53:00 -0500 From: HAYES@urvax.urich.edu Subject: new from Padgett Peterson (PC) Hello. Just received from A. Padgett Peterson and made available: FIXUTIL2.ZIP: > Minor updates of FIXUTIL - CHKBOOT finds FORM family, FixFBR won't > flag Zenith boot records as suspect - .doc reflects lower pricing > (why not ?) minor ASCII changes. Best, Claude. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: Sun, 26 Jan 92 21:07:52 -0800 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: "Commercial safety" myth DEFMTH8.CVP 920126 The "Commercial Safety" Myth If I had to choose one viral myth which most contributed to the unchecked spread of viral programs that exists today, it would be that of the "safety" of commercial software. Although there is little agreement as to actual numbers, most virus researchers would agree with the statement that the vast majority of viral infections are caused by viri which are both easy to detect and easy to remove. Yet one recent survey of 600,000 PCs indicated that 63% had been hit with an infection. Why? Easy. Only 25% had any kind of protection against viri. (Note - even more disturbing - *at least* 48% *have been hit and STILL HAVE NOT TAKEN PRECAUTIONS!*) I am often faced with the assertion from computer users that, "Oh, I don't need to worry about viruses. *I* only use *commercial* software. If it doesn't have shrink wrap, it doesn't go into *my* computer!" This statement, and feeling of false security, relies on three assumptions: 1) that shareware is a major viral vector, 2) commercial software is never infected, only shareware and pirate software are and 3) there are no viral vectors other than software. Although shareware has been involved in the spread of viral programs, it is difficult to say how much of a role that it plays. In nine years of involvement with the local and extended communications community, I have not yet downloaded a file which I found to contain a viral program infection. (Except for the ones that were sent to me as such.) Note that I am not making any claims to superior knowledge or expertise here: my random sampling of interesting looking files off the nets and boards has yet to pull in one which is infected. Others say otherwise, although it was interesting to note, in a recent conversation where someone to the opposing view, that he finally had to admit he'd never downloaded an infected file either. In fact, for many years, shareware antivirals were the only reasonable form of protection. Every major microcomputer operating system except CP/M has had at least one instance of a major commercial software vendor distributing infected programs or media. They take precautions, of course, but apparently still don't give virus checking a high enough priority. Besides which, there are other possibilities for obtaining viral infections from "commercial" sources. Most commercial software is still distributed on writable media. Software retailers will often accept "returned" software, re-wrap it (shrink wrapping is easy to do) and resell it - often without checking for any incidental infection. Hardware or system retailers are all too often selling infected systems these days, not knowin Downloaded From P-80 International Information Systems 304-744-2253