From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #19
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Monday,  3 Feb 1992    Volume 5 : Issue 19

Today's Topics:

Anti-virus Product Info (PC)
Re: New virus????? (PC)
Help: 1193 virus? (PC)
Re: Total memory available to DOS less than 655360 (PC)
Michelangelo Virus in Florida too! (PC)
Re: Michelangelo virus & HD's (PC)
Maltese Amoeba / fao McAfee Associates (PC)
Ohio Virus? (PC)
Re: Pentagon and Keypress virus found (PC)
Re: Plastique Virus... (PC)
Scramble (PC)
re: Stoned (PC)
Re: very strange Mac behavior (Mac)
Re: very strange Mac behavior (Mac)
"Commercial safety" myth
Re: Iraqi Virus Question?
McAfee virus scanner Windows version at garbo.uwasa.fi (PC)
IBM Anti-Virus Product 2.1.9 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 29 Jan 92 10:22:33 -0500
From: TFW103@psuvm.psu.edu
Subject: Anti-virus Product Info (PC)

This may be a FAQ, but are there any good references as to which
anti-virus products (SCANv85, VIRex, Central Point, etc.) are the best
for the money or more effective than others?
After just reading the postings in this group for a few days I am
disturbed by how often I see that a certain virus was not detected by
Product X. Does anyone have any personal opinions on this to give some
help and understanding to a novice?

Thanks!

Tom Woloszyn
tfw103@psuvm.psu.edu

------------------------------

Date: 29 Jan 92 19:16:57 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New virus????? (PC)

diaz@leland.stanford.edu (Kathy Diaz) writes:

> I have a question; it seems that I have come across some sort of virus.
> My DOS machine has in every directory a file called aux. It seems also

I don't know exactly how you have managed to "find" this "file". On
previous DOS versions it usually appeared when you executed Norton's
FileFind and looked for aux*.*. Unfortunately, I'm using MS-DOS 5.0
right now, so I can't confirm this.

BTW, regardless of what you do, use the same method to look for the
"files" CON, COM1, COM2, LPT1, etc... You'll "find" them in all
directories as well. Don't worry, these are just reserved names for
the DOS device drivers. In many ways they behave as files. If you have
any other installed device drivers, you'll be able to "find" them as
well. Just ignore them and don't touch them; everything will be OK.
BTW, the "length" has nothing to do with the real size of the driver
in memory. Ignore this information as well.

Hope the above helps.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: Wed, 29 Jan 92 19:31:54 +0000
From: mark@walt.CS.MsState.Edu (Mark Rauschkolb)
Subject: Help: 1193 virus? (PC)

I was just asked if I knew anything about the 1193 virus. I can't find
a reference to it anywhere. Any clues?
Mark Rauschkolb
mark@cs.msstate.edu

------------------------------

Date: 29 Jan 92 15:59:49 -0600
From: hannuk@cs.tamu.edu (Hannu H Kari)
Subject: Re: Total memory available to DOS less than 655360 (PC)

UBAESQ01@EBCESCA1.BITNET (Josep Fortiana Gregori) writes:

> After reading the note by Padgett Peterson about the
> Michelangelo virus, I checked my machines and found
> that one of them (a 486/33MHz clone AT with 8M ram)
> reports total memory = 654336 = 655360 - 1024 when
> booted from drive C: and 655360 when booted from A:
>
> No other symptom of infection can be observed. (and
> SCAN '85 reports "no viruses found")
>
> Does someone know if there is a possible cause of this
> behaviour, other than infection?

One possible explanation for the missing 1 kB area is that you have,
e.g., a SCSI disk controller that needs some RAM work space. The
memory area is stolen from the BIOS by setting a smaller number into
the memory location that holds the size of memory during the boot of
the PC. However, if you boot from the floppy and the size is
different, then that is not the case.

Another explanation is that some BIOSes take some memory, for example
for IDE/ST-506 disk type information. My AMI BIOS is an example of
this. This memory is used for storing user-definable disk types (i.e.
if the BIOS doesn't know the disk type, you can tell it the number of
heads, sectors and tracks manually). But also in this case, it should
not depend on where you boot from.

Have you tried to boot the PC from the HD with no CONFIG.SYS and
AUTOEXEC.BAT files? Maybe you have some strange drivers? Is the
operating system version on the floppy and on the HD the same?

HHK
Howdy from Texas

------------------------------

Date: 29 Jan 92 23:40:30 +0000
From: jbs@reef.cis.ufl.edu (Joe Schofield)
Subject: Michelangelo Virus in Florida too! (PC)

tong@ee.ubc.ca (ONG TONY TUNG L) writes:

> We've been hit here at the University of B.C., if anybody is
> keeping track.
Well, if there is someone keeping track, at the University of Florida
approx. half of 30 computers tested (SCANV85) had the Michelangelo
virus. They seemed to be successfully cleaned by CLEANV85.

HOWEVER, I found the Michelangelo virus on two of the four 5 1/4"
disks in my possession. The other two had a Stoned-related virus. None
of my fifteen frequently used, non-write-protected 3 1/2" disks had
any viruses.

One of the two 5 1/4" disks gave strange "cleaning results".

First, I cleaned for the [Mich] virus.
    CLEANV85 replied "virus removed".
Second, I re-scanned the disk.
    SCANV85 replied "found stoned [Stoned] related virus".
Third, I cleaned it for the [Stoned] virus.
    CLEANV85 replied "virus removed".
Fourth, I re-scanned the disk.
    SCANV85 replied "found Michelangelo virus".
Finally, I cleaned it for the [Mich] virus again, but CLEANV85 replied
something like "virus could not be removed".

Has anyone else had similar results?

It would be interesting to have a list of places infected by the
Michelangelo virus. Since I don't normally read this group, I don't
know if one is usually posted. Anyway, if anyone reading this message
has been infected by the Michelangelo virus, email me and tell me
about it. (I have no solutions on how to kill it (besides SCAN), but I
would be interested in finding out how widespread this virus is --
especially since it was on the 6 o'clock news last night.)

(The virus testing software CLEANV85 and SCANV85 used are both
licensed by the University of Florida.)

- --
-----------------------------------------------------------------------
/ jbs@reef.cis.ufl.edu /              The Golden Rule                 /
/                      / "Those who have the gold make the rules."    /
-----------------------------------------------------------------------

------------------------------

Date: Thu, 30 Jan 92 00:37:54 +0000
From: NEIL@icarus.curtin.edu.au
Subject: Re: Michelangelo virus & HD's (PC)

homan@envmsa.eas.asu.edu (Thomas H.
Homan (aka Bit Bucket Bandit)) writes:

> Is there some other program for removing the Michelangelo virus from
> a stricken hard drive.... I have a Seagate 3120A (IDE) drive that I
> cannot remove this virus from. Here's what I have tried so far:
> 1 - Fprot 2.01 - nope
> 2 - Scan V80 - nope
> 3 - Scan v84 - nada
> 4 - Repartition drive as 40m and format - nope
> 5 - Return partition size to 100m and format - still there
> What can be done?
> Any and all thoughts are appreciated.
> tom

Try the old MDISK. It works OK on my IDE drive.

Good luck,
Neil Raymond
______________________________________________________________________________
  Internet: NEIL@ICARUS.curtin.edu.au
______________________________________________________________________________

------------------------------

Date: Tue, 28 Jan 92 20:13:32 +0000
From: Chris Wells
Subject: Maltese Amoeba / fao McAfee Associates (PC)

Hi all.

No peace for the wicked! Two days after finding the Green Caterpillar
virus around, a nastier virus has been found. This virus is the
Maltese Amoeba (according to Bates' Viscan), or the Irish virus
(according to Viruscan).

When I ran an infected file whilst running "FluShot", the computer
just hung. I don't think any infection took place. Curiously enough,
Scan ALSO reported that the Brain/Ashar virus was active in memory.
This message only appeared once, and I assume it was a false alarm.

Has anyone got any more information about this virus?

(Concerning McAfee.) I was recently "testing" the Jerusalem virus, and
I noticed that Scan failed to detect it under certain circumstances.
(I won't elaborate here, to avoid giving the 'worms' ideas.) Version
85 was used. If McAfee Associates would post their e-mail address,
I'll send some private mail.

Many thanks,
Chris

------------------------------

Date: Thu, 30 Jan 92 14:08:27 +0700
From: Nigel Tan
Subject: Ohio Virus? (PC)

This is my 1st posting...
excuse me for any foul-ups!

Last weekend, I encountered a strange situation using McAfee's Scan84.
When scanning a disk, it said:

    [Stoned] related virus found.

And on the next line, it said:

    3 viruses found.

Well, I cleaned off the [Stoned] with Clean84, then re-scanned the
disk. It then said:

    [Ohio] virus found in boot sector.

When I tried to use Clean84 to clean it off, it said:

    [Ohio] virus cannot be safely removed.

So I formatted the disk. The funny thing was that I later checked
Virlist84, and could not find any mention of the [Ohio] virus.

3 questions:

1. Is there an Ohio virus or not? Was it accidentally left out of
   Virlist84?
2. What is the 3rd virus on the diskette? (It said 3 viruses
   initially.)
3. Can boot sector viruses be safely removed with Clean84?

Thank you!

------------------------------

Date: 30 Jan 92 10:05:39 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Pentagon and Keypress virus found (PC)

NVCARLE@VCCSCENT.BITNET (Eric Carlson) writes:

> Pentagon and Keypress viruses were found on floppies in one of our labs.

Pentagon?! You said Pentagon? Not possible, must be a false positive.
This virus does not exist in live form - nobody has succeeded in
making it replicate. It -must- be a false positive.

> Pentagon virus was NOT FOUND by SCANv84, but it was found with SCANv69.

This explains the problem. Scan version 69 is a pretty old thing and
certainly contains bugs. FYI, the latest official version I know about
is 85, but I have heard about something called Scan version 86-beta
floating around. Could we get a comment on this from McAfee Associates?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 30 Jan 92 10:17:06 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Plastique Virus... (PC)

VEYIS@TRERUN.BITNET (Veyis MUEZZINOGLU) writes:

> Hi everybody!

Hi!

> We have trouble with a virus whose name is PLASTIQUE.

The real trouble is that there are at least 10 different virus
variants which are called by this name... :-(

> I think it infects both .EXE and .COM files and places itself in the FAT.

Naw, it doesn't put itself in the FAT. It infects COM & EXE files and
the boot sector.

> Once a file is infected, then it does not work and the operating
> system (or the virus itself) gives
> "Sector not found..."
> or
> "File allocation table error on drive...."

Hmm, to my knowledge, most of the variants of this virus play a
melody. If you press Ctrl-Alt-Del while the melody is being played,
some of the variants will overwrite the beginning of the hard disk.
But then the damage will be much more serious, not just slight FAT
corruption or bad sectors...

> Also, it isn't possible to copy it.

To copy -what-? The virus? If it cannot copy itself, it won't spread
and therefore is no virus. Or do you mean the bad sector? Then it
probably means that the sector is indeed bad, and this has nothing to
do with the virus...

BTW, how did you identify the virus? What program reported the name
Plastique? McAfee's SCAN?

> After this information, does anybody know where we can get
> an antivirus program which removes this virus from our PCs?

At least the following programs are able to remove the virus: Fprot
2.02, Dr. Solomon's Anti-Virus ToolKit, McAfee's CLEAN 85.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: Thu, 30 Jan 92 10:08:00 -0500
From: "Jeffrey S. Payne"
Subject: Scramble (PC)

We have had an outbreak of what appears to be some sort of trojan,
which has been described to me as a program called Scramble. This
program renames the first part of every .COM file on the hard drive to
a random 8-character string. I would like some sort of confirmation
that this is a trojan or just a malicious program as opposed to a
virus. Also, is there any known way to defend against it? We are
currently running F-Prot 2 on IBM PS/2 computers.

Jeffrey S. Payne
JSP105@PSUVM(.psu.edu)
Penn State Ogontz Campus / Woodland Computer Center
"Any significantly advanced technology is indistinguishable from magic"
  -A.C. Clarke, Murphy, Jean-Luc Picard, and other significant intellects

------------------------------

Date: 30 Jan 92 11:22:54 -0500
From: "David.M.Chess"
Subject: re: Stoned (PC)

>From: "V70D::HUNTRESS"
> ... I have no idea how long it had been resident, and since I
> never saw it trigger (never got the message "You have been stoned"), I
> started to wonder what causes it to trigger. A date? A number of
> boots? Random?

It's basically random (about one boot in eight) BUT it only happens
when the system is booted from an infected *floppy*. Booting from an
infected hard disk never displays the message. That's probably why you
didn't see it, and why people in general can have the virus for a long
time without suspecting...

DC

------------------------------

Date: 29 Jan 92 15:42:26 +0000
From: peter@sysnext.library.upenn.edu (Peter C. Gorman)
Subject: Re: very strange Mac behavior (Mac)

In article <0012.9201282044.AA25406@ubu.cert.sei.cmu.edu> I write:

> I've got a Mac IIsi, system 6.0.7, that's behaving very strangely:
>
> - - When anyone tries to access the Page Setup or Print functions from
> just about any application, Gatekeeper says that the application is
> trying to violate res(system) privileges against the System -
> RsrcMapEntry(DRVR2).

Thanks to all who replied. It seems that older versions of Gatekeeper
do not get along well with System 6.0.7. Upgrading to GK 1.2.1 fixed
everything.

Thanks again.

- ---
Peter Gorman
University of Pennsylvania Library Systems Office
peter@sysnext.library.upenn.edu

------------------------------

Date: Wed, 29 Jan 92 13:48:00 -0500
From: "dholland@husc10.harvard.edu"@HUSC3.HARVARD.EDU
Subject: Re: very strange Mac behavior (Mac)

The strange behavior you describe is, as far as I can tell, exactly
the same as the strange Mac behavior I posted about around the
beginning of January. Same Gatekeeper alert, in particular, under
similar circumstances. Since the Mac I posted about has nothing
particular in common with yours (it was a Classic, for starters) it
sounds like it's time to raise the virus alarm after all.

- --
- David A. Holland
  dholland@husc.harvard.edu
*** "Hi! I'm a signature virus. Copy me into your .sig to join in!" ***

------------------------------

Date: Wed, 29 Jan 92 18:29:43 -0500
From: cowan@aqua.pc.ocunix.on.ca (Darin Cowan)
Subject: "Commercial safety" myth

> Every major microcomputer operating system except CP/M has had at least
> one instance of a major commercial software vendor distributing infected
> programs or media. They take precautions, of course, but apparently
> still don't give virus checking a high enough priority.
>
> Besides which, there are other possibilities for obtaining viral
> infections from "commercial" sources. Most commercial software is still
> distributed on writable media.
> Software retailers will often accept
> "returned" software, re-wrap it (shrink wrapping is easy to do) and
> resell it - often without checking for any incidental infection.
> Hardware or system retailers are all too often selling infected systems
> these days, not knowing or caring that they are doing so.

I have seen instances where vendors have distributed software on disks
manufactured not to be writable (no notch on a 5.25", no tab on a
3.5") that STILL contained a virus that was picked up and put on the
master during development. Anybody who puts ANY software on a machine
without checking it for viruses is assuming a risk.

Another of my favourite virus infection vehicles is the "infected
backup"... in my work I have seen incidents of reinfection due to
failure to screen backup disks/tapes when the virus was first
discovered.

I have also encountered people with virus infections who were
oblivious to it. One user I asked "how long has your computer been
saying 'you are now stoned'?" He replied that it had done that since
he had been there (over 2 years) and that it was "just some joke that
someone put in my startup so I never bothered to take it out". That
cost us a lot of man hours scanning about 500 disks.

I guess that the key is not so much for a bunch of propeller heads
(:-) to sit around and discuss with each other that viruses exist, but
to educate the non-power user that there are dangers out there and
those dangers are real.

------------------------------

Date: 30 Jan 92 09:48:57 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Iraqi Virus Question?

379BMWMASQ@sacemnet.af.mil (379BMWMASQ) writes:

> I have been watching in the list the message threads on the Iraqi printer
> virus, and I have a question to pose to the group.
> 1. Postscript printers receive printouts in the form of Postscript
>    Program Code, which is in turn run by the printer to print out
>    the page.
>    Now if that Postscript printer is on a network and
>    is capable of sending information to the network, then could
>    the printer CPU be programmed to access the well known and
>    some not so well known security features of the network to
>    plant code or overload the system with bogus traffic?

Well... There's no easy answer to this. First, don't expect your laser
printer to infect your PC this way. However, there are printers which
can be connected to a network as separate devices (not attached to any
particular computer). These printers are quite intelligent and in fact
are computers themselves. There's a very interesting discussion about
this on comp.risks; I'm just wondering why nobody has forwarded the
appropriate messages here. (Ken?)

Such a networked printer can do a lot of things: probably log in as an
active computer, or impersonate one of the computers on the network,
or even locate the computer which is usually used to boot the network
and instruct it to write something on its disk. Again, this does not
hold for simple PCs, Novell LANs, or laser printers, but it is
theoretically possible, and while it's certainly not true that it has
been used in the Gulf war, it poses a particular security problem with
which we'll have to deal in the future. Unfortunately, my knowledge of
networking is not enough to provide more detailed information, sorry.

> I know that this requires the information on the type of network and
> the types of computing platforms in use, but seems to me that they

Exactly...

> bought most of their computers from us, over the last 10 years and it
> would only be smart for one of the watchers (CIA, FBI, NSA, DIS) to
> keep track of this.

Right, but as Prof. Spafford has pointed out on comp.risks, they could
do much better without actually using a virus. For instance, a small
trojan horse which causes unpredictable delays, which would be
critical for a computer used in an air defence system. (E.g.
suppose the computer pauses for a moment to display the "printer out
of paper" message just while in the middle of tracking an attacking
bomber...) Or a small device in the printer which just broadcasts
everything that is said by the people around...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: Sat, 01 Feb 92 09:38:46 +0200
From: ts@uwasa.fi (Timo Salmi)
Subject: McAfee virus scanner Windows version at garbo.uwasa.fi (PC)

- -From: hv@garbo.uwasa.fi (Harri Valkama)
To: mcafee@netcom.netcom.com
Date: Sat, 1 Feb 92 09:28:38 +0200
Forwarded-by: ts@uwasa.fi (Timo Salmi)

I have uploaded to garbo.uwasa.fi:

pc/incoming
WSCAN86B.ZIP    Windows version of SCAN. Version 86B

Aryeh Goretsky
McAfee Associates Technical Support

Thanks Aryeh.

Available now as:
garbo.uwasa.fi:/pc/win3/misc/wscan86b.zip

- -harri-

"If you do not know how to go about getting this package you are
welcome to email me for the prerecorded garbo.uwasa.fi instructions,
Keith Petersen (w8sdz@wsmr-simtel20.army.mil) for SIMTEL20
information, or Craig Warren (ccw@deakin.oz.au) for Oceanian garbo
mirror information. North American users are advised first to search
on SIMTEL20 or its mirror wuarchive.wustl.edu. Oceanian users are
referred to rana.cc.deakin.oz.au (for recent files)."
...................................................................
Prof. Timo Salmi
Moderating at garbo.uwasa.fi anonymous ftp archives 128.214.87.1
School of Business Studies, University of Vaasa, SF-65101, Finland
Internet: ts@chyde.uwasa.fi  Funet: gado::salmi  Bitnet: salmi@finfun

------------------------------

Date: 30 Jan 92 12:48:06 -0500
From: "David.M.Chess"
Subject: IBM Anti-Virus Product 2.1.9 (PC)

A new level of the IBM Anti-Virus Product now exists.
It should be available now or shortly from IBM Marketing Reps, Branch
Offices, the Electronic Software Delivery section of IBMLINK, and on
Promenade (the PS/1 support BBSy-thing). I'll attach the contents of
the WHATIS.NEW file. As I said a bit ago, I'm not an Official
Anything, so don't send me your money! *8) As before, the U.S. terms
are $35 for an original license, $10 for an upgrade (for terms outside
the U.S., contact your country IBM). Note that these prices are for an
*enterprise* license, so if you are a company with a thousand
employees, it's $35 for all thousand copies.

The last released version was 2.1.5; this is 2.1.9. Versions in
between were internal IBM versions, and not released.

One of the large items, as usual, is a whole bunch of new signatures.
Many are from our usual analysis of viruses, of course, but some are
from the UK magazine Virus Bulletin. I'd like to thank VB for their
permission to use their signatures (or, more accurately, their
emphatic statement that no permission is necessary, since they don't
consider the signatures to be their property!). We ran all the new
signatures through our usual false-positive screening first, of
course. *8)

DC

    The IBM Anti-Virus Product, Version 2.1.9
    Copyright (C) IBM Corporation 1989, 1990, 1991, 1992

The following are the highlights of the changes and enhancements made
to the IBM Anti-Virus Product, since the release of Version 2.1.5:

- Added approximately 250 new