VIRUS-L Digest   Wednesday, 27 Feb 1991    Volume 4 : Issue 32

Today's Topics:

problems w/ scan V74-b (PC)
Re: IBM Virus Scanner. (PC)
Standardized virus signatures
Norton rebuttal (PC)
Virus Zaps POW Database
MusicBug (PC)
Problem with Scan 74B (PC)
Comments to VAX/VMS: XENIX vs. MS-DOS boot vir.
New Virus (PC)
Re: Mac viruses (Mac)
MusicBug Boo-Boo (PC)
Possible new BRAIN version? (PC)
SCANning incompatible drive (PC)
SCANv74B false positive (PC)
Windows v3.0 / F-Prot (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    22 Feb 91 15:23:34 +0000
From:    ben@bucsf.bu.edu (Benjamin Cline)
Subject: problems w/ scan V74-b (PC)

I just downloaded scanv74-b from beach.gal.utexas.edu and it refuses to work properly with my hard disk, which is a Seagate ST-251-1 formatted with NEC DOS 3.3 (supports partitions > 32 megs). When I try scan c:\ it gives an error message "Sorry, the partion table on drive C is 1024 bytes long. That's too big forme." It will work fine if I try scan c:\windows. Previous versions (71,72) of scan worked fine. Any ideas?
Benjamin

- --
Benjamin Cline                           700 Commonwealth Ave, Box 1087
ben@bucsf.bu.edu                         Boston, MA 02215
- -----------------------------------------------------------------------------

------------------------------

Date:    22 Feb 91 11:13:58 -0500
From:    "David.M.Chess"
Subject: Re: IBM Virus Scanner. (PC)

If you have a version of VIRSCAN that is labelled 1.23, what you have is a (quite old) copy of the INTERNAL USE version of the program. The internal version number and the product version number are on two entirely different tracks (we'll be fixing this soon!). So internal 1.23 is in fact *older* than product 1.2. (The next versions of both will probably be called "2.0", so this problem will go away.) The current version of the product is 1.3; it should be available in IBMLINK in the Electronic Software Distribution section (this is what I'm told; I've never used IBMLINK myself).

The one source of virus signatures (suitable for use in VIRSCAN, for instance) that springs to mind is the list that is published in Virus Bulletin. That's a UK publication; I'm not sure how likely you are to find it in a US library, for instance...

DC

------------------------------

Date:    Fri, 22 Feb 91 12:12:14 -0500
From:    Jim Pinson
Subject: Standardized virus signatures

I have been evaluating several of the virus-scan programs and have noticed that several of them use (or can use) an external text file containing virus "signatures". This seems a very useful feature since signatures can be posted on lists such as this.

There does not seem to be a standard format for these files. Is there any reason a standard format could not be developed? It would simplify the virus posting process.
Jim Pinson
University of Georgia

------------------------------

Date:    Fri, 22 Feb 91 16:23:28 +0000
From:    DEL2@phoenix.cambridge.ac.uk
Subject: Norton rebuttal (PC)

Since I posted a comment from PC Business World recently which was critical of the Norton Anti-Virus package, I think it incumbent on me to offer also this response from Symantec. The "%" stands for bullets in the original text, which I have abbreviated, slightly edited and reformatted.

Regards, Douglas de Lacey, Cambridge University.

I would like to respond to PC Business World's review of Symantec's Norton Anti Virus for the PC (Nav) software--"Physician, heal thyself", 22 January 1991. Not only did it set out deliberately to discredit the solution offered by the Norton Anti Virus, but it did so with considerable inaccuracy. To illustrate this, I have highlighted some of the criticism in the review and offer Symantec's reply.

...

% "It contains the signatures for 141 viruses": this is incorrect. We do not contain signatures but virus definitions, which offer a more comprehensive description of the virus and in some cases, contain repair facilities. Furthermore, Nav has more than 141 definitions and detects more than 200 viruses and strains. We are constantly adding to the libraries to increase detection and prevention with monthly update disks, the first of which is currently being shipped. We have also consistently made it clear that we place great emphasis on providing users with a data protection service. This includes a unique Virus Newsline which users can dial into for information, a Virus Clinic-providing users with comprehensive seminars to address anti-viral issues-and the regular anti-virus update disk protecting against new virus outbreaks. It is also worth mentioning that as there is no standard taxonomy of viruses, competitive analysis of virus libraries is spurious. Until there is an industry standard way of naming viruses, competitive surveys should be treated with caution.
% "Unless you have Norton Intercept loaded in memory, you must boot up from an uninfected, write-protected Dos disk": this is no criticism, but highlights a positive feature. Good practice dictates that if Virus Intercept is not loaded, the user should boot from a write-protected disk. Virus Intercept also detects all defined viruses in memory.

% "PC performance drops noticeably": in the December issue of the Virus Bulletin, Nav was rated better than the competition ...

% "Percentage of files in which viral activity was detected--80%": Virus Bulletin stated that Nav had a 99% capability.

...

... we have already begun a dialogue with Interpol via Bob Hay, chairman of Fast and the Police Computer Crime Unit, as well as talking to our competitors about establishing an independent, international virus research facility.

% "The company says it does not do research in Europe, nor does it co-operate with the UK research community": this is untrue.

...

YUSUF HASSAN
General Manager
Symantec UK

------------------------------

Date:    Sun, 24 Feb 91 07:43:50 -0800
From:    teda!RATVAX.DNET.teda.Teradyne.COM!ROBERTS@EDDIE.MIT.EDU (George Roberts)
Subject: Virus Zaps POW Database

Taken without permission from: DEFENSE NEWS, Monday, February 18, 1991

Virus Zaps POW Database

A small computer in the U.S. Army's Pentagon operations center was struck by a virus Feb. 8, damaging a database of information about Iraqi prisoners of war, according to a Defense Department computer expert. However, the information was automatically preserved by security software, he said. The virus, called the "Marijuana Stoned" virus, probably infected the computer through video game software used for recreation by soldiers in Saudi Arabia, the expert said. Once the virus infects a computer, the screen displays a message telling users that the computer is stoned, adding "Legalize Marijuana!"

------------------------------

Date:    Fri, 22 Feb 91 19:13:55 -0500
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: MusicBug (PC)

Have just had a chance to look at the February VSUM and though Patti and I discussed this, evidently the fix did not get into this month's list. In short, you do not have to do a low level format of a hard disk to remove the MBug (though it will certainly work). Earlier I posted the "better" way to remove it, but if you are familiar with the disk and do not mind boot sector patching, restoration using "SYS" is possible.

Simply put, the MBug wipes the "reserved" sector value in the boot record. Since a DOS SYS command preserves this value, on boot, the system looks in the wrong place for the FAT. This makes finding the system files difficult. If the disk is a standard MFM or RLL drive, this value is hex 11 (17). Big drives are liable to use 3F (63). If in doubt, the maximum sector value (bits 0-5 of CL return from Int 13 fn 08) is a good start.

No guarantees & caveat todo but might retrieve the disk.

Padgett

------------------------------

Date:    Mon, 25 Feb 91 13:01:42 -0500
From:    Stephen McCloud
Subject: Problem with Scan 74B (PC)

SCAN 74B still finds Stoned/Swedish Virus on some Zenith-OEM MS-DOS computers. McAfee still has some work to do.

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Stephen McCloud, Systems Programmer, Indiana State University

------------------------------

Date:    Mon, 25 Feb 91 16:08:28 +0300
From:    eldar@lomi.spb.su (Eldar A. Musaev)
Subject: Comments to VAX/VMS: XENIX vs. MS-DOS boot vir.

Though UNIX and UNIX-like systems are highly protected, it does not work on the PC with many MS-DOS boot-viruses. For example, a month ago I saw a XENIX floppy infected by the Italy Ball virus.

Eldar A. Musaev, Ph.D., eldar@lomi.spb.su
Mathematical Institute, Leningrad        or fuug.fi!lomi.spb.su!eldar

------------------------------

Date:    Mon, 25 Feb 91 16:49:00 -0500
From:    S008@HECMTL01.BITNET
Subject: New Virus (PC)

Here is some information about a new virus (that I named "SCUD").
This virus modifies the boot record or the master boot of the hard disk depending on the stage of infection. Randomly, when you try to access a diskette (dir or other commands), if it is not write protected, it changes the boot record of the diskette and most of the time, it changes the media descriptor byte so you're not able to correctly access this disk anymore. One way to recover the data is to put a clean boot record on the diskette.

Hakim Belmaachi
Computer Analyst
Ecole des Hautes Etudes Commerciales
5255 Decelles, Montreal
Quebec, H3T 1V6
Tel. (514) 340-6067

------------------------------

Date:    Mon, 25 Feb 91 23:02:44 +0000
From:    fau@po.CWRU.Edu (Francis A. Uy)
Subject: Re: Mac viruses (Mac)

Melissa Jehnings said: "Although Mac viruses are easier to write, they are written much simply-minded. That is, it just has one thing in mind...to mess up a Mac. However, if you're keeping count of viruses, there are fewer Mac viruses (I think the last count was at 16) than there are for PC's, although PC viruses are usually much more sophisticated."

Another important thing to note is that none of the Mac virii known as of Disinfectant 2.4 are specifically malignant: i.e. they only attempt to spread, rather than trying to destroy files. As we all know, this is dangerous anyways, but at least it's heartening to know that aside from a few old Trojans, the Mac environment isn't lethal yet.

- --
"I have a very interesting pencil holder. It's an exact replica of a microwave oven." --mac7
Francis A Uy    The Loft    754.2079

------------------------------

Date:    Sat, 23 Feb 91 15:11:35 -0500
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: MusicBug Boo-Boo (PC)

Must have had brain fade over the weekend - only normal MFM drives use 17 sectors per track. RLL drives use 24 or 26 or something like that (why they are bigger). Int 13 fn 8 will tell you. Sorrabout that.
Padgett

------------------------------

Date:    Mon, 25 Feb 91 15:51:36 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Possible new BRAIN version? (PC)

I have no confirmation on this as yet, but ...

Date : 16-Feb-91 16:23
From : Larry Beattie

A version of Brain (apparently) known as "Shithead" has surfaced trashing hard disks etc on home computers. It apparently was transferred from PCs used by the airline reservation systems and came from a travel agent in Quebec. Anyone know anything about it? Using SCAN /M seems to disinfect it. The virus also apparently hides the work of other viruses (didn't know they did that) so it could be particularly insidious.

RS> Larry:
RS>
RS> Do you have a copy of the new virus for disassembly?

Unfortunately not. As a new user exchanging disks with my friend (who had his drive trashed) I immediately ran everything I could to clean my system. Apparently it worked. I will try to see what I can get since it also infected (came from) Airlines reservation systems and travel agents (brought home by my friend's wife).

========

In addition, I have recently been promised, but haven't yet seen, a version of Stoned that infects COMMAND.COM, increasing its length by 960 bytes.

Vancouver          p1@arkham.wimsey.bc.ca
Institute for      Robert_Slade@mtsg.sfu.ca
Research into      (SUZY) INtegrity
User               Canada V7K 2G6
Security           Radical Dude

"A ship in a harbour is safe, but that is not what ships are built for." - John Parks

------------------------------

Date:    Tue, 26 Feb 91 11:44:00 +0100
From:
Subject: SCANning incompatible drive (PC)

In a message of Thomas Heil said:

> When I enter SCAN C: with C: being a 40MB Tandon DataPac that has
> 1K-Sectors, SCAN reported that the partition table size was too large
> to be processed, and it stopped all further checking of the files.
I think that you should give NETSCN74 a try: it will scan all files (recursing into subdirectories) without checking on boot/partition compatibility. I don't know whether your DataPac won't be (easily) infected by current bootsector or partition table viruses though... (maybe not, if it is really non-standard?).

Jan van 't Ent, Apparatuurbeheer (computer support & maint dept)
ERASMUS          VANTENT@HROEUR5.bitnet
UNIVERSITEIT     telefoon +31 10 4081337      jvte@cs.eur.nl usenet
ROTTERDAM        telefax  +31 10 4081372

------------------------------

Date:    Wed, 27 Feb 91 11:07:00 +0000
From:    "Gordon Findlay"
Subject: SCANv74B false positive (PC)

I just downloaded the latest version of McAfee's SCAN (v74B) and tried it. It gives a false positive (I HOPE it's a false positive!) on a NZ program KILLER.COM, which is a little .COM file for removing variations on the Stoned virus. Scanv74B reports the Invader virus.

I assume it's a false positive as the file is only 799 bytes long, and the Invader virus is reported as adding 4096 bytes to .COM files, modifying the boot sector, and hooking interrupts (Thanks, Patricia Hoffman, for your VIRUSSUM work). None of these has happened.

I don't know how far KILLER.COM has travelled - it is a public domain program widely distributed in NZ; it may have spread as widely as Stoned, who knows? This false positive is definitely something for people to be aware of.

Gordon Findlay
GORDON@CHMEDS.AC.NZ

------------------------------

Date:    Tue, 26 Feb 91 21:52:00 -0500
From:    "Jeff Payne"
Subject: Windows v3.0 / F-Prot (PC)

I was curious if there was a Windows 3.0 version (or even aware) of any anti virus software? I am currently evaluating F-Prot and Norton's virus software for use on a large scale at the company I work for, as well as Penn State's Ogontz campus. What kind of result should I expect if I were to pick up a virus?
My experience with Character-based TSR's has shown that most will either be ignored or cause a UAE (the Microsoft user friendly "Unrecoverable Application Error" - about as Intelligent as "Abort, Retry, Ignore?"). Does F-prot get around this?

I think there would be a serious demand for a windows-based anti-virus program or even just a win front end (in the spirit of Zip Manager) for F-Prot. Although I don't claim to be a programmer, windows "TSR's" should probably be easier to write than a standard TSR, because they are actually separate processes, running in the background.

Also, has anyone tested F-Net with 3Com or Microsoft LanManager networks? I've loaded it and it didn't crash, but without a virus to test it, I can't really tell...

Which brings me to my last question: is there a "harmless" virus that I could use to test my configurations (in an isolated environment)? If so, where could I get it and how would you recommend I do this testing?

Please mail or post...

Jeff Payne
JSP105@psuvm.psu.edu

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 32]
*****************************************
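Editor's example, added after the digest and not part of any message in it (nor code from VIRSCAN, SCAN or any other scanner the digest names): one possible shape for the external signature text file that Jim Pinson's message asks about, with a parser and a scanner that runs the signatures over a buffer. The line format, the signature names, every byte pattern and the sample "file" are constructed for this demo and are not real virus bytes. A minimum pattern length is enforced as one plain guard against the kind of false positive Gordon Findlay reports, since very short patterns match ordinary code by chance.

```python
"""Minimal external virus-signature file: parser and scanner (constructed example)."""
import re

# Constructed sample signature file. Assumed format, one entry per line:
#   <name> ; <hex bytes, '??' = any one byte>      # comments allowed
# None of these patterns is a real virus signature.
SAMPLE_SIGNATURE_FILE = """\
# name ; hex pattern ('??' matches any single byte)
Demo-A    ; B8 00 4C CD 21 ?? ?? 90 90 90 E8
Demo-B    ; EB 1C 90 44 45 4D 4F 2D 42 00 55 AA
Too-Short ; CD 20        # would match far too many COM files
"""

MIN_SIGNATURE_BYTES = 8  # shorter patterns are refused to limit false positives


def parse_signatures(text):
    """Parse signature-file text into a list of (name, compiled bytes regex).

    Returns (signatures, errors). Malformed or too-short entries are reported
    in errors instead of being silently loaded.
    """
    signatures, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) < 2 or not parts[0]:
            errors.append(f"line {lineno}: expected '<name> ; <hex>'")
            continue
        name, tokens = parts[0], parts[1].split()
        pattern, ok = b"", True
        for tok in tokens:
            if tok == "??":
                pattern += b"."                  # wildcard: any single byte
            elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                pattern += re.escape(bytes([int(tok, 16)]))
            else:
                errors.append(f"line {lineno}: bad hex token {tok!r}")
                ok = False
                break
        if not ok:
            continue
        if len(tokens) < MIN_SIGNATURE_BYTES:
            errors.append(f"line {lineno}: {name} has only {len(tokens)} bytes, "
                          f"minimum is {MIN_SIGNATURE_BYTES}")
            continue
        signatures.append((name, re.compile(pattern, re.DOTALL)))
    return signatures, errors


def scan_buffer(data, signatures):
    """Return [(name, offset), ...] for every signature occurrence in data."""
    hits = []
    for name, rx in signatures:
        for m in rx.finditer(data):
            hits.append((name, m.start()))
    return hits


# Constructed buffer standing in for a file: padding, then bytes that match
# Demo-A with the two wildcard positions filled, then more padding.
SAMPLE_FILE = (b"\x00" * 16
               + bytes.fromhex("B8004CCD21") + b"\x12\x34" + bytes.fromhex("909090E8")
               + b"\xCC" * 8)


def demo():
    """Load the sample signatures and scan the sample buffer."""
    sigs, errs = parse_signatures(SAMPLE_SIGNATURE_FILE)
    return scan_buffer(SAMPLE_FILE, sigs), errs


if __name__ == "__main__":
    hits, errs = demo()
    for name, off in hits:
        print(f"{name} found at offset {off}")
    for e in errs:
        print("warning:", e)
```

Because a pattern is compiled to a bytes regex, a posted signature with `??` wildcards can be used unchanged; the refusal of the two-byte entry shows up as a warning rather than a silent load, which is the behaviour a scanner maintainer wants when signatures arrive by mailing list.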
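A second editor's example, also added after the digest and not from any of its messages: a parser and sanity check for the BIOS Parameter Block (BPB) in a DOS boot sector, showing the two damage patterns described above, the wiped "reserved" sector value from Padgett Peterson's MusicBug notes (after which DOS looks in the wrong place for the FAT) and the altered media descriptor byte from Hakim Belmaachi's "SCUD" note. Assumptions: the DOS 3.31-style BPB layout starting at offset 0x0B with a four-byte hidden-sector field; a constructed 512-byte sample sector in place of a real drive; and, because the digest does not say which BPB field "reserved sector value" refers to, the check covers both the reserved-sector count at 0x0E and the hidden-sector count at 0x1C. The `bios_sectors_per_track` parameter stands in for the value Padgett says to read from bits 0-5 of CL after Int 13 fn 08.

```python
"""DOS boot-sector BPB parser and sanity check (constructed example)."""
import struct

BPB_OFFSET = 0x0B
BPB_FORMAT = "<HBHBHHBHHHI"   # little-endian, DOS 3.31-style layout (assumed)
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_count", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads", "hidden_sectors")
VALID_MEDIA = {0xF0} | set(range(0xF8, 0x100))   # media descriptor values DOS uses


def build_boot_sector(reserved_sectors=1, media_descriptor=0xF8,
                      sectors_per_track=17, hidden_sectors=17, signature=True):
    """Construct a 512-byte sample boot sector for the demo (no boot code)."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"            # JMP over the BPB, as DOS sectors do
    sector[3:11] = b"DEMO 3.3"               # OEM label, constructed
    struct.pack_into(BPB_FORMAT, sector, BPB_OFFSET,
                     512, 4, reserved_sectors, 2, 512, 0, media_descriptor,
                     41, sectors_per_track, 4, hidden_sectors)
    if signature:
        sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def parse_bpb(sector):
    """Decode the BPB fields of a boot sector into a dict."""
    values = struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)
    bpb = dict(zip(BPB_FIELDS, values))
    bpb["has_signature"] = sector[510:512] == b"\x55\xAA"
    return bpb


def fat_start_offset(bpb):
    """Byte offset at which DOS expects the first FAT: it skips
    reserved_sectors sectors. A zeroed count puts that offset on top of the
    boot sector itself, so the system reads garbage where the FAT should be."""
    return bpb["reserved_sectors"] * bpb["bytes_per_sector"]


def check_bpb(bpb, bios_sectors_per_track=None):
    """Return a list of findings; an empty list means the BPB looks sane."""
    findings = []
    if not bpb["has_signature"]:
        findings.append("boot sector signature 55AA missing")
    if bpb["reserved_sectors"] == 0:
        findings.append("reserved sector count is 0 (FAT would start in the boot sector)")
    if bpb["media_descriptor"] == 0xF8 and bpb["hidden_sectors"] == 0:
        findings.append("hidden sector count is 0 on a hard-disk volume")
    if bpb["media_descriptor"] not in VALID_MEDIA:
        findings.append(f"media descriptor {bpb['media_descriptor']:#04x} is not a DOS value")
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append(f"bytes per sector {bpb['bytes_per_sector']} is not a usual size")
    if bios_sectors_per_track is not None and bpb["sectors_per_track"] != bios_sectors_per_track:
        findings.append(f"BPB sectors/track {bpb['sectors_per_track']} "
                        f"disagrees with BIOS value {bios_sectors_per_track}")
    return findings


if __name__ == "__main__":
    cases = (("healthy", build_boot_sector()),
             ("reserved count wiped", build_boot_sector(reserved_sectors=0)),
             ("media byte changed", build_boot_sector(media_descriptor=0x00)))
    for label, sec in cases:
        bpb = parse_bpb(sec)
        print(f"{label}: FAT expected at byte {fat_start_offset(bpb)};",
              check_bpb(bpb, bios_sectors_per_track=17) or "OK")
```

Run against a sector image read from a suspect diskette or partition, the findings list gives a concrete reason to prefer rewriting a clean boot record (Belmaachi's recovery advice) over a low-level format, and the sectors-per-track comparison is the cross-check Padgett suggests before patching any value by hand.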