VIRUS-L Digest Thursday, 28 Feb 1991 Volume 4 : Issue 33 Today's Topics: Problems with AirCop (PC) Stoned - new version? (PC) Word Perfect and change checkers (PC) Virus Protection in Real Time Boot Sector/Partition Table Protection (PC) Re: SCANv74B false positive (PC) ALERT: WDEF A, found on Rodime utilities for Mac. (Mac) File reduction virus? (PC) Unidentified infection - help (PC) f-prot & windows (PC) CARMEL Turbo Anti-Virus Set (PC) Innoculating diskettes (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Wed, 27 Feb 91 11:50:31 -0600 >From: Jesus Barrera Ramos Subject: Problems with AirCop (PC) Last week I detected AirCop virus in two disks of mine (in my systems disks to be exact), well I "removed" them with scan72 but in the finish of the clearing it said me that "Virus cannot be safely removed from boot sector"; so, I cleane d it again and said me again that it cannot be removed safely, I don't know if giving to the disk a "Sys b:" can I get ride of AirCop, I read Patricia M. Hoff man document and it doesn't says nothing about that. Can anybody tell me how ca n I get ride of AirCop?, Does a scan newer than scan72 can remove it safely?and if it does, Where can I get that new version?, and last, does AirCop virus safe it virus code anywhere else the boot sector? (Like a backup af itself)...Well, that's all for now, I'll thank your answers...and please...forgive my english errors. Jesus Barrera Ramos (BL161926@TECMTYVM) (Eqix) ------------------------------ Date: Tue, 26 Feb 91 11:36:53 -0500 >From: martha rapp Subject: Stoned - new version? (PC) We may have a new variation of STONED II here at IUPUI. The message has been changed to say LEGALISE instead of version 2. This IS NOT being found by virus scan version 74b on the harddrive but will find it on the floppy. The machine infected is a COMPAQ XT. Also before I forget the message does not appear in the partition table when viewed with a sector editor. Martha Rapp BITNET: IMER400@INDYCMS || INTERNET: IMER400@INDYCMS.IUPUI.EDU Programmer/Analyst Indiana University Purdue University at Indianapolis ------------------------------ Date: 27 Feb 91 13:35:38 -0500 >From: Bob Bosen <71435.1777@CompuServe.COM> Subject: Word Perfect and change checkers (PC) Rob slade writes: >All versions of Word Perfect (at least since 4.2) have had a self >testing module in them. Neither F-XLock nor SCAN /AV nor any >other self checker that adds code to the program can be used on >it, since the added code invalidates the internal self test. Please note that not all "change checkers" add code to the program. SafeWord Virus-Safe, for example, does not. There are probably others. The term "change checkers" is very descriptive, but I prefer the more positive-sounding terms such as "integrity checkers" or "signature verifiers". Whatever you call them, in my view these represent the only defense capable of detecting TODAY's and TOMORROW's viruses in addition to YESTERDAY's! Viral infection is a subset of the larger problem of verification of integrity. - -Bob Bosen- Enigma Logic Inc. (Producers of SafeWord VIRUS-Safe [Now Shareware]) 2151 Salvio Street #301 Concord, CA 94520 USA Tel: 415 827-5707 FAX: 415 827-2593 Internet: 71435.1777@COMPUSERVE.COM ------------------------------ Date: 27 Feb 91 14:37:54 -0500 >From: Bob Bosen <71435.1777@CompuServe.COM> Subject: Virus Protection in Real Time David M. Ung writes: >Does anyone know about existing software packages that watch for >suspicious viral activities in real time? There are several such packages. One of them is mine, SafeWord Virus-Safe, now available as shareware. This package evaluates all executable code prior to allowing it to execute, performing a sophisticated integrity check. It does NOT check for viruses specifically. Instead, it alerts the user if it detects any CHANGES in the file(s) or programs or program segments being executed. Users can "tune" this package to achieve any trade-off they want, choosing between the highest possible performance or the highest possible protection. - -Bob Bosen- Enigma Logic Inc. 2151 Salvio Street #301 Concord, CA 94520 USA Tel: (415) 827-5707 FAX: (415) 827-2593 Internet: 71435.1777@COMPUSERVE.COM ------------------------------ Date: 27 Feb 91 14:22:36 -0500 >From: Bob Bosen <71435.1777@CompuServe.COM> Subject: Boot Sector/Partition Table Protection (PC) Referring to the idea of inserting viral detection code very early in the bootstrap sequence by modifying the partition table, Padgett Peterson writes: >I hope that this will stimulate some activity on the part of the >vendors to provide such protection -- it is not difficult to write, >but for me, I would no longer consider any product complete unless >some such form of low level protection was included. I'm sorry, but it would just be too easy to fake the "all clear" message generated by any such technique. I agree that some form of low level protection is necessary but I fear that defensive code hiding in partition tables will be much more vulnerable to attack than MY preferred method: periodically bootstrapping from a "sterile" boot diskette that is kept isolated from every other usage. If I never use that boot diskette in any machine executing any code that didn't COME from that diskette, then it CAN't be corrupted. Period. End of discussion. That's the ultimate low-level protection. Bob Bosen Enigma Logic Inc. (Producers of SafeWord VIRUS-Safe [Now Shareware]) 2151 Salvio Street #301 Concord, CA 94520 USA Tel: (415) 827-5707 FAX: (415) 827-2593 Internet: 715435.1777@COMPUSERVE.COM ------------------------------ Date: 28 Feb 91 18:34:22 +0100 >From: cctr132@csc.canterbury.ac.nz (Nick FitzGerald) Subject: Re: SCANv74B false positive (PC) In Virus-L V4 #32 GORDON@CHMEDS.AC.NZ (Gordon Findlay) wrote: >I just downloaded the latest version of McAffee's SCAN (v74B) and >tried it. > >It gives a false positive (I HOPE it's a false positive!) on a NZ >program KILLER.COM, which is a little .COM file for removing >variations on the Stoned virus. Scanv74B reports the Invader virus. It's a false postive alright. Seems that the code sequence in the INVADER that SCAN looks for is also *legitimately* present in KILLER. My guess is that it is part of the code that does the absolute disk reads and/or writes that is likely to be present in both the virus and KILLER. Anyone who has KILLER shouldn't be using it any more. Apart from the "annoyance" value of the false SCAN report, it does not detect or fix the STONED-2 virus. NOSTONE (an update of KILLER), is aware of both strains of the STONED, and doesn't set off the false alarm when SCANned. >I assume it's a false positive as the file is only 799 bytes long, and >the Invader virus is reported as adding 4096 bytes to .COM files; >modifying the boot sector, and hooking interrupts (Thanks, Patricia >Hoffman, for your VIRSUSSUM work). None of these has happened. Sounds like good reasoning to me. As I said above, its likely the absolute disk read/write code is the same in the virus and KILLER. - -------------------------------------------------------------------------- - Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z. Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337 ------------------------------ Date: Thu, 28 Feb 91 09:44:36 +0000 >From: Paul Woodman Subject: ALERT: WDEF A, found on Rodime utilities for Mac. (Mac) This subject may have been covered here before, but viewers may be interested in the virus that came with my new Rodime disk. Last week I took delivery (in the UK) of a Rodime 45 plus drive for my Mac. It was supplied in an unopened Rodime carton so I presume, but can't be sure, that nobody has had their fingers in it since it left the factory. The drive comes with a 3.5' floppy called PLUS/RX utilities for the Macintosh. It is a nice touch by Rodime that the drive is supplied already formatted complete with System 6.0.4 installed so you are ready to plug in and go. However, as the accompanying documentation points out, it would be a good idea to reformat/partition your disk etc with the utilities provided on the floppy. So I did, and they were very nice utilities that left me with a reformated disk waiting for me to load with my appropriate software environment. In fact the utilities were so nice that I inserted the floppy in another Mac to see if they would work with a different Rodime drive. As I inserted the floppy, good old disinfectant 2.4 complained the floppy was infected with WDEF A. I then went back to my newly formatted 45 plus with a clean write protected copy of disinfectant and sure enough, the hard drive was infected. (I must make clear that this was a diskless Mac Plus that I connected the Rodime drive to. At the time of connection it was switched off, had no other external hardware attached and on subsequent power up, no external hardware was attached and the only floppy inserted in the internal drive was the Rodime utilities followed by the disinfectant floppy AFTER I had discovered the virus.) I called the Rodime UK technical support number as listed in the manual and discovered it was the number of their Fax machine. When I finally got through to their UK technical support, they appologised, but didnt seem in the slightest bit concerned to the extent that they didnt even want to take my name or contact details or have the offending floppy back. They also confirmed that the utilities floppies are not delivered shrink wrapped so there is no security involved. In conclusion, I dont know enough about viruses to be sure of where this one got in. However I can be 100% sure it wasnt on this site, as far as I can tell from the packaging, nobody has opened the box since it left Rodime and the dealer confirms that he didnt open the box. When you consider the damage that could have been caused if trusty disinfectant hadn't come to my rescue, then Rodimes response is incredibly poor, even if they aren't responsible for the appearance of this virus on my disk. The UK price is $900 and for that price, I expect better. Rodime told me that they no longer make this model in the UK but import it from Rodime in the US. I wonder if anybody else has discovered this problem with Rodime ? Paul Woodman Praxis plc, Software Engineers, \ / | 20 Manvers Street, Bath, BA1 1PX, UK. \ / ___ ___ _| Tel +44 225 444700 xt228 \ /\ / / / / / / | \ / Fax +44 225 465205, Telex 445848 \/ \/ /__/ /__/ /__| \/ woody@praxis.co.uk _________________________/ ------------------------------ Date: Wed, 27 Feb 91 18:24:00 -0500 >From: Sliner Subject: File reduction virus? (PC) I know viruses sometimes increase file lengths, but can a virus decrease a file length? The reason why I was asking was on a bank of PCs in a lab, the ipx.com file was 26666, but on one machine in the bank, the size was 25500, and the file had the correct date. Another problem was that the machine was notreading the autoexec.bat file when the computer was booted up. I ran scan 72, but it did not detect anything. Thanks in advance, Dan Sline Bitnet: Sline@Ithaca Internet:Sline@Ithaca.bitnet P.S. Could someone please post to list or e-mail me a message when the next batch of scan programs from McAfee is available (I currently have V74B)? ------------------------------ Date: 28 Feb 91 14:58:57 -0500 >From: "Christa.Keil" Subject: Unidentified infection - help (PC) Hallo :-) I have a probleme.... with a virus (with whatelse ;-) ) A student is working with WINDOWS 3.0, the name of the file which is 'infected' is: WIN386.EXE. He has 2 viren scan programs (ANTIVIR SCAN), which both tell me that there is a virus, BUT they can't tell me what virus it is. The original exec is smaller then the exec the student is using now. Is it possible, that the virus has been in a free space of the hard- disc, before the installation of windows was started? The program is still running and the student did not find any changes in files or other exe's or com's Can anybody give me the name of a virus-kill-program, which is avaible in Germany. Christa Keil *====================================================================* ! _--_ _--_ ! Christa Keil UMV001@DBNMEB1.BITNET! ! ( )~~~( ) ! S.-Freud-Strasse 25 Tel.: +49-228-280-2832! ! \ / ! D-5300 Bonn 1 ! ! ( O _ O ) ! Fed. Republic Germany ! ! \ / !==================================================! ! ( `-' ) ! "Teddies will never disappoint you .... :-)"! ! `---' ! "I'm the female your mommy always warned you! ! Zotty ! about...." ! *====================================================================* ------------------------------ Date: Thu, 28 Feb 91 15:25:01 +0000 >From: treeves@magnus.ircc.ohio-state.edu (Terry N Reeves) Subject: f-prot & windows (PC) I hope the author will speak to this, but by actual test: IBM DOS 4.01 IBM PS/2 55sx Windows 3.0 F-PROT 1.14a Attempted to run file infected with Jerusalem viurs from windows file manager. The f-driver flashed the "this file infected message" (gone too fast to read thanks to windows) and then windows gave me a dialog box with an Access Denied error. This is the same error I would get at the C> prompt. The virus was blocked. The same results occur if an icon is setup for an infected file. Hardly an exhaustive test, but it would appear windows doesn't stop the f-driver from functioning. ___________________________________________________________________________ _ | That's my story, and I'm sticking to it! | |___________________________________________________________________________ _| | Microcomputer software support, | treeves@magnus.IRCC.OHIO-STATE.EDU | ------------------------------ Date: Tue, 26 Feb 91 10:16:47 -0800 >From: Ferdi.Louw@p112.f1.n491.z5.fidonet.org (Ferdi Louw) Subject: CARMEL Turbo Anti-Virus Set (PC) infocenter@urz.unibas.ch told All on that: Newsgroups: comp.virus >Please send me any information you have about the >Turbo Anti-Virus Set from Carmel Software Engineering Short evaluation of "Turbo Anti-virus" by Carmel Software Engineering, Israel. It costs about (SA)R300 and contains the following: TNTVIRUS EXE 153600 91-01-10 23:12 Menu or command line driven do-it-all program. It can scan, clean, immunize self verification and backup boot areas. The menu system allows you to tag dir.s or files to operate on. It is quite reasonable friendly. INSTALL EXE 48734 90-09-27 17:23 Automatic installation. README DOC 71067 90-09-14 11:02 Updates and short virus descriptions. TSAFE COM 22703 91-01-08 11:09 TSR of 16.5k ram. Checks for invalid operations (on disk and on ram), known virii, pop-up menu, friendly configuration. Select what you want to protect. DEFENDER COM 6819 91-01-08 11:10 Small 4.5k TSR checks only for known virii BOOTSAFE EXE 34014 90-11-08 7:00 Compares boot areas at startup for modifications. Can restore from saved copies. PROTECTH EXE 9728 90-09-25 9:38 Copy protection :-( allows install on HD. (Protection scheme involves a series of magnetically bad sectors.) Only on tntvirus.exe. LAN version also available. Includes 1 year free upgrades. I don't like menu driven software but this seems quite acceptable. Non-technical users should also find it usable. The manual is however short, without index or contents. But I heard there is a new manual out now. Ferdi :-) D.F.B. Louw E-mail: Ferdi.Louw@p112.f1.n491.z5.FidoNet.org Atomic Energy Corp. FidoNet: Ferdi Louw of 5:491/1.112 Pelindaba 1500 UniNet: Ferdi.Louw%p112.f1.n491.z5.FidoNet.ORG at RURES PO Box 582 Phone: +27-12-316-6125(w) Pretoria 0001 Phone: +27-12-344-3331(h) South Africa Fax: +27-12-316-5137 (Alternative e-mail: "[D.Louw/OMNET]MAIL/USA%TELEMAIL"@intermail.isi.edu) - -- uucp: uunet!m2xenix!puddle!5!491!1.112!Ferdi.Louw Internet: Ferdi.Louw@p112.f1.n491.z5.fidonet.org ------------------------------ Date: Mon, 25 Feb 91 15:43:38 -0400 >From: MMCCUNE@sctnve.BITNET Subject: Innoculating diskettes (PC) [Ed. The INNOC program (source code only) is available by anonymous FTP from mibsrv.mib.eng.ua.edu in pub/ibm-antivirus/innoc.zip.] INNOC Boot Virus Immunizer - -------------------------- (c) Mike McCune 1991 - All rights reserved. This program may be used and distributed freely. Boot Sectors infectors are among the most prevalent of computer viruses in the US. Commercial programs that detect and clean out these viruses do not confer any immunity, and the same diskettes can be reinfected at a later date by the same virus. INNOC is a general-purpose Boot virus immunizer for diskettes. It will not only destroy Boot Sector infectors, but will `innoculate' against some of the more common Boot viruses. To use it, insert the desired diskette in Drive A: and type: innoc INNOC will immediately destroy any Boot infectors present on the diskette and will simultaneously immunize it against the following viruses: Brain Ashar Stoned Ping-Pong Diskettes immunized by INNOC will not be infected by any of the viruses against which INNOC confers immunity. The immunization is achieved by writing special code sequences into the Boot Sector. For this reason, immunized Diskettes can no longer be used as Booting disks. Since most disks are never used in that manner, this is not a major problem. If you need to make a diskette bootable again, simply use DOS's SYS.COM (SYS A:.). This, however, will destroy the immunization conferred by INNOC. INNOC issues the following messages: - ----------------------------------- Read Error | An error occured while reading from the diskette. Simply run the program again. Usually a hardware/media problem. Write Error | An error occured writing to the diskette. Same as above. Try again. Diskette A: | Any Boot Sector viruses have been disabled, and the diskette Innoculated | is now immunized. DISCLAIMER ---------- In order to avoid getting sued, I offer no warranty on this or any other program. I do appreciate suggestions, though. I can be reached on the ILink and FidoNet virus conferences. I can also be reached on the RelayNet DataProtect and Virus-L conferences. My BitNet address is MMCCUNE@SCTNVE.... ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 33] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253