VIRUS-L Digest Wednesday, 3 Apr 1991 Volume 4 : Issue 52 Today's Topics: New Mac Hypercard Virus (Mac) Questions re. UNIX viruses (UNIX) VSHIELD vs F-DRIVER (PC) Re: Re:Mutation of Stoned/Implications for self check (PC) Re: Whale virus, can anybody find it? (PC) FDISK; partitions starting at 0,0,2; Stoned virus; (PC) F-PROT 1.13 vs. 1.14 Bug? (PC) Help on key press (PC) How to kill Stoned in partition table (PC) Re: Need information about VIRUS BUSTER Re: Taking out A: & USSR BBS SILITEK virus (PC) Reviews placed on MIBSRV VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 01 Apr 91 17:48:00 +0000 >From: D1660@AppleLink.Apple.COM (SoftPlus, Paul Cozza,PRT) Subject: New Mac Hypercard Virus (Mac) For SAM 3.0 Users: A new Macintosh HyperCard virus has been found and has been named the HC Virus. The virus infects only HyperCard stacks, and is mostly annoying. With SAM 3.0 you can download the latest Virus Definitions file from the Symantec bulletin board which includes both detection and repair of stacks infected with this virus. You can also enter a virus definition via SAM Virus Clinic 3.0 if you only require detection capabilities for this virus. The proper virus definition for SAM 3.0 is included here. ************************************* SAM 3.0 Virus Definition For HC Virus Open the Data Definitions dialog in SAM 3.0 Virus Clinic by choosing "Add Definition (Data)" from the Definitions menu. Then enter the following information: Virus Name: HC Virus File Type: STAK Search String pop-up menu: ASCII Search String text field: if char 1 to 2 of LookAtDate <11 The string in the Search String text field above is an ASCII string. Blank area between words are spaces. The string IS case sensitive. As a guard against incorrect entry, SAM 3.0 has a "Check field" in the Definitions dialog boxes. If all of the above information is entered correctly, then your check field should be A0BD. Note that SAM 2.0 had the capability to detect and repair Hypercard viruses (such as Dukakis), but did NOT have a data definitions entry dialog. This is new to SAM 3.0. Paul Cozza SAM Author ------------------------------ Date: Mon, 01 Apr 91 20:18:49 +0000 >From: micor!esleng!esleng.ocunix.on.ca!dag@uunet.UU.NET (Dave Gilmour) Subject: Questions re. UNIX viruses (UNIX) Our company is currently under contract to provide some software to a customer that is worried that, because our system is connected to the USENET, it could potentially become infected with a virus and subsequently transmit that virus to their machine via the delivered software. Given this, I basically have three questions: 1) Are viruses a problem on UNIX machines that are connected to the net? We do not accept binary UNIX sources on our machine, so I presume that trojans are more likely to be a problem than viruses. 2) If viruses are out there ready to infect my UNIX machine, is there any software that I can run to detect/remove them from my machine? 3) What steps should I take in order to "reduce the risk" |-) Any help in the matter will be greatly appreciated. As always, if there is sufficient interest I will summarize to the net. Thanks. System Info : ISC2.2 System V R3.2, Everex Step 386/33 __________________________________________________________________________ David A. Gilmour | dag@esleng.ocunix.on.ca Excalibur Systems Limited | uunet!mitel!cunews!micor!esleng!dag Kanata, Ontario, Canada | ------------------------------ Date: Mon, 01 Apr 91 17:11:46 -0500 >From: Jeff Subject: VSHIELD vs F-DRIVER (PC) I am looking for comments on Vshield vs F-Driver running on a Novell network. Thanks in advance. Jeff LAN Administrator Georgia State University usgjej@gsuvm1 usgjej@gsuvm1.gsu.edu ------------------------------ Date: Tue, 02 Apr 91 10:50:00 +1200 >From: "Mark Aitchison, U of Canty; Physics" Subject: Re: Re:Mutation of Stoned/Implications for self check (PC) CHESS@YKTVMV.BITNET (David.M.Chess) writes: > ... Someone that I trust to be reasonably knowledgeable > in such things told me awhile back something like (I didn't write it > down) this: some hard disk controllers keep some information about the > structure of the hard disk on the hard disk itself, in the MBR. An area, up to 17 bytes, before the partition table, is used by some older XT controllers to store disk type parameters, instead of using CMOS or jumpers.* This isn't a problem for sensible checkers, since the area cannot gain control (even if it does contain nasty stuff), so long as the rest of the sector is still okay. The IMMUNISE program works around that area, for example. Mark Aitchison, Physics, University of Canterbury, New Zealand. * Info courtesy of Peter Johnson, still half asleep when I phoned. ------------------------------ Date: 02 Apr 91 10:59:23 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Whale virus, can anybody find it? (PC) csw76@seq1.keele.ac.uk (J.C. Kohler) writes: >I have a computer which is infected by the Whale virus, but none of >the virus-scanners I use can find it. I found the virus on the >computer about a week ago, using McAffee's scan. I removed the >infected files, but it keeps coming up. Ono possible explanation might be that most existing scanners only detect the "standard" 30 forms of the Whale, but recently some new forms have appeared. There are rumors they are created by a "configuration" program which swaps out entire modules, if it finds Whale present in memory, but this has not been confirmed. - -frisk ------------------------------ Date: Tue, 02 Apr 91 08:39:12 -0700 >From: con_jdc@selway.umt.edu (John-David Childs) Subject: FDISK; partitions starting at 0,0,2; Stoned virus; (PC) >> Nick Fitzgerald wrote >> Some OEM versions of DOS (some of them still >> labelled MS DOS) with version numbers 3.0 and above have versions of >> FDISK that still begin the first partition at 0,0,2 - from memory, I >> think Falcon DOS 3.1 is one such. This may give a tiny bit more >> usable disk space, but causes grief after a Stoned strike. >Padgett Peterson replied: >[stuff deleted] One point though: A disk could be partitioned with FDISK 1.00 >even though a later version of DOS is loaded. I would like to hear from the >readers if they have come across any later partitioning software that does >not use "hidden sectors" as described. One of our computer labs on campus uses Computerland DOS 3.1 (the FDISK version number is listed as "BC88/BC286 FDISK ver 3.0") which begins the first partition at 0,0,2. A few months back, the lab got hit with the Stoned virus and we discovered that F-PROT 1.13 would not disinfect the stoned virus properly so we ended up having to reinstall the machines from scratch every time the PC's got infected (until I wrote a small C program to get rid of it...thanks to the VIRUS-L readers). F-PROT 1.14 DOES properly disinfect the Stoned virus from machines whose partitions begin at 0,0,2. When used in conjunction with F-DRIVER.SYS at startup, I've had no trouble with removing the virus. If F-DRIVER.SYS or some other detection utility was not loaded at startup (F-DRIVER.SYS halts the PC if a virus is detected), then Nick's and Padgett's comments about corrupted FAT's etc. would be apropos. John-David Childs Consultant, University of Montana CIS ------------------------------ Date: Tue, 02 Apr 91 09:45:29 -0700 >From: rtravsky@CORRAL.UWyo.Edu (Richard W Travsky) Subject: F-PROT 1.13 vs. 1.14 Bug? (PC) I have an older version of the Jerusalem virus (2 years or so) I use for testing. F-Prot version 1.13 detects and removes it, version 1.14a detects it but doesn't remove it, saying it's an unknown variant. Does anyone have any other information or similar reports on version differences? I've sent this on to Mr. Skulason, but I don't think my mail is getting through. Richard Travsky Division of Information Technology Internet: RTRAVSKY @ CORRAL.UWYO.EDU University of Wyoming (307) 766 - 3663 / 3668 ------------------------------ Date: Tue, 02 Apr 91 18:01:17 +0000 >From: pc@dtek.chalmers.se (PC-Operator) Subject: Help on key press (PC) We are having trouble with the key press virus and would like some information about it. We clean our machines regulary with SCAN wich seams to work, but it always shows up again. Is this a common problem with this virus (it could of course be due to people bringing infected disks but sometimes it shows up only an our after we have cleaned the machine) If anybody has the signature we would apriciate if he/she could mail it. (we would like to scan a partition on our UNIX system without using MS-DOS. Please send the above information to: pc@dtek.chalmers.se Thanks Martin ------------------------------ Date: Tue, 02 Apr 91 23:25:15 +0000 >From: westk@cgrb.orst.edu (Ken West - Entomology) Subject: How to kill Stoned in partition table (PC) How does one kill the stoned virus when it resides in the partition table of a hard drive. Does McAfee's clean kill it? I've had no trouble killing in boot sectors with f-disinf but it won't get it in the PT. Thanks in advance! =-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-- = Kenneth J. West Ever notice how war is particularly ugly westk@bionette.cgrb.orst.edu when you try to explain it to children? =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - - ------------------------------ Date: Tue, 02 Apr 91 23:42:13 +0000 >From: act@softserver.canberra.edu.au (Andrew Turner) Subject: Re: Need information about VIRUS BUSTER R.Grapes@massey.ac.nz (Robert Grapes) writes: >I am trying to obtain as much information as possible about a product >called VIRUS BUSTER. The only information I have about it is that it >appears to be an Australian product. Any help would be greatly >appreciated. Virus Buster is marketted by: Leprechaun Software Pty Ltd PO Box 134 Lutwyche Queensland 4003 Australia A contact for them is Lindsay Hough +61 7 2524037 At the University of Canberra we have just purchased a site license after reviewing a number of antivirus products. As with all of them it has its pros and cons. I was surprised to find an Australian product able to keep track of the latest virii, these guys seem to have the right sources. The product approaches the Virus problem from very sound principles and while signatures are used it is recognised that with the exponential growth in virii this approach has limits. Virus Buster also uses ISO standard check-summing at very low levels to defeat virii which attempt to catch and defeat check-summers. For the State-side listeners. Virus Buster makets out of Leprechaun International 2284 Pine Warbler Way (pretty name eh!) Marietta Georgia 30062 USA 404 971 8900 fax 404 971 8988 I would be happy to accept queries via e-mail. PLEASE NOTE THAT THIS POSTING IS NOT AIMED AT PROMOTING THIS PRODUCT OVER ANY OTHER. SO LETS NOT HAVE A NEWS WAR!!! I believe that - -- Andrew Turner :-) | E-mail : act@csc.canberra.edu.au Comp. Services Centre | +61 6 2522414 / +61 6 2522401 University of Canberra |________________ fax +61 6 2522400 P.O. Box 1 BELCONNEN ACT 2616 AUSTRALIA | ------------------------------ Date: Tue, 02 Apr 91 11:01:00 -0800 >From: "rivero@dev8.mdcbbs.com"@MDCBBS.COM Subject: Re: Taking out A: & USSR BBS mrs@netcom.com (Morgan Schweers) writes: > Greetings, > I recently recommended to a network site that they lock their 'A' > drives with a network boot diskette in them. Their 'B' drives should > remain unlocked for data transfer. There are many companies that make > disk drive door-locks, and this is a much 'nicer' solution than > removing the drive entirely. In fact, one could lock the drive doors > WITHOUT a disk in them, thus forcing a boot from the HD, and still > allowing access to the B drive by anyone (and access to the 'A' drive > by the computer-manager). I know a lot of sites ( and will probably use this in my own setup soon) in which one small PC is the lone interface to the outside world. It is a one way gate. There is no way to communicate from the PC to the internal systems, only from the internal systems to the PC. The PC connection to the world is two way. This is a hardwire job, and thus effectivly prevents a virus attack from getting any further than the PC ( which is kinked with all kinds of detection and elimination code). ------------------------------ Date: Wed, 03 Apr 91 09:28:36 -0500 >From: Dj Merrill Subject: SILITEK virus (PC) Shows a bunch of hearts, smiley faces, etc. on the screen - says something to the effect 'Copyright 1989 by SILITEK' Anyone ever hear of this?? SCAN75 apparently doesnt find it... Know of something to clean it? - -Dj Merrill deej@maine.maine.edu ------------------------------ Date: Mon, 01 Apr 91 14:57:03 -0600 >From: James Ford Subject: Reviews placed on MIBSRV Several antivirus package reviews by Rob Slade and Chris McDonald have been placed on MIBSRV (130.160.20.80). These reviews are located in the directory pub/ibm-antivirus/0REVIEWS. These reviews were taken from cert.sei.cmd.edu's pub/virus-l/docs/reviews directory. Note: The directory name *is* case sensitive. You must specify 0REVIEWS in caps (thats "zero"REVIEWS, not "oh"REVIEWS). The file vsum9103.txt has been placed online. This is the text version of vsum9103.zip. Hopefully I have all the permissions set right on the files this time! :-) - ---------- Help fight truth decay. - ---------- James Ford - JFORD@UA1VM.UA.EDU, JFORD@mib333.mib.eng.ua.edu The University of Alabama (in Tuscaloosa, Alabama) ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 52] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253