Date: Mon, 19 Apr 1993 13:03:58 -0400
Message-Id: <9304191119.AA02892@first.org>
From: "Kenneth R. van Wyk"
Subject: VIRUS-L Digest V6 #65

VIRUS-L Digest             Monday, 19 Apr 1993        Volume 6 : Issue 65

Today's Topics:

    Re: Sending viruses over Internet
    Re: Scanners getting bigger and slower
    Re: Scanners getting bigger and slower
    Re: New program chair for IDES-of-March Virus Conference
    Re: New program chair for IDES-of-March Virus Conference
    Should viral tricks be publicized? (was: Integrity checking)
    Virus Signatures
    IDES-of-March Virus Conference
    Re: Beneficial/Non-Destructive
    Re: Macintosh [and non-PC] Postings
    Forwarded message from Scotland Yard
    Re: Should viral tricks be publicized?
    Re: Survey
    Re: ANSI viruses and things that go bump in the night (mostly PC)
    Re: Optimum Strategy for Virus Checking (PC)
    Re: Viruses and Canada (PC)
    Re: McAfee latest version (PC)
    Disk Access via Port Writes (PC)
    5lo virus? (PC)
    Disk Death (PC)
    Re: Unknown little virus? (PC)
    VSAFE WONDER false alarm? (PC)
    Re: Removing PingPong virus from boot sectors (PC)
    Re: VSUM (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at:

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Thu, 15 Apr 93 17:57:20 +0000
From: atman@rahul.net (Visceral Clamping Mechanism)
Subject: Re: Sending viruses over Internet

Quoth bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev):

> Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:
>
> > My concern is that it would be easy for an untrustworthy Internet
> > node to trap all mail to/from a certain Internet address in order
> > to obtain virus code.
>
> You are right.
>
> > Of course, similar concerns exist for other networks like Fidonet
> > and local area networks as well.
>
> On FidoNet the situation is slightly different. If NetMail is used,
> then you are calling directly the telephone of the recipient, so the
> only way to intercept the virus code is by wiretapping.

This is not strictly true. Fidonet also has an email routing method called "host routing" in which email is transferred through one (or more?) "host" systems. There is a "host" for each "net" and one of the obligations of a host is to pass host-routed mail, although most of them will complain if you do so, since there is generally no good reason other than forcing someone else to shoulder the long-distance phone bill for the message. Additionally, email sent to other Fidonet-compatible networks or other zones (Europe and North America are in different zones) may wait in a gateway.
Email in Fidonet is not always point-to-point, and encryption of sensitive data, such as new viruses, with a good encryption program is always a good idea.

@Man
- --
atman@rahul.net || "Burn hollywood burn!" "I hanker for a hunk of cheese."

------------------------------

Date: Thu, 15 Apr 93 17:53:35 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Scanners getting bigger and slower

Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) writes:

> But still, the more viruses there are, the more time you'll have to spend
> searching, or, to put it in other words, there are more things to search for.
> in every scanned file, that is, exclusive of various 'Turbo Scanning'
> techniques...)

No, this is exactly what Frisk is trying to tell you - it is possible to make the scanning time constant (and very short), regardless (well, almost) of how many signatures you are scanning for. At the expense of memory usage, of course. The technique is known as "hashing" and is explained in Knuth's "bible". Roger Riordan has invented another such technique, called Polysearch; it is described in the proceedings of the 5th International Computer Virus and Security Conference.

> This is true, but the least program of all to EVER announce - "Sorry, 386 and
> up" is an Anti-Virus program. This program is always guaranteed to have a
> market, no matter what new chip Intel is announcing or what old chips people
> laugh about - as long as it runs MS-DOS :-)

Honest, have you recently run CPAV or NAV or SCAN or F-Prot on an XT with CGA, 256 Kb conventional RAM, no XMS or EMS RAM, and a 20 Mb MFM hard disk? Did the scanner fit into that memory? Did you have the patience to wait until it finishes the memory scan? Would you run it on that machine every day? (Note: some of the scanners mentioned will probably run under these conditions. Whether the user will be willing to use them is another question.)
> Generic programs were more of effect in the days where all the viruses were
> leaching - adding to file. Today, you have a lot of new techniques, that are

That's very true, but nevertheless there are hundreds of -silly- viruses being written even nowadays, so a generic disinfector really helps - just don't expect it to be able to handle everything.

> disinfector. Maybe a generic scanner, but what good is a scanner without a
> disinfector?

A generic disinfector is significantly easier to write than a generic scanner. With a generic scanner you have to worry about the false positives. To make a generic disinfector you just need to keep some information about the uninfected files and try to restore it after infection. The more information you keep, the better the chances that you'll succeed in recovering the file. In order to achieve 100% effectiveness, it is sufficient to keep ALL the information about the files. Such a 100% effective generic disinfector exists. It is supplied with every DOS version. It is called BACKUP (or something similar). Use it. It can disinfect any virus, and not only viruses... :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 15 Apr 93 18:09:16 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Scanners getting bigger and slower

Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes:

> Do you remember who published the first GENERIC method of
> how to clean the 1963 virus without an Anti-Virus program ?

A generic method for Necropolis? It's relatively difficult for generic disinfectors... Not completely impossible, but...
Oh, I see, you probably mean the trick with archiving all executables, booting from a clean system and restoring them? Works for almost any stealth fast infector; I described that years ago when I first saw Frodo... And have actually used it to remove Number of the Beast, Necropolis, Dir II (for the last one I used a simpler variation).

> As I said: Suppose you've discovered that when a specific virus
> infects a program the result is such that if you do a certain process on the
> file the result will always be the same... for example lets say that the
> Jerusalem virus always adds 1800 bytes to the file and the 170th word of the
> end of the file - 1800 equals 1800 (NOT THAT IT IS REALLY SO).
> So if you take ANY file and do: (FileSize-(FileSize-1800))-170 the result will
> always be 1800 (if the file is infected).

Bzzt... Won't work. Here comes CPAV/TNTVIRUS in its "immunize" mode, adding "MsDos" to all files, or SCAN /AV, adding 10 bytes to all files, or the file has been downloaded with Xmodem and is padded with 1Ah to the next multiple of 128. Now the 170h word from the end of the file contains something entirely different and you miss the virus, which works perfectly and infects the user's system. Or am I missing something?

Relying on the supposition that the virus will be at a particular offset from the beginning or from the end of the file could be very dangerous. You should either follow the file entry point, or scan the whole file...

> You spent only 2 cycles to verify each virus on your list...

..and missed the virus on 2 of every 100 checked systems... :-)

> Ask Nemrod about the generic methods in McAfee's package...

Uh, -what- generic methods in McAfee's package? The generic boot sector virus detection? It is relatively good, indeed. Or the generic file virus detection - the Fam[1-3EJMNQ-S] viruses? That's horribly bad. Or the generic boot sector virus disinfector? That's useful, but trivial to bypass...
> Some infection methods are harder to disinfect than others, However there are
> Generic disinfection techniques for all viruses today (except the destructive

Yes, BACKUP. Works even against the destructive viruses... :-)

> viruses), generally: if a file works after infection that means that the
> information for its recovery exists and one should only look in the right
> place.

That sounds nice in theory, but there are a few practical problems to implement it. You are probably referring to something like the method used by TbClean - interpret the virus until it restores the original file. Problem is, how do you know that the virus has transferred control to the original file? What if the virus performs (randomly) something destructive before transferring control to the original file? What if the virus tries to detect that it has been interpreted/traced/emulated and behaves differently in these cases? What are you going to do - emulate the full hardware? Let the virus do the damage?

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 15 Apr 93 18:48:29 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New program chair for IDES-of-March Virus Conference

jsb@well.sf.ca.us (Judy S. Brand) writes:

> The person does not seem to have read my letter last week
> to "Ides of March" attendees.

Uh, what letter? I have not received any such letter - at least not yet.

> It contained this announcement:
> "Next year, for the first time, the specialists
> on our greatly expanded Program Committee will
> take complete charge of organizing the presentations and sessions."

You mean "Next year it will be better"?
:-)

> Each program objective or topic will have multiple session
> presiders and be chaired by a member of the Program Committee
> who is a specialist in that area. For practical reasons, a
> topic occupying more than one track will have co-chairs,
> and in one case one pair of unrelated topics of two or three
> sessions may be chaired by the same individual who knows both.

I don't think that anybody complained about the lack of chairs in the last conference. The major complaint was about the lack of organization... Because of that the chairs didn't know what to chair, where, when, and who was speaking in their sessions and what about. (BTW, I thought that "chair" means only the object you use to sit on; you seem to be using it as a synonym for "chairperson"?)

> overall Program Chair. Professor Richard G. Lefkon, who
> has been Program Chair for a few years running, will devote
> most of his effort at the 1994 conference to making sure the
> registration and premises are well-run.

I'm afraid that this alone might repulse the prospective attendees for the next conference...

> Dick deserves the
> thanks of us all for his excellent past contributions in
> assembling and overseeing the sessions.

Huh? Dick is probably a nice chap (well, those two who were thrown out by the security guards, reportedly on his order, might disagree), but one thing I have been unable to observe him doing during the last two years was organizing conferences...

> affiliations elsewhere, papers are encouraged from all. Since
> 1989 there have always been at least 2 dozen scheduled speakers
> about computer viruses, with multiple tracks since 1990, and
> in recent years there have been nearly 100 scheduled speakers.

Due to which in 1992 the speakers had about 10-20 minutes to speak. I'm not sure about how much time they had this year, due to the fact that nobody knew who was speaking, where, when, for how long, and about what.
> The 1994 base price will still be $325 for 2-1/2 days, plus an
> optional $40 for half-day beginner courses in different fields.
> Attendees receive a bound proceedings, usually distributed
> before the meeting begins.

Speaking about proceedings, may I remind you that none of us has obtained them from this year's conference - one month after the conference!

> As by far the oldest, best known - and the largest - conference

..and probably the worst organized one...

> treating computer viruses extensively, "Ides of March" is an
> annual "must" for many specialists in the security field to meet,
> swap samples and anecdotes, and make new business contacts. In the

Meeting many specialists and swapping anecdotes is nice, but many of us go there to present a speech, listen to other speeches, and get the proceedings. This year I learned when my speech was literally hours before I had to present it, didn't know where to present it till the end, and it was announced as something completely different. I couldn't meet many of the attendees I wanted to meet, because I couldn't find out where and when they were speaking, or even whether they were present at all... I won't discuss in detail such things about the last conference like the lack of enough food or even place at the gala dinner, the horrible hotel (sheesh, we have better ones even in Bulgaria), etc... Actually it was my intention not to comment on it at all, because I feel indebted to the organizer - he agreed to waive my conference fee and even paid three days of my stay in the hotel. But after your message, I just couldn't resist...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >      Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  D-2000 Hamburg 54, Germany

------------------------------

Date: 15 Apr 93 11:47:49 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: New program chair for IDES-of-March Virus Conference

jsb@well.sf.ca.us (Judy S. Brand) writes:

>overall Program Chair. Professor Richard G. Lefkon, who
>has been Program Chair for a few years running, will devote
>most of his effort at the 1994 conference to making sure the
>registration and premises are well-run. Dick deserves the
>thanks of us all for his excellent past contributions in
>assembling and overseeing the sessions.

You must be joking. If his "contributions" this year, the last, and the one before that are "excellent", I must have a very different understanding of what that word means than you do.

>Attendees receive a bound proceedings, usually distributed
>before the meeting begins.

Oh, we do? Strange, I had not noticed that :-) This year the proceedings were not distributed at all, and I have not yet - a month later - received my copy.

>Nearly all the speakers are first
>required to have their papers pass an expert quality review
>where both the judges and the authors remain anonymous.

Unfortunately the papers accepted may not be the same ones as those which get actually presented.

>As by far the oldest, best known - and the largest - conference
>treating computer viruses extensively, "Ides of March" is an
>annual "must" for many specialists in the security field to meet,

I would change "is" to "was" above. I went to the conference not because of the papers presented, but simply to meet other "experts". However, the conference has become an embarrassment to several of us. As I have said before, I apologize to anyone who attended this year's conference...this is not what an anti-virus/security conference is supposed to be like.
I will not be supporting or attending this conference next year - this has already been too much waste of time and money for too many people. Instead I will be doing my best to support two other conferences in the USA in '94 - one in the spring, which is organized by VSI, and the other (the VB conference) in the fall.

I would also like to state, as others have done, that I do not want to have my picture on any future brochures.

- -frisk

- --
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date: Sun, 11 Apr 93 09:56:05 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Should viral tricks be publicized? (was: Integrity checking)

> RADAI@vms.huji.ac.il (Y. Radai) writes:
> Btw, it should be noted that on Fidonet there appeared an article
> describing tricks which can be used by virus writers to prevent tracing
> and disassembly of their code. The reason I mention this particular
> article is that it appeared under the name of someone who has
> been contributing to this forum recently, Inbar Raz. The article is
> called "Anti Debugging Tricks", and one of the virus writers found it
> useful enough to forward it to 40 Hex (Number 9).

Ahem. This is SURELY not what I had in mind when I compiled that article. That article is a result of the crackings I did in the past. I collected all the fairly useful tricks I've come across, and published them. I only crack to learn, and teach others. I have already advised at least one how to alter his protection scheme to make it tougher.

I consider myself on both sides. True, I do some cracking, occasionally. I am not ashamed of it, because most of my Assembly knowledge, which people tend to appreciate more than myself, has come from there. And, as you saw, I routed this experience/knowledge to useful routes.

Inbar Raz

- - --
Inbar Raz                5 Henegev, Yavne 70600 ISRAEL.
Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
nyvirus@weizmann.weizmann.ac.il

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the UnTinyProg. (9:9721/210)

------------------------------

Date: Thu, 15 Apr 93 23:08:22 -0600
From: ST29701@vm.cc.latech.edu
Subject: Virus Signatures

I was wondering why there is not anyone that periodically posts NEW virus signatures. This would be very helpful to people in between releases of different virus scanners. I know this might be helpful to the writer of that virus but there has to be a middle ground.

Alan Jones

------------------------------

Date: Fri, 16 Apr 93 03:22:07 -0400
From: "Roger Riordan"
Subject: IDES-of-March Virus Conference

jsb@well.sf.ca.us (Judy S. Brand) writes

> It appears that someone who had been on the 1993 New York
> "Ides of March" program committee mistakenly reported to
> Virus-L that there were no significant changes for 1994.
>
> The person does not seem to have read my letter last week
> to "Ides of March" attendees. It contained this announcement:
>
> "Next year, for the first time, the specialists
> on our greatly expanded Program Committee will
> take complete charge of organizing the presentations and sessions."

Each delegate to the recent conference paid a registration fee ranging from $325 to $425. If we add a conservative $200 for accommodation and travel, and $400 for two days' pay, and we assume that there were 500 paying delegates (in the absence of any reliable information on the subject), and add the costs of the exhibitors and overseas delegates, the total cost of this conference was almost certainly well in excess of $500,000. If any individual had paid this amount for a service which failed as dismally as did this conference, they would certainly take legal action. Unfortunately it would be difficult to establish just how much loss the delegates had suffered, and difficult for any individual to take action.
However the registration form clearly stated "Registration includes Proceedings, ... ". As these are valued (by the organisers) at $100 per copy, the organisers are in clear breach of contract to the tune of something like $50,000. I have been promised that I would receive the proceedings in a couple of weeks, but as we were promised we would receive them "Tomorrow", then "they will be posted first thing next week", I place no credence in this.

Despite all this Ms Brand appears to think that the organisers can make a few cosmetic changes and continue as before. Is there anyone, or any organisation, who/which is in a position to ensure firstly that the organisers meet their legal obligations with respect to the Proceedings, and secondly that they are not permitted to attempt to repeat this fiasco?

Roger Riordan                    Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                   Tel: +613 521 0655
PO Box 205, Hampton Vic 3188     Fax: +613 521 0727
AUSTRALIA

------------------------------

Date: Fri, 16 Apr 93 11:13:51 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Re: Beneficial/Non-Destructive

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)

>Don't be so sure... Suppose that the beneficial virus does the
>following:
>1) Modifies only one executable file on your system.
>2) This file is an anti-virus program.
>3) The modification consists of replacing the program with a newer
>copy.
>4) The virus infects your computer when you log to the LAN server.
>5) The virus has been installed on the LAN server by the LAN
>administrator.
>6) The LAN owner has a policy that no workstations are allowed to log
>in unless they are running the latest version of this particular
>anti-virus software.
>7) The virus (actually a worm - it does not "attach" itself to
>programs and spreads via networks) does not do anything else.
>8) The whole thing is marketed by the producer of the anti-virus
>software not as a virus, but as "a centralized method for automatic
>update of the software on the workstations".

My question is: why do you need a virus (or worm) to do this? All you need is a regular program that runs as part of the login script, detects the version via strobe/date/size/checksum and performs a copy/execute if an update is needed. McAfee's CHKSHLD in a .BAT will do this function plus verify that the TSR is functioning properly and is neither virus nor worm (neither the .BAT nor CHKSHLD needs to be copied to the client).

Warmly,
Padgett

------------------------------

Date: 16 Apr 93 16:14:21 +0000
From: tkc@aurora.engr.latech.edu
Subject: Re: Macintosh [and non-PC] Postings

PATCHAS@VM.NRC.CA (Charles A. Patrick) writes:

> Of late I have noticed that there has been a distinct dearth of postings
> about NON-PC's. In particular, I have seen no postings about Macintosh virii.
> Certainly I have no recollection of postings about the most recent one that
> precipitated version 3.1 of Disinfectant.

Well, there was a lengthy post on the latest virus for the Mac. The reason I think there aren't any postings for the Mac is because Mac users have more respect for their environment, and fewer viruses are written. If there aren't any new viruses to talk about, and the old ones are taken care of by the detection programs out there, then there is nothing to discuss. I think, though, if a Mac posting is made, the subject should be easily identifiable as a Mac posting and it should stand out, because there are so few of them.
- - Keith
__________________________________________________________________________
Keith Cooley                          EE Macintosh Lab Administrator
Louisiana Tech University             Ruston, LA 71272
tkc@engr.LaTech.EDU

------------------------------

Date: Fri, 16 Apr 93 09:17:21 -0700
From: aryeh@mcafee.com (McAfee Associates)
Subject: Forwarded message from Scotland Yard

Hello All,

I was recently contacted by DC Noel Bonczoszek of the Computer Crimes Unit at New Scotland Yard in London. As some of you may be aware, Noel is one of the folks responsible for arresting the members of ARCV, a UK-based group of virus-writers. He would like to speak with anyone who suffered an infection from any of their viruses (listed below). If you have been infected by one of their viruses, or know of someone who has, then please give him a call at +44 (71) 230-1177 during office hours (GMT), or send him a fax at +44 (71) 230-1275.

A list of viruses written by ARCV:

    159
    199
    224
    240
    330
    334 (Made)
    334-2
    Alpha
    Anna
    ARCV '93 (ICE-9)
    ARCV 1
    ARCV 2
    ARCV 3
    ARCV 4
    ARCV 5
    ARCV 6
    ARCV 7
    ARCV 8
    ARCV 9
    ARCV 10
    ARCV Sandwich
    ARCV Xmas
    Benoit
    Chad
    Coolboot
    Dennis 1
    ECU
    Friends
    Jo V1.01
    Joanna Exersiser
    Joanna V1.11
    McWhale
    More
    Nichols
    Reaper Man
    Scroll
    Scythe
    Small ARVC
    Small EXE
    Solomon
    Spawn 1
    Toxic
    Toxic 2
    Toxic 3
    Toxic C
    Two Minutes to Midnight
    X-1
    X-2
    Zaphod

Please bear in mind that I'm only forwarding this message for DC Bonczoszek. If you have any questions, please contact him directly.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.
                                 | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
3350 Scott Blvd, Bldg 14         | FAX (408) 970-9727   | IP# 192.187.128.1
Santa Clara, California          | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95054-3107 USA                   | USR HST Courier DS   | or GO MCAFEE

------------------------------

Date: Fri, 16 Apr 93 18:04:32 +0000
From: khan0095@nova.gmi.edu (Mohammad Razi Khan)
Subject: Re: Should viral tricks be publicized?

Virus writers will write viruses, anti-virus writers will write anti-virus programs. I think it should be publicised, only to inform the (uninformed) public about how easy it actually is; you wouldn't believe the amount of people who "trust". I had one friend who was a new computer user, had 2 different viruses on his system and didn't even know it!

There are also another extreme group of people, paranoid about security, who cringe at even hearing the word virus, and all the hype about Michelangelo did bring many of them out. If these viruses were made to be public domain then a.) trusting people will see what they really are up against b.) paranoid people will see how trivial most viruses are. Heck, who can't make a batch program that goes

    echo Y|del *.*

Also, people, in general, will know how to effectively combat a virus by themselves. I sometimes think AV people are reluctant to give out info because they get paid for the programs, but that's not all people, only a few. Well, anyway, I think they should be public domain.

- --
Mohammad R. Khan / khan0095@nova.gmi.edu
After July '93, please send mail to mkhan@nyx.cs.du.edu

------------------------------

Date: Fri, 16 Apr 93 18:21:54 +0000
From: mdallin@lamar.ColoState.EDU (ABCDefghIJKLm)
Subject: Re: Survey

frisk@complex.is (Fridrik Skulason) writes:

>Well, as countries don't write viruses, but people do, this question can
>be assumed to mean either:
>
>2. Do you believe that programmers in some countries write viruses designed
>   to infiltrate computers in other countries?
>
>or
>
>2.
>   Do you believe that it is an official policy in some countries to write
>   viruses designed to infiltrate computers in other countries?

When I say 'countries' it implies 'government'... i.e., Do you believe that some governments write viruses meant to infect computers in other countries? Which, even though I can see where you could get confused, would imply the original meaning of your second question (Do you believe it is an official policy...) But, one thing to point out in phrasing it as such... the policy doesn't have to be a public policy (just look at most of the USA's policies 8^) ). Sorry for the confusion...

Mdd

- --
"Ah, Ah, Ah, Ah, AAAAAAAAAAAH!!!!"       mdallin@lamar.colostate.edu
   -- Queen, Ogre Battle                 dallin@beethoven.colostate.edu

------------------------------

Date: Thu, 15 Apr 93 17:27:17 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ANSI viruses and things that go bump in the night (mostly PC)

smd@hrt216.brooks.af.mil (Sten Drescher) writes:

> screen colors in my PROMPT string? Answer: it doesn't. A better
> answer, rather than to tell people to make binary patches to their OS,
> is to use one of the multitude of ANSI drivers that don't support, or
> allow you to disable, key redirection. Just off the top of my head I
> can think of NANSI, NNANSI, ZANSI, ANSIPlus, and ANSI.COM (from PC Magazine).
Speaking about ANSI drivers, does anybody know one which:

1) Is public domain or freeware or shareware (I'm not interested in commercial implementations);

2) Runs on anything, including CGA (I'm not interested in implementations that require at least EGA);

3) Supports everything that the DOS ANSI.SYS does (I'm not interested in restricted versions);

4) Can be loaded both as a device driver and as a TSR;

5) Allows the user to optionally disable keyboard programming with an option from the command line (I'm not interested in implementations that don't allow keyboard programming at all or that have to be re-compiled in order to change their behavior);

6) Comes in source.

? As far as I know (haven't seen the latest versions), none of the drivers mentioned by you satisfies all of the above conditions... Does anybody know a driver that does satisfy them?

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 15 Apr 93 17:34:42 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Optimum Strategy for Virus Checking (PC)

riordan@tmxmelb.mhs.oz.au (Roger Riordan) writes:

> The strategy we use is to scan till we find a subdirectory,
> immediately dive into it, continue till we find another
> subdirectory, and so on.

I see, you are using a depth-first directory tree traversal.

> This is certainly not ideal, from the
> theoretical point of view, but it is something which will work
> on any PC, and has a good chance of catching a real virus,
> without making the scan time so long that the test is disabled.

Sure, but it can be improved, IMHO.
> If you are computer literate, and know which programs you use,
> you can devise a better strategy, or you can check the lot if you
> like, but an imperfect test which is performed is better than an
> ideal test which is disabled.

If the user is computer literate, s/he probably would have organized his/her disk in such a way that the directories listed in the PATH variable appear first in the directory tree, so your method will work reasonably well. However, for the casual user whose directory tree is more likely to be a complete mess, it is possible to devise an improvement of your method. How about the following:

1) Check the command interpreter;

2) Check the first few files in the root directory;

3) Check the first few files in the current directory;

4) Check a few files (randomly selected) in each directory listed in the PATH variable;

5) Check the first few files in the first subdirectory of the root directory;

6) Check the first few files in the first deepest subdirectory (i.e., your current approach).

I think that 10 is a reasonable number for "a few". This procedure is a bit more complex to implement than the one you are currently using, but will run just as fast and will increase the chance to catch the virus.

> There are viruses which do not visibly affect the memory map, but
> Necropolis, like Jerusalem, goes TSR, and changes the loading

Well, an important difference is that Jerusalem can be -easily- spotted with memory inspection tools like MAPMEM, while Necropolis cannot.

> Most of the recent viruses load at the top of memory where they
> are readily detected.

Yes, they are using the "Dark Avenger" method, or the method the boot sector viruses are using. But sooner or later the virus writers will switch to more sophisticated schemes... With the lack of memory protection in DOS, there are plenty of holes for an unknown virus to hide... Hiding a known virus is significantly more difficult, but several tricks are possible too...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 15 Apr 93 18:34:38 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses and Canada (PC)

aparker@mach1.wlu.ca (alan parker S) writes:

> software in general use is from Leprechaun, Virus Buster; now the latest hit
> is of a new variant of Stoned which is detected by Scanv102, and F-prot-207
> as new variants, but I haven't seen or read anything about a new variant..

What do you mean? There are several dozen Stoned variants; most of them
are not described anywhere, and new ones are popping up every day...

> The trend seems to be turning msdos/io.sys files as non-hidden, and
> increasing io.sys for example to 40470 under dos 5. The norm also seems to

No Stoned variant does this. You might also have a different virus - a
file infector this time.

> be DD floppies becoming 1.3+Gigabytes of storage space with the obviously
> dubious file names it creates.

This means that the root directory is scrambled. Indeed, Stoned can
cause this.

> I note also that stoned appears to have dos
> 3.x as part of its make up.

Huh? What do you mean?

> I've read recently much about the wonders of Untouchable(tm); now
> I've had 3 different suites of programs from them, Untouchable 1.3, Search
> and Destroy, and Untouchable NLM, I'm not at all impressed. The evaluation
> copies sucked. As I've said, we normally suffer from stoned, although we
> have had a single hit from Form (ouch, nasty beastie), and a little something
> from the Mte which proved to be very spreadable.
> The Untouchable software
> (all of it) failed miserably with all but the oldest variants of
> Stoned (Manitoba being our most frequent), also the safe disk it had made
> didn't seem to allow corrupted files to be restored from the information
> saved about them, which Virus Buster was able to do.

Wait, wait, wait, there are too many wrong things in the above...

First, as far as I know, Search and Destroy is the scanner/disinfector
part of Untouchable only. The strongest part of the product is its
integrity checker - that is what you must install and use.

Next, what is this "little something from the Mte that proved to be
very spreadable"? I've never heard about any MtE-based virus being
found in the wild - is your university the first case?

Next, the integrity checker from Untouchable is able to repair almost
any possible boot sector infector and certainly Stoned and Form. Are
you sure you have installed and used it in the correct way?

Next, what's so nasty about Form? A silly boot sector infector that
makes your keyboard click on a particular date...

Next, what exactly does "the Untouchable software failed miserably"
mean? Which part of the software? Have you installed the integrity
checker on a virus-free system? If not - why not? Maybe you have used
only the scanner/disinfector?

Next, what corrupted files? Stoned and Form are boot sector viruses;
they don't infect files...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 15 Apr 93 23:11:36 +0000
From: Joshua Aaron Klein
Subject: Re: McAfee latest version (PC)

Mike Lastort (lastort@access.digex.com) wrote:
>
> I was just wondering if there was an address where McAfee's programs are
> available through Internet. I used to subscribe to Compu$$erve but have
> given up that habit when I got this account. Any info on how to ftp
> McAfee's programs would be greatly appreciated.
>
> Mike

I believe that ftp.mcafee.com will do it...

- --
*************************************************
Joshua Klein               INTERNET ADDRESSES
Amherst College            jaklein@unix.amherst.edu
Amherst, MA                jaklein@amherst.edu
*************************************************

------------------------------

Date: Sun, 11 Apr 93 10:02:06 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Disk Access via Port Writes (PC)

Jan-Pieter Cornet writes to Inbar Raz about Disk Access by Port Writes:

> I think the virus will not work under OS/2, as a real operating system like
> OS/2 shields the hardware from the user program. I'm not sure about other
> operating systems. This absolutely requires a 386+, tho'

Hmm. Now that you mention it, OS/2 DOES do that. What a relief. That's
one less platform to be affected by such malicious code.

> Also, will your virus work on 2.88M drives? SCSI drives? Wang/DEC/
> other incompatible computers? (sold as IBM clones of course, not VAXes
> etc ;)

This is NOT a VIRUS. Please. I never wrote one, nor will I. That was
experimental code. Since I only have AT-type (IDE) drives, I only know,
AT THE MOMENT, how to access IDE drives via ports. However, I have the
ANSI specifications of SCSI too (as well as SCSI-2), so given such a
hard disk, I believe I could write the equivalent code in less than two
hours.

> On the other hand I think there are a lot of viruses not able to replicate
> on all systems...
> so on the majority of systems "your" virus will probably
> be effective regardless of any virus shields.

I don't think so. When I thought about this technique, my fear was NOT
for viruses to use it to MULTIPLY, because you can scan for them
anyway. My fear was that viruses will implement such a technique to
CAUSE MALICIOUS HARM. And believe me, there's a lot of harm you can do
with ports that you can't do with INT 13h...

Inbar Raz

- - --
Inbar Raz
5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
nyvirus@weizmann.weizmann.ac.il

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the UnTinyProg. (9:9721/210)

------------------------------

Date: Mon, 12 Apr 93 23:44:02 +0100
From: Marcin_Dobrucki@f200.n3581.z9.virnet.bad.se (Marcin Dobrucki)
Subject: 5lo virus? (PC)

While using F-PROT 2.07 I got a message that some 60 files on my drive
are infected with the 5lo (?) virus. However, after checking the virus
list I could not locate such a virus nor find any information anywhere
else. Is this some kind of a code name for the PROTO-T virus, which I
suspected was the one I had?

Marcin Dobrucki
--
- --- GEcho 1.00+/RA 1.11+
 * Origin: Empire BBS (9:3581/200)

------------------------------

Date: Fri, 16 Apr 93 02:43:06 +0000
From: apreiser@skidmore.EDU (arthur preiser)
Subject: Disk Death (PC)

I recently bought a notebook computer. In my enthusiasm, I bought
several new programs that would make full use of the 386 processor
with the 387 math co-processor and the 8 megs of RAM. Anyway, I let a
friend run some numbers through Lotus 1-2-3 on my computer. Right in
the middle of calculating something, my virus detector went off. I
scanned the hard drive and found the disk to be infected. The problem
was, my virus cleaning program was infected. I tried to recover my
information with the original copies of the virus program, but the
virus was resident and infected my "A:\" drive as well. I had to
reformat the hard drive on my computer.
I wanted to know what kind of virus could attack all these files in so
short a time? What could I have done differently to save my disks? I
don't know what virus it was or how it infected my system without
infecting my friend's. We ran a virus scan on his computer and it came
up negative. Is it just me or does anyone else think my friend
sabotaged my system? How can I prevent this kind of total disaster
from recurring?

Please excuse me for rambling on. I'm still getting over the shock of
losing everything. I was naive and, you guessed it, I didn't have
backups of my work. I guess a hard lesson learned is a lesson worth
remembering.

An important question I wanted answered is: what do I do when all my
virus-killing defences are breached? Is there another line of defence
I could establish? Should I kill my EX-friend now?

Arthur.
E-Mail apreiser@scott.skidmore.edu

------------------------------

Date: 15 Apr 93 23:59:50 -0400
From: ac999512@umbc.edu (ac999512)
Subject: Re: Unknown little virus? (PC)

>gary@sci34hub.sci.com (Gary Heston) writes:
>
>>32 bytes isn't enough to write an interrupt service routine, much less
>>anything resembling a virus.
>
>Eh, one can easily write a virus (well, a stupid overwriting one) in less than
>32 bytes - I think 24 bytes is the minimum .... but not a memory resident one.
>
>- -frisk

24 bytes? That's it? Really? The smallest I've managed to obtain/create
is 27 bytes. I find it hard to believe another three could be stripped.
Does that use 386 instructions?

+-------------------------------------------------------+
| Ed T. Toton III, Virus Researcher   ac999512@umbc.edu |
| Press any key.. Except THAT one!                      |
+-------------------------------------------------------+

------------------------------

Date: Thu, 15 Apr 93 22:49:00 -0700
From: Ullrich_Fischer@mindlink.bc.ca (Ullrich Fischer)
Subject: VSAFE WONDER false alarm? (PC)

I've had a number of incidents lately on our 255 PC Novell LAN where
VSAFE reports an executable is infected with the WONDER virus. F-PROT
2.07, CPAV's SCAN function (1.4), and McAfee's SCANV102 and NETSCAN102
don't find anything, so I'm assuming it is a false alarm. No suspicious
activity has been detected when the suspect executables are run in the
absence of VSAFE. I'm using a home-grown CRC checking system which
detects any modifications to key executables and is run whenever any
PC boots... this hasn't detected any modifications to executables as
would likely happen if there really was a WONDER infection. One of the
suspect files is ECODE.EXE, part of a commercial hypertext system which
displays the Canadian Electrical Code. Has anyone run into similar
problems with VSAFE (version 1.4 from Central Point)?

- --
Ullrich_Fischer@mindlink.bc.ca
Before people are governable, they have to have something to lose.
                                                   - Nils Christie

------------------------------

Date: Fri, 16 Apr 93 18:27:11 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Removing PingPong virus from boot sectors (PC)

dnebing@andy.bgsu.edu (Dave Nebinger) writes:

> One of the IBM's that I manage has pingpong virus in the boot blocks of

Is it an 8088-based machine?

> the hard drive. I have Norton's AntiVirus, but it will not remove it. What

That's strange... NAV should be able to disinfect Ping Pong... You
might have a new variant, but in any case you should contact your local
Symantec support.

> do I have to do to remove the pingpong virus, or is it really nothing to
> worry about?

Boot from a clean diskette and do a SYS C:. This will remove the virus
from the hard disk. It will also leave one cluster, marked as bad by
the virus, but this is not something to worry about. If you are a
perfectionist and know what you are doing, you might use Norton
Utilities to mark the cluster back as unused.
Note: the above advice assumes that even if you are not familiar with
viruses, you are at least familiar with DOS and your PC. If you don't
know what "boot from a clean diskette" means - ask me by private
e-mail. It also assumes that you are smart enough to boot from the same
DOS version as the one installed on your hard disk. And it finally
assumes that if SYS tells you "No room for system files" you know how
to fix the problem with Norton Disk Doctor and its "Make a disk
bootable" capability. If not - ask me by private e-mail.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: Fri, 16 Apr 93 18:45:30 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VSUM (PC)

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

> I have recently seen the new version of VSUM (currently VSUMX303) and
> must say that the user interface is much improved, particularly the
> part that lets you search the database for a particular string, I
> do not need to use LIST to examine the H! any more (also there is
> no more H!, been replaced by an .XDB).

Well, VSUM was converted to this new format quite a while ago - I think
since version 9212. One thing that I do not understand is why the new
hypertext engine (produced by the same company) is no longer able to
view the old .H! files... Another puzzling thing is why Patricia
Hoffman has disabled the Cut&Paste function - this makes it even less
likely that people export information from there, correct it, and send
her back the corrections...
> Detractors say that it is flawed in the same way that Ralf Brown's
> interrupt list is flawed and it does have errors but I cannot think
> of anything today that is perfect - certainly if you have to ask, it
> is a good place to start.

"Flawed in the same way" is an insult to Ralf Brown's work. I am using
his list intensively and have found only a few minor mistakes and
omissions. At the same time, each time I consult a VSUM entry, I find
it either incomplete, or containing errors, or both. Not to mention how
unnecessarily verbose the articles there are...

> For those on the net, it is available via anonymous FTP from mcaffee.com
> or can be downloaded from many sources but be advised, even compressed
> it is over 800k - bare 2400 baud will take nearly an hour.

The copy on Simtel20 is compressed with the new PKZIP and is a bit more
than 600 Kb.

> Last year I heard about several other compilations "in the works" but
> have not seen any yet so at least for now it is still an essential work.

Two of them are available for anonymous ftp from our site:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/vbaseabc.zip
ftp.informatik.uni-hamburg.de:/pub/virus/texts/catalog/cvb-293.zip

The first one is in the same format as VSUM, so you can use the same
hypertext engine (VSUM.EXE) to browse it. Neither of the two is
complete enough (actually, both are ridiculously incomplete), but
either of them is significantly more accurate than VSUM.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 65]
*****************************************