To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #160
--------
VIRUS-L Digest   Wednesday, 22 Dec 1993    Volume 6 : Issue 160

Today's Topics:

Re: Are viruses taking over the world..?
Re: Liabilities
Re: Freeware distribution of anti-virus software
Re: Gun analogy
Guns & Viruses (new rock group ?)
Re: Any reviews of InVircible/V-Care ? (PC)
Re: Running F-PROT 2.10 in DOS Window? (PC)
Re: Has anyone heard of the the reaper virus V Cpav (PC)
Re: Windows viruses? (PC)
Re: The _new_ stoned virus (PC)
Re: New version of stoned virus & DOS 3.3 (PC)
Re: New version of stoned virus & DOS 3.3 (PC)
Re: Monkey is not cute! (PC)
Re: Using A-V software to remove vir (PC)
Re: New (?) variant of Stoned virus (PC)
Re: Info needed on HideNowt Virus. (PC)
Re: QUESTION: F-PROT virstop (PC) - THANKS
Possible virus (PC)
Stoned virus......(help - need info) (PC)
Monkey (PC)
Is this a virus or hardware problem? (PC)
Hhhhhhelllllllllllpppp--MONKEY virus (PC)
Re: Save all you can (CVP)
Re: save all you can (CVP)
Tripwire Version 1.1 released (UNIX)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).  Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL.  All submissions should be sent to:
VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 16 Dec 93 14:38:51 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Are viruses taking over the world..?

djk@netcom.com (Daniel J. Karnes) writes:

>Have incidences of infection generally increased? Or do I just happen to
>work for a company in VERY infected straits?!?

Well, the number of infections has increased somewhat, compared to two
years ago, but the number of people using anti-virus software has also
increased, so more infections are detected.  There is also the question
of how large a percentage of the infections are reported to you, and
whether clean-ups are sufficiently thorough.

Still, even though there is an increase it is by no means an exponential
one.

- -frisk

------------------------------

Date:    Thu, 16 Dec 93 14:40:54 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Liabilities

mikehan@kaiwan.com (Mike Hanewinckel) writes:

>Well, I think most of us have seen or own a copy of a certain collection,
>known as "the Goat Collection" which claims to have originally belonged to
>a certain well-known member CARO.

Well, I still don't know what you are talking about... could you E-mail
me a list of the files in this collection or something, so that I can
check whether it bears any resemblance to any of the other collections
I have seen?

- -frisk

Fridrik Skulason      Frisk Software International      phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-617274

------------------------------

Date:    Thu, 16 Dec 93 14:52:56 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Freeware distribution of anti-virus software

seank@nermal.santarosa.edu (Sean Kirkpatrick) writes:

>Last year about this time, I did some research for a Bank that I was
>consulting for, and discovered that the FPROT engine was used in about
>6 or 7 of the top 10 commercial virus scanners.

Eh... 6 or 7.... Hmm... is anything going on that I don't know about?
The products that currently use my "engine" are:

    F-PROT shareware (Frisk Software)
    F-PROT Professional (Command Software, DataFellows and PerComp)
    Virus Alert (Look Software)
    VirusNet (SafetyNet)

- -frisk

------------------------------

Date:    Thu, 16 Dec 93 15:04:58 -0500
From:    ksaj@pcscav.com (OS R & D)
Subject: Re: Gun analogy

Ktark, judging by your post to me, you are arguing for the sake of
arguing.  If the gun analogy is one created by the anti-virus crowd,
then why are you so quick to defend it?  No matter who created the
analogy, it doesn't work anywhere nearly as smoothly as one would like
it to.

As for the rest of your arguing, that didn't even come up, so I assume
you are just trying to argue.  You haven't agreed with anything anybody
has said in Virus-L before ;)

karsten johansson

- ---
ksaj@pcscav.com (OS R & D)                            Elvis killed JFK
PC Scavenger -- Computer Virus Research, Toronto CANADA   (416)463-8384
Free services: send EMAIL to info@pcscav.com or virus.list@pcscav.com

------------------------------

Date:    Thu, 16 Dec 93 16:10:09 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Guns & Viruses (new rock group ?)

From: src4src!ktark@imageek.york.cuny.edu (Karl Tarhk)

>NO, this is a favorite analogy preferred by 'AntiVirus' types as they
>often stigmatize viruses as dangerous things, much like weapons.
>As i said it has yet to be proven that viruses are inherently
>destructive!

Well, I have not found a virus that would not be destructive in some
environment.  Period.  This sounds like the gentleman a few years ago
who said the 4096 was not destructive, it was when the user ran
CHKDSK/F that corruption occurred.

To me the biggest difference between a gun and a virus is that when I
fire an Automag, there is a limit to my sphere of destruction.
Eventually the bullet will dissipate its energy in some fashion and
cease to be destructive.  "Eventually" can be measured in seconds.
In counterpoint a virus *never* stops and can have undreamed effects in
the future.  There is discussion today about making the computers in
cars field programmable & guess what is the basis for the big GM
roll-around.  I can command the idle speed in a new Corvette to be
anything I want it to be with a Tech-1.  Suppose a 5000 rpm command
occurred in traffic?  Impossible?  Not at all, just takes the wrong
parameters.

A big business today is replacement PROM chips for cars.  What if a
PC-based PROM programmer had an "extra added attraction".  Unlikely?
You do not have enough appendages for the number of manufacturers who
accidentally shipped viruses on disks.

Cold today,
          Padgett

------------------------------

Date:    Tue, 14 Dec 93 15:00:52 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Any reviews of InVircible/V-Care ? (PC)

Howard Ross (howard@ccu1.auckland.ac.nz) writes:

> InVircible looks very attractive because it employs generic defences
> against viral attack. Because it does not use scanning, it doesn't fall
> into obsolescence. It boasts high speed, ease-of-use, unobtrusiveness,
> and a high rate of restoration/disinfection.

> Can the labelling on the package be believed?

I am sorry for not being able to reply to your main question - how good
InVircible/V-Care is - because I have no experience with it.  However,
I would strongly advise you to take any claims like the above with a
large grain of salt.

It is true that anti-virus packages based on integrity checking don't
need to be updated as often as the scanners.  It is not true, however,
that they don't have to be updated at all - every program becomes
obsolete with time.

Second, while integrity checking is a stronger line of anti-virus
defense than scanning, it is certainly not good enough as a *single*
line of defense.  The best is to combine it with scanning - scan all
incoming software and control the integrity of the existing software.
And, if a package adopts this strategy, it will still need to be updated
- - at least the scanner part of it.  If it doesn't adopt it - then it is
weaker than a combined system.

If the product mentioned by you relies on integrity checking alone, I
can bet you that (a) I can design a virus that will be able to infect a
system infected by it and pass unnoticed (actually, I'll probably be
able to invent 3-4 different ways to bypass the system, but I am making
a safe bet) and (b) it doesn't protect against at least some of the
already existing viruses.

If you doubt the above, ask the producer how the package protects your
system against Brain - one of the first IBM PC viruses.  Just for
information, Brain is a diskette-only boot sector infector.  If the
producer says "ah, but we are protecting only your hard disk", ask them
how their product would protect your hard disk from a virus that
infects like Brain, but also corrupts only the data files on your hard
disk and only when they are being modified by DOS.

BTW, one of the problems with the integrity-based systems is that they
detect the infection only after-the-fact - which in some cases might be
too late.  Like if you get infected by Michelangelo on March 6.  :-)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 14 Dec 93 15:23:29 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Running F-PROT 2.10 in DOS Window? (PC)

BOB CONN (REC102@psuvm.psu.edu) writes:

> I want to know if F-PROT 2.10 is as effective running in a
> DOS Window (Windows 3.1).

It is just as effective as under plain DOS, although a bit slower.
Also, it might not be able to detect in memory a virus that is running
in another DOS box, if Windows is started in protected mode, but I am
not quite certain about that.  In any case, it shouldn't cause any
problems in your situation.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 14 Dec 93 15:14:32 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Has anyone heard of the the reaper virus V Cpav (PC)

Adam S. Nealis (adam@lbs.lon.ac.uk) writes:

> Can anyone tell me about the reaper virus?

Please, folks, read the FAQ for information about how to ask such
questions.  How do you know that it is the reaper virus?  Which scanner
has reported it?  Which version?

> Center Point Anti-Virus software does
> not seem to pick this one up.

May I suggest that you use some better anti-virus package?  You should
take a look at F-Prot, TBAV, SCAN - all are shareware (F-Prot is even
freeware for individual use) and are available from the usual ftp sites.

Searching through my database, I can see a virus, which SCAN 109 calls
"Reaper [Rea]" and F-Prot 2.10 calls "Hungarian (ARCV.Reaper)".  Do you
mean this one?  It is a memory-resident, 1072-byte long EXE and COM
semi-stealth fast infector.  On August 15 it prints the message "Reaper
Man. (c) 92, Apache Warrior, ARCV Press."  It doesn't contain
intentionally destructive routines and the message can be seen in the
infected files, because the virus doesn't use encryption.  It doesn't
infect files matching the specification *D.* - in particular,
COMMAND.COM.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 14 Dec 93 15:19:57 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Windows viruses? (PC)

Bradley (cs05050@s1.csuhayward.edu) writes:

> Someone on a local BBS just told me that a Windows
> Zine reported 2 Windows viruses.

That's true, although I have been unable to replicate the second one.

> Quoted from FAQ.Virus-L 18 November 1993 update
> > too. And currently there exists at least one Windows-specific

The FAQ is slightly out-of-date.  What you have heard is true -
currently there are two Windows-specific viruses.

> > virus which is able to properly infect Windows applications (it is
> > compatible with the NewEXE file format).

But the FAQ is also correct, in some sense.  The second file doesn't
modify the applications it infects, so it doesn't need to know about
the NewEXE format.  Only the first one does.

> What is the name of that one? The names that I was given are:
> Winvir and Twitch.

Correct again.  WinVir was the first one, Twitch is the second one (the
one I was unable to replicate - maybe my sample is corrupted).

> figure it might just be a stretch on the part of the journalist to
> define a "Windows virus".

No, the journalist is right.  There are indeed two Windows-specific
viruses and indeed those are their names.  The first one is a
non-resident virus, which infects the Windows applications properly but
disinfects them when they are executed.  It infects only in the current
directory, and this, combined with the non-residency, makes it very
unlikely to spread.
The second virus is of the companion type - it renames the original
applications to have OVL extensions and copies itself under their
original name.  Both viruses are not only Windows-specific; they also
*require* Windows, in order to run.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 14 Dec 93 15:47:05 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The _new_ stoned virus (PC)

Doc Cottle (DOCOTTLE@UKCC.uky.edu) writes:

> Quick question.  Will the newer version of FDISK (the one that includes
> the /MBR option) run under DOS 3.x??

No, it won't.  But I don't see why you need this - just boot from a
MS-DOS 5.0+ system diskette before using FDISK/MBR.  If you have a
version of FDISK that supports this option, you should have the
appropriate system diskette too - they come together.

> ps.  This is posted for our programmer who is too
> busy to do it herself.  (Yep, she's THAT good!)

If she is *really* that good, she could do any of the following:

1) Use a bootable MS-DOS 5.0+ diskette with FDISK.
2) Patch FDISK to run under any DOS version.
3) Fetch Padgett's Fix Utilities and use it to recover the MBR.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 14 Dec 93 15:50:32 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New version of stoned virus & DOS 3.3 (PC)

Karen Pulliam (KLPULL00@UKCC.uky.edu) writes:

> Unfortunately, f-prot is unable to disinfect it.  I tried using DOS 5.0
> fdisk /mbr, but received the expected wrong dos version error (the computer
> is a 286 running DOS 3.3).

Huh?  Just boot from a DOS 5.0 diskette before running FDISK and the
problem will go away.

> Deleting the partitions leaves the virus in the MBR.

Of course, because it changes only the Partition Table *data*; not the
code where the virus resides.

> Do you know how to get this virus out of the MBR?

It depends on the virus.  After booting from a DOS 5.0+ diskette, make
sure that the DIR command still can access the hard disk.  If you get
"Invalid drive C:" or something similar - DON'T use FDISK/MBR, because
it is likely to cause damage.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 14 Dec 93 15:52:19 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New version of stoned virus & DOS 3.3 (PC)

kevin marcus (datadec@ucrengr.ucr.edu) writes:

> >is a 286 running DOS 3.3).
>                    ^^^^^^^
> You could have booted from a DOS 5.0 formatted system disk which has
> a copy of fdisk (and is write protected, of course :) ) and then used
> fdisk /mbr, or you could also use a program called, "setver"

As far as I recall, SETVER is not available before DOS 4.0.  And the
first solution is much better anyway.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 14 Dec 93 16:00:53 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Monkey is not cute! (PC)

Trimm Industries (trimm@netcom.com) writes:

> IMO, you're doing a fine job making time available to post the advice
> here on comp.virus.  How's the dissertation coming?

It's handy that you asked; I'll use the opportunity to post a warning.
After Christmas I am going to "disappear" from the net in general and
comp.virus in particular.  I *really* have to concentrate on writing my
Ph.D.  If I don't present something substantial in written form in
March, I will be kicked out of here in July.  :-(  So, after Christmas,
I will stop posting to comp.virus and replying to e-mail messages.  For
several reasons, I am unable to install a "vacation" program, so it
will look like a black out to those who have not heard the word... :-)
I hope that my net.absence will last no more than a couple of months.

> Are you considering
> posting it here or putting it up for anon ftp when it is complete?
> I know that a lot of people would be interested in reading it.

Posting it here is out of the question.  Making it available via ftp -
I'll consider that option, but I am not promising anything.

> BTW, have you done any work on Windows NT or NT AS vis a vis resistance
> to viruses?  Do you need a copy of either for testing?

I don't know what "NT AS" is.  We do have a Windows NT system and
another one with OS/2.  Currently, a group of students is doing virus
experiments with OS/2.
The intermediate result that I heard today is that FDISK somehow
manages to remove an MBR infection (by Parity_Boot.A), if you change
the active partition.  Those are still non-verified results, so please
consider them as rumors and don't rely on them - it is quite probable
that we have messed something up.

Currently, no Windows NT experiments are performed.  I certainly don't
have the time to do it, and the computer is used for work too.
Probably we'll do something in this direction in the future.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 14 Dec 93 16:02:48 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Using A-V software to remove vir (PC)

vfreak@aol.com (vfreak@aol.com) writes:

> When I asked what had happened, she reported that she had used A-V software
> to clean the Green Caterpillar (1575 according to McAfee's scan) virus.
>
> However this was a modified variant of Green Caterpillar, and her A-V software
> hadn't recognized that the virus was larger than 1591 bytes, so the A-V
> software corrupted the files during the cleaning process.

Any disinfection software that does not perform exact identification,
or at least nearly exact identification when removing viruses, is junk.
No, worse, it is dangerous.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 14 Dec 93 16:13:39 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New (?) variant of Stoned virus (PC)

Ted Goldstein (du4@mace.cc.purdue.edu) writes:

> >F-PROT 2.10 reports that it has found a new variant of the Stoned virus
> >on one of my PCs.  It does not try to disinfect it.
> >
> >McAfee SCAN 109 does not see any infection at all.
> >
> >After manually repairing the partition table, and reformatting the
> >hard disk, F-PROT still reports the infection.

What do you mean exactly by "repairing the partition table"?  Just
changed the information about the partitions with FDISK?  This does not
touch the virus code in the MBR.  And what do you mean by
"reformatting"?  Using the command FORMAT?  That does not touch the MBR
either.  You should boot from a write-protected uninfected DOS 5.0 (or
above) system diskette, make sure that the hard disk is still
accessible, and if it is, use the command FDISK/MBR.  If it isn't - you
should ask for expert advice.

> In the 5 day delay between when I posted, and when my post showed up
> in news, I have found out that my PC had the Monkey virus.  The best

That's kinda strange, because F-Prot should identify this virus and
SCAN should at least detect it (usually as "Monkey [Mon]", sometimes as
"Generic MBR [GenP]").

> way to remove it is with an excellent program called KILLMONK.  I am
> sorry, but I do not know where this is available on the net, I got it

The latest version of the program (3) is available from our ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/killmnk3.zip

> from someone local.  Again, I would like to point out that McAfee SCAN,
> Norton Antivirus, Microsoft Antivirus (all latest versions) all failed
> to see it at all.  F-PROT 2.10 did see something, but mis-identified it
> as a new variant of stoned.  Hope this helps someone else out there.
That's rather strange, as I pointed out, but I am unable to say more
without examining a sample of the virus.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 14 Dec 93 16:20:34 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Info needed on HideNowt Virus. (PC)

Alex (amn1@cornell.edu) writes:

> I recently encountered the HideNowt Virus in a couple of our PC Clones.
> This was found when running Vshield during startup.  Actually Vshield was
> one of the infected programs, and it alerted us to the fact that something
> was wrong.  To double check I ran F-prot 2.09f and this reported the
> HideNowt (?) Virus.  It could not remove the virus, so I know I have to
> delete and restore the infected files.  No problem there.

Hmm...  You almost certainly have a false positive or at least a
misidentification.  When F-Prot says "(?)", this means that it is using
just a simple scan string, with no guarantees for identification
whatsoever.  (Frisk will correct me if I am wrong about this.)  On the
other hand, Hidenowt is an obscure virus of Polish or English origin (I
believe), and I find it rather unlikely that it has made it to Cornell.

I would suggest you try the latest version of F-Prot and SCAN - 2.10
and 109 respectively.  F-Prot 2.10 no longer reports this virus with a
question mark (which means that the identification has been improved)
and SCAN detects it as "1757 [1757]".

> So My question is:  What is the HideNowt Virus, how does it travel, what
> files will it infect ?

The virus has been described in both "Virus Bulletin" and "Virus News
International", but you probably don't have access to those sources.
In short, it is a resident, EXE and COM infector, with a lot of
obfuscated code, which actually doesn't hide any significant payload -
from where the virus name has been derived.  But you are almost
certainly not infected by it.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 14 Dec 93 17:39:38 -0500
From:    kwakely@uoguelph.ca (Kent J Wakely)
Subject: Re: QUESTION: F-PROT virstop (PC) - THANKS

Many thanks to those who took the time to answer my query - both here,
and via e-mail.

Kent

- --
- ------------------------------------------------------------------------------
Kent Wakely                          Community Affairs Reporter/Producer
CFRU-FM 93.3                         Internet:kwakely@uoguelph.ca
Community Radio in Guelph
- ------------------------------------------------------------------------------

------------------------------

Date:    Wed, 15 Dec 93 01:49:52 -0500
From:    "Roger Riordan"
Subject: Possible virus (PC)

Marilyn Scott {CMSD} writes

> Whenever our PCs have a problem the first thing we think of is a virus.
> Several machines (both 386 & 486) have developed a severe case of
> cross-linked files and may or not reboot subsequently.  They are not
> necessarily from the same manufacturer; all are running windows 3.1 but
> are not necessarily set up in the same way.
> On campus the most prevalent viruses are Spanish Telecom & Form
> but neither of these can be detected on affected machines nor
> is any other virus found.
> If anyone has any thoughts or suggestions we would be very grateful.

As Marilyn says, viruses are a lovely scapegoat, but she mentions
Windows 3.1, and I would be checking if they have write caching enabled
on Smartdrive.
This is the default (though I gather Microsoft have seen the error of
their ways on DOS 6.2).  Copy a file to another name, and watch the
drive light.  If you immediately return to the DOS prompt, but the
drive light does not flash till a few seconds later, write caching is
enabled.

If a user saves her/his work, and then switches off before DOS has got
around to saving the files the work will be lost.  If the PC is
switched off while the write is in progress you can get the symptoms
described.

If you use the command

    SMARTDRIVE C D ...

where C, D, etc are the physical drives, write caching will be disabled.

Roger Riordan                        Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                       Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA     Fax: +613 521 0727

------------------------------

Date:    Wed, 15 Dec 93 11:21:24 -0500
From:    umennis0@ccu.umanitoba.ca (Sean Douglas Ennis)
Subject: Stoned virus......(help - need info) (PC)

Ok, I need some help here (for a PC).  A co-worker of my mother had her
machine come up with the message (something like), 'Your Computer is
Now Stoned'.  First of all Stoned virus, right?  Second, her (the
co-worker's) and my machine shared a disk (at some point, before or
after infection).

Question.  Does anyone know where there is a good P.D. piece of
software out there that would detect this thing.  I'm currently using
(not P.D. I believe) Virus Clean V1.09.  Now it's my feeling that it
should detect it (if not, then at least the existence of 'something'),
and since it hasn't that it didn't come from me...... (or to me).

Any help out there?

Sean

- --
The goal of Computer Science is to build something that will last at
least until we've finished building it.
Sean Ennis, umennis0@cc.umanitoba.ca or #ennis0@ccm.umanitoba.ca

------------------------------

Date:    Thu, 16 Dec 93 01:50:27 -0500
From:    al026@yfn.ysu.edu (Joe Norton)
Subject: Monkey (PC)

Monkey virus really is a pain, at least if you have more than one hard
drive.
I got a couple of infected disks from a client and tried to play with
it on my system...  Big mistake!  F-prot and Tbav weren't much help
since they couldn't see my hard drives after a clean floppy boot.  I
got KILLMONK from oak.oakland.edu and it did a nice job of cleaning my
C: drive while I was infected, but then I had no D: drive...  Next I
used Norton Disk Doctor to fix the D: drive.  All finally seems ok,
except that F-Prot is now saying something about a new or modified
Stoned on D:...  TBAV and ScanV don't find anything wrong with it
though.  Next time I do a backup I'll probably just reformat it.  Then
again, I could just infect it again and try to clean it with something
better.  Any ideas?  These are two physical drives BTW....

Joe

------------------------------

Date:    Thu, 16 Dec 93 09:09:08 -0500
From:    wyc@bu.edu (Yecheng Wu)
Subject: Is this a virus or hardware problem? (PC)

I have been having a problem with my PC recently.  My PC is a 486 DX
33MHZ, 4 MB ram and 120 MB hard disk.  The system is about 1 year old.
The symptom is: It does not boot from the hard disk some times, not
always.  Every time when it doesn't boot, I got a message saying "Non
system disk, replace".  It cannot boot from the hard disk.  Then I had
to boot from a floppy and then I make the C: drive bootable.  It will
work for a few days and then the problem happens again when I turn the
power on.  I have to repeat the whole process to make the C: bootable
again.

I run DOS 5 and Windows 3.1 on the system.  I've never had any other
problem with the system.  So I thought it might be a virus, then I ran
McAfee's ViroScan and Norton's Anti Virus, nothing was found.  I
checked the disk and no problem was found.  Even at the time it doesn't
boot from the hard disk, the boot sector passes every disk test.

I can not figure out what is going on.  Hope I can get some help from
you guys.  Thanks.
Yecheng

------------------------------

Date:    Thu, 16 Dec 93 16:02:58 -0500
From:    kannap@csvaxd.csuohio.edu (Mohan Kannapareddy)
Subject: Hhhhhhelllllllllllpppp--MONKEY virus (PC)

My PC has been infected with the Monkey Virus, nothing strange has
happened yet?  Does anyone have any suggestions as to how to go about
exterminatin' the damn thin'??.. Any help will be greatly appreciated
... I did try to download KILLMONK.EXE and run it, but nothing
happened, I mean the screen just hangs up on me.... I guess the Kermit
file transfer doesn't work too great..  Please, any suggestions are
welcome.

thanx

Cheers,
Mohan

------------------------------

Date:    Tue, 14 Dec 93 15:16:23 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Save all you can (CVP)

Ellen Carrico (ecarrico@spl.lib.wa.us) writes:

> fixed them so they won't boot from A, but I find it frustrating that I
> can't seem to get everyone to follow a simple procedure: 1) scan it
> 2)write-protect it 3) back it up to a clean disk 4) *then* install the
> software.

Actually, the order I would recommend should be slightly different:

1) Write-protect it
2) Back it up twice to two clean disks.
3) Lock the original and one of the backup copies in two different places
4) Scan the second backup copy.
5) Install from the scanned backup copy.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Wed, 15 Dec 93 01:50:04 -0500
From:    "Roger Riordan"
Subject: Re: save all you can (CVP)

Ellen Carrico writes

> > From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
> >
> > Ellen Carrico (ecarrico@spl.lib.wa.us) writes:
> >
> > > > program cost you, anyway?  $500?  Even if you don't have the
> > > > original disks to install it again, you can run down to the store
> >
> > > If you have a legal copy, you *should* have the disks, shouldn't you?
> >
> > You should, but they wouldn't necessarily be of any use to you.  Many
> > vendors still distribute their software on floppies that are not
> > permanently write-protected.  Chances are, that the victim of a virus
> > infection has managed to infect them too.
>
> I obviously spoke too soon.  Today - the user (a department manager)
> infected disks with stoned and then proceeded to install it on two new
> hard drives.  He had a scanner available, he just didn't use it
> because "they were the original disks".  Sigh.  We've had one
> experience of receiving disks from a vendor that were infected.  That
> wasn't the problem this time.  He had brought an infected disk with
> data on it from home and booted the machine with the disk in.  I've
> fixed them so they won't boot from A, but I find it frustrating that I
> can't seem to get everyone to follow a simple procedure: 1) scan it
> 2)write-protect it 3) back it up to a clean disk 4) *then* install the
> software.  Now wouldn't it be nice if I could find some way to charge
> off my time to *his* department?

Correction!

1. Write Protect it.
2. Check it.
3. etc.

If you check it before you write protect it, and find a virus, the
supplier will say "Oh?  You must have infected it!"  If you write
protect it, then check it, you can say "No!  It's your (favorite
expletive deleted) virus; I write protected the disk before I did
anything with it!"

Cheers,

Roger Riordan                        Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                       Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA     Fax: +613 521 0727

------------------------------

Date:    Wed, 15 Dec 93 19:34:33 -0500
From:    Gene Kim , Gene Spafford
Subject: Tripwire Version 1.1 released (UNIX)

Announcing the release of version 1.1 of Tripwire!
This version supersedes all previous versions of Tripwire. Version 1.1 includes many new features, small performance improvements, and several bug fixes. This version also comes complete with a rationale/design document (finally!).

Version 1.1 of Tripwire is probably the final release of Tripwire for some time to come. We have not heard any new bug reports or suggestions for new features in some time, so there is little "outside reason" to modify the program. Gene Kim is graduating and moving on to graduate school elsewhere, so there is also little "internal reason" to continue to tinker with the code.

Enclosed below is a brief description of what Tripwire is, a description of how to get a copy of the source code, and a list of new features added since the Version 1.0.5 release.

We greatly appreciate the time and effort expended by all the people who beta-tested various versions of Tripwire over the last year. Without the contributions and reports of these people, we are certain that the package would not be as complete as it is currently. We have tried to acknowledge all our testers and contributors in the documentation and Changlog file in this distribution; our sincere apologies if we forgot anyone.

Also, our thanks to COAST sponsors and sponsors of COAST research projects who helped fund this project, directly or indirectly. This includes especially Bell Northern Research, Trident Data Systems and the US Air Force. (Be sure to read the COAST.info file!)

15 December 1993

Gene Kim
Gene Spafford

What is Tripwire?
-----------------

Tripwire is an integrity-monitor for Unix systems. It uses several checksum/message-digest/secure-hash/signature routines to detect changes to files, as well as monitoring selected items of system-maintained information. The system also monitors for changes in permissions, links, and sizes of files and directories. It can be made to detect additions or deletions of files from watched directories.
The configuration of Tripwire is such that the system/security administrator can easily specify files and directories to be monitored or to be excluded from monitoring, and to specify files which are allowed limited changes without generating a warning. Tripwire can also be configured with customized signature routines for site-specific checks.

Tripwire, once installed on a clean system, can detect changes from intruder activity, unauthorized modification of files to introduce backdoor or logic-bomb code, and virus activity (if any were to exist) in the Unix environment.

Tripwire is provided as source code with documentation. The system, as delivered, performs no changes to system files and does not require root privilege to run (in the general case). The code has been extensively tested at many sites. Tripwire should work on almost any version of Unix, from Xenix on 80386-based machines to Cray and ETA-10 supercomputers.

Tripwire may be used without charge, but it may not be sold or modified for sale.

Tripwire was written as a project under the auspices of the COAST Project at Purdue University. The primary author was Gene Kim, with the aid and under the direction of Gene Spafford (COAST Director).

Where to Get Tripwire
---------------------

Copies of the Tripwire distribution may be ftp'd from ftp.cs.purdue.edu from the directory pub/spaf/COAST/Tripwire. The distribution is available as a compressed tar file, and as uncompressed shar kits. The shar kit form of Tripwire version 1.1 will also be posted to comp.sources.unix on the Usenet.

A mailserver exists for distribution and to provide a means of reporting bugs. To use the mail server, send e-mail to "tripwire-request@cs.purdue.edu" with a message body consisting solely of the word "help". The server will respond with instructions on how to get sources, patches (if any are issued), and how to report a bug (which we hope doesn't happen!).
Questions, comments, complaints, bugfixes, etc may be directed to:

    gkim@cs.purdue.edu (Gene Kim)
    spaf@cs.purdue.edu (Gene Spafford)

Changes from Version 1.0.x to Version 1.1
-----------------------------------------

Version 1.1 considerably upgrades the functionality of Tripwire. All known bugs have been fixed, and many selected features have been added at the request of Tripwire users. Among the major changes are:

- rewrite of the "-update" command.
- addition of an "-interactive" command that prompts the user whether a changed file's database entry should be updated.
- addition of a "-loosedir" command for quieter Tripwire runs.
- support for monotonically growing files in tw.config.
- addition of comprehensive test suite to test Tripwire functionalities.
- hooks for external services (i.e., compression, encryption, networking) through "-cfd" and "-dfd" options.
- addition of the new NIST SHA/SHS signature algorithm.
- corrections and changes in the MD2, MD4, MD5, CRC32, and Snefru signature routines.
- addition of a more rigorous signature test suite.
- more error checking in tw.config @@directives.
- siggen replaces sigfetch.
- addition of a tw.config file for Solaris v2.2 (SVR4).
- change of base-64 alphabet to conform to standards.
- preprocessor macro fixes.

New Tripwire database format:
=============================

The Tripwire database format has changed slightly since v1.0, using a different base-64 alphabet. Use the twconvert program to convert v1.0 databases to v1.1 databases (located in the ./aux directory).

Updating the Tripwire database:
===============================

There has been a major rewrite/rethink of the "tripwire -update" command, as well as the addition of a "tripwire -interactive" command which allows the user to interactively select which database entries should be updated. No vestiges of the "-add" or "-delete" command remain, since the "-update" command now automatically deletes and adds files.
However, the preferred way of keeping Tripwire databases in sync with the filesystems is using the "-interactive" command. A Tripwire session using Interactive mode might look like:

6:25am (flounder) tw/src 1006 %% tripwire -interactive
### Phase 1:   Reading configuration file
### Phase 2:   Generating file list
### Phase 3:   Creating file information database
### Phase 4:   Searching for inconsistencies
###
###                     Total files scanned:            49
###                           Files added:              0
###                           Files deleted:            0
###                           Files changed:            49
###
###                     After applying rules:
###                           Changes discarded:        47
###                           Changes remaining:        2
###
changed: drwx------ genek        1024 May  3 06:25:37 1993 /homes/genek/research/tw/src
changed: -rw------- genek        7978 May  3 06:24:19 1993 /homes/genek/research/tw/src/databases/tw.db_flounder.Eng.Sun.COM.old
### Phase 5:   Generating observed/expected pairs for changed files
###
### Attr        Observed (what it is)         Expected (what it should be)
### =========== ============================= =============================
/homes/genek/research/tw/src
      st_mtime: Mon May  3 06:25:37 1993     Mon May  3 06:11:39 1993
      st_ctime: Mon May  3 06:25:37 1993     Mon May  3 06:11:39 1993

---> File: '/homes/genek/research/tw/src'
---> Update entry?  [YN(y)nh?] y

### Updating database...
###
### Phase 1:   Reading configuration file
### Phase 2:   Generating file list
### Phase 3:   Updating file information database
###
### Warning:   Old database file will be moved to `tw.db_flounder.Eng.Sun.COM.old'
###            in ./databases.
###
6:25am (flounder) tw/src 1007 %%

Tripwire prompts the user whether the database entry of the current file should be updated to match the current file information. Pressing either 'y' or 'n' either updates the current file or skips to the next file. Pressing 'Y' or 'N' applies your answer to the entire entry. (I.e., if /etc is changed, typing 'Y' will not only update /etc, but it will also update all the files in /etc.)
Tripwire exit codes:
====================

Tripwire exit status can be interpreted by the following mask:

    1: run-time error. aborted.
    2: files added
    4: files deleted
    8: files changed

For example, if Tripwire exits with status code 10, then files were found added and changed. (i.e., 8 + 2 = 10.)

Tripwire quiet option:
======================

When run with the -q option, Tripwire really is quiet, printing only one-line reports for each added, deleted, or changed file. The output is more suitable for parsing with awk or perl.

Monotonically growing files:
============================

The ">" template is now supported in the tw.config files. This template allows files to grow without being reported. However, if the file is deleted or is smaller than the size recorded in the database, it is reported as changed.

Loose directory checking:
=========================

This option was prompted by complaints that Tripwire in Integrity Checking and Interactive mode unnecessarily complains about directories whose nlink, ctime, mtime, or size have changed. When Tripwire is run with the "-loosedir" option, directories automatically have these attributes included in their ignore-mask, thus quieting these complaints.

Note that this option is not enabled by default, making normal Tripwire behavior no different than previous releases. However, running with this option enabled considerably decreases "noise" in Tripwire reports.

(Ideally, this "loose directory checking" should be offered on a per-file basis in the tw.config file. However, adding another field to the tw.config file was too extensive a change to be considered for this release. A later release of Tripwire may rectify this.)

Hooks for external services:
============================

Tripwire now supports the "-cfd" and "-dfd" options that allow the user to specify an open file descriptor for reading the configuration file and database file, respectively.
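The following is an added example for readers of this digest, not code from the Tripwire distribution. It is a small Python model of the check described under "What is Tripwire?" above (digest, mode and size recorded on a clean system and compared on a later run) together with the two details just described: the ">" template, under which a file may grow but is reported if it shrinks or disappears, and the exit-status mask (2 added, 4 deleted, 8 changed). The file names, modes and contents are constructed, in-memory samples rather than a real filesystem, and the function names (make_entry, compare, exit_status, decode_status, quiet_report, run_check) are this example's own; the decision to keep checking the mode of a ">" file is also this example's choice, not a statement about Tripwire's template.

```python
"""Model of a Tripwire-style integrity check (added example, not Tripwire code)."""
import hashlib
from dataclasses import dataclass

# Exit-status mask as documented in the Tripwire 1.1 announcement.
EXIT_ERROR, EXIT_ADDED, EXIT_DELETED, EXIT_CHANGED = 1, 2, 4, 8


@dataclass(frozen=True)
class Entry:
    mode: int   # permission bits, as st_mode & 0o7777 would give them
    size: int
    md5: str    # hex digest of the contents


def make_entry(mode: int, data: bytes) -> Entry:
    """Record what the database keeps for one file (here only mode, size, MD5)."""
    return Entry(mode, len(data), hashlib.md5(data).hexdigest())


def compare(database: dict, observed: dict, growing: set) -> dict:
    """Return {'added': [...], 'deleted': [...], 'changed': [...]}.

    `database` and `observed` map path -> Entry; `growing` holds the paths
    listed with the ">" template (files that may only grow).
    """
    report = {"added": [], "deleted": [], "changed": []}
    for path in sorted(set(database) | set(observed)):
        old, new = database.get(path), observed.get(path)
        if old is None:
            report["added"].append(path)
        elif new is None:
            report["deleted"].append(path)           # deletion counts under ">" too
        elif path in growing:
            # ">" template: growth is expected, so the digest cannot be checked;
            # a shrink is a change. Keeping the mode check is this example's choice.
            if new.size < old.size or new.mode != old.mode:
                report["changed"].append(path)
        elif new != old:                             # any of mode, size, digest differs
            report["changed"].append(path)
    return report


def exit_status(report: dict) -> int:
    """Combine the findings into the documented bitmask."""
    status = 0
    if report["added"]:
        status |= EXIT_ADDED
    if report["deleted"]:
        status |= EXIT_DELETED
    if report["changed"]:
        status |= EXIT_CHANGED
    return status


def decode_status(status: int) -> list:
    """Turn an exit status back into words, e.g. 10 -> ['added', 'changed']."""
    if status & EXIT_ERROR:
        return ["run-time error"]
    names = [(EXIT_ADDED, "added"), (EXIT_DELETED, "deleted"), (EXIT_CHANGED, "changed")]
    return [name for bit, name in names if status & bit]


def quiet_report(report: dict) -> list:
    """One line per finding, the kind of output the -q option is meant for."""
    return [f"{kind}: {path}" for kind in ("added", "deleted", "changed")
            for path in report[kind]]


# Constructed sample: what the database recorded on a clean system ...
DATABASE = {
    "/bin/login":        make_entry(0o4755, b"login v1"),
    "/etc/passwd":       make_entry(0o644,  b"root:x:0:0\n"),
    "/etc/hosts.equiv":  make_entry(0o644,  b"+\n"),
    "/var/log/messages": make_entry(0o644,  b"line1\n"),
    "/var/log/wtmp":     make_entry(0o664,  b"AAAA"),
}
# ... and what a later scan observes (also constructed).
OBSERVED = {
    "/bin/login":        make_entry(0o4755, b"login v2"),        # same size and mode; only the digest differs
    "/etc/passwd":       make_entry(0o644,  b"root:x:0:0\n"),    # unchanged
    "/var/log/messages": make_entry(0o644,  b"line1\nline2\n"),  # grew: allowed by ">"
    "/var/log/wtmp":     make_entry(0o664,  b"AA"),              # shrank: reported even under ">"
    "/usr/lib/.hidden":  make_entry(0o755,  b"new file"),        # added
}                                                                # /etc/hosts.equiv is gone: deleted
GROWING = {"/var/log/messages", "/var/log/wtmp"}


def run_check():
    """Run the comparison on the sample data; returns (report, exit status)."""
    report = compare(DATABASE, OBSERVED, GROWING)
    return report, exit_status(report)


if __name__ == "__main__":
    report, status = run_check()
    for line in quiet_report(report):
        print(line)
    print("exit status", status, decode_status(status))
```

On the sample data the scan yields one added, one deleted and two changed files, so the status is 2 + 4 + 8 = 14; /bin/login is caught only because the digest is compared, since its size and mode are unchanged, and /var/log/messages is silent because it only grew.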
Using these options, an external program can feed Tripwire both input files through open file descriptors. This external program could supply services not provided through Tripwire, such as encryption, data compression, or a centralized network server.

This program might do the following: open the database and configuration files, process or decode them (i.e., uncompress the file), and then write out the regularly formatted file to a temporary file. Open file descriptors to these files are then passed to Tripwire by command-line arguments through execl().

An example of using a shell script to compress and encrypt your files is given in ./contrib/zcatcrypt. It is a four line Bourne shell script that encrypts and compresses the database and configuration files. It uses a named pipe (FIFO) to do this.

SHA/SHS signature routines:
===========================

Tripwire now includes SHA/SHS, the proposed NIST Digital Signature Standard. See the README file for details on this algorithm.

Please note that the SHA code in ./sigs/sha seems to be poorly handled by many optimizing C compilers. For example, the stock C compiler included with SunOS 4.x takes almost two minutes to compile this file with the -O option on a Sparcstation10. Other compilers (such as GCC) do not have this problem.

Change in tw.config preprocessor:
=================================

The tw.config preprocessor has been changed to allow the proper expansion of @@variables in filenames. The following use of @@define now works as expected:

    @@define DOMAIN_NAME my_main_nis_domain
    /var/yp/@@DOMAIN_NAME          L
    @@DOMAIN_NAME/FOO              L

(This is the third attempt at getting this working correctly. We finally fixed this by moving the macro expansion routines into the lexical analyzer.)

Expanded test suite:
====================

The Tripwire test suite now includes a more standard signature test suite.
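The following is an added example, not Tripwire's ./contrib/zcatcrypt script. It models in Python the mechanism described above for "-cfd" and "-dfd": a wrapper decodes the stored configuration and database (here gzip-compressed, constructed samples standing in for whatever compression or encryption a site uses) and starts the checker with already-open descriptors named on its command line, so the decoded plaintext travels through pipes rather than being written to a temporary file. Because the tripwire binary itself is not available here, the child is a stand-in python -c program that reads both descriptors to EOF and reports what it received; its behaviour, the option spelling and all file contents are this example's assumptions.

```python
"""Feeding a checker its inputs through open file descriptors (added example)."""
import gzip
import os
import subprocess
import sys
import threading

# Constructed sample inputs, kept compressed the way a wrapper might store them.
CONFIG_TEXT = b"/etc/passwd R\n/var/log/messages >\n"
DATABASE_TEXT = b"# constructed database\n/etc/passwd 0 644 ...\n"
CONFIG_GZ = gzip.compress(CONFIG_TEXT)
DATABASE_GZ = gzip.compress(DATABASE_TEXT)

# Stand-in for "tripwire -cfd N -dfd M" (assumed spelling): read both
# descriptors to EOF, then report byte counts and the first config line.
CHILD = r"""
import os, sys
args = sys.argv[1:]
cfd = int(args[args.index("-cfd") + 1])
dfd = int(args[args.index("-dfd") + 1])
config = os.fdopen(cfd, "rb").read()
database = os.fdopen(dfd, "rb").read()
print(len(config), len(database))
print(config.decode().splitlines()[0])
"""


def feed(write_fd: int, data: bytes) -> None:
    """Writer side of one pipe: stream the decoded bytes, then close so the reader sees EOF."""
    with os.fdopen(write_fd, "wb") as w:
        w.write(data)


def run_with_fd_hooks(config_gz: bytes, database_gz: bytes) -> tuple:
    """Decode both blobs into pipes and start the checker on the read ends.

    Returns (config_bytes_seen, database_bytes_seen, first_config_line)
    as reported by the child.
    """
    pipes = [os.pipe() for _ in range(2)]            # each is (read_end, write_end)
    read_ends = [r for r, _ in pipes]
    argv = [sys.executable, "-c", CHILD,
            "-cfd", str(read_ends[0]), "-dfd", str(read_ends[1])]
    # pass_fds keeps exactly these descriptors open, with the same numbers,
    # in the child; everything else is closed, so the child sees only what we hand it.
    proc = subprocess.Popen(argv, pass_fds=read_ends,
                            stdout=subprocess.PIPE, text=True)
    for r in read_ends:
        os.close(r)                                   # the parent keeps only the write ends
    # One writer thread per pipe, so the order in which the child reads
    # the two descriptors cannot deadlock the parent on a full pipe buffer.
    writers = [threading.Thread(target=feed, args=(w, gzip.decompress(blob)))
               for (_, w), blob in zip(pipes, (config_gz, database_gz))]
    for t in writers:
        t.start()
    out, _ = proc.communicate()
    for t in writers:
        t.join()
    if proc.returncode != 0:
        raise RuntimeError(f"checker exited with status {proc.returncode}")
    counts, first_line = out.splitlines()[:2]
    config_len, database_len = (int(n) for n in counts.split())
    return config_len, database_len, first_line


if __name__ == "__main__":
    print(run_with_fd_hooks(CONFIG_GZ, DATABASE_GZ))
```

The design point is that the decoded configuration and database exist only in the pipe buffers and in the child's memory; the announcement's shell version achieves the same with a named pipe (FIFO) instead of an anonymous pipe. Whatever does the decoding should, of course, be as trusted as the database it decodes.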
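The following is an added example, not the Tripwire preprocessor. It is a small stand-alone model of the @@define behaviour described just above: a "@@define NAME value" line binds NAME, and a later @@NAME is replaced wherever it appears in a line, including the middle of a filename, which is the case the announcement says required moving expansion into the lexical analyzer. The input is the announcement's own two tw.config lines plus two constructed ones; the function name preprocess and the decision to reject an undefined @@variable with an error are this example's choices.

```python
"""Expansion of @@define variables in tw.config-style lines (added example)."""
import re

# "@@define NAME value" directive; the value is the rest of the line, trimmed.
DEFINE = re.compile(r"^@@define\s+(\w+)\s+(.*?)\s*$")
# A variable reference anywhere in a line, e.g. /var/yp/@@DOMAIN_NAME
VAR = re.compile(r"@@(\w+)")


def preprocess(lines):
    """Return the expanded non-directive lines; raise ValueError on an undefined variable."""
    env = {}
    out = []
    for lineno, line in enumerate(lines, 1):
        m = DEFINE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
            continue                      # directives produce no output line

        def substitute(match):
            name = match.group(1)
            if name not in env:
                raise ValueError(f"line {lineno}: @@{name} is not defined")
            return env[name]

        out.append(VAR.sub(substitute, line))
    return out


# The announcement's example, followed by two constructed lines.
SAMPLE = [
    "@@define DOMAIN_NAME my_main_nis_domain",
    "/var/yp/@@DOMAIN_NAME          L",
    "@@DOMAIN_NAME/FOO              L",
    "@@define LOGDIR /var/log",        # constructed
    "@@LOGDIR/messages              >",  # constructed: a growing file under LOGDIR
]

if __name__ == "__main__":
    for line in preprocess(SAMPLE):
        print(line)
```

Expanding at the token level, as this model does, is what makes a variable inside a path work; an expander that only recognised a line starting with @@NAME would leave /var/yp/@@DOMAIN_NAME untouched, which is the symptom the announcement describes fixing.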
This was prompted by discovery of several implementation errors in the MD2, MD4, and MD5 signature routines that were introduced right before the official release of Tripwire. (Thanks Eugene Zaustinsky.)

Two more test suites have been added. One iterates through all the Tripwire reporting functionalities, and exercises all the database update cases. The other test suite checks for proper Tripwire preprocessor macro expansions.

CRC32 changes:
==============

Furthermore, the CRC32 signature routine is now POSIX 1003.2 compliant. (Thanks Dan Bernstein.)

"siggen" replaces "sigfetch":
=============================

As a tester noted, "sigfetch" was a misnomer as nothing was actually being fetched. Consequently, it was easy to (incorrectly) conclude that "sigfetch" retrieved signatures from the database. The "siggen" command is the current incarnation of "sigfetch". The manual pages reflect this change.

Source code cleanup:
====================

The authors went through the sources, doing generic cleanups to aid in code comprehension.

Bug fixes:
==========

This release fixes all known bugs. The TODO list, however, gives a wishlist of features that may be included in future releases.

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 160]
******************************************