VIRUS-L Digest Friday, 1 Feb 1991 Volume 4 : Issue 18 ****************************************************************************** Today's Topics: Re: Text in MLTI virus (PC) Boot Sector/Partition Table Protection (PC) Hardware damage? Virex 3.0 init problems? (Mac) Table of Contents for Virus-L Digest Virus Proctection in Real Time Re: Text in MLTI virus (PC) STONED in files (PC) RE: Anti-virus policies Re: Word Perfect and change checkers (PC?) New viruses (PC) re: Antiviral product contact list (PC); Re: Infected vendor software (Mac) Weird Thing With F-Prot (PC) Re: Problem with virus checker (PC) Re: Stoned virus in partition table (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Wed, 30 Jan 91 17:28:00 +0200 From: Y. Radai Subject: Re: Text in MLTI virus (PC) Fridrik Skulason asked about the meaning of the following text in the MLTI virus: > This programm was written in the city of Prostokwashino > (C) 1990 RED DIAVOLYATA The following info was supplied to me by a co-worker who recently emigrated from the USSR: "RED DIAVOLYATA" is a partial translation of "Krasnie Dyavolyata". It and "Prostokvashino" are the names of well-known Soviet films. "Dyavolyata" was apparently too hard for the virus-writer to translate. It means something like "little devils", and "Krasnie Dyavolyata" refers to the youth who fought against the White Army during the Russian Revolution. The village "Prostokvashino" is a fictitious one, which explains why Brian McMahon didn't find it in the books he consulted. Y. Radai RADAI@HUJIVMS.BITNET ------------------------------ Date: 30 January, 1991 From: Padgett Peterson Subject: Boot Sector/Partition Table Protection (PC) >>From: gt1546c@prism.gatech.edu (Gatliff, William A.) >>To help combat this, what would be the possibility of 'delibrately' >>infecting ones boot-sector with a piece of code that would display >>some kind of 'ok' message if it hadn't been tampered with? Exactly what I was talking about in issue 17 except the "partition table" sector (absolute sector one) should be used, not the boot sector. More, such code can be used to prevent any tampering with itself, the real partition table, or the active boot sector. At one extreme I have tried on a system with C: & D: drives was to put all executables on the C: drive and prohibit ANY writes or formats to that drive (except with a special maintenance program). The D: drive just has its low area protected and contains mutable programs and data. A university or corporate environment might allow writing only to floppies or bernoullis, protecting the hard disk. While such software techniques alone cannot prevent an infected boot from occurring from a floppy - only hardware can do this - they do allow such intrusion to be detected prior to the load of the OS and can block any such infection thereafter. I hope that this will stimulate some activity on the part of the vendors to provide such protection - it is not difficult to write, but for me, I would no longer consider any product complete unless some such form of low level protection was included. Padgett ps: This is my hobby - you should see my job. ------------------------------ Date: Tue, 29 Jan 91 17:10:38 +0000 From: hagins@gamecock.rtp.dg.com (Jody Hagins) Subject: Hardware damage? Please forgive my ignorance on this subject... Is it possible for a virus, etc to cripple physical hardware components? I ask as I have recently experienced an abrupt halt of my system, frying my power supply. This occurred after aquiring a piece of software from a supposedly very reliable source. Just wondering if this is related, or a coincidence. Thanks for any help! Jody Hagins hagins@gamecock.rtp.dg.com Data General Corp. 62 Alexander Dr. RTP, N.C. 27709 (919) 248-6035 Nothing I ever say reflects the opinions of DGC. ------------------------------ Date: Wed, 30 Jan 91 13:10:47 -0600 From: "Stan Kerr" Subject: Virex 3.0 init problems? (Mac) I just received Virex 3.0 a few days ago, and as soon as I installed it, Gatekeeper (1.1) started going crazy, complaining about things I had specified to allow in its configuration menu. As an example, I got NUMEROUS complaints that DA Handler was violating 'Res(other)' privileges against various applications. As soon as I turned off the Virex init, the complaints stopped. - -------------------------------------------------------- Stan Kerr Internet: stankerr@uiuc.edu University of Illinois BITNET: stankerr@uiucvmd Computing Services Office Phone: (217) 333-5217 1304 W. Springfield Urbana IL 61801 ------------------------------ Date: Tue, 29 Jan 91 15:44:41 -0500 From: Colin Lay Subject: Table of Contents for Virus-L Digest Being a dedicated listener, and occasional contributor, to VIRUS-L Digest, I sometimes want to find out what was said, when, and by whom. There is no index to the Digest topics I am aware of, and therefore I decided to start the process, at least for myself, by creating a Table of Contents on a month by month basis. I routinely download and ZIP the Digest and store the results on floppies (720K), in 1 month groups. The big problem is where to find what I am looking for, a month or so later. My partial solution is to use the following WordPerfect 5.1 macros to strip out all but the topic list and individual submission Date, From and Subject entries. So far in the month of January 1990, issues 1 to 16 are reduced to a Table of Contents file of 35,161 bytes, while the ZIPped digests are 148,044 bytes long, and the originals take 335377 bytes. Following the macros in this submission I am including a sample of the output from Vol.4 Issue 1. If there is sufficient interest, I can submit the Table of Contents on a regular basis to the Digest or some other appropriate repository. [Ed. You might want to also take a look at Anthony Appleyard's index system.] ============================================================= Macro: Action File VIRUSL.WPM Description cleanup Virus-L Digest for Tbl of Con. -------------------------------------------------------- {DISPLAY OFF}{Block}{Search}{Enter} virus{Home}-l {Search}{Home}{Left}{Backspace}y{Enter} {Search}{Search}{Home}{Left}{Block}{Search}{Enter} Date: {Search}{Home}{Left}{Backspace}y {CHAIN}vira~ -------------------------------------------------------- Macro: Action File VIRA.WPM Description Clean indiv.submiss. to Date,From,Subj -------------------------------------------------------- {DISPLAY OFF} {ON NOT FOUND}{GO}end~~ {Search}{Enter} Subject: {Search}{Home}{Left}{Down}{Enter} {Block}{Search}{Enter} Date: {Search}{Home}{Left}{Backspace}y {CHAIN}vira~ {RETURN} 1 {LABEL}end~ {CHAIN}virb~ {RETURN} -------------------------------------------------------- Macro: Action File VIRB.WPM Description Cleanup last submission to eof -------------------------------------------------------- {DISPLAY OFF}{Home}{Home}{Down} {Up}{Up}{Up}{Up}{Up}{Backspace}y{Down} {Down}{Down}{Block}{Home}{Home}{Down}{Backspace}y{HPg} -------------------------------------------------------- ============================================================== VIRUS-L Digest Wednesday, 2 Jan 1991 Volume 4 : Issue 1 Today's Topics: EXE file compression with LZEXE and PKLITE (PC) Macvirus index? (Mac) Disk Utilities (PC) Re: Virus Protection (PC) more about the conference in Hamburg ZeroHunt Virus (PC) Re: Viruses for the holidays & admin note please stop the requests Re: (1) GAO Report on Computer Security Zmodem infected with Violator (PC) UK Computer Crime Unit MIBSRV downtime WP viri and bugs (PC) Unix and Mainframe Viruses New virus (PC) Date: 20 Dec 90 14:22:50 +0000 From: Mark Scase Subject: EXE file compression with LZEXE and PKLITE (PC) Date: Thu, 20 Dec 90 11:58:36 -0800 From: rrk@planets.risc.com (Richard Killion) Subject: Macvirus index? (Mac) Date: Thu, 20 Dec 90 15:14:00 -0400 From: Bill Thater Subject: Disk Utilities (PC) Date: Thu, 20 Dec 90 22:06:33 -0800 From: sulistio@sutro.SFSU.EDU (Sulistio Muljadi) Subject: Re: Virus Protection (PC) etc. etc. etc. Colin M. Lay,Assoc. Prof. Fac. of Administration, Univ. of Ottawa Tel. (613)564-7015 FAX (613) 564-6518 "Any opinions expressed are mine, not necessarily those of my employer." Acknowledge-To: ------------------------------ Date: Tue, 29 Jan 91 10:50:00 -0800 From: "David M. Ung x57408 >The MLTI virus contains this text - clearly a reference to the "Eddie" >>virus, but what does "RED DIAVOLYATA" mean ? (I want to emphasize >>that "Dark Avenger" is the name of the author of the "Eddie" virus - >>not the name of the virus itself.) >> >> Eddie die somewhere in time! >> This programm was written in the city of Prostokwashino >> (C) 1990 RED DIAVOLYATA >> Hello! MLTI! Perhaps our virus author is a heavy-metal fan. "Eddie" is the mascot of the group Iron Maiden. Eddie happens to be a {corpse, undead, zom- bie}. (I'm not sure which word to use. That group's discography in- cludes an album titled "Somewhere In Time". Hmmmm.....a techno-metalhead conspiracy, perhaps? Subliminal messages in rock albums inciting teenagers to digital terrorism? Hmmmmmmm..... | Wes Morgan, not speaking for | {any major site}!ukma!ukecc!morgan | | the University of Kentucky's | morgan@engr.uky.edu | | Engineering Computing Center | morgan%engr.uky.edu@UKCC.BITNET | Lint is the compiler's only means of dampening the programmer's ego. ------------------------------ Date: 30 January, 1990 From: Padgett Peterson Subject: STONED in files (PC) For those wanting to check for STONED in executables as mentioned earlier using the McAfee /ext switch, I would suggest trying the string "a1 4c 00 *(2) a3 ? ? a1 4e 00 a3" While this may generate some "false positives", I would like to know about ANY files that try to do this since it may indicate a low level (not through DOS) access of the INT 13 vectors. Note: use your own since duplication of one of Mr. McAfee's names may result in SCAN not checking for the virus otherwise. Padgett ------------------------------ Date: Thu, 31 Jan 91 10:57:00 +0100 From: "Nick FitzGerald" Subject: RE: Anti-virus policies In V4 #17 (Mon, 28 Jan 91) rtravsky@CORRAL.UWyo.Edu (Richard W Travsky) wrote: >[deletions] > 1. Viral Software > a. Viral scanning/cleaning software will not be used unless the > accompanying documentation has been read by the support person > doing the scan/cleanup. > b. Viral scanning/cleaning software should be kept reasonably up to date. >[As stated, we've had fairly low virus activity, so being up to date with >the latest is not real important - yet.] > c. More than software product should be used for cross checking purposes. > d. After removal of a virus, the machine/disk should be re-scanned to > verify removal. I would disagree on point b. - you should keep as up to date as there is. Whilst the virii you are most likely to experience are "old" and widely distributed, the newest scanner might one day save you from a very recent hard disk trasher. Unfortunately, it is difficult to convince most users (and "the powers that be") to go to the little extra trouble of updating their external virus file (or the software itself) as often as possible (unless they have been caught already). > 2. Maintenance >[good practices deleted] > c. All diagnostic disks will have write protect tabs. NO!! All such disks should be UNNOTCHED. Get one of your tech's to bypass the write-protect switch on drive B: on ONE machine that is in a very secure place. Make copies of diagnostics disks, installation disks (more below) etc onto disks that have not been notched. It may take a bit of effort on your part to find a supply, but do so and use them. (We found a ready supply in our safe - multiple copies of obsolete software packages like PC (IBM) DOS, PC-SAS.) For 3.5" disks pry the slide thingy out. (That's what I don't like about 3.5" disks compared to notchless 5.25" disks - a user with malicious intent can easily disable write-protection and then enable it without leaving any obvious signs of it). > d. If software is being restored to someone's machine (like a backup, > format, and then a restore) the disks should be checked for infection. > > 3. Installs >[We install software - like PC SAS - on users' machines. > a. When possible, install disks will have write protect tabs. > b. When write protect tabs can not be used, the install disks will be > checked for infection upon return. >[Some software, like dBase 4 we found, writes to the install floppy during >installation.] > c. User's machine should be checked for infection. >[This would take care of b .] Similar comments as above re write-protect tabs. Installation procedures that write to the installation disks are the pits. The sooner that vendors take the virus threat seriously, and start distributing their software on *unnotched* disks the better - McAfee Associates, are you listening? Some software licences we have allow us to install on many machines - we copy the original disks to notchless ones and distribute these to the users who want to install the programs. (We only do installation ourselves if specially asked - we would spend all our time doing them otherwise.) This may seem paranoid, but (before I started here) there was a case of the notched but write-protected disks our working copy was on coming back infected. The user had taken the tabs off the disks - because of past experience with install programs that required write access to the distribution disks - and dutifully stuck them back on when the installation was complete. This was not an intentionally malicious act. >[further good practices deleted] My recommendations above may seem a little strong for some, but I would say you're kidding yourself if you think you don't have to go to these lengths. Possible exception - *everyone* at your site who will *ever* have access to your disks and/or machines *always* does *everything* that *perfect* users *should* do. Get the point? Can't remember where, but I read the following somewhere: "Once is happenstance, twice is coincidence, three times is enemy action". With virii, "Once is enemy action", and you have to be very careful if you want to prevent that one event. - --------------------------------------------------------------------------- Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z. Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337 ------------------------------ Date: Thu, 31 Jan 91 03:53:55 +0000 From: hampster@wyatt.ksu.ksu.edu (Kip J Mussatt) Subject: Re: Word Perfect and change checkers (PC?) p1@arkham.wimsey.bc.ca (Rob Slade) writes: >csw76@seq1.keele.ac.uk (J.C. Kohler) writes: > >> I'm using a Dutch version of WP 5.1, does anybody has an ideay why >> F-XLOCK can't lock them, it displays an error message, which contains >> something about a illegal header. > >All versions of Word Perfect (at least since 4.2) have had a self >testing module on them. Neither F-XLOCK nor SCAN /AV nor any other >slef checker that adds code to the program can be used on it, since >the added code invalidates the internal self test. If I am understanding you correctly, WP 4.2 and later versions should be virus proof? If this is your assumption then why did we have an epidemic of the Jeru II virus that infected almost every wp 4.2, 5.0, and 5.1 at work? Again, if I am misunderstanding what you are saying about WP product, then please clarify. If not, then could you please shed some light on my question. Thanx -KJM ------------------------------ Date: Thu, 31 Jan 91 09:29:14 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: New viruses (PC) Well, folks - we now have around 400 PC viruses - currently we get on the average one new virus per day, and the rate is increasing...maybe we will have 1000 before the end of the year. Anyhow - for users of F-PROT 1.14 - please add the following encrypted signatures to the SIGN.TXT, to provide detection of the viruses I have received since Jan 15th. Hybryd iglMWj8jKMNAUHcZbj2AgYSdg9nmFsp7Ueys-pc3-ha7Iv Akuku 3Ux5pMu5858HMj5MgXdA19n8x4ybN5YtMmkm6PpykupSZ6 SVC3.1 3Hxnv5u5uM749Lydm-SnY4PoYnOwIt7V5fUuMFxBWfZa9j Paris iH15v5umAmruKeV504HK8eHKjrG8wEEjT5m2M5DsdwO+UO Doom2 zU1MCmKMA5m8UVPmT5Xpp3cMgB7jUE0MTmURMVc5zv5nOk Wolfman ZUo5pjKmujwA5fwOvjMMxl08fifY55pip5JWdwxhDU1eA7 MIX2 zw1NW58mAjwH4AuFV51rm6AtQlj5j62fXXjXFujf8gQelB 403 zHTkvju5AmvVgbS8Jl75nmwlrKxNc5N5gbED3mk5GKlYYn ACAD-2576 3g6jpmKMAMa62XAcz5hkFSwRqqUNd0m5HNimvOSWGrAHYb Ontario ZHJnWM-MimyuCuAwkj-28UnjxYjLwlMEWm1vRgKqE47UYK Leprosy iHNjpjKmumoXO8rHxotuxiWmtHW5mK4bD51CMK4Em5tnCG Perfume-731 Zwbjvju585fhqt5jjm7YpyNufwmMWj1jhOFtM53cOrmNYW Spyer ZgJnC58Mu5O8JVTjTmEmih4YV+vPmo74O810TMkjYd3tFW Ussr-1594 iUCTpmSMzmUkiMt26N5MURjKz7jaVpT8thP0bjfZcqbLHQ Sentinel zHJkpM8mum4YIPgBEPjMNMfPgBRsB5NmauFwe6At5j+8ol Monxla-B zHbmvjujKMSKWaQTjjWdfBe4Nb5uQg35XiMNWtMvSdIsbE Xmas Viol 3HRmvjuMAjnN4saOj5m8BhgDStp5MMFPUD6i9UBHDhTVHV ------------------------------ Date: 31 Jan 91 09:32:51 -0500 From: "Otto.Stolz" Subject: re: Antiviral product contact list (PC); You wrote: > The following is a list of antiviral product vendors, mostly for the > PC line. [...] > I would appreciate feedback on any errors or ommissions I did not see one of my favourite products on your list: Vendor: S&S International Ltd. Berkley Court, Mill Street Berkhamsted, Herts. HP4 2HB England Phone: +44 442 877 877 Fax: +44 442 877 882 (Note that address & phone have been changed around New Year 1991, so anybody having the old address in Chesham Bucks., please update your files!) BBS: +44 494 724 946 (used to be -- still valid??) E-Mail: Dr. Alan Solomon Product: Dr. Solomon's Anti-Virus Toolkit A German variant of this product is also available: Vendor: perComp Verlag GmbH Holzm&LU17.hlenstra&LS61.e 84 2000 Hamburg 70 Germany Phone: +49 40 693 2033 Fax: +49 40 695 9991 E-Mail: G&LU17.nter Mu&LS61.topf Product: Dr. Solomons Anti-Viren-Werkzeuge where "&LU17." is u-Umlaut (looking like a small letter u with diaeresis) and "&LS61." is German sharp-s (resembling a greek small beta) I know, Ken's system will trash genuine Umlauts and sharp-s, so I had to resort to this device ... :-( The toolkit is regularly updated & comes with a detailed documentation. It comprises tools for preventing, finding and removing viruses. The virus-scanner provided with this toolkit is the fastest I've ever seen; it's search-patterns are derived from the vendor's own research. Please do not regard the above as advertising: I'm not affiliated or otherwise economically connected to S&S, nor to perComp; I'm just a satisfied user. Btw, as it has been asked in VIRUS-L befor for information of this kind: We also use F-PROT, and I'm pleased with it. I try to convince as many users as possible to install F-DRIVER and F-OSCHK on their own computers (so far I've not been successful enough), and I use Dr. Solomon's FINDVIRU to cope with heavy virus incidents. I also use ancillary tools from both packages. A general remark: For virus-specific tools, particularly virus-scanners, your final product list should state 1. how often the tools will be updated; 2. where the virus-specific information is derived from. ad 1: These days, we are experiencing an ever increasing flood of new virus strains and variants. To cope with these new viruses, a virus-specific tool has to be updated regurlarly -- actually more often than any other product in the EDP market. I'd guess that we will have to arrive at monthly updating in the near future. ad 2: Many vendors take their search string from public sources. Now, two virus-specific tools from two different vendors are essentialy the very same thing when they exploit search patterns from the same external source. Only a vendor who does his own research into viruses and derives his own search patterns can offer a genuinely particular product. And the more different scanners a user applies, the more unknown variants of known viruses he is likely to spot. Best regards Otto Stolz ------------------------------ Date: Thu, 31 Jan 91 10:30:43 -0500 From: Joe McMahon Subject: Re: Infected vendor software (Mac) THE GAR writes: >BUT . . . SIMWARE's "SimMac 3.1 Application Disk" (Master Program), >which I received on or about Jan 11 was infected! SAM reports that it >was last altered on 12/21/90 at 12:55 PM. This INFURIATES me, as I >had up until today always trusted the programs that come straight from >the manufacturer sealed in the "Read Carefully BEFORE Opening" license >envelope! We have, many times, emphasized that manufacturers are human, too. Always scan *everything* you get, no matter what the source! --- Joe M. ------------------------------ Date: Thu, 31 Jan 91 10:05:43 -0700 From: rtravsky@CORRAL.UWyo.Edu (Richard W Travsky) Subject: Weird Thing With F-Prot (PC) This Wednesday I visited our Law school to check on problem with the pong virus in their computer lab (three machines, not a big lab). Each machine had a 5.25" drive and a 20 meg hard disk. I scanned the machines, booting off a tabbed write-protected floppy in the A: drive. I ran McAfee's Scan (version 4.5V6-B), said everything was ok. Out of curiousity, I also ran F-FCHK and F-BOOT from the F-PROT package (version 1.13). A funny thing happened: when F-FCHK came across the file INSTALL.EXE from the PCPANEL package (something to do with redirecting printer output) I got an error message saying it couldn't write to the A: drive (the familiar "abort, retry, fail"). I ran it again, same result. I ran it on another machine, same result when it came across that file. This is a bit weird. Didn't happen using Scan. Why should scanning a file provoke a write attempt? I realize these are not the latest versions of the packages, but I feel that to be irrelevant. Anyone have any ideas? +-----------------+ Richard Travsky | | Division of Information Technology | | University of Wyoming | | Bitnet: RTRAVSKY @ UWYO | | Internet: RTRAVSKY @ CORRAL.UWYO.EDU | U W | (307) 766 - 3663 / 3668 | * | "Wyoming is the capital of Denver." - a tourist +-----------------+ "One of those square states." - another tourist Home state of Dick Cheney, Secretary of Defense of these here UNITED STATES! ------------------------------ Date: 31 Jan 91 17:31:37 +0000 From: jesse@altos86.Altos.COM ( Jesse Chisholm) Subject: Re: Problem with virus checker (PC) PERETTI%auvm.auvm.edu@VM1.gatech.edu (Brian J. Peretti) writes: >A friend of mine is using the McAfee virus scan program on his computer. When >he attempts to run the program, however, the program does not run. As soon as >the line with the phone number comes up, some funny characters come onto the >screen and then the c: prompt reappears. Whenever he puts a clean disk into > the computer, the disk, when scanned on another machine, the stoned virus is >on the disk. Does anyone have an answer to this problem? > >Thanks, >Brian J. Peretti Sounds to me like two things have happened. (1) his machined has the STONED virus in its partition table (2) the copy of SCAN that he has is damaged. He should call the McAfee BBS and down load the current version as soon as possible. Since the STONED virus is there, he could go ahead and run the CLEAN program to remove it. Then see if SCAN could detect any more. ======================================================================== Jesse Chisholm | "Belief without understanding is superstition; jesse@Altos86.Altos.COM | Understanding without belief is theology; Tel 1-408-432-6200x4810 | It takes both for a living faith." Fax 1-408-434-0273 | -- Dr. Wolfgang Gross ------------------------------ Date: 31 Jan 91 17:36:51 +0000 From: jesse@altos86.Altos.COM ( Jesse Chisholm) Subject: Re: Stoned virus in partition table (PC) The STONED (and other partition table) virus is tricky to get rid of. I recommend getting the CLEAN program from McAfee Associates. McAfee Associates 4423 Cheeney Street Santa Clara, CA 95054 408 988 3832 (voice) 408 988 4004 (BBS) The current versions of SCAN and CLEAN may be downloaded. With these the STONED virus can be removed without the hassle of removing/losing data on the hard disk. ======================================================================== Jesse Chisholm | "Belief without understanding is superstition; jesse@Altos86.Altos.COM | Understanding without belief is theology; Tel 1-408-432-6200x4810 | It takes both for a living faith." Fax 1-408-434-0273 | -- Dr. Wolfgang Gross ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 18] *****************************************