From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #1 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Friday, 3 Jan 1992 Volume 5 : Issue 1 Today's Topics: Novell Inadvertantly distributes virus with update (PC) Re: password program (PC) Central-Point Anti-Virus Question (PC) Re: DOS 5.0 FDISK, UNFORMAT and the wily MBR (PC) Re: PC problem - possible virus? (PC) Re: virus outbreak in central Virginia (PC) TBScan v3.1 (PC) Unknown Mac virus? (Mac) General questions about viruses Virus capable of infecting Mainframes and PCs New files on Risc (PC) VIRx v1.9 Is Released ! (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Fri, 20 Dec 91 12:02:34 -0800 From: karyn@cheetah.llnl.gov (Karyn Pichnarczyk) Subject: Novell Inadvertantly distributes virus with update (PC) The following is an excerpt from CIAC bulletin C-11. The infected distribution occurred ONLY on 5 1/4 inch diskettes. Karyn Pichnarczyk - --------------------- CIAC has learned that Novell, Inc. has inadvertently sent diskettes infected with the Stoned-3 virus to Novell Netware customers. These diskettes are labelled "Network Support Encyclopedia - Standard Volume Update." The Novell part number for these disks is 883-001495-004. Infected diskettes were distributed from December 9 - 16, 1991. The Stoned-3 virus is a minor variation of the Stoned virus. This virus infects the boot sector of a hard disk or diskette and will sometimes display the message: "Your PC is now Stoned!.....LEGALISE MARIJUANA!" This virus becomes memory resident and will infect any other disks accessed by the PC while the virus is memory resident. For additional information, please see CIAC bulletins A-28 for more information on the Stoned virus family, and B-16 for a summary of known viruses. If you discover that the Stoned virus has infected your PC, it may be removed using the VIRHUNT package. CIAC also recommends that you follow a policy of scanning all new software before using or installing it on your PC. This policy should be followed for all vendor-supplied shrink-wrapped software as well as bulletin board or shareware software, since a few other vendors have inadvertently distributed viruses with packaged software in the past. CIAC recommends that if you are from a DOE site and are not already using an effective anti-viral scanner, you should contact your site's computer security department to obtain one. In addition, since new viruses are constantly being discovered, we recommend that you ensure that your anti-viral scanner has been updated to the most recent version. For additional information or assistance, please contact CIAC: Karen Pichnarczyk Tom Longstaff (510)422-1779** or (FTS) 532-1779 (510)423-4416** or (FTS) 543-4416 karyn@cheetah.llnl.gov longstaf@llnl.gov (FAX) (510) 423-8002** or (FTS) 543-8002 Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193**/(FTS)532-8193. **Note area code has changed from 415, although the 415 area code will work until Jan. 1992. PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Some of the other teams include the NASA NSI response team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your agency's team will coordinate with CIAC. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes. ------------------------------ Date: 19 Dec 91 17:54:38 +0000 From: bdrake@oxy.edu (Barry T. Drake) Subject: Re: password program (PC) Another way to reset the CMOS is to disconnect the battery. If it's a soldered-in NiCad, try draining it completely with a light bulb or other load (unless you *really* want to unsolder it). - --Barry (bdrake@oxy.edu) ------------------------------ Date: Thu, 19 Dec 91 22:17:54 -0700 From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) Subject: Central-Point Anti-Virus Question (PC) I gather that CPAV includes a "self-integrity check" routine that can be appended to files. My question: is the size of this appendix constant, or does it vary? I suspect it varies, in the range of 700 - 1000 bytes. Can someone who knows the product please confirm or refute this? Tim. ------------------------------------------------------------- Tim Martin * Soil Science * These opinions are my own: University of Alberta * My employer has none! martin@cs.ualberta.ca * ------------------------------------------------------------- ------------------------------ Date: Fri, 20 Dec 91 18:34:00 +0200 From: Y. Radai Subject: Re: DOS 5.0 FDISK, UNFORMAT and the wily MBR (PC) Padgett Peterson writes: >The new FDISK is not so well known but is just as effective for the >MBR if the cunningly named /MBR switch is used however you will not >find mention of this by typing FDISK /? or HELP FDISK. Nor could I >find it in the hologram-equipped manual that came with the software >from EggHead but it does seem to work in replacing the MBR code >section while maintaining the Partition-Table. The /MBR parameter of FDISK is an undocumented feature of DOS 5 (both PC-DOS and MS-DOS) which replaces the code in the Master Boot Record with a clean copy, but leaves the Partition Table as is. It is there- fore effective in removing MBR infections (provided that the virus has not modified the Partition Table). Although this feature was mentioned by Bill Arnold in Virus-L/comp.virus half a year ago and in the Virus Bulletin in its November issue, my experience is that very few people, even experienced virus fighters, know of its existence, and those who do seem to be unaware that it can also be used on machines running DOS *prior to Ver. 5*. All that is necessary is to find a (clean) DOS 5 system diskette, to copy FDISK.EXE from DOS 5 onto that diskette, to cold boot the infected machine from the diskette, and then to perform FDISK /MBR . Works beautifully. Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ Date: Sat, 21 Dec 91 23:10:50 -0800 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Re: PC problem - possible virus? (PC) cci632!sjfc!od9425@ccicpg.irv.icl.com (Ogden Dumas) writes: > Question for all: Is there a virus that can infect BOTH PCs and > Mainframes? The place where I am working is networking and I am trying to > find out what possible threats can arise from this. Thanx. The answer to your question is: yes and no. No, there is no current PC virus which would "infect" mainframes in the sense of being active in them. However, in a networking situation, viral infections can spread "through" the medium of a mainframe being used as a server. Mainframe and network viri or worms may be able to infect PC's in the net. This is due to the more complex nature of mainframe viri, and the use of "interpreters" in network machines. One example is the Morris/Internet?UNIX worm which contained "source" code in the most basic form which would be interepretted by a number of different machines, as well as "object" code for different machines it expected to encounter. The CHRISTMA EXEC of a few years back relied strictly upon a common interpretted language, REXX. A PC version of REXX is available, and is used in IBM based networks in order to assist in automating communications between machines. However, at present this type of situation is relatively rare. For the moment, infections crossing OS lines are extremely unlikely. ============= Vancouver p1@arkham.wimsey.bc.ca | "Remember, by the Institute for Robert_Slade@mtsg.sfu.ca | rules of the game, I Research into CyberStore | *must* lie. *Now* do User (Datapac 3020 8530 1030)| you believe me?" Security Canada V7K 2G6 | Margaret Atwood ------------------------------ Date: 23 Dec 91 09:48:39 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: virus outbreak in central Virginia (PC) HAYES@urvax.urich.edu writes: > Msg #: 3005 MAIN > From: TOM HUFFMAN Sent: 12-18-91 22:23 > To: ALL Rcvd: 12-19-91 05:23 > Re: DIR-2 WARNING!!! > We have had a "slight" attack of the DIR-2 virus in the School of > Business at VCU. We found the virus on almost 10-15 computers... two Sigh... :-(( It began to happen... With the source of this incredibly infectious virus published world-wide, what else do you expect?... > We have McAfee's VSHIELD v84 on all the machines, but they never > detected the infections! The virus was however found with version 85. Hmm, strange... The original, as posted, was for a quite weird and unpopular assembler... (No, -not- A86.) If assembled with MASM/TASM, it will generate a variant of the virus (perfectly working, though). Maybe somebody already did this? > This virus has already trashed several hard disks, which need to be > formatted because they're beyond help!! Since this virus is He must be kidding! No reformatting is necessary! Just reboot from a non-infected diskette; delete all executable files; and run CHKDSK/F on the infected machine. This way you'll lose only the executables, which you can restore from a clean backup... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -246 Vogt-Koeln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Thu, 01 Jan 70 00:00:00 +0000 From: djonge@isis.cs.du.edu (Denny de Jonge) Subject: TBScan v3.1 (PC) I'm using Thunderbyte's TBScan v3.1, with virussignatures dated 14-nov-1991. If someone is interested I can post it here. Denny ------------------------------ Date: Sun, 22 Dec 91 19:12:00 -0500 From: "dholland@husc10.harvard.edu"@HUSC3.HARVARD.EDU Subject: Unknown Mac virus? (Mac) A friend of mine was cleaning up his sister's Mac Classic today, and discovered and removed the CDEF virus using Disinfectant (2.5.1). He also installed Gatekeeper. Now, later on, we discovered that starting Microsoft Word generated a Gatekeeper alert; plus, the menus were printed in the wrong font. Furthermore, the System file was over 1 megabyte, with no DAs or fonts or anything else installed except for the standard ones that come with every Mac. Worst of all, the Grouch was deleted without warning from the System Folder while we were looking around. Disinfectant still reported the system clean. I haven't been reading this group very regularly of late; is there a new Mac virus around? (The Mac in question has been at Brown lately.) Unfortunately, I don't have a sample: the computer is needed, so we did a low-level format and reinstalled everything from clean copies. - -- - David A. Holland dholland@husc.harvard.edu Just say NO to vi. ------------------------------ Date: Sun, 22 Dec 91 02:56:48 +0000 From: nkjle@locus.com (John Elghani) Subject: General questions about viruses Can someone help me with the following questions: 1- A virus obviously is a program that is CPU bound, io bound, ..etc. i.e. it occupies system's resources. Some could probably delete all files on a system? right? 2- How does it transfer across networks. How does it know a phone number (modem #) of a remote node. 3- How does it get tracked down. By program name? if so, then what if this virus changes its name? are we in trouble? 4- When it makes it to disk, how does it tell the Kernel that it wants to run the system. It it something like a daemon tht sleeps and wakes up? Thanks in advance jle - -- ----------------------------------------------------------------------------- The above is my own posting and has nothing to do with the opinion of Locus Computing Corporation. ------------------------------ Date: Fri, 20 Dec 91 16:46:37 -0500 From: Arthur Gutowski Subject: Virus capable of infecting Mainframes and PCs >Date: Wed, 18 Dec 91 16:44:47 -0500 >From: cci632!sjfc!od9425@ccicpg.irv.icl.com (Ogden Dumas) > Question for all: Is there a virus that can infect BOTH PCs and >Mainframes? The place where I am working is networking and I am trying >to find out what possible threats can arise from this. Not yet. And I don't think there could be. Not with the major differences between program execution, and for that matter, operation codes on these different platforms. For example, X'D20750006000' in MVS translates to MVC 0(8,R5),0(,R6) which moves 8 bytes from a location pointed to by register 6 into a location pointed to by R5. This hex string, even if it could be downloaded to a PC in its origional form without get translated by whatever protocol you happen to be using, is *probably* (I'm not a PC assembler guru) meaningless once it gets there. The effort expended in trying to get something on a mainframe downloaded to a PC and executed there would be wasted. Disclaimer: Then again, I may have no idea what I'm talking about. Arthur J. Gutowski MVS System Programmer and Virus Research Dabbler Wayne State University - ---------------------- "We come into the world and take our chances Fate is just the way of circumstances That's the way that Lady Luck dances... Roll the Bones..." -Neil Peart ------------------------------ Date: Fri, 20 Dec 91 09:37:07 -0600 From: James Ford Subject: New files on Risc (PC) The following files have been placed on risc.ua.edu (130.160.4.7) in the directory pub/ibm-antivirus: bootid.zip - Identify a diskette's boot sector type ("hashcode") checkout.zip - Display or check a diskette or Hashcode tbresc15.zip - Thunderbyte Anti-Virus Resque Boot Sector v1.5 tbscan30.zip - Thunderbyte Virus Scan v3.0, need VSyymmdd.ZIP vs911114.zip - Virus signatures for HTSCAN/TBSCAN date 911114. Apparently, Novell has sent out diskettes infected with Stoned 3. The origional text follows....... - ---------- User: "The mainframe is broke. I can't get to my account!!" Helpdesk: "What exactly does your computer screen show now?" User: "Wait a sec...hey, bring the candle over so I can read the screen." - ---------- James Ford - Consultant II, Seebeck Computer Center jford@ua1vm.ua.edu, jford@risc.ua.edu The University of Alabama in Tuscaloosa ------------------------------ Date: Fri, 20 Dec 91 23:37:55 +0000 From: trent@rock.concert.net (C. Glenn Jordan -- Microcom) Subject: VIRx v1.9 Is Released ! (PC) p1@arkham.wimsey.bc.ca (Rob Slade) writes: > ...VIRx 1.8 (by the way, Ross, where/when is 1.9?)... OK, ok, Rob Slade ! Here it is ! :-) VIRx version 1.9 ---------------- (Good things come to those who wait !) :-) Available on many FTP sites, Compuserve, FIDO-Net and the Virex Support BBS at (919) 419-1602 (V.32bis, MNP-10) >From the original $TOC file: Length Method Size Ratio Date Time CRC-32 Attr Name ------ ------ ----- ----- ---- ---- ------ ---- ---- 804 Implode 493 39% 12-17-91 00:00 2c496185 --w $TOC 7129 Implode 2626 64% 12-17-91 00:00 505730b1 --w VIREX.TXT 13184 Implode 5536 59% 12-17-91 00:00 f79005aa --w README.VRX 99242 Implode 57351 43% 12-17-91 00:00 9d38dd54 --w VIRX.EXE 13184 Implode 5135 62% 12-17-91 00:00 3065505b --w WHATSNEW.19 ------ ------ --- ------- 133543 71141 47% 5 What's New In VIRx Version 1.9 ============================== Date: 12/17/91 1. The licensing agreement for your usage of VIRx has been changed. Individual and educational users need not concern themselves with the change. For corporate and business users: VIRx may only be used within your institution for a 30 day evaluation period. If you wish to use VIRx after that period, please contact Microcom, Inc. at (919)-490-1277 for information on a site license. VIRx may not be bundled with other products without a written agreement: contact Microcom for details. 2. VIRx 1.9 now detects 85 newly discovered viruses, bringing the total count to 649, plus innumerable variants. 3. There is a known problem with occasional V2P6 false positives. If you encounter a file that VIRx indicates contains the V2P6 virus, please leave a message on Microcom's BBS at the number listed below with details immediately. If possible, please upload a copy of the file that is generating the V2P6 alert. 4. Our BBS is thriving and awaits your visit! It runs at up to V.32BIS speeds. Please upload suspect files to the BBS, where we'll examine them and let you know whether the file contains a virus. The latest copy of VIRx is always available on the BBS, and we welcome your suggestions and comments regarding our products. You can reach the BBS at (919)-419-1602 5. Finally, we are documenting our external signature file. This allows new viruses to be detected without having to wait for a new release of VIRx. You should be careful: if you use the external signature file and add a virus signature that we are already using within our internal virus signature database, VIRx will inform you that it has found a virus in Downloaded From P-80 International Information Systems 304-744-2253