From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #4
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------

VIRUS-L Digest   Wednesday, 8 Jan 1992    Volume 5 : Issue 4

Today's Topics:

Norton Anti Virus (PC)
Stoned virus questions (PC)
Re: Michelangelo virus on Zyxel disk (PC)
New Virus (Ultimate Weapon)? (PC)
Joshi Virus and IDE Hard Drives (PC)
Looking for info on "Friday the 13th" virus (PC)
Avoid false alarms/ don't run SCAN when VWATCH is active (PC)
(forwarded) Is it a virus or is it memorex (Mac)
RE: Theoretical Literature on Viruses
Re: Geraldo Show: Claims Viruses can blow up Monitors
Virus Research
re: theoretical literature on viruses?
New data integrity anti-virus product (PC)
WSCANV85.ZIP (PC)
Write protection - hardware

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 07 Jan 92 15:31:55 +0700
From: Cezar Cichocki
Subject: Norton Anti Virus (PC)

Hi folks,

I use Peter Norton's programs and I am very interested in his antiviral
program. Somebody told me that there is a shareware version of NAV
(about 1.5 or something like this). Is this true? And if it's true,
where can I get this program?

Cezar Cichocki

p.s. Best New Year's wishes to all folks on this list!

------------------------------

Date: Tue, 07 Jan 92 14:15:31 +0000
From: keshava@is.Morgan.COM (Sanjay Keshava)
Subject: Stoned virus questions (PC)

One secretary's PC has been infected with the STONED virus. What
effect does this virus have on the PC? How is it propagated? Where
does it reside?

We used McAfee's SCAN and CLEAN programs to neutralize it, but it
still recurs at unpredictable intervals. (We may have some floppies
that are infected and un-neutralized, so that could be the problem.)

Please reply via email. Thanks.

--
Later...
Sanjay

Greetings to alumni: Anteater ('84), Trojan ('87), Longhorn ('91)
->|<-
keshava@is.morgan.com   ...uunet!is.morgan.com!keshava
Morgan Stanley & Co., Inc., Equities Analytical Research, NYC

------------------------------

Date: Tue, 07 Jan 92 18:22:20 +0200
From: Tapio Keihänen
Subject: Re: Michelangelo virus on Zyxel disk (PC)

>I've just become the proud owner of a Zyxel U-1924E modem (hurray!),
>but found the Michelangelo virus on the disk I got with it (boo!).
>The disk was not write-protected and the envelope it came in was open,
>so I can't say for sure whether it was Zyxel or the distributor.

It could have been Zyxel, because I've got reports of infected Zyxel
disks from Germany, USA and Finland.

Tapio Keihänen - tapio@nic.funet.fi

------------------------------

Date: Tue, 07 Jan 92 15:52:17 +0100
From: overdijk@ECN.NL
Subject: New Virus (Ultimate Weapon)? (PC)

Dear readers,

I've got a friend with a possible virus on his disks... SCANV85
doesn't detect this beast. He has a HISCREEN 386sx machine. I haven't
seen the problem myself, but after discussion I understood the
following:

Symptoms:

- It appears that the 'virus' is activated after January 1st, 1992
- After boot, a message is displayed:

  +-------------------------------------------+
  ! The Ultimate Weapon has arrived,          !
  ! please contact the nearest police station !
  ! to tell about the illegal copying of you  !
  +-------------------------------------------+

  (Yes, I had a 'printscreen' of the message)
  (No, I don't know if he has an illegal copy of a program ;-))

- System hangs.
- After boot from floppy in A: he found ALL his files and directories
  in the root and next directory-level renamed to CRIMINAL.001,
  CRIMINAL.002, CRIMINAL.003 ..... etc.

After a format of the HD the virus was gone (of course). My friend
believes he still has the virus on one of his floppies, but doesn't
know on which one. He is going to try to reproduce the problem to find
out which floppy is guilty.

Listening to his story, it appears to me that it might be a
boot-sector virus... I couldn't find any hint in Patricia Hoffman's
VSUM list...

Has anyone heard/seen this virus before?

Greetings,

Harrie Overdijk
Internet : overdijk@ecn.nl          ECN - Petten
BITNET   : Not any more             The Netherlands
Noisenet : ++31-2246-4597           Europe
Fidonet  : 2:500/43.1902 (At home!)

------------------------------

Date: Tue, 07 Jan 92 21:18:33 +0000
From: arg@netcom.netcom.com (Greg Argendelli)
Subject: Joshi Virus and IDE Hard Drives (PC)

How are people removing the Joshi virus from IDE hard drives? Based
on what I have read in Patricia's VSUM program, the only way to
remove the virus is via a low-level format. Since we can't do such a
format on an IDE, do we wind up trashing the drive? Inquiring minds
need to know. McAfee's scan/clean find it, and claim to clean it, but
don't....

-arg (arg@arghouse.uucp)
--
"By this time my lungs were aching for air..." | The Listening Post BBS
MST3K                                          | arg@arghouse.uucp

------------------------------

Date: Tue, 07 Jan 92 21:34:39 +0000
From: forbes@cbnewsf.cb.att.com (scott.forbes)
Subject: Looking for info on "Friday the 13th" virus (PC)

I'm a Macintosh owner and UNIX programmer with little experience
dealing in MS-DOS viruses, but I seem to remember hearing about a
virus which attacked hard drives on Friday the 13th.

I also have a PC which recently lost its hard drive, at approximately
the stroke of midnight on Friday, December 13. :-)

I don't think this is a coincidence, and would like to find out more
about the virus in question to prevent a recurrence. The hard disk
received a low-level format, but I still don't know the source of
infection and could re-infect the machine at any time.

E-mail pointers would be greatly appreciated.

====  =---====   Scott Forbes              AT&T Network Wireless Systems
=-----====       forbes@toolserv.att.com
==---=====
========         UNIX is a trademark of UNIX System Laboratories.
====             AT&T is a modem test command.

------------------------------

Date: Tue, 07 Jan 92 15:39:00 -0600
From: Ken De Cruyenaere 204-474-8340
Subject: Avoid false alarms/ don't run SCAN when VWATCH is active (PC)

I thought I would post this to help someone else avoid the virus
"scare" I had over Christmas.

When I tried to scan (McAfee V85) a diskette I had just received in
the mail from Australia, Scan told me I had three viruses (BRAIN,
LOZINSKY, INVADER) active in memory and to power down immediately and
reboot from a clean floppy.

To make a long story (Scan kept finding them but Clean and other
antivirals did not) short, I eventually phoned the McAfee number and
spoke to Aryeh Goretsky. He immediately diagnosed my problem: I had
(Central Point's) VWATCH running (on my IBM PS/1). It seems VWATCH's
search strings are not encrypted and SCAN finds things it thinks are
viruses.

When I subsequently tried the same thing on my PC at work (UNISYS
model 300), SCAN only "found" the BRAIN virus, so I guess different
platforms get different false alarms...

Ken
---------------------------------------------------------------------
Ken De Cruyenaere - Computer Services
University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2
Bitnet: KDC@CCM.UManitoba.CA   Voice:(204)474-8340   FAX:(204)275-5420

------------------------------

Date: Wed, 08 Jan 92 08:06:37 -0500
From: Tom Coradeschi
Subject: (forwarded) Is it a virus or is it memorex (Mac)

Forwarded from Info-Mac Digest.

tom coradeschi <+> tcora@pica.army.mil

----- Forwarded message # 1:

Date: 7 Jan 92 14:06:38 EDT
From: "Eric Rick"
Subject: Is it a virus or is it memorex

A challenge for all ye guru types and Apple virologists. The following
disturbing message has started showing up on my mac lately:

 _____________________________________________________________________
|  _ *                                                                |
| ____/                                                               |
| /   \                                                               |
| |   |                                                               |
| \__/                                                                |
|    So sad, too bad, I just run pro                                  |
|                                                                     |
|    ID = 2                                                           |
|_____________________________________________________________________|

...it then locks up which kills anything you were doing, must reboot.
The ID number may be different but the message is exact. The thing in
the left corner that looks like an acorn is the typical Apple bomb.
It seems to happen mostly in Microsoft Excel, but has happened in
ZBASIC also.

Equipment: 512KE, YAH that's right 512KE, with a MacRescue board with
2megs, one external diskette drive, System 6.0.4 or 5, Imagewriter,
mouse, and a confused/angry user.

By the way, I have tried Disinfectant (I think version 1.5) on it and
it finds nothing.

Thanks for your help in advance.

ER
Eric Rick
Univ of Florida Coll of Vet Med
efr@vetmed1.vetmed.ufl.edu

------------------------------

Date: Tue, 07 Jan 92 19:10:00 -0500
From:
Subject: RE: Theoretical Literature on Viruses

George:

The most likely place to start would be Fred Cohen's doctoral thesis
on the topic. One caveat, however: the price. I had wanted to do some
research on the topic, and had contacted Dr. Cohen as a student. I
asked where I might be able to get a copy of his thesis (or other
writings on the topic), and was told that he had not permitted the
issuing institution to keep a copy of it, nor had he registered it
with the media services center in Ann Arbor. He had copyrighted it
and told me that the only way I could take a look at it (for research
as a student, remember) was to buy it from him for some absurd price.

I've since gotten a copy, and it does contain some interesting
information...if you're at all interested in the theory. There have
been several experts who have argued against some of Cohen's
conclusions, and many of them appear to be correct. It is, however, a
good introduction to the theory.

Hope this helps...If I ever get around to doing my own research, I'll
pass it along to everyone...for free!

Charles

*****************************************************************************
Rutstein@HWS.BITNET
*****************************************************************************

------------------------------

Date: Wed, 08 Jan 92 00:49:27 +0000
From: rslade@cue.bc.ca (Rob Slade)
Subject: Re: Geraldo Show: Claims Viruses can blow up Monitors

gerry@dialogic.com (Gerry Lachac) writes:

>featured viruses. One so-called expert who has testified before
>Congress and has some book out claimed that there are viruses out now
>that can blow up monitors.
>
>Anyone know what the name of this one is? :-)

I believe that would be the "No-that's-not-a-monitor-that's-a-TV-stupid"
virus. Extremely infective. Transmits from TV to brain causing instant
mush.

Well, sorry for the flamelike response (certainly not directed at
Gerry :-), but I post my columns on Fidonet as well, and you should
see the nonsense I'm getting back from the recent one on hardware
damage ...

=============
Vancouver      p1@arkham.wimsey.bc.ca   |
Institute for  Robert_Slade@sfu.ca      | The user interface
Research into  rslade@cue.bc.ca         | is the boundary of
User           CyberStore Dpac 85301030 | trustworthiness.
Security       Canada V7K 2G6           |

------------------------------

Date: Tue, 07 Jan 92 15:07:22
From: <2wsa115@gc.bitnet>
Subject: Virus Research

Well I've decided that viruses will be the topic for my English 102
course, so I need to get some questions answered. First of all, are
there any positive needs for viruses and are any of the major software
developers researching and creating new viruses. If anyone knows of
books that would provide good research material let me know please.

Thanx
Jeff Harris

------------------------------

Date: 07 Jan 92 17:11:55 -0500
From: "David.M.Chess"
Subject: re: theoretical literature on viruses?

> From: ctika01@mailserv.zdv.uni-tuebingen.de (George Kampis)
>
> Is there any work out there on a *theoretical* treatment of
> computer viruses?

I'd recommend (to everyone) the book "Rogue Programs", edited by Lance
Hoffman*. It's a collection of papers by various reasonably legitimate
folks (well, including me), and includes a section on theory that has
the two basic Fred Cohen papers, which will address at least some of
what you want.

> I suspect the latter will lead to halting-problem-like questions -
> would be interested to see if anybody did work on that (pls don't mix

Yep, Fred Cohen proves that perfect detection (given a program, is it
a virus?) is about equivalent to the halting problem. Of course, this
doesn't say anything about 99.99% detection, or perfect detection on
any program smaller than 64 megabytes, or... *8)

> (pls don't mix it with self-reproducing automata a la von Neumann
> etc)

Why not? I would think that some of von N's results might be directly
relevant to computer virus theory?

DC

* ISBN 0-442-00454-0, Van Nostrand Reinhold, 1990

------------------------------

Date: 06 Jan 92 23:54:15 -0500
From: Wolfgang Stiller <72571.3352@CompuServe.COM>
Subject: New data integrity anti-virus product (PC)

I've just confirmed that Integrity Master(tm), my new data integrity
and anti-virus product, is available on SIMTEL20 (I-M102B.ZIP).

Integrity Master(tm) is an easy to use, data integrity, change
management, security, and anti-virus program. It is a descendant of
PC Magazine's PCdata integrity toolkit which is still available as
free software. Unlike my PCdata toolkit, Integrity Master is shareware
($35 US).

Integrity Master detects known viruses specifically using scanning
techniques and generically by identifying specific changes. Cluster
(Dir-2) and companion type viruses are specifically recognized.
Integrity Master is a high performance assembly language program,
providing function and performance far beyond any other data
integrity software, yet is easy enough for novice users.

Some distinguishing features:

1) Integrity Master recognizes known viruses by name and will describe
   their characteristics and then guide you through their removal.

2) It can detect not only existing viruses, but will detect as yet
   unknown viruses, by virtue of its ability to detect changes to any
   file or system sector.

3) Integrity Master will detect any form of file or program
   corruption, not just that caused by viruses. This makes Integrity
   Master a useful tool to provide PC security, change management and
   hardware error detection.

4) Integrity Master understands which files and areas on your disk are
   special and provides specific diagnosis and recovery if these areas
   have changed.

5) Integrity Master can reload system sectors, even on disks which are
   so badly damaged that DOS can no longer recognize them.

Integrity Master is also available through any ASP BBS, SDN BBS and on
CompuServe IBMSYS lib 3 file I-M102.EXE.

Wolfgang Stiller (Author of Integrity Master(tm) and PCdata)

------------------------------

Date: Tue, 07 Jan 92 08:21:00 -0500
From: HAYES@urvax.urich.edu
Subject: WSCANV85.ZIP (PC)

The new version of McAfee Associates SCAN for Windows is now available
for FTP processing from our site as WSCANV85.ZIP. The file was fetched
from McAfee's BBS.

Site:      University of Richmond
Address:   urvax.urich.edu, IP# 141.166.1.6
Directory: [.msdos.antivirus]
Filename:  WSCANV85.ZIP
User:      anonymous
Password:  your_email_address

Regards, Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA 23173

------------------------------

Date: Mon, 06 Jan 92 12:38:30 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Write protection - hardware

DEFMTH4.CVP   920105

                      Write protection - hardware

Generally, in the microcomputer world, write protection is held to
mean write protection implemented by hardware. Although it is a truism
that "whatever the hardware people can do, the software people can
emulate, and whatever the software people can do the hardware people
can emulate", it is physically impossible to overcome a "sufficient"
hardware protection with software. Note, however, that not all
hardware protection devices are as safe as they may seem at first
glance.

First, the universal write protect "tab" on floppy disks. It *is*
possible to write to *some* write protected drives. Certain systems
(MS-DOS is not one) check for write protection in software rather than
hardware. Thus, even though the write protect device is hardware, the
software checking can be circumvented by a virus. (In systems where
the write protection *is* effective, it is still the case that the
notification of an attempt to write to the drive is done through
software, and so the warning that something may be going on may be
trapped by the virus.)

However, even on some MS-DOS systems, write protection may not be
reliable. Some manufacturers use an optical, rather than mechanical,
sensor for the write protect tab or notch. Using "translucent" floppy
disks, the "silvered" write protect tabs or even the shiny black ones
on 5 1/4" diskettes, may allow sufficient light to get through to the
sensor as to leave the disk unprotected.

It is interesting to note that, because of the two different protect
tab designs, the hardware write protection circuits for 5 1/4"
diskettes generally "fail safe" in a write disabled configuration,
whereas 3 1/2" diskette drives "fail" into a writable configuration.
(A pity. I prefer the ability to protect and enable repeatedly without
building up gobs of tape adhesive around the notch. And when I did
protect 5 1/4s, I used to use "magic" tape as it was easier to remove.
These days I'm using "Post-it" notes ...)

As in the past, so again I will deplore the failure of drive
manufacturers to provide write protect switches on "fixed media" hard
drives. Tape and cartridge media do have tabs or switches. Those
knowledgeable about hardware and drive cabling can "retrofit"
switches, but recent tests at various sites with hardware write
protect switches have indicated problems with certain types of drives.
No one procedure has been proposed that works for all types of
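For David Chess's remark that Cohen proves perfect detection is about equivalent to the halting problem, here is the standard diagonal argument in the form it is usually presented. This is an added sketch, not text from the post or a quotation of Cohen; the names $D$, $V$ and $P'$ are this sketch's own.

Suppose a total decision procedure $D$ existed:

$$
D(p) = \begin{cases} 1 & \text{if program } p \text{ ever infects another program} \\ 0 & \text{otherwise.} \end{cases}
$$

Build a program $V$ that consults $D$ on its own code (the recursion theorem guarantees such a self-referential program exists for any computable $D$):

$$
V(x) = \begin{cases} \text{halt, infecting nothing} & \text{if } D(V) = 1 \\ \text{infect } x \text{ and halt} & \text{if } D(V) = 0. \end{cases}
$$

If $D(V) = 1$, then $V$ infects nothing, so $D$ was wrong; if $D(V) = 0$, then $V$ infects $x$, so $D$ was wrong again. No such $D$ exists. For the other direction, given any program $P$ and input $y$, define $P'_{P,y}(x)$ as "run $P(y)$; if it halts, infect $x$". Then $D(P'_{P,y}) = 1$ exactly when $P(y)$ halts, so a perfect detector would decide the halting problem. As Chess notes, none of this limits detection of any particular finite family of viruses, which is the case practical scanners work in.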
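Ken De Cruyenaere's VWATCH/SCAN report above comes down to one design point: a resident monitor that keeps its search strings in plain form in memory will itself match a second scanner's memory check, so signature tables are normally stored encoded. The following toy is an added example, not code from McAfee SCAN or Central Point VWATCH; the signatures are constructed placeholder byte strings (no real virus strings), and the XOR encoding is an assumed stand-in for whatever a real product uses.

```python
"""Why a resident monitor's signature table should not sit in memory in the
clear: a second scanner that sweeps memory will find the strings and report
the viruses they belong to. Added example with constructed signatures."""

# Constructed placeholder signatures for a toy scanner (not real virus strings).
SIGNATURES = {
    "TOY-BRAIN":    b"\x1a\xe8\x10\x00BR41N",
    "TOY-LOZINSKY": b"L0ZY\x90\x90\xcd\x13",
    "TOY-INVADER":  b"INV\xcd\x21\xb4\x4c",
}

XOR_KEY = 0x5A  # assumed obfuscation key for the resident monitor's table


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Symmetric XOR encoding; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def scan_memory(image: bytes, signatures=SIGNATURES) -> list:
    """The 'SCAN' side: report every signature whose raw bytes occur in the
    memory image. Sorted so the result is deterministic."""
    return sorted(name for name, sig in signatures.items() if sig in image)


def build_resident_image(signatures=SIGNATURES, obfuscate: bool = False) -> bytes:
    """Model a VWATCH-like monitor loaded in memory: some constructed filler
    code bytes followed by its own signature table, stored raw or XOR-encoded."""
    code = b"\xfa\x0e\x1f\xbb\x00\x01" * 8  # constructed filler 'code'
    table = b"".join(signatures.values())
    if obfuscate:
        table = xor_bytes(table)
    return code + table


def resident_lookup(encoded_table: bytes, candidate: bytes) -> bool:
    """The monitor decodes its table only at the moment of comparison, so
    encoding costs it nothing while keeping the plain strings out of memory
    at rest."""
    return candidate in xor_bytes(encoded_table)


if __name__ == "__main__":
    # A memory sweep over the unencoded monitor raises a three-virus alarm.
    print("raw table     ->", scan_memory(build_resident_image(obfuscate=False)))
    # With the table encoded, the same sweep finds nothing.
    print("encoded table ->", scan_memory(build_resident_image(obfuscate=True)))
```

The second platform in Ken's report "found" only BRAIN; in this toy that would correspond to a table where only one string happened to be stored unencoded or fell on a page the scanner swept, which is why the same monitor can produce different false alarms on different machines.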
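The generic, change-based detection described in the Integrity Master announcement (points 2 to 4: record every file and system sector, flag anything that later differs, and diagnose system areas separately) can be illustrated with a small baseline-and-compare checker. This is an added example, not Integrity Master or PCdata code: the disk contents, sector labels and file names are constructed, SHA-256 stands in for whatever digest the product uses, and the `classify` rules are an assumption about how a diagnosis might be phrased.

```python
"""Baseline-and-compare integrity checking: digest every object once, then
report added, removed and changed objects. Added example; the 'disk' below
is constructed, and SHA-256 is an assumed choice of digest."""
import hashlib
import os


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(objects: dict) -> dict:
    """objects maps a name (file path or 'sector:' label) to its raw bytes.
    Length is kept beside the digest so a report can show size changes."""
    return {name: (len(data), digest(data)) for name, data in objects.items()}


def snapshot_directory(root: str, sectors: dict = None) -> dict:
    """Baseline a real directory tree plus optional sector images read by
    the caller (e.g. {'sector:MBR': bytes}); relative paths keep the
    baseline portable."""
    objects = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                objects[os.path.relpath(path, root)] = fh.read()
    objects.update(sectors or {})
    return snapshot(objects)


def compare(baseline: dict, current: dict) -> dict:
    """Three-way difference between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in baseline.keys() & current.keys()
                     if baseline[n] != current[n])
    return {"added": added, "removed": removed, "changed": changed}


def classify(name: str) -> str:
    """Assumed diagnosis rules: system areas and executables get a specific
    message, everything else is reported as a data change."""
    if name.startswith("sector:"):
        return "system sector changed (boot-sector virus or disk damage)"
    if name.lower().endswith((".exe", ".com", ".sys")):
        return "executable changed (file infector or corruption)"
    return "data file changed"


def demo() -> dict:
    # Constructed disk: a boot sector image plus a few files.
    disk = {
        "sector:MBR":   b"\xfa\x33\xc0\x8e\xd0" + b"\x00" * 16 + b"\x55\xaa",
        "COMMAND.COM":  b"MZ" + b"\x90" * 32,
        "WP.EXE":       b"MZ" + b"\x00" * 48,
        "AUTOEXEC.BAT": b"@ECHO OFF\r\nPROMPT $P$G\r\n",
        "REPORT.TXT":   b"quarterly numbers\r\n",
    }
    baseline = snapshot(disk)

    # Constructed 'later' state: COMMAND.COM grew, the MBR's first bytes
    # changed, a WP.COM appeared beside WP.EXE (the companion pattern the
    # post mentions), and a text file was deleted.
    later = dict(disk)
    later["COMMAND.COM"] += b"\xcc" * 16
    later["sector:MBR"] = b"\xeb\x1c" + later["sector:MBR"][2:]
    later["WP.COM"] = b"\xcc" * 8
    del later["REPORT.TXT"]

    report = compare(baseline, snapshot(later))
    report["diagnosis"] = {n: classify(n) for n in report["changed"]}
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The companion case shows why an "added" list matters as much as "changed": a companion infector leaves the original executable untouched, so a checker that only re-hashes known files would never see it.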