From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #5 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Monday, 13 Jan 1992 Volume 5 : Issue 5 Today's Topics: Virus Update disk for Central Point Antivirus (PC) Re: Question re Stoned (PC) What Does Michael Angelo Do? (PC) NCSA has tested Antivirus Programs (PC) Antitelifonica (A-VIR) (PC) Re: Question re Stoned (PC) re: Joshi Virus and IDE Hard Drives (PC) Worldwide Software products Vaccine and Vacnet (PC) Error on WSCANV85B (PC) Resource Forks (Mac) Re: Macs Running Soft PC (Mac) (PC) a trojan horse - literally! Trojan definition? Special case Military Viruses new programs available (PC) More myths VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 08 Jan 92 13:31:16 +0000 From: dale@garfield.cs.mun.ca (Dale Fraser) Subject: Virus Update disk for Central Point Antivirus (PC) Does anyone know of an ftp site that carries the virus update file that comes out quarterly from Central Point? I just got my first Virus Update Bulletin and I can't afford to download this file through their BBS or pay to get the Update Disk (another poor university student!!) and I don't really want to type in all the hex codes. Any help will be greatly appreciated! Dale |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-| | "Why sex is so popular | Dale Fraser dale@garfield.cs.mun.ca | | Is easy to see: | Memorial University of Newfoundland | | It contains no sodium | CS Undergrad - Class of '92 | | And it's cholesterol free!" |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-| | Shelby Friedman | THIS SPACE FOR RENT-REASONABLE RATES! | |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-| | *OPINIONS EXPRESSED ABOVE DO NOT BELONG TO ME OR THIS INSTITUTION!* | |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-| ------------------------------ Date: 08 Jan 92 09:15:00 -0600 From: "William Walker C60223 x4570" Subject: Re: Question re Stoned (PC) From: HAYES@urvax.urich.edu (Claude Bersano-Hayes): > I myself came with no good reason why the system [detailed below] ... > does not get infected. Any guru out there with some explanation(s)? > - ----- begin forwarded messages -- > ... A: & B: drives are 360K and 1.2M (respectively); C: is > 1.44M. D: is the hard drive. If ever a PC would be succeptable to > "Stoned" it would be this one, considering the amount and nature of > its use--or so it would seem! Periodic checks for the virus on the > hard drive have always been negative over four months of heavy use. > (Like I say--I know "Stoned" is still around here.) Is there > something about the four-disk controller setup (or the drive name > "D:") that creates an immunity to "Stoned"? Or have we been > incredibly lucky? > ... The hard drive is a 40 meg. (brand or type > unknown--I'm not that familiar with the types), and as I said, it was > designated D: as per the requirements of the JDR ... > Microdevices 4-floppy controller card I used. I wrote a snazzy > menu-driven batch program (with BATMAN and ANSWER enhancements) > walking users through any of the 4 floppy formats and permitting > copying of files ("All" or selected) between any two of the floppy > drives. The "selected" copying option would list the directory of the > source floppy before copying (prime infection activity!) No virus > protection installed. (I'd check it periodically by running Clean-Up > on the D: drive.) IMHO, you've just been lucky, but not incredibly lucky. "Stoned" will only infect a hard drive if you boot from an infected floppy; however, since you operate the PC in question with a batch program, it is unlikely that you ever have the need (or take the opportunity) to boot from a floppy. Your hard disk's having the drive letter D: has nothing to do with the "Stoned" virus' ability to infect it. Drive letters are assigned by DOS, but "Stoned" operates at a much lower level than DOS -- through the disk interrupt, INT 13H. At this level, all disks are specified by a sequential number, according to drive type. Floppy drive numbers start at 00H and hard drive numbers start at 80H (numbers are hexadecimal). For a system with one floppy and one hard disk, Drive A: is 00H and drive C: is 80H. For your system, Drive A: is 00H, Drive B: is 01H, Drive C: is 02H, and Drive D: is 80H. As you can see, the number of the first hard drive, regardless of letter, is always 80H to INT 13H, and therefore to "Stoned," which infects drive 80H via INT 13H. You may want to consider installing VSHIELD or a comparable TSR anti- virus package, in spite of the speed (or lack thereof) of your machine. Or if speed really is a major concern, Padgett's NoFBoot will at least prevent you from warm-booting with a floppy in drive A: (the cause of hard disk "Stoned" infections). BTW, listing the directory of a floppy disk is NOT "prime infection activity," at least not in the sense of getting a virus FROM the floppy TO the hard disk. Now, if the machine was ALREADY infected, listing the directory of a floppy (or any other floppy access) WOULD be "prime infection activity" in the sense of getting a virus FROM the hard disk TO the floppy. With ANY virus (not just "Stoned"), the viral code must be EXECUTED to infect a clean system, not just viewed. Hope this is of some help. (P.S. - "You" above refers to the original author, not Claude) Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | "Some days you just can't get Arnold Engineering Development Center | rid of a bomb!" M.S. 120 | -- Adam West, "Batman" Arnold Air Force Base, TN 37389-9998 | ------------------------------ Date: 08 Jan 92 11:31:00 -0400 From: "21478, SCHILLIG,JR., LAWRENCE K" Subject: What Does Michael Angelo Do? (PC) In the Cleveland Ohio area the virus Michael Angelo Has popped up But has not seemed to do any damage to the systems that it has been found on. It was detected by a virus checking program. Does anyone know what this virus can do to a IBM system? Larry Schillig ------------------------------ Date: 08 Jan 92 17:26:35 +0100 From: "Otto.Stolz" Subject: NCSA has tested Antivirus Programs (PC) Dear virus buster, below, I'll give my translation of an article that appeared in the German periodical "Personal Computer", page 134, number 1 (January 1992). I hope this does not re-hash an old topic. I know, I'm reporting from hearsay (or is it "from readwrite"? :-) Has anybody read the article in Network World, or the original report from the NCSA, and can (and is willing to) tell us more details? Best wishes, Otto Stolz - -------- From "Personal Computer", p 134, no 1 (1992): ... Scanner Test ... The American National Computer Security Association (NCSA) has tested 11 anti-virus programs. The report has been issued on 21 Oct 1991, and it has been published e.g by the periodical "Network World". The scoring table reads thus: Product | Producer | Score ------------------------------+-----------------------+------ F-Prot V. 2.0 | F. Skulason | 129 Virus Buster V. 3.75 | Leprechaun | 116 Solomon's Toolkit V. 5.15 | S&S International | 103 | | Virex-PC V. 2.00 b | Microcom | 103 Scan V80 | McAfee | 102 Antivirus | Central Point | 99 | | Virusafe V. 4.50 | XTREE | 99 Anti-Virus V. 1.5 | Symantec | 98 Pro-Scan V. 2.32 | McAfee | 90 | | Virus Clean V. 2.10 | Comp. Cons. | 66 Antivirus Plus V. 3.7 | IRIS | 64 ------------------------------+-----------------------+------ It goes without saying that all those scores are subject to the usual proviso. Irrespectively of this proviso, note that this list comprises two European products (F-Prot from Iceland, and Dr. Solomon's Toolkit from england) ranking among the best ones. Most apparently, high-quality European products in this domain will be recognized internationally. The complete test report can be obtained from NCSA. ------------------------------ Date: Wed, 08 Jan 92 17:16:31 +0000 From: ahubbell@orlith.bates.edu (Arlyn Hubbell) Subject: Antitelifonica (A-VIR) (PC) We here at Bates College have just come across our first occurrence of Antitelifonica. According to McAffee's SCAN85 documentation it can only be cleaned using a program called M-DISK. Has anyone out there had any experience with this particular virus? If so, can you please tell me what you know about it? Thank you much in advance. Arlyn J. Hubbell Applications Programmer Bates College Ahubbell@Bat.Bates.Edu ------------------------------ Date: Wed, 08 Jan 92 09:36:44 -0700 From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) Subject: Re: Question re Stoned (PC) HAYES@urvax.urich.edu writes: >As a co-sysop of the virus discussion board I received the following >message. I thought it was interesting enough, and asked more details >which will show in the second forwarded message (in fact, long >excerpts of both messages). > >I myself came with no good reason why the system (details in msg #2) >does not get infected. Any guru out there with some explanation(s)? > (etc...) For stoned to infect a hard disk, the computer must be booted from an infected diskette. It may be that in its current setup no student ever reboots the computer from any diskette, because the computer has only one function -- disk copying -- and is always already on and ready to go. Many of the diskettes being copied may be infected, but because the copy station isn't started from these infected diskettes, the virus doesn't get onto the station. Nor is it transferred between the diskettes during the file copying process. Stoned is a problem in multi-use computer labs, where students reboot the computers from diskettes, either because they are using copy-protected games that must be booted from the diskette, or because they don't know any better -- don't know how else to get to the task they want to run. I'm afraid I'm not a guru, and for all I know there may be something about stoned's INT 13 hard disk reads and writes being set with DL=80h rather than 81h, but I don't think so. (Padgett?) I would suspect the above explanation in the case of a dedicated, one-use computer like you describe. The test is to intentionally boot the computer from an infected floppy, then see if Stoned is on the hard drive. This test is only to be done if you know what you are doing, of course! Tim. ------------------------------------------------------------- Tim Martin * Soil Science * These opinions are my own: University of Alberta * My employer has none! martin@cs.ualberta.ca * ------------------------------------------------------------- ------------------------------ Date: 08 Jan 92 16:11:00 -0500 From: "David.M.Chess" Subject: re: Joshi Virus and IDE Hard Drives (PC) > From: arg@netcom.netcom.com (Greg Argendelli) > How are people removing the Joshi virus from IDE hard drives? Based > on what I have read in Patricia's VSUM program, the only way to reomve > the virus is via a low-level format. If VSUM says that, it's wrong. All you have to do is fix the master boot record; the undocumented /MBR option to DOS 5's FDISK command can do that (with the caveats noted in the last VIRUS-L), or your local guru can do it with DEBUG, or you can use any of various commercially-available utilities that I'm sure are out there! *8) DC ------------------------------ Date: Wed, 08 Jan 92 16:41:18 -0500 From: Thomas DiBlasi Subject: Worldwide Software products Vaccine and Vacnet (PC) Hi, We had a salesman in today espousing the virtues of the above viral detection and extraction (he called it that) products. Is anyone out there familiar with them? I've yet to find an evaluation on them anywhere including my back issues of Virus-L. Any information would be appreciated. Thanks, Tom ------------------------------ Date: Thu, 09 Jan 92 10:20:34 +0000 From: News System Uni-Oldenburg.DE Subject: Error on WSCANV85B (PC) After scanning my harddisks with Scan for Windows the switches "scanning all files", "scanning overlay extionsions" were _both_ ON and I couldn't turn them off. Can anyone help me? - -- ********************************************************** * T h o r s t e n K o c h * * * * University of Oldenburg, Germany * * * * E-Mail: Thorsten.Koch@arbi.informatik.uni-oldenburg.de * ********************************************************** ------------------------------ Date: Wed, 08 Jan 92 17:33:50 +0000 From: cmontoya%carina.unm.edu@lynx.unm.edu (Red Dragon) Subject: Resource Forks (Mac) Problem: Our file server and three mac machines have had errors during virus scanning using Disinfectant saying that a resource fork for Mathematica is damaged or missing. The Quark we use gives us this message also. Can someone help please? I think our anti-virus person is on leave. /cm cmontoya@carina ------------------------------ Date: Wed, 08 Jan 92 10:56:40 +0000 From: gatech!chinet.chi.il.us!magik@harvard.harvard.edu (Ben Liberman) Subject: Re: Macs Running Soft PC (Mac) (PC) lev@amarna.gsfc.nasa.gov (Brian S. Lev) writes: >fprice@itsmail1.hamilton.edu (Frank Price) writes... >>SoftPC does such a good job of emulating an MS-DOS machine that many >>(most? virtually all?) viruses WILL infect it. SoftPC uses a (big) >>data file for the contents of the simulated PC's hard drive. I believe >>Mac antiviral programs consider this to be a data file and do not >>check it. Even if they did, they would not know how to recognize >>MS-DOS viral code. > >Ummm... I'm not 100% positive, but I seem to remember the more recent >versions of the Mac's "Big 4" (Disinfectant, Virex, SAM, SUM) all _do_ >look at data files if you tell 'em to scan your disk... While Mac antivir. pgms. may scan your SoftPC hard disk file, they are not designed to identify PC virii. You can install a PC antivir. program on your SoftPC drive (or keep it on a locked floppy). I have McAffe's SCAN and CLEAN installed on mine and they work fine. Just treat your SoftPC virtual hard drive the way you would treat any other PC drive. SoftPC also allows you to designate a Mac folder as your E: drive. There may be problems trying to scan this folder from SoftPC because it is not a real drive and doesn't have all of the normal structures (no boot blocks for example) ------------ ------ ---------------------- Ben Liberman USENET magik@chinet.chi.il.us ------------------------------ Date: Tue, 07 Jan 92 16:17:36 +0000 From: Anthony Appleyard Subject: a trojan horse - literally! (from UK newspaper "Daily Telegraph", Mon 6 Jan 1992) [Trojan horse workers trick factory guards] A trojan horse used by protesting wheat farmers during President Bush's visit to Australia was used by locked-out workers to slip back into a factory today. The 13-foot horse, which was made up of metal drums had been used by farmers outside Canberra's Parliament House on Thursday when the Americal President was in the capital. It bore the sign: "Not a New World Order, a New Wheat Order." The farmers were protesting at United States grain subsidied that Australians say undercut their crops in world markets. Yesterday the horse found a different use when it was driven on a trailer through the gates of the Bryant Group heavy transport firm which had been repossessed by the Commonwealth Bank because of a mortgage dispute. The guards left on the factory gate by the bank thought the horse was being returned to the plant after being used in the demonstration. Then about 20 workers spilled out of the horse and into the factory. The security guards left after they found that they were outnumbered by the workers. Police said that no charges would be laid. Bank officials were not available for comment. "It's business as usual," said Mr.Joe Bryant, managing director of the Bryant Group. "If we have to pay the bank, we have to generate income, and we do that by working" - AP {A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Tue, 07 Jan 92 16:04:36 GMT ------------------------------ Date: Tue, 07 Jan 92 11:10:33 +0100 From: Ralf Stephan Subject: Trojan definition? Special case Hi, I heard there was a collection for a FAQ list. Maybe this question belongs to it: What is the exact definition for "trojan"? I would like to present you a special case where I would say, this is one, and I'm very interested in your opinion. Some week ago, someone uploaded a program in a BBS where anonymous uploading is possible. The program description given had some attributes that were sufficient to make the program a widely downloaded one. Keywords were: "sex","porno" et cetera... To admit, the author did all not to say what the program really was for. What the program did: It asked the user to free 20MB of hard disk space (if not already free), created a file with that length fully filled with "6"es and stuffed it on the screen. This should apparently be a joke since in German the words for "sex" and for the number 6 are spoken the same way. So the program actually intended no damage, but some users with small hard disks had problems with Murphy's law when freeing the space (they deleted files, you know). The story still is not ended because the program writer later claimed it to be a "scientific experiment"... So, is this a trojan or not? Where is the border between "damaging" and "not damaging"? Is it sufficient for a program to be a trojan if it does not what it says or intends? BTW: I know that the users are to blame for not maintaining some security on their system, but that's not the point. Thanks for answers R Stephan - --hagbard@ark.abg.sub.org "The only civilized way of being a scientist is to engage in _the_process_ of doing science primarily for one's own _private_pleasure_." B B Mandelbrot ------------------------------ Date: Thu, 09 Jan 92 08:44:00 -0500 From: Nick Di Giovanni Subject: Military Viruses The January 1992 edition of the EDP Audit, Control, and Security (EDPACS) newsletter includes an overview of an article that appeared in the October 1991 Massachusettes Institute of Technology Review. The Review reported that Software and Electrical Engineering (SEE) was one of two organizations preparing reports for the Army Center for Signal Warfare on the deliberate use of computer viruses and worms to incapacitate computer networks. The center identified the desired effects of such a use as including data disruption, denial of use, and affecting the operation of processors and the management of data storage. SEE's contract was reportedly for $50,000; however, it stood to make as much as $500,000, according to this account, if it received a contract for the follow-up phase of the project, which involves devising particular viruses, demonstrating them, and devising possible defenses against their use. Nick Di Giovanni EDP Audit Manager Rutgers University ------------------------------ Date: Thu, 09 Jan 92 07:26:00 -0500 From: HAYES@urvax.urich.edu Subject: new programs available (PC) Hello. Now available for FTP processing from our site: FIXMBR21.ZIP Update of A. Pagett Peterson's FixMBR program. This new version is now shareware. Please note that it is impor- tant to read the documentation before reading. I-M102B.ZIP Comprehensive protection program. - ----- Site: urvax.urich.edu IP# 141.166.1.6 Directory: .msdos.antivirus User: anonymous Password; your_e-mail_address When logged on, the user will be in the anonymous directory. Type: cd msdos.antivirus to enter the "antivirus" (no quotes) subdirectory. - ----- All files must be fetched using the "binary" format (we do not support Tenex), with the exception of AAAAREAD.ME, an ASCII file. Case is NOT significant. Please download AAAAREAD.ME for short descriptions of the available programs. Regards, Claude - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: Mon, 06 Jan 92 12:40:46 -0800 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: More myths DEFMTH5.CVP 920105 More hardware myths I am indebted to Padgett Peterson for reminding me of some additional "hardware" viri which have occasionally been reported. 1) "Lethal Floppy Eject" aka "Toaster" virus I think this one belongs with the users who can't find "Any" keys, photocopy floppies and can't see whether the screen is on because the power is off. 2) "CMOS" virus 3) "BIOS" virus 4) "Battery" virus These three are all variations on a similar theme. These types of viri are reported regularly. First of all, BIOS is ROM BIOS. The RO in ROM stands for "read only". The BIOS, therefore, cannot be infected by a virus. At least, not yet. Intel has already developed flash EEPROMs which it is pushing as "upgradeable" ROMs for the BIOS. It *is* possible to get "bad" ROMs, and it is even possible that a run of BIOS ROMs would be programmed such that they constantly "release" a virus. It hasn't yet happened, though, and it is extremely unlikely, as well as being easy to trace. The CMOS is stored in RAM, and can be changed. However, the CMOS table is stored in a very small piece of memory. It is highly unlikely that a virus could fit into the "leftover" space, even though the theoretical limit of the "minimal" family is about 31 bytes. More importantly, in normal operation the contents of the CMOS are never "run", but are referred to as data by the operating system. We have had "joke" reports of electrical "metaviri" (eg. "they cluster around the negative terminal, so if you cut off the negative post you should be safe ...", "they transmit over the "third prong", but occasionally leak over onto the others ..."). However, there are also a number of reports that changing the battery in a computer damages the CMOS. This is probably because no matter how fast you change the battery, there is a loss of power during that time, and therefore the data is lost. Some computers do have a backup system that does give you about 10 minutes Downloaded From P-80 International Information Systems 304-744-2253