From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #12
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------

VIRUS-L Digest   Wednesday, 22 Jan 1992    Volume 5 : Issue 12

Today's Topics:

Low-level utilities (PC)
SBC? (PC)
Michelangelo questions (PC)
Loading Vshield High (PC)
PC Computing Magazine Virus Articles, Feb 92 (PC)
FLASH Virus (WAS: Re: More myths) (PC)
New virus found (PC)
WWIV4.20 doesn't like Vshield (PC)
Re: WARNING - Michelangelo Virus (PC)
An A/B floppy drive switch design (PC)
Virus Detection and Protection for Unix (UNIX)
Help Required re IBM RSCS malicious programs (IBM VM/SP)
Re: The modem virus myth
VS920109.ZIP on risc (PC)
new pgms from Padgett Peterson (PC)
RE: NCSA Has Tested Anti-Virus Programs (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 20 Jan 92 11:14:31 -0500
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Low-level utilities (PC)

OK, I find it hard to stay away.
Yesterday my son cleaned out & painted his room and it was raining so I had a chance to put together a final piece I had been meaning to for some time: FixFBR, the last part of my low level utilities.

FixFBR is designed to replace the Boot Record on floppy disks with non-bootable code that performs part of my integrity checking and displays a message if a boot from floppy is performed. An additional warning will be displayed if a typical Boot Sector Infector is present (the .DOC has more of an explanation).

The technique is fairly simple so I do not anticipate problems (right) and it has been tested but at this point it must be considered an ALPHA. Since I do not have a 2.88 floppy drive, at the moment it is limited to the big four floppies: 360k, 720k, 1.2Mb, & 1.44 Mb (did not see any need for including 160k or 320k 5 1/4s but would not be difficult).

Since the entire BR including the BPB is replaced, any viruses lurking there are defanged (incidentally FixFBR also performs a number of integrity checks on the original BR that will announce the presence of most BR viruses - not the name but that "something" is wrong. The BR is then - with permission - overwritten).

Also, with this release, the Shareware price of the "Fix" utilities is changed to $1.00 per supported PC/user (other options available - see the .Doc). This includes both FixMBR and FixFBR. The code used in SafeFBR and SafeMBR as well as NoFBoot and the CHK detection utilities remain copyrighted Freeware (may be used freely so long as not changed).

Barring major setbacks, this should be available for Anonymous FTP from Claude Hayes at URVAX (141.166.1.6) as FIXUTIL.ZIP in the antivirus directory - Right, Claude ?

Warmly (and tired),

Padgett

------------------------------

Date: Mon, 20 Jan 92 16:09:32 -0500
From: kenm@maccs.dcss.mcmaster.ca (...Jose)
Subject: SBC? (PC)

Does anyone know anything about a virus that McAfee SCAN reports as SBC?
Neither SCAN 8.4 nor F-PROT seem to know about it (though f-prot 2.01's analyze will detect it in memory). Any info will be appreciated....

....Ken

- ------------------------------------------------------------------------------
|Kenneth C. Moyle                               MOYLEK@SSCVAX.CIS.MCMASTER.CA|
|Computing Services Coordinator (Sciences)                   MOYLEK@MCMASTER|
|Computing and Information Services               ...!uunet!mnetor!maccs!kenm|
|McMaster University - Hamilton, Ontario (Canada)                            |
- ------------------------------------------------------------------------------

------------------------------

Date: Tue, 21 Jan 92 10:30:00 -0800
From: Michael_Kessler.Hum@mailgate.sfsu.edu
Subject: Michelangelo questions (PC)

I had a Zenith 386 SX machine infected. When booting up with the infected diskette, I get a "Disk read error" message. When I reboot off the hard disk, I get an "Unable to read boot code from partition" message, and the computer is disabled unless I boot off the floppy. If I run a CHKDSK, I still get 655360 bytes total memory. F-Prot 2.01 recognizes the existence of the virus, but does not remove it. The installation of VIRSTOP does not seem to affect the installation of the virus or the subsequent screen messages. McAfee's CLEAN does remove it.

Since the virus denies access to the hard disk as soon as it is installed, what is the meaning of the March 6th date? Isn't the virus supposed to be dormant until that date? Why does my experience not match Padgett's description of its activities?

MKessler@HUM.SFSU.EDU

------------------------------

Date: Tue, 21 Jan 92 14:05:58 -0500
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Loading Vshield High (PC)

>From: hendee%3338.span@Sdsc.Edu (Jim Hendee)
>I've noticed that you can use Quarterdeck's QEMM386 and LOADHI to load
>VSHIELD1.EXE in high memory, as well as FPROT's VIRSTOP.EXE, but you
>can't load VSHIELD.EXE high (so far as I'm aware).
Do not know about VIRSTOP but can make the following observations about VSHIELD:

Have been loading high for some time using its /LH switch. This also works under QEMM 5.0+ but only with MS-DOS 5.0 - does not work with earlier MS-DOS versions nor with DR-DOS 6.0 (reports itself as IBM 3.3). When the internal /LH switch is used a 416 byte "connection" is left in low memory. This can also be loaded high with either the DOS LOADHIGH or the QEMM LOADHI commands but then CHKSHLD cannot find it (if you care). Can also say it finds things when loaded this way, at least on my PCs.

Believe the problem stems from the large extent of memory required for initial memory & vital area check it makes that is reduced following load. Have also found that it needs a certain amount of contiguous memory (forget how much) to load and consequently load it FIRST in Autoexec.Bat (I believe the .DOC recommends loading it LAST but had case of refusing to load then - at present I have about 121k loaded high).

Warmly again,

Padgett

I-Net: padgett%tccslr.dnet@mmc.com (my opinions, obviously)

------------------------------

Date: Tue, 21 Jan 92 12:13:27 -0700
From: Chris McDonald ASQNC-TWS-R-SO
Subject: PC Computing Magazine Virus Articles, Feb 92 (PC)

PC Computing Magazine, February 1992, has two articles on computer viruses. The first, entitled "Virus-Proof Your PC", examines the characteristics of 11 products. With no false modesty I must comment that Rob Slade's reviews and my own on anti-viral programs are of higher quality. Different persons reviewed the 11 products, and propose some evaluation statements without much supporting information. There is no overview of the test methodology, no specific identification of those malicious programs against which the programs performed, and no consistent identification of the version of the program actually tested.
The article relies heavily on information from the National Computer Security Association and on Patricia Hoffman's Hypertext Virus Summary List. There is no mention of the Virus-L Forum which is unforgivable.

The second article is a summary of 350 FAX responses to a questionnaire on computer viruses which appeared in an earlier edition. The survey size is so small that the results on infection rates and on defensive strategies seem statistically insignificant.

------------------------------

Date: 21 Jan 92 22:38:42 +0000
From: vail@tegra.com (Johnathan Vail)
Subject: FLASH Virus (WAS: Re: More myths) (PC)

p1@arkham.wimsey.bc.ca (Rob Slade) writes:

   More hardware myths

   3) "BIOS" virus

   First of all, BIOS is ROM BIOS. The RO in ROM stands for "read only". The BIOS, therefore, cannot be infected by a virus. At least, not yet. Intel has already developed flash EEPROMs which it is pushing as "upgradeable" ROMs for the BIOS. It *is* possible to get "bad" ROMs, and it is even possible that a run of BIOS ROMs would be programmed such that they constantly "release" a virus. It hasn't yet happened, though, and it is extremely unlikely, as well as being easy to trace.

"Upgradeable" means the *user* can update (*change*) his BIOS from a program distributed on a floppy or other media. The danger of flash EAPROMs is a real area of concern and should not be taken lightly. True, they have not hit the marketplace yet but figure:

* first line virus defense is booting off a floppy from power-on so that you have a "known" stable and virus free environment.

* a flash virus invades the system and reprograms the system BIOS

* your BIOS that is a known state can be altered then it is now an "unknown" and no longer trustworthy.

This is the danger to be considered but fortunately it has been. The following things can/are being done:

* hardware enable of reprogramming (switch/jumper plug, etc)

* "protected" portions of the chip that cannot be changed.
* elaborate "locks" to reprogram (indeed, the memory cells are relatively fragile and can be damaged by improper programming algorithms).

* CRCs, LRCs and or checksums to increase reliability and integrity.

Most importantly is that different vendors are implementing their own hardware and the lack of a "standard" should prevent any flash virus from having a large enough culture to thrive in.

jv

"theobromine: a compound which, contrary to its name, contains neither bromine nor God" -- David Throop

 _____
|     | Johnathan Vail     vail@tegra.com     (508) 663-7435
|Tegra| jv@n1dxg.ampr.org  N1DXG@448.625-(WorldNet)
 -----  MEMBER: League for Programming Freedom (league@prep.ai.mit.edu)

------------------------------

Date: Tue, 21 Jan 92 16:02:17 +1100
From: Miguel de Icaza
Subject: New virus found (PC)

I recently found a new virus, here in Mexico City. After debugging the code, I found a message ("Moctezumas Revenge"). The virus uses an approach to code infection similar to the Jerusalem virus. No virus scanner catches it so I wrote a signature for the virus (this signature works fine with ThunderByte Scan):

   062e 8f060201 1e2e 8f0600010e07

As soon as I know more about the internals of the virus (such as the date of activation: Yes, it has an activation date, but it seems that it only clears a portion of the screen), I'll post it here.

Miguel de Icaza.
Instituto de Ciencias Nucleares, Universidad Nacional Autonoma de Mexico

------------------------------

Date: 21 Jan 92 18:15:53 -0600
From: "Jerome.Grimmer"
Subject: WWIV4.20 doesn't like Vshield (PC)

I recently got WWIV4.20 and started to set up a BBS here in Carbondale. I was running Vshield at the time, and noted that WWIV would boot OK, and everything would run normally until I decided to exit WWIV (I'm still doing setup). When I would exit WWIV, the system would HARD HANG and I would have to hit the reset button.
I have since stopped using Vshield and have taken to scanning the HD regularly for viruses using SCAN85, which seems to work just fine. I haven't got enough RAM to run DV, that's next...does anyone know if there are any incompatibilities between McAfee's antivirus utilities and Desqview?

Jerome Grimmer
ST6267@SIUCVMB.BITNET
ST6267@siucvmb.siu.edu

------------------------------

Date: Tue, 21 Jan 92 22:15:32 -0500
From: Charles Fee
Subject: Re: WARNING - Michelangelo Virus (PC)

To those who are interested in information regarding the Michelangelo Virus

My machine was infected with Michelangelo for about two weeks, and worked normally for that time. The only clue I had was that Microsoft SmartDrive would not load and cited an 'Incompatible Disk Partition'. After banging my head against the wall trying to figure out why, I ran F-prot 2.01 and it discovered the Michelangelo Virus. I removed it successfully with F-prot 2.01 and the problems with SmartDrive were eliminated..

I hope this possible sign helps...

______
Charles A. Fee                                        DOS Lived...
814-862-2543                cxf111@psuvm.psu.edu      DOS Lives...
                            fee@wilbur.psu.edu        DOS Will Live...
128 Beaver Hall             fee@vivaldi.psu.edu
University Park, PA 16802

------------------------------

Date: Mon, 20 Jan 92 08:30:54 +0000
From: rmason@ecst.csuchico.edu (Robert Mason)
Subject: An A/B floppy drive switch design (PC)

Last August, I posted a two part paper that described attempts to contain virus infections at San Jose State University. It referred to a device for helping prevent infections. This posting describes that device, which makes a single floppy drive appear as either A or B, depending on the switch position.

The purpose of this functionality is to allow or prevent booting a single floppy drive PC from a floppy disk. While the switch is in the non-boot mode, floppy disks infected with boot sector infectors, such as Azusa or Stoned, are prevented from infecting the hard disk.
The device has been tested on an IBM XT class machine, clones using the Phoenix and AMI BIOS, and an AST Premium machine.

A simple design using a 74LS157 Quad 2-IN Multiplexer can switch the drive select and motor enable signals to the floppy drive to make it appear electrically as drive A or drive B. The CMOS setup also needs to be changed to show drive A or B installed, according to the switch position. Ideally, the switch would be the keylock type that is built into most AT-class machines.

The device can be inserted into the FDC cable, by means of an 8 pin edge card connector, or an 8 pin DIP plug connector. Note that only 4 lines are shown coming in. The ribbon cable actually has 7 lines that are cut and twisted 180 deg. at the FD A connector. The odd numbered lines are at signal ground.

The electrical-physical design is shown below. The lines marked as FDC come from the controller. The lines marked as FD go to the floppy drive A connector. The LS157 pin numbers are given next to the multiplexor symbols, with pin 15 connected to an odd numbered input line. The chip must also be connected to power (+5v) and ground at pins 16 and 8, respectively.

   Floppy drive A/B switch   (Switch open selects B drive signals)
   -------------------------------------

                           IC1
                          |\
   FDC 10 --13--|B         \o-15-o
                |           \__12___________ FD 10
                |           /
   FDC 16 --14--|A         /
                |         |/
                |         |
                |         |\
   FDC 12 --10--|B         \
                |           \___9___________ FD 12
                |           /
   FDC 14 --11--|A         /
                |         |/
                |         |
                |         |\
   FDC 14 ---6--|B         \
                |           \___7___________ FD 14
                |           /
   FDC 12 ---5--|A         /
                |         |/
                |         |
                |         |\
   FDC 16 ---3--|B         \
                |           \___4___________ FD 16
                |           /
   FDC 10 ---2--|A         /
                |         |/
                |         |
                | 1
   +5v          |
    |           |
    R1          |
    |           |
    |____/ _____|
    |     SW1
    |
   GND

   Prototype Parts List:
   ---------------------------------
   1   IC1 74LS157                   .35
   1   R1 10kOhm, 1/4w, 5%           .02
   1   16 pin DIP socket             .12
   2   8 pin DIP plugs               .49 ea.
   2   8 pin DIP sockets             .11 ea
   1   1 pin header (power)          .02
   1   2 pin header (keylock)        .04
   1.5 sq. in. circuit board         .40
   ----------------------------------
   Total:                           $2.15

Wirewrap and solder prototypes were built and tested for the approximate cost indicated. Power is obtained from a line to the second FD power connector, and an extension can be made to an AT machine's keylock cable for use with this application. If the machine's keylock is used, it cannot be used to lock the keyboard. I have a single layer board design to manufacture these devices in quantity, if anyone is interested.

- --
Bob Mason - rmason@ecst.csuchico.edu

------------------------------

Date: Mon, 20 Jan 92 07:40:45 -0800
From: Scott_Hollenbeck.McLean_CSD@xerox.com
Subject: Virus Detection and Protection for Unix (UNIX)

I'm looking for recommendations for SunOS (at least 4.1) software packages to provide virus detection and protection services. My preference is for a supported commercially available product, and I'd like to hear from any vendors or users that can provide a detailed product and mechanism description. Please call or respond via e-mail.

Thanks,

Scott Hollenbeck
Xerox Corporation
(703) 790-3766

------------------------------

Date: Wed, 15 Jan 92 00:00:00
From: U10009@SNAESP2.BITNET
Subject: Help Required re IBM RSCS malicious programs (IBM VM/SP)

Hi! Everybody!

My name is Xavier Salmon and I am in charge of the computer System in the ESPOL ( Escuela Superior Politecnica del Litoral ) in Guayaquil-Ecuador. We are new in this "universe" ( BITNET ) and naturally we have had some difficulties setting on our communication system. Now our major concern is about security, could somebody out there, help us with suggestions or references where we can find information about protection against "Malicious Programs" ( worms, virus, etc. within BITNET network ). Our system is an IBM-4341 running RSCS Version 2 Release 3 under VM/SP 6.0.

Any information will be appreciated. Please write directly to U10009@SNAESP2.BITNET.

Thank you very much.
------------------------------

Date: 21 Jan 92 23:02:01 +0000
From: vail@tegra.com (Johnathan Vail)
Subject: Re: The modem virus myth

p1@arkham.wimsey.bc.ca (Rob Slade) writes:

   As people started to raise objections to the possibility of this ridiculous scenario, the initial report was traced back to a posting on Fidonet (the earliest date I have in my records is October 6, 1988) by someone who gave his name as "Mike RoChenle". Ken later suggested this might be read as "microchannel", the then new bus for IBM's PS/2 machines.

I think the moral of the story is not to blindly believe what you read, especially if it comes off of fidonet. I always felt that fidonet was the lowest form of life on the internet foodchain. Seriously, one of the "problems" with the internet and related networks is that to a casual observer the "Mike RoChenle"s have the same visibility and stature as the Rob Slades and Padgett Petersons.

   it. BBSes, and, by extension, modems, have had a consistently, and unfairly, bad press over the past few years. BBSes are seen as the ultimate source of all "evil" programs; viri and trojans; and anything bad said about them is to be believed.

It is still my belief that BBSs are a major vector for the spread of viruses and nasty code. I don't mean to paint all BBSs with the same brush but consider that access is mostly anonymous and a lot of people using BBSs are barely computer literate. The ease of access to BBSs and the questionable nature of security and integrity make them an easy target to aid the spreading of viruses.

jv

"Everything that gives us pleasure gives us pain to measure it by."
-- The Residents, GOD IN THREE PERSONS

 _____
|     | Johnathan Vail     vail@tegra.com     (508) 663-7435
|Tegra| jv@n1dxg.ampr.org  N1DXG@448.625-(WorldNet)
 -----  MEMBER: League for Programming Freedom (league@prep.ai.mit.edu)

------------------------------

Date: Tue, 21 Jan 92 16:58:48 -0600
From: James Ford
Subject: VS920109.ZIP on risc (PC)

The file vs920109.zip has been placed on risc.ua.edu for anonymous ftp in the directory pub/ibm-antivirus. This file replaces vs911114.zip and was ftped down from Simtel20.

Fyi, if an update of an ibm antivirus file is announced on Virus-l, it will usually be on risc.ua.edu a couple of days later if not sooner. I do try to keep the archives updated, but sometimes forget to post the upgrade(s) on mibsrv-l@ua1vm.ua.edu

- ----------
Is there any truth to the rumor that everything is really okay?
- ----------
James Ford - Consultant II, Seebeck Computer Center
The University of Alabama (in Tuscaloosa, Alabama)
jford@ua1vm.ua.edu, jford@risc.ua.edu

------------------------------

Date: Tue, 21 Jan 92 04:33:00 -0500
From: HAYES@urvax.urich.edu
Subject: new pgms from Padgett Peterson (PC)

Hello. Glad to report the availability of new programs from A. Padgett Peterson:

FIXMBR22.ZIP
   This program is designed to replace the standard MS-DOS master boot record program with code that does more than just find the active partition and jump to the O/S boot record. This archive contains also the latest version of SafeMBR. Now shareware. Update.

CHK .ZIP
   Two utilities to check both floppy and hard disk and detect the "Michelangelo" virus. These two programs are integrity checkers.

FIXFBR11.ZIP
   FixFBR is a generic anti-virus program and repair tool for infected and corrupted boot records on floppy disks. FixFBR first checks the disk for a valid Boot Parameter Block (BPB) and does a generic test for infection/corruption.
   Once the disk has been identified (and the user has an option to change if incorrect), the complete boot record is replaced with non-bootable but error checking and flagging code. If the disk is wished to be made bootable, the DOS SYS command will be effective.

FIXUTIL .ZIP
   For the user who wishes to get Padgett's FIXxxx programs. Contains: CHK.ZIP, FixMBR22.ZIP and FixFBR.ZIP.

CHKINT .ZIP
   Checks the interrupts of a given program without running the said program. Useful to track possible trojan horses. This program used to be in [.msdos.utility].

Reading the respective doc files is a must with Padgett's programs to avoid problems later.

- ----------
site:      urvax.urich.edu, IP# 141.166.1.6
system:    vax/vms 5.4, Multinet as FTP processing program
directory: .msdos.antivirus
user:      anonymous
password:  your_email_address

Please note:

a) at logon, the user is in the anonymous directory. typing: cd msdos.antivirus will put the user in this directory.

b) I received reports of problems with some files when downloaded on PCs. This is *hopefully* solved. For those who use Zmodem, no change will be apparent. For those using Kermit, the command set file type fixed instead of set file type binary *MUST* be issued *before* the server command and download start.

Regards, Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

Date: Tue, 21 Jan 92 08:23:00 -0500
From: "Gerry Santoro - CAC/PSU 814-863-7896"
Subject: RE: NCSA Has Tested Anti-Virus Programs (PC)

In VIRUS-L V5 #8 someone posted the following:

>Subject: RE: NCSA Has Tested Anti-Virus Programs
>
>The information you presented was correct, though outdated. Those
>results were from the previous virus scanner evaluation report, and
>were printed last year in Network World, as you said.
>Just this week, the latest update to that scanner evaluation was
>released, and is available from the NCSA at 717-258-1816. The results
>may surprise you.....

Hope this helps, happy virus-bust

Downloaded From P-80 International Information Systems 304-744-2253
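The boot-record checks that Padgett Peterson's "Low-level utilities" post and the FIXFBR11.ZIP entry in Claude Bersano-Hayes's list describe (check the floppy for a valid BPB, identify which of the four formats it is, and flag that "something" is wrong without naming a virus) can be illustrated with the following Python. It is an added example, not code from the digest and not FixFBR itself: it uses only the documented FAT12 boot-sector layout, and the geometry table, the offset 0x1C cut-off used for "jump lands inside the BPB", and every sample sector are this example's own assumptions and constructed data.

```python
"""Generic sanity checks on a DOS floppy boot record (FAT12 layout).

Added example; not code from the digest and not Padgett Peterson's FixFBR.
It reproduces the kind of test the posts describe (valid BPB? consistent
record? "something is wrong" without naming a virus) using only the
documented FAT12 boot-sector layout. All sample sectors are constructed.
"""
import struct

SECTOR_SIZE = 512

# The four formats the FixFBR post supports, keyed by total sector count:
# (name, media descriptor, sectors/cluster, root entries, sectors/FAT,
#  sectors/track, heads). These are the standard DOS parameters.
KNOWN_FLOPPIES = {
    720:  ("360k",   0xFD, 2, 112, 2,  9, 2),
    1440: ("720k",   0xF9, 2, 112, 3,  9, 2),
    2400: ("1.2Mb",  0xF9, 1, 224, 7, 15, 2),
    2880: ("1.44Mb", 0xF0, 1, 224, 9, 18, 2),
}

# BPB fields starting at offset 11: bytes/sector, sectors/cluster, reserved
# sectors, FAT count, root entries, total sectors, media, sectors/FAT,
# sectors/track, heads. The last field parsed here ends at offset 0x1B.
BPB_FORMAT = "<HBHBHHBHHH"
BPB_END = 0x1C   # assumption: a sane jump must land at or past this offset


def parse_bpb(sector):
    keys = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
            "fat_count", "root_entries", "total_sectors", "media",
            "sectors_per_fat", "sectors_per_track", "heads")
    return dict(zip(keys, struct.unpack_from(BPB_FORMAT, sector, 11)))


def identify_floppy(sector):
    """Name the floppy format from the BPB, or None if not one of the four."""
    entry = KNOWN_FLOPPIES.get(parse_bpb(sector)["total_sectors"])
    return entry[0] if entry else None


def check_boot_record(sector):
    """Return a list of findings; an empty list means the record looks sane."""
    if len(sector) != SECTOR_SIZE:
        return ["record is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    findings = []
    if sector[510:512] != b"\x55\xAA":
        findings.append("boot signature 55AA missing")

    # The first instruction must be a jump over the BPB into the boot code.
    op, target = sector[0], None
    if op == 0xEB:                       # short jump, rel8
        target = 2 + sector[1]
        if sector[2] != 0x90:
            findings.append("short jump not followed by NOP")
    elif op == 0xE9:                     # near jump, rel16
        target = 3 + struct.unpack_from("<H", sector, 1)[0]
    else:
        findings.append("first byte %02X is not a jump" % op)
    if target is not None and target < BPB_END:
        findings.append("jump lands inside the BPB at offset 0x%02X" % target)
    if target is not None and target >= SECTOR_SIZE:
        findings.append("jump leaves the sector (offset 0x%X)" % target)

    bpb = parse_bpb(sector)
    spc = bpb["sectors_per_cluster"]
    if bpb["bytes_per_sector"] != 512:
        findings.append("bytes per sector is %d" % bpb["bytes_per_sector"])
    if spc == 0 or spc & (spc - 1):
        findings.append("sectors per cluster %d is not a power of two" % spc)
    if bpb["reserved_sectors"] < 1:
        findings.append("reserved sectors is 0; the boot sector must be reserved")
    if bpb["fat_count"] not in (1, 2):
        findings.append("FAT count %d is implausible" % bpb["fat_count"])
    if bpb["root_entries"] == 0 or (bpb["root_entries"] * 32) % 512:
        findings.append("root entries %d do not fill whole sectors" % bpb["root_entries"])
    known = KNOWN_FLOPPIES.get(bpb["total_sectors"])
    if known is None:
        findings.append("total sectors %d is not a supported floppy size" % bpb["total_sectors"])
    else:
        name, media, _, _, _, spt, heads = known
        for field, expected in (("media", media), ("sectors_per_track", spt), ("heads", heads)):
            if bpb[field] != expected:
                findings.append("%s is %d, expected %d for a %s disk"
                                % (field, bpb[field], expected, name))
    return findings


def build_boot_sector(total_sectors, jump_target=0x3E, signature=True, media=None):
    """Construct a minimal boot sector for testing (constructed data, no boot code)."""
    _, media_byte, spc, root, spf, spt, heads = KNOWN_FLOPPIES[total_sectors]
    if media is not None:
        media_byte = media                # deliberately wrong media byte for tests
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = bytes([0xEB, jump_target - 2, 0x90])
    sector[3:11] = b"EXAMPLE "
    struct.pack_into(BPB_FORMAT, sector, 11, 512, spc, 1, 2, root,
                     total_sectors, media_byte, spf, spt, heads)
    if signature:
        sector[510:512] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    for label, sec in (("clean 1.44Mb", build_boot_sector(2880)),
                       ("jump into BPB", build_boot_sector(2880, jump_target=0x0B)),
                       ("360k, wrong media, no 55AA",
                        build_boot_sector(720, signature=False, media=0xF0))):
        print(label, identify_floppy(sec), check_boot_record(sec) or "OK")
```

The checks are deliberately generic, in the spirit of the post: they say that a record is inconsistent, not which virus (if any) produced it. Any replacement record written afterwards should keep the BPB intact so DOS can still read the disk; that is why the digest notes that SYS is all that is needed to make such a disk bootable again.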
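Two posts above describe looking at a program's bytes without running it: Miguel de Icaza's hex signature for ThunderByte Scan, and the CHKINT .ZIP entry in Claude Bersano-Hayes's list, which reports the interrupts a program contains. The Python below is an added example, not code from the digest, from ThunderByte Scan or from CHKINT: it matches a hex signature (the one quoted in the digest) against a byte image and inventories INT nn opcodes. The "??" wildcard byte, the interrupt name table and the sample COM image are this example's own assumptions and constructed data.

```python
"""Static inspection of a DOS program image without running it.

Added example; not code from the digest, from ThunderByte Scan or from
Padgett Peterson's CHKINT. Matches a hex signature against a byte image and
counts the software interrupts (INT nn, opcode CD nn) the image contains.
The '??' wildcard is this example's own convention (an assumption).
"""
import re

# Signature quoted in the digest for the "Moctezumas Revenge" virus.
SIGNATURE = "062e 8f060201 1e2e 8f0600010e07"

# Well-known PC/DOS interrupt vectors, for readable reports.
VECTOR_NAMES = {
    0x10: "BIOS video", 0x13: "BIOS disk", 0x16: "BIOS keyboard",
    0x21: "DOS services", 0x25: "DOS absolute disk read",
    0x26: "DOS absolute disk write", 0x27: "DOS terminate-and-stay-resident",
}

# Constructed sample COM image: a few DOS/BIOS calls with the signature
# bytes embedded in the middle, followed by a little string data.
SAMPLE_COM = bytes.fromhex(
    "b409"                              # mov ah,09h      ; print string
    "ba1e01"                            # mov dx,011Eh
    "cd21"                              # int 21h
    "b80102"                            # mov ax,0201h    ; read one sector
    "cd13"                              # int 13h
    "062e8f0602011e2e8f0600010e07"      # the signature bytes (offset 12)
    "b44c"                              # mov ah,4Ch      ; terminate
    "cd21"                              # int 21h
    "486924"                            # db 'Hi$'
)


def compile_signature(sig):
    """Turn 'aabb ?? cc' into a byte regex; '??' matches any single byte."""
    hexdigits = sig.replace(" ", "").lower()
    if len(hexdigits) % 2:
        raise ValueError("signature has an odd number of hex digits")
    pattern = b""
    for i in range(0, len(hexdigits), 2):
        pair = hexdigits[i:i + 2]
        pattern += b"." if pair == "??" else b"\\x%02x" % int(pair, 16)
    return re.compile(pattern, re.DOTALL)


def find_signature(image, sig):
    """Offsets at which the signature occurs in the image."""
    return [m.start() for m in compile_signature(sig).finditer(image)]


def interrupt_inventory(image):
    """Count INT nn (CD nn) opcodes by vector number.

    A byte scan cannot tell code from data, and packed or self-modifying
    programs hide their calls, so treat the result as a hint for an
    analyst, not proof of what the program does.
    """
    counts = {}
    i = 0
    while i < len(image) - 1:
        if image[i] == 0xCD:
            counts[image[i + 1]] = counts.get(image[i + 1], 0) + 1
            i += 2                      # skip the vector byte just consumed
        else:
            i += 1
    return counts


def report(image):
    """Human-readable inventory lines, lowest vector first."""
    return ["INT %02Xh x%d  %s" % (vec, n, VECTOR_NAMES.get(vec, "unknown"))
            for vec, n in sorted(interrupt_inventory(image).items())]


if __name__ == "__main__":
    print("signature at offsets:", find_signature(SAMPLE_COM, SIGNATURE))
    print("\n".join(report(SAMPLE_COM)))
```

Run against real files the same two questions apply: a signature hit identifies a known pattern, and the interrupt list shows whether a program that claims to be, say, a text utility contains direct disk calls (INT 13h, 25h, 26h) it has no business making. Neither result is conclusive on its own, which is why the digest describes CHKINT as an aid for tracking possible trojans rather than a verdict.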