Received: by lemuria.sai.com (/\==/\ Smail3.1.21.1 #21.11)
	id <m0ouhJl-0002Iza@lemuria.sai.com>; Wed, 3 Nov 93 07:28 EST
Received: from fidoii.CC.Lehigh.EDU by mv.MV.COM (5.67/1.35)
	id AA19845; Wed, 3 Nov 93 06:38:59 -0500
Received: from Fidoii.CC.Lehigh.EDU ([127.0.0.1]) by Fidoii.CC.Lehigh.EDU with SMTP id <126985-2>; Wed, 3 Nov 1993 06:31:44 EST
Message-Id: <9311031129.AA01762@bull-run.ims.disa.mil>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@assist.ims.disa.mil>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #142
X-Listprocessor-Version: 6.0b -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: Wed, 3 Nov 1993 06:31:32 EST

VIRUS-L Digest   Wednesday,  3 Nov 1993    Volume 6 : Issue 142

Today's Topics:

Re: Can you help me locate an important Masters thesis
Re: Swiss AntiViral legislation
Re: Draft Swiss AntiVirus regulation
Hollywood and Computer Viruses..!? Oh no.
Re: Novell Network Protection (Novell)
Re: Virus scanning for UNIX (UNIX)
Re: Parasitic? (PC)
Re: Satan Bug, et al; VIRUS-L Digest V6 #140 (PC)
Re: Monkey Problem (PC)
Re: INVADER: info wanted (PC)
Re: Protection needed for LAN servers and workstations (PC)
Re: --- Virus sigs for 'Dudley' virus - - (PC)
Re: MtE virus...what does it do? (PC)
*HELP*--Possible Virus? (PC)
Re: Why is CPAV bad? (PC)
Re: Why is CPAV bad? (PC)
Re: Yoshi Virus *&^%$ Help! (PC)
Re: Removing Boot Sector Virus from Floppies (PC)
Re: 1837 bytes 9E 10 16 ... (PC)
Re: Nov 17 Virus (PC)
Re: KEYPRESS 5 virus (PC)
Re: Removing Boot Sector Virus from Floppies (PC)
Re: S-Bug virus (PC)
Looking for Info.:ANNOINT VIRUS (PC)
GS.ZIP

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 29 Oct 93 12:11:20 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Can you help me locate an important Masters thesis

Paul Yue (yue@se.citri.edu.au) writes:

> I am trying to obtain a copy of:
> "A new integrity based model for limited protection against 
> computer viruses"
> by M. Cohen. Master Thesis, Pennsylvania State University, College
> Park, 1988.

It is available from ASP Press, PO Box 81270, Pittsburgh, PA 15217,
USA.

[Moderator's note: I believe the above contact is for obtaining Dr.
Fred Cohen's thesis, not M. Cohen; to my knowledge, Fred Cohen never
wrote a master's thesis at Penn State University.  If all else fails,
you might try sending e-mail to postmaster@psu.edu to get pointed in
the right direction at PSU.]

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 12:18:29 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Swiss AntiViral legislation

Klaus Brunnstein (brunnstein@rz.informatik.uni-hamburg.d400.de) writes:

> PS: Mr. Frigerio will have another fight with lawyers who think that any
> legislation is dangerous as it may also hurt the "good viruses". I argued that
> "good viruses" exist only in Dr. Cohen's head, as those applications which he
> always mentions can be realized by non-replicative methods.

I'll take the risk to disagree with my boss... :-) While I am
perfectly aware of the general public opinion that "good viruses" are
a "bad idea", I also find some of Dr. Cohen's examples pretty
convincing. I am not yet prepared to argue on the subject. I am not
even decided myself whether "good viruses" can exist or not. However,
I am quite certain that responsible research in this field should not
be forbidden.

Anyway, about a year ago, I have posted here a message, asking for
arguments supporting the opinion that a good virus is a bad idea. I
have collected about a dozen - all of them very good ones, but they
still have not convinced me. Nevertheless, as I said, I am not
prepared to argue on this subject yet, so please don't send me
messages proving that you are right and I am wrong. (Just for the
record, I would like to note that I am not convinced that Dr. Cohen is
right, either.)

However, in an attempt to help Mr. Frigerio in his legal fights, I am
posting here the arguments that I have collected. I hope that they
will be helpful to him - virus exchange is something that I am
strongly opposed to, and I would welcome any reasonable legislation
against it.

> Moreover, any automatic reproduction has an unwished side-effect, as
> copyrights for any software does only apply to the original (=uninfected)
> program, so viruses "steal" all legal rights from both the originator and
> the user (who loses the guarantee, if any, of a working program :-)

Not quite. Compressing the program with something like PKLite does the
same (modification), yet nobody says that PKLite is illegal. I agree
that unauthorized reproduction is a bad thing, but who ever claimed
that the good viruses have to reproduce without authorization?

Anyway, as I said, I am not prepared to argue on this subject yet.

Regards,
Vesselin

           A dozen reasons why a "good" virus is a bad idea

1) It is unethical to modify somebody's data without his/her
knowledge. In several countries this is also illegal.

2) Modifying a program could mean that the owner of the program loses
his/her rights for technical support, ownership, or copyright.

3) Once released, you have no control over how the virus will spread; it
may reach a system about which you know nothing (or which could have
even not existed at the time the virus is created) and on which it
might cause non-intentional damage. Even if the bug is discovered, it
would be extremely difficult to find all replicants of the virus and
apply the appropriate fix to them.

4) A bad guy could get a copy of the virus and modify it to include
something malicious. Actually, a bad guy could trojanize -any-
program, but a "good" virus will provide the attacker with means to
transport his malicious code to a virtually unlimited population of
computer users.

5) The anti-virus programs will have to distinguish between "good" and
"bad" viruses, which is essentially impossible.  Also, the existence
of useful programs which modify other programs at will, will make the
integrity checkers essentially useless, because they will be able only
to detect the modification and not to determine that it has been
caused by a "good" virus.

6) A virus will eat up disk space and time resources unnecessarily
while it spreads.

7) A virus could contain bugs which might damage something or harm
somebody.  Any program could be buggy, but the virus is a
self-spreading buggy program which is out of control.

8) A virus will disable the few programs on the market which check
themselves for modifications and halt themselves if they have been
changed, thus performing a denial-of-service attack.

9) Anything useful that could be done by a virus, could also be done
with a normal, non-replicating program.

10) A virus steals control of the machine from the user and ruins the
trust that the user has in his/her machine - the belief that s/he can
control it.

11) Declaring some viruses as "good" will just give an excuse to the
crowd of virus writers to claim that they are actually doing
"research".

12) For most people the word "computer virus" is already loaded with
negative meaning. They will not accept a program called like that,
even if it claims to do something useful.

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 12:28:45 -0400
From:    context@dialix.oz.au (r frey)
Subject: Re: Draft Swiss AntiVirus regulation

DEL2@phx.cam.ac.uk writes:

>It's always good to see a country framing anti-virus legislation, but
>I was puzzled by the Swiss draft (VIRUS-L Digest V6 #133). It strikes
>me as linguistically ambiguous, surely not a good idea. The text runs:

>"Wer unbefugt elektronisch oder in vergleichbarer
>Weise gespeicherte oder uebermittelte Daten loescht,
>veraendert oder unbrauchbar macht, oder Mittel, die
[stuff deleted - electronically!]

>Now surely the phrase "elektronisch oder ...Weise" could qualify either
>"gespeicherte" (as [presumably] in the translation offered) or "loescht"
>(indicating that the law is against viri rather than against, say, the
>burning of floppies)? Is there something special in Swiss German which
>could distinguish between the two possibilities:

>(a) Anyone who without authorisation uses electronic or similar means to
>erase, alter or render useless saved or transmitted data; or manufactures..

>(b) Anyone who without authorisation erases, alters or renders useless
>data electronically (or by other means) saved or transmitted ...

There is indeed something special in/about Swiss German, but this ain't
it  ;-)  In fact, it's just plain horrible officialese/legalese "High"
German. To answer your question, I think (b) is what they're talking about, more
or less. (I haven't read the original post, though). Which means, of
course that, yes, the burning of floppies is also covered, along with
viri, plug-pulling, sledgehammers, etc. They're thorough back in the old
country :-)

(I know this is not a linguistics group, but I didn't start this! You
are correct in thinking that translation (a) is also 'possible', ie,
grammatically correct -- it just wouldn't be likely in this kind of
text, or in any technical writing. To put it simply, the adverbial
phrase would be positioned so that it is no longer ambiguous. I'm sure
there's a better way of explaining this, but not at 0018 here in the
Land of Oz!)

>And what is the significance of adding the "transmitted" ("uebermittelte")?
>Does it clarify or only obscure?

It extends the area covered to include not only data that is stored but
also data that is in transit. I think it is a useful addition.

> Surely legislation above all should be crystal clear in its intent?

This is where it gets ideological and nasty .. let's leave it alone.
- -- 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
roger frey                            phone     +61 9 481 4056 
context@dialix.oz.au                  fax       +61 9 481 4249 

------------------------------

Date:    Fri, 29 Oct 93 14:38:07 -0400
From:    datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Hollywood and Computer Viruses..!? Oh no.

I recently read an article about the horror movies coming out for
(or with in mind) Halloween.  In it, there was mention of a film, which
is supposed to be about a family chased by a computer virus that can 
travel along any means of electricity - so through the stove, and the power
outlets..

It's supposed to be a Fox production.  I don't have the name (yet)!  If I
can get it, I'll post it up..

- -- 
  -- Kevin Marcus:   datadec@ucrengr.ucr.edu,  tck@bend.ucsd.edu
  CSLD Room Monitor, Thurs 10-12p, Sunday  5-10p (909)/787-2842.
  Computer Science,  University of California, Riverside.

------------------------------

Date:    Fri, 29 Oct 93 11:45:41 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Novell Network Protection (Novell)

Brian Cooper (psgrbbc@prism.gatech.edu) writes:

>  I apologize if this is a FAQ.  I have a friend who is installing a
>  network (first time).  He has one file server and about 20 workstations.
>  He wants to know the best way to protect his network from viruses.

As usual, there are no "best" solutions. In general, it is a good idea
to restrict access to the shared files on the network as much as
possible. Mark them in such a way that the users can only execute
them. (How exactly this is achievable and to what extent, depends on
the kind of network you have.) Tell those users with supervisor
privileges to never log in as privileged users, if they suspect that
the system is infected. Also, tell them to never execute other
people's files, while they are logged in as privileged users. In
general, create alternative accounts for them with "normal"
privileges, and tell them to use only those accounts, except in those
cases, when a task has to be performed that requires more privileges.
Restrict access the best you can without hampering productivity. Make
sure that the server's console is physically secure.

>  He is interested in protecting the SERVER but also the individual     
>  workstations.  He is running Novell v. 3.11.  What's the best
>  line of defence?

If you are asking about anti-virus products, many producers will be
happy to sell you a LAN version of their scanner, which includes both
an NLM for the server and a resident scanner for each of the
workstations. There are also integrity checkers which support Novell
LANs - for instance, Untouchable.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 14:04:30 -0400
From:    barnes@sde.mdso.vf.ge.com (Barnes William)
Subject: Re: Virus scanning for UNIX (UNIX)

Gary,
> From:    gmckee@cloudnine.com (Gary McKee)
> When is the last time you copied an executable from one UNIX machine
> onto another one? This is not a characteristic mode of usage for UNIX
> activity.  Usually, programs are recompiled when being ported to
> another machine.
> 
> [Moderator's nitpick: Happens all the time on the NFS LAN that I'm
> on...]

Every time we load a 3rd party package (i.e. Interleaf doesn't send us
source, only binary) or the OS, and as the Moderator indicated, to
every NFS system, which reaches about 500 nodes for us.  Also, while
we try to stress to our user community, that they need to go through
us, some of them still pull binaries and programs off of other
machines and their "friends".  You might ask how would they get them
to run, and I would reply, there are lots of Suns out there to get
binaries from.

> How often do you transfer data between UNIX machines by carrying a
> floppy disk from machine to machine? Usually, UNIX machines are on
> some kind of network and data is transferred electronically.

Hourly.  Our users have an interesting configuration.  They have local
floppy drives (OH WOW!).  They tend to copy their own files off the
system so that they feel more secure in their information.  It also
indicates that they can also load information onto the machine.  And
if you haven't heard, Sun is now making it possible to do this without
root privileges.

> Consequently, there is, as of yet, no reliable indication of whether or
> not UNIX access control is helpful. As a competent UNIX sysop will
> protect executables from modification by users, it seems likely that a
> much higher level of skill will be required to effectively propagate
> viruses on UNIX.

While a sysop will take protective measures that he/she knows,
remember that many products ask to be installed as root.  If there is
a virus in that package, then it was just installed as root and can
run amuck throughout the entire "trusted" network, not just the local
machine.  If you think that this is far fetched then you probably
don't remember some of the "shrink wrapped" software that has been
shipped with viruses, accidentally, in them for PCs and Macs.

> In any event, if you have access to a UNIX machine, you probably are
> too busy doing something interesting to have time for virus writing.

Are you out of touch with the Unix world?  Many of us have Unix boxes
at home, we have a couple of sparcbooks that run around the country
picking up whatever may land on them and we have people that come in
after hours to play games and just work on their own stuff.  Not only
is Unix now available to more people, but the people also have more
time to work on Unix cracking if they are so inclined.

I am sorry that the tone of this is sarcastic, but I have been
fighting with people for several years now, not to ignore viruses on
Unix machines.  There may not be many floating around yet, but
ignorance of the problem is no solution.  It will just jump up and
bite us if we are not ready.  Unix machines and PC's are starting to
look much like each other.  If there is a problem with viruses on
PC's, why do people think that there will not be a problem, some day
on Unix machines?

Bill Barnes
Sr Systems Analyst
Martin Marietta
barnes@mdso.vf.ge.com

------------------------------

Date:    Fri, 29 Oct 93 11:06:25 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Parasitic? (PC)

vfreak@aol.com (vfreak@aol.com) writes:

> Parasites usually can't live for very long without their hosts, and since
> file infectors require host files in order for them to replicate, they are
> parasitic.

No, Kevin's reply was more correct - the term "parasitic" is usually
used to label a virus which attaches itself to files somehow
physically (not necessarily at the end) - that is, one that does not 
overwrite them, and not a companion or boot sector virus.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 11:10:17 -0400
From:    Eric_N._Florack.cru-mc@xerox.com
Subject: Re: Satan Bug, et al; VIRUS-L Digest V6 #140 (PC)

In #140 Padgett writes:

- -=-=-=
>The encryption will also make the virus invisible to antivirus
>scanners dated before August.  *Virus scanners must open a file to
>scan it, and if your virus is in memory, the act of opening it for
>scanning will infect it.  And, if you run an infected antivirus
>scanner, nearly every executable file on the disk will be infected.:

The key here is "scanners". Integrity management software will spot it
immediately (my FreeWare CHKMEM will spot it instantly in memory using
a check added in 1990 - doesn't even require memory size input).
- -=-=-=

Ya know, I've always been hazy on this point, at least. Why should a
scanner /have/ to open a file? Could an effective string search be done at the
DISK level, such as what such utils as NDD do? Sector by sector, it would be;
and it would require that the whole disk be done, as opposed to just one file.

Sure, the program would have to keep track of what file such and such a sector
is assigned to, but it should be able to do this by using the FAT as a data
file, thereby avoiding the opening of ANY files, except the scanning EXE
itself.

Or am I sideways, here?

Thanks for all the info, and thanks to the folks who sent me reams of
information, off the list.

/E

------------------------------

Date:    Fri, 29 Oct 93 11:17:12 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Monkey Problem (PC)

Scott Gregory (wg2b+@andrew.cmu.edu) writes:

> We have an epidemic of the Monkey virus here at our school.  I just
> learned that F-Prot won't properly remove Monkey from a hard drive.

Indeed, that's a known bug in F-Prot. Also, it will misidentify the
virus (as "new variant of Stoned") on anything other than a 360 Kb
floppy.

> Can somebody suggest a program (preferably public domain so I can
> distribute it to the kiddies around here) that can successfully remove
> the Monkey virus from a hard drive?

Try KillMonk2 from Tim Martin, available from our anonymous ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/killmnk2.zip

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 11:27:32 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: INVADER: info wanted (PC)

A.W.van Steijn (felfs!awsl3@uunet.uu.net) writes:

> Who has had some experience with the "Invader" virus?

You probably mean one of the Jerusalem.AntiCAD.4096 viruses?

> I have the following questions:

> 1. Is the McAfee virus scanner able to find it?

Yes. It calls it "Invader [Invader]", except that it reports one of my
replicants as "Sunday [Sunday]". (Huh?!)

> 2. Can the virus be "cleaned" from an infected disk?

Of course.

> 3. Is it a stealth virus?

No, as far as I recall. But it is multi-partite (infects both files
and boot sectors) and highly destructive.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 11:31:10 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Protection needed for LAN servers and workstations (PC)

fishern3485@cobra.uni.edu (fishern3485@cobra.uni.edu) writes:

> Is it possible to poll the write-protect soft-switch?  If it is possible
> to poll this location without turning the drive on, then you can have
> an interrupt-driven program watch to see if the write protect status
> changes.  This would indicate a disk removal/insertion.

Hm. That's a neat idea. Yes, it is possible to poll the ports of the
floppy disk controller and to check the write protection status. I
don't know whether this will require the drive motor to be turned on.
Try to implement it and keep us posted.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 11:34:47 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: --- Virus sigs for 'Dudley' virus - - (PC)

sdoddsir01@cc.curtin.edu.au (sdoddsir01@cc.curtin.edu.au) writes:

>     I was wondering if any of you guys out there in computer world
> would have any virus signatures for the Dudley virus???

Nope. The virus is polymorphic. I have not analysed it, but it is
quite possible that no single scan string for it (or even a 
reasonably small set of them) can be found.

>     Because this virus was caught recently on the net there are no
> scanners for it avail. so I'll do the more monotonous task of
> searching signatures (usually works for me....)

Try VET from Cybec. It's an anti-virus company local to you, and since
the virus has also been reported first in Australia, it is quite
likely that their software can deal with it.

>     I hope one of those sorts who likes gathering virus signatures for
> their own scanners might be reading this and can help..

I hope that this example can show you why gathering virus "signatures"
("scan strings" is the more appropriate term) is not a good idea -
there are viruses for which no such scan strings can exist.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 11:50:07 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MtE virus...what does it do? (PC)

John Coughlin (jcoughli@vela.acs.oakland.edu) writes:

> I recently encountered a virus that Norton NAVSCAN identified as
> MtE. Unfortunately, Norton didn't provide a description of the virus;
> it basically told me to delete it and reinstall the file. Neither
> the versions of Central Point CPAV, McAfee, or PC Virus that I 
> have even recognize this virus. Does anyone know what this MtE virus 
> does, and if there's a way to remove it without re-installing the 
> infected files?

First, there is no such thing as the MtE virus. MtE is a polymorphic
engine - a library function that can be linked to a virus written to
use it, which makes it polymorphic. This way, the author of the virus
doesn't have to care to implement polymorphism himself, and the
polymorphism provided by MtE is very good. Currently there are a
couple of dozen viruses which use the MtE. Some (most) scanners
are unable to distinguish between them and call all of them just "MtE"
(or "DAME", or whatever).

In my tests, the latest versions of McAfee's SCAN were able to detect
the MtE-based viruses reliably. CPAV also has reasonably good
detection, although it is not 100% reliable. I don't know what PC
Virus is, but if you mean PC Vaccine Professional, it is also able to
detect the MtE reliably. As opposed to that, NAV up to and including
version 2.1 is known to have unreliable detection of the MtE-based
viruses. The older versions of the virus definitions were also known
to cause false positives.

Therefore, I am inclined to believe that in your case you don't have a
virus, but are a victim of a false positive.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 12:01:04 -0400
From:    bc1f_067@uwpg02.uwinnipeg.ca
Subject: *HELP*--Possible Virus? (PC)

Hi.  I've read the FAQ, and I didn't find anything describing my problem.
I think that I may have a virus of sorts.

I'm using a 496DX2 IBM compatible running MS-DOS 6 with a TVGA89-blah card.
Occasionally, when I power up, nothing happens on the screen.  The power light
is on, the fan is going, but there are no Power On Self Tests (memory, drive
check, etc...).  This is remedied by hard-booting.  I was told that this was
most likely caused by a bad BIOS chip, but, I can hear my hard disk work for
approx. 2-3 seconds when I power up.  It is only when this happens that the
screen blanks.

I've run the three virus checkers that i own, CP Antvir, Manitoba Hydro scan,
and Msav.  Cp hangs, Manitoba Hydro doesn't find my boot record, and Msav
detects nothing.  Any help would be appreciated.

Many thanks in advance,

Chris.

email: bc1f_067@uwpg02.uwinnipeg.ca

------------------------------

Date:    Fri, 29 Oct 93 12:18:36 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Why is CPAV bad? (PC)

Jonah Lin (lin@rs5.tcs.tulane.edu) writes:

> I've read several posts saying how bad CPAV is.
> Why is it so bad,is it because of low detection rate or a combination of
> things?

A combination of things. Miserable detection rate, sometimes crashes,
very weak integrity checker, the resident part in most versions can be
disabled or even removed from memory by a virus, some misleading and
plain wrong things in the manual, etc., etc. The restricted variant
called MSAV that comes with MS-DOS 6.0 is even worse. Yisrael Radai
has an article, explaining all the deficiencies in MSAV; it is
available in PostScript format from our anonymous ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/msaveval.zip

> Which AV software is considered to be the best?

Which editor is the best? Which compiler is the best? None! It all
depends on what exactly you need. Of course, some products perform
some anti-virus functions better than others.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 12:28:48 -0400
From:    <RADAI@vms.huji.ac.il>
Subject: Re: Why is CPAV bad? (PC)

   Jonah Lin asks:
> I've read several posts saying how bad CPAV is.
> Why is it so bad,is it because of low detection rate or a combination of
> things?

I'm sure by now you've already received some replies to your question,
but anyway, here are 15 reasons why I think CPAV is an inferior
product:

1.  CPAV consistently scores at or near the bottom on comparisons of
 known-virus scanners with respect to their detection rate.
2.  CPAV's scanning is relatively slow.
3.  CPAV's resident program VSafe (or Vwatch) can be very easily
 disabled by a virus (even when the program is installed as a device
 driver).
4.  VSafe does not detect creation of new executables (important for
 detecting companion viruses), modifications to files with a non-
 executable extension or renaming of files (thus enabling a virus to
 circumvent the fact that modifications to files with an executable
 extension are detected).
5.  The integrity checking does not detect companion viruses.
6.  If the checksum database is deleted by a virus, instead of
 sounding an alarm, CPAV simply creates the database anew, using the
 *infected* files as a basis for future comparison instead of the
 original ones.
7.  CPAV checksums only the first 63 bytes of a file.  A virus could
 be written which infects files without altering either these 63 bytes
 or the file size.  Furthermore, a virus could overwrite the scan
 strings within CPAV.EXE or VSAFE.COM with garbage, without the user
 becoming aware of this.
8.  CPAV's checksum algorithm is not key-dependent.  Hence for any
 given file, all users will have the same checksum.  This could easily
 be exploited to forge checksums.
9.  CPAV 2.0 can detect viruses within certain types of compressed
 executables and archives, but it is very slow at this.
10. CPAV 2.0 contains heuristic scanning, but its detection rate is
 very low.
11. Some of the defaults (Anti-Stealth = Off and Check All Files = On)
 are very poorly chosen.
12. Despite claims to the contrary, it seems that scan patterns
 containing wildcards are still not encrypted, causing "ghost
 positives" when other scanners scan memory after CPAV or VSafe has
 been active, and possibly false positives in the CPAV.EXE and
 VSAFE.COM files themselves.  No other widely used scanner (except
 MSAV, which is a sub-product of CPAV) fails to take some measure to
 prevent such false alarms.
13. CPAV hangs after scanning a certain number of MtE-infected
 programs.
14. Keeping a separate checksum database for each directory uses a lot
 of disk space and makes blocking of some of the above security holes
 very difficult.
15. Market-wise, CPAV has been rather successful.  However, high sales
 figures do not imply high quality, especially in the AV field, where
 the ordinary user has no way of knowing how good a product really is.
 The developers of CPAV have consistently demonstrated that sales
 figures are much more important for them than quality of their product.

  Note: It is possible that a few (relatively minor) faults among those
mentioned above have been corrected since the last version of CPAV
which I examined.  However, I'm quite sure that this does not apply to
any of the major faults.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

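Points 6 to 8 above describe a checksum design that covers only a 63-byte prefix and yields the same value for every user. The Python below is an added example, not code from the posting or from CPAV; it contrasts that design with a keyed HMAC over the whole file and reports a missing baseline entry instead of silently rebuilding it. The file contents, keys and patch offset are constructed sample data.

```python
import hashlib
import hmac
import zlib

HEADER_BYTES = 63  # prefix the weak scheme covers, as described in point 7


def weak_checksum(data: bytes) -> int:
    """Unkeyed CRC-32 over only the first 63 bytes (the criticised design)."""
    return zlib.crc32(data[:HEADER_BYTES]) & 0xFFFFFFFF


def keyed_checksum(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the whole file, bound to a per-installation key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class IntegrityDB:
    """Baseline of (size, weak, keyed) per file. An unknown file is reported
    as an alarm rather than silently recorded (contrast point 6)."""

    def __init__(self, key: bytes):
        self.key = key
        self.baseline = {}

    def record(self, name: str, data: bytes) -> None:
        self.baseline[name] = (len(data), weak_checksum(data),
                               keyed_checksum(data, self.key))

    def verify(self, name: str, data: bytes) -> dict:
        if name not in self.baseline:
            return {"missing": True, "weak_ok": False, "keyed_ok": False}
        size, weak, keyed = self.baseline[name]
        return {
            "missing": False,
            "weak_ok": len(data) == size and weak_checksum(data) == weak,
            "keyed_ok": hmac.compare_digest(keyed_checksum(data, self.key), keyed),
        }


# Constructed 512-byte stand-in for an executable image; not a real program.
SAMPLE_FILE = b"MZ" + bytes(i % 251 for i in range(510))


def patch_past_header(data: bytes, offset: int = 128, width: int = 32) -> bytes:
    """Constructed same-size modification beyond byte 63: the prefix and the
    length are preserved, which is exactly what the weak scheme cannot see."""
    assert offset >= HEADER_BYTES
    return data[:offset] + b"\x90" * width + data[offset + width:]


def demo() -> dict:
    db = IntegrityDB(key=b"installation-A-secret")  # constructed key
    db.record("PROG.EXE", SAMPLE_FILE)
    result = db.verify("PROG.EXE", patch_past_header(SAMPLE_FILE))
    result["unknown_file"] = db.verify("OTHER.EXE", SAMPLE_FILE)["missing"]
    # Point 8: a keyed value differs per installation, so it cannot be
    # precomputed by someone who does not hold the key.
    result["keyed_differs_per_key"] = (
        keyed_checksum(SAMPLE_FILE, b"installation-A-secret")
        != keyed_checksum(SAMPLE_FILE, b"installation-B-secret"))
    return result
```

Running demo() shows weak_ok True and keyed_ok False for the same modified file.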
------------------------------

Date:    Fri, 29 Oct 93 12:32:16 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Yoshi Virus *&^%$ Help! (PC)

Stephen H White (swhite@bach.udel.edu) writes:

> I work at a student computer lab at the University of Delaware.  We
> came across a hard-drive that was infected with the Yoshi virus. We

Yoshi? Don't you mean Joshi, by chance? I'll assume that you do.

> tried everything we knew of to remove it:

>   DOS FORMAT (4 Times)

Useless, because the virus infects the MBR and DOS FORMAT doesn't
touch this.

>   CHANGING the PARTITION MAP

Useless, because the virus infects the CODE in the MBR and just
changing the PT doesn't touch it.

>   NORTON WIPEDISK
>   WRITING 0's to entire disk & Reformatting

Wiping only the DOS partition is useless, because the virus is not
there!

> None of these methods have worked.

Of course.

> After reinstalling DOS on this
> machine with a LOCKED DISK, the virus has reappeared each time.  Our

It has just been left on the hard disk. It has always been there; no
need to "reappear".

> network is not infected. 

Can't be. Joshi infects only boot sectors; it can't infect across the
network. Just make sure you don't boot your server from an infected
floppy.

> this happen. Does anyone know how to remove YOSHI?

Best solution is to use the appropriate anti-virus program that knows
the virus and can remove it. Try F-Prot, or CLEAN, for instance.

Otherwise, a poor man's removal tool for MBR infectors is to boot from
MS-DOS 5.0 or above (the version is important), make sure you still
"see" the files on your hard disk (unless you don't care whether they
will be preserved), and run the command "FDISK /MBR". This will cure
the virus from the hard disk, but it will remain on the infected
floppies, and forgetting such a floppy in the drive while the computer
is booting will cause a reinfection. Therefore, I'll still need an
anti-virus program to disinfect all the infected floppies.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 12:45:45 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Removing Boot Sector Virus from Floppies (PC)

Russell Aminzade (aminzade@moose.uvm.edu) writes:

> We had an epidemic of the ESSEX virus (supposedly started here in
> ESSEX, VT), known to FPROT as the QRry virus.  I can see where the
> name comes from -- when I use a hex editor on the boot sector QRry is
> there...

> We cleaned it up fairly easily (after reading the FAQs here and asking
> around) with FDISK /MBR, and restoring with SYS.  This was easy --
> we're all DOS 5 in the lab where the infection happened.  I hate to
> think of the hassles if it gets around campus where we have a lot of
> different varieties of DOS!

Qrry is an MBR infector, so just doing FDISK /MBR will be sufficient to
remove it from the hard disks. It doesn't matter what version of DOS
you have on them; you just need version 5.0 or above, or FDISK will
not support the /MBR switch.

SYS -is- DOS version dependent, but you need it only to remove the
virus from floppies, and it doesn't really matter what version of the
boot sector you'll put on them.

> Here is the problem, and I'd appreciate any help from the nets.  I
> don't see how to clean off floppy disks since the boot sector remains.

Just copy the files from them somewhere else (file-by-file, using COPY
or XCOPY, -not- DISKCOPY), format the diskette and copy the files
back. Or just SYS them, if there is enough space for a copy of DOS.

> Copying a file or just doing a DIR of the disk seems to put the virus
> code into RAM (F-PROT finds it, McAfee doesn't...), but not
> propagate it. 

Yes. When DOS is executing the DIR command, it has to read the boot
sector of the diskette, in order to figure out some parameters. "To
read" the boot sector means that a copy of it is read in the DOS
buffers, i.e. in memory. If this copy is infected, this means that a
copy of the virus is read in memory. However, it never receives
control and cannot infect. But it is there and that's why some
scanners find it there after a DIR of an infected diskette. I maintain
the opinion that this is a mistake and they shouldn't be looking for
the virus at a place in memory where it definitely can't be.

> etc.).  I'd like to have a better way to tell students how to clean up
> disks than "copy all files to the hard drive, reboot to remove Qrry
> from memory, format the disk, copy them back." 

No need to reboot. If the scanner continues to moan that the virus is
active (when you know that it isn't), tell it not to scan the memory -
most scanners have such an option.

> I'm not entirely sure
> that this cleans it up, either.

It will.

> Damn these virus-writing sociopaths.

Fully agree with you.

> And by the way, is there any way this virus could be lurking in some
> part of our Novell server? 

No, unless you attempt to boot the server from an infected floppy.
Then you will infect the server's hard disk, but it will be still
unable to propagate the virus to the workstations across the network.

> I don't think a Novell volume has anything
> like a boot sector

It sure does have one, just there is no way to access it across the 
network, because NetWare does not support sector access across the 
network.

> (there is a boot IMAGE for no-disk booting, and I
> suppose I need to restore that from a known clean copy just in
> case...).

Yes, that's a good idea.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 12:45:52 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: 1837 bytes 9E 10 16 ... (PC)

Lutz Marten (marten@ilt.fhg.de) writes:

> we found a virus (start pattern 9E 10 16 01 74 07 70 00 00 21 06 06
> 00, length 1837 bytes) with the validate function of McAfee 10.8 but
> can't get rid of him with this McAfee version. So can someone tell me
> which virus it is and how to blow it out of the infected system ?

I just scanned my whole virus collection for this scan string and no
file contained it. It seems to be a new virus. I suggest you send a
copy to the anti-virus researchers for analysis.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 13:09:30 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Nov 17 Virus (PC)

Fridrik Skulason (frisk@complex.is) writes:

> This information is quite a bit out of date.  There are not four known
> variants, but at least eight: 584, 690, 768, 800, two 855, 880 and 1007
> bytes long.

> Somebody seems to be developing the new variants faster than the information
> (or many anti-virus products) can be updated...

Indeed... :-) I will add that even the above information is already
out of date. In my collection, there are at least 10 variants: 584,
690, 706, three 768, 800, two 855, and 880 bytes long. I was not aware
of the 1007-byte variant, so this makes 11... :-(

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 13:13:03 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: KEYPRESS 5 virus (PC)

Fridrik Skulason (frisk@complex.is) writes:

> Sorry, but "KEYPRESS 5" is not enough to provide accurate identification.
> At the moment I know of the following variants:

>     1215                   1215/1455 bytes
>     1228                   1228/1468 bytes
>     9 variants of 1232     1232/1472 bytes
>     1236 (Chaos)           1236/1492 bytes
>     1266                   1266/1506 bytes
>     1495                   1495/1735 bytes
>     1744                   1744/1984 bytes
>     2728                   2728/2984 bytes

> A total of 16 variants...whatever CPAV identifies as "KEYPRESS 5" is
> probably one of them, but without information on the virus size I
> cannot tell which one it is.

CPAV 2.0 calls "KeyPress 5" only the last one - Keypress (2728) in
your naming scheme.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 13:16:51 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: S-Bug virus (PC)

A. Padgett Peterson (padgett@tccslr.dnet.mmc.com) writes:

> a) Identification when resident in memory - easy - faulty/obvious mechanism
>    used.

I beg to disagree - detection that something is in memory is easy,
identification that it is exactly this virus - isn't as easy as that,
because the virus is encrypted.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Oct 93 15:32:32 -0400
From:    thull@skidmore.edu
Subject: Looking for Info.:ANNOINT VIRUS (PC)

Several universities in our area have had a sudden attack of the virus known 
as ANNOINT. Anyone have experience with this virus? Any information 
would be helpful. THANKS!
\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\
Terri Hull
Skidmore College, Saratoga Springs, NY 12866
thull@skidmore.edu
\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\

------------------------------

Date:    Fri, 29 Oct 93 15:21:55 -0400
From:    HAYES@urvax.urich.edu
Subject: GS.ZIP

Hi fellows.  Announcing a new AV package, GLOBAL SHIELD, just sent to me by the
author, Gleb Esman.

Following is the description sent by Gleb:
- ------------------------------------------------------------------------------
The Global Shield. Full-scale integrity checker with powerful recovery
capabilities. IBMPC/DOS version. Dedicated against unknown and future viruses.
Can detect unknown/possible boot viruses and recover boot/partition sector.
Saves tiny "images" of selected files to be used later for integrity checking
and recovery of files/disks. Can be used on Networks. Gl.I.Yes.(gesman@io.org)
- ------------------------------------------------------------------------------

Please note that this is a BETA version, and address all mail directly to Gleb
Esman at:  gesman@io.org

==========
Site:       urvax.urich.edu,  [141.166.36.6]    (VAX/VMS using Multinet)
Directory:  [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address
as password.  You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.
==========

Good weekend to all, Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 142]
******************************************

