From @Fidoii.CC.Lehigh.EDU:virus-l@lehigh.edu Wed Aug 18 05:21:05 1993
Return-Path: <@Fidoii.CC.Lehigh.EDU:virus-l@lehigh.edu>
Received: from Fidoii.CC.Lehigh.EDU by dylan.af.mil (4.1/SMI-4.1)
	id AA28552; Wed, 18 Aug 93 05:20:00 CDT
Received: from Fidoii.CC.Lehigh.EDU ([127.0.0.1]) by Fidoii.CC.Lehigh.EDU with SMTP id <4174-6>; Wed, 18 Aug 1993 06:01:31 EDT
Message-Id: <9308181005.AA00385@agarne.ims.disa.mil>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@assist.ims.disa.mil>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #113
X-Listprocessor-Version: 6.0a -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: Wed, 18 Aug 1993 06:01:31 EDT
Status: O

VIRUS-L Digest   Wednesday, 18 Aug 1993    Volume 6 : Issue 113

Today's Topics:

Origin of name "Virus"
Cohen papers by mail, please
Encrypting viruses -- not a good idea
VMS Malicious Logic (VAX/VMS)
E-Rillutanza virus? (PC)
F-PROT_209 Problem (PC)
Re: Tremor (PC)
Virus? (PC)
central point- anti-virus for DO (PC)
Got a trojan :( (PC)
two new viruses (PC)
Re: Dudley Virus (PC)
Re: WARNING: Stoned/Dir-2 infection in Israel (PC)
Barrotes (PC)
unknown (?) virus (PC)
Friday 13th virus? (PC)
New (?) "Moose" virus (PC)
Re: Suspicious .COM files (PC)
Re: Information on the 'Trident' virus (PC)
NSH152A.ZIP - NETSHLD 1.52AV106 antivirus NLM for Novell3.11 (PC)
August 1993 LAT (PC)
"Link" virus (CVP)
Call for Papers IFIP SEC'94 Caribbean

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 09 Aug 93 13:32:50 -0800
From:    a_rubin%%dsg4.dse.beckman.com@biivax.dp.beckman.com
Subject: Origin of name "Virus"

What is the origin of the term "Virus"?  I didn't find this in the
FAQ (although I lost the FAQ recently due to operator error, and I
haven't gotten the last repost).

--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

------------------------------

Date:    Wed, 11 Aug 93 20:43:26 -0400
From:    fernando@ubik.satlink.net (Fernando Bonsembiante)
Subject: Cohen papers by mail, please

    I would like to get some books or papers by Fred Cohen. I only
know the names of a few books, 'A Short Course on Computer Viruses',
for instance, and a lot of papers. I would like to know if I can get
some of Cohen's works by mail; if anyone knows of a bookstore that
could send me those books via air mail or surface delivery to
Argentina, it would be of great help.

Saludos, Fernando (fernando@ubik.satlink.net)

{                        Fernando Bonsembiante                         }
{ Guemes 160 dto 2                                Tel: (54-1) 654-0459 }
{ Ramos Mejia (1704)                                Fidonet: 4:901/303 }
{ Republica Argentina              Internet: fernando@ubik.satlink.net }

------------------------------

Date:    Sun, 15 Aug 93 17:46:03 -0400
From:    fergp@sytex.com (Paul Ferguson)
Subject: Encrypting viruses -- not a good idea

This is a response to a message thread which is currently being held in 
the .cypherpunks listserv list. I thought some readers of virus-l may 
appreciate the content -

On 14 Aug 1993 19:51:27 -0500 (CDT),
 Michael A. Ellison <uunet!vaxb.acs.unt.edu!IE63> wrote -
 
 
>  My bottom line is this: the virus may be cool, but why a virus?
> Viruses may work for attacking things, wiping stuff out, hacking
> stuff, whatever (although they always tend to hit more than the
> intended target, funny thing about that), but when the only user
> of a machine WANTS to do something with their machine, why a
> virus?  I mean, honestly......  although I must admit, it solves
> the problem of distribution of software in the most interesting
> way - I want to see what happens if a commercial company writes
> one of these and COPYRIGHTS it......
 
Phooey. At least you _did_ ask the right question, "Why a virus?"
 
Fred Cohen is a bit "out there" when it comes to his ideologies about
what is or what is not a virus and further, what is a "good virus," if
there really _is_ such a critter. My personal opinion is that there
cannot be such an animal, because by its purest definition, a virus is
any program that _replicates_ -- if it doesn't replicate, then be
assured that it is not a virus.
 
Ideally, a virus replicates without the user's knowledge. In doing
this, it violates the integrity of the system and furthermore, it does
it surreptitiously. Personally, I like to be intimately aware of every
byte on each of my systems (I am) and know _exactly_ what every
executable which resides on my system does (again, I do). For users
who cannot know this, a virus is a breach of their privacy, in a
manner of speaking.
 
Finally, distributed computing need not be accomplished by something
as brain-damaged as a virus. Anything a virus could beneficially do, a
legitimate, non-replicating program can do better. In fact, there have
been viruses designed and coded which were supposed to perform
beneficial activities (see historical notes about the Denzuko, Ohio,
etc. viruses). Also, every virus harbors the potential for damage. No
programmer (read: virus author) can possibly know each and every
environment where the code will be introduced. An example which I
frequently use to illustrate this point is the Stoned virus; it is
mostly an innocuous virus, however with several spoofing disk
partitioning schemes (such as Disk Mangler), it can be devastating. And
with the advent of the Microsoft DoubleSpace shit, a lot of other
potholes in the road are introduced into the possible scenarios.
 
A final note: There is a virus called "Cruncher" which compresses
executables in much the same way as PKLite or LZEXE. Is this a "good"
virus? This is an exercise left to the reader...
 
Cheers from Washington, DC
 

Paul Ferguson               |  "Government, even in its best state,
Network Integrator          |   is but a necessary evil; in its worst
Centreville, Virginia USA   |   state, an intolerable one."
fergp@sytex.com             |      - Thomas Paine, Common Sense
 
Type bits/keyID   Date       User ID
pub  1024/1CC04D 1993/03/15  Paul Ferguson <fergp@sytex.com>
  Key fingerprint =  EE D2 93 7D 04 6D C6 05  AC 36 AD 9D 8E 4F 41 58

------------------------------

Date:    Fri, 13 Aug 93 12:26:21 -0400
From:    rcox@cscns.com (Richard Cox)
Subject: VMS Malicious Logic (VAX/VMS)

I'm looking for examples of malicious logic (ML) (virus, logic bomb, 
Trojan Horse, etc.) in the VMS environment.  Preferably actual cases,
type of viruses, hours expended to correct the problem, damage done,
types of information stored and tools to identify, isolate and remove 
the ML. 

----------------------------------------------------------------------
----------------------------------------------------------------------
Gill Gillespie                  |         Computer Security Engineer
CTA INCORPORATED                |               ggillesp@cos.cta.com
7150 Campus Drive #100          |   Phone 719-590-5172  Fax 590-5198
Colorado Springs, CO 80920 USA  |  Comments are solely of the author
----------------------------------------------------------------------
----------------------------------------------------------------------

------------------------------

Date:    Wed, 11 Aug 93 04:44:02 -0400
From:    sci00019@leonis.nus.sg (CHENG MUN WAI)
Subject: E-Rillutanza virus? (PC)

I recently scanned my hard disk using F-Prot 2.09 and it reported that
several COM files were 'suspicious' of being infected with a variant of
the E-Rillutanza virus. I promptly emailed McAfee asking if they had heard
of it, but apparently they hadn't.
I also scanned the hard disk with scan106 from McAfee, but it didn't show any
sign of the above-mentioned virus.
I believe that my disk was indeed infected because the sizes of the programs
were altered compared to the originals.
I managed to remove it from my disk by deleting and reinstalling (I hope).
What I want to know is whether anyone has had a similar report using F-Prot
which scan106 missed.
At the moment the 'virus' has done no damage except increasing the file
size. The only problem is when I tried to upgrade Qemm7.00 to version 7.01
using the patch. When it came across loadhi.com it reported that the
program is invalid (or something like that) and stopped updating.
Loadhi.com was one of the programs reported as suspicious by F-Prot.

Regards,

Mun Wai.

Death to all virus!!!!

------------------------------

Date:    10 Aug 93 13:08:04 -0600
From:    brickman@mhd.moorhead.msus.edu
Subject: F-PROT_209 Problem (PC)

I seem to be having a problem with f-prot 209.  I am a programming
assistant at MSU computer services.  On two different occasions and on
two different computers, we have been infected with stoned (no-int)
(on the hard drive).  Both computers are ibm ps/2 model 30 with a 30
meg hard disk. F-Prot 209 is unable to fix the disk.  The program sends an
error message, something like -- unable to find original MBR; I don't
remember the exact wording.  I then used F-Prot 208a and it fixed the
disk, no prob.

------------------------------

Date:    Thu, 05 Aug 93 08:52:00 +0200
From:    Robert_Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner)
Subject: Re: Tremor (PC)

Hello Thomas,

 TR> Question:
 TR> Does the virus "Tremor" mask the interrupt 21h, function 3dh

No. It intercepts this function and disinfects a file on the hard disk (!) if
it is opened via int 21h/ax=3d02 (r/w mode) or ah=6c (any mode).

 TR> or how else can T., when a file is opened which is infected by him,
 TR> disinfect the file and then open it for the program that originally
 TR> opened it, like
 TR> scanners...... ERRIK

This is not the way Tremor works.

greetings,
      Robert

---
 * Origin: Virus Help Service Karlsruhe (9:492/2170)

------------------------------

Date:    Sat, 07 Aug 93 18:19:09 +0200
From:    Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Virus? (PC)

Hi Mike!

 > message, I get the following "Kein System oder Laufwerkfehler
 > Wechseln und Taste drucken".
 > suggestions or even a translation of the text would be helpful.

It's German and means "Non system disk or disk error... Replace and strike a 
key when ready" ;-))

 > of them find anything.  So, I guess that I'm asking all of you
 > what I can do?

Yep - reformat those disks with an English/American version of DOS :-)
Somebody had them formatted with a German DOS version.

cu!
eppi

--- GEcho 1.00
 * Origin: Another Virus Help Node - The EpiCentre! (9:491/6050)

------------------------------

Date:    Wed, 11 Aug 93 09:50:22 -0400
From:    pierre-b@aci1.aci.ns.ca (PIERRE BENOIT)
Subject: central point- anti-virus for DO (PC)

Can anyone give me any information on the Central Point Anti-Virus for DOS?
Any type of information, no matter how small, would be great. Also, could
you tell me who to contact for more info.
                            Thanks in advance.

P.S.  My email address is robert-t@aci1.aci.ns.ca  if you would like to mail 
me the info.

------------------------------

Date:    Wed, 11 Aug 93 09:50:17 -0400
From:    do321@cleveland.freenet.edu (Brian R. Landel)
Subject: Got a trojan :( (PC)

Beware of a program called USEREDIT.ZIP described as "Full Screen
User editor for SLBBS". If you need the non-virused user editor by
Patrick Lewis, call my board, his support board, at 216-543-2321.
Anyway, I was testing some recent uploads to my BBS and ran into a
Trojan that McAfee's scan failed to pick up. I ran MicroSoft's VSAFE
with every option turned on and ran it again, and it said it tried to write
to the floppy disk's boot sector. Think this trojan is going to create
a virus or do any harm?

Thanks,
Brian

------------------------------

Date:    Wed, 11 Aug 93 14:03:31 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: two new viruses (PC)

I recently received these two files. I don't believe either virus is in the 
wild. None of the scanners I tested can detect these two viruses.

------------------------------------------------------------
GOT319.COM

This is a direct infector of .EXE files. It is not stealth,
and the infected files grow by 578 bytes.

No text is visible in the virus.

This virus appends to the end of files.

This virus infected every .EXE bait file I use on
my test machine.

I tested the second generation of this virus, and it is
infectious as well.
------------------------------------------------------------
CPL35.COM

This is a direct infector. I could only get this virus to
infect .EXE files. It is not stealth, and the infected
files grow by 478 bytes.

The second generation of the virus is infectious as well.

The virus appends to the end of host files.
------------------------------------------------------------

I forwarded both files to Fridrik Skulason, and Wolfgang Stiller.

Bill Lambdin

------------------------------

Date:    Wed, 11 Aug 93 19:09:53 -0400
From:    "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: Re: Dudley Virus (PC)

> Does anybody know of the "Dudley" virus (Dudley [odud]).
> 
> Is there a scanner that will disinfect it and where can I get it from.

Dudley is an Australian virus; the one that caused a great upheaval at
Telecom recently (allegedly written by someone at Optus!).  Our
program VET will detect it, and disinfect infected files.

VET is written and widely used in Australia, and is
increasingly being used overseas.  It is fast, easy to use, and
safely recovers files and disks infected with most of the viruses
which are actually in the field.

VET is a mid-price product; cheaper than Dr. Solomon's Toolkit, but
more expensive than F-Prot, which are the two most nearly comparable
products.  They will usually detect a few more viruses than VET, but
VET is faster, and does a better job of recovering PCs infected with
boot sector viruses.  McAfee Scan is decidedly slower, far more
difficult to use, generates more false alarms, and has a number of
serious bugs, which can cause loss of data on hard disks, especially
when trying to remove MBR infectors, such as No-Int, Stoned and
Michelangelo.

Our normal license includes updates for one year, posted quarterly, 
and covers PCs belonging to staff/students, provided all PCs on the 
site are covered. 

With Best Wishes,

Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188   AUSTRALIA       Fax: +613 521 0727

------------------------------

Date:    Thu, 12 Aug 93 08:47:53 -0400
From:    hjstein@sunrise.huji.ac.il (Harvey J. Stein)
Subject: Re: WARNING: Stoned/Dir-2 infection in Israel (PC)

Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes: 

   hjstein@sunrise.huji.ac.il (Harvey J. Stein) writes back to
   amn@ubik.demon.co.uk (Anthony Naggs):

    > I informed the supermarket chain, and they informed
    > the distributer and the manufacturer.

   As I wrote to you a week ago: check your own PC before blaming
   others! Since I personally checked sample floppies from EACH
   supermarket store + the masters used for duplication + the
   duplication factory itself and more.

   Guess what: none of them was infected !!!!!!!!!!!!!!

1. I did not blame anyone for the viruses on the disk.  I said that
   the disk I got had these viruses and that I notified the
   supermarket chain.  The fact that both sample floppies and the
   masters are clean indicates that disks must have been contaminated
   after distribution.  Perhaps people were playing with the disks in
   the stockroom?  Perhaps disks were being brought back after being
   used (and getting infected)?  Perhaps my machine was infected?
   However,

2. I did check my PC.  It is clean (according to mcafee scan version
   106).

3. An article in an Israeli newspaper said that some of the disks were
   infected with DIR2 and with STONED, and that "dozens of people were
   affected by the viruses".  Since *I* haven't been distributing this
   disk, and since *I* was not in contact with this paper, OTHER
   PEOPLE also have seen the SAME VIRUSES on the game disks.  Thus,
   either "dozens of people" have the same viruses on their machines
   and didn't notice them until they checked out this game disk, or
   the game disk is infected.  Take your pick.

--
Harvey Stein
Department of Mathematics
Hebrew University
hjstein@math.huji.ac.il

------------------------------

Date:    Thu, 12 Aug 93 15:34:39 -0400
From:    tly@SEI.CMU.EDU (Tonya L Yount)
Subject: Barrotes (PC)

Recently we detected this virus on our PCs.  We would like to find
information about it (i.e. is it destructive) but are unable to find
the name anywhere.  Are there other names it might go by?  It was
undetectable by MS DOS 6 anti-virus but detected by McAfee.  It
doesn't seem to do much more than attach itself to executable files.
Because it changed the executables, we had trouble running Norton
Commander and Turbo Pascal.  Both of these programs would run,
however, after much prompting.

Any help, suggestions, or comments are welcome.  The PCs are now clean
but we would still like to know.

Thank you,
Tonya

Tonya L. Yount		"Oh, I have slipped the surly bonds of earth
tly@sei.cmu.edu		   and danced the skies on laughter silvered wings"

------the thoughts expressed here in no way reflect any policy of SEI------

------------------------------

Date:    Thu, 12 Aug 93 15:44:46 -0400
From:    jhb@gmd.de (Joerg H. Blankenburg)
Subject: unknown (?) virus (PC)

I have a virus here that cannot be detected by VSCAN105.

When you call an infected program on a clean system, the virus first
infects the program to which the COMSPEC variable points, normally
COMMAND.COM, increasing it by exactly 4000 bytes, which it also does
with most programs (EXE or COM) called afterwards. After a call of
such a program, the virus stays resident (using a little less than 4000
bytes) and infects more and more other programs. Yet it doesn't like
Windows applications and some others.

When you scan a file on an infected system, the virus rebuilds its
exact contents. (This is how you get rid of it: simply zip
infected files on an infected system and unzip them on a clean
one.) When the virus is resident, the DIR command doesn't show the
4000 additional bytes. But the Norton disk editor does.

Is this a known virus or is it new? If so, I'd suggest calling it
the proton virus!

Joerg H. Blankenburg
--
**************************************************************************
* Gesellschaft fuer Mathematik und Datenverarbeitung (GMD)               *
* (German National Research Centre for Computer Science)                 *
* Arbeitsgruppe Informationsrecht (I3.IR)                                *
* Institute for Information Technology in Jurisdiction                   *
* Rathausallee 10, D-53757 St. Augustin, Germany, Tel.: +49 2241 143318  *
* FAX: +49 2241 14 3017, e-mail: jhb@gmdzi.gmd.de                        *
* Home: H.v.-Kleist-Str. 8, D-53113 Bonn, Germany, Tel.:+49 228 361556   *
**************************************************************************
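
Bill Lambdin's bait-file results above (every infected .EXE grows by a constant 578 or 478 bytes) and the +4000-byte infector Joerg describes show the same pattern, which a size-and-hash baseline of executables catches. The following is an added example, not code from the digest or from any scanner named in it; the file names, byte contents and the 4000-byte tail are constructed for the demonstration.

```python
"""Baseline integrity check for DOS-style executables.

Added example, not code from the digest or from any product named in it.
Records size and SHA-256 per executable, compares a later scan against that
baseline, and groups grown files by their size delta: many files grown by
the same number of bytes is the signature of an appending infector (the
exact +4000, +578 and +478 bytes reported in the posts)."""
import hashlib
import os
import tempfile
from collections import Counter

# Extensions treated as executables (constructed choice for this example).
EXEC_EXTS = {".com", ".exe", ".sys"}


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Return {relative_path: {"size": bytes, "sha256": hex}} for every
    executable under root. Paths use '/' so baselines compare across hosts."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full),
                             "sha256": file_digest(full)}
    return baseline


def compare(baseline, current):
    """Classify every difference between two baselines.

    grown:             {path: size delta} for files whose content and size changed
    changed_same_size: files whose content changed but whose size did not
    missing / new:     files present in only one of the two scans"""
    report = {"grown": {}, "changed_same_size": [], "missing": [], "new": []}
    for rel, old in baseline.items():
        cur = current.get(rel)
        if cur is None:
            report["missing"].append(rel)
        elif cur["sha256"] != old["sha256"]:
            delta = cur["size"] - old["size"]
            if delta == 0:
                report["changed_same_size"].append(rel)
            else:
                report["grown"][rel] = delta
    report["new"] = sorted(set(current) - set(baseline))
    return report


def common_growth(report, min_files=2):
    """Return the size delta shared by at least min_files grown files, or
    None. A shared delta is the appending-infector pattern; unrelated
    legitimate updates almost never grow by an identical byte count."""
    counts = Counter(report["grown"].values())
    if not counts:
        return None
    delta, n = counts.most_common(1)[0]
    return delta if n >= min_files else None


def demo():
    """Constructed scenario: baseline a small tree, then simulate an
    appending infector adding exactly 4000 bytes to three executables while
    a text file (ignored by the checker) also changes."""
    with tempfile.TemporaryDirectory() as root:
        files = {"COMMAND.COM": b"\xb8\x00\x4c\xcd\x21" * 200,  # constructed bytes
                 "EDIT.EXE": b"MZ" + b"\x00" * 3000,
                 "TOOLS/LOADHI.COM": b"\xe9\x10\x00" * 100,
                 "README.TXT": b"not an executable\n"}
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline = take_baseline(root)
        for rel in ("COMMAND.COM", "EDIT.EXE", "TOOLS/LOADHI.COM"):
            with open(os.path.join(root, *rel.split("/")), "ab") as f:
                f.write(b"\x90" * 4000)  # constructed appended tail
        with open(os.path.join(root, "README.TXT"), "ab") as f:
            f.write(b"edited\n")
        report = compare(baseline, take_baseline(root))
        return report, common_growth(report)


if __name__ == "__main__":
    rep, delta = demo()
    for path, d in sorted(rep["grown"].items()):
        print(f"{path}: +{d} bytes")
    print("common growth:", delta)
```

As Joerg's post notes, a resident stealth virus hides the extra bytes from DIR and rebuilds the original contents when the file is read, so both the baseline and the later comparison have to be taken after a clean boot to be meaningful.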

------------------------------

Date:    Sat, 14 Aug 93 14:30:55 -0400
From:    belinda@cory.EECS.Berkeley.EDU ( )
Subject: Friday 13th virus? (PC)

Throughout yesterday, Friday 13th August, I was transferring files
among floppy, local and network (Netware 3.11) drives, and thought I
saw that some old files took on the August 13 date.  I said to myself
'Nah, maybe it's that 14th cup of coffee...' But when I noticed the
same thing during a technical support call with a customer - that her
PKUNZIP.EXE (v 2.04c - the 12/28/92 version with a bug) had a date of
8/13/93 - I became more suspicious.  The in-house network supervisor
went ahead and scanned network drives without detecting anything.  He
told me that the known Friday 13th PC virus is only supposed to
corrupt data and affect file execution, not anything as serious as
going around changing file dates.  Has anyone had this experience?

Postscript: our network server did happen to go down at 4:30pm.

-------------------------------------------------------------------------
Belinda Leung                           | belinda@cory.eecs.berkeley.edu
Software Support Technician             | belinda@viper.cs.berkeley.edu
Continuing Education of the Bar, Calif. | belinda@tsunami.berkeley.edu
---------------------------------------------------------------------

------------------------------

Date:    Sat, 14 Aug 93 22:23:28 -0400
From:    "Lars Renman" <LARS@amc.chalmers.se>
Subject: New (?) "Moose" virus (PC)

I have recently taken charge of a PC lab for the students at the
Chemistry Department of Chalmers University of Technology,
Gothenburg, Sweden. The lab has 24 PCs (Acer 33/468DX, local hard
disks, 3 1/2" diskettes, DOS 5.0) and Novell 3.11 server. The
local net has world access via internet. More than 600 students
use the lab.

The following is what I have found over the last three days (in
roughly chronological order). Please bear with me for the length
of this text - nothing in what I have seen is reproducible.

  * some PCs refused to boot

  * some PCs had enormous disk access during boot (warm & cold)

  * .EXE files with increased file size - on inspection of these
    files I found FAR JP codes to the end of the file and added code
    containing readable text strings "Moose31", "Moose32" or
    both, in the last case because code had been added twice to
    the files. The string "*.EXE" was also readable. Infected
    files sometimes work, sometimes not. Depending on type of
    code added (see more below) increases in file sizes vary -
    for a single file, I have seen at least five different versions
    with sizes from 464 bytes to +1700 bytes on different PCs

  * tests with Central Point CPAV (old version), MS-DOS 6.0 MSAV,
    McAfee SCAN (ver. 9.17 v106), Dr Solomon's Toolkit (virus list
    from 10/5/92) and Frisk Skulason's F-PROT (ver 2.09) all failed
    to detect anything. CPAV and F-PROT detected infections of
    themselves and CPAV detected increased file sizes.

  * .COM files with increased file size contain added code with
    readable text strings "Moose30" and "*.COM"

  * COMMAND.COM infected on a few PCs.

  * .EXE files infected on file server and all PCs

  * a message "Divide overflow" during boot on some PCs

  * diskette drives refusing to work - some working again after
    cold boots

  * eternal boot sessions with continuous disk access on some PCs -
    these will almost always boot from a diskette.

  * fake message (screen blanked first) "insert boot diskette and
    press <enter>" on machine that would not cold-boot from diskette.
    Inserting a write-protected boot diskette did not work.

  * attempted write operations on write-protected boot diskettes
    (after executing programs on hard disk); sometimes without
    error message, sometimes with normal DOS error message.

  * MS-DOS.SYS infected with "Moose30" on at least one PC (but not
    on some of the more troublesome ones)

  * parts of the CPAV.EXE code (The self-integrity check part)
    appended to some infected .EXE files

  * examination of the partition records with Solomon's PEEKA resulted
    in the following:
      the first display looked ok
      moving to the next record caused the display to be distorted
        (display heading with cyl/head/sector info gone) and an
        extra 64 bytes (copies of the first 64 bytes of the
        partition record) to be displayed at offset 0. This means that
        40h + 200h bytes were displayed. Refreshing the display by
        pressing the space bar restored the display to normal.
      by keeping the + key down (switches between alpha and hex
        display) I was able to see a message
          "Disk read error 12 - Unknown error response."
        flash on the screen. It was immediately overwritten.
      whatever is displayed seems normal, except for the extra 64
      bytes

  * finally, this morning at 2 am, DISPLAY.SYS and EGA.SYS converted to
    COM files on one PC (this PC has also shown the "Divide overflow"
    and the fake "insert boot diskette .." message). These files
    have their original names left but start with a NEAR JP to the end
    where code has been added after the Microsoft copyright notice. This
    code starts with a NEAR JP further ahead in the code and is
    followed by the readable text string
      "This, and much more, from Moose crashing corp."

I don't know what all this adds up to. I have little experience of
viruses, but I have tried to read what's available over the last few
days. I haven't experimented much with diskettes, but it looks like
everything at once - BSV, PSV, stealth, etc.

I should add that there are a number of hacked and cracked games
on the PCs - the previous system manager hasn't done anything about
it. He also hasn't had the server backup system working since March
(funny ?).

Has anybody seen the "Moose" before ? Any hints ?

I am now trying to collect some of the strange files. These will
be forwarded to the virus expert community. Are there some special
things that I should do? I will have to start low-level formatting
the PC hard disks and recharge the server soon. Hordes of students
are approaching ....

For anyone familiar with Swedish - my name is not a hoax
(For non-Swedish speakers: Renman means reindeer-man in Swedish).

Lars Renman

Lars Renman
AMK, CTH/GU, Göteborg, Sweden
tel. +46 31 772 2782    fax. +46 31 772 2785

------------------------------

Date:    Sat, 14 Aug 93 12:52:48 -0000
From:    malcolm@muir.demon.co.uk ("Malcolm S. Muir")
Subject: Re: Suspicious .COM files (PC) 

A.M.Zanker@newcastle.ac.uk writes:

> I recently downloaded a file, SPORTS.ZIP from the CIX online system
> in the UK. It's a program for determining the addresses of your serial
> ports, I think.
> 
> I scanned it with the new Central Point Anti-Virus version 2.0, which
> contains a "virus analyzer" which looks for suspicious virus-like activity
> in executable files. It reported a possible file virus in both the files
> in the ZIP archive, DOCUMENT.COM and SPORTS.COM. I looked at both files
> using a binary editor and discovered that they both have the string
> 
>    Hurray the crusades
> 
> near the end of the file. Does this ring any bells with anyone? I've also
> scanned with SCAN 106 and F-PROT 1.08 but neither detected anything.

Both the .com files in this .zip are infected with a new strain of the
butterfly virus.

Everyone who downloaded the file (only a small number) in the 6 or so
hours it was on line before the virus was detected (It passed the
initial scrutiny for the same reason as you failed to detect the
virus) has been notified by CIX and told how to remove the infection.
It is a trivial non-destructive virus that does not go memory
resident and only infects .com files.

BTW I am a moderator of the conference that held the file at CIX.

--
=============================================================================
Malcolm S. Muir                              EMAIL: malcolm@muir.demon.co.uk
Sunderland                                   CIX: mmuir BIX: mmuir
England                                      CSERVE: 100012,31
======================= PGP 2.0 Public Key Available ========================

------------------------------

Date:    Mon, 16 Aug 93 02:48:50 -0400
From:    "Michal Weis or INFI" <WEIS@cc.elf.stuba.cs>
Subject: Re: Information on the 'Trident' virus (PC)

> Trident? Which scanner reported this name? I have no Trident virus(es)
The Trident polymorphic engine is reported as TPE. Scan also reports this
encryptor, but there is a 'little' problem - a lot of false alarms  ;-)
It's not easy to detect it and you must know how....

> in my collection, but several viruses contain the internal string "Trident":
Ooh, there is a little problem: "TridenT" is the name of a virus research
group. A member of this group, MK (such an 'east' name like Mas??? Kadif?
- I don't remember it exactly) made a polymorphic engine that is MtE-like
(only "like", because this engine is not as good as Darkie's MtE; it uses
such prototypes to create the encryptor (that's why Scan reports so many false
alarms, because they use a debugger as for an MtE encryptor and they must use
a large instruction set :-)
So .... there are several viruses by TridenT ...

> BTW, did you have a *real* attack? Maybe it's a false alarm? Several scanners I
> tested generate false alarms on testing the files for TPE-based viruses.
Lots of them generate false alarms...

 Regards,
   Mike

- This is not a trick, this is -- _ --------------------------------------
                     ,     _  _  | )   ,
                    /|    / )/ ) |/   /|
                   / |   /  /  / /---' |
                  '   \_/  /  (_/|\     \_/
-------------------------------- |_) ---- Origin: weis@cc.elf.stuba.cs ---

------------------------------

Date:    Wed, 11 Aug 93 04:57:01 -0400
From:    aryeh@mcafee.com (McAfee Associates)
Subject: NSH152A.ZIP - NETSHLD 1.52AV106 antivirus NLM for Novell3.11 (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:<msdos.virus>
NSH152A.ZIP     NETSHLD 1.52AV106 antivirus NLM for Novell3.11

NETSHIELD Version 1.52a fixes a problem in reading the configuration
file from the 1.50 and 1.51 releases of NETSHIELD.  No changes other
than loading the new version should be necessary.

NETSHIELD Version 1.52 automatically ignores changes made to the Novell
NetWare bindery files NET$OBJ.SYS, NET$PROP.SYS, and NET$VAL.SYS when
performing CRC checking for unknown viruses.  This prevents NETSHIELD
from reporting that these frequently-changing data files have been
infected by a virus.

VALIDATION DATA

The validation results for Version 1.52a (V106) should be:

NETSHIELD V1.52A(V106) (NETSHLD.NLM)S:127,728  D:08-05-93   M1: 0FB0  M2: 10FF
NETSHIELD V1.52A(V106) (VIR.DAT)    S:46,287   D:06-24-93   M1: 5209  M2: 1ED0

Regards,

Aryeh Goretsky
McAfee Associates Technical Support
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
2710 Walsh Ave, 2nd Floor| FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-      USA          | USR HST Courier DS   | America Online: McAfee

------------------------------

Date:    Sat, 14 Aug 93 19:22:31 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: August 1993 LAT (PC)

                       LAT 9308   August 14, 1993

 +--------------------------+----------+---------+-----------+-----+
 | SCANNER                  |  COMMON  |  POLY-  |    ZOO    |FLAGS|
 |                          |          | MORPHIC |           |     |
 |                          |          |         |           |     |
 |                          |36        |56       |1502   1454|     |
 +--------------------------+----------+---------+-----------+-----+
 | F-Prot 2.09              |36   100% |56  100% |1480  98.5%| S   |
 | TBAV 604                 |36   100% |55  98.2%|1462  97.3%| GS  |
 | Scan 106                 |35   97.2%|52  92.9%|1376  91.6%| S   |
 |                          |          |         |           |     |
 | Integrity Master 2.01    |36   100% |54  96.4%|1351  90.0%| GS  |
 | Dr Sol A-V toolkit 6.18  |34   94.4%|29  51.8%|1346  89.6%| C   |
 | VIRx 2.9                 |34   94.4%|34  60.1%|1300  86.6%| S   |
 |                          |          |         |           |     |
 | UT Scan 25.1 June 93 SIGS|29   80.1%|33  58.9%|1074  73.9%| CDG |
 | NAV 2.1 Aug 93 SIGS      |29   80.1%|24  42.9%|1014  67.5%| C   |
 | MSAV w/DOS 6.0           |28   77.7%|17  30.4%| 913  62.8%| D   |
 +--------------------------+----------+---------+-----------+-----+

      C- Commercial software

      D- This product does not scan for boot sector viruses inside
         droppers. This is why scanners that detect droppers were tested
         against 1335 viruses. Scanners that fail to detect droppers were
         tested against 1303 viruses. I tried to be fair.

      G- Generic Virus detector. The other utilities with this product may
         detect viruses that this scanner misses, so don't judge this
         product too harshly because the scanner isn't as effective as you
         would like.

      S- Share Ware or Free Ware product.

      A new version of Integrity Master should be released soon. I will 
      test it next month.

      I removed HTSCAN, and the Share Ware release of CPAV because the 
      signatures were getting old. 
 ========================================================================
      I have tested the following generic products, and
      recommend them.

                                                      FLAGS
                                                     +------+
      F-Prot Professional (Command Software Systems) | IV   |
      Integrity Master (Stiller Research)            |*ISV  |
      PC-cillin (Trend Micro Devices)                | ASV  |
      PC-Rx (Trend Micro Devices)                    | ASV  |
      TBAV (Thunderbyte)                             |*ISV  |
      Untouchable (Fifth Generation Systems)         | ISV  |
      Victor Charlie (Bangkok Security Associates)   |*BEISV|
                                                     +------+
             *-Share ware product
             A-Activity Monitor
             B-Uses Bait files that try to get infected by unknown viruses
             E-extract the signatures for unknown viruses
             I-uses integrity checking
             S-Stores System areas. Boot sector, and Partition table
             V-comes with a Virus scanner.

      I placed the generic virus detectors in alphabetical order. I do not
      recommend one product over another. All of them work differently and
      may not fit the way you use a computer, so request information on
      several before you decide.
 ========================================================================
      I would like to thank most of these companies for providing me with
      evaluation copies of their software to test.

      If your company produces anti-viral software, and would like for me
      to test it in LAT, contact me at either of the addresses below.
 ========================================================================
      These tests were performed on a 33 MHZ 486

                        Bill Lambdin
                        102 Jones Lane
                        P.O. Box 577
                        East Bernstadt, Ky. 40729

                 Internet address> 73044.2573@compuserve.com
                    Compuserve ID> 73044,2573

------------------------------

Date:    Fri, 13 Aug 93 16:02:19 -0400
From:    "Rob Slade" <roberts@decus.ca>
Subject: "Link" virus (CVP)

DEFGEN6.CVP   930729
 
                           "Link" virus
 
This term will be familiar only to those using Atari and Amiga
systems, but for others, this is simply the standard "file
infecting" virus.  For most people, this is what is thought of as a
virus.  (For most, that is, who have *any* accurate idea of what a
virus is.  For all too many people, a "virus" is simply any computer
problem.)
 
File infecting viral programs "link", or attach, in many different
ways.  The largest number will place the bulk of the viral code to
the end of the program file, with a "jump" command at the beginning
of the file which "points" to the main body of the virus.  Some
viral code attaches to the beginning of the file: simpler in concept
but actually more difficult in execution.  These two techniques are
known as "appending" and "prepending" respectively, but the terms
are used less than they used to be.
 
Some viral programs do not attach to the beginning or end of the
file, but rather write their code into the target program itself. 
Most often this is done by simply overwriting whatever is there
already.  Most of the time the virus will also attach a jump command
at the beginning of the program which points to the virus, but, on
occasion, the virus will rely on chance to stumble on the code and
run it.  Of course, if a virus has overwritten existing code the
original "target" program is damaged, and there is little or no
possibility of recovery, other than by deleting the infected file
and restoring from a clean backup copy.  However, some overwriting
viri are known to look for strings of null characters.  If such can
be identified, the viral code can be removed and replaced with nulls
again.  (The Lehigh virus, for example, attaches "behind" the
COMMAND.COM file in a sense, but overwrites slack space at the end
of the file so as not to change the file size.)
 
Some viri do not physically "touch" the target file at all.  There
are two ways to "infect" in this manner.  One method is quite
simple, and takes advantage of "precedence" in the system.  In MS-
DOS, for example, when a command is given, the system checks first
for internal commands, then COM, EXE and BAT files in that order. 
EXE files can be "infected" by writing a COM file in the same
directory with the same filename.
 
The second method is more difficult.  "FAT" or "system" viral
programs, such as DIR-II, will not change the target program, but
will change the FAT (file allocation table) entry for the program so
as to point to the virus.  Therefore, the original file will not be
changed, but when the target program is called, the virus will be
run first instead.
 
copyright Robert M. Slade, 1993   DEFGEN6.CVP   930729

==============
Vancouver      ROBERTS@decus.ca         | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca      | key to continue.'
Research into  rslade@cue.bc.ca         | I can't find the
User           p1@CyberStore.ca         | 'Any' key on my
Security       Canada V7K 2G6           | keyboard."

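As an added, defender-side illustration (not part of Rob Slade's column), the two cheapest checks for the "companion" and "appending" styles described above, in Python: a directory-listing scan for a .COM that shadows a same-named .EXE or .BAT, and an entry-point heuristic for a .COM whose first instruction jumps into the tail of the file. The file lists and .COM images are constructed here, and the 25% tail threshold is an assumed tuning value.

```python
# Added example (not from Rob Slade's column): two defender-side heuristics
# for the "companion" and "appending" infection styles described above.
import struct
from pathlib import PurePath

# DOS resolves an unqualified command as: internal command, then .COM, .EXE,
# .BAT (in that order).  A .COM beside a same-named .EXE or .BAT shadows it.
SHADOWABLE = (".exe", ".bat")

def companion_candidates(filenames):
    """Return (com_name, shadowed_name) pairs for every .COM whose stem
    matches a .EXE or .BAT in the same directory listing."""
    by_key = {(PurePath(n.lower()).stem, PurePath(n.lower()).suffix): n
              for n in filenames}
    pairs = []
    for (stem, suffix), com_name in sorted(by_key.items()):
        if suffix != ".com":
            continue
        for ext in SHADOWABLE:
            if (stem, ext) in by_key:
                pairs.append((com_name, by_key[(stem, ext)]))
    return pairs

def jmp_target_offset(image):
    """If a .COM image begins with a near JMP (E9 rel16), return the file
    offset it lands on, else None.  A .COM loads at CS:0100h, so file
    offset == IP - 0x100; the IP after the 3-byte JMP is 0x103."""
    if len(image) < 3 or image[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", image, 1)[0]
    return 3 + rel

def suspicious_tail_jump(image, tail_fraction=0.25):
    """Heuristic: the entry JMP lands inside the last `tail_fraction` of the
    file, the layout an appending infector leaves behind.  The 25% threshold
    is an assumed tuning value, not a published one."""
    off = jmp_target_offset(image)
    if off is None or off < 0 or off >= len(image):
        return False
    return off >= len(image) * (1 - tail_fraction)

def build_sample_image(body_len, tail_len):
    """Constructed test data: JMP over `body_len` NOPs to a `tail_len`-byte
    block of INT 3s, i.e. the shape of a stub-plus-appended-code file."""
    return (b"\xE9" + struct.pack("<h", body_len)
            + b"\x90" * body_len + b"\xCC" * tail_len)

if __name__ == "__main__":
    listing = ["GAME.EXE", "GAME.COM", "SETUP.BAT", "setup.com", "NOTE.TXT"]
    print(companion_candidates(listing))
    print(suspicious_tail_jump(build_sample_image(800, 200)))   # True
    print(suspicious_tail_jump(build_sample_image(10, 300)))    # False
```

Both checks are only hints: a legitimate program may ship a same-named .COM loader, and a small program may legitimately jump over an embedded data block, which is why generic products pair such heuristics with integrity checking.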
------------------------------

Date:    Wed, 11 Aug 93 19:47:56 -0400
From:    fortrie@cipher.nl
Subject: Call for Papers IFIP SEC'94 Caribbean

=================================================================
  Call for Papers IFIP SEC'94 - updated information August 1993
=================================================================

***************************************************************

                C A L L   F O R   P A P E R S

***************************************************************

Technical Committee 11 - Security and Protection in Information
Processing Systems - of the UNESCO affiliated INTERNATIONAL
FEDERATION FOR INFORMATION PROCESSING - IFIP, 

                      announces:

Its TENTH INTERNATIONAL INFORMATION SECURITY CONFERENCE, IFIP SEC'94
TO BE HELD IN THE NETHERLANDS ANTILLES (CARIBBEAN), FROM MAY 23
THROUGH MAY 27, 1994.

Organized by Technical Committee 11 of IFIP, in close cooperation with
the Special Interest Group on Information Security of the Dutch
Computer Society and hosted by the Caribbean Computer Society, the
TENTH International Information Security Conference IFIP SEC'94 will be 
devoted to advances in data, computer and communications security
management, planning and control. The conference will encompass
developments in both theory and practice, envisioning a broad perspective of 
the future of information security.
The event will be led by its main theme "Dynamic Views on
Information Security in Progress".

Papers are invited and may be practical, conceptual, theoretical,
tutorial or descriptive in nature, addressing any issue, aspect or
topic of information security. Submitted papers will be refereed, and
those presented at the conference, will be included in the formal
conference proceedings.  Submissions must not have been previously
published and must be the original work of the author(s). Both the
conference and the five tutorial expert workshops are open for
refereed presentations.

The purpose of IFIP SEC'94 is to provide the most comprehensive
international forum and platform, sharing experiences and
interchanging ideas, research results, development activities and
applications amongst academics, practitioners, manufacturers and other
professionals, directly or indirectly involved with information
security. The conference is intended for computer security
researchers, security managers, advisors, consultants, accountants,
lawyers, edp auditors, IT, administration and system managers from
government, industry and the academia, as well as individuals
interested and/or involved in information security and protection.

IFIP SEC'94 will consist of a FIVE DAY - FIVE PARALLEL STREAM -
enhanced conference, including a cluster of SIX FULL DAY expert
tutorial workshops.

In total over 120 presentations will be held. During the event the
second Kristian Beckman award will be presented. The conference will
address virtually all aspects of computer and communications security,
ranging from viruses to cryptology, legislation to military trusted
systems, safety critical systems to network security, etc.

The six expert tutorial workshops, each a full day, will cover the
following issues:

Tutorial A: Medical Information Security
Tutorial B: Information Security in Developing Nations
Tutorial C: Modern Cryptology
Tutorial D: IT Security Evaluation Criteria
Tutorial E: Information Security in the Banking and Financial Industry
Tutorial F: Security of Open/Distributed Systems

Each of the tutorials will be chaired by a most senior and internationally
respected expert.

The formal proceedings will be published by Elsevier North Holland
Publishers, including all presentations, accepted papers, key-note talks,
and invited speeches.

The Venue for IFIP SEC'94 is the ITC World Trade Center Convention
Facility at Piscadera Bay, Willemstad, Curacao, Netherlands Antilles.

A unique social program, including formal banquet, giant 'all you can eat'
beach BBQ, island Carnival night, and much more will take care of leisure
and relax time.

A vast partners program is available, ranging from island hopping, boating,
snorkeling and diving to trips to Bonaire, St. Maarten, and Caracas.
A special explorers trip up the Venezuela jungle and the Orinoco River
is also available.
For families a full service kindergarten can take care of youngsters.

The conference will be held in the English language. Spanish translation
for Latin American delegates will be available.

Special arrangements with a wide range of hotels and apartment complexes
in all rate categories have been made to accommodate the delegates and
accompanying guests. (*)
The host organizer has made special exclusive arrangements with KLM Royal
Dutch Airlines and ALM Antillean Airlines for worldwide promotional fares
in both business and tourist class. (**)

(*)(**) Our own IFIP TC11 inhouse TRAVEL DESK will serve from any city on
the globe.

All authors of papers submitted for the referee process will enjoy special
benefits.

Authors of papers accepted by the International Referee Committee will enjoy
extra benefits.

If sufficient proof (written) is provided, students of colleges, universities
and science institutes within the academic community, may opt for
student enrollment. These include special airfares, apartment accommodations,
discounted participation, all in a one packet prepaid price.
(Authors' benefits will not be affected)

**************************

INSTRUCTIONS FOR AUTHORS

**************************

Five copies of the EXTENDED ABSTRACT, consisting of no more than 25 double
spaced typewritten pages, including diagrams and illustrations, of
approximately 5000 words, must be received by the Program Committee no
later than November 15th, 1993.

We regret that electronically transmitted papers, papers on diskettes,
papers transmitted by fax and handwritten papers are not accepted.

Each paper must have a title page, which includes the title of the paper,
full names of all author(s) and their title(s), complete address(es),
including affiliation(s), employer(s), telephone/fax number(s) and
email address(es).
To facilitate the blind refereeing process the author(s)' particulars
should only appear on the separate title page. The language of the 
conference papers is English.
The first page of the manuscript should include the title, a keyword list
and a 50 word introduction. The last page of the manuscript should include
the reference work (if any).

Authors are invited to express their interest in participating in the
contest, providing the Program Committee with the subject or issue that 
the authors intend to address (e.g. crypto, viruses, legal, privacy, design,
access control, etc.) This should be done preferably by email to 
< TC11@CIPHER.NL >, or alternately sending a fax message to
+31 43 619449 (Program Committee IFIP SEC'94)

The extended abstracts must be received by the Program Committee on or
before November 15th, 1993.

Notification of acceptance will be mailed to contestants on or before
December 31, 1993. This notification will hold particular detailed
instructions for the presentation and the preparation of camera ready 
manuscripts of the full paper.

Camera ready manuscripts must be ready and received by the Program Committee
on or before February 28, 1994.

If you want to submit a paper, or you want particular information on
the event, including participation, please write to:

IFIP SEC'94 Secretariat
Postoffice Box 1555
6201 BN   MAASTRICHT
THE NETHERLANDS  -  EUROPE

or fax to:

IFIP SEC'94 Secretariat: +31 43 619449 (Netherlands)

or email to:

< TC11@CIPHER.NL >

***************************************************************

Special request to all electronic mail readers:

Please forward this Call for Papers to all networks and listservices
that you have access to, or otherwise know of.

****************************************************************

Sincerely,

IFIP TC 11 Secretariat

Call for Papers - updated information August 1993
=================================================================

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 113]
******************************************


