To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #43
--------
VIRUS-L Digest   Wednesday, 17 Mar 1993    Volume 6 : Issue 43

Today's Topics:

Bill Gates visit
Re: wordperfect virus? (PC)
Re: Partition table viruses (PC)
Kampana virus (PC)
Re: standardization (PC)
[Stoned] (PC)
Re: Michelangelo (PC)
Re: Signitures (PC)
Scanners and Compressed Disk Boot Sector (PC)
[New?] virus at University of Washington (Seattle) (PC)
Michelangelo Virus (PC)
Re: EXE/COM switch (PC)
wordperfect virus? (PC)
Looking for OPCODE lists (PC)
Re: Effect of Form (PC)
Results of updated MtE tests (PC)
F-PROT 2.07 and Windows not compatible? (PC)
New virus found in Brazil. (PC)
Integrity checking (was: Scanners (PC))
Re: wordperfect virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Mon, 08 Mar 93 20:50:31 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Bill Gates visit

At Comdex a drawing was held to demonstrates the "availability" of
Microsoft executives to the public. Representatives of attending
computer clubs were invited to participate in a drawing for talks
to be given by the execs. 

When the Central Florida Computer Society "won" Bill Gates it seemed 
too good to be true. It was.

Now  the CFCS is not a group of dyed-in-the-wool nerds, rather it is made
up of a wide cross-section of the population ranging from professionals
to retirees just sharing an interest in computers.

Monday March 9th was to be the big day, Microsoft made the arrangements
at one of the Maitland (about five miles North of central Orlando) hotels
& members were told that seats would be held and to arrive around 7 pm
for the 7:30 talk.

However, a small glitch occured. Bill's minions invited a few friends to
also attend. A few *thousand* friends. At 6:45 I was a half-mile from the
hotel on the off-ramp. At 7:30 I was still on the off-ramp (not usual in 
Orlando). Arriving at the hotel, the doors were closed since the room was 
full but I saw many of the other club members also in the corridor. I was 
told that the "reserved" seats had gone first but *not* to club members. 
Guess Microsoft knew who they wanted in the audience...

				Warmly,
					Padgett

ps also was told that MicroSoft had sent out postcards to *valued
customers*. Funny thing, I am a registered purchaser of MS-DOS 5.0,
Windows 3.1, MASM (just got an upgrade solicitation), and a number 
of other products, but just one each. I didn't get a postcard.

------------------------------

Date:    Mon, 08 Mar 93 15:40:45 +0000
From:    gary@sci34hub.sci.com (Gary Heston)
Subject: Re: wordperfect virus? (PC)

GMS@PSUVM.PSU.EDU (Gerry Santoro - CAC/PSU 814-863-7896) writes:
>A number of our lab machines are exhibiting very strange WordPerfect
>behavior.  For example, very small user documents are growing to
>extremely large size, until they fill up available disk space.  Scans
>with F-PROT do not identify any known virus.

Is anything being found in the additional area that's used? 

I've seen something like this occur when someone running WP tried to
edit a spreadsheet file (*.WQ1 stuff). They'd generate a 20-30MB
file, and then call and complain that their system was not working.

>Can anyone clue me into what is happening?  In all cases the version
>of WP5.1 is being run from a read-only volume of a Banyan network
>server.

First, try looking at the files to see if something is in that extra
space. Could be someone doing multiple retrieves without understanding
what it means. Also, use "reveal codes" to look for strange formatting
commands.

Second, reinstall the WP executables and libraries; something may have
gotten glitched.

Try to do some analysis and determine a pattern to what's happening.
Is it only one users' files? Files with a certain extention? Files that
use a common "header" (file with an outline of the document already
set up)? What happens if one of the bloated files is pulled up with
another copy of WP?


- -- 
Gary Heston    SCI Systems, Inc.  gary@sci34hub.sci.com   site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
Remember: A majority of the American people voted against *all* of the
Presidential Candidates. How encouraging....

------------------------------

Date:    Mon, 08 Mar 93 16:10:47 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Partition table viruses (PC)

sarel@ford.ford.ee.up.ac.za (Sarel Lugtenburg) writes:

> We had just an outbreak of a virus that infects the partition table.
> It trigger on any date in March. Reformatting the hard disk and
> running fdisk, changing everything, has no effect. You have to low
> level format the harddisc (IDE). I was always under the impression
> that a high level format from a clean , booted floppy would be enough
> but this is apparently not so.

Well, first let me tell you that a low-level format is NEVER necessary
to remove a virus. On the top of that, low-level formatting of some
IDE drives can damage the drive.

In general, to remove a MBR infector, all you need to do is to boot
from an uninfected write-protected DOS 5.0 (the version is important)
system diskette, and to run the command FDISK/MBR. This will rewrite
the MBR loader of the first hard disk, without touching the partition
information. In some cases this may have some unwanted effects - e.g.,
if you have a program in the MBR that asks for a password at boot
time, the above procedure will simply remove it.

However, having in mind that you are from South Africa and have a MBR
infector that triggers on any date in March, I strongly suspect that
you have a version of the Exe_Bug virus. This virus has one
peculiarity - it modifies the CMOS to indicate that no A: drive is
present. On some machines this has the effect to force them always
boot from the hard disk, even if a diskette in drive A: is present.

This makes it a bit difficult to fulfill the "boot from a clean
diskette" condition - because the computer refuses to boot from a
diskette at all... On the top of that, the virus is stealth, so if it
is active in memory, you cannot see it in the MBR.

If this is indeed your case, you have two options:

1) Use an anti-virus program that is able to deactivate the virus in
memory and then disinfect the hard disk.

2) Run the CMOS Setup program (accessibly by hitting the Del key at
boot time on most computers) and indicate that drive A: -is- present.
This way you will be able to reboot from a clean diskette and to run
FDISK/MBR, which will remove the virus.

> Can someone tell me what happens during the whole boot process from
> poweron. Where does this virus get into the chain of the bootup
> sequence ?

At poweron the computer performs some initial tests, then checks if
there is a diskette in the first floppy drive. If there is one, it's
first sector is read at address 0000:7C00h and control is passed to
it. Otherwise, the first sector of the hard disk is read at that same
address and control is passed to it. This sector of the hard disk
normally contains the partition table and a small program that locates
the active partition in this table, loads the first sector of that
partition and transfers control to it. This sector has the task to
load the operating system further.

In your particular case, the virus has replaced the small program in
the first sector of the first hard disk (the program that searches the
partition table for an active partition). It gets control before the
operating system is loaded.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 08 Mar 93 11:46:18 -0500
From:    Fabio Esquivel <FESQUIVE@ucrvm2.bitnet>
Subject: Kampana virus (PC)

Hi netters.

In 1992 I found what F-Prot called the Kampana virus in a friend's
diskette (I don't remember the versions I used when I identify it).

Well, right now Scan V102 says it is the Anti-Tel A-Vir! virus, and
F-Prot 2.07 says it is a "New variant of Kampana".

I inmediately read my VsumX of January 1993 and found some description.
The variant I have infects diskettes as described there, but the
encrypted messages are different (the encryption consists of applying
NOTs to the text bytes).

In the encrypted boot record you can read (literally):

    "Campa:a Anti-TELEFONICA (Barcelona)"

and in the second part of the virus, also encrypted, yo can read:

    "Grupo Holokausto"

VsumX says that this virus activates after booting 400 times; the variant
I have has the counter in the second part of the virus code.  I debugged
the code using Borland's Turbo Debugger and found that this variant
overwrites some tracks after the counter has reached 334 boots.

I also have the Alameda virus, which I found several years ago.  F-Prot
2.07 says it is a new variant of Alameda (this didn't happen before).

I thought that maybe the binary image was damaged, and then I compared it
with other active samples of the virus and got the same message.

Do I really have new variants of these viruses?  Or is it just a problem
of misidentification by F-Prot?

I'll be glad of sending copies of both viruses to Fridrik and Aryeh, if
they are interested; the trouble is that I'm on a BITNET node and I think
I can't send binary files to InterNet nodes (just simple mail).

Regards,
                                     /&\
                                    (O O)
 * * * * * * * * * * * * * * * *OOO* (_) *OOO* * * * * * * * * * * * * *
*                                     U                                 *
* Fabio Esquivel Chacon    *    Computerize God - It's the new religion *
* fesquive@ucrvm2.bitnet   *  Program the Brain - Not the heartbeat     *
* University of      * * * *  Virtual existence / Superhuman mind       *
* Costa Rica         *    The ultimate creation / Destroyer of mankind  *
*    "My girlfriend, * Termination of our youth / For we do not compute *
* ____/|  music and  *                                                  *
* \'o O'  computers  *           "Computer God" - Dehumanizer           *
* =(_*_)= drive  me  *         Ronnie James Dio - Black Sabbath (1992)  *
*    U    crazy..."  *                                                  *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


------------------------------

Date:    Mon, 08 Mar 93 16:44:19 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: standardization (PC)

sbonds@jarthur.Claremont.EDU (007) writes:

> I agree that CARO names tend to be somewhat unwieldly for "general"
> reporting, which is part of the reason I suggested to frisk a /CARO
> command-line switch rather than ALWAYS including them.  Perhaps only
> the tail end of the CARO name could be used by default?  For example,
> report Jerusalem.AntiCAD.4096.Mozart as "Mozart".  If ambiguity
> results, back up the chain until it is unambiguous.

Hm, that's rather natural, maybe we should include this in the naming
scheme... Currently it allows abbreviations in the "opposite
direction", i.e., if your scanner cannot distinguish between
Jerusalem.AntiCAD.4096.Mozart and Jerusalem.AntiCAD.4096.Danube, you
are allowed to report just Jerusalem.AntiCAD.Mozart. If you cannot
distinguish between the members of the Jerusalem.AntiCAD subgroup, you
can report just Jerusalem.AntiCAD and so on. But your idea is also
good, we'll discuss that in CARO.

> Another possibility would be to limit reported names to a certain number of
> characters.  I agree that seeing "Dark_Avenger.2000.Traveller.Zopy" pop up on
> the screen while scanning could panic out an unsuspecting individual.
> Reporting this virus as "Rocko" seems a bit TOO brief.  Viruses with shorter
> names like Cascade.1704.A should be reported in full, as this seems short
> enough not to cause a panic.

Well, currently there is a limit for each part of the name (I think
that "Green_Caterpillar" is the longest name). The full CARO name is
constructed by concatenating the different parts and delimiting them
with a dot.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 08 Mar 93 16:55:41 +0000
From:    theodore@unity.ncsu.edu (Andrew M Smith)
Subject: [Stoned] (PC)

Has anyone heard of the [Stoned] virus and if so, then what does it do?

Also, I have an odd question concerning infected disks...If I have an
infected disk and run a magnet across it, will all data (and the virus) be
erased???

------------------------------

Date:    Mon, 08 Mar 93 17:29:03 +0000
From:    streb@ee.rochester.edu (Chuck S.)
Subject: Re: Michelangelo (PC)

d91-cni@nada.kth.se (Christer Nilsson) writes:
>A friend of mine couldn't boot his computer today (6:th of March).
Dido We had a drive die just as it was turned on Sat. 

Mikey was not announched this time around and got us!

chuck


- -- 
- -----------------------------------------------------------------------------
=  Chuck Streb   lookin' before leapin'     = 
=                                           =                     
=  internet streb@galaxy.ee.rochester.edu   =

------------------------------

Date:    08 Mar 93 18:24:12 +0000
From:    hdg@fm11ap03.tu-graz.ac.at (Bernhard Heidegger)
Subject: Re: Signitures (PC)

motazev@hobo.ECE.ORST.EDU wrote:
: To check for an executable file a virus will read in the appropriate bytes
: and check to see if it is "MZ".

: Why do some viruses check for "ZM"? What kind of file does this denote?

I think the signature is always "MZ" but Intel - processors (like 80386)
store a word (2 Bytes) in the form "lo-byte hi-byte". So, if a virus
checks the signature as a word it test for "ZM".

Bernhard.

( Bernhard Heidegger, Internet: hdg@fm11ap01.tu-graz.ac.at )


------------------------------

Date:    Mon, 08 Mar 93 13:58:04 -0500
From:    Wolfgang Stiller <72571.3352@compuserve.com>
Subject: Scanners and Compressed Disk Boot Sector (PC)

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

 > Recently there has been some discussion concerning a problem with
 > scanning compressed drives for viruses and constantly getting a flag
 > that the "boot sector has changed".

 > As a consequence, the fact that the A-V is checking the STACed drive boot
 > sector means more than just an error is being flagged each time, it would
 > make me concered that the real boot sector may be skipped.

I can see why you'd be concerned about that.  To reassure anyone reading
about your concern (since a question regarding Integrity Master started
this conversation), I'd like to mention that whether you have IM check
the psuedo boot sector on a compressed partition (such as a Stacker
disk) has no bearing on its checking of the real boot sector.

Integrity Master takes has a broader focus than just that of an anti-virus
product.  Integrity Master wants to check all partition and boot sectors
on all of your disks (you can of course decide which disks to check).
All physical disks will have a partition sector (AKA Master Boot Record or MBR)
and logical DOS disks generally appear to have a boot sector.  Integrity
Master is not just checking for viruses but checking the integrity of your
disk.  Viruses only account for a very small percentage of all otherwise
undetected data and program corruption and the situation seems to be getting
worse with gigabyte and larger disks and the increasingly complex software
most of us are running on our systems.

(I know you understand all this, Padgett; I'm writing this for the benefit
those that don't understand the focus of our product).

Regards, Wolfgang

Wolfgang Stiller, Stiller Research, 2625 Ridgeway St., Tallahassee, Florida
32310 U.S.A.



------------------------------

Date:    08 Mar 93 19:08:05 +0000
From:    mramey@hardy.u.washington.edu (Mike Ramey)
Subject: [New?] virus at University of Washington (Seattle). (PC)

I am cross posting the following local article to comp.virus with the
author's permission.  Jake Oshins gave me a copy of the virus last week. 
I sent a message to both Frisk and McAfee.  I received a request from
McAfee for a copy of the virus, which I will send them shortly.  Hope this
info will help others prevent or recover from similar infections. 
- --Mike Ramey, Civil Engineering Dept, Univ of Washington, Seattle


Path: news.u.washington.edu!carson.u.washington.edu!joshins
From: joshins@carson.u.washington.edu (Jacob Oshins)
Newsgroups: uw.pc.ibm
Subject: Virus outbreak on campus
Date: 5 Mar 1993 00:36:04 GMT
Organization: University of Washington
Lines: 39
Distribution: uw
Message-ID: <1n679kINN7ub@shelley.u.washington.edu>
NNTP-Posting-Host: carson.u.washington.edu
Keywords: Virus, Spanish Telecom, A-vir, Kampana


Hello,
  We here at the School of Business have contracted a computer virus
that is not detected by the anti-virus software distributed on
ftp.cac.washington.edu.  Since we were not aware of it for the first
week or two that we had it, our lab distributed it to several hundred
users who may have carried it to other labs on campus.  In order to
innoculate yourself against it, you need to get one of the following
packages: 

1)  McAfee's VIRUSCAN, VSHIELD and CLEAN-UP, version 102.
	This package calls the virus A-vir.

2)  F-prot 2.07.  (this one can't remove the virus)
	This one calls it "A new variant of Kampana."

3)  Norton Antivirus
	This one calls it "Spanish Telecom."

Other packages might work, but I haven't tried them.

Removal of the virus is easy if it is on a hard disk that was
partitioned with DOS 5.00.  Just boot from a clean floppy and issue
the command: FDISK /MBR.

This is a boot sector/partition table virus that is passed from
floppy to hard disk when you try to boot with an infected floppy.  The
virus will even move from a "non-bootable" floppy to a hard disk if
the floppy is in drive A: when the machine boots.  It is passed from
an infected hard disk to floppy disks during almost any access or copy
operation.

If you have any other questions, please call me or send me a message.

Jake Oshins
BACS
U.W. School of Business
685-2275
joshins@u.washington.edu

------------------------------

Date:    Mon, 08 Mar 93 20:01:36 +0000
From:    tac@world.std.com (Tackey Chan)
Subject: Michelangelo Virus (PC)

	I was wondering if anyone can tell me about how this virus
works? Does it only affect that one day or does it tag allow somwhow
onto things posted on "nn"? Anything you can tell me would be
appreicated do that I can know what to look for. 

		E-Mail tac@world.std.com

			-----TAC

------------------------------

Date:    Mon, 08 Mar 93 15:42:54 -0500
From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
Subject: Re: EXE/COM switch (PC)

It has been some time since I proposed the EXE/COM switch, and
now I feel entitled to reply to the responses (now that I'm back.)
I will use "initials" to refer to people that wrote on this subject.

FE spoke about changing EXE to EEE and COM to CCC. The results were
terse: "the experiment failed". A list of viruses reportedly were
tested and all infected the renamed files. Well, if the experiment
is to be believed, it still doesn't apply to my proposed defense.

VB wrote that my proposal was already discussed in "Virus News
International." This publication is not available in any of 10,000
libraries in the USA, including the Library of Congress, so I am
unable to verify his claim. (I had the OCLC database searched.) The
publication is a new, small, costly, British publication from
Paul Robinson. Since I don't know VB personally, I would like to 
see a copy of the unnamed article before I will believe it, but 
it is unobtainable in the USA.

VB went into depth about "some" viruses which won't be affected by
this system. Didn't I already state that? What I had asked for the
"experts" to do was to indicate which types (or which specific 
viruses would not work with this method. VB's reply was highly 
generic (so far; but see below.)

VB pointed out the advantage to using CCC/EEE instead of switching
EXE and COM around. I thought that was clear to see from my post,
but if not I agree. The difference is in my proposal there is no
need to mess with COMMAND.COM which causes many problems of its own.
I was concerned with finding a simple idea that worked at least 50%
of the time, not a complex one that worked 60% of the time.

VB stated that "most viruses" will not be fooled by the EXE/COM
switch. I suppose we could all accept this statement by faith.
However, my original post did ask for details to justify any such
claim. VB later said that "dozens" of intelligent viruses would 
still work despite my method. Isn't that a contradiction, 
considering the large number of viruses out there?

VB pointed out that "many" resident viruses infect files
during a DOS EXEC (function 4B). Is "many" a relative or absolute 
term? Even if they used EXEC, that does not mean that they will 
succeed when the EXE/COM switch is pulled on them. At this point it
seems to me that VB is just "arguing" without "justifying"
his position.

VB then goes on to say that those viruses which don't have smarts
"will crash". So VB says my method will stop non-resident viruses 
and fast infectors. Great news! The method works with these two
entire CLASSES of viruses.

VB says it is not a "reliable protection scheme". And AN said it
was "not a sufficient solution". I agree that it is not sufficient;
of course no software that money can buy is perfect, either. If
it helps, and it is cheap, then it is good for SOME people.

VB educated me (and others, I hope) about using a COPY command
in AUTOEXEC to replace the COMMAND.COM file at bootup. Hey, I like
that too. Maybe a combination of these "little" things will make
a significant (but never "ideal") system.

Overall, I appreciated VB's reply even though I took issue on a few
points.

FS states that the EXE/COM switch "is of no use". Maybe he and
VB should hash it out directly, as they have a significant difference of
opinion, and I don't want to be a middleman in their discussion.

CA states that any virus which uses function 4B to infect will not
be fooled by the EXE/COM switch "provided the virus was written
correctly". Which really means, "a virus will not be fooled by this
approach unless they didn't take this approach into account."
That is my point exactly!

AN states that most viruses will not be fooled by the EXE/COM switch.
Then, amazingly, AN states that this method is "already used today
in several virus traps." Very puzzling, and therefore hard to believe.

APP discusses how 4B works and leaves the reader to draw his own 
conclusions. My question to APP is how do I resolve the difference
between the description in Norton's book and Duncan's book regarding
how to load a program WITHOUT executing it. One book says to use
subfunction 1 and the other says subfunction 3. Neither book gives
enough detail that I can gain a good understanding of it without
experimenting first.

Conclusion: My question to the "experts" was partially answered
when VB said that non-resident infectors and fast infectors would
be fooled by this technique. That is quite a statement of support
in my view, and makes this method worthy of consideration for some
environments.

Question: Has this forum ever listed and categorized the existing
viruses? I would like to be able to construct a list of non-resident
and fast infectors that would be stymied by the EXE/COM switch.

Controversially,
Don Peters

------------------------------

Date:    Sun, 07 Mar 93 12:27:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: wordperfect virus? (PC)

 To: GMS@PSUVM.PSU.EDU (Gerry Santoro - CAC/PSU 814-863-7896)

 > A number of our lab machines are exhibiting very strange WordPerfect
 > behavior.  For example, very small user documents are growing to
 > extremely large size, until they fill up available disk space.  Scans
 > with F-PROT do not identify any known virus.

To answer you on that topic: I've seen such a case before with an old version 
of WP. But in this case the EXE file WP.EXE itself has increased in size 
tremendously. The reason was a Jerusalem virus that infected the file and for 
some reason the file was then appended by some code that partly overwritten 
the virus code. The result was amazing: An infected file that NO anti virus 
has detected anything in it, but when you execute the file the virus will load 
and start infecting. I don't believe that this is your case since there is no 
reason for DATA files to grow in such a case, unless you have a virus that 
interperts the DATA files as overlays of the exe file.

I would suggest that you compare the original EXE file with the one on your 
network, see if there is a significant growth factor, then try to create a 
SMALL data file and play with it a few times, see if it grows. If so analyz 
the file with an anti virus.

Another possibility is that you are experiencing a mallfunction of the program.
The answer should be obtained from the history of the mallfunction: when did 
it start? What did you do before it started? Is WordPerfect capable of working 
from a Read Only media? etc...

Hope this helps a bit...
Regards

* Amir Netiv. V-CARE Anti Virus, head team *

- --- FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Tue, 09 Mar 93 10:53:44 +0000
From:    chowes@sfu.ca (Charles Howes)
Subject: Looking for OPCODE lists (PC)

Someone recently mentioned 'serializing' an executable program by using
alternate opcodes as binary ones, to the regular opcodes' zero.
That was in comp.security or alt.security.

I thought 'Hey, the folks in comp.virus know a lot of this technical stuff,
I'll ask them!'.  This could also be tied in to the earlier discussion of
polymorphic viruses, if necessary.

My question:

  What are some opcodes that have two possible numeric values?
  This is for the 80x86 family of machines.

(I want to serialize software, not write viruses, polymorphic or otherwise.)

Thank you!
Charles Howes -- chowes@sfu.ca

------------------------------

Date:    Mon, 08 Mar 93 08:52:20 -0500
From:    Garry J Scobie Ext 3360 <GSCOBIE@ml0.ucs.edinburgh.ac.uk>
Subject: Re: Effect of Form (PC)

> From:    eugene@kamis.msk.su (Eugene V. Kaspersky)

> This is a very dangerous virus. It hits Boot-sector of floppy disks during
> an access to them and Boot-sector of the hard disk on a reboot from an
> infected floppy disk. The virus acts on the 24th of every month. It
> processes a dummy cycle while pressing on the keys. If you work with a hard
> disk, the data can be lost.

The University here has had several hundred FORM infections reported
but never data loss on the hard disk. The payload is only a keyboard
beep in our case on the 18th of the month (Vesselin noted why in
digest vol 5 issue 169). I imagine given the widespread availability
of this virus and the fact that the infection mechanism works we will
see variants in the near future. Anyone any word on this?

As an aside I see an advert in PC-PLUS Issue 78 (March 93)

FPROT - Excellent newcomer to the scene
                  ^^^^^^^^

The same catalogue mentions a product called WYNTKAV, a virus
information program. Anyone seen this?

Cheers

Garry Scobie    Lan Support: Edinburgh University Computing Services
Scotland e-mail: g.j.scobie@ed.ac.uk


------------------------------

Date:    Mon, 08 Mar 93 08:54:43 -0500
From:    brunnstein@rz.informatik.uni-hamburg.dbp.de
Subject: Results of updated MtE tests (PC)

As material for my lecture on "Methods and Requirements for Quality Assurance
of AntiVirus Products" in 6th International Computer Security and Virus Confe-
rence" (New York, March 11-12, 1993), Vesselin Bontchev kindly repeated the
MtE tests published in Virus-L last year. Here are the major changes:

          In November 1992, CATCH-MTE 1.5, F-PROT 2.05, FINDVIRU 6.01
                        and VirScan 2.2.3A detected *all* instances (2000 each)
                        of CoffeeShop, Cryptlab, Dedicated, Fear, Groove/EXE,
                        Groove/COM, Pogue and Questo. 

          On March 7, 1993, CATCH-MTE 1.8, F-PROT 2.06a, FINDVIRU 6.10,
                        and VIRSCAN 2.2.3A
                        AS WELL AS: HTScan 1.19, PC Vaccine Professional 1.13,
                                    SCAN V100 and TBScan 4.3 detect *all*
                                    (8*2000) instances on the same testbase.

                        Moreover, VirX 2.6d detects *all instances but 1 Pogue
                                    sample*.

This significant improvement in recognition quality of AV products may be re-
garded as a result of the public discussion on test results published (and
somehow controversially discussed) last year by VesselinBontchev. VTC plans 
to update it's procedure to also test recognition of 8 new MtE-based viruses.

Klaus Brunnstein (Univ Hamburg, March 8, 1993)

PS: Vesselin's paper "MtE Detection Tests" may be downloaded from VTC ftp site
    (document: MTETESTS.ZIP). The paper on "Quality Assurance on AV Products"
    will be available for downloading after the New York conference (document:
    QAAV933.ZIP on VTC's ftp site). Vesselin or I may also send the documents
    on request if you have no access to ftp.



------------------------------

Date:    Tue, 09 Mar 93 08:57:20 -0500
From:    Otto Stolz <RZOTTO@NYX.UNI-KONSTANZ.DE>
Subject: F-PROT 2.07 and Windows not compatible? (PC)

========================================================================
Hello,

VIRSTOP is the TSR component of the F-PROT package. VIRSTOP 2.07 has
been enhanced with new features, which can be invoked via command line
options. Apparently, one of the new options, viz. "/COPY", is not com-
patible with Windows. The symptoms are thus:

  A user has installed DOS 5.0 and Windows 3.1 on a 486-type computer.

  When VIRSTOP was loaded specifying the /DISK /COPY /BOOT and /WARM
  options, it still worked while commands were issued to the DOS prompt;
  however, Windows applications could no longer open their files, and the
  Windows File Manager could not be invokedat all. In both cases,
  exceptios (such as "illegal instruction", or "protection error") were
  reported to occurr in a module named USER.EXE.  These errors pertained,
  regardless whether VIRSTOP had been installed via the CONFIG.SYS (by
  the DEVICEHIGH command) or via the AUTOEXEC.BAT (by direct invocation).
  When the windows session was closed, Virstop continued to work as
  expected.

  When the /COPY option was removed from the VIRSTOP invocation, all
  went well (though infected programs could be copied, of course).

Until Frisk will have looked into this matter, and will come up with a
fix, I recommend *not* to use the new /COPY option on computers that
have Windows installed on them.

Best regards,
                    Otto Stolz <RZOTTO@DKNKURZ1.Bitnet>
                               <RZOTTO@nyx.uni-konstanz.de>


------------------------------

Date:    Tue, 09 Mar 93 09:30:03 -0500
From:    sapao@dcc.ufmg.br
Subject: New virus found in Brazil. (PC)

A new polymorphic virus was found in Brazil, wich infects both COM and
EXE files. It is memory resident (mem reports less memory when the
virus is active) and can infect near 90% of a 40 meg hard disk in a
day. The decryption routine has a variable lenght but the encrypted
code is always 8DFh bytes long.

None of the scanners tested will detect it (unless used in heuristic mode):
F-prot 2.07, scan v102, tbav 5.03.
 
Four different decryption routines have been detected and all of them can be
detected by the following strings (prepared for HTSCAN):
           B96F04**35**E2
           B9DF08**34**E2

The strings "COMMAND.COM", "*.COM" , "*.EXE", "Hi Fridrik!", "Freddy
KRueG" and "Freddy KRueGer 2.1" can be found in the encrypted body of
the virus, so it is being called Freddy 2.1.

No payload has been detected yet but sometimes a "memory allocation error" 
will occur if the virus is active in memory. 

A small detector for this virus has been uploaded to garbo.uwasa.fi and 
risc.ua.edu and can be downloaded by anonymous FTP. The file name is
fmutant.arj. If you do not have ftp access or want to receive the file
directly from me, just send mail to Sapao@dcc.ufmg.br.

Lucas de Carvalho Ferreira
Computer science student - UFMG - Brazil
Internet adress: Sapao@dcc.ufmg.br

PS: Samples of the virus will be sent to well known virus researchers.



------------------------------

Date:    Tue, 09 Mar 93 09:41:43 -0500
From:    Y. Radai <RADAI@vms.huji.ac.il>
Subject: Integrity checking (was: Scanners (PC))

  Malte Eppert writes:
>> Making CRC checks from a BOOTING FLOPPY will also catch ANY
>> virus, provided it hasn't infected your floppy yet.
>
> Sorry, it won't. It will catch any modification, that's true. But if you get
> infected with a slow virus, the user just would regard the change as
> legitimate.

That's true by definition of a "slow" virus, but there are some
"extra-curricular" measures (i.e. beyond pure integrity checking)
which can be taken to detect such viruses.

>             Then, Vesselin introduced the idea of a DOS file fragmentation
> attack. You could not detect that with a file-oriented CRC checker, too.

First, Vesselin didn't introduce the idea.  It was known to some of us
in 1988.  Second, such an attack *IS* detectable by a sufficiently
clever integrity checker, such as Untouchable.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL


------------------------------

Date:    Tue, 09 Mar 93 10:19:38 -0500
From:    Y. Radai <RADAI@vms.huji.ac.il>
Subject: Re: wordperfect virus? (PC)

  Robert Slade writes:
> "This question"?  Your Subject line seems to ask about a "Word
> Perfect" virus.  There was a postulation, around 1988 and 89, that a
> virus had specifically targetted the Word Perfect program.  This was
> later found to be false: an artifact of the fact that the WP.EXE file
> sometimes stopped working after it had been infected.  This was thus
> often the first indication of a virus infection which was not being
> detected by other means.

I think it's worth adding that this phenomenon occurred when the EXE
file of WP 4.2 was infected by the Jerusalem virus.  This virus con-
tains a bug, wherein it decides where to write itself according to the
file length in the header instead of the true file length; the two are
different in the case of WP 4.2 and certain other EXE files.  As a re-
sult, the virus overwrote the WP.EXE file instead of appending itself
to it.
  (This is mainly of historical interest; I presume it has nothing to
do with the current problem.)

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 43]
*****************************************
