To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #46
--------
VIRUS-L Digest   Tuesday, 23 Mar 1993    Volume 6 : Issue 46

Today's Topics:

Virus Code
Cross-platform viruses ?
Amiga viruses (Amiga)
Sun virus detector available? (UNIX)
Michelangelo (PC)
Partition table viruses (PC)
Re: Michelangelo or STONE (PC)
Virus Development Program (PC)
Re: PC Magazine on Anti-Virus products (PC)
Re: Malta Amoeba: What is it? (PC)
lilsaver.zip (PC)
help - PC protection (PC)
Re: DBase virus (PC)
Variation of Michaelangelo? (PC)
Re: wordperfect virus? (PC)
Re: F-PROT 2.07 and Windows not compatible? (PC)
Int 21h fn 4Bh (PC)
Boot Process & FixUtil4 FreeWare (PC)
Can I Get Infected If... (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Tue, 16 Mar 93 00:49:29 +0000
From:    rob.borek@rose.com (rob borek)
Subject: Virus Code


Date Entered: 03-15-93 19:43
OK. About this whole virus code thing: I believe that it should only 
be placed in VERY careful hands, such as virus researchers and 
anti-viral companies. I'm very competent, and understand viruses, but 
do not believe in distribution of viral code. It's just TOO hard to 
control the flow of "legal" distribution of viral code.

Rob Borek

 * Biology grows on you. 
- ---
   RoseReader 2.10  P003202
   RoseMail 2.00 : <Usenet> PowerNET/Sarnia, ONT. (519) 336-5863

------------------------------

Date:    16 Mar 93 10:30:04 +0800
From:    udptech@uniwa.uwa.edu.au (Denis Brown)
Subject: Cross-platform viruses ?

In the near future, my Department will have a mixture of IBMs and MACs
running on the same thin-ethernet backbone.  Are there any known viruses
which can propagate across platforms such as these ?  I assume that it
would be feasible to write a "programme" on either platform to deliber-
ately infect the other one, especially given that our network "lingua
franca" will be TCP/IP.  Am I worrying about nothing ??  If not, what
"programmes" should I be aware of on either platform ?

System setup:
At present the IBMs are thin-ethernet connected and use LANtastic peer-
peer software.  We're getting LANtastic-for-TCP and will connect to our
Uni. Campus LAN via a Cisco box (which will stop the raw Lantastic
traffic from getting into the Campus LAN).  The Apples will connect to
the common thin ethernet cable via their own adaptors and likewise will
run TCP/IP.  The IBMs will continue to run the (very successful) raw
LANtastic for their normal file/resource sharing.

Any advice appreciated.
Denis


------------------------------

Date:    17 Mar 93 14:47:41 +1000
From:    u9263012@uow.edu.au (Walker Andrew John)
Subject: Amiga viruses (Amiga)


Does anyone have a comprehensive list of amiga viruses and what they do?

Andrew Walker.


------------------------------

Date:    Wed, 17 Mar 93 18:13:27 +0000
From:    dennisk@aplcenmp.apl.jhu.edu (Dennis M. Kavanagh)
Subject: Sun virus detector available? (UNIX)

Does anyone know of products that purport to provide some virus
detection/correction for SUNs?
Thank you...


------------------------------

Date:    Wed, 10 Mar 93 14:34:03 +0100
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Michelangelo (PC)

Hi Christer!

 > A friend of mine couldn't boot his computer today (6:th of
 > March). Could it be the Michelangelo Virus?

Yep :-(.

 > in that way? The partition of the drive was wiped away. How do
 > one recover the information on the disk?

I'm sorry, all one can say is: Forget it, it's impossible :-(((

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date:    Wed, 10 Mar 93 14:32:02 +0100
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Partition table viruses (PC)

Hi Sarel!

 > It trigger on any date in March. Reformatting the hard disk and
 > running fdisk, changing everything, has no effect. You have to
 > low level format the harddisc (IDE).

Try to rebuild the MBR by issuing "FDISK /MBR" after booting from DOS disk 
instead of LL-formatting a hard disk. If this doesn't work and there's no tool 
to remove the virus, you have to restore a saved backup of the MBR.

That's why I recommend to save a backup of it when it's still OK...:-) BTW, 
you can, with some effort, rebuild a completely outzeroed MBR from examining 
where the partitions on harddisk physically reside and where the DOS 
bootsectors are.

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)
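The two pieces of advice above (keep a backup of a known-good MBR so it can be restored, and rebuild a zeroed partition table from where the DOS boot sectors physically sit) can be exercised on a disk image in a few lines. The following is an added example, not code from the post or from any tool it mentions: it parses a 512-byte MBR image, compares it with a saved backup, and rebuilds a partition table from the BIOS Parameter Block of boot sectors found on the disk. All images are constructed in memory; the CHS fields of rebuilt entries are left zero, which a real repair tool of that era would have to fill in from the drive geometry.

```python
"""Added example (not from the VIRUS-L post): inspect a 512-byte MBR image,
check it against a saved backup, and rebuild a zeroed partition table from
DOS boot sectors found on the disk.  All disk images are constructed in
memory; nothing here touches a real drive."""
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE          # four 16-byte partition entries start here
PART_TABLE_SIZE = 64
SIG_OFFSET = 0x1FE                 # 55 AA boot signature


def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == MBR_SIZE and mbr[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA"


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries of an MBR as dicts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:             # type 0 marks an unused slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(current: bytes, backup: bytes) -> list:
    """Compare the MBR read from disk with a trusted backup; return findings."""
    findings = []
    if not has_boot_signature(current):
        findings.append("boot signature 55AA missing")
    if not parse_partitions(current):
        findings.append("partition table empty")
    if current[:PART_TABLE_OFFSET] != backup[:PART_TABLE_OFFSET]:
        findings.append("boot code differs from backup")
    if current[PART_TABLE_OFFSET:SIG_OFFSET] != backup[PART_TABLE_OFFSET:SIG_OFFSET]:
        findings.append("partition table differs from backup")
    return findings


def rebuild_partition_table(found_boot_sectors: list) -> bytes:
    """Rebuild a 64-byte partition table from DOS boot sectors located on disk.

    found_boot_sectors: list of (lba, boot_sector_bytes).  The partition size
    comes from the BIOS Parameter Block: the 16-bit total at offset 0x13, or
    the 32-bit total at 0x20 when the 16-bit field is zero.  CHS fields are
    left zero in this illustration (assumption: a real tool computes them).
    """
    if len(found_boot_sectors) > 4:
        raise ValueError("a primary partition table holds at most four entries")
    table = b""
    for i, (lba, bs) in enumerate(found_boot_sectors):
        total16, = struct.unpack_from("<H", bs, 0x13)
        total32, = struct.unpack_from("<I", bs, 0x20)
        sectors = total16 or total32
        if sectors == 0:
            raise ValueError("boot sector at LBA %d carries no sector count" % lba)
        ptype = 0x06 if sectors >= 65536 else 0x04   # FAT16 big / FAT16 (<32 MB)
        status = 0x80 if i == 0 else 0x00            # first rebuilt entry is active
        table += struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0",
                             lba, sectors)
    return table.ljust(PART_TABLE_SIZE, b"\0")


def make_dos_boot_sector(total_sectors: int) -> bytes:
    """Constructed minimal DOS boot sector carrying only the BPB fields read above."""
    bs = bytearray(MBR_SIZE)
    bs[0:3] = b"\xEB\x3C\x90"                    # JMP short + NOP, as DOS writes it
    struct.pack_into("<H", bs, 0x0B, 512)        # bytes per sector
    if total_sectors < 65536:
        struct.pack_into("<H", bs, 0x13, total_sectors)
    else:
        struct.pack_into("<I", bs, 0x20, total_sectors)
    bs[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(bs)


def make_sample_mbr(partitions: bytes) -> bytes:
    """Constructed MBR: filler boot code, the given 64-byte table, and a signature."""
    boot_code = b"\xFA\x33\xC0" + b"\x90" * (PART_TABLE_OFFSET - 3)  # CLI; XOR AX,AX; NOPs
    return boot_code + partitions + b"\x55\xAA"


# Constructed scenario: one FAT16 partition of 40,000 sectors starting at sector 63.
GOOD_TABLE = rebuild_partition_table([(63, make_dos_boot_sector(40000))])
GOOD_MBR = make_sample_mbr(GOOD_TABLE)          # this is the "saved backup"
ZEROED_MBR = make_sample_mbr(b"\0" * PART_TABLE_SIZE)   # table wiped, boot code intact

if __name__ == "__main__":
    print("good MBR vs backup:", check_mbr(GOOD_MBR, GOOD_MBR))
    print("zeroed table vs backup:", check_mbr(ZEROED_MBR, GOOD_MBR))
    print("partitions:", parse_partitions(GOOD_MBR))
```

Run against an image taken from a real drive, `check_mbr` reports both a missing signature and a difference from the backup, so a partition table that has been zeroed is distinguishable from one whose boot code alone was replaced; the backup comparison is only as good as the backup, which is why the post's advice is to save it while the MBR is still known to be clean.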

------------------------------

Date:    10 Mar 93 07:24:00 +0000
From:    bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Re: Michelangelo or STONE (PC)

Quoting from G.randolph Bickerton to All About Re: Michelangelo or STONE 
on 03-08-93

GB> Isn't the correct procedure to repartition the hard disk then reforma

Clean 100 had a problem removing Mich. Clean 102 is supposed to have fixed 
this problem.

It should never be necessary to low level format a hard drive to eradicate 
a virus.
 
Bill

- ---
 * WinQwk 2.0 a#383 * FINGERS activates after Nov 11th, 1990

------------------------------

Date:    10 Mar 93 06:39:00 +0000
From:    bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Virus Development Program (PC)

Quoting from Sgt Rock to All About Virus Development Program on 03-07-93

SR> development programs: The Phalcon/Skism Mass-Produced Code Generator,
SR> Virus Construction Set, and the Virus Construction Laboratory.
SR> These programs sound scarey to me. Does anyone out there know anythin
SR> about them? Where do they originate and are they available for genera

Those development programs are available on almost all underground BBSs.
 
Virus Construction Set is not a real threat. It just turns out variants of 
the Manta virus, and any reputable scanner can detect them.

The MPC and VCL can generate different types of viruses, but most 
reputable scanners (F-prot, Integrity Master, etc) can detect any viruses 
made by these two virus generators.
 
Bill

- ---
 * WinQwk 2.0 a#383 * I like to dissect computer viruses.

------------------------------

Date:    10 Mar 93 06:51:00 +0000
From:    bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Re: PC Magazine on Anti-Virus products (PC)

Quoting from Fridrik Skulason to All About Re: PC Magazine on Anti-V on 
03-07-93

FS> lest the 50-100 that are in the wild), the viruses they used are old,
FS> program that had not been updated for 18 months would have detected a
FS> one or two....and so on...

I couldn't agree more.
 
FS> Anyhow, I wrote them a 4-page letter about this...

Good for You! 

I hope they will 
a. improve their testing processes.
b. stop testing anti-viral software.
 
Bill

- ---
 * WinQwk 2.0 a#383 * CASINO activates Jan 15th

------------------------------

Date:    Sun, 14 Mar 93 18:24:13 -0500
From:    Wolfgang Stiller <72571.3352@compuserve.com>
Subject: Re: Malta Amoeba: What is it? (PC)

  nafziger@eagle.sangamon.edu (Scott Nafziger) writes:

 >  I heard of a virus called the Malta Amoeba.  I was wondering
 >what does it do.  How does it effect floppies, hard drives, and/or net
 >Also, is there any way to detect if someone has this virus without virus
 >scaning software?  Any information will be greatly appreciated.

 Here are are parts of a report I wrote about a year ago on this virus;
 I think it answers most of your questions:

  Stiller Research Virus Report - Copyright 1992 - The Maltese
  Amoeba

  Aliases: Irish (McAfee), Grain of Sand, Amoeba (mistakenly)

  A destructive memory resident infector of .COM and .EXE files.
  It will activate on Nov 1st and March 15th.

  The Maltese Amoeba is another variable encrypting (AKA polymorphic)
  virus.  This means that the bulk of the virus code is encrypted and
  the decryption routine uses variations of several patterns of
  instructions similar to the technique used in the V2Px series of
  viruses.  The decryption instructions are interspersed with variable
  numbers of irrelevant instructions and can appear in a varying order.
  While various (different) series of instructions are used for the
  decryption, the decryption is always accomplished by a simple
  exclusive or.  The decrypted code is not further garbled with
  irrelevant instructions.  The Maltese Amoeba infects only .COM and
  .EXE files using a different decryption pattern for .COM and than for
  .EXE files.

    It uses no stealth techniques and can be detected by doing a
  simple DIR and noting the file size changes.  Its only
  sophistication lies in its ability to make generation of virus
  scan strings difficult.  This virus spreads quite readily on all
  PCs tested (7).  It will infect files on either a DOS open or a
  load and execute (files read or executed programs will be
  infected).  After the first infected file is executed, the Maltese
  Amoeba goes resident in memory in the highest available 2K
  (usually at 9F00:0000 if 655,360 bytes are free).  It seems to
  play by the DOS rules and changes the MCBs (memory control blocks)
  so that DOS does not overlay the virus code, but it does not issue
  the DOS TSR request (no doubt in order to bypass monitoring
  programs).  This reduction in memory can be seen by doing a CHKDSK
  or a MEM command.

     This virus checks for its own presence in memory by issuing a
  DOS set date call with an invalid value and also checks for
  presence (in memory) of Ross Greenberg's anti-virus programs
  (FluShot+ and Virex-PC) as well as the PSQR virus.  If these
  programs are present the virus will not infect any programs.  It
  reportedly also detects and deactivates the Murphy virus but I
  have not confirmed this.  The virus will replace the (Int 24)
  critical error handler so you will not see the familiar "Abort,
  Retry, Fail" if the virus tries to infect a write protected
  floppy.

     On Nov 1st or March 15th , it will overwrite low numbered tracks on
  the hard disk and any diskettes, produce a flashing display and hang
  the PC.  The disk will probably be unreadable at this point.  I have
  not actually allowed this virus to destructively activate on my test
  systems; my results are based upon code inspection and reports
  published in the (UK) Virus Bulletin.  The code written into the
  partition sector (AKA Master boot record) contains encrypted poetry
  which displays the first four lines of Blake's Auguries of Innocence
  from the Pickering Manuscripts:

                "To see a world in a grain of sand
                And a heaven in a wild flower,
                Hold infinity in the palm of your hand
                And eternity in a hour."

                The Virus 16/3/91

  The next time the PC is booted the above text is displayed -- the
  PC then hangs.

  This virus was not detected prior to its activation in the UK on
  November 1st 1991.  It had managed to spread quite widely!  According
  to the December 1991 Virus Bulletin: "Prior to November 2nd, 1991, no
  commercial or shareware scanner (of which VB has copies) detected the
  Maltese Amoeba virus.  Tests showed that not ONE of the major
  commercial scanners in use (the latest releases of Scan, Norton
  Anti-virus, Vi-Spy, VISCAN, Findvirus, Sweep, Central Point Anti-virus
  et al.) detected this virus."

  This indicates the danger of depending upon scanner technology or
  active monitor technology for virus protection.

Regards, Wolfgang

Wolfgang Stiller, Stiller Research, 2625 Ridgeway St., Tallahassee, FL
32310 U.S.A.
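The report makes two points a defender can act on without a scanner: the Maltese Amoeba uses no stealth, so infected files show a size change on a plain DIR, and no scanner of the day detected it, so relying on scan strings alone is risky. The following is an added example, not code from Stiller Research or from the report: a minimal integrity checker that records the size and SHA-256 of every .COM and .EXE file under a directory and reports what changed since the baseline. The demo scenario (two constructed program files in a temporary directory, one of which grows between checks) is made up for illustration.

```python
"""Added example (not from the Stiller report): a minimal integrity checker
for program files.  Records size and SHA-256 per file, then reports files
that changed, appeared or vanished since the baseline was taken."""
import hashlib
import json
import os
import tempfile

PROGRAM_EXTENSIONS = (".com", ".exe")   # the file types the report says are infected


def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Record size and SHA-256 of every program file below root (relative-path keys)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PROGRAM_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = {"size": os.path.getsize(full), "sha256": file_digest(full)}
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Report changed, added and missing program files relative to the baseline."""
    report = {"changed": [], "added": [], "missing": []}
    for rel, info in current.items():
        old = baseline.get(rel)
        if old is None:
            report["added"].append(rel)
        elif old["sha256"] != info["sha256"] or old["size"] != info["size"]:
            # size_delta is the figure a careful DIR comparison would also reveal
            report["changed"].append({"path": rel, "size_delta": info["size"] - old["size"]})
    for rel in baseline:
        if rel not in current:
            report["missing"].append(rel)
    return report


def save_baseline(snap: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Constructed scenario: baseline two program files, then one of them grows."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"EDIT.COM": b"\xB4\x4C\xCD\x21" * 8,        # constructed .COM body
                   "GAME.EXE": b"MZ" + b"\0" * 200}            # constructed .EXE body
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(snapshot(root), baseline_path)
        # Between checks one program file grows by 2500 bytes; a text file is
        # also created, which the checker ignores because it is not a program.
        with open(os.path.join(root, "GAME.EXE"), "ab") as f:
            f.write(b"\0" * 2500)
        with open(os.path.join(root, "README.TXT"), "wb") as f:
            f.write(b"not a program file")
        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline must be taken on a system known to be clean and kept where a resident infector cannot rewrite it (the report's note that the virus hooks both open and load-and-execute is the reason: any program file touched after infection is suspect, so the baseline itself should live on write-protected media).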



------------------------------

Date:    Sun, 14 Mar 93 19:26:08 -0500
From:    HAYES@urvax.urich.edu
Subject: lilsaver.zip (PC)

To all:
if you see that program (LILSAVER.ZIP -- a small screen saver) it is a dropper
for the [ANTHRAX] virus.

As far as *I* know, this is the first occurrence of this virus in central
Virginia.

Best, Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173



------------------------------

Date:    Tue, 16 Mar 93 11:45:42 +0000
From:    prwiertz@rcl.wau.nl
Subject: help - PC protection (PC)

                                    Wageningen,16-3-93

 When I read the articles in this group I want to protect my PC better
than I did before. Can someone send me the best anti-virus program
there is at this moment? (I hope it isn't self infected, as happened
to me last time). Thanks in advance.
                            M.N.G.M. Wiertz

Email:Prwiertz@rcl.wau.nl

------------------------------

Date:    Sun, 14 Mar 93 14:19:07 +1300
From:    dogbowl@dogbox.acme.gen.nz (Kennelmeister)
Subject: Re: DBase virus (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
> dogbowl@dogbox.acme.gen.nz (Kennelmeister) writes:
> 
> > How widespread is the DBase virus?
> 
> Not at all...
> 
> > I've just run across it in an MS-DOS system I was checking.
> > Apparently it may have been on their machines for up to a year...
> 
> Are you sure that it is not a false positive? How many files were
> infected? Which scanner did you use? Which version of it?

I was asked to check it because their dbf files were being trashed every
so often. The scanner that picked it up was f-prot 2.06a.

There were only about a dozen infected files, but the system was only
being used for dbase work, so that's not too surprising.
The real clincher was discovering bugs.dat hidden in the root of C
drive.

Unfortunately, I have no samples, as the owners first reaction was to
reformat their hard drive, and I couldn't find any infected floppies.
They only backed up data, not executables, preferring to reinstall from
the original disks.

Virus source is unknown - machines which have been in contact with this
system all came up clean.

I guess it's just a case of an isolated machine harbouring an old virus,
coupled with complacency on the part of the owners that their 3 year old
scanning program would keep them clean.


- --
Alan Brown. (SysAdmin)
dogbowl@dogbox.acme.gen.nz                      Palmerston North
Dawghaus BBS -> +64 (6) 357-9245                New Zealand
             "A wet and windy place in the South Pacific"


------------------------------

Date:    Tue, 16 Mar 93 20:59:27 +0000
From:    garyb@pdx015.intel.com (Gary Brown)
Subject: Variation of Michaelangelo? (PC)

March 6 I was surprised to boot my PC and be greeted by:
    "Drive not ready error", etc..
Running fdisk I found that my partition was gone.  It looks like
MichaelAngelo.  A repartition and format and everything's okay.  

Here's my confusion:  Last year I detected and cleaned MichaelAngelo with
version 84 (I'm pretty sure) of McAfee.  This year I scanned with the same
version about mid-Feb and I was clean.  The only software I bought since
then was TurboTax, and I scanned that disk and it was clean.  I have only 
bought software during the last year.

I need to download the latest version of McAfee and scan with it, but my
question is:  Does anyone know of a modified MichaelAngelo that is not
detectable by software that could detect it last year??  

Gary Brown

------------------------------

Date:    Wed, 17 Mar 93 07:02:49 +0000
From:    bm29@cunixf.cc.columbia.edu (Bob Matsuoka)
Subject: Re: wordperfect virus? (PC)

[stuff omitted]

>>A number of our lab machines are exhibiting very strange WordPerfect
>>behavior.  For example, very small user documents are growing to
>>extremely large size, until they fill up available disk space.  Scans
>>with F-PROT do not identify any known virus.

Those files aren't kept on a Novell server, by any chance, are they?
There has been a thread the past couple of weeks concerning WP files
growing to huge sizes in one of the Novell groups.  I don't run WP
so I haven't been paying attention but I suggest you post your 
question there.  Bit.listserv.novell I think...

- --------------------------------------------------------------------------
Bob Matsuoka, Network Manager		           bm29@cunixf.colmbia.edu
New Lab for Teaching and Learning                  ph. (212) 722-5160 x152
The Dalton School                                  fax (212) 348-5885

------------------------------

Date:    Thu, 18 Mar 93 01:23:13 +0000
From:    oep@colargol.edb.tih.no (oep)
Subject: Re: F-PROT 2.07 and Windows not compatible? (PC)

Otto Stolz (RZOTTO@NYX.UNI-KONSTANZ.DE) wrote:

: Until Frisk will have looked into this matter, and will come up with a
: fix, I recommend *not* to use the new /COPY option on computers that
: have Windows installed on them.

With the current version of F-PROT, 2.07, it is not recommended that you 
use the /COPY /BOOT and /WARM-options on systems with "novice" users, yet.
As stated in VIRSTOP.DOC, which is included in the ZIP-file, these are new
options and you can run into problems using them with some applications (read
MS-Windows). 
F-PROT 2.08 will probably contain a version with these options working with
MS-Windows. 
Until then, try out the new options, if they don't work on your system, don't 
use them.

- - oep


------------------------------

Date:    Wed, 17 Mar 93 20:53:16 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Int 21h fn 4Bh (PC)

From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>

>APP discusses how 4B works and leaves the reader to draw his own 
>conclusions. My question to APP is how do I resolve the difference
>between the description in Norton's book and Duncan's book regarding
>how to load a program WITHOUT executing it. One book says to use
>subfunction 1 and the other says subfunction 3. Neither book gives
>enough detail that I can gain a good understanding of it without
>experimenting first.

Actually, the best source for this information is Ralf Brown's
Interrupt List (current version is 33) found on many archives
(pub/msdos/info on oak.oakland.edu - be sure to get all four ZIP
files A,B,C,& Q).

Listed for Int 21h Function 4Bh are the following subfunctions:
(around line 21,319)

 00 load and execute
 01 Load but do not execute (what DEBUG uses)
(02 is not listed but think I have seen it somewhere)
 03 Load overlay (different organization than a .COM or .EXE)
 04 Load and execute in background (European MS-DOS 4.x only)

					Good luck,

						Padgett
ps Incidentally, the idea of a .COM/.EXE scramble is not new, I first saw
it in a paper circulated in 1988. 


------------------------------

Date:    Wed, 17 Mar 93 20:54:08 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Boot Process & FixUtil4 FreeWare (PC)

sarel@ford.ford.ee.up.ac.za (Sarel Lugtenburg) writes:

> Can someone tell me what happens during the whole boot process from
> poweron. Where does this virus get into the chain of the bootup
> sequence ?

Vesselin gave a good generic description however it should be noted
that diverse BIOSes act differently. Some *always* look at drive A
first, others (nearly every BIOS I've looked at dated after mid-1991)
allow selection of the boot drive. Some (Tandon) even do some validation
while the latest Award and AMI BIOSes can flag attempts to alter the
MBR or DBR. However, to do anything, the options must be turned on, the 
default is the traditional "boot from A first and don't check anything".

In line with this I have released an update to the FixUtilities (FixUtil4)
with two major differences: the utilities are now copyrighted FreeWare
instead of ShareWare (though donations will not be refused 8*), and
SafeMBR now supports booting from floppy - since this is not obvious
I will explain the concept:

For several years I have been saying that the first line of defense is not
to boot from unknown floppies. At the same time I recognise that
occasionally it is necessary to do so for maintenance purposes. SumFBoot
was the first response: Ctrl-Alt-Del with a floppy in drive A would be 
refused, however if you really wanted to boot from a floppy, Ctrl-Alt-F
would reboot *only* from floppy. But this could not handle the case of
a cold boot.

Today things are different with nearly all PCs built since mid-1991 (and
many Zeniths, Compaqs, NECs, and Tandons built earlier) have had boot
selection. Yet this feature is rarely used since few people a) knew about
it or b) wanted to have to reset the CMOS to boot from a floppy (I need to
do so at least once a week when I defrag).

Accordingly SafeMBR v2.7 has the following switch: You can set the BIOS
to always boot from the C: drive and SafeMBR will always check the low
levels out first. However once checks are complete and if you hold the
Ctrl key down during the boot, the logo "Boot A" will appear and the boot
process will transfer to the disk in drive A. Thus even cold boots are
protected yet the user still has the ability to boot from A if really
necessary. This follows my personal philosophy that the users are 
responsible individuals but do not need to be computer experts.

So long as only known clean floppies are used to reboot, low level
viruses such as we have seen today cannot infect a machine (droppers
excluded but then the logo will not appear on boot). Yes, I know this
is not a perfect defense but it is effective against nearly "common"
MBR infections and the price is certainly right 8*).

Again, This new version is FreeWare and requires no licensing other than
the limited license included in the documentation (though I would like to 
hear who is using it). Enjoy.

					Warmly,
						Padgett


------------------------------

Date:    Thu, 18 Mar 93 04:02:04 +0000
From:    cftdl@ux1.cts.eiu.edu (Terry Lundgren)
Subject: Can I Get Infected If... (PC)

My system is clean.  I use Central Point's virus watch/safe.  With the
system running, I put in a student's (assume infected) disk.  I do a DIR
on the student's disk.  I take the disk out.  Now, is it possible that my
system caught the virus?  Any virus?  I received no warning messages of
any kind.  The system has not shown any symptoms.

I would appreciate your comments and advice.

- -- 
T. Dennis (Terry) "Bud" Lundgren, BE/AIS, Lumpkin Hall 343, 581-2162

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 46]
*****************************************
