To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #53
--------
VIRUS-L Digest   Wednesday, 31 Mar 1993    Volume 6 : Issue 53

Today's Topics:

Re: Laws and Viruses
Re: Should viral tricks be publicized?
Re: Should viral tricks be publicized? (was: Integrity checking)
Not about PCs ... (Acorn Archimedes)
Re: Windows Virus (PC)
Re: New (?) virus ? (2294) (PC)
variants of Michelangelo (PC)
RE: PC-TOOLS 8.0 (PC)
Re: Scanners and exe/com file compressors? (PC)
Re: 1575 virus (PC)
Re: Catch from DIR? (PC)
Re: Virus signature determination. (PC & Unix)
Re: Pc-Tools 8.0 (Pc)
virus checking in the CMOS? (PC)
Re:Scanners and exe/com file compressors? (PC)
Is "Untouchable" (V-analist-3) effective? (PC)
Loa Duong (PC)
New Viruses in Australia (PC)
VIRSTOP 2.07 (PC)
Thoughts On Viruses & Risk (PC)
damaged Anti Telefonica Boot virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Tue, 30 Mar 93 14:33:58 +0000
From:    highlite!croaker@uunet.UU.NET (Francis A. Ney)
Subject: Re: Laws and Viruses

Just because malicious intent is difficult to prove does not mean it should
not be a key component of determining the existence of a crime.

Otherwise every beta release leaves us open to prosecution.

------------------------------

Date:    Tue, 30 Mar 93 09:39:49 -0500
From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
Subject: Re: Should viral tricks be publicized?

This is an interesting revival of the recent thread on censorship.

YR pointed out that IR was "contributing" to forums (eg, Fidonet)
which are used by "bad guys". (re: anti-debugging techniques).

I sure hope I'm not defending a "bad guy", but IR stated recently
on this forum that we should NOT be discussing Int21/fcn4b here
because it might give ideas to virus writers. I don't think anyone
(including YR) agreed with IR, in fact I *disagreed* with IR in
Vol 6 Issue 50.

This is just one small fact, but I thought it was worth raising.

------------------------------

Date:    Tue, 30 Mar 93 23:11:47 +0000
From:    wolfie@netcom.com (Cinnamon DeWolf)
Subject: Re: Should viral tricks be publicized? (was: Integrity checking)

I think the concern over distributing viral 'tricks' to the public is one
that is at the same time unfounded and justified. Unfounded in that it is
doubtful that anyone on VIRUS-L is a major source of information about
new viruses; if you want that go to your local 2600 meeting. The impact
of people who can't attend those, read the newest Phantasy issue, etc.
is minimal compared to the benefits reaped by having many, many more "good"
guys learn about the trick. Don't get me wrong, I'm sure many virus
writers/would be writers read this newsgroup quite a bit. But the information
you're concerned about you can get by downloading VSUM, reading many, many
legit virus information bulletins, etc. And if you think the negative impact
of printing information in those mediums outweighs the potential and real-world
benefits, I'd be surprised.

Justified, though, in the concern that people who might not otherwise think
of this trick would suddenly be spurred to write a virus using this trick.
But I think the possibility of that, and the probability of that, is overrated.

Cinnamon Alexander Kevin DeWolf

------------------------------

Date:    31 Mar 93 08:06:39 +0000
From:    aglover@acorn.co.uk (Alan Glover)
Subject: Not about PCs ... (Acorn Archimedes)

While we're mentioning computers other than PCs, it's worth pointing out
that the recently posted FAQ paints a rather optimistic picture of the scene
for the Acorn Archimedes. (Ken: the figure below may well be higher than I
said when I sent the FAQ update)

At present the total number of virus families known is 42, with some
families having two or three variants (more in the case of one particular
one which is completely trivial to alter).

Most can be removed trivially (if you know what to look for), but an
increasing number merge with programs, requiring specialist software.

Alan

[ Declaration of interest: I a) work at Acorn and b) am the
author/maintainer of a commercial anti-virus package for the Acorn
Archimedes ]

------------------------------

Date:    Tue, 30 Mar 93 08:23:35 -0500
From:    sgr4211@ggr.co.uk
Subject: Re: Windows Virus (PC)

>  From:    rogera@compnews.co.uk (Roger Allen)
>
>  	Has anyone else experienced a virus that fades the screen to
>  black after starting Windows 3.1.

Well,  someone  has to ask - it's not a Windows screen saver program, is
it?  The screen saver  supplied  with  Windows  3.1  doesn't  provide  a
"fade-to-black"   saver,  only  a  "blank-the-screen"  one.   There  is,
however, a "fade-to-black" saver for the shareware program  ScreenPeace,
and I suspect the commercial program After Dark would have one also.

Apologies if this is too obvious.

Steve Richards.

------------------------------

Date:    Tue, 30 Mar 93 12:58:31 +0000
From:    v922340@hildebrand.si.hhs.nl (Ivar Snaaijer)
Subject: Re: New (?) virus ? (2294) (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>v922340@hildebrand.si.hhs.nl (Ivar Snaaijer) writes:
>
 [ my text deleted ]
>
>You probably have the Terminator_II virus. It seems to be in the wild
>in the Netherlands.
>
>F-Prot 2.07 still does not recognize it. Dr. Solomon's FindVirus 6.15
>does recognize it and calls it Term-2294. SCAN 102 does recognize it
>too, but reports it as two viruses - Bert [Bert] and Terminator 2
>[Term2]. Don't confuse this with Terminator-B, which is reported as
>Terminator 2 [Tm2] by SCAN (note the difference in the virus id) or
>the Terminator.918 and Terminator.1501, which are reported as Cuban
>[Cub] by SCAN... Lots of naming confusion, I know... :-(

TBscan v5.10 Beta finds it, but this one says that it's the 2294 virus.
Could you tell me more?

>
>Regards,
>Vesselin

Thanx,

Ivar.

-----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
-- 
E-mail : v922340@si.hhs.nl    ... i can't help it, i'm born this way ...
-----------------------------------------------------------------------------

------------------------------

Date:    Tue, 30 Mar 93 15:39:38 +0200
From:    Sjamayee <GHGAOAT%BLEKUL11.BITNET@FRMOP11.CNUSC.FR>
Subject: variants of Michelangelo (PC)

Can anyone warn me if he has found a possible copy of Michelangelo, so that
I can take note of it for my new book?

kind regards,
---> SJAMAYEE

______________________________________________________________________
GHGAOAT@CC1.KULEUVEN.AC.BE *******************************************
______________________________________________________________________

                      ********************
                      *     SJAMAYEE     *
                      *    P.O. BOX 1    *
                      * B-3370 BOUTERSEM *
                      *      BELGIUM     *
                      ********************

_______________________________________________________________________

------------------------------

Date:    Tue, 30 Mar 93 10:41:37 -0500
From:    mikko.hypponen@mpoli.fi (Mikko Hypponen)
Subject: RE: PC-TOOLS 8.0 (PC)

Alessandro Lombardi (alexl@dec01.ing.como.polimi.it) writes:

> ... all was left to do was installing these DAMNED Pc-Tools!!
> When, at the end of installation, it asked me if to build an emergency
> diskette, answering yes, at the top left of the screen appeared
> this message (in Italian):"ATTENTION: big error of the drive while
> writing on unit D: retry?"

Was the message displayed something like this?

+-------------------------------------+
|                                     |
| ATTENTION: A serious disk error has |
| occurred while writing to drive D:  |
| Retry (r)? _                        |
|                                     |
+-------------------------------------+

If it was, this is a known problem. You're using the Italian
version of Windows 3.1, right?

Microsoft's disk caching program SmartDrive, version 4, will
display this message when it decides that something has gone
terribly wrong. The reason you got the message in Italian is
simply because the localised version of Windows also has the
included smartdrv.exe translated.

Obviously, Microsoft thinks that EVERYONE automatically knows
that when such an error is displayed, SmartDrive is in question.
Thus, they do not bother telling the users which program is
giving the error message.

You can easily simulate this error message by starting
SmartDrive with command line smartdrv.exe a+, inserting
a write-protected floppy and copying a file to it.

So, the problem is not in your BIOS, it's some sort of clash
between SmartDrive, PC-TOOLS and perhaps also with SuperStor,
which you said you were using.

I would suggest turning off SmartDrive during the installation,
or, better yet, substitute SmartDrive with some other disk cache.

I personally use HyperDisk, not just because it is faster,
but also because it's safer and more configurable (an obvious
plug for a great shareware product :).

Hope you get your PC-TOOLS operating.

---
          mikko.hypponen@compart.fi / mikko.hypponen@mpoli.fi
      Mikko Hypponen // Data Fellows Ltd's F-PROT Support, Finland
              PGP 2.2 public key available, ask by e-mail
                                 
------------------------------

Date:    30 Mar 93 16:20:58 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Scanners and exe/com file compressors? (PC)

phil@wearbay.demon.co.uk (Philip Coull) writes:

>Do virus scanners "unpack" exe/com files that have been
>packed/compressed? 

Some do, some don't...Many scanners scan inside files compressed with the 
three most popular programs (DIET, PKLITE and LZEXE), but there are some
really obscure compressors available - I don't know of any program that can
scan inside KVETCH-compressed files, for example.

> If they do, how do they cope with all the various
>packing programs? 

Simply by uncompressing the file either in memory or on disk, and scanning
that.

>way.  Does it compromise the ability of scanners?

To a certain degree - but of course, this is only a risk if the software
has been infected before it is compressed.

>   resistant to disassembly or "reverse engineering" procedures. After a
>   file is compressed using this method, it cannot be expanded to match
>   the original executable file.

It cannot be expanded by PKLITE, that is...expanding it with a special
program is not a problem at all.

>What if a virus writer managed to deliberately "distribute" his virus
>within such a file, would any scanners ever find the offending file???

Depending on which compressor is used and which scanner, maybe yes, maybe no.

-frisk

-- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    30 Mar 93 16:35:38 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: 1575 virus (PC)

hofstett@snake1.cs.wisc.edu (Dean Hofstetter) writes:

>13 bytes larger than the original size.  I was wondering if anyone had
>any similar experiences using F-Prot on this virus, or whether someone
>could explain what the additional 13 bytes are.  Thanks in advance for
>any info.

This is very common when files are being disinfected.  Many viruses add 1-15
extra bytes to files, before they append the virus code, so the virus begins
on a paragraph boundary.  It may be easy to remove the virus, but the removal
tool may be unable to determine how many "extra" bytes were appended, so the
resulting file may contain a few "garbage" bytes at the end.

However, normally the resulting file will run without problems - in the few
cases where it does not, you have to replace it with a "clean" original.

-frisk

-- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801
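
A small model of the paragraph-padding effect Frisk describes, added here as an illustration (it is not code from any scanner or from the 1575 virus; the 4083-byte host and the 1575-byte body are constructed stand-ins):

```python
PARAGRAPH = 16  # 8086 segment granularity: appenders pad so their body starts on a 16-byte boundary


def paragraph_padding(length: int) -> int:
    """Number of filler bytes (0..15) needed to bring `length` up to a paragraph boundary."""
    return (-length) % PARAGRAPH


def infect(host: bytes, body: bytes) -> bytes:
    """Model of the appending step only: pad the host, then append the body.
    The code patch that makes the body run first is deliberately not modelled."""
    return host + b"\x00" * paragraph_padding(len(host)) + body


def disinfect_by_length(infected: bytes, body_len: int) -> bytes:
    """What a removal tool that knows only the virus length can do: cut body_len bytes
    off the end. It has no record of how many filler bytes preceded the body, so
    up to 15 of them survive as "garbage" at the end of the cleaned file."""
    return infected[:len(infected) - body_len]


def originals_sharing_infected_length(infected_len: int, body_len: int) -> range:
    """Every original size that yields the same infected size: the boundary the body
    sits on is known, but any of 16 original lengths pads up to it, so the true
    size cannot be recovered from the length alone."""
    boundary = infected_len - body_len
    return range(boundary - PARAGRAPH + 1, boundary + 1)


# Constructed stand-ins (no real virus code): a 4083-byte "host" and a 1575-byte "body".
HOST = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * (4083 - 5)   # mov ax,4C00h / int 21h, then NOPs
BODY = b"V" * 1575
INFECTED = infect(HOST, BODY)
CLEANED = disinfect_by_length(INFECTED, len(BODY))

if __name__ == "__main__":
    print(f"host {len(HOST)} -> infected {len(INFECTED)} -> cleaned {len(CLEANED)}")
    print(f"{len(CLEANED) - len(HOST)} filler bytes left behind; the original could have "
          f"been any of {list(originals_sharing_infected_length(len(INFECTED), len(BODY)))}")
```

With a 4083-byte host the cleaned file comes back 13 bytes longer, the same figure as in the question above; the trailing zero bytes sit past the program's original end and are never executed, which is why such files usually still run.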

------------------------------

Date:    Tue, 30 Mar 93 17:54:34 +0000
From:    antkow@eclipse.sheridanc.on.ca (Chris Antkow)
Subject: Re: Catch from DIR? (PC)

>I have received some excellent replies to my posting on catching
>a virus.  Basically the question is this:  Assume my system is
>clean and I have an infected disk.  I put the disk in the drive
>and do a DIR.  Then I take the disk out.  Can my system be
>infected now?
>
There is no way yet (at least under the current versions of DOS)
that by doing a simple DIR on an infected disk you will be
infected. When you do a DIR on an infected drive, it reads the FAT and
displays it in the form of a directory. No code is executed from the
infected disk by doing a simple DIR.

 Cheers...

 Chris
 antkow@eclipse.sheridanc.on.ca

------------------------------

Date:    30 Mar 93 22:44:23 +0000
From:    phys169@csc.canterbury.ac.nz
Subject: Re: Virus signature determination. (PC & Unix)

frisk@complex.is (Fridrik Skulason) writes:
> runefr@ifi.uio.no (Rune Fr|ysa) writes:
>>I'm planning to expand an anti-viral utility to include file
>>scanning, like Mc'Affe's scan program does...
>>   ...Therefore I would
>>be interested in more information of how I determine the signature
>>of any virus, including mutating ones. 

> What you would need to do:
> 
  5) Have a huge collection of valid commercial & shareware programs,
     to check that the signature you find doesn't accidentally occur
     in clean programs.

  6) Adjust to the psychological pressure of more and more viruses coming
     in to analyse every day. And to the possibility of virus writers
     targeting your software.

>>Is it also possible to get signature files from somewhere and 
>>implement them in the package? 
> 
> Yes, several such files exist...and using them would mean a lot less work
> required - however, the scanner would not be as good, as those files don't
> include any information on how to detect the polymorphic viruses.

And remember that publicly-distributed un-encrypted signatures can be a clue
to stupid (but common enough, I guess) virus rewriters to write a slightly
altered virus to avoid detection for a few months.  Also, some signature
lists have copyright restrictions.  However, such lists are still a very
good idea, even if just for updating scanners until a new version comes with
built-in detection of the new virus.

I wonder whether, in the future, there will be companies or organisations
providing scanner writers with the bulk of their scan strings? I can think
of advantages and disadvantages in having specialist virus analysis teams
feeding other companies with information and scan strings. Imagine a user-pays
version of virus bulletin information? Hmmm.

For what it's worth, I'm working on a public domain virus scanner for Unix
(and other systems) to look for DOS (and other??) viruses where file systems
are shared.   In these situations it is reasonable to combine scanning for
non-polymorphic viruses with change detection, because of the way that people
tend to use networked drives. 

Mark Aitchison.

------------------------------

Date:    Tue, 30 Mar 93 22:40:45 +0000
From:    leveret@warren.demon.co.uk (Nick Leverton)
Subject: Re: Pc-Tools 8.0 (Pc)

>... at the top left of the screen appeared this
>message(in Italian):"ATTENTION: big error of the drive while writing on
>unit D: retry?" (I use DR-DOS 6.0 with sstordrv). 

This message sounds to me like one which Smartdrive generates when you
load a second cache on top of it (or underneath it). Are you using
Smartdrive, or a DR-DOS equivalent cache ? I seem to remember that PC
Tools also includes a disk caching utility, and it's possible that it
may have automatically installed it in addition to the existing cache.
If I were you I'd check for double caching as a possible cause of the
problem.

Nick Leverton

------------------------------

Date:    Tue, 30 Mar 93 23:46:33 +0000
From:    scotth@cs.umr.edu (Scott Hayes)
Subject: virus checking in the CMOS? (PC)

I recently bought a 486 with a virus checking option built into the
CMOS options from ABS computers.  Does anyone know what this does?
I turned it on, of course, but what could it possibly do?

Also, (this may be related), how do UNTOUCHABLE and other non-scanner
anti-virus programs work?

Please respond via e-mail as I am not a regular here.

Thanks!

-- 
Scott Hayes   scotth@cs.umr.edu   shayes@usgs.gov   Standard Disclaimers Apply

"We have become too proud to pray to the God that made us!"  --Abraham Lincoln

------------------------------

Date:    Tue, 30 Mar 93 22:40:09 -0500
From:    1070056@SAPHIR.ULAVAL.CA (PATRICK A. MORIN)
Subject: Re:Scanners and exe/com file compressors? (PC)

In reply to: phil@wearbay.demon.co.uk (Phillip Coull)

To answer your question, yes, scanners (at least McAfee) do unpack/decompress
programs. I have tested it with PKLite (shareware): I PKLited an infected
program and Scan v100 found it with no problem. I do not know about the
professional version of PKLite, but, there is a BUT: if the
PKLite header were to be trashed, then Scan would not know to decompress
the program. It would then miss the virus completely. You would have then what
I call a Stealth Bomber delivery system: when the virus would begin to spread,
it would then become scannable but you would not be able to find the source.

I tried this a couple of months ago. When I saw how easy it was, I became real 
scared... But you can't live your life in fear....

Live long and prosper

                                        Patrick A. Morin
                                        1070056@saphir.ulaval.ca

------------------------------

Date:    Wed, 31 Mar 93 10:49:06 +0000
From:    chermesh@chen.bgu.ac.il (Ran Chermesh)
Subject: Is "Untouchable" (V-analist-3) effective? (PC)

	Our department considers buying an anti virus package. High in the list
is an Israeli product, sold in Israel under the name V-analyst-3 and in the US
as Untouchable. The feature of most interest to us is the way this package
claims to deal with future viruses. Since this feature can't be tested
experimentally, the best way is to learn from the experience of others.
	Thus, please post a reply, or send me a private note, on what your
experience with this feature of the package is. Of most interest for us is your
experience with cases where the package FAILED to deliver the goods, meaning
to rebuild a useful binary file.
-- 
Ran Chermesh                                  E - M A I L
Behavioral Sciences Dept.                     ===========
Ben-Gurion University                  Internet: CHERMESH@BGUVM.BGU.AC.IL
Beer-Sheva 84105                                 CHERMESH@BGUMAIL.BGU.AC.IL

------------------------------

Date:    Wed, 31 Mar 93 02:37:47 -0500
From:    A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: Loa Duong (PC)

  (1) What is the exact proper spelling of 'Loa Duong'? I have met 3 spellings
so far.
  (2) We had Loa Duong in a PC III (running DOS 3.10) in Manchester University
(England), and I suspect that either it or the only antiviral that we use
(VET) or both between them deleted some files. Who issues VET? Who will have
information about it? Please someone send me fullest information about what Loa
Duong does. The version of VET that we had, found it but could not remove it.
In the end we resorted to the ultimate weapon: wiping and re-initializing the
hard disk.

------------------------------

Date:    Wed, 31 Mar 93 02:43:33 -0500
From:    "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: New Viruses in Australia (PC)

The following new viruses have recently appeared here.

1. Loren Virus

This is an apparently new virus, which was recently found in a local 
high school.  It contains the encrypted message; 

 		Your disk is formated by the LOREN virus.
 		Written by Nguyen Huu Giap.
 		Le Hong Phong School *** 8-3-1992

The virus infects .COM & .EXE files, increasing the length by 1387 
bytes.  It infects all files opened for execution, and all .COM & 
.EXE files referenced by Int 21 fn 11 & 12.  This is the old style 
Find First & Find Next functions.  These are apparently still used 
by the DIR command, so that if the virus is in memory DIR will 
infect all .COM or .EXE files opened.  Furthermore the handler for 
Fns 11 & 12 contains code to fake the file size, so that DIR does 
not reveal the increase in file length.

The virus counts the number of files infected, and if the counter 
reaches 20 the warhead is triggered.  This attempts to format 
cylinder zero, head zero, on drive C.  If this fails it then tries 
drives A, and then B.  If it succeeds in formatting any drive it 
gives the message above, and then resets the counter.  A low level 
format will normally be needed to recover affected hard disks, and 
IDE drives may have to be returned to the agents for repair.  

As the counter is reset when the virus is loaded into memory the 
warhead will only be triggered if 20 files are infected in a single 
session.  However this poses a serious threat.  For example there 
are about 40 eligible files in the normal DOS directory, but I never 
use more than 20 of these.  Thus if I got the virus I would trigger 
the warhead if I did a DIR on the DOS directory, even if I had had 
the virus for some time.

The virus is quite infectious, and is likely to cause a lot of trouble, 
especially in schools, etc.

2. Gingerbread virus.

This is an apparently new virus, reported a few weeks ago in Sydney.  
It contains the following messages, which are not encrypted, but are 
apparently never displayed; 

 		You can't catch the Gingerbread Man!!
 		Bad Seed - Made in OZ

The virus infects .COM & .EXE files, increasing the length by about 
2773 bytes.  When an infected file is run it infects the hard disk, 
using a new technique to make detection more difficult.  When the PC 
is rebooted the virus goes memory resident, and then infects most 
.COM & .EXE files.  The virus is highly infectious, and incorporates 
a variety of stealth techniques which will probably fool most 
integrity checkers, unless the PC is first booted from a clean DOS 
disk.

It does not appear to be deliberately destructive, but it will cause 
loss of data on some older PCs (such as Olivetti M24s), in which the 
DOS boot sector and partition records immediately follow the Master 
Boot Record.  The stealth techniques used will probably clash with 
some applications software.

The author has gone to extreme lengths to hide the virus, and the 
code is very convoluted.  However the result is rather like a bank 
with elaborate locks on the front door, but none on the back door, 
and the virus is readily detected and removed.  VET 7.242 has been 
updated to handle the virus, and will detect it in memory, clean 
infected files, and remove it from infected hard disks.

The virus infects files in the normal way, appending itself to the 
file, and patching the start of .COM files or the .EXE file header, 
so that the virus is run first.  The file length is rounded to the 
next paragraph boundary, and then it is extended by 2774 bytes.  The 
messages are not encrypted, and are near the start of the viral code.

The virus uses the "Hello" call Int 21, AX = 0EEE7 to see if it is 
already active, and the approved reply is AX = D703.  If this is not 
received the virus reads the MBR, & checks the starting cluster 
entry for the active partition.  If this is not sector 2, head 0, it 
enters this value, and rewrites sector 1.  It then writes the virus 
to the following six sectors.

When the PC is next rebooted the altered value for the first cluster 
causes the Master Boot Record to load the first sector of the virus, 
instead of the normal DOS boot sector, so that the virus is loaded.

Thus the only irregularity in the areas normally checked is the 
incorrect entry for the starting cluster of the active partition in 
the MBR.  This is unlikely to be noticed by any software which has 
not been installed for the PC, as the new value was normal in many 
early PCs.

The viral code is very involved, and has a number of tricks designed 
to prevent tracing.  It appears that Int 1 and Int 3 are used for 
some operations, and a large number of DOS function calls are 
intercepted.  Virtually all access to files via DOS will be faked, 
so that the virus will not be given away by changes in length, etc.  

However the virus can readily be detected by the change in the top 
of memory, and the messages are easily found in memory, and if 
infected files are examined on a clean PC.  The virus also causes 
noticeable extra disk activity, especially when clean files are 
infected.

The virus sets the SECONDS field in the directory entry to zero (or 
60?) when it infects files, and uses this as the infection marker.  
It takes special action for CHKDSK, MEM, and WIN, and does not 
appear to infect COMMAND.COM.  It also does not seem to infect some 
short files.  

It appears that viruses are being downloaded from virus BBS's here, 
as we have received specimens of Helloween and Stardot.789 from the 
field recently.

VET 7.242 will detect all these viruses, and repair infected files.   
It will also remove the Gingerbread virus from infected hard disks.

Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188   AUSTRALIA       Fax: +613 521 0727
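
Two checks a defender could run, offline and from a clean boot, against the two on-disk traces Riordan describes for Gingerbread: the active partition's start sector in the MBR, and the impossible seconds value in a directory entry. This is an added illustration, not VET's code; the MBR and directory bytes are constructed sample data, and the 0/0/2 test is taken from the description above (compare any hit against the layout the PC was actually set up with, since early PCs used that layout legitimately):

```python
import struct

MBR_PART_TABLE = 0x1BE   # four 16-byte partition entries
MBR_SIGNATURE = 0x1FE    # 55 AA
DIR_ENTRY_SIZE = 32


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry: status, type, start C/H/S and LBA."""
    status, head, sec_cyl, cyl_lo, ptype = struct.unpack_from("<5B", entry, 0)
    return {
        "active": status == 0x80,
        "type": ptype,
        "start_head": head,
        "start_sector": sec_cyl & 0x3F,                  # sectors are numbered from 1
        "start_cyl": ((sec_cyl & 0xC0) << 2) | cyl_lo,   # 10-bit cylinder number
        "lba_start": struct.unpack_from("<I", entry, 8)[0],
    }


def check_mbr(mbr: bytes) -> list:
    """Flag an active partition whose boot sector is at C/H/S 0/0/2, i.e. in the MBR's
    own track, where a relocated loader would be read at boot instead of the DOS boot
    sector."""
    if len(mbr) != 512 or mbr[MBR_SIGNATURE:MBR_SIGNATURE + 2] != b"\x55\xAA":
        return ["MBR is not 512 bytes or lacks the 55 AA signature"]
    findings = []
    for i in range(4):
        off = MBR_PART_TABLE + 16 * i
        e = parse_partition_entry(mbr[off:off + 16])
        chs = (e["start_cyl"], e["start_head"], e["start_sector"])
        if e["active"] and chs == (0, 0, 2):
            findings.append(f"partition {i}: active partition starts at C/H/S 0/0/2")
    return findings


def dos_time_seconds(time_field: int) -> int:
    """DOS packed time keeps seconds/2 in bits 0-4: 0..29 are valid, 30 decodes to 60."""
    return (time_field & 0x1F) * 2


def check_directory(raw: bytes) -> list:
    """Walk 32-byte directory entries and flag files whose timestamp carries a seconds
    value no normal DOS write can produce."""
    findings = []
    for off in range(0, len(raw) - DIR_ENTRY_SIZE + 1, DIR_ENTRY_SIZE):
        entry = raw[off:off + DIR_ENTRY_SIZE]
        if entry[0] in (0x00, 0xE5):   # never-used or deleted slot
            continue
        if entry[11] & 0x18:           # volume label or subdirectory
            continue
        base = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        name = f"{base}.{ext}" if ext else base
        secs = dos_time_seconds(struct.unpack_from("<H", entry, 22)[0])
        if secs >= 60:
            findings.append(f"{name}: seconds field = {secs} (impossible timestamp)")
    return findings


# ---- constructed sample data (not real disk images) ----
def build_mbr(start_head: int, start_sector: int) -> bytes:
    """Boot code area left blank; one active FAT16 partition on cylinder 0."""
    mbr = bytearray(512)
    entry = struct.pack("<8BII", 0x80, start_head, start_sector, 0, 0x06,
                        0xFE, 0x3F, 0x7F, 17, 65536)
    mbr[MBR_PART_TABLE:MBR_PART_TABLE + 16] = entry
    mbr[MBR_SIGNATURE:MBR_SIGNATURE + 2] = b"\x55\xAA"
    return bytes(mbr)


def build_dir_entry(name: str, ext: str, time_field: int, size: int) -> bytes:
    """Archive-attribute file entry dated 31 Mar 1993, starting at cluster 2."""
    return (name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
            + bytes([0x20]) + bytes(10)
            + struct.pack("<HHHI", time_field, 0x1A7F, 2, size))


CLEAN_MBR = build_mbr(1, 1)     # usual layout: DOS boot sector at C/H/S 0/1/1
SUSPECT_MBR = build_mbr(0, 2)   # active partition pointed at 0/0/2 instead
SAMPLE_DIR = b"".join([
    build_dir_entry("COMMAND", "COM", 0x645C, 47845),           # 12:34:56, ordinary
    build_dir_entry("FORMAT", "COM", 0x645E, 33150 + 2774),     # 12:34:60, marked
    b"\xE5" + build_dir_entry("OLD", "EXE", 0x645E, 100)[1:],   # deleted slot, ignored
])

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR)):
        print(label, check_mbr(mbr) or ["no MBR findings"])
    print(check_directory(SAMPLE_DIR) or ["no directory findings"])
```

Both checks read raw sectors, so they are only meaningful after a clean boot: Riordan notes the virus fakes virtually all DOS file access while resident.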

------------------------------

Date:    Wed, 31 Mar 93 06:08:28 -0500
From:    Jagdev Panesar <ada01jsp@scorpio.gold.ac.uk>
Subject: VIRSTOP 2.07 (PC)

I tried out the /FREEZE /BOOT /COPY /WARM options for VIRSTOP 2.07 and
didn't find any problems (e.g. in Windows 3.1, cf. recent postings) UNTIL
I tried to re-boot the machine with CTRL-ALT-DEL when all I got was:

VIRSTOP: Virus-checking A:

and the machine hung. I couldn't re-boot with CTRL-ALT-DEL, I had to switch it
off. There was a disk in drive A, but no activity lights. I am using a
DELL 486P/25 with DOS 5.0.
Any ideas on this ?

------------------------------

Date:    Wed, 31 Mar 93 06:17:04 -0500
From:    markb@grv.grace.cri.nz
Subject: Thoughts On Viruses & Risk (PC)

Dear List,

I have been considering the integrity requirements of PC systems and
applications, and thinking about the problem of full system scanning
and user resistance because of the time involved.

This leads me to ask members of the list more experienced than I
in these matters the following question:

Can risk analysis techniques be applied to the problem of viruses,
ie do we have the base data needed to assess the risk of attack by
various viruses and apply only the required countermeasures?  Do we
have the methodology?

For instance, if such an analysis reveals that only (say) the STONED
and MICHAELANGELO viruses pose a threat in excess of acceptable risk
then boot sector protection will provide an acceptable countermeasure
without the overheads of full system scanning.   Do I speak heresy?

I would appreciate any comments....


Malcolm Shore

Wellington
New Zealand       MARKB@GRV.GRACE.CRI.NZ

------------------------------

Date:    Wed, 31 Mar 93 07:04:27 -0500
From:    Martin Zejma <8326442%AWIWUW11@helios.edvz.univie.ac.at>
Subject: damaged Anti Telefonica Boot virus (PC)

Recently I've got a sample of the Anti Telefonica Boot virus.  It is
an almost unencrypted virus, therefore dissecting it wasn't very
difficult. But there are 2 allocations which seem to be damaged, and
I'd like to know if MY sample was buggy or if the 'original' virus is
buggy itself ( buggy = senseless code where something is expected ).
If the latter is true, then an infected harddisk shouldn't be able to
boot and hang the computer (I had no unnecessary one handy, sorry :) ).

So the question once again : is MY sample buggy or ALL samples ?

The virus consists of 2 parts , one allocated in the BR (floppy) and
the other one at (0,0,6). Regarding the running discussion about not
instructing the 'bad' guys, I'll be as unspecific as possible, just
showing a small snapshot from the code. The first damage is located in
the BR-part, at offset f7-fc the sequence '8a 8e a9 c7 00 00' is found
,meaning IMHO just @#$@%.  And the second damage is a single misplaced
bit in the 2nd part at offset 3a-3d where instead of '8a 16 ec 00' '8a
17 ec 00' is found.

I think nobody can retrieve any useful information out of this, if he/she
hasn't got the virus itself.

Scan 102 detects it as Anti-Tel, F-Prot 2.07 as possible new variant of Campana.

						Regards, Martin

+-----------------------------------------------------------------------+
| Martin Zejma                                  8326442@AWIWUW11.BITNET |
|                                            Martin.Zejma@wu-wien.ac.at |
|                                                                       |
| Wirtschaftsuniversitaet Wien  ---   Univ. of Economics Vienna/Austria |
+-----------------------------------------------------------------------+


------------------------------

End of VIRUS-L Digest [Volume 6 Issue 53]
*****************************************
