To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #58
--------
VIRUS-L Digest   Wednesday,  7 Apr 1993    Volume 6 : Issue 58

Today's Topics:

Re: Should viral tricks be publicized? (was: Integrity checking)
Re: Should viral tricks be publicized? (was: Integrity checking)
Sending viruses over Internet
Re: Best Net Antivirus (Novell)
Re: Catch from DIR? (PC)
Re: CLEAN Recovery? (PC)
Re: D2 virus (PC)
Re: F-PROT and Novell (PC)
Re: help-Maltese Amoeba (PC)
Re: Help with Michelangelo! (PC)
Re: Int 21 fn 4bh (PC)
Re: Is "Untouchable" (V-analist-3) effective? (PC)
Re: Loa Duong (PC)
Re: McAfee against f-prot virus programs (PC)
Re: MSDOS 6.0 ... VSAFE and MSAV out of synch (PC)
Re: Port Writes (PC)
Re: New (?) virus ? (2294) (PC)
Re: Problems with DOS 6.0 Microsoft Anti-Virus (PC)
Re: Proffesional Group Virusized ! (PC)
Status of victor charlie (PC)
Re: Scanners and exe/com file compressors (PC)
Re: Virstop 2.07 (PC)
Re: What is the Genb or Form Virus??? (PC)
Re: damaged Anti Telefonica Boot virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Mon, 05 Apr 93 17:40:02 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Should viral tricks be publicized? (was: Integrity checking)

RADAI@vms.huji.ac.il (Y. Radai) writes:

>   However, what you have written above raises a much more fundamental
> question:  When one of the "good guys" learns of a trick, knowledge of
> which would help the bad guys as well as the good guys, under what
> condition(s) may he or should he disclose this trick in a public
> forum, where bad guys might also be listening?

It depends on the particular case, of course. In general, one should
aim to maximize the impact from the good guys learning about it and
minimize the impact of the bad guys learning about it... There are
things that we know the bad guys already know, so it's a shame not to
tell the good guys about them...

>   For example, even though I knew of extension companions, path com-
> panions, the "fragmentation" attack, and "slow" viruses in 1988, I
> felt that it would have been irresponsible of me to describe them in
> Virus-L.

Meanwhile the first PATH companion was written in 1989 (TP Worm), so
your silence on the subject didn't help that much. On the other hand,
delaying the publication of the DOS file fragmentation attack did help
- nowadays this attack is made almost obsolete by DOS 5.0 or higher...

My point is that keeping the dangerous knowledge for yourself is
probably OK when the bad guys have not figured it out yet. But after
you know that they know about it, it seems unfair to me not to tell
the good guys too...

>   Up to here, I think you agree with me.  However, you seem to be
> saying that your criterion for when to publicize info is that "the
> good guys should be informed about whatever the bad guys already
> know." 

Yes.

>   First, you speak of "the bad guys" collectively, as if they all had
> exactly the same knowledge. 

My experience shows me that the bad guys are less knowledgeable but
better organized and learning faster than the good guys... And I am
not excluding even us, when I am speaking about "better organized".

> If a few virus writers in Bulgaria know
> something, does that imply that virus writers all over the world know
> it? 

Yes. I am getting virus collections from all over the world. Do you
know how many of them bear the signature of being downloaded from
Todor Todorov's BBS?

> For example, you learned (you say it was in 1990, but wasn't it
> really 1991?) that some Bulgarian virus writers were discussing the

It was early 1990.

> fragmentation attack.  Does that mean that virus writers in other
> parts of the world also know about it?  Perhaps you feel that it's
> safer to *assume* that they do, and that would justify your publi-

Yes, I think that it is safer to assume that they do.

> cizing it.  But isn't it possible that your assumption about they're
> all knowing the trick (or learning of it within a short time) is not
> correct, and if it isn't, then maybe you're doing more harm than good
> by publicizing it?  (Actually, the fragmentation attack was never a
> very practical threat, and won't even work on DOS 5 and up, but this
> is just an example.)

No, I don't think that it was dangerous to publicize it. For several
reasons:

1) As you are noting yourself, the attack is not a serious threat in
contemporary versions of DOS.

2) The attack is dangerous only against a particular kind of
anti-virus software - integrity checkers. I publicized it exactly when
this kind of integrity checker was becoming popular, in order to warn
their producers. If I had not done so, there was a good chance that
no producer of integrity checkers would try to thwart this attack in the
foreseeable future. This would have caused much more harm, even if the
bad guys had learned about the attack with some delay.

>   Secondly, I wonder if you're consistent in your criterion.  As you

I am, but I am trying to decide on a per-case basis...

> know, there are books (e.g. Burger's and Ludwig's), underground elec-
> tronic magazines (e.g. 40 Hex and Crypt), electronic forums (e.g.
> FidoNet), etc. which discuss such tricks.  If, as you state above, the
> good guys should be informed about whatever the bad guys already know,
> why don't you encourage everyone on this forum to read such publica-
> tions?

Burger's and Ludwig's books are crap - they don't teach you anything,
even how to write good viruses. They don't contain useful information,
so I don't recommend anybody to read them (unless they want to learn
how to write clumsy viruses, of course).

Some articles in 40-Hex are interesting. I wouldn't recommend the
-distribution- of this electronic magazine, because it contains
potentially harmful code (viruses in source or as DEBUG scripts), but
if some "good guy" already has it, I would recommend him/her to read
it. Besides other things, it shows how the (mostly US-based) virus
authors think and what can be expected from them. It also presents a
roughly correct picture of their knowledge, so we can figure out what
they already know and what they still don't.

>   Please don't misunderstand me.  I'm not criticising, but merely
> questioning.  At this stage all I'm trying to do is to get you to
> formulate a criterion which will cover those and only those actions
> which you really consider legitimate (taking into account the above
> two points).  Then we can discuss your criterion and compare it with
> alternative criteria.

I'm afraid that I cannot give you a general criterion. As I already
said, I am trying to decide on a per-case basis. In general, I am
trying to publicize anything that I have reasons to believe will cause
more good than harm. Of course, there still exists the possibility
that I am dead wrong, but only time can show this...

>   Btw, it should be noted that on Fidonet there appeared an article
> describing tricks which can be used by virus writers to prevent tra-
> cing and disassembly of their code.  The reason I mention this parti-
> cular article is that it appeared under the name of someone who has
> been contributing to this forum recently, Inbar Raz.  The article is
> called "Anti Debugging Tricks", and one of the virus writers found it
> useful enough to forward it to 40 Hex (Number 9).

Well, this does not mean that this article is harmful per se. As you
probably have noticed, all tricks described there are relatively
trivial to circumvent. Furthermore, anti-debugging techniques are
often used in implementing copy protection schemes (not that I
advocate the usage of copy protection, mind you). At last, some of my
articles have also appeared in 40-Hex (without permission, of course).
I hope this does not automatically classify me as a bad guy or 40-Hex
as a "good" publication... :-)

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 05 Apr 93 18:11:24 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Should viral tricks be publicized? (was: Integrity checking)

wolfie@netcom.com (Cinnamon DeWolf) writes:

> I think the concern over distributing viral 'tricks' to the public is one
> that is at the same time unfounded and justified. Unfounded in that it is
> doubtful that anyone on VIRUS-L is a major source of information about
> new viruses; if you want that go to your local 2600 meeting. The impact

I disagree with both claims. First, almost all world virus experts are
reading Virus-L/comp.virus and often contribute with useful comments.
So, if you need reliable technical information about viruses, it is
most probable to find it exactly here. Second, 2600 supports mainly
hacking (cracking, I mean), and, according to my own experience, most
good crackers are not good virus writers and vice versa.

> writers/would be writers read this newsgroup quite a bit. But the information
> you're concerned about you can get by downloading VSUM, reading many, many

Second disagreement. I disagree that you can learn anything dangerous
by reading VSUM. In fact, I disagree that you can learn anything
entirely correct about -any- virus-related subject by reading VSUM...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 05 Apr 93 14:59:17 -0400
From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
Subject: Sending viruses over Internet

When people send viruses to each other for research (or commercial)
purposes, how is it done? Internet mail? US Post Office?

My concern is that it would be easy for an untrustworthy Internet
node to trap all mail to/from a certain Internet address in order
to obtain virus code.

Of course, similar concerns exist for other networks like Fidonet
and local area networks as well.

And how does one determine if the person to whom you intended to
transmit the data is really a "bona fide" researcher, or even a
person at all? 

If some form of encryption is used (properly!), then that is a good
thing, but I am not able to help you determine the value of a
specific system.


------------------------------

Date:    Mon, 05 Apr 93 18:23:08 +0000
From:    swimmer@fbihh.informatik.uni-hamburg.de (Morton Swimmer)
Subject: Re: Best Net Antivirus (Novell)

keren@math.tau.ac.il (Keren Shmuel) writes:


>  Hello there

>  I am sorry if it is not the right place to ask this Q but i dont know
>   where else i can post it:

>  The Q is : what is the best AntiVirus for a net (NOVELL) today ?

Of course it is: Mine by ______________
                         ^ ^ ^ insert company name here :-)

Oh, and by the way my company is: S&S International (Deutschland) GmbH

Cheers, Morton
-- 
 ..morton swimmer..virus-test-center..university of hamburg....odenwaldstr. 9..
 ...2000.hamburg.20..frg........eunet: swimmer@fbihh.informatik.uni-hamburg.de.
 ...God grant me the solemnity to accept the things I cannot change/Courage to.
 .change the things I can/And the wisdom to tell the difference..R. Niehbuhr...

------------------------------

Date:    Mon, 05 Apr 93 15:16:10 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Catch from DIR? (PC)

antkow@eclipse.sheridanc.on.ca (Chris Antkow) writes:

> infected. When you do a DIR on an infected drive, it reads the FAT and
> displays it in the form of a directory.

:-). It certainly does NOT display the FAT in the form of a
directory... :-) It does read the FAT and interprets it, but only in
order to locate and read the contents of the current directory on the
floppy, which it displays in the form of a... directory, of course...
:-)

> No code is executed from the
> infected disk by doing a simple DIR.

Except that some code may be -interpreted-, which allows ANSI-bomb
type of attacks, but they are not of serious concern; see my other
message on this subject.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany
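
What "interpreted" means in the exchange above: DIR writes each name
through the console device, and with ANSI.SYS loaded an ESC [ ...
sequence embedded in a file name or volume label is executed by the
driver instead of being displayed. The sequence whose final byte is
"p" redefines a key, so a later keystroke can emit an arbitrary
command line. The following is an added example, not part of the
digest, that scans a directory listing for such sequences and
separates key redefinitions from harmless colour and cursor codes.
The listing is constructed; the normal DOS file-creation calls reject
control characters in names, so an entry like the second one would
have to be written with a sector editor (an assumption about how such
an entry gets onto a disk, not a claim about any real incident).

```python
ESC = "\x1b"


def find_ansi_sequences(text: str):
    """Return (start, end, final_byte, params) for every ESC [ ... <final> in text.
    Parameters may contain quoted strings (ANSI.SYS key redefinition uses them),
    so a letter inside quotes is not taken as the final byte."""
    found = []
    i = 0
    while i < len(text):
        if text.startswith(ESC + "[", i):
            j = i + 2
            in_string = False
            while j < len(text):
                c = text[j]
                if c == '"':
                    in_string = not in_string
                elif not in_string and "@" <= c <= "~":
                    break  # final byte found
                j += 1
            if j < len(text):
                found.append((i, j + 1, text[j], text[i + 2:j]))
                i = j + 1
                continue
        i += 1
    return found


def classify(final_byte: str) -> str:
    """'p' is ANSI.SYS's key-redefinition command (ESC [ code ; "string" p);
    everything else a DIR listing can trigger only changes the display."""
    return "key-redefinition" if final_byte == "p" else "display"


def scan_listing(names):
    """Map each name that carries ANSI sequences to the classes found in it."""
    report = {}
    for name in names:
        kinds = sorted({classify(final) for _, _, final, _ in find_ansi_sequences(name)})
        if kinds:
            report[name] = kinds
    return report


def strip_ansi(name: str) -> str:
    """What a safe DIR replacement would print: the name with sequences removed."""
    out, pos = [], 0
    for start, end, _, _ in find_ansi_sequences(name):
        out.append(name[pos:start])
        pos = end
    out.append(name[pos:])
    return "".join(out)


# Constructed listing. The second entry remaps key code 65 ('A') to a
# DEL command followed by Enter (0x0D); nothing here is taken from a real disk.
SAMPLE_LISTING = [
    "README.TXT",
    ESC + '[65;"DEL *.*' + "\r" + '"pX.COM',
    ESC + "[31mLABEL" + ESC + "[0m",
]
```

The display-only class is what makes these "not of serious concern" in
most cases; the key-redefinition class is the one worth refusing to
print, and strip_ansi shows the minimum a console-aware DIR would do.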

------------------------------

Date:    Mon, 05 Apr 93 15:21:17 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: CLEAN Recovery? (PC)

antkow@eclipse.sheridanc.on.ca (Chris Antkow) writes:

>  Their system was an old 8086 with a 30mb HD running DOS v3.1 (Yeah!
> OLD!). Stoned was nestled in the partition table... CLEAN did a great
> job getting rid of Stoned in the partition table, but it also did a
> great job of getting rid of the partition table...

A nice demonstration of the effects of not performing exact
identification when removing a virus...

>  My question is, is there any way of rebuilding a "CLEANed" partition
> table??? Wouldn't this be considered a rather LARGE bug on the part of
> CLEAN?

Try "clean c: /maint" and then "clean c: [genp]". The idea is to try
to create any plausible-looking partition table in the MBR (with the
first command; you might also use NDD with more success), and then
tell CLEAN to look for the "Generic Partition Table Virus". This
actually means that CLEAN is beginning to scan your disk for something
that looks like a saved copy of the MBR. Of course, if the virus has
encrypted it, you are simply out of luck, but with most Stoned
variants this is not the case.

>  Any feedback ASAP would be greatly appreciated...

Sorry for not replying at once, but I was not available on the net for
some time...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany
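
The recovery Vesselin describes (look through the first track for
something that resembles a saved copy of the original MBR, then put
its partition table back) can be reproduced offline on a raw disk
image. The following is an added example, not part of the digest and
not CLEAN's own logic; the image is constructed in memory, the
location of the saved copy (sector 7) and the geometry are assumptions
chosen for the sample, and the plausibility rules are the ones a
generic recovery tool would reasonably apply.

```python
import struct

SECTOR = 512


def parse_partition_table(sector: bytes):
    """Return the four 16-byte entries of a 512-byte sector as dicts, or None
    if the sector lacks the 55AA boot signature."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    entries = []
    for i in range(4):
        e = sector[446 + 16 * i:446 + 16 * (i + 1)]
        boot, _chs_start, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", e)
        entries.append({"boot": boot, "type": ptype, "lba": lba, "count": count})
    return entries


def plausible_partition_table(entries) -> bool:
    """Heuristics for a 'generic partition table': valid boot flags, at most one
    active entry, at least one used entry, used entries start past sector 0
    and do not overlap."""
    if entries is None:
        return False
    used = [e for e in entries if e["type"] != 0]
    if not used:
        return False
    if any(e["boot"] not in (0x00, 0x80) for e in entries):
        return False
    if sum(1 for e in entries if e["boot"] == 0x80) > 1:
        return False
    if any(e["lba"] == 0 or e["count"] == 0 for e in used):
        return False
    spans = sorted((e["lba"], e["lba"] + e["count"]) for e in used)
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            return False
    return True


def find_saved_mbr_candidates(image: bytes, max_sectors: int = 63):
    """Scan the first track (or up to max_sectors) of a raw image for sectors
    carrying a plausible partition table. Sector 0 is skipped: that is the
    one being repaired."""
    hits = []
    for n in range(1, min(max_sectors, len(image) // SECTOR)):
        sec = image[n * SECTOR:(n + 1) * SECTOR]
        if plausible_partition_table(parse_partition_table(sec)):
            hits.append(n)
    return hits


def restore_partition_table(image: bytes, source_sector: int) -> bytes:
    """Copy the 64-byte table and boot signature from the saved copy into
    sector 0, leaving sector 0's boot code as it is."""
    src = image[source_sector * SECTOR:(source_sector + 1) * SECTOR]
    mbr = bytearray(image[:SECTOR])
    mbr[446:512] = src[446:512]
    return bytes(mbr) + image[SECTOR:]


def build_sample_image() -> bytes:
    """Constructed sample: sector 0 has had its partition table wiped (as in
    the CLEAN mishap above) while the original MBR survives at sector 7.
    Sector 7 is an assumption for the sample, not a statement about where
    any particular Stoned variant keeps its copy."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x04, b"\x0f\x3f\x4f", 17, 61200)
    table = entry + b"\x00" * 48
    boot_code = b"\xfa\x33\xc0" + b"\x90" * 443
    original_mbr = boot_code + table + b"\x55\xaa"
    wiped_mbr = boot_code + b"\x00" * 64 + b"\x55\xaa"
    image = bytearray(SECTOR * 64)
    image[0:SECTOR] = wiped_mbr
    image[7 * SECTOR:8 * SECTOR] = original_mbr
    return bytes(image)
```

If the virus had stored the copy encrypted, both the 55AA check and
the entry plausibility test fail on it and the scan returns nothing;
that is the "out of luck" case in the reply, and the reason a real
tool should show the candidates it found rather than silently write
the first one back.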

------------------------------

Date:    Mon, 05 Apr 93 15:28:01 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: D2 virus (PC)

hitesh@sarang.iitb.ernet.in (Hitesh Shah) writes:

> I seem to have D2 virus on one of our machines and clean says it cannot
> safely recover command.com so I asked it to delete it. However, after I
> copy a clean command.com onto c: I still have D2 sitting there. Also

This is how McAfee's SCAN calls the Dir_II virus. According to my
experience, CLEAN -is- able to remove this virus reliably, at least it
was so the last time I tested it. Are you sure you booted from a
clean floppy first? If CLEAN is still unable to disinfect the virus,
it is either a new variant or a false positive (or a
misidentification). I'm not sure how exactly CLEAN identifies this
virus, but if it doesn't perform exact identification, the
consequences may be DISASTROUS! That is, you may lose all your
executable files.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 05 Apr 93 15:32:52 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: F-PROT and Novell (PC)

Michael_Kessler.Hum@mailgate.sfsu.edu writes:

> Until recently I have been using F-Prot's VIRSTOP on every networked 
> station, loading into memory through the autoexec.bat file.  However I have 
> just discovered that if I want to unload Novell's network drivers from 
> memory, I first must unload anything that was loaded after, such as 
> VIRSTOP.  I did not see anything in the documentation (Install.doc and 
> virstop.doc) which indicates that virstop can be removed from memory.  Does 
> anyone have any solution?

One solution is to use the MARK/RELEASE utilities or any other
equivalent TSR management tools. However, the question is - why do you
want to have an easy way to unload VirStop from memory? Or, more
exactly, why do you want to provide the viruses an easy way to remove
the anti-virus program from memory?

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 05 Apr 93 15:35:27 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: help-Maltese Amoeba (PC)

smasilam@midway.ecn.uoknor.edu (Senthilamudhan Masilamani) writes:

> 	A file I have is infected with the Maltese Amoeba. I installed
> Norton Desktop for Windows 2.0 and installed the Norton Anti-virus. For
> some stupid reason , I scanned a disk I had and NAV reported  
> a strain of the maltese amoeba. The latest McAfee scan did not report
> the virus (version 102?). Luckily I havent executed the .exe infected file

According to my tests, SCAN 102 -is- able to detect the Maltese_Amoeba
virus reliably. On the other hand, NAV 2.0 is known to cause a false
positive on this virus (recall the PKZIP 2.04f story). You almost
certainly do not have a virus. I would suggest that you contact your
local Symantec technical support and obtain an update for NAV - a fix
for that particular problem has been available from them for a long
time.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 05 Apr 93 15:38:38 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help with Michelangelo! (PC)

weis@elf.stuba.cs (Michal Weis (Infi)) writes:

> * Miki's action: on 6th March he (after rebooting) overwrites a disk with
> data from memory (address 5000:5000 - undefined bytes in memory). He
> overwrites the first 255 tracks of hard disk 0 completely (all sectors on all
> heads). It starts from track 0 (of course), up to 255 (if you didn't turn
> him off before he finishes...)

Sigh... I have yet to see a completely error-free description of what
the Stoned.Michelangelo.A virus actually does... In particular, there
are two mistakes in the above paragraph - the virus destroys only
sectors 1-17 on heads 0-3. On several kinds of hard disks this will
mean that there will be sectors left intact...

Nevertheless, trying to recover something after Mich has triggered is
a task that I wouldn't like to perform... :-)

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 05 Apr 93 15:46:47 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Int 21 fn 4bh (PC)

Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

> There are legitimate uses for DOS functions like Int 21 Fcn 4B. I disagree
> with "IR" who recently said that we should not be discussing the subfunctions
> of Int 21 fcn 4B. IR seemed concerned that it might help virus writers.

I've missed the original message, so I have no idea who "IR" is, but
such a suggestion doesn't seem very wise to me... The DOS functions
are documented more than well in Ralf Brown's Interrupt List. The
latest version is 34 and was recently uploaded to Simtel20, available
to anybody.

> This week I was exploring how to add an envelope around an EXE file in
> order to make the EXE file behave differently. Without going into
> excessive detail (I haven't figured it all out, either) I was trying
> to add "Loading, please wait..." to the start of an EXE. EXE header
> formats still confuse me, especially the fact that files can be
> bigger than DOS-addressable memory!

The full description of the EXE header (and of the NewEXE header, and
of many, many, other things) can be found in the source mentioned
above. As I wrote some time ago, the bad guys are already widely using
this wonderful source of information, so, please good guys :-), make
use of it too...

Anyway, adding a wrapper around the files is not something I would
recommend. There are many files that will stop working if "wrapped".
For instance, self-checking programs, Windows applications, huge
programs with internal overlay structure, programs with symbolic debug
information (this information will become invisible), etc.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany
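
The header fields that confuse the questioner are simple once laid
out. The following added example (mine, not from the digest and not
from Ralf Brown's list, which is where the layout is documented)
parses the 28-byte DOS EXE header, computes the size of the load
module and reports how much of the file lies beyond it. That surplus
answers the "bigger than DOS-addressable memory" puzzle: DOS loads
only the load module; overlays and data after it stay in the file and
the program reads them itself. The sample executable is constructed.

```python
import struct

MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


def parse_mz(data: bytes) -> dict:
    """Parse the DOS EXE header and derive the sizes DOS actually uses."""
    if len(data) < 28:
        raise ValueError("too short for an MZ header")
    h = dict(zip(MZ_FIELDS, struct.unpack("<2s13H", data[:28])))
    if h["e_magic"] not in (b"MZ", b"ZM"):  # DOS accepts both byte orders
        raise ValueError("not an MZ executable")
    # e_cp counts 512-byte pages; e_cblp is the number of bytes used in the
    # last page (0 means the last page is full).
    image_size = h["e_cp"] * 512 - ((512 - h["e_cblp"]) if h["e_cblp"] else 0)
    header_size = h["e_cparhdr"] * 16
    h["image_size"] = image_size
    h["load_module_size"] = image_size - header_size
    # Everything past image_size is overlay data DOS never loads; it is also
    # where an appending infector that forgot to update e_cp/e_cblp would end
    # up (and never run), which is why infectors rewrite these fields.
    h["overlay_size"] = max(0, len(data) - image_size)
    h["entry"] = (h["e_cs"], h["e_ip"])  # relative to the load segment
    h["new_exe"] = None
    if h["e_lfarlc"] >= 0x40 and len(data) >= 0x40:
        # Relocation table at 0x40 or later leaves room for e_lfanew at 0x3C.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        sig = data[e_lfanew:e_lfanew + 2]
        if sig in (b"NE", b"PE", b"LE", b"LX"):
            h["new_exe"] = sig.decode()
    return h


def header_matches_file(h: dict, data: bytes) -> bool:
    """True when the header describes exactly the file on disk, i.e. there is
    no overlay. A cheap integrity cue, not a virus test: legitimate overlay
    programs fail it by design."""
    return h["image_size"] == len(data)


def build_sample_exe() -> bytes:
    """Constructed sample: 32-byte header (2 paragraphs), 3 pages with 100
    bytes used in the last one (image 1124 bytes), then 376 overlay bytes."""
    hdr = struct.pack("<2s13H", b"MZ",
                      100,     # e_cblp
                      3,       # e_cp
                      0,       # e_crlc
                      2,       # e_cparhdr
                      0,       # e_minalloc
                      0xFFFF,  # e_maxalloc
                      0,       # e_ss
                      0x100,   # e_sp
                      0,       # e_csum
                      0,       # e_ip
                      0,       # e_cs
                      0x1C,    # e_lfarlc
                      0)       # e_ovno
    hdr += b"\x00" * (32 - len(hdr))
    load_module = b"\x90" * (1124 - 32)
    overlay = b"O" * 376
    return hdr + load_module + overlay
```

A wrapper of the kind the questioner is building changes e_cs/e_ip and
the image size, which is exactly why the reply warns that self-checking
programs and programs with their own overlay structure stop working:
both depend on these numbers staying as the linker wrote them.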

------------------------------

Date:    Mon, 05 Apr 93 15:53:13 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Is "Untouchable" (V-analist-3) effective? (PC)

chermesh@chen.bgu.ac.il (Ran Chermesh) writes:

>       Our department considers buying an anti virus package. High in the list
> is an Israeli product, sold in Israel under the name V-analyst-3 and in the US
> as Untouchable. The feature of most interest to us is the way this package
> claims to deal with future viruses. Since this feature can't be tested
> experimentally, the best way is to learn from the experience of others.

I like this package very much, although the part of it that I consider
to be best is the integrity checker, not the generic disinfector. The
generic disinfector is a very nice tool, but you should not rely on
it to automatically disinfect any virus. Read carefully the ads and
don't let them fool you - what they are actually saying is that if the
package happens to disinfect a file, it is guaranteed that the
restored image will be the same as the original, not that it is able
to disinfect files in 100% of the cases. Nevertheless, I highly
recommend the package. Install it and -use- it, especially the
integrity checker.

> experience with this feature of the package. Of most interest for us is your 
> experience with cases where the package FAILED to deliver the goods, meaning
> to rebuild a useful binary file.

The last time I checked, the generic disinfector was unable to recover
a file from any kind of virus that overwrites the beginning of the
file and stores the overwritten part ENCRYPTED at the end of the file.

You may also consider the generic disinfector in the TBAV package
(shareware, available from Simtel20). It might be a good idea to
combine the two programs together, although, as I mentioned, I don't
have much faith in generic disinfectors...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 05 Apr 93 16:00:30 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Loa Duong (PC)

A.APPLEYARD@fs1.mt.umist.ac.uk writes:

>   (1) What is the exact proper spelling of 'Loa Duong'? I have met 3 spellings
> so far.

The standard CARO name for this virus is Lao_Doung. I have no idea
where the name comes from. I know that McAfee is using a different
spelling.

>   (2) We had Loa Duong in a PC III (running DOS 3.10) in Manchester University
> (England), and I suspect that either it or the only antiviral that we use
> (VET) or both between them deleted some files.

Lao_Duong is a boot sector virus, thus the anti-virus program has no
job messing with the files when trying to disinfect it. And, the virus
does not delete any files. Something else should have caused the
deletion - probably a user error.

> Who issues VET?

Roger Riordan from Cybec, Australia, PO Box 205, Hampton VIC 3188,
Tel.: (03) 521-0655.

> In the end we resorted to the ultimate weapon: wiping and re-initializing the
> hard disk.

This is never necessary. A simple boot from a clean floppy and a SYS
C: would have fixed the problem for your hard disk...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 05 Apr 93 16:09:11 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: McAfee against f-prot virus programs (PC)

alpham@cirrus.SEAS.UCLA.EDU (Alan V. Pham) writes:

> Will you please give me your opinions/comparison between McAfee and f-prot
> computer virus program?  What are their advantages/disadvantages?

1) SCAN and F-Prot detect approximately the same amount of viruses;
F-Prot detects slightly more, according to my tests.

2) SCAN/VSHIELD provide some (crude and insecure) integrity checking,
F-Prot - none at all (yet).

3) F-Prot has MUCH better identification than SCAN.

4) F-Prot has MUCH, MUCH better disinfection than CLEAN.

5) F-Prot has much better detection of new variants of the known
viruses than SCAN.

6) F-Prot has MUCH, MUCH better classification of the viruses found
than SCAN.

7) F-Prot provides better information about the viruses it detects
than SCAN, although it is far from sufficient, IMHO.

8) F-Prot has both interactive and command-line user interface; SCAN
has only command line. (But many third-party shells for SCAN exist.)

9) SCAN+CLEAN+NETSCAN+VSHIELD costs $25+$35+$35+$25 for individual
use, F-Prot is free for individual use and costs $1 for corporate use.

10) There are probably some other minor differences - for instance, I
cannot load VirStop high with DR-DOS; dunno what the problem is...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 05 Apr 93 13:00:20 -0400
From:    "Francisco javier Fernandez" <FFERNAND@utfsm.bitnet>
Subject: Re: MSDOS 6.0 ... VSAFE and MSAV out of synch (PC)


Hi all!
    In the last Virus-L issue we read about the troubles of MSAV and VSAFE,
because "VSAFE detects a virus that MSAV doesn't!!!". Well, that's the
easiest way to explain the fact.
    It happened to me last week. VSAFE found a virus and MSAV didn't.
I reset my computer, starting it up without any CONFIG or AUTOEXEC.
I scanned the whole drive and memory and ... magically the virus was not found.
WHY??? (nice question). I have a theory.
All anti-virus programs have to encrypt their COMPARABLE STRINGS so as not to be detected
by others. Well, I think that VSAFE detects the string of the virus loaded
into memory by MSAV in the compare phase, or just by reading the MSAV files.
As VSAFE is a resident program, when MSAV decrypts its codes, VSAFE can
detect it.
    That's the most reasonable explanation I could find.
 Francisco J. Fernandez.....  comments -->   ffernand@loa.disca.utfsm.cl
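
Whatever the real cause in MSAV/VSAFE, the design point behind the
theory above is standard scanner practice: search strings kept in the
clear in the scanner's own files, or in a buffer another resident
monitor can read, get reported as infections by other products. The
following added example (not code from either product) shows a naive
scanner flagging its own signature file, and the same scanner with a
byte-wise XOR-obfuscated database that is decoded one pattern at a
time only while comparing. The search strings are constructed and are
not signatures of any real virus.

```python
# Constructed search strings; not signatures of any real virus.
SIGNATURES = {
    "Sample.A": bytes.fromhex("b8004ccd21e8"),
    "Sample.B": bytes.fromhex("cd13ebfe90fa"),
}


def serialize_db(sigs: dict) -> bytes:
    """What ends up on disk (or in a scratch buffer): name, '=', pattern, newline."""
    return b"".join(name.encode() + b"=" + pat + b"\n" for name, pat in sigs.items())


def scan(data: bytes, sigs: dict) -> list:
    """Naive scanner: plaintext patterns compared directly against the data."""
    return [name for name, pat in sigs.items() if pat in data]


def xor_bytes(b: bytes, key: int) -> bytes:
    return bytes(x ^ key for x in b)


def encode_db(sigs: dict, key: int) -> dict:
    """Obfuscate every pattern so the stored database contains no search string."""
    return {name: xor_bytes(pat, key) for name, pat in sigs.items()}


def scan_encoded(data: bytes, enc_sigs: dict, key: int) -> list:
    """Decode one pattern at a time, compare, and let the plaintext go out of
    scope. The database file never holds a plaintext pattern, so another
    scanner reading it sees nothing; only the momentary decoded copy exists,
    which is exactly the window a memory-watching monitor could still hit."""
    hits = []
    for name, enc in enc_sigs.items():
        pat = xor_bytes(enc, key)
        if pat in data:
            hits.append(name)
    return hits


def self_scan_report(key: int) -> dict:
    """Compare the two storage strategies against the scanner's own database."""
    plain_db = serialize_db(SIGNATURES)
    enc_sigs = encode_db(SIGNATURES, key)
    enc_db = serialize_db(enc_sigs)
    return {
        "plaintext_db_flagged_by_naive_scanner": scan(plain_db, SIGNATURES),
        "encoded_db_flagged_by_naive_scanner": scan(enc_db, SIGNATURES),
        "encoded_db_flagged_by_own_scanner": scan_encoded(enc_db, enc_sigs, key),
    }
```

XOR with a one-byte key is not secrecy, only a way to keep the raw
pattern out of files and long-lived buffers; the momentary decoded
copy in scan_encoded is the residue a resident monitor that reads
other programs' memory can still trip over, which is what the theory
above describes.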



------------------------------

Date:    Mon, 05 Apr 93 17:06:35 +0000
From:    cornet@zen.et.tudelft.nl (Jan-Pieter Cornet)
Subject: Re: Port Writes (PC)

Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) writes:

>A couple of days ago, I first succeeded in compiling and running a routine to 
>access disk using port writes only, therefore avoiding any interrupt 
>whatsoever.

>Is there any EXISTING control program to inhibit such access? If a virus were 
>to use port writes, no anti-virus shield would be able to stop it.

I think the virus will not work under OS/2, as a real operating system like
OS/2 shields the hardware from the user program. I'm not sure about other
operating systems. This absolutely requires a 386+, tho'

Also, will your virus work on 2.88M drives? SCSI drives? Wang/DEC/
other incompatible computers? (sold as IBM clones of course, not VAXes etc ;)

On the other hand I think there are a lot of viruses not able to replicate
on all systems... so on the majority of systems "your" virus will probably
be effective regardless of any virus shields.

-- Jan-Pieter
cornet@duteca.et.tudelft.nl



------------------------------

Date:    Mon, 05 Apr 93 16:53:42 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New (?) virus ? (2294) (PC)

v922340@hildebrand.si.hhs.nl (Ivar Snaaijer) writes:

> TBscan v5.10 Beta finds it, but this one says that it's the 2294 virus
> Could you tell me more ?

Well, it -is- 2294 bytes long. Uses variable encryption, memory
resident, takes 2448 bytes of memory, uses tunnelling (interrupt
tracing), has a critical error handler, infects COM and EXE files,
stealth, fast infector.

Infects only files that don't contain "SCAN" in their name and that
are bigger than 1388 bytes. The last two bytes of the infected files
are set to 1000h and the seconds field in their time of last update is
set to 56 - the virus uses these criteria for self-recognition.
Triggers about two months after the infection (the condition is a bit
complex; I haven't figured it exactly), slows down the computer,
garbles the printer output (again, from a fast browsing of the code I
couldn't tell what exactly gets changed), hooks the keyboard interrupt
(changes "0"s to "9"s?), overwrites parts of the hard disk, wipes the
CMOS, displays something ("TERMINATOR"?), etc. You'd better get rid of
it before it becomes too late...

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany
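
The self-recognition markers listed above (trailing word 1000h, seconds field 56, name without "SCAN", size above 1388 bytes) can be turned into a defender's triage check. The following Python is an added example, not code from the original post or from any scanner; it assumes 1000h is stored as a little-endian word at the end of the file and models the DOS seconds field as seconds/2 (so 56 is stored as 28), with constructed sample files.

```python
from dataclasses import dataclass

MIN_TARGET_SIZE = 1388   # the virus only infects files bigger than this
MARKER_WORD = 0x1000     # trailing word 1000h (assumed stored little-endian)
MARKER_SECONDS = 56      # seconds field of the last-update time after infection

@dataclass
class DosFile:
    """Minimal stand-in for a DOS directory entry plus file contents."""
    name: str       # 8.3 name as DOS stores it (upper case)
    data: bytes
    dos_time: int   # 16-bit DOS time word: hhhhh mmmmmm sssss, seconds stored /2

def make_dos_time(hour: int, minute: int, second: int) -> int:
    """Pack a time into DOS directory-entry format (2-second resolution)."""
    return (hour << 11) | (minute << 5) | (second // 2)

def dos_time_seconds(dos_time: int) -> int:
    """Unpack the seconds field; the low 5 bits hold seconds/2."""
    return (dos_time & 0x1F) * 2

def is_target(f: DosFile) -> bool:
    """Files the virus would infect at all: no "SCAN" in the name, > 1388 bytes."""
    return "SCAN" not in f.name.upper() and len(f.data) > MIN_TARGET_SIZE

def has_markers(f: DosFile) -> bool:
    """Both self-recognition markers present: trailing word 1000h, seconds == 56."""
    if len(f.data) < 2:
        return False
    tail = int.from_bytes(f.data[-2:], "little")
    return tail == MARKER_WORD and dos_time_seconds(f.dos_time) == MARKER_SECONDS

def classify(f: DosFile) -> str:
    """Triage verdict: markers on a file the virus would never infect are a coincidence."""
    if not has_markers(f):
        return "clean"
    return "suspect" if is_target(f) else "markers-only"

# Constructed samples, not real infected files
SAMPLES = [
    DosFile("EDIT.COM", b"\xB8\x00\x00" + b"\x90" * 2000, make_dos_time(9, 15, 10)),
    DosFile("GAME.EXE", b"MZ" + b"\x90" * 4000 + b"\x00\x10", make_dos_time(9, 15, 56)),
    DosFile("SCAN.EXE", b"MZ" + b"\x90" * 4000 + b"\x00\x10", make_dos_time(9, 15, 56)),
    DosFile("TINY.COM", b"\xC3" * 100 + b"\x00\x10", make_dos_time(9, 15, 56)),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.name:12} {classify(s)}")
```

A "markers-only" verdict is worth a second look with a real scanner, since the markers alone are not proof of infection on a file the virus would have skipped.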

------------------------------

Date:    Mon, 05 Apr 93 17:18:51 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Problems with DOS 6.0 Microsoft Anti-Virus (PC)

acrosby@uafhp..uark.edu (Albert Crosby) writes:

> WARNING:  MSAV CANNOT DETECT OR REMOVE SOME 1575/1591 VARIANTS. 

I'm afraid that this is not the only problem with MSAV... Users are
strongly advised NOT to rely on it and at least combine it with
something else... unless it causes false positives (very probable), in
which case they should simply throw it away...

> and instructed me to use MSAV to remove the infection.  But MSAV doesn't know
> about the virus!  THE MSAV AND THE VSAFE PROGRAMS ARE OUT OF SYNCH.  THIS
> POINTS TO A POTENTIAL MAJOR FLAW WITH MSAV/VSAFE.  

Major? Just because it does not know about a particular widespread
virus? C'mon, you are kidding... How about CRASHING when scanning some
files, how about the easy way to remove the resident part from memory
(8 bytes of code can do that), how about many other things...

> At least MS promises upgrades to the detection portion from their bulletin
> board.  They *DO NOT* explicitly promise these to be free.  No charges are

At the CeBIT'93 show, the MS guy told us that the first two upgrades
will be free. To the question what are the users going to do after
that (that is, two months after), he basically replied that, what do
you want, you get two upgrades for free, if you want more, you'll have
to pay for it...

> the next will follow in 3-4 months.  Implication:  Microsoft KNOWS that the
> MSAV product included with DOS 6.0 is insufficient and wants an extra $9.95

At the CeBIT'93 show I demonstrated to another (technical) Microsoft
guy that the product is rather bad and unreliable (I asked him to scan
a diskette and guess what, the scanner crashed). He replied essentially
that, look, we've got that product from Central Point Software and we
haven't introduced any changes in it, so blame CPS. I hope that this
is not an official MS statement....

> *NOW* to make it right.  IMHO, that is poor business practices, especially
> where something as serious as anti-virus software is concerned.

IMNSHO, the whole DOS 6.0 is an atrocity that has to be deleted
before it has caused any harm... I'm speaking only for myself, of
course...

> Personally, I think Frisk and McAfee can rest assured.  I, for one, CANNOT

Yes, DOS 6.0 has definitively created more market for the AV people...
And for the data recovery people too...

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 05 Apr 93 17:33:23 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Proffesional Group Virusized ! (PC)

mac%utkvx.BITNET@utkvm1.utk.edu (Richard J. McDougald) writes:

> 500 members) with the Michelangelo Virus as a free bonus!  Was detected
> quickly (mass mailing went out) and haven't heard of anyone losing their
> whole shebang, but it was real all right (one guy intentionally tried it
> on an old XT he didn't mind reformatting and also on a spare hard drive
> for his 386 and sure enough, ol' Mikie made scrambled eggs of them!)

Uh, wait a minute... Mich uses INT 1Ah to get the current date, so it
usually does not trigger on XTs... Or did yours have some kind of CMOS
clock?

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 05 Apr 93 13:38:58 -0400
From:    John Kida (jhk) (Vienna) <jhk@washington.ssds.COM>
Subject: Status of victor charlie (PC)

Is Victor Charlie 5.0 now shareware?
The last package I reviewed I thought was commercial?

 +----------------------------------+----------------------------------------+
 |  John H. Kida                    |  Voice:   (919) 867-7738               |
 |  Network Administrator           |  Data :   (919) 867-0754               |
 |  SSDS, Inc. (Remote)             +----------------------------------------+
 |  601 Dashland Ave.               |  Internet:  jhk@washington.ssds.com    |
 |  Fayetteville, N.C.  28303       |  UUCP    :  !uunet!ssds!jhk            |
 +----------------------------------+----------------------------------------+


------------------------------

Date:    Mon, 05 Apr 93 17:35:47 +0000
From:    cornet@zen.et.tudelft.nl (Jan-Pieter Cornet)
Subject: Re: Scanners and exe/com file compressors (PC)

shakib.otaqui@almac.co.uk (Shakib Otaqui) writes:

> 1070056@SAPHIR.ULAVAL.CA (PATRICK A. MORIN) writes:
>> To answer your question, yes scanners (at least McAfee) do
>> unpack/decompress programs. I have tested it with PKLite
>> (shareware), I PKLited an infected program and Scan v100 found it
>> with no problem,I do not know about the professional version of
>> PKLite, but, there is a BUT, If the PKLite header were to be
>> trashed...then Scan would not know to decompress the program. It
>> would then miss completely the virus. 

> ...
>  Investigation showed that the file was compressed with PKLite
>  1.15, and that a hex editor was used to replace the PKLite
>  signature with null characters.  This apparently defeated SCAN,
>  which treated it as an ordinary file.  After uncompressing the
>  file with PKLite, one user said SCAN apparently identified it as a
>  virus, though I suspect it's more likely to be a trojan.

I would like to make you aware of the DISLITE program that I wrote.
This program is able to undo ANY pklite compression, regardless of
the "PKLITE" signature. Also, you are able to recognise PKLITEd
executables using this program.

Allow me to quote a few lines from the recent upload announcement:

| I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:
|
| pd1:<msdos.execomp>
| DISLT115.ZIP    DISLITE, expands all PKLITEd files to original
| 
| DISLITE expands all programs compressed by PKLITE to their original
| image.  Expanding your files has many benefits over leaving them in
| their compressed state.
| 
| Most important, the uncompressed image can be examined by other
| tools, such as virus scanners.  A regular virus scanner can never
| detect a virus embedded in a compressed file (unless by executing
| and checking for suspicious actions), but on the uncompressed image
| a much faster pattern matching algorithm can be used.
| 
...
| This version has the following improvements over the previous version:
| 
...
| - Has better detection of PKLITEd executables than other utilities,
|   DISLITE does not need the "PKLITE" identification string in the
|   header, unlike most other utilities (like CHK4LITE)
| - Has an option to only list the version of PKLITE that compressed
|   the file.
...

- -- Jan-Pieter
cornet@duteca.et.tudelft.nl

------------------------------

Date:    Mon, 05 Apr 93 18:17:00 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virstop 2.07 (PC)

u920400@daimi.aau.dk (Thorbjørn Tau Christensen) writes:

> VIRSTOP is a memory resident program that prevents things like
> Editing Interrupts, like Ctrl-Alt-Break.. Which is what windows
> does!

I'm afraid that you are mistaken. VirStop is essentially a resident
scanner, that is, a program that does not allow you to execute a
program which contains a scan string for some of the known viruses.

> The VIRSTOP program is exceptional to stop viruses before they
> do any harm, but they have a little problem! It does not only
> prevent viruses from doing something spooky !!!

You seem to think that VirStop is a monitoring program; that is, that
it does not allow the viruses to perform dangerous actions. This is
not the case; it just prevents the infected programs from being executed in
the first place. Once the (unknown) virus is executed, nothing can
prevent it from doing whatever it wishes... Well, the last statement
is a bit too hard, but it is, essentially, true...

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 05 Apr 93 18:21:39 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: What is the Genb or Form Virus??? (PC)

crk5@vm2.cis.pitt.edu writes:

> Yesterday one of our machines contracted the Genb virus at boot up.  When I
> cleaned it off it said that is was the Form virus.  I suppose one is a
> variant of the other.  I have not been able to find any information on
> either of these viruses and what they do, or how dangerous they are.

I'm sorry for you, but Genb means essentially "Generic Boot Sector
Virus". In practice, this means that SCAN has found one of the two
wildcard scan strings it uses for that purpose in the DOS boot sector.
Due to the total lack of exact identification in SCAN, it can mean
anything, including a new Form variant. The only thing that is sure is
that it is very probably indeed a virus (i.e., not a false positive).
In order to tell you more, I'll have to see the virus itself, since,
as I told you, SCAN's identification cannot be trusted, especially in
this case.

However, you'll probably be able to use "clean c: [genb]" to disinfect
the virus. Not guaranteed to succeed, but very probable to. If it
fails, try SYS C:. After booting from a clean floppy, of course...

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 05 Apr 93 18:30:39 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: damaged Anti Telefonica Boot virus (PC)

8326442%AWIWUW11@helios.edvz.univie.ac.at (Martin Zejma) writes:

> So the question once again : is MY sample buggy or ALL samples ?

I think that YOUR sample is buggy.

> showing a small snapshot from the code. The first damage is located in
> the BR-part, at offset f7-fc the sequence '8a 8e a9 c7 00 00' is found

My sample contains 8A EB 8A 16 EC 00 there.

> ,meaning IMHO just @#$@%.  And the second damage is a single misplaced
> bit in the 2nd part at offset 3a-3d where instead of '8a 16 ec 00' '8a
> 17 ec 00' is found.

Mine also contains 16 instead of 17. Which shows me that you are
talking about Kampana_Boot.C. The .B variant contains something
entirely different in the first part and the .A variant (the most
widespread one) contains something rather different in the second
part.

> I think nobody can retrieve any useful information out of this, if he/she
> hasn't got the virus itself.

Well, in general, it could tell the author of a buggy virus where the
bugs are and how to correct them, but in this particular case it is
not dangerous.

> Scan 102 detects it as Anti-Tel, F-Prot 2.07 as possible new variant of Campan

Yes, F-Prot calls both the .B and .C variants "new variants" (and is
correct, of course). SCAN doesn't bother to identify the virus exactly
(as usual).

There is a remote possibility that you have a "natural" mutation of
the .C variant (that is, a virus naturally corrupted in the
replication process, which is nevertheless functional), but I am
unable to tell you more without seeing the virus itself.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 58]
*****************************************
