To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #64
--------
VIRUS-L Digest   Friday, 16 Apr 1993    Volume 6 : Issue 64

Today's Topics:

Re: Sending viruses over Internet/Fidonet
Re: Beneficial/Non-Destructive
Re: Survey
Re: Scanners getting bigger and slower
Macintosh [and non-PC] Postings
Re: Should viral tricks be publicized?
What is a fragmentation virus
Re: Censorship/40-Hex
Removing PingPong virus from boot sectors (PC)
VSUM (PC)
McAfee latest version (PC)
Re: VSUM (PC)
Re: gerbil.doc virus (PC)
Re: Help with Michelangelo! (PC)
Re: "DIR" infection, or "Can internal commands infect" (PC)
Re: Censorship/40-Hex (PC)
Re: "DIR" infection, or "Can internal commands infect" (PC)
Re: McAfee latest version (PC)
Re: New (?) virus ? (2294) (PC)
Re: Scanners and exe/com (PC)
Re: Scanners and exe/com (PC)
Virus Defense Activated - System Halted ??? (PC)
re: Virus Buster (PC)
FTP Available Virus Protection (PC)
Single state machines and warm reboots (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Wed, 14 Apr 93 12:06:06 -0400
From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
Subject: Re: Sending viruses over Internet/Fidonet

One additional concern that I have with Fidonet is that there has
been at least one "bug"(?) in a Fidonet program which allowed the
author(s?) of the well-respected program to log in to any BBS
running their software as a privileged user. Naughty stuff. I s'pose
life is a risk, though.

I liked David Hanson's argument with VB that people should have
access to 40-Hex. May I suggest that the good guys at least limit
distribution of 40-hex to poor quality photocopies (to prevent
scanning) and keep a master copy of the good-guy mailing list. Okay,
that idea causes extra work, but it would help to prevent the
spread of the rag to anonymous bad guys, at least electronically.
Personally, I would think it is fair to email it to anyone with
a government Internet address (is this reasonable?) or to anyone
that one thinks is probably a good guy. Life's a risk.

Of course, I have not yet seen 40-Hex. If it also contains material
on how to commit crimes (eg, I have seen an email mag which tells
people how to commit murders) then I may change my mind. Somehow
I don't think writing a virus is as bad as committing a murder.
Right now I would equate virus magazines with gun magazines. In
theory, no harm done. 

------------------------------

Date:    Thu, 15 Apr 93 09:13:24 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Beneficial/Non-Destructive

kari.laine@compart.fi (Kari Laine) writes:

> First if virus would come to my system and start infecting my
> programs I wouldn't like that all and when I noticed it I would
> SWAT it. Because I am sure it would cause some problems with
> my existing hardware and software and if for example it would
> have some problems with my cache-program and I wouldn't notice
> that it would possibly ruin my data - and that not so nice thing
> to do.

Don't be so sure... Suppose that the beneficial virus does the
following:

1) Modifies only one executable file on your system.
2) This file is an anti-virus program.
3) The modification consists of replacing the program with a newer
copy.
4) The virus infects your computer when you log to the LAN server.
5) The virus has been installed on the LAN server by the LAN
administrator.
6) The LAN owner has a policy that no workstations are allowed to log
in unless they are running the latest version of this particular
anti-virus software.
7) The virus (actually a worm - it does not "attach" itself to
programs and spreads via networks) does not do anything else.
8) The whole thing is marketed by the producer of the anti-virus
software not as a virus, but as "a centralized method for automatic
update of the software on the workstations".

I guess, you won't SWAT a virus like that, unless you want to lose
your right to use the LAN. I don't see any kind of damage that a virus
like that could cause, at least not more damage than any other piece
of software that you run from the server. And there is a clear
beneficial effect - all workstations automatically get updated copies
of the latest version of the anti-virus software, so you don't need to
update them manually.

> Second, if we think we would have such a beneficial virus (huh)
> there is a problem with support. What do you think would happen
> If I have this 'beneficial' virus in my system and everything
> is working fine. Then after some period I am starting to get
> problems with other software. When I call the supportline of
> this software maker I am sure they will say "Hey get first rid
> of that virus and THEN after that call here when you have
> a clean system".

How is this different with any other piece of software? I am running
DR-DOS 6.0 and have problems with some programs. The producers of
those programs are telling me "Sorry, that's probably a problem with
DR-DOS, get rid of that first".

In your particular case, you report the problem to your LAN
administrator. He either fixes the problem, or reports it to the
producer of the virus. The producer either ships a fix, or the LAN
admin deinstalls the virus from the server. What is so problematic
with this? The main problem is in your mind, because you are afraid of
the word "virus"; if it is sold to you as something else, you'll
happily use it...

> Other point to this is that if there is a need for certain
> kind of a software why not make 'normal' version of that
> and distribute it like ShareWare or PD.

What does "normal" mean? I am speaking about normal programs, sold by
Central Point Software, Fifth Generation Systems, etc. The
self-spreading across LANs capability is a very useful and necessary
feature.

> So actually I am asking you what would be that kind of a need
> that you have to do it viruslike? I can't think of any. And
> the benefits of using viruslike methods have to be so big
> that they make up for the trouble caused by viruslike distribution
> of software.

The main problem is that when talking about beneficial viruses, most
people think about what is well-known to be a virus (something nasty
that spreads without your permission and often destroys something) and
then try to fit it into the frame "beneficial". Of course it doesn't
fit. Instead, it should be the other way around - think of what is
beneficial (good user interface, you have full control of it, performs
useful functions) and then try to add virus-like capabilities to it
(i.e. self replication) without losing any of the beneficial
capabilities. Additionally, for the peace of mind of the general
public, don't call it "virus", but something more sophisticated et
voila!

> And lets take an example if there is that kind of a beneficial
> program that is distributed like a virus. Then when I got
> software from someone they have to tell me whether they are
> infected by this 'beneficial' virus or not otherwise I would
> sue them.

Of course they are telling you. The virus itself is telling you. It
says "An old version of this software has been found; the policy of
this LAN allows you to log in only if you are running the latest
version of the software. Do you want me to update your software or to
log you out?" You can't sue them, because the owner of the LAN has the
full right to decide what the policy is - even if it is to format your
hard disk before allowing you to log in. If you don't like it - just
don't use the LAN. Of course, it has to warn you before performing the
action and must allow you the choice to deny the action and not to log
in.

> If you want information about this subject try to locate
> material from Fred Cohen who has been writing about this
> a long time and then there has been articles in Virus Bulletin
> and Virus News International and I have a feeling that Vesselin wrote
> something about this a some time ago.

I am afraid that the publications in VB and VNI have not paid enough
attention to what Dr. Cohen talks about... On the other side, he often
commits the mistake to think that some things are "obvious" to 
everybody, if they are obvious to him...

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    15 Apr 93 13:05:38 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Survey


mdallin@lamar.ColoState.EDU (ABCDefghIJKLm) writes:

>To research it, I decided to throw together a survey, and send it to three
>places - a general all interest network, a bbs with frequent up/downloads,
>and to the experts on viruses (here).

I have one comment on two of the questions in the survey:

>2.  Do you believe that some countries write viruses designed to infiltrate
>    computers in other countries?

Well, as countries don't write viruses, but people do, this question can
be assumed to mean either:

2.  Do you believe that programmers in some countries write viruses designed
    to infiltrate computers in other countries?

or

2.  Do you believe that it is an official policy in some countries to write
    viruses designed to infiltrate computers in other countries?

You should clarify what you mean....

- -frisk
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    15 Apr 93 13:43:34 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Scanners getting bigger and slower


Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) writes:

>But still, the more viruses there are, the more time you'll have to spend 
>searching, or, to put it in other words, there are more things to search for.
>in every scanned file, that is, exclusive of various 'Turbo Scanning' 
>techniques...)

True, but as I said, one can significantly increase the number of viruses
that a program searches for, without affecting the speed noticeably.
 
>disinfector. Maybe a generic scanner, but what good is a scanner without a 
>disinfector?

Generic disinfectors exist...

- -frisk
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Thu, 15 Apr 93 10:12:42 -0400
From:    "Charles A. Patrick" <PATCHAS@VM.NRC.CA>
Subject: Macintosh [and non-PC] Postings

Of late I have noticed that there has been a distinct dearth of postings
about NON-PC's. In particular, I have seen no postings about Macintosh virii.
Certainly I have no recollection of postings about the most recent one that
precipitated version 3.1 of Disinfectant.

Has there been some change in policy? Is there an alternative forum for
Macintosh virii? If a policy change was announced, it is very likely that I
missed it since I (CHAGRIN) rarely read the administrivia issues.

If it is indeed the case that postings for Macintosh virii will no longer be
listed, please take my address off the mailing list. But please point me to
the new Macintosh forum.

[Moderator's note: No change in policy at all; the content of the
group is what the contributors make it to be.  If you'd like to see
more Mac postings, then please submit postings.]

Thank you.


------------------------------

Date:    Thu, 15 Apr 93 11:40:54 -0400
From:    Y. Radai <RADAI@vms.huji.ac.il>
Subject: Re: Should viral tricks be publicized?

 Inbar Raz writes:
> I work as a programmer, as you probably know, and the main field I work in is
> Data Security. ....
> really a matter of being loyal, obedient and trustful ....
> ... if you don't trust your people, ....

Forgive me for yanking these words completely out of the context in
which you wrote them, but still, all this talk of TRUST, etc. reminds
me of something I wrote a few weeks ago:

>>   Btw, it should be noted that on Fidonet there appeared an article
>> describing tricks which can be used by virus writers to prevent tracing
>> and disassembly of their code.  The reason I mention this particular
>> article is that it appeared under the name of someone who has
>> been contributing to this forum recently, Inbar Raz.  The article is
>> called "Anti Debugging Tricks", and one of the virus writers found it
>> useful enough to forward it to 40 Hex (Number 9).

It's true that Vesselin has expressed the opinion that all tricks
described in your article are relatively trivial to circumvent.
However, that's irrelevant from my point of view.  It's hard for me to
imagine that anyone who wrote such an article could have had any
intention other than to help the *virus writers*, not the AV people.
Do you care to deny that? (or do I have to quote passages from it to
prove my point?)  I have absolutely no complaints about the postings
that you have submitted so far to the present forum.  Nevertheless, it
seems very strange to me that while you continue to submit articles on
other subjects, you do not (unless I've missed some posting of yours)
have a *single word of explanation* to offer on the above matter,
which concerns you so personally.  Isn't your silence an admission of
guilt, Inbar ...?

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL


------------------------------

Date:    Thu, 15 Apr 93 11:05:30 -0600
From:    ST29701@vm.cc.latech.edu
Subject: What is a fragmentation virus

I have an old copy of the FAQ so please tell me if the answer to this
question is in the current version of the FAQ.
 
I have heard people talking about a new type of virus and a way for it to
hide.  They called it a fragmentation virus (this is not the name
of a particular virus but a type of virus).
 
Could someone give a detailed explanation of this?
You can post the message here so others can see or send it to me  directly.
 
Thanks
Alan
 

------------------------------

Date:    Thu, 15 Apr 93 12:46:53 -0400
From:    "Steven W. Smith" <SMITH_S@gc.maricopa.edu>
Subject: Re: Censorship/40-Hex

  David Hanson wrote:
> 
>How about distribution of a "clean" version of 40-Hex to the "good" guys?
>ie., Strip it of code, but leave comments and pseudocode.
..
>This would be censorship, of course, but it certainly has an element of
>reason missing from the fear response of total censorship.
> 
>Comments?
> 
  OK, but only if you promise there won't be any code _OR_ naughty words.
Maybe we could get Tipper Gore to do the editing, eh?  (note to the humorless:
that was a joke.)
  In my opinion, "partial censorship" reeks as badly as, if not worse than, total
censorship.  I've wondered where 40-Hex comes from, I'd read it, and I've got a
career that I wouldn't flush down the toilet by doing something as stupid as
releasing computer viruses.
  If you think an electronic publication like 40-Hex is "dangerous" I think 
you've led a sheltered existence (no offense intended).  If you want a truly
dangerous document, consider the _U.S. Army Improvised Munitions Handbook_ - 
available to any yahoo with $9.95.

  _,_/|   Steven W. Smith, Programmer/Analyst
  \o.O;   Glendale Community College, Glendale Az. USA
 =(___)=  SMITH_S@GC.BITNET
    U     smith_s@gc.maricopa.edu
"Barney must not be allowed to reproduce"


------------------------------

Date:    Wed, 14 Apr 93 14:11:57 +0000
From:    dnebing@andy.bgsu.edu (Dave Nebinger)
Subject: Removing PingPong virus from boot sectors (PC)


  One of the IBM's that I manage has pingpong virus in the boot blocks of
the hard drive.  I have Norton's AntiVirus, but it will not remove it.  What
do I have to do to remove the pingpong virus, or is it really nothing to
worry about?

Dave Nebinger
dnebing@andy.bgsu.edu
Biology Network Manager

------------------------------

Date:    Wed, 14 Apr 93 16:37:10 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: VSUM (PC)

I have recently seen the new version of VSUM (currently VSUMX303) and
must say that the user interface is much improved, particularly the
part that lets you search the database for a particular string, I
do not need to use LIST to examine the H! any more (also there is
no more H!, been replaced by an .XDB). 

Detractors say that it is flawed in the same way that Ralf Brown's
interrupt list is flawed and it does have errors but I cannot think
of anything today that is perfect - certainly if you have to ask, it
is a good place to start.

I do still miss the old printable flat ASCII file but that was when
VSUM still fit on a single 360k floppy. Today the hypercard-type
file occupies nearly 2 Mb of disk space and I suppose that LIST on
an XT might complete a search in my lifetime but one never knows.

For those on the net, it is available via anonymous FTP from mcafee.com
or can be downloaded from many sources but be advised, even compressed
it is over 800k - bare 2400 baud will take nearly an hour.

Last year I heard about several other compilations "in the works" but
have not seen any yet so at least for now it is still an essential work.

					Warmly,
						Padgett


------------------------------

Date:    Wed, 14 Apr 93 22:59:55 -0400
From:    Mikael Larsson <mikael@vhc.se>
Subject: McAfee latest version (PC)

lastort@access.digex.com (Mike Lastort) writes:

Hello Mike,

> I was just wondering if there was an address where McAfee's programs are
> available through Internet. I used to subscribe to Compu$$erve but have
> given up that habit when I got this account. Any info on how to ftp
> McAfee's programs would be greatly appreciated.

Yes, McAfee Associates themselves have setup an FTP site where you
can get the files.. the address is mcafee.com [192.187.128.1] and
the antivirus files are to be found in pub/antivirus - You can also find
their utilities in pub/utilities.

If you have any problems with the program you can either mail to mcafee
at support@mcafee.com or mail to me (mikael@vhc.se) since I am
authorized McAfee Agent in Sweden.

Best Regards,

MiL

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre     Phone:  +46-26 275740   Email: mikael@vhc.se
Box 7018              Fax:    +46-26 275720   or   : mikael@abacus.hgs.se
S-811 07  Sandviken   BBS #1: +46-26 275710   Fido : 2:205/204 & 2:205/234
Sweden                BBS #2: +46-26 275715   Authorized McAfee Agent!

------------------------------

Date:    Wed, 14 Apr 93 22:59:44 -0400
From:    Mikael Larsson <mikael@vhc.se>
Subject: Re: VSUM (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> It for sure cannot contain "info about all known viruses", because
> new viruses appear averagely three per day and it is updated monthly.
> But this is not the only problem - I have found almost all articles in
> VSUM to be very inaccurate, incomplete, verbose, and just plain
> wrong... So, no, I don't agree that it can be considered to be quite
> good...

Well, Okay, I maybe expressed myself a bit dizzy, but I still think it
is quite good for the average user - Okay, not for us who know a lot
about viruses, but for the "common-people" I think VSUM can be used with
great satisfaction - even though it contains inaccurate information in
some cases.

What do you recommend as a better alternative, instead of VSUM then?

MiL



- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre     Phone:  +46-26 275740   Email: mikael@vhc.se
Box 7018              Fax:    +46-26 275720   or   : mikael@abacus.hgs.se
S-811 07  Sandviken   BBS #1: +46-26 275710   Fido : 2:205/204 & 2:205/234
Sweden                BBS #2: +46-26 275715   Authorized McAfee Agent!


------------------------------

Date:    Thu, 15 Apr 93 05:43:08 +0000
From:    s9106568@sandcastle.cosc.brocku.ca (PAUL NOLL)
Subject: Re: gerbil.doc virus (PC)

Paul Ducklin (duck@nuustak.csir.co.za) wrote:

: Thus spake colcloug%helios.usq.edu.au@zeus.usq.edu.au (Steven Colclough):

: >anyone come across this one?  The gerbil.doc virus?

: >takes a text file, turns it into rubbish and at the top it says
: >gerbil.doc.

: This was one of the early Crazy Stories About Viruses which made it
: into print -- in Computers and Security about three years back, as
: I recall, under a title like "The Case of the Gerbil Virus That 
: Wasn't", or some such.

: [Moderator's note: I remember it now; the article was written by Ray
: Glath, and it described a (non)incident that was reported to him.  The
: bottom line was that no such virus existed.]

: Software problem combined with an old, internal pre-release name
: ["gerbil"] never mentioned in the manual, if my memory serves me.

- --

I have read the article doing research on computer viruses for a University
report.  You are correct.  Something about the program writing gerbil
to file names if my memory is correct, but which word processor was it again?

Be Seeing You.

###############################################################
        " We live on a placid island of ignorance,
          in the midst of black seas of infinity,
          and it was not meant that we should 
          voyage far ... !  "
            --  H. P. Lovecraft (1890 - 1937)

Paul Noll                   s9106568@sandcastle.cosc.BrockU.ca
###############################################################



------------------------------

Date:    15 Apr 93 08:26:45 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Help with Michelangelo! (PC)


Robert_Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner) writes:


>But the result is the same : you have to format your drive.

No, not always.  I have been able to recover practically everything from some
Michelangelo-trashed drives, by rebuilding the MBR and DOS boot sector
manually, and using programs like NDD to recover the FAT.

However,  in general this will only work if (a) the drive is large and (b)
if the computer was rebooted, or turned off before the virus got a chance to
overwrite all tracks.

This is time-consuming and difficult - and should only be attempted if no 
decent backup exists.

- -frisk


- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    15 Apr 93 08:30:14 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: "DIR" infection, or "Can internal commands infect" (PC)


Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes:

>unreported). There is a reason for all that: every program that needs more
>memory MAY overwrite the TRANSIENT part in memory (so more memory is available
>to programs).

Small correction:  Some TSRs may NOT overwrite that part, if they may get
called while COMMAND.COM is active.  This includes all programs that
intercept INT 21, AH=4B, some INT 2FH functions etc...

- -frisk

- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Thu, 15 Apr 93 09:41:28 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Censorship/40-Hex (PC)

afrc-mis@augsburg-emh1.army.mil (David Hanson) writes:

> How about distribution of a "clean" version of 40-Hex to the "good" guys?
> ie., Strip it of code, but leave comments and pseudocode.

And to have the "bad guys" suing the "good guys" for breach of
copyright or something like that? Black is white. White is black.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 15 Apr 93 09:43:10 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: "DIR" infection, or "Can internal commands infect" (PC)

Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes:

> VB:
>  > DIR is an internal command and is executed by the currently loaded
>  > command interpreter. It DOES NOT require reloading of the command
>  > interpreter. Thus, even if the command interpreter on the floppy
>  > is infected, it WILL NOT be loaded (and executed) if you
>  > do a DIR on that floppy. Therefore, you CANNOT get infected this way.

> This is only partially true because of the following:

It is ENTIRELY true.

> COMMAND.COM is divided into 3 major parts:

[excellent description deleted]

> In conclusion: If you use a floppy drive system (assuming you've booted from 
> it) and you type "DIR" it is possible (but not likely) that the TSR part of
> COMMAND.COM will try to load the TRANSIENT part from the infected floppy. 

Wrong. It doesn't follow at all from your description. COMMAND.COM
computes a checksum of the transient part and verifies it each time it
displays the prompt. That is, after each program termination. EXTERNAL
program. Any program can destroy the transient part of the command
interpreter, but it will be reloaded right after this external program
terminates. And it will be reloaded from your boot disk, BTW, not from
the current one. (Well, more exactly, from the place pointed to by the
COMSPEC variable.) During the reload, the checksum will be re-computed
and DOS will keep insisting that you supply the real thing until the
checksum matches. That's why you cannot use a different version of the
command interpreter, even if you change COMSPEC to point to it. (You
CAN use a different -copy- of the same command interpreter, located
somewhere else, if you change the COMSPEC variable.)

However, the DIR command is internal and its execution does NOT
destroy the transient part of COMMAND.COM, therefore it NEVER causes
its reloading.

> However: to infect the TRANSIENT part alone in such a way
> that the TSR will load exactly what you want is an un-easy task (however 
> possible), but the *INFECTED* COMMAND.COM should be present at boot time since
> the TSR knows the file it is using to refresh the TRANSIENT by means of a
> CHECKSUM generated at first loading.

That's true, but we are talking about the DIR command performing this.
It is IMPOSSIBLE.

> Thus: simply switching COMMAND.COM to an infected one (after the system is 
> already booted) will not suffice.

More exactly, switching to an infected (or otherwise prepared)
diskette that contains COMMAND.COM and using DIR to view the contents
of the directory of this diskette WILL NOT cause reloading of the
transient part of COMMAND.COM from the diskette and will not cause
infection of the computer. (Except the simple case with an ANSI bomb,
which I already discussed.)

> My conclusion is also that it is not possible (in normal conditions) to get
> infected just by typing "DIR".

It is not possible under any conditions (ANSI stupidities excluded).

> I think I explained above how you *might* execute some code by "DIR".

Nope, you didn't. I challenge you to describe to me a reproducible
situation in which executing the internal DIR command (on an
uninfected system and no ANSI keyboard programmability) will cause
reloading of the command interpreter from the diskette that is being
examined.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 15 Apr 93 06:50:49 +0000
From:    fabbr001@staff.tc.umn.edu ()
Subject: Re: McAfee latest version (PC)

lastort@access.digex.com (Mike Lastort) writes:

>I was just wondering if there was an address where McAfee's programs are
>available through Internet. I used to subscribe to Compu$$erve but have
>given up that habit when I got this account. Any info on how to ftp
>McAfee's programs would be greatly appreciated.

Since you have access to the Usenet News and FTP, there is a
good chance that you have archie installed on your system.
Assuming you're on a Unix machine:
Send this command(some pieces are optional, just my way):

  archie -N1000 -m10 -s scan > scan.loc &
            |      |  |   |       |     |_ to start a backg. proc.
            |      |  |   |       |__ a file name to store the result
            |      |  |   |__ the string you're looking for
            |      |  |__ option to match a (sub)string no-case sens.
            |      |__ max. number of hits (increase if necessary)
            |__ niceness level

Consult also the man pages for archie.
- -- 
Mauricio Fabbri - University of Minnesota, Minneapolis, MN, USA                
 
Civil and Mineral Eng. Dept., and | In Brazil: Space Res. Instit. (INPE)
Minnesota Supercomputer Institute | Lab. for Materials and Sensors (LAS)
fabbri@msi.umn.edu                | fabbri@las.inpe.br           

------------------------------

Date:    Thu, 15 Apr 93 10:26:03 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New (?) virus ? (2294) (PC)

v922340@kemp.si.hhs.nl (Ivar Snaaijer) writes:

>  The name of this virus is Terminator 2294. F-Prot can't detect it
>  and scan v100 recognizes it as Terminator 2.

SCAN also calls a different (completely unrelated) virus "Terminator
2", so it is important to provide the virus IDs here: "your" virus is
reported as [Term2] and [Bert] by SCAN 102 (only as [Term2] by SCAN
100) and the other one is reported as [Tm2].

> The virus seems to intercept INT
>  13h and INT 21h and point them to 9f67:08f7 and 9f67:029C. The virus is

The offsets are correct, but the segment depends on the amount of
conventional memory in the system. The above values assume a 640 Kb
system.

>  changes the encrypting number in some parts so it's almost impossible to
>  decrypt it without debugging the virus, but it contains tricky code to avoid
>  that and it also hangs the system.

Uh, what tricky code? The main decryption loop is trivial to debug and
the rest of the code is almost straightforward...

>  time the virus hangs the system and it seems to stay resident after pressing
>  CTRL-ALT-DEL so it can infect at boot time and then keep infecting normally

No, that's not true. The virus does not survive warm reboot. However,
due to the way it installs itself in memory and due to the fact that
it is a fast infector, the first thing that it does is to infect the
command interpreter. Of course, after a reboot, the virus will be
present in memory - loaded there from the infected command
interpreter.

>  thing I know for sure is that this virus only infects REAL .EXE's, not
>  disguised .COM's.

That is, it checks the MZ magic number. It doesn't check for ZM,
however.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 15 Apr 93 10:43:23 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Scanners and exe/com (PC)

shakib.otaqui@almac.co.uk (Shakib Otaqui) writes:

>   Further reports on Fido-Net say that once uncompressed, SCAN
>   identifies the Taiwan virus in the file.  F-Prot 2.07 says it has
>   ACAD.

This is one and the same virus. The question is - which one exactly?
Here are the possibilities:

Full CARO name:                  F-Prot 2.07:              SCAN 102:
- ---------------                  ------------              ---------
Jerusalem.AntiCAD.2576           Jerusalem (AntiCad-2576)  Taiwan4 [T4]
Jerusalem.AntiCAD.2900.Plastique Jerusalem (AntiCad-2900)  Taiwan3 [T3]
Jerusalem.AntiCAD.3088           Jerusalem (AntiCad-3088)  Taiwan4 [T4]

>   Fido-Net Batchpower and Debug conferences.  There are two variants
>   of the script:  each produces a file called TNYCACHE.LZH, but the
>   executable within it is a COM file in one case and an EXE in the
>   other.  There's a consensus that the COM version is a virus but
>   some disagreement about the EXE:  some people have reported it as
>   harmless and others have said it also is infected.

It should be trivial to verify whether the EXE file contains the
virus; it might be a COM file converted to EXE format with the utility
that comes with LZEXE.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

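Both of Bontchev's replies above turn on what a loader, an infector or a
scanner reads from the first bytes of a file: Terminator.2294 tests for the
"MZ" signature but not the equivalent "ZM", and the TNYCACHE.LZH EXE may be
a .COM image wrapped in an EXE header by a COM-to-EXE converter. The C
program below is an added example for this digest, not code from either
message or from any scanner. It classifies an image by its MZ/ZM signature,
locates the load module from the header-size field (e_cparhdr), and
searches the load module for a byte pattern, so the same bytes are found
whether they sit in a bare .COM or behind an EXE header. The sample .COM,
the marker bytes and the 32-byte wrapper header are constructed for the
illustration; the wrapper is only a rough stand-in for what LZEXE's
converter actually writes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum exe_kind { EXE_NOT_MZ = 0, EXE_MZ = 1, EXE_ZM = 2 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* The DOS loader accepts both "MZ" and the byte-swapped "ZM" as an EXE header. */
enum exe_kind classify_header(const uint8_t *img, size_t len) {
    if (len < 2) return EXE_NOT_MZ;
    if (img[0] == 'M' && img[1] == 'Z') return EXE_MZ;
    if (img[0] == 'Z' && img[1] == 'M') return EXE_ZM;
    return EXE_NOT_MZ;
}

/* The test described for Terminator.2294: "MZ" only, so a ZM file is
 * misjudged as a .COM image and left alone. */
int mz_only_check(const uint8_t *img, size_t len) {
    return len >= 2 && img[0] == 'M' && img[1] == 'Z';
}

/* Offset of the load module: e_cparhdr (word at 8) * 16 for MZ/ZM files,
 * 0 for a .COM image, which has no header at all. */
size_t code_offset(const uint8_t *img, size_t len) {
    if (classify_header(img, len) == EXE_NOT_MZ) return 0;
    if (len < 0x1C) return len;            /* truncated header: nothing to scan */
    return (size_t)le16(img + 8) * 16;
}

/* Offset of pat within the load module of img, or -1 if it is not there. */
long find_pattern(const uint8_t *img, size_t len, const uint8_t *pat, size_t plen) {
    size_t start = code_offset(img, len);
    if (plen == 0 || start >= len || len - start < plen) return -1;
    for (size_t i = start; i + plen <= len; i++)
        if (memcmp(img + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* Wrap a .COM image in a minimal 32-byte (2-paragraph) MZ or ZM header.
 * Constructed for the example; real converters write more fields. */
size_t wrap_com_as_exe(const uint8_t *com, size_t clen,
                       uint8_t *out, size_t outcap, int zm) {
    const size_t hdr = 32;
    size_t total = hdr + clen;
    if (outcap < total) return 0;
    memset(out, 0, hdr);
    out[0] = zm ? 'Z' : 'M';
    out[1] = zm ? 'M' : 'Z';
    put16(out + 2, (uint16_t)(total % 512));          /* e_cblp: bytes in last page */
    put16(out + 4, (uint16_t)((total + 511) / 512));  /* e_cp: 512-byte pages */
    put16(out + 8, 2);                                /* e_cparhdr: header paragraphs */
    put16(out + 0x14, 0x0100);                        /* e_ip: .COM code expects 0100h */
    put16(out + 0x16, 0xFFF0);                        /* e_cs: -16 paragraphs, so CS = PSP */
    memcpy(out + hdr, com, clen);
    return total;
}

/* Constructed sample: a tiny .COM (INT 21h exit) followed by marker bytes
 * that stand in for a scanner signature. Both are made up. */
static const uint8_t sample_com[] = { 0xB4, 0x4C, 0xCD, 0x21, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t marker[]     = { 0xDE, 0xAD, 0xBE, 0xEF };

long marker_offset_in_com(void) {
    return find_pattern(sample_com, sizeof sample_com, marker, sizeof marker);
}
long marker_offset_in_exe(int zm) {
    uint8_t exe[64];
    size_t n = wrap_com_as_exe(sample_com, sizeof sample_com, exe, sizeof exe, zm);
    return find_pattern(exe, n, marker, sizeof marker);
}
enum exe_kind wrapped_kind(int zm) {
    uint8_t exe[64];
    size_t n = wrap_com_as_exe(sample_com, sizeof sample_com, exe, sizeof exe, zm);
    return classify_header(exe, n);
}
int wrapped_passes_mz_only(int zm) {
    uint8_t exe[64];
    size_t n = wrap_com_as_exe(sample_com, sizeof sample_com, exe, sizeof exe, zm);
    return mz_only_check(exe, n);
}
```

The marker is found at offset 4 in the bare .COM and at offset 36 (32-byte
header plus 4) in either wrapped form, which is why a scanner that skips the
header is not fooled by a COM-to-EXE wrapper; the ZM variant passes
classify_header but fails mz_only_check, which is the gap Bontchev notes in
the virus's own test.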
------------------------------

Date:    15 Apr 93 11:51:01 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Scanners and exe/com (PC)


shakib.otaqui@almac.co.uk (Shakib Otaqui) writes:

>  Further reports on Fido-Net say that once uncompressed, SCAN
>  identifies the Taiwan virus in the file.  F-Prot 2.07 says it has
>  ACAD.

Well, those names are (sort of) aliases.  SCAN calls some of the
Jerusalem.AntiCad viruses "Taiwan", which may be slightly confusing, as they
are not members of the "Taiwan" family at all.

- -frisk
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    15 Apr 93 14:00:29 +0000
From:    tony@microware.co.uk (Tony Mountifield)
Subject: Virus Defense Activated - System Halted ??? (PC)


Hi Folks,

I have a strange problem with a friend's 386SX PC (Elonex PC-320X).

He had had some problems with system files disappearing, which could
well have been finger trouble (he is fairly new to computing). This made
his C: drive non-bootable, so I booted from the Elonex DOS 5 Setup Disk.
It automatically started up SETUP.EXE, so I went through the questions
(keyboard type, etc.).

After accepting the default values for "Install to" (C:\DOS) and "Run
Shell on startup" (YES), and trying to continue to the next screen, the
system gave a series of beeps of different frequencies, and then cleared
the screen and displayed the message "Virus Defense Activated - System
Halted".

At this point Control-ALT-Delete does not work, although the RESET
button does.

Does anyone know the cause and meaning of this message?

I used both F-PROT (Nov 1992) and McAfee to scan both the hard disk and
the Setup Diskette for Viruses, and they both gave an "all clear".

Please Email responses - I will summarize if asked to.

Thanks in advance,

Tony.
- -- 
Tony Mountifield     (G4CJO)       | Microware Systems (UK) Ltd.
- -----------------------------------| Leylands Farm, Nobs Crook,
Email:  tony@microware.co.uk       | Colden Common, WINCHESTER, SO21 1TH.
(or:  ...!uknet!mwuk!tony)         | Tel: 0703 601990   Fax: 0703 601991
- ------------------------------------------------------------------------
** Any opinions are mine, not Microware's - but you knew that anyway. **
- ------------------------------------------------------------------------

------------------------------

Date:    Thu, 15 Apr 93 10:51:29 -0400
From:    karel@ic.uva.nl
Subject: re: Virus Buster (PC)

On 09 Apr 93 15:15:36 +0000 hq!fhi0055@dsac.dla.mil (Marc Poole) wrote:

> In reviewing the software VIRUS BUSTER, I came across some very
> interesting circumstances that might be of some interest to those
> looking for Anti-viral software.
>
> When installing the software, there is a watchdog capability which does
> not allow the document to be changed.  This feature causes a redundant
> hassle when modifying files.
>
> The watchdog feature also creates a large problem when trying to use
> some executable files, for example the exe files to run a program (i.e.
> windows, modem software, word processors).  It allows the execution to
> take place as far as loading the software, but does not allow the
> software to actually run.  On occasions, the software will run with no
> problem, other times it just quits.
>
> On modem software, for example Quick Link II, it will not allow
> uploading of any files.  It also, more often than not, will not let the
> program run at all.
>
> That's as far as I got, after the few hassles, I cleaned off the virus
> software and replaced it with another.
>
> Hope this helps.

Marc's message puzzled me as I have been using Virus Buster for almost two 
years now and have not encountered similar problems. The Watchdog TSR is a 
combination of an activity monitor and a change detector, although the latter 
part is best left unused as this involves adding a checksum to the end of 
executable files which some programs don't like. In the newest Virus Buster 
system (v4.00) change detection is the sole task of the Buster program, which 
exits completely when done. VBTSR (a combination of the "old" VBShield and 
Watchdog) no longer supports it.
If you want to give the "old" Virus Buster another try, Marc, you might try 
activating Watchdog with the flags I have been using lately:

 Watchdog /A /L- /M /N- /P /Q /R /T-

Hope this helps.

Karel Sprenger                     |   Email: karel@ic.uva.nl OR ks@ic.uva.nl
IC/IT, University of Amsterdam     |   phone: +31-20-525 2302
Turfdraagsterpad 9                 |   fax  : +31-20-525 2084
NL-1012 XT  AMSTERDAM              |   home : +31-20-675 0989

------------------------------

Date:    Thu, 15 Apr 93 14:30:19 +0000
From:    lindsas@ecf.toronto.edu (LINDSAY STUART JOHN)
Subject: FTP Available Virus Protection (PC)

With a million virus protection programs out there I was wondering if
someone could give me a hand.  I have Central Point Anti-Virus protection
but I've been told it isn't such an effective virus protection program.
What is the best ftp-available (money is tight) virus protection program
that I can use on its own or in conjunction with CPAV?  Thanks in advance.
- -- 
*******************************************************************
* Stuart Lindsay    Electrical Engineering, University of Toronto *
* Address all Internet Correspondence to lindsas@ecf.utoronto.ca  *
*******************************************************************

------------------------------

Date:    Thu, 15 Apr 93 12:27:34 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Single state machines and warm reboots (PC)

Several people have mentioned the ability of some viruses to survive
warm reboots and suggested that only cold (power off) reboots be used.

In fact what is happening is that the virus has intercepted the keyboard
handler and is simulating a warm reboot rather than actually executing
one. I know of no virus (and am sure will be corrected if wrong 8*) that
can survive a *real* warm reboot.

Next, since the PC is a single state machine, any program that runs is,
while running, in complete control of the PC. Therefore if a warm reboot
command is issued explicitly, a virus cannot intercept if issued as a
direct call to ROM. Accordingly the following code is presented as 
an explicit way to generate a warm reboot that would be difficult
(but not impossible - this is software after all but a virus would have
to be looking for this specific sequence) to intercept (and there is a very
large number of ways to express the same thing).

XOR  AX,AX          ; AX = 0
MOV  DS,AX          ; DS = 0000h, the segment of the BIOS data area
MOV  AX,1234h       ; warm-boot flag value
MOV  [472h],AX      ; store it at 0000:0472h, the BIOS reset-flag word
JMP  FFFF:0000      ; far jump to the ROM reset entry point


For those who are interested, the 1234h in 0:472h tells the BIOS not to run
the full POST but just to clear conventional memory (usually) and restart.

					Warmly,
						Padgett

ps With regard to the Russian virus that traps the "device ready" intercept:
   I have not studied this one but at BIOS time all interrupt vectors must
   point to ROM BIOS or something is wrong & this is easy to detect (single
   state again). 

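Padgett's PS says that at BIOS time every interrupt vector must point into
ROM and that a violation is easy to detect; his main point is that a virus
which appears to survive a warm boot has really hooked the keyboard handler
(INT 09h) and is faking the reboot. The C below is an added example, not
Padgett's code and not from any product. It applies his test to a raw 1 KB
dump of the real-mode interrupt vector table: a vector is accepted only if
it is unset or its segment lies in the adapter-ROM or system-BIOS range,
and every vector pointing into conventional RAM is reported. The ROM ranges
(C000h-EFFFh for adapter ROMs, F000h-FFFFh for the system BIOS) are the
assumed classic PC/AT layout; the sample table, with INT 09h and INT 13h
redirected to 9FC0h, is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Real-mode interrupt vector table: 256 entries at 0000:0000, each a
 * little-endian 16-bit offset followed by a 16-bit segment. */
#define IVT_ENTRIES 256
#define IVT_BYTES   (IVT_ENTRIES * 4)

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

uint16_t ivt_offset(const uint8_t *ivt, int n)  { return le16(ivt + n * 4); }
uint16_t ivt_segment(const uint8_t *ivt, int n) { return le16(ivt + n * 4 + 2); }

void set_vector(uint8_t *ivt, int n, uint16_t seg, uint16_t off) {
    put16(ivt + n * 4, off);
    put16(ivt + n * 4 + 2, seg);
}

/* Boot-time policy (assumed PC/AT map): a vector is acceptable if it is
 * unset (0000:0000) or its segment is C000h or above, i.e. adapter ROM or
 * the system BIOS. A segment below A000h is conventional RAM, which nothing
 * legitimate has populated before the operating system is loaded. */
int vector_is_rom(uint16_t seg, uint16_t off) {
    if (seg == 0 && off == 0) return 1;
    return seg >= 0xC000;
}

/* Walk the table, store up to max offending vector numbers in out,
 * and return the total number of offenders. */
int find_ram_vectors(const uint8_t *ivt, int *out, int max) {
    int found = 0;
    for (int n = 0; n < IVT_ENTRIES; n++) {
        if (!vector_is_rom(ivt_segment(ivt, n), ivt_offset(ivt, n))) {
            if (found < max) out[found] = n;
            found++;
        }
    }
    return found;
}

/* Constructed dump: every vector points into the F000h BIOS segment except
 * INT 09h (keyboard) and INT 13h (disk), which have been redirected to
 * 9FC0:0000h, the kind of address a boot-sector virus ends up at after
 * carving 1 KB off the top of a 640 KB machine. Addresses are made up. */
void build_sample_ivt(uint8_t *ivt) {
    memset(ivt, 0, IVT_BYTES);
    for (int n = 0; n < IVT_ENTRIES; n++)
        set_vector(ivt, n, 0xF000, (uint16_t)(0xE000 + n * 8));
    set_vector(ivt, 0x09, 0x9FC0, 0x0000);
    set_vector(ivt, 0x13, 0x9FC0, 0x0000);
}

/* Run the check over the constructed dump. */
int sample_hooked_count(void) {
    uint8_t ivt[IVT_BYTES]; int bad[8];
    build_sample_ivt(ivt);
    return find_ram_vectors(ivt, bad, 8);
}
/* i-th offending vector number in the sample, or -1 if there is none. */
int sample_hooked_vector(int i) {
    uint8_t ivt[IVT_BYTES]; int bad[8];
    build_sample_ivt(ivt);
    int n = find_ram_vectors(ivt, bad, 8);
    return (i >= 0 && i < n && i < 8) ? bad[i] : -1;
}
```

The policy holds only before an operating system is loaded: once DOS is up,
INT 21h, INT 09h and many others legitimately live in RAM, so the same scan
would need a list of the segments DOS and its drivers own. It also has to
run from something the virus has not already subverted (a ROM, or a boot
from a clean, write-protected floppy), which is the single-state argument
again: whatever runs first owns the machine.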
------------------------------

End of VIRUS-L Digest [Volume 6 Issue 64]
*****************************************
