To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #69
--------
VIRUS-L Digest   Thursday, 22 Apr 1993    Volume 6 : Issue 69

Today's Topics:

Re: Sending Viruses over Internet/Fidonet
sharing virus related info
Viral "code"
Re: Contest (was Beneficial/Non-Destructive)
Re: Virus Signatures
Scanners getting bigger and slower
Sending viruses over Internet
Re: Can a virus infect NOVELL? (PC)
Re: Can a virus infect NOVELL? (PC)
Re: Censoship/40-Hex (PC)
Re: Got rid of Stoned -- but where did it come from? (PC)
Re: Help needed with the Bootexe virus (PC)
Re: Unknown little virus? (PC)
Re: Viruses which cost $$$ (PC)
Windows 3.1 virus (PC)
Re: Help wanted with Dir-II virus (PC)
Invol virus (PC)
TSR programs are too big (PC)
NAV Updates (was Central Point Anti-Virus Updates) (PC)
Re: Viruses that cost $$$ (PC)
Re: V-Sign? (PC)
Re: Censoship/40-Hex (PC)
TBAV600.ZIP - TBAV anti-virus software (complete pkg v6.00) (PC)
FP-208.ZIP - F-PROT v2.08: Virus detection/removal software (PC)
Survey Results

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Wed, 21 Apr 93 10:23:21 -0400
From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
Subject: Re: Sending Viruses over Internet/Fidonet

> I think relating it to a gun magazine is a fairly good analogy, except
> that gun mags usually don't have guns kits included that require minimal
> assembly to become fully functional.

I see the point that you and others have made here, but your point that gun
magazines don't come with guns is not the final word.  

First, some of the "bad books" (presumably legal under the 1st amendment) show
you how to do crimes from readily available materials.  I have heard of the
Anarchist's Cookbook.  And the email mag that I referred to before tells you
how to kill someone with a potato!  Now, they didn't have to INCLUDE the
potato for that material to exceed standards of human decency.  Using your
argument, spreading the information on how to kill someone with a potato is
acceptable as long as they don't include the potato!  (I.e., it isn't "fully
functional".)

Second, by your definition even 40-Hex doesn't include "fully functional"
viruses because it doesn't include the computer. (No groans please, as this
could be a real point made to defend the 40-Hex people in court if it should
ever come to that.)

Third, PC's and guns and potatoes are all readily available in this country, so
instructions on how to do bad things with each of these items should fall into
the same category.  The question is, which takes precedence, the first
amendment or human decency?  Indeed, would you choose between the first
amendment or national security???


------------------------------

Date:    Wed, 21 Apr 93 10:28:25 -0400
From:    rreymond@vnet.IBM.COM
Subject: sharing virus related info

Hi all there. I wanna point that I agree at 100% with the previous append of
Suzana, about Hex40 and info share. My point is: there are "bad Girls/Guys" and
there are "good Girls/Guys"; in my opinion, stated that is not so important to
question about the black that is white or so, but on the characteristics of
those two groups of people. I intentionally don't care about those "grey level"
people that we can find one time on our side, another on the opposite.
Everybody has the freedom of choice, in free countries. Let's state we count them as
"bad G/G", for make all a bit easy.
Now, let's suppose a new trick was discovered, enabling the construction of
some hellfire virus, able to nuke any PC. Most probably, the underground tam-tam
(Hex40,BBS,Books,Clubs etc.) will share that info and/or samples in a quite
little time. So, I think we can suppose a lot of "bad G/G" working on that; I
also think only few of them will be strong programmers, but almost all will
know something about ASM and so on. In such a scenario, I suppose isn't too
difficult that, with a lot of brains at work, at least one 'good' (I mean
strongly functional) idea spread out, and this will immediately be shared in the
"bad G/G" group. And so the first Hellfire Virus spreads...
On the other hand, if this virus or related code is discovered by one of us,the
"good G/G", it seems to me (by reading this Digest) it's quite probable that
the related info (code, structure, etc.) will be carefully kept by the one
that first jump into, and at maximum shared with those few s/he well knows.
So, while the Bad Army has (can expect to have) a lot of people at work, the
Good Army can face that with only four or five persons. Don't misunderstand me,
I'm sure we have the best researchers/developers, but I think that there's a
lot of people on the good side that can also work about, and perhaps bring
some good hints. And that have also the right to know.
I'm really not so scared about the "bad G/G" that can be tuned, intercepting
the info the "good G/G" are sharing between them; if they don't have them yet,
they will in a while; about info sharing their organisation seems to me better
than our. I only agree not to share executable samples, viruses 'ready to use'.
Those can be a danger, I admit. If someone gets a such-a-file, the virus has
great chance to spread. But code... a virus writer has no need of sources from
us, and other people... Do you know how much time it require to copy row after
row some seven-pages source virus code? Yeah, someone get the effort (life is a
GREAT risk), but I don't think they're the major part of whom will receive it.
And, anyway, share an Hex40 issue means only to show at Goods what Bads yet
have (no hint for them).

                                                Bye|           Roberto

Roberto Reymond      IBM C.E.R.T. Italy         RREYMOND@IBM.VNET.COM
- -------------------------------------------------------------------------------
All above is my PERSONAL opinion, and NOT that of my employer.



------------------------------

Date:    Wed, 21 Apr 93 11:06:52 -0400
From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
Subject: Viral "code"

People seem to think (as I have in the past) that somehow viral "code" is the
thing we must not publish.  Do these people think that a documented
description of the virus function is also wrong?  In fact, an accurate
description of a program is "functionally equivalent" to the program itself.
Indeed, an assembler source code program is just a "description" of the
program it represents.  And a high level language (or English itself) can take
indirection one level further, without loss of, or change in, functionality.

Certainly even an "innocent" forum such as VIRUS-L goes into extensive
detail (in English) of the functionality of viruses. Sure, you need
to be a good programmer to convert English to Assembler, but this is
something that they teach you in school. As I analyze myself here and
now, I think the inner reason I started reading VIRUS-L was to learn
more about the things viruses actually do, partly to enhance my
knowledge of DOS, and partly to learn things that I wasn't "supposed"
to know. Is it any surprise that the books that attract me are often
titled "Tricks, Tips and Traps?"

This forum certainly does not provide you with code for writing viruses.
That's great.  But what does it provide?  Lots and lots of information about
the things viruses do; the way they work; their functions.  Call it an "idea
well" or call it an "informal specification forum", it still contains many
English language functional descriptions that bad guys(/gals) could use.

In fact, if the moderator doesn't get mad at me (Ken, there may be a degree
of truth to the following but it's not the whole story of course) I would
propose that the FAQ which is available from this forum could be called
"An English Primer for Would-Be Virus Writers". (Again, Ken, I see a lot
of value to the FAQ, which is why I have contributed to it. For people who
can't read between the lines of my post, my theme remains the same: the
benefits of knowledge outweigh the risks. Of course there are exceptions
such as nuclear bomb technology but I don't see virus-related technical
information as fitting that category.)

Just in case it isn't obvious, my opinions are my own (the facts are
public domain. :-)

[Moderator's note: I have to admit that I never considered the FAQ to
be a primer to writing viruses.  Your point is well taken, however; it
is essential to know something about viruses in order to administer
effective countermeasures.  The intent of the FAQ was - and is - to
provide some of that basic knowledge to would-be virus _removers_.  If
that causes it to also provide some knowledge to the virus writers,
then so be it.  I think, however, that most (all?) virus writers
wouldn't find much new (to them) information in the FAQ.]

------------------------------

Date:    Wed, 21 Apr 93 16:21:28 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Contest (was Beneficial/Non-Destructive)

CELUSTP@cslab.felk.cvut.cs writes:

> >1) Modifies only one executable file on your system.

> Very unusual virus behaviour.

Is it? Maybe my mistake was in specifying the word "file", but I
thought you know enough about viruses to understand what I mean...
There are a couple of hundreds of viruses that infect only a SINGLE
executable on the attacked computer.

> >2) This file is an anti-virus program.

> Very suspicious activity.

Elaborate, please. Do you consider it suspicious for somebody to use
an anti-virus program? Or do you consider it suspicious if the owner
of a LAN insists that all users are using the latest version of a
particular anti-virus program?

> >3) The modification consists of replacing the program with a newer copy.

> How do you know it is the better or correct one?

That's so obvious that I left it as an exercise to the reader.
Remember, it was the system administrator who put it there. It is
his/her right to decide whom to permit to log in to the server. The
policy might be "have the latest version of VShield installed" or
"Don't run MS Windows". It doesn't mean that VShield is "better" or
that Windows is "worse" - just such is the policy.

A little bit more tricky is the question how the program on the server
ensures that the program being replaced on the workstation is really
an older version of itself, but this is a technical quibble and can be
solved easily.

> >4) The virus infects your computer when you log to the LAN server.

> First was said it infects only one executable file. Now is whole computer.
> Hmm...

What's so strange about it? Stoned infects only one thing - the MBR.
Yet, when it happens, we are saying that the computer is infected with
Stoned.

> >5) The virus has been installed on the LAN server by the LAN
> >administrator.

> It means deliberately entered into system.

Of course, that's the point. Deliberately, intentionally, willfully,
etc. By a person who owns the system - by the supervisor on the server
and by the user on the workstation. The supervisor does the initial
installation and the user permits the update.

> >6) The LAN owner has a policy that no workstations are allowed to log
> >in unless they are running the latest version of this particular
> >anti-virus software.

> Blackmail.

Please, read the definition of "blackmail". I don't have it handy, but
it says something about "with threats making unwarranted promises".
Here the situation is different - the user has the choice to accept
the update or not to log in. And if s/he accepts the update, s/he is
granted access - no unwarranted promises.

> >7) The virus (actually a worm - it does not "attach" itself to
> >programs and spreads via networks) does not do anything else.

> If virus is something "attaching" itself to programs, then some of existing
> viruses (boot viruses or companions) are not viruses too.

We've already been through all this a few times in the past. Please,
read the appropriate back issues. It all depends on how you define
"attach".

> >8) The whole thing is marketed by the producer of the anti-virus
> >software not as a virus, but as "a centralized method for automatic
> >update of the software on the workstations".

> Why this whole story about beneficial virus then?

See below.

> Exactement (=exactly for non-French speaking people). Don't call a "virus"
> something you are not sure is a virus.

You are missing the point. I am trying to explain to everybody
(including you) what Dr. Cohen means when he is speaking about
"beneficial viruses". Those are programs that are beneficial and that
match his definition for a virus. They might not match -your-
definition for a virus, or the definition that most people use for the
term "virus", or whatever. It doesn't matter, because it is not you or
"most people" who are speaking about "beneficial viruses", it is Dr.
Cohen. So, it is more than natural that he will use his definition of
the term - especially having in mind that he was the first one to
define it. So, if you want to understand what Dr. Cohen means when
speaking about beneficial viruses, don't jump on him - instead try to
understand his definition of a virus and assume that he is using it
when speaking about beneficial viruses.

> How can you be sure something is a
> virus?

Simple - you call "virus" everything that matches your definition for
this term.

>      CONTEST FOR THE BEST COMPUTER VIRUS DEFINITION      

> 1. Technical definition (in plain language - preferably English)
> 1. This definition should be short as much as possible, cleared of attributes
> as "good", "bad", "beneficial" or similar, not mentioning state of user's
> mind,etc., it should be clearly stated for which environment (e.g. operating
> system) is applicable and definition should be undoubted.

It should also emphasize the main capability of the virus that makes
it different from other programs - merely its ability to spread. Its
optional side effects (damage, etc.) should be left out of the
definition.

> 2. Technical definition (mathematical)
> 2. The meaning of every symbol in mathematical formula(s) should be clearly
> explained.

I have one here. It is actually Dr. Cohen's definition, with all
symbols explained and without the abbreviation shortcuts he usually
uses. It's hand-written and is one A4 sheet of formulae.
Unfortunately, I don't know TeX enough to translate it into
electronic form.

> 3. Legislative definition
> 3. This definition should contain statement which part of virus code could
> be considered as punishable (supposing virus writing is criminal act).

Supposing that virus writing is a criminal act would be wrong, because
it isn't, according to the legislation of most countries. Instead, the
definition should concentrate on causing (directly or indirectly)
unauthorized modifications of information stored in computers. It
doesn't need to deal with the term "virus" at all - the more general,
the better. It could very well include trojan horses, logic bombs,
spoofs, hacking, etc. It is all the same from the legal point of view
- - causing directly or indirectly unauthorized modifications to
computer information, and -this- is what should be a crime.

> Everybody who doesn't want to compete and feel enough
> competent to judge quality of definitions is welcome.

I do feel competent to judge the quality of the first two definitions
- - the technical ones.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 21 Apr 93 13:12:02 -0400
From:    "Info Security 3-9797" <Information.Security@Forsythe.Stanford.EDU>
Subject: Re: Virus Signatures

In volume 6 issue 65, Alan Jones wrote:

> I was wondering why there is not anyone that periodically post NEW
> virus Signatures.  This would be very helpful to people in between
> releases of different virus scanners.

> I know this might be helpful to the writter of that virus but
> there has to be a middle ground.

It seems to me that there is a big risk here.  If I post a false
signature, but one that will register a hit on some popular piece
of software, and this signature accidentally gets incorporated into
one or more anti-viral software packages, then some people are
going to get false-positives.  What a waste of time for everyone.
But, given the opportunity, I have no doubt that people will try
this ploy.  Even if the phoney signature is only used by individuals,
those individuals may be tricked for awhile to think they have a
virus when they don't.

Bill Bauriedel


------------------------------

Date:    Sun, 18 Apr 93 12:44:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Scanners getting bigger and slower

Hi Inbar:

On the example given on how to search quickly for a virus:
IR:
 > This is an interesting idea. What I do today, is this:
 > Each virus has its information, namely a search
 > string, and a location. The location would usually be
 > an offset from the first CALL/JMP opcode. This is what
 > I had in mind, therefore, when I wrote the message.
Hope my idea helps, try to develop it, you might benefit from it.

IR:
 > Second, even today, there is not much memory needed. I
 > don't think it will be short before programs have to
 > use extended/expanded memory for virus database or
 > code overlays, due to memory problems. Maybe for SPEED
 > reasons - memory is faster than disk.
If it's there, why not use it? If it isn't, it's the same old story...

IR:
 > Yes, BUT, you must agree that the key point in
 > disinfecting, rises when the virus encrypts, either
 > itself, the original overwritten bytes of the victim
 > (often replaced with a JMP/CALL instruction) or the
 > entire file. When we're talking polymorphic viruses,
 > that's a lot of trouble. Even Haifa presented a
 > problem which did not exist then, of true polymorphism
 > in algorithm and encryption key (the key thing did
 > exist at the time. I think 512 used it too).
I agree on the fact that if a virus encrypts the host program, it might not be
possible to recover it (unless you keep a backup of some sort, and this is
also the most generic method of all). But if the virus "damaged" the file so
that only a key-part of it is encrypted (like HAIFA really does) that poses a
problem in *Specific* cleaning but not for generic one (suppose the signature
you keep on the file contains just the information missing).

AN:
 >> Please recall the method of renaming files to clean the DIR-II virus,
 >> (as well as many other methods), wouldn't you call a program that uses
 >> it a "GENERIC DISINFECTOR" ?
IR:
 > No, because I see that as using special techniques for
 > special cases. Then again, whenever one method works
 > for more than one virus, you may call it generic.
By definition a method that may do its task without knowing the identity of
the attacker should be called "generic". FDISK /MBR is the generic method to
clean most MBR viruses, SYS.COM is a generic BOOT-SECTOR cleaner (even if
MicroSoft did not intend to do it) etc...

Yours,

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)
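
As an added illustration of the scanning scheme discussed above (a search string checked at a fixed offset from the first CALL/JMP), and of Bill Bauriedel's point earlier in this issue that a badly chosen or badly placed signature produces false positives, the following Python is example code written for this digest; it is not code from any of the posters, from V-CARE, or from any other product mentioned here. The signature names, byte patterns and sample images are constructed for the example and are not real virus signatures.

```python
import struct

# Constructed sample "signature database" for this example. The names and
# byte patterns are made up and are NOT real virus signatures. Each entry:
# (name, offset from the target of the entry-point JMP, pattern); "??" is
# a wildcard that matches any single byte.
SIGNATURES = [
    ("Demo.Appender.A", 0, "B4 09 BA ?? ?? CD 21"),
    ("Demo.Overwriter.B", 2, "B8 02 3D CD 21 93"),
]


def parse_pattern(text):
    """'B4 09 ?? CD' -> [0xB4, 0x09, None, 0xCD]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def jmp_target(image, at=0):
    """Decode a near JMP (E9 rel16) or short JMP (EB rel8) at file offset
    `at` and return the file offset it jumps to, or None if no JMP is there.
    A .COM file is loaded at CS:0100h, so relative jumps resolve to file
    offsets without knowing the load address."""
    if at + 2 > len(image):
        return None
    op = image[at]
    if op == 0xE9 and at + 3 <= len(image):
        rel = struct.unpack_from("<h", image, at + 1)[0]
        return at + 3 + rel
    if op == 0xEB:
        rel = struct.unpack_from("<b", image, at + 1)[0]
        return at + 2 + rel
    return None


def match_at(image, pos, pattern):
    """True if `pattern` matches the bytes of `image` starting at `pos`."""
    if pos < 0 or pos + len(pattern) > len(image):
        return False
    return all(p is None or image[pos + i] == p for i, p in enumerate(pattern))


def anchored_scan(image):
    """Signature check anchored on the entry-point JMP: each pattern is
    compared only at (JMP target + offset), so a few bytes per signature
    are examined instead of the whole file."""
    target = jmp_target(image, 0)
    if target is None:
        return []  # no JMP at the entry point: none of these signatures apply
    return [name for name, off, text in SIGNATURES
            if match_at(image, target + off, parse_pattern(text))]


def naive_scan(image):
    """Whole-file search for comparison: reports a pattern wherever it occurs,
    which is slower and is what turns a lookalike byte run into a false alarm."""
    hits = []
    for name, _off, text in SIGNATURES:
        pat = parse_pattern(text)
        if any(match_at(image, pos, pat) for pos in range(len(image))):
            hits.append(name)
    return hits


def build_com(host_body, tail):
    """Construct a toy .COM image: a near JMP over `host_body` to `tail`,
    the layout that a simple appending infector leaves behind."""
    return b"\xE9" + struct.pack("<h", len(host_body)) + host_body + tail


# Constructed sample images (no real malware involved).
INFECTED_A = build_com(b"\x90" * 16, bytes.fromhex("B409BA1234CD21B44CCD21"))
INFECTED_B = build_com(b"\x90" * 8, b"\x00\x00" + bytes.fromhex("B8023DCD2193"))
# A clean program that happens to contain pattern A's bytes in its body,
# but not at the anchored location.
CLEAN_LOOKALIKE = (b"\xEB\x07" + bytes.fromhex("B409BA1234CD21")
                   + bytes.fromhex("B44CCD21"))
CLEAN_NO_JMP = bytes.fromhex("B44CCD21")

if __name__ == "__main__":
    for label, img in [("A", INFECTED_A), ("B", INFECTED_B),
                       ("lookalike", CLEAN_LOOKALIKE), ("no-jmp", CLEAN_NO_JMP)]:
        print(label, "anchored:", anchored_scan(img), "naive:", naive_scan(img))
```

The anchored check reports the two constructed infected images and stays silent on the lookalike, while the whole-file search flags the lookalike as well; that gap is the false-positive risk a signature contributor has to think about before publishing a pattern.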

------------------------------

Date:    Mon, 19 Apr 93 12:51:07 +0100
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Sending viruses over Internet

Hi Vesselin!

 > On FidoNet the situation is slightly different. If NetMail is
 > used, then you are calling directly the telephone of the recipient, so

This is not completely true. NetMail is also routed, you need to specify
Direct- or Crash-Mail for that purpose. Don't send virus code via FIDO and
Compatibles just by simple netmail!

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date:    Wed, 21 Apr 93 10:00:44 -0400
From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
Subject: Re: Can a virus infect NOVELL? (PC)

In PC WEEK, Nov 9, 1992, there was a major review of "Network Operable
Anti-Virus Software." I see this as a valid way of interpreting your
question but realize that you may have had something else in mind.
In any case, you may find this useful.


------------------------------

Date:    Wed, 21 Apr 93 16:04:53 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Can a virus infect NOVELL? (PC)

GSCOBIE@ml0.ucs.edinburgh.ac.uk (Garry J Scobie Ext 3360) writes:

> Novell/Viruses/Access Rights. It would be best to consult these. In
> Sept 1992, vol 5 issue 151 I asked

>      If a virus can infect my applications volume where
>      everyone has only read and filescan permission set as a trustee
>      assignment then I would appreciate being told about it as soon as
>      possible.

> The thread appeared to end there as no-one could say either way. I
> suspect the answer is still no.

The answer is still "it depends".

First, it depends on what version of NetWare you are using. It seems
to me that you are implying 3.11 and I don't have much experience with
it. If you are using anything below, and if you have not applied the
security patch from Novell, then it is possible for a virus to use the
mechanism of the KNOCK.EXE program to obtain supervisor privileges and
do with your files whatever it wishes. Note however that this trick
doesn't work under 3.11 and no such virus has been written yet anyway
- - it is just a possibility.

Second, what does "everyone" mean? A user with supervisor privileges
is obviously able to do anything with those files. In practice, this
means that if a virus succeeds to infect such a user, the virus will
be able to do anything with the protected files. So, it is important
not only what the protection settings of the protected files are, but
also can a virus infect a user with supervisor privileges? That is,
can such user execute something from a place where a regular user has
write privileges? (That is - is there a transitive information flow
from users with low security privileges to users with high security
privileges?)

Third, it is possible to use a variant of the PATH companion attack to
make the protected files "look" as infected, but such "infection"
doesn't spread between users and is not of serious concern anyway.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 21 Apr 93 16:15:43 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Censoship/40-Hex (PC)

duck@nuustak.csir.co.za (Paul Ducklin) writes:

> >things. You don't demand that NASA takes you in the Shuttle, in order
> >to verify the claims that the Earth is round with your own eyes, do
> >you?

> As someone pointed out in another newsgroup [sci.crypt?] a while back,
> you *don't* need to get a shuttle ride to demonstrate the the earth is
> round; it can be done in the comfort of your own home [you need a

My analogy in this case is still a proper one - demanding from the
anti-virus researchers that they make the viruses in their collections
publicly available, just because some Joe Random wants to verify that
computer viruses exist and are able to do all kinds of things is just
like demanding NASA to take you in the Shuttle, in order to verify
that the Earth is round - in both cases there are much cheaper,
easier, more practical, etc. ways to do it. And a demand like that is
something that the concerned people (AV researchers or NASA) will just
not care about, regardless how much the other part is yelping.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 21 Apr 93 16:53:59 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Got rid of Stoned -- but where did it come from? (PC)

bruno@mcrcim.mcgill.edu writes:

> I administer a bunch of Intel-based UNIX systems, and found that one
> of them just stopped booting.  I could mount the disks on another
> machine, and everything seemed mostly OK, except for the boot sector.
> Upon inspection, the boot sector had been infected by the Stoned
> virus.

[stuff deleted]

> ===> What is the specific mechanism that Stoned uses to propagate
>      itself?  Must one boot with an infected floppy, or does it live
>      next to an executable, or...

See the FAQ about how to get the answer for your first question.
Regarding your second question - it lives on the boot sector of a
floppy and the MBR of the hard disk; not in the executable files. It
can infect an IBM PC compatible machine (regardless of the operating
system it runs) if you TRY to boot from an infected floppy. Note that
the attempt to boot does not need to be successful - i.e., it can be a
blank, formatted diskette, with no executable files or operating
system on it.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 21 Apr 93 17:00:29 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help needed with the Bootexe virus (PC)

RHY@CU.NIH.GOV writes:

> If you have any information on the Bootexe virus.

Our Computer Virus Catalog contains a technical description of this
virus. Read the FAQ for information about how to get the CVC.

> What exactly is it?

Memory resident EXE and boot sector infector of Russian origin.

> How to remove it without destroying
> any data?  Will appreciate any info.

Boot from a clean diskette and do a SYS C: to remove it from the hard
disk's boot sector. Removing it from the files is trickier - it
overwrites the EXE header and you need an anti-virus program to repair
the infected files. For instance, F-Prot 2.07 is able to disinfect
this virus correctly.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 21 Apr 93 17:09:28 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Unknown little virus? (PC)

frisk@complex.is (Fridrik Skulason) writes:

> Hmmm...I don't have any 27 byte one :-) 

Heh... There are at least two 27-byte viruses and you are detecting
them as Trivial (27-A) and Trivial (27-B)... :-)

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 21 Apr 93 17:11:17 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses which cost $$$ (PC)

Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

> I think I recall seeing the following warning in one of my books:
> "Improper use of this register may cause physical damage to your monitor."

That information is a bit out-of-date. It was real, it was a hardware
bug (in the controller for monochrome monitors, not in the monitors
themselves), but those (buggy) controllers have not been produced
for a long time.

> Am I correct, is there physical damage that can be done through
> software?

Not to the contemporary hardware.

> Monitors sounds likely. Disks, possibly. With CPU's
> that run hot and can be configured perhaps through software, then
> maybe them too!

Nope. None of the above.

> I know of a simple way that a virus could cost a user lots of money,
> [in fact the virus author could MAKE money from the victim!!!]
> {if that doesn't whet the appetite I don't know what will!!!]
> without causing physical damage, but I am unsure if I should
> mention that here. Even though the method is absurdly simple.
> Any comments?

You are right, a simple virus could cost a user or a company lots of
money. Even if the virus does NOTHING but spreads. Actually, even a
false positive (a non-virus) could cost a LOT of money...

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 19 Apr 93 12:45:06 +0100
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Windows 3.1 virus (PC)

Hi Philip!

 > I keep seeing people who report "general protection faults" and
 > similar things and attribute them to virus action.  I'm having

This could be, but need not be. General protection faults occur from time to time,
sometimes without an obvious reason. Sometimes you can fix this by correctly
configuring Windows (e.g. if you try to print in a BANYAN VINES network,
you'll get this one. You must insert NETSPOOL=YES at the entry [spooler]
in WIN.INI, then it works).

 > Today, someone reported actually cleaning up a 36 byte virus.
 > I have real trouble believing this; the smallest I know of is 44 bytes
 > and isn't viable, much a Windows specific infector.

There are smaller ones (the smallest 30 bytes if I remember correctly), but 
these are all overwriting COM-infectors and non-windows specific.

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date:    Sun, 18 Apr 93 12:14:00 +0100
From:    Robert_Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner)
Subject: Re: Help wanted with Dir-II virus (PC)

Hello Raymond,

 RK> I recently discovered the Dir-II virus on my system (486/33 with a
 RK> 212 Mb Hd). I've a bootable flop  which contains no virus and
 RK> includes a virusscanner, scan v102 from Mcafee. I scanned the HD but
 RK> scan didn't detect any virus. So I assumed that the HD was clean.
 RK> I have read in the virlist.txt that the dir-II virus uses stealth
 RK> techniques and selfencryption . Maybe this is the reason that the
 RK> virus can't be detected.

no : a virus is only "stealth" if it is running. If you have booted from a 
clean disk, the virus did not run and therefore was "naked", not stealth.

 RK> describes that the dir-II virus crosslinks files and directories. I used
 RK> chkdsk and norton diskdoctor to correct the problem. There are
 RK> crosslinked files and directories. Norton diskdoctor (ndd) repairs the files.

... he killed them...

To remove a DIR-infection the only secure way is to copy all executables to 
files with non-executable extensions with THE VIRUS ACTIVE IN MEMORY ! This 
way the virus itself will "disinfect" the files, it will act as a
"low-level-cleaner" :-))

"COPY *.COM *.MOC"
"DEL *.COM"
"COPY *.EXE *.XEX"
"DEL *.EXE"

in every (sub and root) directory, on every exe and com-file (use ATTRIB from 
DISK to remove any hidden and system attributes, but write on a piece of paper 
which files have been hidden/system/read-only, so you can re-set these 
attributes at the end of the session; some programs may require them).

then reboot from a clean disk and (from now on we don't need the virus anymore)
type

"SYS C:"
"UNFORMAT /PARTN" - note : only valid, if you have run MIRROR /PARTN before 
the infection occurred. *recommended* ! Very useful.
"REN *.MOC *.COM"
"REN *.XEX *.EXE"

in every directory.
reboot again from C:, your computer is clean.

Using CHKDSK /F on a DIR-infected disk without the virus in memory will 
DESTROY all infected files if you allow CHKDSK to "repair" anything.

Greetings from karlsruhe, frgdr
      Robert

- ---
 * Origin: Virus Help Service Karlsruhe, 49-721-821355 (9:492/2170)
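The two-phase procedure Robert describes, written out as a batch file. This is an added illustration, not code from the original post or from the Virus Help Service. It assumes MS-DOS 5 or later (for ATTRIB listing and IF EXIST with wildcards), a clean, write-protected floppy in A: carrying ATTRIB.EXE, and replaces the "piece of paper" with an attribute log written to that floppy. It handles one directory per invocation, exactly as the post's per-directory instructions do; the file name DIRFIX.BAT and the log name ATTRLOG.TXT are my assumptions.

```batch
@ECHO OFF
REM DIRFIX.BAT -- added example, not from the original post.
REM
REM Phase 1 (virus still resident, run from C: BEFORE the clean boot):
REM     DIRFIX HIDE C:\SOMEDIR
REM Phase 2 (after booting from the clean write-protected floppy):
REM     DIRFIX RESTORE C:\SOMEDIR
REM Run it once per directory, root included, then SYS C: as in the post.
REM Assumes MS-DOS 5+, clean ATTRIB.EXE in A:\, log file A:\ATTRLOG.TXT.

IF "%1"=="HIDE" GOTO HIDE
IF "%1"=="RESTORE" GOTO RESTORE
ECHO Usage: DIRFIX HIDE directory   or   DIRFIX RESTORE directory
GOTO END

:HIDE
CD %2
REM Record the attributes of every file here BEFORE stripping them.
REM ATTRIB without switches prints "A  SHR  C:\path\FILE" per file, so the
REM log is the list of what must be put back in phase 2 (the "paper").
A:\ATTRIB *.* >> A:\ATTRLOG.TXT
REM Hidden/system files cannot be copied or deleted until cleared, and
REM read-only ones cannot be deleted; clear all three.
A:\ATTRIB -H -S -R *.*
REM The post's point: with the virus resident, reading a .COM/.EXE goes
REM through the virus, which hands back the original file contents. The
REM copy with a non-executable name is therefore the clean body.
IF EXIST *.COM COPY *.COM *.MOC > NUL
IF EXIST *.COM DEL *.COM
IF EXIST *.EXE COPY *.EXE *.XEX > NUL
IF EXIST *.EXE DEL *.EXE
GOTO END

:RESTORE
CD %2
REM Virus is no longer in memory (clean boot); give the files back their
REM executable names. Attributes are re-applied by hand from the log,
REM e.g.  A:\ATTRIB +R +H C:\SOMEDIR\FOO.EXE
IF EXIST *.MOC REN *.MOC *.COM
IF EXIST *.XEX REN *.XEX *.EXE
ECHO Done. Re-apply attributes listed in A:\ATTRLOG.TXT for this directory.
GOTO END

:END
```

The split into HIDE and RESTORE matters because the two halves run under different conditions: HIDE only works while the virus is resident, RESTORE only after it is not, and nothing that runs between them (CHKDSK /F, NDD) may be allowed to "repair" cross-links, for the reason given in the post.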

------------------------------

Date:    Wed, 21 Apr 93 03:00:18 -0400
From:    al026@yfn.ysu.edu (Joe Norton)
Subject: Invol virus (PC)

  Does anyone have a bit more info on the Invol virus than is in
Vsum?  I had a client with it today.  As soon as he ran our go.exe
installation program it popped up with its little message.  I was
just wondering what causes it to activate mostly.  Vsum mentions
the message as being visible in infected sys files, and encrypted
in exe files, but doesn't mention the display of the message.
  The client was in California, and I'm in Michigan, so I don't
have access to his PC, or a sample of his infection.
- -- 


------------------------------

Date:    Wed, 21 Apr 93 05:38:43 -0400
From:    "Werner Ente 21-APR-1993 11:36:51.58" <wente@ifw.uni-kiel.dbp.de>
Subject: TSR programs are too big (PC)

Moin,

there are several mails about too big scanners, but that's not
my problem. I have a problem with the size of the TSR-program which 
I use for security. 
I need at least! 480KB of base memory for one DOS program and
get it with some difficulties without my actual security program 
VSHIELD. The HMA and the UMB are filled with DOS, several 
drivers (Network, SCSI) and the EMS page. The PC is a 486 with 16MB memory. 

Is there a security TSR program, which can be loaded (partly) in the 
extended or expanded memory ? 
If not, is any developer planning to create such an option in his
program(s) ?

The "/lh" switch in VSHIELD allows only loading into the UMB 
and that doesn't work. So the program will not be loaded.


Werner

*----------------------------------------------------------------*
| Werner Ente                          wente@ifw.uni-kiel.dbp.de |
| Kiel Institute of World Economics    +49 -431 /8814-277        |
| D2300 Kiel 1, Germany                                          |
*----------------------------------------------------------------*



------------------------------

Date:    Wed, 21 Apr 93 14:54:34 -0400
From:    cjkuo@symantec.com (Jimmy Kuo)
Subject: NAV Updates (was Central Point Anti-Virus Updates) (PC)

Robert Slade writes:
>A whole bunch of people have asked:

>>I'm just wondering if there is an ftp site that supports updated virus lists
>>for the Central Point Anti-Virus program.  Thanks a lot.

>Is it time we put this in the FAQ?

If it is, certainly, I hope you don't write the entry!  And in the future,
please do NOT make statements representing the NAV product.

>CPAV is a commercial product.  CP also wants to make some return on
>the bucks they put into keeping the program updated.  Therefore:

>No, you are not likely to see any updates for the CPAV signature files
>(or NAV, or MSAV) on ftp servers.  Or public bulletin boards.  If you
>do, they have not been posted with the consent of Central Point.

NAV update files are available *free* on Compuserve, on Symantec's BBS
at 408-973-9598 or 408-973-9834.  They may be purchased on a one-time
basis by people who do not have access to those things or any networks.
And they can be subscribed to for regular delivery for a fee.  (I'll just
say, call 1-800-343-4714 x756 for further information on the services
that cost money.)

Back to the *free* ways to get updates:  They are available free through
me by individual request.  They are available through the Virus Help Centre
(Sweden), ask mikael@vhc.se, even if *he* is a McAfee Agent.  They can be
available through anyone who wishes to redistribute.

Basically, NAV definition file updates are and can be freely distributed in
their present form (note lack of copyrights).

>Both CP and Symantec/Norton provide update services in various ways.
>Some require a license and some don't.  None, however, involve free
>ftp access.

We don't support ftp access yet.  We may.  But that's under someone else's
jurisdiction and has nothing to do with wanting to charge for the updates
since I already send out updates to anyone who asks.  [Updates are only
available for 2.1.]

Jimmy Kuo                                       cjkuo@symantec.com
Norton AntiVirus Research


------------------------------

Date:    Wed, 21 Apr 93 14:54:36 -0400
From:    cjkuo@symantec.com (Jimmy Kuo)
Subject: Re: Viruses that cost $$$ (PC)

Donald G Peters writes:
>I think I recall seeing the following warning in one of my books:
>"Improper use of this register may cause physical damage to your monitor."

Yes, it was possible to destroy an original IBM Monochrome monitor
through software activity.  But not too many of them around any more.
(All been destroyed?  :-)  )  But that was only the IBM Monochrome
monitor and some "really good" clones.  As soon as this was discovered,
manufacturers realized the circumstances and made new ones that would
not have that problem.  (Sorry, I'm not a hardware guy.)

>Am I correct, is there physical damage that can be done through
>software? Monitors sound likely. Disks, possibly. With CPU's
>that run hot and can be configured perhaps through software, then
>maybe them too!

The concept of destroying hardware with software is a possibility.
There are many concepts that can be applied.  But that's not the only
way to assess "Viruses which cost $$$".  Even though mainframes have
circuit breakers when they get too hot, if you can turn off the fan
that would result in a subsequent activation of the circuit breaker,
you've caused the machine to go down.  Downtime costs $$$.  So,
simply crashing the machine costs $$$.

So, whereas the possibility to destroy hardware through software might
be real, there's really no need.  You cause enough loss just by getting
a virus onto the system.

Jimmy

>If this is a threat should we discuss it here? I think so. Of
>course, I don't want the details spelled out here. Just enough
>generic information that we can be sure the info is correct.

>I know of a simple way that a virus could cost a user lots of money,
>[in fact the virus author could MAKE money from the victim!!!]
>{if that doesn't whet the appetite I don't know what will!!!]
>without causing physical damage, but I am unsure if I should
>mention that here. Even though the method is absurdly simple.
>Any comments?


------------------------------

Date:    Wed, 21 Apr 93 23:10:54 +0000
From:    mechalas@expert.cc.purdue.edu (John Mechalas)
Subject: Re: V-Sign? (PC)

bc1w+@andrew.cmu.edu (Barbara Carlson) writes:
>A computer in a public cluster here turned up with what f-prot called
>"V-Sign". It said it infected the boot sectors of each of the drives
>(c,d,e,f) and listed garbage as the name for one of them. Has anyone
>heard of this virus? There is no mention of it in the listing that comes
>with f-prot. The version of f-prot was current -- 2/93. They had to do a
>hardware reformat of the disk - *three times* - could this thing have

Reformatting is almost never necessary.

>stuck around and diverted a format? Anything out there that could get
>rid of it??

We had V-Sign in our labs on campus a while ago.  FDISK /MBR took care of it.

- -- 
John Mechalas                    \ If you think my opinions are Purdue's, then
mechalas@expert.cc.purdue.edu     \     you vastly overestimate my importance.
Purdue University Computing Center \         Stamp out and abolish redundancy.
General Consulting                  \  If you can read this you are too close.

------------------------------

Date:    Wed, 21 Apr 93 21:18:22 -0000
From:    phil@wearbay.demon.co.uk (Philip Coull)
Subject: Re: Censoship/40-Hex (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>...... One thing is certain - I didn't get them from virus
>exchange BBSes, because I don't call -any- BBSes.
                         ^ ^^^^^ ^^^^ ^^^^^ ^^^^^
I'm puzzled - you seem to know a lot about virus exchange bbs's - how
do you get your info, if you don't call them??

- ---------------------------------------------------------------
Phil Coull g3xvy     phil@wearbay.demon.co.uk     CI$ 76046,332


------------------------------

Date:    Wed, 21 Apr 93 03:07:54 -0400
From:    bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: TBAV600.ZIP - TBAV anti-virus software (complete pkg v6.00) (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:<msdos.virus>
TBAV600.ZIP     TBAV anti-virus software (complete pkg v6.00)

Thunderbyte Anti-Virus (TBAV) is a toolkit designed to protect against,
and recover from computer viruses.  It is claimed to be the most
complete anti-virus system available.  Included are TbScan, TbScanX,
TbSetup, TbClean, TbDisk, TbFile, TbMem, TbCheck, and TbUtil.

This file has replaced TBAV504.ZIP.

Greetings,

Piet de Bondt                   E-mail: bondt@dutiws.twi.tudelft.nl
- - -
FTP-Admin for the MSDOS Anti-virus software, @dutiws.twi.tudelft.nl


------------------------------

Date:    Thu, 22 Apr 93 05:37:59 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: FP-208.ZIP - F-PROT v2.08: Virus detection/removal software (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:<msdos.virus>
FP-208.ZIP      F-PROT v2.08: Virus detection/removal software

Version 2.08 - major changes:

   The identification and disinfection information has now been moved to
   the file SIGN.DEF, which reduced the memory requirements considerably,
   by 50K or so.

Version 2.08 - the following problems were found and corrected.
   A few minor false positives were corrected:

        "Possibly a new variant of ARCV" in a version of SPINRITE.COM
        "TPE" in a few non-executable files.

   The disinfection of the following viruses was corrected; previously
   F-PROT was not able to clean all infected files correctly: Tula-419,
   Prudents, Tiny.198, Macedonia, Gotcha.C, Vbasic.B, Vbasic.C

   The VIRSTOP program could not be run after the APPEND program was
   loaded.  Fixed now.

   Some problems with /WARM and /COPY have been fixed.

Version 2.08 - new viruses:

   The following 14 new viruses can now be detected but not removed,
   only deleted.  This is because they overwrite infected files, or
   damage them irreversibly.

        Burger.560.Liquid
        Itti.Toxic
        Leprosy (FVHS.1644 and Surfer)
        Milan.BillMe
        Trivial (Wolverine, 30-D, 64 and 81)
        VCL (408, 423, 481, 666 and Dome)

   The following 115 new viruses can now be detected and removed. (Many of
   them were detected by 2.07 (or earlier versions) as new variants of
   known viruses).

        _388
        _558
        Arcv.Lurve
        Armagedon.1074
        Beer (2794, 2850 and 3164)
        Baobab.731
        Black Jec.307
        Comvirus
        Creeper.476
        Danish Tiny (177 and 180)
        Dark Avenger.1800.Quest
        Diamond (444, 465, 594, 602, 606, 607, 608, 620, 621, 624, 626,
                 891,1013 and Sathanyk-1399)
        Dreamer
        Dutch Tiny.124.B
        Frajer
        Fumble.D
        Gotcha.F
        Hamster
        Intruder (1326, 1440, 1967, 1988 and 2136)
        Jerusalem.Glory
        July 13th.1199
        Kiwi
        Liquid
        Marauder.860.B
        Phalcon.Elvis
        Pixel (Cheef and 762)
        Polish Tiny.176
        Print Monster
        Problem.854
        Protect.2535
        PS-MPC (Alien, Bamestra.1, Bamestra.2, Bamestra.3, Bamestra.4,
                Bamestra.5, Bamestra.6, Bamestra.7, Bamestra.8, Bamestra.9,
                Bamestra.10, Cinco, Demoexe, Gold, Jo.916, Jo.942,
                Tim.301, Tim.401, Tim.515, Warez)
        Russian Tiny (C.146, C.150, C.157, D.129, D.130, D.132)
        Semtex (619 and 1000.C)
        Shaman
        SillyCR.178
        Simple 1992
        Sinep
        Star One (222, Cybertech.A, Cybertech.B)
        StinkFoot.2-E
        SVC (1228 and 5.0-C)
        Timid (290, 297, 320, 371, 382, 513 and 526)
        Uruk-hai (300, 361 and 394)
        Vienna (518, 561, 600, 618.B, 648.E, 700, 851, MD.354, MD.498,
                MD.499, MD.557, New Years, Vio-lite and Violator.Baby)
        Youth.Hannibal

   The following 6 new viruses can now be detected but not yet removed.

        VCL (933, Chuang and Diarrhea)
        X-1.570
        Yankee.XPEH.4752
        Zherkov.1940

   The following 3 viruses which were detected by earlier versions can
   now be removed.

        Cascade (1703-Jojo and Formiche)
        Ear.Ear

   In addition over 100 new viruses are detected, but not identified
   accurately, and have not been analysed.  They will be listed later.


frisk
- - -
Fridrik Skulason
frisk@complex.is


------------------------------

Date:    Tue, 20 Apr 93 15:45:55 -0400
From:    mdallin@lamar.ColoState.EDU (MDallin)
Subject: Survey Results

Ok, here are the results of my recent virus survey.  Thanks to all who
replied.  Enjoy!


The Results:

First, a note... keep in mind that not everyone answered all the questions,
and in several cases, I had to throw out vague or confusing answers (only
once or twice, however).  Also, keep in mind that I know very little about
Mac and Atari viruses/scanners, so forgive me if I mistype any names...

32 people responded, 2 of which used Atari ST's, and 6 of which used Macs.
Note that some people used more than one type of computer (ie, they 
responded with what they use for their Mac and their PC).

On PC's, F-Prot was the most used scanner... 22 people used it.  8 people
used McAfee products (Scan, etc).

On Macs, Disinfectant was used by 5 people, SAM by 1 person.

On Atari, Virendetektor was used by 1 person.

Of those polled, 8 have never been infected by a virus, 14 had been infected
once, 2 had been infected twice, 1 person had been infected three times, 1
person infected four times, 2 people infected 5 times, and two people
infected 7 times (and several that responded were unsure, ie 'A dozen or
so times').

Of Dos viruses, 7 of the infections were from Stoned, 6 were by Jerusalem,
3 were by Form, and 2 were by Not-int, Cascade, Yankee Doodle, 
Michaelangelo, and Brain.  About a dozen other viruses infected only one 
person, too many to list here.

Of Mac viruses, 3 infections were by nVIR A, and 1 infection by nVIR B,
WDEF and MDEF.

Here is how the virus danger was rated by those polled:

                Rating     # People Who Chose It
                  1                1     
                  2                2
                  3                5
                  4                5
                  5                5
                  6                5
                  7                6
                  8                3
                  9                0
                 10                0

17 people said the media over-hypes viruses, while 9 said they do not.
5 people replied, "Yes, and No."

29 people said that no countries write viruses to "punish" computer hackers,
while 1 said yes and 1 said for the most part, no.

10 people said that some countries write viruses meant to infiltrate 
computers in other countries, while 22 said they do not.

14 people predicted useful applications of viruses in the future, 17 said
they saw no useful applications.  1 said they saw useful applications,
but not until the distant future.  1 said worms had useful applications,
while viruses did not.

2 people said the law enforcement community was properly trained to deal with
viruses, while 27 said that they were not.  1 person replied, "Yes, and No."

5 people said it is possible for a virus to cause hardware damage, while
13 said no.  12 people said it is possible on old/buggy hardware, but not
at all on new hardware.

28 people said that viral code should be available to those who would use
it responsibly, while 2 said it should not.

14 people said it is or will be possible for a virus to work on machines
with different operating systems, while 8 said it is not.  10 others said
it is possible, but not probable.



Mdd            
- --

"Ah, Ah, Ah, Ah, AAAAAAAAAAAH!!!!"            mdallin@lamar.colostate.edu
 -- Queen, Ogre Battle                        dallin@beethoven.colostate.edu


------------------------------

End of VIRUS-L Digest [Volume 6 Issue 69]
*****************************************
