To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #74
--------
VIRUS-L Digest   Wednesday,  5 May 1993    Volume 6 : Issue 74

Today's Topics:

Re: Request for CRC checking info
Sharing info
Re: Sending viruses over Internet
Antivirus Software Distribution
Re: Detecting Mutations
Re: Scanners getting bigger and slower
unix viruses? (UNIX)
CyberSoft UNIX scanner (UNIX)
MSAV and text-files (PC)
info about new virus (PC)
Need help on tremor virus (PC)
Re: Copyright of Virus Signatures (PC)
Re: ??Hidden file: 386spart.par?? What is this? (PC)
F-Prot 2.08 (PC)
Re: Copyright of Virus Signatures (PC)
RE the stoned virus and 3.5" floppies (PC)
New variety of Stoned virus? (PC)
Novell NLM Viruses (PC-servers)
F-PROT v2.08 (PC)
thanks re 386spart.par (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Tue, 04 May 93 06:21:31 -0400
From:    "John Kida (jhk) (Vienna)" <jhk@washington.ssds.COM>
Subject: Re: Request for CRC checking info

YUE
	Check out the NIST BBS at 1-301-948-5717, max baud 14.4 kbps.

They have a collection of Anti-virus Evals and Technical reports.


John Kida
SSDS, Inc.
Ft. Bragg, Nc.




------------------------------

Date:    Wed, 05 May 93 09:43:14 -0400
From:    rreymond@vnet.IBM.COM
Subject: Sharing info

Vesselin writes:

>The point is that just because something is allowed in your country,
>you shouldn't assume that it is also allowed everywhere else and that
>it is OK to do it everywhere else. In fact, if you are a responsible
>person, you must actually check whether it is permitted in all places
>where you intend to promote it. Never forget - the net is
>international.

OK, but please consider this: as you yourself state, the net is
international, and so it's quite difficult to 'censor' the sharing of
info, minding those countries where some tricks/things are
forbidden. For example, Great Britain: since the net is accessible
from the UK, I must then be very careful not to post here anything that
is forbidden in the UK, mustn't I?  But then this forum will be
useless... there will be room only for obvious and well-known
arguments, not good technical hints. I think, in this peculiar
scenario, the responsibility will be on whoever *receives* the info. If
I were British, I would be aware that it's illegal for me to write a
virus, so if somebody here shows some virus code, or points out where
to get a copy of 40-Hex, I simply ignore that info. If not, I'll be
responsible for that, because I wasn't forced to translate the code
into a functional virus, and least of all was I forced by this forum.
It's quite like X-rated movies: nobody is forced to enter a red-light
cinema, and you are made aware at the entrance of the kind of movies
shown there; the decision is yours.  But since the international
community doesn't forbid and/or consider illegal this kind of info
sharing (we are not able to reach a single judgement here, between us;
figure for yourself at what point the legislators will be), I wouldn't
be on the censors' side.

..............................................Bye!
...................................................Roberto
- -----------------------------------------------------------------------
*  All the above are my own opinions, not necessarily shared by IBM   *
***********************************************************************
Roberto Reymond            IBM C.E.R.T. Italy              via Lecco 61
- ---------------                                    20059 Vimercate (MI)
RREYMOND@vnet.ibm.com                              Italy     MI VIM 491
..........Phone +39.39.600.6873        Fax +39.39.600.5015............
***********************************************************************
*      " Another one bites the dust! " , Queen (The Game, 1980)       *
***********************************************************************


------------------------------

Date:    Wed, 05 May 93 10:23:26 -0400
From:    mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: Re: Sending viruses over Internet

Tox says...

> My point being, virus magazines listing source code are no more
> responsible for the spread of virii than cooking magazines are for the
> spread of salmonella.

Those are not analogous, unless the cooking magazines you're referring to
actually have recipes for salmonella.  (There are publications containing
instructions for using a variety of poisons, and THOSE are analogous to
virus magazines.)

The issue at hand is whether publications containing virus code and other
details provide potential virus authors with the material they need to
create viruses that can cause problems for other computer users.  They do.
If a virus author uses information gleaned from such a magazine to create a
virus, then that magazine is responsible, to some extent, for the result.  I
don't intend the word "responsible" here to indicate legal culpability; I'll
leave that issue to the lawyers.  There's definitely a causal relationship,
though.


- -------------------------------------------------------------------------
 Mark H. Anbinder                  |       Technical Support Coordinator
 BAKA Computers Inc.               |               mha@baka.ithaca.ny.us
 200 Pleasant Grove Road           |                (or) mha@tidbits.com
 Ithaca, New York 14850 USA        |    Phone 607-257-2070  Fax 257-2657
- -------------------------------------------------------------------------
 BAKA Technical Support e-mail "hotline": tech_support@baka.ithaca.ny.us
- -------------------------------------------------------------------------


------------------------------

Date:    Wed, 05 May 93 10:26:30 -0400
From:    millar@a1.relay.upenn.edu (David Millar)
Subject: Antivirus Software Distribution

Can anyone point me to procedures for safe distribution of antiviral
software - addressing use of FTP as well as diskettes?

Thanks
Dave Millar
Univ. of Pennsylvania
millar@A1.relay.upenn.edu


------------------------------

Date:    Wed, 05 May 93 11:05:55 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Detecting Mutations

Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

>We all know that Antivirus programs distribute "updates" which consist
>of strings (probably encoded?) which allow your antivirus software to
>detect the latest viruses.

>But with the self-modifying viruses, this doesn't make sense to me. What
>would have to be distributed would probably be *code* not *data*.

Yes and no..."data" does not mean just search strings. In my case (F-PROT)
I detect *most* viruses with search patterns, or other data entries - there are
only a few cases where I have to use actual C code to detect a particular
virus....MtE, V2P6, Whale, Starship and a few other cases.

>Code updates seem to be the only way to approach viruses which are now taking
>anti-virus products into consideration! Have any antivirus programmers
>considered this possibility/probability/inevitability?

Yes, and that is indeed what I have to do today.  When a new virus appears
that cannot be detected with a search pattern or any of my database-driven
methods, I have to release a code update - that is, I have to make a change
to my C code, instead of my signature files.

But so what ?

A change is a change - and to me it does not matter what I have to change to
detect the virus - as long as it gets detected :-)

>are any companies which still use copy protection but are also in the
>anti-virus business.

Well, there was one anti-virus package some months ago, which Virus Bulletin
refused to review as it was copy-protected, but I think they have now dropped
the copy-protection.

- -frisk
 
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801


------------------------------

Date:    Wed, 05 May 93 11:13:07 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Scanners getting bigger and slower

pjj@cs.man.ac.uk (Pete Jinks) writes:

>frisk@complex.is (Fridrik Skulason) writes:
>>the more viruses there are, the more time you'll have to spend
>>searching, or, to put it in other words, there are more things to search for
>>in every scanned file, that is, exclusive of various 'Turbo Scanning'
>>techniques...)

I didn't write this...and anyhow, it is nonsense - the speed of any decent
scanner does not depend significantly on the number of viruses.

- -frisk

- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801
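
Fridrik's two replies above make one point from two sides: most detections are data entries (search patterns, with a handful of code-driven exceptions such as MtE), and a decent scanner's speed does not depend significantly on how many viruses it knows. The Python below is an added example written for this digest; it is not F-PROT code and not code from anyone posting here. It is a toy data-driven scanner whose signatures are hex strings with `??` wildcard bytes, indexed by a run of fixed "anchor" bytes so that each file offset costs one dictionary lookup however many signatures are loaded, plus a hook for detectors that have to be written as code. The signature names, hex patterns, the `SAMPLE-C` marker and the sample byte strings are all constructed for the example and are not real virus signatures.

```python
"""Toy data-driven signature scanner with wildcard patterns and a code-check hook.
Added example for the VIRUS-L discussion; not F-PROT code.  Every signature and
sample byte string below is constructed and does not describe any real virus."""
from typing import Callable, Dict, List, Optional, Tuple

ANCHOR_LEN = 4  # number of consecutive fixed bytes used to index each signature

# Constructed signature database: hex bytes, '??' = any byte.
SIGNATURE_DB = {
    "Sample-A": "B8 00 4C CD 21",        # fully fixed pattern
    "Sample-B": "E8 ?? ?? 5E 83 EE 03",  # wildcards cover a variable 16-bit operand
}

def parse_signature(hexstr: str) -> List[Optional[int]]:
    """'B8 ?? 4C' -> [0xB8, None, 0x4C]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in hexstr.split()]

def anchor_of(pattern: List[Optional[int]]) -> Optional[Tuple[int, bytes]]:
    """(offset, bytes) of the first run of ANCHOR_LEN fixed bytes, or None."""
    for i in range(len(pattern) - ANCHOR_LEN + 1):
        run = pattern[i:i + ANCHOR_LEN]
        if all(b is not None for b in run):
            return i, bytes(run)
    return None

class Scanner:
    def __init__(self, db: Dict[str, str]) -> None:
        # anchor bytes -> [(name, offset of the anchor inside the pattern, pattern)]
        self.index: Dict[bytes, List[Tuple[str, int, List[Optional[int]]]]] = {}
        self.code_checks: List[Tuple[str, Callable[[bytes], bool]]] = []
        for name, hexstr in db.items():
            pat = parse_signature(hexstr)
            anc = anchor_of(pat)
            if anc is None:
                raise ValueError(f"{name}: needs {ANCHOR_LEN} consecutive fixed bytes")
            off, key = anc
            self.index.setdefault(key, []).append((name, off, pat))

    def add_code_check(self, name: str, fn: Callable[[bytes], bool]) -> None:
        """Register a detector written as code, for cases no search pattern covers."""
        self.code_checks.append((name, fn))

    @staticmethod
    def _matches_at(data: bytes, pos: int, pat: List[Optional[int]]) -> bool:
        if pos < 0 or pos + len(pat) > len(data):
            return False
        return all(b is None or data[pos + i] == b for i, b in enumerate(pat))

    def scan(self, data: bytes) -> List[str]:
        hits = set()
        for pos in range(len(data) - ANCHOR_LEN + 1):
            # One dict lookup per offset whether the database holds 2 or 2000 entries;
            # the full wildcard comparison runs only for candidates the anchor selects.
            for name, off, pat in self.index.get(data[pos:pos + ANCHOR_LEN], ()):
                if self._matches_at(data, pos - off, pat):
                    hits.add(name)
        for name, fn in self.code_checks:
            if fn(data):
                hits.add(name)
        return sorted(hits)

def sample_c_check(data: bytes) -> bool:
    """Constructed code-driven detector.  'Sample-C' stores a one-byte key followed
    by the 8 bytes b'SAMPLE-C' XORed with that key; every copy looks different, so
    no fixed search pattern exists, but a few lines of code can undo the key."""
    mark = b"SAMPLE-C"
    for pos in range(len(data) - len(mark)):
        key = data[pos]
        if bytes(b ^ key for b in data[pos + 1:pos + 1 + len(mark)]) == mark:
            return True
    return False

def build_scanner() -> Scanner:
    s = Scanner(SIGNATURE_DB)
    s.add_code_check("Sample-C", sample_c_check)
    return s

# Constructed sample "files" (byte strings), not real programs or malware.
CLEAN = bytes(range(256))
INFECTED_A = b"\x90" * 10 + bytes.fromhex("B8004CCD21") + b"\x00" * 5
INFECTED_B = b"\x00" * 3 + bytes.fromhex("E83412") + bytes.fromhex("5E83EE03")
INFECTED_C = b"\x90\x90\x5a" + bytes(b ^ 0x5A for b in b"SAMPLE-C")

if __name__ == "__main__":
    scanner = build_scanner()
    for label, blob in [("clean", CLEAN), ("a", INFECTED_A),
                        ("b", INFECTED_B), ("c", INFECTED_C)]:
        print(label, scanner.scan(blob))
```

Adding a signature to `SIGNATURE_DB` costs nothing at scan time beyond the occasional extra candidate check when two patterns share an anchor, which is the sense in which scan speed does not depend significantly on the number of viruses. Sample-C is the other half of Fridrik's point: a detector that has to ship as code runs once per file and is a change to the program, not to its data, but to the user it is still just "a change".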


------------------------------

Date:    Tue, 04 May 93 13:16:10 +0000
From:    schardt@acc.vf.ge.com (James A. Schardt)
Subject: unix viruses? (UNIX)

I have been told that there are UNIX viruses (not talking about
worms or Trojan horses).  Is there a place on the net where
UNIX viruses are documented?

Is it true that a virus would find the UNIX environment very
inhospitable because of the protection the OS puts around its
own memory space and the confinement of the user's memory space?

Thanks in advance.
			--jas

Advanced Concepts Center of Martin Marietta
email: schardt@acc.vf.ge.com
phone: +1 215 992-6243
smail: P.O. Box 1561, King of Prussia, PA 19406  USA
The opinions expressed by me are not necessarily those of the ACC.


------------------------------

Date:    Mon, 03 May 93 21:25:56 -0400
From:    radatti@cyber.com (Pete Radatti)
Subject: CyberSoft UNIX scanner (UNIX)

CyberSoft, Inc is a company that produces virus scanners for Unix and
other operating systems.  It uses its own parsing language called
CVDL.  CVDL is copyright and published for use by end users of
CyberSoft's VFind product.

We are currently researching writing a generic purpose editor that can
be used for disinfection of viruses.  Since VFind scans for MS-DOS,
Apple Mac, Amiga and Unix attack software in one pass (useful for
networks of heterogeneous computers) the editor must be capable of
editing executables from these systems in addition to yet-to-come
systems.

We are inviting comments, suggestions and flames :-]
Send to research@cyber.com

Nasty flames should be sent to devnull@cyber.com  
(Yes, it will go to /dev/null )     :-,

------------------------------

Date:    Tue, 04 May 93 06:18:37 -0400
From:    v922340@herzberg.si.hhs.nl (Ivar Snaaijer)
Subject: MSAV and text-files (PC)

Hello,

I was reading the book "Take a Road Trip with the MS-DOS 6 Upgrade";
this book comes with this version of DOS.

It says on page 79 something about a virus that is known to infect data files.

Infect a data file? Don't they mean that there is some code that could be
a virus that is stored in a file which is not executable?

How can a non-executable be a threat to you?

Another thing about MS (CP) AV is that by default it scans ALL files on disk
(this takes a lot of time on a 213 MB HDD). Is this really necessary, or
is heuristic scanning stupid? ....

(strange thoughts)

- -----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
- -- 
E-mail : v922340@si.hhs.nl    ... i can't help it, i'm born this way ...
- -----------------------------------------------------------------------------


------------------------------

Date:    Tue, 04 May 93 06:53:33 -0400
From:    max mazzucchi <mazzucch@ghost.dsi.unimi.it>
Subject: info about new virus (PC)

I am Max from Milan, Italy,

I have read that a new virus, EXEBUG-II, has been discovered.

have you information about it?

Thanks and bye

- -------------------------------------------------------------------------------
!  Massimo Mazzucchi, student               E-mail:                           !
!  University of State                       mazzucch@ghost.dsi.unimi.it      !
!  Computer Science Department              internet:                         !
!  Via Comelico, 41 -  20133 MILAN ITALY     149.132.2.1                      !
- -------------------------------------------------------------------------------


------------------------------

Date:    Tue, 04 May 93 07:25:02 -0400
From:    zut@rz.uni-jena.de (Udo Toedter)
Subject: Need help on tremor virus (PC)

The other day, a computer in our university was infected by the Tremor
virus. It was found by F-PROT 2.08; it seems that F-PROT is not able to
remove this viral code.  Has anybody in this galaxy solved this
problem?  Any hints are welcome.

Thanks in advance

Udo


**************************************************************************
** zut@rz.uni-jena.de    | Udo Toedter, Computing Centre FSU Jena       **
**                       | (between the psychiatric clinic and the      **
**                       | cemetery ;-))))                              **
** ----------------------|--------------------------------------------- **
** For risks and side effects, please read the Penal Code or ask your   **
** probation officer  8-)                                               **
**************************************************************************




------------------------------

Date:    Tue, 04 May 93 13:47:38 +0000
From:    skank@leland.Stanford.EDU (Forked Tongue Redlich)
Subject: Re: Copyright of Virus Signatures (PC)

CS193560223@lusta.latrobe.edu.au (ENRIQUEZ,L) writes:
>
>	When a virus is found, it does not usually contain a copyright, because
>as far as I can tell, to claim copyright your real name must appear with it.  
>Obviously, most virus writers don't want to do this. However, if someone did
>extract a piece of code (signature) from the virus, and included it in their
>virus scanner, and received a financial advantage from this inclusion, and the
>author came forth to claim copyright, would such a case be legal?
>
>Please remember I am no lawyer..:)

Well, I'm only a law student, but . . .
Probably not.  Copyright protects expression of ideas, not the ideas.
Thus, you couldn't copyright E=MC^2, though you could copyright
a book explaining it.
Also, generally speaking, the shorter the expression, the harder it is
to copyright.  If you tried to copyright the  letter A, you'd lose, 
because others are going to need to use it.

The scanner would probably be copyrightable like any other software,
regardless of the inclusion of that one virus sig.

Warren


------------------------------

Date:    Tue, 04 May 93 09:54:08 -0400
From:    ghansen@silver.sdsmt.edu (Gary Hansen)
Subject: Re: ??Hidden file: 386spart.par?? What is this? (PC)

skank@leland.Stanford.EDU (Forked Tongue Redlich) writes:
 
>I noticed this while playing solitaire on my PC (a 386).
>Nothing else was running, and I noticed that my hard disk had
>started doing something - I heard the noise it makes and saw
>the light buzzing.
 
>Since I found this unusual, I ran a virus check.  Found nothing.
>Except there was a new hidden file - in the root directory - 386spart.par
>I did a binary file edit but found mostly text and junk.  I couldn't
>find anything that hinted at a virus hidden in this 10 megabyte
>file.  I wonder if it may just be a dump from shutting off the
>computer in haste and having some program backup what's on - but
>why a hidden file in the root directory.
 
>Any help would be appreciated.
 
To be precise, 386spart.par is actually a hidden, _system_ file.  
It is the permanent swap file that Windows creates for use as
virtual memory when running in 386 Enhanced Mode.  If you don't
like it being there when you exit Windows, you can switch to
using a temporary swap file (refer to your Windows User's
Guide), but your performance will suffer.

As for the disk drive running while you are doing nothing disk
related in Windows -- get used to it.  It's the nature of the
beast.

Gary Hansen
SD School of Mines & Technology
ghansen@silver.sdsmt.edu 

------------------------------

Date:    Tue, 04 May 93 16:57:10 -0400
From:    (georgia deakin) <gj9@prism.gatech.edu>
Subject: F-Prot 2.08 (PC)

I just obtained a copy of F-prot 2.08 and started to install it on one 
machine here.  Seems this computer is infected with the Stoned virus.  This
is the one virus we seem to have problems with here - I have been told by
campus technicians that it floats around on our net.  Anyway, I tried to 
clean it off with F-prot 2.08 and got a message that Stoned could not be
removed with this version.  Can anyone help me?

Georgia Deakin
Director of Technology Training and Services
Georgia Tech Alumni Association
853-0751


------------------------------

Date:    Tue, 04 May 93 19:52:30 -0400
From:    dudleyh@redgum.ucnv.edu.au (Dudley Horque)
Subject: Re: Copyright of Virus Signatures (PC)

CS193560223@lusta.latrobe.edu.au (ENRIQUEZ,L) writes:
>	When a virus is found, it does not usually contain a copyright, because
>as far as I can tell, to claim copyright your real name must appear with it.  
>Obviously, most virus writers don't want to do this. However, if someone did
>extract a piece of code (signature) from the virus, and included it in their
>virus scanner, and received a financial advantage from this inclusion, and the
>author came forth to claim copyright, would such a case be legal?

Well... the inclusion of the copyright owner's name (and the year of
copyright) is only necessary in the U.S. of A. (where they're backward
enough not to have fully adopted the internationally recognised
copyright laws devised at the Berne Convention).

Secondly, if the virus author could prove that (s)he wrote the virus,
AND the virus scanner contained a substantial piece of the author's
creative effort, then the author WOULD (not could) claim copyright if
(s)he so wished. (S)he could then attempt to sue the trousers off the
parties who infringed their copyright. In the process, however, I would
hope that the author also had their lower garments sued off them for the
grief that the virus caused, AND had the potential to cause.
- -- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ciao4niao                                 My philosophy on life is far too deep
Dudley Arthur Horque                   to fit into two lines... I'd need three.


------------------------------

Date:    Wed, 05 May 93 09:09:54 -0400
From:    s926191@yallara.cs.rmit.OZ.AU (Donald Gingrich)
Subject: RE the stoned virus and 3.5" floppies (PC)

Don't believe that the stoned virus can only occur on 5.25 floppies.
The reason this misinformation developed is that the original virus
would only infect the disk in A: drive.  Normally the drive that is A:
will not change over the life of the machine. Thus since stoned was
initially released on 5.25 floppies it was (mistakenly) assumed that
it could not spread to 3.5".

There is, however, a scenario which I reported to Dr Solomon in 1990 in
which a 3.5" floppy can become infected.  A friend bought a Toshiba
(brand is unimportant, I think) laptop with an external 5.25" drive
and an internal 3.5" drive.  Interestingly enough, when the external 
drive was attached *it* was A: drive.  But, when the external drive
was absent the *internal* *3.5"* drive was A: drive.

Infected floppy in 5.25" boots up, virus moves to internal hard disk,
next time a 3.5" floppy is in machine with no external drive *it* is in
A: drive, and thus infected.  I have seen this happen.  Further I 
presented Dr Solomon with an infected 3.5" floppy at a seminar in 
Australia immediately after he had said that stoned didn't come on
3.5" disks.  I have since noticed that his comments have been modified.
It is gratifying to see a scientist who recognises a fact even if it 
doesn't fit his theories.

***************************************************************************
*  Don Gingrich                   *           Gingrich's Law              *
*  2nd Year Grad. Dip. In CS      *  Software expands to fill the space   *
*  R.M.I.T.                       *     available to it -- plus 10%       *
*  Melbourne Australia            *    I'm an optimist, alright? :-)      *
*  s926191@yallara.cs.rmit.OZ.AU  *  #include <std_disclaim.h>            *
***************************************************************************


------------------------------

Date:    Wed, 05 May 93 13:21:52 +0000
From:    sph0301@utsph.sph.uth.tmc.edu (Kate Wilson)
Subject: New variety of Stoned virus? (PC)

Yesterday we had (yet another!) hit from the Stoned virus.  Surprisingly,
the latest version (2.08) of F-Prot wouldn't clean it, although an older
copy of McAfee's Scan (version 97, I think) removed it.

Both floppy drives stopped reading high-density diskettes at the same 
time the PC was infected although I suspect that was coincidence and not 
virus-related... 

kate wilson
UT Health Science Center, Houston

------------------------------

Date:    Wed, 05 May 93 09:58:11 -0400
From:    padgett@tccslr.dnet.mmc.com (A. PADGETT PETERSON, P.E., INFORMATION SECURITY (407)826-1101)
Subject: Novell NLM Viruses (PC-servers)

	This point has come up before but I do not know of any and
while an NLM virus could be written, it would be relatively difficult
to introduce into a system given the dual state nature of a Novell
client-server relationship (3.11 or above).

	True, a malicious person with physical (boot) access to the server
might be able to introduce an NLM trojan into the system (a virus would
be pointless at the moment) that would act as a "dropper" onto the clients.

	Now earlier versions and all "peer-peer" networks have much
different vulnerability levels since these machines can be operated
as combination workstations/servers & this removes the "dual-state"
protection inherent in a dedicated server.

	For instance, I like LANTASTIC very much as a simple and effective 
networking system. However, as a "trusted" system it has three major
vulnerabilities:
1: LANTASTIC runs under DOS & uses DOS interrupts
2: The server is also a workstation (yes, I know about "ALONE")
3: There is no provision for login scripting

(Note: I am not picking on LANTASTIC, I have yet to see a peer-peer LAN
 that does not have these characteristics but have used LANTASTIC AI and
 have purchased LANTASTIC-Z which makes an effective teaching tool. - 
 Further the problems I note are correctable if login scripting were 
 possible.)

	However, for the moment I would not be concerned about a NLM
virus provided that the physical security of the server is maintained.
To become active, a virus must be executed. To spread a virus must
have access to many different machines and neither is much of a risk on
a well-maintained, dedicated Novell server.

					Warmly,
							Padgett

disclaimer - personal opinions only & If in error, am sure to be corrected.

ps Does anyone know what the different drive light blink codes used by a 
   MiniScribe (now Maxtor) 3650 drive are ? All the manufacturer would tell 
   me was that they are error codes but they do not support those drives 
   anymore 8*(. What I am getting is on steady for a second, off for a second,
   fast pulse for a second, off for a second & repeat. - app



------------------------------

Date:    Wed, 05 May 93 10:02:14 -0400
From:    caryjm@marta.uncg.edu (John Cary)
Subject: F-PROT v2.08 (PC)

Our site has a site-license for f-prot.  I downloaded 2.08 from wuarchive a 
couple of days ago.  We have had a problem with it.

It discovered the Stoned virus with no problem; however, it was unable to
disinfect the virus.  2.07 worked just fine, and we went back to that
version to get rid of the virus.

Any one else have this problem?

John Cary, UNCG.  caryjm@marta.uncg.edu

- ------------
John Cary, Systems Programmer
UNC Greensboro Dept of Systems and Networks
Greensboro, North Carolina
john_cary@uncg.edu


------------------------------

Date:    Wed, 05 May 93 17:01:22 +0000
From:    skank@leland.Stanford.EDU (Forked Tongue Redlich)
Subject: thanks re 386spart.par (PC)

I just wanted to thank everyone who responded to my query about the
hidden file 386spart.par.  For those who did not see the answer, it is
the Windows permanent swap file, and is mentioned in the Manual (I did
check). Thanks again. -Warren Redlich skank@leland.stanford.edu


------------------------------

End of VIRUS-L Digest [Volume 6 Issue 74]
*****************************************
