To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #80
--------
VIRUS-L Digest   Wednesday, 19 May 1993    Volume 6 : Issue 80

Today's Topics:

Index of archives??
Write Protecting Harddrives (add on HW/SW)
Human factor in infections
Scanners getting bigger and slower
Virus on OTC 850XL Printer????????
Hacker Executed
Follow-up on UNIX viruses (UNIX)
Had a look at OS2SCAN 104 etc. (OS/2)
TREMOR and data-tv in german-channel PRO7 !!! (PC)
Need help on tremor virus (PC)
??Hidden file: 386spart.par?? What is this? (PC)
F-Prot 2.08 (PC)
MSAV and text-files (PC)
FLIP (PC)
Blah Blah Mich on Sun (PC)
McAfee Scan false alarm (PC)
Re: Generic Stealth Detector (PC)
Re: MtE anti-viruses (PC)
McAfee's Scan and Compressors (PC)
Re: Viruses which cost $$$ (PC)
F-Prot 2.07 (PC)
FORM virus (PC)
Window's Graphics/memory Virus??? (PC)
TBAV v6.01 anti-virus and new signatures uploaded to SIMTEL20 (PC)
FP-208A.ZIP - F-PROT 2.08a: Virus detection/removal software (PC)
New files on risc (PC)
Encryption (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Sat, 15 May 93 12:42:15 -0400
From:    Albert-Lunde@nwu.edu (Albert Lunde)
Subject: Index of archives??

Is anyone in a position to build something like a WAIS index of comp.virus/
VIRUS-L archives? It seems like this could help with some kinds of
recurring questions,

[Moderator's note: People have approached me about this, and I believe
that there's at least one effort to put up a gopher server, but no
WAIS servers are yet in place.  If anyone is interested in setting up
a WAIS, gopher, etc., to access the VIRUS-L/comp.virus archives, I'd
be more than happy to discuss it with him or her.]

- -- 
    Albert Lunde                      Albert-Lunde@nwu.edu

------------------------------

Date:    Sun, 16 May 93 22:06:50 -0400
From:    "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: Write Protecting Harddrives (add on HW/SW)

mark@CS.MsState.EDU (Mark Rauschkolb) asks

>     I have been asked to investigate the "state of the art" in 
>write protecting old harddrives (ones without a write protect switch).

How old is "old"?  If you mean slightly old, like IDE drives, 
then hardware protection is complex.  None of the hardware cards 
meets my needs, as you can't just switch write protect off or on 
at will.  

However if you mean really old, as in ST605(?) it's easy; just 
get a DPDT (double pole double throw) toggle switch, carefully 
cut lines 6 & 12 (Write & Error) in the drive cable, and connect 
as shown below.  You need a soldering iron, a steady hand & some 
experience, so ask your technician if lacking these.  

Most clones sense the error so you get a critical error message 
when anything tries to write to drive C.  (Many viruses don't 
think a write error is possible on drive C, so don't trap crit 
errors when they try to infect BS, command.com, etc.)  However 
early IBM XTs & exact copies don't check the error line, so you 
can happily write to drive C, unaware that nothing is being 
written.  We have this problem, & frequently panic when someone 
tries to install VET with drive write protected, & it appears to 
crash, or we clean up an infected BS, & reboot, only to have the 
virus reappear.

             6 ------o   o------->    
                       \
    From controller      o--     to ST605 drive
                            |
            12 ------o   o--|---->
                       \    |        Switch:  Up   Normal
                         o--                  Down Wrt prot

Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188   AUSTRALIA       Fax: +613 521 0727

------------------------------

Date:    Mon, 10 May 93 09:26:05 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Human factor in infections

 > From: frisk@complex.is (Fridrik Skulason)

IR: I said I considered chances of infection of big companies were small.

FS:

 > Depends on what you mean - most big companies get isolated cases
 > every now and then...for example if an employee brings an infected disk

The question here is whether:

1. The work is home-able, meaning it's possible to continue working at home.
   Same goes when your WORK computer is a notebook.

2. Employees are allowed/checked for bringing home-made disks.

If the answer to either of the questions is true, an infection is possible,
and likely to happen sometime.

 > from home, but cases of massive, company-wide infection are
 > rare....still,
 > they happen occasionally - the worst I have seen was somewhere around
 > 20.000
 > machines infected in a single company.

Would I be mistaken if I assumed that those companies weren't adequately
protected, or was it a new variant?

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date:    Mon, 10 May 93 09:28:06 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Scanners getting bigger and slower

 > From: frisk@complex.is (Fridrik Skulason)

 > Generic disinfectors exist...

 > Well, they fall into two categories:

 >     1) CRC+database-based disinfectors, such as those in Untouchable and
 >        F-PROT Professional.  Basically they only work if you ran the
 >        integrity program before the files got infected, and stored the right
 >        that is needed to disinfect.  Those disinfectors never make mistakes,
 >        but may not be able to disinfect all viruses.

I've heard of those. I'm working on/with one.

 >     2) Emulation/single-stepping disinfectors.  Basically, the idea here is
 >        to trace through the virus code until it has restored the original
 >        program and transfers control back to it.  Those disinfectors are
 >        interesting, but are still in the experimental stage.

But tracing the source UNTIL THE ORIGINAL PROGRAM will load the virus
resident, wouldn't it? Unless you only VIEW, not EXECUTE. But then again, you
sometimes MUST execute, otherwise relocational jumps won't work.

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)
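The CRC+database disinfector quoted above, modelled as an added example (not code from F-PROT, Untouchable, or anything Inbar works on). It assumes an appending infector that overwrites the first HEADER_LEN bytes of its host and appends its body; the record stores exactly what is needed to undo that, and the CRC check is what makes the repair either provably right or refused.

```python
import zlib
from dataclasses import dataclass

# Assumption for this model: the infector overwrites the first HEADER_LEN
# bytes of the host (to reach its own body) and appends that body at the end.
HEADER_LEN = 16


def crc(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


@dataclass
class Record:
    size: int      # length of the clean file
    crc: int       # CRC32 of the clean file
    header: bytes  # the bytes an appending infector would overwrite


def make_record(clean: bytes) -> Record:
    """Take the record while the file is KNOWN clean.  Nothing below can
    work if this step happens after the infection."""
    return Record(len(clean), crc(clean), clean[:HEADER_LEN])


def is_unchanged(data: bytes, rec: Record) -> bool:
    return len(data) == rec.size and crc(data) == rec.crc


def disinfect(data: bytes, rec: Record):
    """Rebuild the host from its record.  Returns the original bytes only
    when the rebuilt file matches the stored CRC; otherwise None, meaning
    this record cannot repair this change (not an appending infection, or
    the record was taken too late).  This is the 'never makes a mistake,
    but may not disinfect everything' property of such tools."""
    if is_unchanged(data, rec):
        return data
    if len(data) < rec.size:
        return None  # truncated or overwritten: the original tail is gone
    candidate = rec.header + data[HEADER_LEN:rec.size]
    return candidate if crc(candidate) == rec.crc else None


# --- constructed test material: a fake program and two fake infectors ---
CLEAN_PROGRAM = bytes(range(256)) * 2  # 512 bytes standing in for a program


def fake_appending_infector(host: bytes) -> bytes:
    """Stand-in for an appending infector: patches the entry with a jump
    and appends a 100-byte body.  Constructed for the example only."""
    patched_entry = b"\xE9\x00\x02" + b"\x90" * (HEADER_LEN - 3)
    return patched_entry + host[HEADER_LEN:] + b"\xEE" * 100


def fake_overwriting_infector(host: bytes) -> bytes:
    """Stand-in for an overwriting infector: the original content is gone,
    so no record-based repair can succeed."""
    return b"\xCC" * len(host)


def demo() -> dict:
    rec = make_record(CLEAN_PROGRAM)  # taken while clean
    appended = fake_appending_infector(CLEAN_PROGRAM)
    overwritten = fake_overwriting_infector(CLEAN_PROGRAM)
    late_rec = make_record(appended)  # integrity program run too late
    return {
        "clean_passes": is_unchanged(CLEAN_PROGRAM, rec),
        "appended_detected": not is_unchanged(appended, rec),
        "appended_repaired": disinfect(appended, rec) == CLEAN_PROGRAM,
        "overwritten_refused": disinfect(overwritten, rec) is None,
        "late_record_helps": disinfect(appended, late_rec) == CLEAN_PROGRAM,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Inbar's objection about single-stepping does not arise here: the virus code is never executed, only the stored clean prefix and the CRC are used.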

------------------------------

Date:    Tue, 18 May 93 10:02:58 -0400
From:    CS003@ukanvm.bitnet
Subject: Virus on OTC 850XL Printer????????

I have an OTC 850XL Printer connected to a Zenith 386/16 running
DOS-based applications. Apparently, I have some kind of virus which
causes the following to print endlessly on my printer.

"HOZN AUTO & SOFT CO., LTD. TEL: (02) 551-9074 TAIPEI TAIWAN R.O.C. PB-256-2
V1.7 WRITED BY: JAMES YOWREN CHEN FEB. 7, 1987 I AM VERY STUPID!"

In October of 1991, it printed this for the first time. Then, it
hadn't printed it until this month. This month, it has done it three
times. I have to shut off the printer to get it to stop. I am using
the same software and can't find any consistency in what sets it off.
I have run the McAfee Virus checker and DOS 6.0 virus checker without
any luck. Also, I called the printer company because I thought maybe
the virus was in the ROM chip of the printer, but they informed me
that this was not possible.

Please help! Any information would be greatly appreciated. Please
respond directly to my Bitnet mail because I have sent this note out
to many lists, some of which I am not subscribed to. Thanks in advance
for any help.

P. A. Crowell                 BITNET: cs003@ukanvm
KU School of Medicine       INTERNET: cs003@ukanvm.cc.ukans.edu
The important thing is not to know more than all men, but to
know more at each moment than any particular man. -von Goeth

------------------------------

Date:    Tue, 18 May 93 15:38:32 -0400
From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
Subject: Hacker Executed

Found in INFORMATIONWEEK, May 17, 1993

"According to news reports from China, Shi Biao, a computer hacker,
has been executed as a warning to others contemplating computer crime.
In 1991, Biao defrauded the Agricultural Bank of China around $200,000
through money transfers."

Despite the temptation to make moral judgements here, I will simply
observe that the hacker was executed because his code was executed.

------------------------------

Date:    Sun, 16 May 93 17:45:42 -0400
From:    radatti@cyber.com (Pete Radatti)
Subject: Follow-up on UNIX viruses (UNIX)

>Re:  VIRUS-L Digest V6 #75 David M. Chess said...
>There are no UNIX viruses known to be in the wild at present.

That depends on what you consider "wild".  My company tracks Unix
attacks and provides generic information on such.  Last year there
were at least 2 attacks of which I was directly aware.  So far this
year, there was one attack of which I received second-hand information
from a reliable source.  This does not yet pose a significant threat
and I would not recommend that anyone run out and purchase VFind, (my
product) if their only reason was for protection against Unix viruses.
The problem of Heterogeneous Computer Viruses In A Networked Unix
Environment and the need for a general purpose pattern matching
language along with protection from Unix viruses, Trojans, etc and the
ability to provide file signature generation is a much better reason.
It is the primary reason that we state, however we will do limit folks
from other reasons for desiring this type of protection.  All products
of these types are like life insurance, you only really need to buy
them if you die, however then it's too late.

Pete Radatti
radatti@cyber.com

------------------------------

Date:    Tue, 18 May 93 07:23:23 -0400
From:    A.Jilka <jilka@GBAWS4.ZAMG.AC.AT>
Subject: Had a look at OS2SCAN 104 etc. (OS/2)

Hi all,
during the last days I had an intensive look at McAfee's latest release of
OS2SCAN, OS2CLEAN and OS2VAL. As the report got somewhat long, I won't post
it to the list unless there are more than 15 persons interested. I'll mail it
to every interested reader of this digest. One copy has already gone to
Aryeh. So if you are interested, drop me a line and I'll return my long 
letter.
Greetings from sunny Austria, Alfred (J.Quack)
- --
###############################################################################
Alfred JILKA                # This place intentionally left blank! This place i
Geological Survey, Austria  # ntentionally left blank! This place intentionally
KARGRA@GBA930.ZAMG.AC.AT    # left blank! This place intentionally left blank!
JILKA@GBAWS4.ZAMG.AC.AT     # This place intentionally left blank! This place i
#################Don't cut here, you'll damage the screen !####################

------------------------------

Date:    Tue, 18 May 93 08:14:58 -0400
From:    arnd@rea.informatik.rwth-aachen.de (Arnd Gehrmann)
Subject: TREMOR and data-tv in german-channel PRO7 !!! (PC)

Just a few minutes ago, on WDR2, a local broadcast station, the following
warning was announced:

In the VideoDat service of the commercial German TV channel PRO7, on Friday
the 14th of May at 2:05 pm, a program infected with TREMOR was sent!!!!!!!!!!!!!
At 3:00 pm the infection was detected and at 4 pm the station sent the
correct version. All people who stopped transferring programs before
4 pm have an infected version of PKUNZIP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

- ---(German text, translated)---------------------------------------------
A few minutes ago the following warning was broadcast on WDR2:

In the VideoDat service of the German commercial TV channel PRO7, a program
contaminated with TREMOR was broadcast on Friday, 14 May at 14:05. At 15:00
the infection was noticed and around 16:00 the station sent the virus-free
version. Everyone who stopped the transfer before 16:00 has an infected
version of PKUNZIP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- ---------------------------------------------------------------------------

- -- 
Arnd Gehrmann
(arnd@zeus.informatik.rwth-aachen.de)

------------------------------

Date:    Mon, 10 May 93 15:43:17 +0200
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Need help on tremor virus (PC)

Hi Udo!

 > Last day, a computer in our university was infected by the
 > tremor
 > virus. It was found by FPROT 208, it seems, that FPROT is not
 > able to
 > remove this viral code.  Has anybody in this galaxy solved this
 > problem ?. Any hints is welcome.

TREMOR is very nasty: polymorphic, stealth, tunneling and directly attacking 
some anti-virus software.

Check out TBCLEAN, it works (you must boot clean before). You also can request 
ANTISER from Robert Hoerner's VIRNET or FIDO-Node (or from mine) if you have 
access to it. This program is a vaccine and a disinfector for TREMOR and some 
other viruses.

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date:    Mon, 10 May 93 15:37:16 +0200
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: ??Hidden file: 386spart.par?? What is this? (PC)

Hi Anthony!

 > Many hard drives also move the heads occasionally to prevent 'hot spots',
 > which can heat and damage the disk surface.

?? What's that? A powered-on harddisk spins with a constant speed, it is not 
touched by the R/W head, so there can't be any "hot spots".
Please explain further if you're sure about that...

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date:    Mon, 10 May 93 15:48:18 +0200
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: F-Prot 2.08 (PC)

Hi Georgia!

 > Seems this computer is infected with the Stoned virus.  This
 > is the one virus we seem to have problems with here - I have
 > been told by campus technicians that it floats around on our net.

STONED is an MBR infector and cannot spread via networks (!). To kill it off a hard 
disk and from memory, boot from a DOS 5 (or later) disk with FDISK.EXE on it 
and issue "FDISK /MBR". This rewrites the MBR sector on the hard disk, and you 
boot clean off the hard disk next time. Don't forget to use e.g. F-PROT to 
clean all diskettes!
If your version shows problems, copy all files away from all disks, format 
them and copy all files back. This also kills Stoned.

About F-PROT: There is an update available, 2.08A - the bug that some boot 
infectors could not be killed is fixed. Thanx, Frisk!

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date:    Mon, 10 May 93 17:57:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: MSAV and text-files (PC)

From: v922340@herzberg.si.hhs.nl (Ivar Snaaijer) writes:

 > How can a non-exacutable be a threath to you ?
It's like this: Most DATA files are no threat to you, even if you take them to 
another (non infected) computer, they are (in most cases) simply corrupted. 
However some "DATA" files are not what they seem, for example LOTUS 
spreadsheets are practically a kind of overlay that LOTUS loads and executes.
So (as the 100-Years (=4096=Frodo) virus successfully demonstrated) it is 
possible to take an innocent "DATA" file to a clean machine and get infected.
Generally there are not many viruses that do it, but they exist.

 > an other thin about MS (CP) AV is that it default
 > scans ALL files on disk. (this takes a lot of time on a
 > 213Mb HDD).
But usually it is for the best. MSAV is a bit slow, but if the program will 
try to identify each file and determine its true type (instead of relying on 
the extension) it will distinguish data files from executable ones (as V-CARE 
does) and run much faster on the non executables.
We had an interesting experience with several customers that had a programmer 
that used a batch file to rename his compiler and development kit files to a 
nonexecutable extension. So no anti virus (reasonably enough, used with the 
default switch of checking only EXE, COM etc.) was able to detect a virus that 
was in some of these files and it took a lot of time just to think of the 
possibility.

> Is this really necessary or is heuristic scanning stupid ? ....

I don't get your meaning, how does this relate to the other topics?

Regards

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)
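The "determine its true type instead of relying on the extension" point above, as an added example (not V-CARE's or MSAV's code): an MZ header is accepted only if its fields are consistent with each other and with the file, so a renamed compiler binary is still found and a file that merely starts with "MZ" is not. The field names are those of the documented DOS EXE header; the sample files and their contents are constructed.

```python
import struct
from typing import Dict, List, Optional

# e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss,
# e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno: the 28-byte DOS EXE header.
MZ_HEADER = struct.Struct("<2s13H")


def mz_consistency(data: bytes) -> Optional[str]:
    """Return why the content is NOT a self-consistent MZ image, or None."""
    if len(data) < MZ_HEADER.size:
        return "too short for an MZ header"
    (magic, e_cblp, e_cp, e_crlc, e_cparhdr, _minalloc, _maxalloc, _ss, _sp,
     _csum, _ip, _cs, e_lfarlc, _ovno) = MZ_HEADER.unpack_from(data)
    if magic not in (b"MZ", b"ZM"):  # DOS accepts either byte order
        return "no MZ signature"
    if e_cp == 0 or e_cblp >= 512:
        return "page count / last-page size out of range"
    # Size of the image DOS would load: whole 512-byte pages, last one partial.
    image_size = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    header_size = e_cparhdr * 16
    if header_size < MZ_HEADER.size or header_size > image_size:
        return "header size inconsistent with image size"
    if e_crlc and e_lfarlc + 4 * e_crlc > header_size:
        return "relocation table does not fit in the header"
    if image_size > len(data):
        return "declared image larger than the file"
    return None


def classify(data: bytes) -> str:
    """'EXE' when the CONTENT carries a consistent MZ header, else 'DATA'.
    COM files have no header at all, so content alone cannot separate a
    COM program from data; a scanner that wants them must look at every
    small file, not only at *.COM (one reason MSAV's scan-everything
    default is slow but safer)."""
    return "EXE" if mz_consistency(data) is None else "DATA"


def find_executables(files: Dict[str, bytes]) -> List[str]:
    """Names of files whose content is executable, whatever the extension."""
    return sorted(n for n, d in files.items() if classify(d) == "EXE")


def constructed_exe(body: bytes) -> bytes:
    """Build a minimal, internally consistent MZ image around `body`
    (constructed for the example; it is not a real program)."""
    header_paras = 2  # 32-byte header
    total = header_paras * 16 + len(body)
    e_cp, e_cblp = (total + 511) // 512, total % 512
    hdr = MZ_HEADER.pack(b"MZ", e_cblp, e_cp, 0, header_paras, 0, 0xFFFF,
                         0, 0x100, 0, 0, 0, 0x1C, 0)
    return hdr.ljust(header_paras * 16, b"\x00") + body


# Constructed sample "disk": the renamed compiler from the post, a text
# file, and a file that only pretends to be an EXE.
SAMPLE_FILES = {
    "REPORT.DAT": b"Quarterly figures\r\n" * 10,
    "CC1.DAT": constructed_exe(b"\xC3" * 100),  # compiler renamed to .DAT
    "FAKE.EXE": b"MZ" + b"\x00" * 40,           # signature, e_cp == 0
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, classify(data), mz_consistency(data) or "")
    print("scan these regardless of extension:", find_executables(SAMPLE_FILES))
```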

------------------------------

Date:    Fri, 14 May 93 17:22:14 -0400
From:    Mike_Dunn@mindlink.bc.ca (Mike Dunn)
Subject: FLIP (PC)

A bbs in Vancouver, Canada running ROBOBOARD, has recently been attacked by
the FLIP virus.  The entire computer was checked for viruses at 2pm. Between
2pm and 2:38pm a hacker broke into the system and inserted the virus, which
came into effect at 2:38pm.  NOTE:  This was a hacker's work, not an uploaded
file.  Unfortunately the FLIP virus virtually destroyed most of his hard drive.
I believe it attacked the FAT, destroying almost all data.  Some files were
recovered.  Some of the bbs, and one on-line game were rescued.  All
downloadable files were wiped out.  The virus was cleaned out using McAfee
CLEAN.  The user log was wiped out, so we do not know who committed this
heinous crime.

Does anyone have any information about FLIP?  Can anyone tell us what it
does, exactly.  All I have is McAfee's data on it.

Taken from the file VIRLIST.TXT, given out by McAfee

>                         VIRUS CHARACTERISTICS LIST V100
>                    Copyright 1989-1993 by McAfee Associates
>                            Updated by Brian Thomas
>                              All Rights Reserved.
>                              TEL (408) 988-3832
>
> ==========================================================================
> A Infects Fixed Disk Partition Table-A-------------------+
> 9 Infects Fixed Disk Boot Sector-----9-----------------+ |
> 8 Infects Floppy Diskette Boot-------8---------------+ | |
> 7 Infects Overlay Files--------------7-------------+ | | |
> 6 Infects EXE Files------------------6-----------+ | | | |
> 5 Infects COM files------------------5---------+ | | | | |
> 4 Infects COMMAND.COM----------------4-------+ | | | | | |
> 3 Virus Installs Self in Memory------3-----+ | | | | | | |
> 2 Virus Uses Self-Encryption---------2---+ | | | | | | | |
> 1 Virus Uses STEALTH Techniques------1-+ | | | | | | | | |
>                                        | | | | | | | | | | Increase in
>                                        | | | | | | | | | |  Infected
>                                        | | | | | | | | | |  Program's
>                                        | | | | | | | | | |    Size
>                                        1 2 3 4 5 6 7 8 9 A      |
>                                        | | | | | | | | | |      |
> Virus                   Disinfector    V V V V V V V V V V      V   Damage
> --------------------------------------------------------------------------
> Flip (5) [Flip]            Clean-Up    . x x x x x x . . .    2343  O P D L
>
>
> LEGEND:
> O - Affects system run-time operation
> P - Corrupts program or overlay files
> D - Corrupts data files
> L - Directly or indirectly corrupts file linkage

Again, does anyone have any information about FLIP, or how something like
this could be prevented in the future?

                                                        MIKE DUNN

------------------------------

Date:    Sun, 16 May 93 08:08:14 -0400
From:    Javier Fernandez Baldomero <jfernandez@ugr.es>
Subject: Blah Blah Mich on Sun (PC)

	Well, I should improve my English understanding. I still understand
as contradictory the terms "this already happened" and "it will have NO
effect". It seems the mounting of the diskette coincided with the
scrambling of the local disks, but for a totally unrelated reason.

	BTW, now I wonder whether that "SOFT-PC" could even
emulate port access to disks!

	Here is the summary on sun-managers about the previous question.
======================================================
> From:              <sun-managers-relay@ra.mcs.anl.gov>
> Subject:           SUMMARY: PC Virus on Sun
> >X-Envelope-to: jfernandez@ugr.es
>
> Original Posting:
>
> What effect (if any) would a PC floppy infected with 
> Michaelangelo virus have on a Sun if it was inserted in
> a Floppy drive and mounted as a PCFS file system?
>
> I think that since the virus is said to affect the boot block(s)
> of PC disks,  the disk probably would not be readable by the
> Sun since it is somewhat corrupt, but maybe not.  
>
> If it fooled my SPARC 10 and mounted correctly would the virus be 
> able to harm any of my local SPARC disks or files ?
>
> ( These are not really hypothetical questions, this already happened. )
>
> -----------------------------------------------------------------
>
> SUMMARY:   As expected, it will have NO effect.  The virus is written
>            in Intel code and cannot possibly execute on a SPARC without
>            the aid of an interpreter such as SOFT-PC, in which case
>            it would still only affect the simulated DOS file systems.
>
>            ( This was really more of a curiosity question,  I apologize
>            if I wasted bandwidth. )
>
> ------------------------------------------------------------------
> THANKS TO:
> cps.msu.edu!vuppala
> emcgon@ca.dcu.ie
> inel.gov!cdm
> glr@cs.unh.edu
> slezak@llnl.gov
> apple.com!richardt
> ews7.dseg.ti.com!danny
> poffen@sj.ate.slb.com
> lem@usb.ve
> cal012.bprc.ab.ca!glaqua
> mulga.awadi.com.AU!blymn
> fetrow@biostat.washington.edu
> fwi.uva.nl!casper
> rauls@usb.ve
> sunne.East.Sun.COM!stern
> kjv@tre-vta.valmet.com
> rug@basis.ffi.no
==================================================================

	Don't know if someone of these was someone of you, but
just in case...Thanx!

------------------------------

Date:    Sun, 16 May 93 21:06:36 -0400
From:    "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: McAfee Scan false alarm (PC)

A firm was having trouble with a PC; files mysteriously 
corrupted, etc, etc.  Software suppliers said hardware, & vice 
versa.  Standoff till someone ran Scan /A, which reported "Slovak 
virus" in two data base files.  Chorus of "There's the answer!"  
Only problem; Clean wouldn't remove it, all backups were also 
"corrupted", and the files contained vital data.

We checked one of the files.  It consisted exclusively of 14 byte 
fields.  The first 8 bytes were ASCII names, then a two or three 
byte numeric field, and finally two or three bytes of hex zeroes.  
There was nothing remotely resembling code anywhere on the file.

Out of curiosity I repeatedly chopped the file in two.  Stopped at 
78 bytes, still "infected".  Hex dump appears below.

Scan 100, 102, 104 all reported "Slovak" virus.

0000  80 01 11 7E 93 02 00 00-57 4F 4F 44 30 32 80 01   ...~....WOOD02..
0010  11 BE 95 02 00 00 57 4F-4F 44 30 32 80 01 11 BE   ......WOOD02....
0020  9E 03 00 00 57 4F 4F 44-30 32 80 01 11 EC BE 03   ....WOOD02......
0030  00 00 57 4F 4F 44 30 32-80 01 11 EC BB 03 00 00   ..WOOD02........
0040  57 4F 4F 44 30 32 80 01-11 F6 C0 03 00 00 00      WOOD02.........

Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188   AUSTRALIA       Fax: +613 521 0727

------------------------------

Date:    Mon, 17 May 93 04:42:19 -0400
From:    duck@nuustak.csir.co.za
Subject: Re: Generic Stealth Detector (PC)

Thus spake trimm@netcom.com (Trimm Industries):
> 
>Summary: a typical stealth virus, if present and active in RAM, attempts
>to evade detection by av software by intercepting int 21 or int 13 file 
>open or block read services, and presenting the requestor with the simulated
>image of an uninfected file or block.  The routine proposed below attempts
>to take advantage of this fact to expose the virus.

But don't forget that there is an essentially foolproof way to "expose"
stealth viruses without heavy-duty programming tricks, or add-in hardware.
It involves *booting from a clean DOS disc*. One problem with featuritis
in anti-virus software is that it seems to lure users into the belief that
ever more complex a-v technology makes common sense ever less necessary.

For every super-duper anti-virus trick, there's usually a dead-basic way
to achieve the same result. 

Paul

    /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
    \  Paul Ducklin                         duck@nuustak.csir.co.za  /
    /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date:    Mon, 17 May 93 11:48:07 -0400
From:    "Michal Weis or INFI" <WEIS@cc.elf.stuba.cs>
Subject: Re: MtE anti-viruses (PC)

bontchev in VIRUS-L#6-77 writes:

VB> 1) TvClean from the TBAV package
 o.k. I know them, but it has several problems (crash on 30%, fail on 20%,
so remove about 40% (maybe, I haven't tested it a lot)

VB> 2) CPAV 1.4 and MSAV     'sometimes'
 'sometimes' means when not-encrypted? That is so easy (and does not touch
the MtE-encryptor problem)

VB> 3) A German anti-virus product, called AntiVir IV.
 What is it? I've never heard about it. How does it work? (heuristic like
TbClean or ???)
                                            Regards
                                                mike

- - This is not a trick, this is -- _ --------------------------------------
                     ,     _  _  | )   ,
                    /|    / )/ ) |/   /|
                   / |   /  /  / /---' |
                  '   \_/  /  (_/|\     \_/
- -------------------------------- |_) ---- Origin: weis@cc.elf.stuba.cs ---

------------------------------

Date:    Mon, 17 May 93 18:50:20 -0400
From:    Fabio Esquivel <FESQUIVE@ucrvm2.bitnet>
Subject: McAfee's Scan and Compressors (PC)

Yesterday I got a DIETed file internally infected with Dark Avenger,
according to F-Prot 2.08a, but Scan V104 didn't find anything.

Aryeh:  Does McAfee plan to scan inside DIETed files?
        What about other compressors?

I assume that if McAfee's software is PkLited, then it should be able
to scan inside pklited files too, but I don't have PkLite to check it.

Just a doubt 8-,
;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Data SEGMENT PARA PUBLIC
      name DB 'Fabio Esquivel Chacon'    ; That's me... 8^)
       job DB 'Computer Science student' ; But I'll graduate soon
      site DB 'University of Costa Rica' ;
    bitnet DB 'fesquive@ucrvm2.bitnet'   ; Office hours, please.
  internet DB 'fesquive@ucrvm2.ucr.cr'   ;
Data ENDS

------------------------------

Date:    15 May 93 23:50:48 -0300
From:    haymoree@quack.kfu.com (Ed Haymore)
Subject: Re: Viruses which cost $$$ (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
: way". Sorry, but I don't believe that. Just as I don't believe that a
: particular virus exists until I have a copy of it, I won't believe
: that it is possible to destroy hardware (I mean a contemporary,
: working hardware, not ancient buggy one) in software. If anybody wants
: to convince me in the opposite, they must send me a particular program
: that does it. We have enough test systems here, so we'll be able to
: try it. Until I see such a program (and that it actually works), I'll
: continue to claim that hardware damage in software is not possible.

There's a free version of XWindows for the PC called XFree that apparently
is capable of destroying the monitor if you try to exceed the monitor's
specifications.  I.e., contemporary, working VGA monitors.  It hasn't
happened to me, but I'm sure you could find "victims" in comp.os.linux
or comp.windows.x.i386unix .  Or, if you have time on your hands, you
could ftp and install Linux and try it out (it needs 90+ megs of
disk space for the complete installation with X-windows).

There's been a lot of discussion in these groups recently about making
XFree safer.  Nothing resolved, though.

- -- 
Ed Haymore
haymoree@quack.kfu.com

------------------------------

Date:    Mon, 10 May 93 09:36:08 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: F-Prot 2.07 (PC)

 > From: frisk@complex.is (Fridrik Skulason)

 >>found out that F-PROT.EXE was compressed.

 > True.  There are two main reasons:

 >    2) I am trying to make life just a little bit more difficult for
 >       anybody
 >       who might want to try to disassemble my program or subvert it
 >       somehow.
 >       I am not saying it cannot be done...given enough effort, it would
 >       be
 >       possible, but if I stop 95% of the potential attackers, I am
 >       happy.

Hmm. Since, I must say, this is my expertise, I could, if you wanted me to,
go over it, and see what needs to be modified in order for it to be tougher.

Normally, I wouldn't allow it to remain compressed. First, I would extract
it, then I would go through the file, searching for the <possible> CRC-check.
I did that when I was given FastEcho to try. Same story.

You might want to take a look at my article, Anti Debugging Tricks. Most of
them are trivial, but they still delay.

 > In other words - I don't want to have to "skip" version numbers, because
 > somebody released a trojanized version of my program, and I just try to
 > make
 > doing that as difficult as possible.

Basically, if someone wrote a trojan that employs stealth-virus-techniques,
you wouldn't know, would you?

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date:    17 May 93 12:45:03 +0000
From:    kh11@prism.gatech.edu (Ken Hall)
Subject: FORM virus (PC)

We have a small infection of the FORM virus.  Can anybody tell me what
this virus does to an infected machine?  Any other helpful information
would be greatly appreciated.

Ken Hall
- -- 
Ken Hall - Department Manager|Voice: 404 894 5559|Internet:
Ga Tech                      |Beeper:404 651 0362|ken.hall@business.gatech.edu 
Financial Data Technology    |FAX:   404 894 5520

------------------------------

Date:    Tue, 18 May 93 18:08:43 +0000
From:    Graham Thomas Charles Wheeler <wheegr@saturn.wwc.edu>
Subject: Window's Graphics/memory Virus??? (PC)

Has anyone heard of a Windows virus???
Let me describe my problems.

First my system:
  486DX2 EISA 66
  535 Meg HD (10,000+ files, 540+ Dirs )
  Diamond Speed Star 24x

I've never had any DOS problems, but then I don't run DOS apps much, mostly
as tasks under Windows.

Now my system has crashed under Windows consistently when I fire up WP, load
and save a DOC, quit, then fire up Excel, load and save and quit, and then
try to load up WP.  Then my system simply crashes.  If my final step is to
try loading up Excel, it'll sometimes report "insufficient memory, quit other
apps".  & I've got 8 Megs and nothing loaded but win31.  What's the deal???

When it crashes (drops from Windows) or reports insufficient memory (I can drop
from Windows), there is a 'blotch' on my graphics screen in the lower left
quadrant of my screen.  This blotch was in the same place every time until
I swapped my SIMM chips; then it had a different position.

Does this sound like potential virus or just some crappy simms?

Thanks

Graham Wheeler

wheegr@saturn.wwc.edu

------------------------------

Date:    Sun, 02 May 93 07:34:00 +0200
From:    Piet_De_Bondt@f0.n462.z9.virnet.bad.se (Piet De Bondt)
Subject: TBAV v6.01 anti-virus and new signatures uploaded to SIMTEL20 (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:<msdos.virus>
TBAV601.ZIP     TBAV anti-virus software (complete pkg v6.01)
TBAVX601.ZIP    TBAV anti-virus - processor optimized versions
TBSG601A.ZIP    TBAV anti-virus new signatures. Adds to v6.01

Replaces:
pd1:<msdos.virus>
TBAV600.ZIP
TBAVX600.ZIP

Greetings,

Piet de Bondt                   E-mail: bondt@dutiws.twi.tudelft.nl
===================================================================
FTP-Admin for the MSDOS Anti-virus software, @dutiws.twi.tudelft.nl
- --- OD 0.0.1
 * Origin: C.C.C. (9:462/121.0@VirNet)

====> OverDose Gateway Notice <====
Message is actually from bondt@dutiws.TWI.TUDelft.NL
Reply to 9:462/121.0 Internet Gateway with first line of message body being:
TO: bondt@dutiws.TWI.TUDelft.NL

------------------------------

Date:    Sat, 08 May 93 22:51:00 +0200
From:    Fridrik_Skulason@complex.is (Fridrik Skulason)
Subject: FP-208A.ZIP - F-PROT 2.08a: Virus detection/removal software (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:<msdos.virus>
FP-208A.ZIP     F-PROT 2.08a: Virus detection/removal software

This version (2.08a) corrects one significant problem with 2.08 as well
as two minor ones.

 - Version 2.08 was not always able to disinfect boot sector viruses that
   2.07 could handle without problems

 - Not all samples of the Azusa virus were identified properly - some were
   identified as "new or modified variant of Stoned".

 - One false alarm in a file named DOS400.TSG

I apologize for any inconvenience caused by this.

frisk
- - - -
Fridrik Skulason
frisk@complex.is
- --- OD 0.0.1
 * Origin: C.C.C. (9:462/121.0@VirNet)

====> OverDose Gateway Notice <====
Message is actually from frisk@complex.is
Reply to 9:462/121.0 Internet Gateway with first line of message body being:
TO: frisk@complex.is

------------------------------

Date:    Tue, 18 May 93 13:04:00 -0400
From:    James Ford <JFORD@UA1VM.UA.EDU>
Subject: New files on risc (PC)

Several files have been placed on risc.ua.edu (130.160.4.7) for anonymous
FTP in the directory /pub/ibm-antivirus.  They are:

                McAfee's *104 files (scanv104, clean104, etc)
                fp-208a.zip  - FProt v2.08a
                tbav602.ZIP   Thunderbyte Antivirus utilities
                tbavx602.ZIP
                tbavu602.ZIP

Below is a brief description of the Thunderbyte files.

- ---------------------------------------------------------------
I've uploaded yet another new version of TBAV; this to replace
the previous *601 version (including the intermediate TBSG601A,
for which a new .SIG is included in the new *602 .zips). This
time there is again a small "upgrade" file:
///
To minimize download costs there will also be upgrade archives
which contain files that have been changed since the previous
official release. They will have a 'U' in their name:  TBAVUxxx.ZIP.
\\\
I haven't really checked into this upgrade thing, although a
quick compare showed that some more files have changed than were
included in it ... tbcheck/tbclean/tbdisk/tbdriver among them ...
now these may be minor/cosmetic changes only, but I think I'd
prefer the full version myself (except perhaps at 2400bps speed).
- ------------------------------------------------------------------

Sorry it took so long to get the McAfee files updated........
- ----------
Absence makes the heart go wander.
- ----------
James Ford -  Consultant II, Seebeck Computer Center
              The University of Alabama (in Tuscaloosa, Alabama)
              jford@ua1vm.ua.edu, jford@seebeck.ua.edu
              Work (205)348-3968  fax (205)348-3993

------------------------------

Date:    Mon, 17 May 93 17:16:28 -0400
From:    "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067" <roberts@decus.arc.ab.ca>
Subject: Encryption (CVP)

PRTAVS8.CVP   930517
 
                            Encryption
 
I rather suspect that, by the time I get finished with this, I am going
to agree with Vesselin that there are only three really basic types
of antiviral software.  So let's get one out of the way right off the
top.
 
As I mentioned earlier, the first commercially released antiviral
software was primarily dependent upon encryption.  I suspect that
this is because much of the security "world" is concerned with
confidentiality of data.  The earliest companies to release
commercial antiviral programs likely had strong backgrounds in
mainframe and corporate security systems.  Therefore, they
automatically turned to encryption for an answer to this new
security problem.
 
(I deliberately stress "commercial" here.  A number of good
shareware and even freeware antiviral programs were available as
early as the summer of 1988.  Many of those were far superior to the
commercial products, as evidenced by the fact that some of the
shareware programs still exist while few of the commercial products
do.)
 
As well as the general bias towards encryption of the corporate
security types, there were some indications that encryption might do
a good job.  For one thing, viral programs require a "stable"
computing environment as much as any other program: perhaps more so. 
Any change to the environment might stop a virus from functioning
properly.  The primary expectation was that if all programs were run
through a decrypting filter before control was passed to them, then
any virus that did attach to them would be "decrypted" into garbage
at best, and therefore the worst that could happen was that an
infected program would fail, rather than causing further infections.
 
This theory still gets voiced from time to time.  The most recent
version of it is to use PKLite, or other programs which create
"compressed executables", to protect your programs.
 
Unfortunately, there are a number of problems with the theory.  For
one thing, it doesn't address the issue of boot sector infectors,
generally the most successful of all viri.  For another, if an
infection is "allowed" into the system, it is possible for it to use
the encryption mechanism itself in order to infect the encrypted
files.  Also, if an infected file is introduced into the system and
encrypted, it may escape detection by other means, such as signature
scanners.  ("Compressed executables", for example, may be infected
either "internally" or "externally": internal infections may be very
difficult to detect.)  Finally, encryption adds another layer of
operation to the system, with all of the attendant problems of
computer speed and power, as well as the possibilities of conflicts
and crashes.
 
copyright Robert M. Slade, 1993   PRTAVS8.CVP   930517

==============
Vancouver      ROBERTS@decus.ca         | "My son, beware ... of the
Institute for  Robert_Slade@sfu.ca      |  making of books there is
Research into  rslade@cue.bc.ca         |  no end, and much study is
User           p1@CyberStore.ca         |  a weariness of the flesh."
Security       Canada V7K 2G6           |          Ecclesiastes 12:12
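
The column's argument about encryption as an antiviral measure, as an added
example that is not part of the digest or of Rob Slade's column: a toy model
in which every stored program is run through a decrypting filter before
"control is passed to it".  The host program, the appended code, the marker
string and the XOR stream cipher are all constructed stand-ins (the cipher is
deliberately a toy keyed from SHA-256, not something to reuse).  It shows the
case the theory was built for (code appended after encryption decrypts into
garbage) beside the failure mode the column names (an infection that goes
through the encryption mechanism itself arrives intact, and the stored file
carries no plaintext signature for a scanner to find).  Going slightly beyond
the column, it also shows that a change-detection baseline over the stored
file flags both cases, since it compares against the clean encrypted image
rather than looking for a known string.

```python
"""Toy model of the 'encrypt every executable' antiviral theory.

Added example, not from the digest.  The host program, the appended code,
the marker and the cipher are constructed stand-ins for illustration only.
"""
import hashlib
import zlib

# --- constructed sample data (not a real program, not real malware) ---
HOST_PROGRAM = b"HOST: legitimate program body, does useful work\n"
MARKER = b"INFECT-MARKER"  # what a signature scanner would look for
APPENDED_CODE = MARKER + b": stand-in for code a file infector appends\n"
KEY = b"constructed-demo-key"


def keystream(key: bytes, n: int) -> bytes:
    """Expand a key into n bytes with SHA-256 in counter mode (toy only)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric XOR stream cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def run_through_decrypting_filter(stored: bytes, key: bytes) -> bytes:
    """The 'decrypting filter' the column describes: decrypt the whole stored
    image before control would be passed to it."""
    return xor_crypt(stored, key)


def signature_scan(stored: bytes) -> bool:
    """A signature scanner looks at the file as it sits on disk."""
    return MARKER in stored


def integrity_changed(stored: bytes, key: bytes) -> bool:
    """Change detection: compare the stored image against a baseline CRC of the
    clean encrypted program.  No knowledge of any particular signature needed."""
    baseline = zlib.crc32(xor_crypt(HOST_PROGRAM, key))
    return zlib.crc32(stored) != baseline


def _report(stored: bytes, key: bytes) -> dict:
    loaded = run_through_decrypting_filter(stored, key)
    tail = loaded[len(HOST_PROGRAM):]
    return {
        "host_intact": loaded.startswith(HOST_PROGRAM),
        "appended_code_survives": tail == APPENDED_CODE,
        "scanner_detects": signature_scan(stored),
        "integrity_changed": integrity_changed(stored, key),
    }


def external_infection(key: bytes) -> dict:
    """The case the theory covers: code is appended to the already-encrypted
    file by something unaware of the encryption layer.  The filter decrypts the
    tail along with the rest, turning the appended code into garbage; the
    marker is still in the clear on disk, so a scanner sees it."""
    stored = xor_crypt(HOST_PROGRAM, key) + APPENDED_CODE
    return _report(stored, key)


def internal_infection(key: bytes) -> dict:
    """The failure mode the column points out: the infection goes through the
    encryption mechanism itself (modify, then encrypt).  It decrypts intact,
    and the stored image holds no plaintext marker for a scanner."""
    stored = xor_crypt(HOST_PROGRAM + APPENDED_CODE, key)
    return _report(stored, key)


if __name__ == "__main__":
    print("external:", external_infection(KEY))
    print("internal:", internal_infection(KEY))
```

In the external case the report shows the host intact, the appended code
not surviving decryption, and the scanner firing; in the internal case the
appended code survives and the scanner is blind, while the integrity check
fires in both, which is the "other means" the column alludes to.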

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 80]
*****************************************
