To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #96
--------
VIRUS-L Digest   Tuesday, 22 Jun 1993    Volume 6 : Issue 96

Today's Topics:

Digital Enterprises $5,000 challenge! $$$ $$$
How do we explain this?
Question of UNIX Viruses (UNIX)
Viruses that cost $$$ (PC)
Misidentification by F-Prot 2.08a (PC)
Viruses that cost $$$ (PC)
How a floppy is accessed (was "DIR" infection) (PC)
Non-FTP Source for F-Prot? (PC)
dual boot (PC)
compromise in PC protection. (was CPAV updates? (PC))
Removal of Whale possible? (PC)
Virus alert (Predator 2) (PC)
New virus in Telemate 4.11 (PC)
Re: Writing virus protection into software (PC)
Filler virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on cert.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 10 Jun 93 12:46:02 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Digital Enterprises $5,000 challenge! $$$ $$$

bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

 >>        The Gaithersburg, Md-based company says virus experts
 >>     have tried unsuccessfully for more than 2 years to defeat
 >>     its V-Card Anti-Virus System.

 > Huh? Any virus experts out there who have spent the last 2 years of
 > their life trying (unsuccessfully, of course) to break that famous
 > V-Card? At least I have not even heard about it. My guess is that it
 > is either breakable (at least in some stretched conditions) or makes
 > the computer it is installed on unusable.

Come on, Vesselin. Do you really believe that paragraph? I mean, for God's 
Sake! Even if you came to Dark Avenger, I am confident he wouldn't waste his 
valuable time and invaluable mind on such a stupid thing...

I believe that 'virus experts' are actually virus samples collected from all 
over the globe, and tested against the alleged defence.

 > Funny, the card seems to protect from the damages; it doesn't seem to
 > try to prevent the viruses from spreading - only from damaging files.
 > Then, why are Trojan horses excluded? If it is possible to write a
 > Trojan horse that would be able to bypass the protection provided by
 > the card, it should be more than trivial to attach it to a simple
 > virus, e.g. a Burger or a Vienna variant.

It is possible, for example, that they assume that all viruses go resident. We 
all know this is not so. Thus, they could immediately disqualify any 
non-resident virus under the classification of a Trojan... Legal stuff :-)

 >>        The company will reward the triumphant hacker with $5000.

 > I am not able to go there and try it, but here are some hints to those
 > who decide to take the challenge:

 > 1) The conditions say that "files must be non-recoverable". They don't
 > specify that the files must be those on the hard disk. In the same

If you connect the card before whatever interface/controller and the drive,
and I've seen cards for both floppy and fixed, you really can't cause any
harm. It would be wise to suspect they protect both. Then again, one can never 
know...

 > 2) In order to make the computer non-bootable, one must damage one of
 > the following: the CMOS, the MBR, the DBS, any of the two hidden DOS

Now THERE's a strong point. The CMOS. This is an interesting idea. I wonder if 
there is an existing card that will, by the selection of the user (probably an 
external switch?), prohibit changes to the CMOS memory.

 > 3) It is possible to change the logical contents of a file by just
 > manipulating the FAT and/or the directory entries. However, a

Here rises the Hardware problem again. If they intercept write commands, you 
really get left with the CMOS option solely.

 > 4) There is a remote possibility that the card requires some kind of
 > TSR program to be present - for instance to display messages, to

I really don't believe that such a card will NOT have a software interface. 
Even Hardware Debugging boards do, and that, as you so smartly noticed, is a 
drawback that must be taken into account.

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210            Fax:   +972-8-403295

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date:    Mon, 21 Jun 93 11:58:13 -0400
From:    dames@claude.ma30.bull.com (David Ames)
Subject: How do we explain this?

I was using McAfee software this weekend to "KILL".  (If I knew who
wrote STONE, YALE and/or FORM I just might have)
 
A not quite poor but not too far from it family bought a PC.  They
tried to get the best for the little money they could spend.  They
know the value of an education.  They got the machine so their kids
can turn in homework at the same level as the kids who have "MONEY".
They plan to use mostly shareware programs.
 
I was giving them the benefits of my 20 years in computers (10 on
PCs).  Was showing them how to use the simple stuff like "CHKDSK".
Only found 635K (expected 640K).  They are a good church going family
so I kept my comments to "OH NOOOOOOO!"
 
On the 15 diskettes they had gotten from friends we found STONE, YALE
and FORM.  How does one explain to kids that some people are so mean
that they cause damage to people they will never meet?
 
I will soon send Mr McAfee a check to cover my friends and myself for
SCAN V 104 and CLEAN V 104 for the next year.  I can afford it but how
do I explain that we have to pay virus insurance?

------------------------------

Date:    Tue, 22 Jun 93 02:43:44 -0400
From:    hqdoxs1@ramstein.af.mil (HQ USAFE/DOXS-TEMPEST;480-7984)
Subject: Question of UNIX Viruses (UNIX)

Hi,
 
I'm new to the group and would like to find out if there have been any
sightings of viruses on any UNIX or UNIX-like platform.  I remember
one of my colleagues in Texas telling me that there is no such thing
as a UNIX virus because UNIX programmers have better things to do.
True or not?
 
I'll take answers directly to me (and post a compilation).  E-mail to:
hqdoxs1@ramstein.af.mil.
 
Thanks.
 
Dennis Hernit (hqdoxs1@ramstein.af.mil)
 
P.S.  If there have been sightings, how were they eradicated/removed?

[Moderator's note: See the Frequently Asked Questions (FAQ) sheet,
question C7); a copy of the FAQ is available by anonymous FTP from
cert.org:/pub/virus-l/FAQ.virus-l or via e-mail by sending an e-mail
message stating "INFO VIRUS-L" to listserv@lehigh.edu.]

------------------------------

Date:    Thu, 10 Jun 93 13:02:04 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Viruses that cost $$$ (PC)

FESQUIVE@ucrvm2.bitnet (Fabio Esquivel) wrote:

 > I just have curiousity in knowing if you are convinced that it is
 > perfectly possible to destroy hardware by software...

Rest assured, it is possible.

You might do that by tampering with monitors' Scan Rate signals. I can
do that by directly negotiating with the IDE interface, and telling it
to do things it wasn't meant to do, or wasn't allowed to.

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210            Fax:   +972-8-403295

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date:    Tue, 08 Jun 93 07:18:01 +0200
From:    Pedro_Lima@f0.n462.z9.virnet.bad.se (Pedro Lima)
Subject: Misidentification by F-Prot 2.08a (PC)

 Hi, Vesselin!

 VB> Your computer is infected with one particular virus, the standard CARO
 VB> name of which is Screaming_Fist.Nu-Way.

 I've been searching for the CARO listing for quite some time now. I
 knew that F-Prot closely follows this naming standard, so I've been
 using it to classify my virus collection, but:

 VB> F-Prot does not distinguish
 VB> between some closely related variants, but only if they can be
 VB> disinfected using one and the same algorithm.

 This is indeed a pity for me, I had noticed this already.

 My question is: How can I correctly classify my collection? How can I
 get a copy of the CARO listing and preferably its periodic upgrades? Is
 there a scanner/combination of scanners that I can use to correctly
 identify a virus strain, according to the CARO standards? I have a lot
 of 'New or modified variant of' and 'Modified (x extra bytes)' samples,
 and I really would like to identify them correctly, if possible.

 FWIW, I can't ftp the CARO listing, I'm only a VirNet/Fido node...

 Thanks in advance for any help,

 Pedro Lima

- --- FMail 0.94
 * Origin: Kaos BBS * Lisboa, Portugal * +351-1-8869085 (9:3511/104.0)

------------------------------

Date:    Mon, 14 Jun 93 09:57:01 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Viruses that cost $$$ (PC)

Malte Eppert writes:

 > I guess that's all :-) What does your program try to do? We had more
 > postulations in the past like this one. But still no one sent any
 > program being able to kill hardware in other ways then described above.
 > You do?

It just so happens that I have a book here called

' ## 1992 DEVICES
  ##
  ## Systems Logic
  ##
  ## Imaging
  ##
  ## Storage ', by Western Digital,

which literally dissects every hardware component by WD.

Just for the sake of the example, in that book, which also covers every
possible way to talk with drives through ports, there is a small part there
that says 'When your drive is in ____, NEVER, but NEVER try to _____'.

That's just an example. If I could afford to try, I would and tell you if it 
worked, but there are other ways to defect a drive. I can personally cause a 
WD IDE drive to cease working, and make him know nothing about who he is, what 
he is and what he is supposed to do.

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210            Fax:   +972-8-403295

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date:    Tue, 15 Jun 93 13:06:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: How a floppy is accessed (was "DIR" infection) (PC)

riordan@tmxmelb.mhs.oz.au (Roger Riordan) writes to Amir Netiv:

 > when I did a DIR, after changing a floppy, the sequence of calls
 > to Int 13 (for DOS 5) was:

 >      Read door status
 >      Read sect 1
 >      Reset drive
 >      Read sects 1, 6, 7, 8, 2, 1, 6, 7, 8, 6, 7, 8, 1

It's Boot-Sector(1), Root-dir(6,7,8), FAT(2),
    Boot-sector(1), Root-dir(6,7,8), Root-dir(6,7,8), Boot-sector(1)

 > "Volume in drive A has no label"
 >      Read door status (Three times!)
 >  "1 file(s), XXX bytes"
 >      Read door status
 >      Read Sect 3
 > "   XXX bytes free."

 > For a second DIR the sequence was simply

 >      Read door status
 >      Read sect 1
 >      Read door status

 > Amir comments one of my statements makes no sense, but
 > if he can give any logical explanation for the sequence above he
 > is doing better than me!

Well, you've got me here, no doubt. The above sequence really doesn't make
too much sense (except here and there some lines). Maybe some of the
repetitions were due to your program in memory, consuming time and causing
the drive to wait??? Anyway I think an attempt to explain the above will
start a long unnecessary debate on the issue, so let's just leave it like
this. However my comment on the sense of things was on the issue of reading
the FAT first, and you've agreed with me after all ;-)

 > My resident scanner VET_RES relies on the fact that DOS will
 > read the boot sector of every new disk.

That's logical. It must read it at least one time on each
new floppy!

 > During testing I observed that if, for example, I accessed a
 > disk, so DOS read the boot sector, and then replaced the boot
 > sector with an infected one, I could do whatever I liked to the
 > disk without the infection being detected.

You got me a little confused here: do you mean that after the floppy is
inside and has been accessed once, you run some program from the disk that
replaces the Boot-Sector?

 > I could list the directory, run programs, edit files, anything
 > I wanted to.
 > I never thought to try DIR, or even realised that I had
 > not. If I had I would have discovered, as Amir evidently has,
 > that for some reason unknown it always reads the boot sector.

If what I think you meant in the previous paragraph is true, then there is no
surprise about that: not every access to the floppy reads the Boot-Sector (if
it did, floppy access would be tiring, as you said about the stone-age). But
some types of floppy access do read it, and such is the DIR command. (BTW,
just to add to the confusion: not always!)

warmly

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

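As an added illustration (not code from Roger's or Amir's posts), the following Python annotates the Int 13h trace quoted above with the FAT structure each sector belongs to, deriving the boundaries from BIOS Parameter Block values instead of by hand. It assumes the trace's sector numbers are 1-based logical sectors of a standard 360K floppy (for which the 1 / 6,7,8 / 2 numbering works out), and it carries a 1.44M layout as well to show the same mapping goes beyond that one case; the trace text is a constructed transcript.

```python
"""Annotate an Int 13h floppy read trace with the FAT structure each sector holds."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class FloppyLayout:
    """The BIOS Parameter Block fields that fix where boot sector, FATs and root dir live."""
    bytes_per_sector: int
    reserved_sectors: int
    fat_count: int
    sectors_per_fat: int
    root_entries: int

    @property
    def root_dir_sectors(self) -> int:
        # each directory entry is 32 bytes; round up to whole sectors
        return (self.root_entries * 32 + self.bytes_per_sector - 1) // self.bytes_per_sector


# Assumed standard layouts (360K matches the sector numbers in the quoted trace).
FLOPPY_360K = FloppyLayout(512, 1, 2, 2, 112)
FLOPPY_1440K = FloppyLayout(512, 1, 2, 9, 224)


def classify(sector: int, layout: FloppyLayout = FLOPPY_360K) -> str:
    """Map a 1-based logical sector number to 'boot', 'FAT1', 'FAT2', 'root' or 'data'."""
    if sector < 1:
        raise ValueError("sector numbers start at 1")
    lsn = sector - 1                       # 0-based logical sector
    if lsn < layout.reserved_sectors:
        return "boot"
    lsn -= layout.reserved_sectors
    for n in range(layout.fat_count):      # FAT copies follow the reserved area back to back
        if lsn < layout.sectors_per_fat:
            return f"FAT{n + 1}"
        lsn -= layout.sectors_per_fat
    if lsn < layout.root_dir_sectors:      # then the fixed-size root directory
        return "root"
    return "data"


def parse_trace(text: str) -> list[int]:
    """Extract sector numbers from 'Read sect N' / 'Read sects a, b, c' lines; other lines are ignored."""
    sectors: list[int] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.lower().startswith("read sect"):
            continue
        _, _, numbers = line.split(None, 2)
        sectors.extend(int(tok) for tok in numbers.replace(",", " ").split())
    return sectors


def annotate(sectors: list[int], layout: FloppyLayout = FLOPPY_360K) -> list[tuple[int, str]]:
    return [(s, classify(s, layout)) for s in sectors]


def reads_boot_sector(sectors: list[int], layout: FloppyLayout = FLOPPY_360K) -> bool:
    """The condition a resident scanner hooked on boot-sector reads depends on: was sector 1 read at all?"""
    return any(classify(s, layout) == "boot" for s in sectors)


# Constructed transcript of the DIR trace quoted in the thread (DOS 5, freshly changed floppy).
DIR_TRACE = """\
Read door status
Read sect 1
Reset drive
Read sects 1, 6, 7, 8, 2, 1, 6, 7, 8, 6, 7, 8, 1
Read door status
Read Sect 3
"""

if __name__ == "__main__":
    for sector, region in annotate(parse_trace(DIR_TRACE)):
        print(f"sector {sector:2d} -> {region}")
```

The trailing "Read Sect 3" that neither poster labelled falls in FAT1 on a 360K disk, which is consistent with DOS fetching the rest of the FAT for the free-space count.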
------------------------------

Date:    Tue, 15 Jun 93 12:55:00 +0200
From:    Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod Kedem)
Subject: Non-FTP Source for F-Prot? (PC)

 > For those of us who don't have ftp access, is there any reliable
 > source to get F-Prot?

F-Prot should be available in all VirNet sites.
Check for a VirNet BBS near you.

     Regards,
     Rudy.

- --- FastEcho/386 B0614/Real! (Beta)
 * Origin: <Rudy's Place - VirNet, Israel> Make Safe Hex! (9:9721/101)

------------------------------

Date:    Tue, 15 Jun 93 12:36:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: dual boot (PC)

A. Padgett Peterson answers on the issue of:
is FDISK /MBR harmful to double-boot partitions
(like OS/2+DOS or Unix+DOS etc...)?

Vesselin claimed it probably safe, I said on the other hand it might not be !!!

Padgett:
 > here I must agree with Vesselin.

 > FDISK/MBR does nothing to a valid partition table and
 > neither "dual boot" method used by OS/2 changes anything else
 > (that I am aware of - hedge 8*).
Maybe in the OS/2 partition's case, but most certainly for many other 
double-boot partitions, definitely! FDISK does not touch the partition table 
block (offset 446 and above of the MBR) but replaces the loader (which 
unfortunately might be the small program that lets you decide which partition 
will boot).

 > OS/2 uses two methods to provide dual boot - if you
 > boot from DOS a DOS program can change the active partition (two byte
 > change to the P-Table) and the same from OS/2. A reboot is then necessary.
 > Alternatively the "active partiton" can point to a selection sector that
 > will continue the boot with a user selection. Neither is a function of
 > the MBR code.
Then again, in the case you've shown here the method used is the one in which 
a program modifies the partition table and reboots the system. In this way you 
always have to boot the whole way to be able to run the selection program 
(obviously you might load it during boot time as your program does, and 
shorten the process), and it involves another full boot. In the other way (the 
one I've mentioned) the same boot process only waits for a second for the 
user to decide which partition to load, without any modification whatsoever to 
the partition table. Read Paul Duckin's (hope I got the name right) 
clarification to my previous article.

I think this is also the best time to say that FDISK /MBR might (usually will) 
destroy password control systems that work on the principle of replacing the 
MBR... Be warned! ;-)

warmly (last few days were 30 deg[c] in the shadow)...

* Amir Netiv. V-CARE Anti Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

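To make the two MBR edits in this thread concrete, here is an added Python model (not code from any poster or from FDISK): one function applies what Amir attributes to FDISK /MBR, replacing bytes 0..445 and leaving the partition table and signature alone, and another applies Padgett's DOS-side active-partition switch, a two-byte change to the table. The sample MBR, the boot-selector stand-in bytes, the generic-loader stand-in bytes and the partition geometry are all constructed placeholders, not real loader code.

```python
"""Model of the two MBR edits discussed in the thread: FDISK /MBR and the OS/2 active-partition switch."""
from __future__ import annotations
import struct

MBR_SIZE = 512
PTABLE_OFFSET = 446            # partition table begins here; loader code occupies bytes 0..445
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"        # boot flag, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"


def parse_partition_table(mbr: bytes) -> list[dict]:
    """Decode the four 16-byte entries; refuse anything without the 55AA signature."""
    if len(mbr) != MBR_SIZE or mbr[510:] != SIGNATURE:
        raise ValueError("not a valid MBR (size or signature)")
    table = []
    for i in range(4):
        off = PTABLE_OFFSET + i * ENTRY_SIZE
        boot, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, off)
        table.append({"active": boot == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return table


def set_active(mbr: bytes, index: int) -> bytes:
    """The DOS-side dual-boot method from the thread: flip the boot flags, leave the loader code alone."""
    out = bytearray(mbr)
    for i in range(4):
        out[PTABLE_OFFSET + i * ENTRY_SIZE] = 0x80 if i == index else 0x00
    return bytes(out)


def fdisk_mbr(mbr: bytes, generic_loader: bytes) -> bytes:
    """What the thread attributes to FDISK /MBR: replace bytes 0..445, keep table and signature."""
    if len(generic_loader) > PTABLE_OFFSET:
        raise ValueError("loader code must fit in front of the partition table")
    return generic_loader.ljust(PTABLE_OFFSET, b"\x00") + mbr[PTABLE_OFFSET:]


def loader_survives(before: bytes, after: bytes) -> bool:
    """Check to run against an MBR backup: is the custom loader (boot selector, password prompt) still there?"""
    return before[:PTABLE_OFFSET] == after[:PTABLE_OFFSET]


def changed_bytes(before: bytes, after: bytes) -> int:
    return sum(a != b for a, b in zip(before, after))


def make_entry(active: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are placeholders; only the LBA fields matter for this model
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\xfe\xff\xff", ptype,
                       b"\xfe\xff\xff", lba_start, sectors)


# Constructed sample: stand-in bytes for a boot-selector loader (not real code), a DOS FAT16
# partition (type 06h) marked active, an OS/2 HPFS partition (type 07h), and the stock loader
# stand-in that the FDISK model writes.
SELECTOR_LOADER = b"BOOT-SELECTOR-STUB"
GENERIC_LOADER = b"GENERIC-LOADER-STUB"
SAMPLE_MBR = (SELECTOR_LOADER.ljust(PTABLE_OFFSET, b"\x90")
              + make_entry(True, 0x06, 63, 204_800)
              + make_entry(False, 0x07, 204_863, 409_600)
              + bytes(2 * ENTRY_SIZE)
              + SIGNATURE)

if __name__ == "__main__":
    rewritten = fdisk_mbr(SAMPLE_MBR, GENERIC_LOADER)
    print("table preserved:", parse_partition_table(rewritten) == parse_partition_table(SAMPLE_MBR))
    print("custom loader survives:", loader_survives(SAMPLE_MBR, rewritten))
```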
------------------------------

Date:    Mon, 14 Jun 93 14:32:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: compromise in PC protection. (was CPAV updates? (PC))

Inbar Raz writes:

 > I am not justifying __Safe, but you must make some
 > kind of compromise if you want this kind of on-line
 > protection.
True. Life is one big compromise altogether, but still there are 
compromises and there are COMPROMISES... I mean you don't have to swallow an 
aspirin every hour all your life due to a toothache just to keep your teeth in 
place; sometimes a simple treatment will solve the problem for good. In other 
words: there are MUCH better choices than ?safe to protect your PC and stay 
alive.

?safe is your everyday pill in my opinion. I'd much rather recommend any other 
TSR than this, including Vshield. The reason is that ?safe chains to the timer 
interrupt and performs a periodic test. This is an interesting idea, but also a 
harmful one.

 > Some even go as far as hardware components
 > intercepting the write commands to the drives. This is
 > probably the most efficient protection, but I doubt
 > that the non-expert user knows when a write command is
 > due and when is not.
True again. That is why some "generic" TSRs are more dangerous than others. If 
you choose the wrong answer you sometimes do not know what the result will be.

 > To my opinion, if you keep yourself a rescue diskette
 > with, say, your MBR, Boot Sector and other important
 > stuff, you may as well skip BootSafe,
...
And a frequent backup, and all other things that people usually do not do!
However I was not talking about Bootsafe but rather Tsafe or Vsafe!

 > However, you might want to use TSR
 > such as Vshield, that intercept the execution of
 > infected programs. This WILL slow down your computer,
 > but, like I said, you have to make some kind of
 > compromise.
No it won't! If you chain to int 21h and check programs before they are 
executed (4Bh etc...) it will increase the response time (from request to 
execution) of the program but not the overall performance of the PC.

* Amir Netiv. V-CARE Anti Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Mon, 21 Jun 93 16:28:11 -0400
From:    arm@helix.nih.gov (Andrew Mitz)
Subject: Removal of Whale possible? (PC)

I was just contacted by a friend who has more than one
machine infected with Whale virus.  Is there a standard
removal process, or should she just trash all .exe and
com files that are infected?

- --
- ----------------------------------------------------------------------------
Andrew Mitz, Biomedical Eng., National Institutes  | Opinions are mine alone 
of Health Animal Center, Poolesville, MD          | arm@helix.nih.gov       
- ----------------------------------------------------------------------------

------------------------------

Date:    Mon, 21 Jun 93 23:36:56 -0400
From:    fergp@sytex.com (Paul Ferguson)
Subject: Virus alert (Predator 2) (PC)

Virus Alert:
 
It appears that at least someone within the Phalcon/Skism group has
developed something closely resembling talent.
 
Within the past few days, a couple of new viruses have surfaced which
go far beyond the crude, overwriting viruses normally attributed to
the normal P/S diatribes. Among them, the "Predator 2" virus, is a
semi-stealth, multipartite virus which I can foresee spreading quite
quickly without quick intervention from the antivirus producers.
 
The Predator 2 virus is a memory resident, semi-stealth .EXE and
COM infector, including COMMAND.COM. It easily resets file attributes
and automatically infects COMMAND.COM upon execution, as well as
altering the MBR. The FDISK /MBR option will not eradicate this virus
as it does not re-utilize that particular portion of code. However,
Norton's DISK DOCTOR will notice that the MBR is invalid and write a
generic MBR well enough to eradicate the "jump" code.
 
Both F-PROT v2.08a and ThunderByte Scan v3.06 do not alarm on this
virus in heuristics, however, I'm sure that a revision is in the
works. :-) Additional note: Veldman's TBScan will detect an anomaly if
the -hr switch is used (enable heuristics) after the MBR has been
altered. This can be deceiving, especially when the code altered is so
nominal.
 
While this virus does use a crude encryption mechanism to hide itself,
a preliminary wildcard search string that I've found to identify it
follows. Note: This is purely "stop-gap;" it will work, but it can be
improved upon.
 
"0E 1F BF ? ? ? ? ? B9 BD 04 49 78 08" Predator 2 Virus
 
Each "?" equates one byte.
 
It appears that the virus uses an INT 13h, AX 50FDh as an "are you
there" call. (More later.)
 
Also, the following text is encrypted in infected files:
 
"Predator virus #2  (c) 1993  Priest - Phalcon/Skism"
 
I find this virus an interesting milestone. Whereas crude,
over-writing viruses were normally the grist for the P/S crowd, we are
now seeing a second generation of _real_ viruses that pose _real_
threats. In the past, IMO, the "kit" viruses generally posed little
threat, in this sense.
 
This virus has the potential to spread far and wide, if antivirus
developers do not act quickly enough.
 
Caveat: All detection is based upon checking in a clean environment,
i.e. the altruistic known clean, boot diskette. Otherwise, it'll slip
past you like a slick pig.
 

Paul Ferguson               |  The future is now.
Network Integrator          |  History will tell the tale;
Centreville, Virginia USA   |  We must endure and struggle
fergp@sytex.com             |  to shape it.
 
          Stop the Wiretap (Clipper/Capstone) Chip.

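A wildcard search string like the one in the alert is only useful if the scanner treats each "?" as exactly one byte of any value, so here is an added Python matcher (not code from the poster or from any scanner product) that compiles such a string into a bytes regex and reports hit offsets. The sample buffers are constructed: the fixed bytes with arbitrary filler in the wildcard positions, plus a near miss with one fixed byte altered; they are not virus code.

```python
"""Wildcard hex-signature scanner of the kind the alert's stop-gap search string is written for."""
from __future__ import annotations
import re
from typing import Optional

# The stop-gap search string quoted in the alert; every "?" stands for exactly one byte.
PREDATOR2_SIG = "0E 1F BF ? ? ? ? ? B9 BD 04 49 78 08"


def parse_signature(text: str) -> list[Optional[int]]:
    """Turn 'XX ? XX' tokens into byte values, with None for a single-byte wildcard."""
    out: list[Optional[int]] = []
    for tok in text.split():
        if tok == "?":
            out.append(None)
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad signature token {tok!r}")
    return out


def compile_signature(text: str) -> re.Pattern[bytes]:
    """Build a bytes regex: fixed bytes are escaped literals, '?' becomes '.' (DOTALL so 0x0A matches too)."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in parse_signature(text)]
    return re.compile(b"".join(parts), re.DOTALL)


def find_matches(buf: bytes, sig: re.Pattern[bytes]) -> list[int]:
    """Offsets of every occurrence of the signature in buf."""
    return [m.start() for m in sig.finditer(buf)]


def scan_files(files: dict[str, bytes], sig: re.Pattern[bytes]) -> dict[str, list[int]]:
    """Like a scanner pass over a directory: name -> hit offsets, listing only files that hit."""
    return {name: hits for name, data in files.items() if (hits := find_matches(data, sig))}


# Constructed test data: the fixed bytes with arbitrary filler in the wildcard positions (one of
# them 0x0A, to show the wildcard must match a newline byte too), and a near miss with one fixed
# byte changed, which a correct matcher must not report.
HIT_SAMPLE = (b"\x90" * 40
              + bytes.fromhex("0E1FBF") + b"\x12\x34\x56\x78\x0A" + bytes.fromhex("B9BD04497808")
              + b"\xCC" * 20)
NEAR_MISS = HIT_SAMPLE.replace(bytes.fromhex("B9BD04"), bytes.fromhex("B8BD04"))

if __name__ == "__main__":
    sig = compile_signature(PREDATOR2_SIG)
    print(scan_files({"hit.com": HIT_SAMPLE, "clean.com": NEAR_MISS}, sig))
```

As the alert says, the string is a stop-gap: a signature this short should be checked against a clean software collection for false positives before it is relied on, and, per the caveat above, only from a clean boot.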
------------------------------

Date:    Tue, 22 Jun 93 02:55:51 -0400
From:    Tapio Keihänen <tapio@nic.funet.fi>
Subject: New virus in Telemate 4.11 (PC)

New version of the terminal program Telemate was released last
week. The last of the distribution zips, TM411-4.ZIP, contained
a new virus. The virus had infected two files, 37VESA.COM and
67VESA.COM included in a self-extracting VESA.EXE lha archive.
 
Virus is 302 bytes long and uses direct-action methods. It only
infects files in the current directory. Virus contains a string
"Goddamn Butterflies". SCAN 105 and F-PROT 2.08 do not normally
detect this virus, but F-PROT can detect it in Heuristic and
Quick scan modes.

Since this infected Telemate has been distributed world-wide, this
virus is definitely in the wild now.

- -- 
Tapio Keihanen - tapio@nic.funet.fi - PGP public key available by finger
"It's always a mystery, not what it seems to be." -Ronnie James Dio 1984

------------------------------

Date:    Tue, 22 Jun 93 05:49:32 -0400
From:    v922340@lennep.si.hhs.nl (Snaaijer)
Subject: Re: Writing virus protection into software (PC)

vacante@CS.ColoState.EDU (robert chris vacante) writes:
|> I am in the process of writing a piece of utility software for the pc,
|> and would like to include automatic virus scanning whenever an
|> operation requiring a complete read of a diskette is performed. (ie
|> disk copy etc.)  Is there a library which I can link into my code? Has
|> anybody out there done anything similar? If I must write the whole
|> thing, where do I begin?  Can I legally use somebody elses virus
|> definition library?

The best way for me is a program in which you can use your own
scanner, e.g. a configuration file that states which scanner to
activate.

#VirusScanner
c:\av\tbscan hr lo %%filename
^^^^^^^^^^^^ ^^|^^ ^^^^^^^^^^
the scanner    |   an identifier of your program.
             options

or any other scanner that can be used interactively (F-prot, Scan ... )

|> Any help would be greatly appreciated.

Hope So.

|> Robert
Ivar.

- -----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
- -- 
E-mail : v922340@si.hhs.nl    ... i can't help it, i'm born this way ...
- -----------------------------------------------------------------------------

------------------------------

Date:    Tue, 22 Jun 93 00:03:24 -0400
From:    WBWQC%CUNYVM.BITNET@mitvma.mit.edu
Subject: Filler virus (PC)

McAfee v105, SCANning hi, reports the [Filler] virus.  Several commercial
and shareware cleaners don't seem to clean it out of our 386s.  One of our
technicians reports that only m-disk could do it, but m-disk is still not
usable on MSDOS higher than v4.01 (we use DOS 5.0).  Does anyone have any
experience with Filler?  Thanks in advance.
wbwqc@cunyvm.bitnet

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 96]
*****************************************
