To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #97
--------
VIRUS-L Digest   Thursday, 24 Jun 1993    Volume 6 : Issue 97

Today's Topics:

Re: Computer Crimes Unit: Scotland Yard
Information
Re: Computer Crimes Unit: Scotland Yard
Re: UNIX viruses (UNIX)
Parity Check Virus outbreak (PC)
Comments on Exvira requested (PC)
missed samples in F-Prot 2.08 (PC)
Where are the newest NAV virus definitions? (PC)
MSDOS 6 Vsafe False Reports (PC)
STONE VIRUS: Need cleanup software (PC)
Reading the volume serial number from a disk (PC)
Virus that effects CHKDSK? (PC)
f-prot updates (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 22 Jun 93 09:19:08 -0400
From:    Garry J Scobie Ext 3360 <GSCOBIE@ml0.ucs.edinburgh.ac.uk>
Subject: Re: Computer Crimes Unit: Scotland Yard

> Date:    Mon, 14 Jun 93 13:40:49 -0400
> From:    duck@nuustak.csir.co.za
> Subject: Re: Computer Crimes Unit: Scotland Yard
> 
> Thus spake S.M.Baines@sheffield.ac.uk:
> 
> >           It could help if with Anti Virus software there was a
> >mention of it in the documentation, and a DOS text file that can be
> >printed for the report form. If they made it clear that reports are
> >dealt with in strictest confidence, and that it can all help to build
> >up a case against people if they are ever caught, and that it IS a
> >crime that has been perpetrated against them, then maybe reports 
> >may be more frequently made.

The VIS Utilities written by Jim Bates have included just such a form
as an ASCII text file for some time now. The docs for the program also
highlight the issues you have raised.

Cheers

Garry Scobie LAN Support Officer, Edinburgh University Computing 
Services, Scotland e-mail: g.j.scobie@ed.ac.uk

------------------------------

Date:    Wed, 23 Jun 93 06:40:53 -0400
From:    M.Shaffer@city.ac.uk
Subject: Information

I was wondering if you have any other virus information, FAQ etc. that you
can send me, and also any other mailing lists that have virus forums etc.

With thanks in advance

Marc Shaffer
============
				The Computer Unit
				City University Business School
(aka hotc - Monochrome)		Frobisher Crescent
				Barbican Centre
| |   sd389@city.ac.uk		London		Tel: 071 477 8187
|-|   hotc@cs.city.ac.uk	EC2Y 8HB	Fax: 071 477 8880
|0|-C -----------------------------------------------------------

------------------------------

Date:    Wed, 23 Jun 93 08:05:30 -0400
From:    Olivier MJ Crepin-Leblond <o.crepin-leblond@ic.ac.uk>
Subject: Re: Computer Crimes Unit: Scotland Yard

S.M.Baines@sheffield.ac.uk says:

>           It could help if with Anti Virus software there was a
>mention of it in the documentation, and a DOS text file that can be
>printed for the report form. If they made it clear that reports are
>dealt with in strictest confidence, and that it can all help to build
>up a case against people if they are ever caught, and that it IS a
>crime that has been perpetrated against them, then maybe reports may
>be more frequently made. Also, it may be worthwhile from time to time
>to put an advert in some of the computer press with details of what
>to do if you are infected and want to report it. What does anyone
>else think about this for an idea?

Yes, it would be very helpful. There is only one problem though:
Scotland Yard's Computer Crime Unit is heavily understaffed (last I
heard, they were only 5 people!) and heavily overworked already.
They have to collect much of the evidence to be brought forward in the
future trials of hackers that will take place soon. Because you have
to remember that they not only deal with Viruses, but also with any
other malicious use of computers.

If they had e-mail, can you imagine the flood of messages they'd get
per day? I think that they will first have to expand before
considering having a connection to the net. If they advertised in
magazines, can you imagine the flood of calls they'd get? (I'm told
that their lines seem to be always engaged anyway already...)

In short: they'll have to expand before offering such services.
Unfortunately, a lot of people that decide where the money is spent
believe that this computer crime is all too new, and that they have
time to implement something later. The idea is great, but the money
just isn't there.

- -- 
Olivier M.J. Crepin-Leblond, Digital Comms. Section, Elec. Eng. Department
 Imperial College of Science, Technology and Medicine, London SW7 2BT, UK
       Internet/Bitnet: <foobar@ic.ac.uk> - Janet: <foobar@uk.ac.ic>

------------------------------

Date:    Wed, 23 Jun 93 20:53:35 -0400
From:    radatti@cyber.com (Pete Radatti)
Subject: Re: UNIX viruses (UNIX)

>one of my colleagues in Texas telling me that there is no such thing
>as a UNIX virus because UNIX programmers have better things to do.
>True or not?

I like this explanation!  Your colleague must not subscribe to Hobbs.
There are some viruses that directly attack Unix systems, however I
wouldn't worry about them.  They are still rare in the wild.  If you
use a Unix system that can execute MSDOS programs or you are using
the Liken Mac emulator then you may want to take precautions against
these types.

Pete Radatti

------------------------------

Date:    Tue, 22 Jun 93 08:37:10 -0400
From:    Martin Zejma <8326442@awiwuw11.bitnet>
Subject: Parity Check Virus outbreak (PC)

Dear researchers and non-researchers !

Last week I detected a new virus at our university. Several PCs
dedicated for students' use were infected. To my knowledge no damage
beside the usual time costs occurred. Scan V 104 detected the
virus as Part B, f-prot 2.08 as Parity Check virus.  Clean was able to
remove the virus (as I'm not a member of the staff, the choice of
reaction wasn't within my competence; I'd prefer just FDISK /MBR).
The old-fashioned 3-byte check was the clue to the detection: CHKDSK
with a resulting memory size lower than 655360, and I already got
suspicious (yes, I know that many BIOSes allow an extra stack space or
so at TOM, but who uses this feature?). The pure blue machines are
rare at our site, they

Technical details:
Parity is a BSI; it infects MBRs and floppies. Infection occurs when
an uninfected boot record is read, if I disassembled correctly, on
all accessed disks (also 2nd drives). The keyboard int is also
trapped; via a random byte the computer may be halted, with 'PARITY
CHECK' in 40*25 b/w on the screen.  A warm boot is also simulated by
the virus, remaining resident. An attempt to read the MBR is trapped
and the original MBR is returned.

The only thing remarkable is the way it goes TSR, it just uses 5
commands, then forcing a reboot (get int 13h / int 09h, dec mem, copy
to TOM, set int 13h, reboot calling int 19h). The trapped int 13h then
redirects the read of the infected MBR to the original one, and the
system comes up.

                                                   Regards, Martin

+-----------------------------------------------------------------------+
| Martin Zejma                                  8326442@AWIWUW11.BITNET |
|                                            Martin.Zejma@wu-wien.ac.at |
|                                                                       |
| Wirtschaftsuniversitaet Wien  ---   Univ. of Economics Vienna/Austria |
+-----------------------------------------------------------------------+
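The memory-size check Martin describes above, as an added example (editor's code, not part of Martin's post): a resident boot-sector virus that copies itself to the top of memory first lowers the BIOS memory-size word, so CHKDSK reports fewer than 655360 total bytes. The CHKDSK output below is constructed, the 1 KB tolerance for BIOSes that reserve a little space at TOM is an assumption, and the check is only a hint: the post also says the virus stealths MBR reads, so confirm with a scanner after a clean boot from a write-protected floppy.

```python
import re

FULL_CONVENTIONAL = 655360        # 640 KiB: what a clean 640K machine reports
# Assumption: allow 1 KB for BIOSes that park an extended data area at TOM,
# the "extra stack space or so" the post mentions.
BIOS_RESERVE_TOLERANCE_KB = 1

# Constructed CHKDSK-style output; not captured from a real machine.
CLEAN_REPORT = """\
 Volume STUDENT     created 03-01-1993 9:15a

  42366976 bytes total disk space
    655360 total bytes memory
    590112 bytes free
"""

INFECTED_REPORT = """\
 Volume STUDENT     created 03-01-1993 9:15a

  42366976 bytes total disk space
    653312 total bytes memory
    588064 bytes free
"""

_TOTAL_RE = re.compile(r"^\s*(\d+)\s+total bytes memory\s*$", re.MULTILINE)


def total_memory_bytes(report: str) -> int:
    """Pull the 'total bytes memory' figure out of CHKDSK's text output."""
    match = _TOTAL_RE.search(report)
    if match is None:
        raise ValueError("no 'total bytes memory' line in CHKDSK output")
    return int(match.group(1))


def bda_memory_bytes(kb_word: int) -> int:
    """Convert the BIOS data area memory-size word (0040:0013, in KB) to bytes.
    This word is what a resident boot-sector virus decrements before copying
    itself to the top of memory, and what CHKDSK ultimately reports."""
    return kb_word * 1024


def memory_shortfall_kb(total_bytes: int) -> int:
    """Whole kilobytes missing from the expected 640K."""
    return (FULL_CONVENTIONAL - total_bytes) // 1024


def classify(total_bytes: int) -> str:
    """'ok', 'ambiguous' (within the BIOS tolerance) or 'suspicious'."""
    short = memory_shortfall_kb(total_bytes)
    if short <= 0:
        return "ok"
    if short <= BIOS_RESERVE_TOLERANCE_KB:
        return "ambiguous"   # possibly a BIOS reservation; compare against a clean boot
    return "suspicious"


if __name__ == "__main__":
    for name, report in (("clean", CLEAN_REPORT), ("infected", INFECTED_REPORT)):
        total = total_memory_bytes(report)
        print(f"{name}: {total} bytes, {memory_shortfall_kb(total)} KB short -> {classify(total)}")
```

The same logic applies to the raw BIOS word: a clean 640K machine holds 0x280 (640) at 0040:0013, and `bda_memory_bytes(639)` already lands in the ambiguous band. A shortfall of more than the tolerance on a machine whose clean baseline you know is the signal worth acting on.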

------------------------------

Date:    Tue, 22 Jun 93 08:55:08 -0400
From:    Martin Zejma <8326442@awiwuw11.bitnet>
Subject: Comments on Exvira requested (PC)

Hello world !

A friend of mine got the offer to act as distributor in Austria for an
antivirus solution implemented in hardware. It is called Exvira, is
developed and produced in the former German Democratic Republic, now
part of Federal Germany. As far as I've read about this card, it traps
the write line of the HD-controller cable, keeps the names of the
protected files stored in its own memory and alarms the user if a
write attempt is made to them. It also stores the MBR / BR and
prevents any change of them. Disks and files can only be copied using
a special copy service (right after booting), trying to prevent slow
infectors, too. The only hole in the protection I can right now
imagine are companion and path companion viruses, and maybe
FAT-infectors like Dir II (please no flames 'bout that, I know that it
doesn't infect the FAT itself ...).  I can imagine that the restricted
copying may be a major inconvenience, but except this:

Has anybody already used or tested this antivirus card ?
Are there any other obvious security holes ?

Please feel free to answer, via e-mail or the discussion list.
                                                Regards, Martin

+-----------------------------------------------------------------------+
| Martin Zejma                                  8326442@AWIWUW11.BITNET |
|                                            Martin.Zejma@wu-wien.ac.at |
|                                                                       |
| Wirtschaftsuniversitaet Wien  ---   Univ. of Economics Vienna/Austria |
+-----------------------------------------------------------------------+
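The companion-virus hole Martin raises, as an added example (editor's code, not part of the post and not anything from the Exvira product): DOS resolves a bare command by searching the current directory and then each PATH directory in order, trying .COM, then .EXE, then .BAT in each. A card that protects CHKDSK.EXE by name never sees a write to that file; an unprotected CHKDSK.COM beside it, or a CHKDSK.EXE in a directory searched earlier, simply wins the lookup. The directory listings, PATH and protected list below are constructed.

```python
from typing import Dict, Iterable, Optional, Set

# DOS tries these extensions, in this order, in each directory it searches.
EXTENSION_ORDER = (".COM", ".EXE", ".BAT")


def _join(directory: str, filename: str) -> str:
    return directory.upper().rstrip("\\") + "\\" + filename


def resolve_command(command: str, cwd: str, path: Iterable[str],
                    files: Dict[str, Set[str]]) -> Optional[str]:
    """Return the file DOS would execute for a bare command, or None.

    Search order: the current directory, then each PATH entry; within a
    directory .COM beats .EXE, which beats .BAT.
    """
    name = command.upper()
    for directory in [cwd, *path]:
        entries = files.get(directory.upper(), set())
        for ext in EXTENSION_ORDER:
            candidate = name + ext
            if candidate in entries:
                return _join(directory, candidate)
    return None


def companion_bypasses_protection(command, cwd, path, files, protected) -> bool:
    """True when the file that actually runs is not on the protected list,
    i.e. the protected file was never written to and the card never fired."""
    target = resolve_command(command, cwd, path, files)
    return target is not None and target not in {p.upper() for p in protected}


# Constructed directory listings (uppercase keys); not a real machine.
PATH = ["C:\\UTIL", "C:\\DOS"]
PROTECTED = {"C:\\DOS\\CHKDSK.EXE", "C:\\DOS\\COMMAND.COM"}

CLEAN_FS = {
    "C:\\": {"AUTOEXEC.BAT", "CONFIG.SYS"},
    "C:\\UTIL": set(),
    "C:\\DOS": {"CHKDSK.EXE", "COMMAND.COM"},
}

# Classic companion: an unprotected CHKDSK.COM dropped beside the protected EXE.
COMPANION_FS = {k: set(v) for k, v in CLEAN_FS.items()}
COMPANION_FS["C:\\DOS"].add("CHKDSK.COM")

# Path companion: a CHKDSK.EXE placed in a directory searched before C:\DOS.
PATH_COMPANION_FS = {k: set(v) for k, v in CLEAN_FS.items()}
PATH_COMPANION_FS["C:\\UTIL"].add("CHKDSK.EXE")


if __name__ == "__main__":
    for label, fs in (("clean", CLEAN_FS), ("companion", COMPANION_FS),
                      ("path companion", PATH_COMPANION_FS)):
        target = resolve_command("chkdsk", "C:\\", PATH, fs)
        bypass = companion_bypasses_protection("chkdsk", "C:\\", PATH, fs, PROTECTED)
        print(f"{label:15s} -> {target}  bypasses protected list: {bypass}")
```

The defensive consequence is that a name-based write-protect list has to be complemented by an inventory of what is new on the disk (a fresh .COM next to every .EXE is a loud signal), because the protected files themselves stay byte-for-byte intact.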

------------------------------

Date:    Tue, 22 Jun 93 12:11:28 -0400
From:    Martin Zejma <8326442@awiwuw11.bitnet>
Subject: missed samples in F-Prot 2.08 (PC)

Hello Community !

Like the older versions of fprot, the latest one still misses 2 samples
of my not-very-big collection of samples. The important thing is, it
misses them when used in Secure mode; in Quick mode it detects them,
and in Heuristic mode it yells 'A new unknown virus seems to be found,
please inform ...'. The 1st skipped sample is WWT-01, an 'old'
overwriting tiny virus, just about 67 bytes long. The other one is a
newer one, an Enemy / Screaming Fist variant called Stranger
(containing the text 'I'm a stranger in a strange land'). Quick scan
detects it as Enemy, as the other files infected with the same virus.
But among these are a few windows files, not only infected but
damaged, and these are detected in Quick mode (as Enemy) and not at
all in Secure mode. Maybe Frisk uses the filesize from the EXE-header
to compute the position to scan, and because all windows files seem to
contain too small a value as size, the virus overwrites the file and
leaves the windows part unusable. I detected this bug in fprot about a
year ago, have already mentioned it several times to Frisk via e-mail,
but he seems too busy to answer or correct the bug.  So I watched a few
versions of fprot come and go, and now I decided to report to Virus-L,
hoping Frisk or one of his programmers reads this discussion list
more frequently than his own reader files ;).

                                   Regards, Martin

+-----------------------------------------------------------------------+
| Martin Zejma                                  8326442@AWIWUW11.BITNET |
|                                            Martin.Zejma@wu-wien.ac.at |
|                                                                       |
| Wirtschaftsuniversitaet Wien  ---   Univ. of Economics Vienna/Austria |
+-----------------------------------------------------------------------+
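Martin's hypothesis about the EXE header, as an added example (editor's code, not F-Prot's): the MZ header's page count and last-page size describe the DOS program, and in a Windows executable they cover only the DOS stub; the real program begins at the offset stored at 0x3C (an 'NE' header for Windows 3.x). A scanner that trusts the MZ size fields to decide where the file ends therefore stops short of the Windows part, which is where an appending or overwriting infector may have landed. The sample images below are constructed and do not represent any real program or virus.

```python
import struct

MZ_HEADER_LEN = 0x40   # enough to reach e_lfanew at 0x3C


def parse_mz(data: bytes) -> dict:
    """Decode the MZ header fields a scanner might use to locate code."""
    if len(data) < MZ_HEADER_LEN or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (e_cblp, e_cp, _e_crlc, e_cparhdr, _minalloc, _maxalloc,
     _e_ss, _e_sp, _e_csum, e_ip, e_cs) = struct.unpack_from("<11H", data, 2)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]

    header_size = e_cparhdr * 16
    # e_cp pages of 512 bytes, the last one holding e_cblp bytes (0 = full page).
    declared_size = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    entry_offset = header_size + ((e_cs * 16 + e_ip) & 0xFFFFF)

    new_header = None
    if 0x40 <= e_lfanew <= len(data) - 2:
        sig = data[e_lfanew:e_lfanew + 2]
        if sig in (b"NE", b"PE", b"LE", b"LX"):
            new_header = sig.decode("ascii")

    return {
        "header_size": header_size,
        "declared_size": declared_size,     # what the MZ fields admit to
        "actual_size": len(data),
        "entry_offset": entry_offset,       # DOS entry point, file offset
        "new_header": new_header,
        "new_header_offset": e_lfanew if new_header else None,
    }


def bytes_beyond_declared(info: dict) -> int:
    """How much of the file a header-trusting scanner would never look at."""
    return max(0, info["actual_size"] - info["declared_size"])


def classify_exe(data: bytes) -> str:
    info = parse_mz(data)
    if info["declared_size"] > info["actual_size"]:
        return "truncated"          # header promises bytes the file does not have
    if info["new_header"] == "NE":
        return "windows-ne"
    if info["new_header"] == "PE":
        return "windows-pe"
    return "dos"


def _make_mz(body: bytes, declared_total: int, e_lfanew: int = 0) -> bytes:
    """Build a constructed MZ image: 4-paragraph header followed by body."""
    hdr = bytearray(MZ_HEADER_LEN)
    e_cblp, e_cp = declared_total % 512, (declared_total + 511) // 512
    struct.pack_into("<2s11H", hdr, 0, b"MZ", e_cblp, e_cp, 0, 4, 0, 0xFFFF,
                     0, 0x100, 0, 0, 0)
    struct.pack_into("<H", hdr, 0x18, 0x40 if e_lfanew else 0x1E)  # e_lfarlc
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr) + body


# Constructed samples, not real programs.
DOS_SAMPLE = _make_mz(b"\x90" * 100, declared_total=0x40 + 100)

_STUB = b"\xCD\x20" + b"\x90" * 190                 # 192-byte DOS stub ends at 0x100
_NE_PART = b"NE" + bytes(62) + b"\xC3" * 500        # NE header + segment data
WIN_SAMPLE = _make_mz(_STUB + _NE_PART, declared_total=0x100, e_lfanew=0x100)

TRUNCATED_SAMPLE = DOS_SAMPLE[:120]


if __name__ == "__main__":
    for name, img in (("dos", DOS_SAMPLE), ("windows", WIN_SAMPLE),
                      ("truncated", TRUNCATED_SAMPLE)):
        info = parse_mz(img)
        print(f"{name:9s} {classify_exe(img):11s} declared={info['declared_size']:4d} "
              f"actual={info['actual_size']:4d} unscanned={bytes_beyond_declared(info)}")
```

For the Windows sample the MZ fields say 256 bytes while the file is 820 bytes long, so 564 bytes sit outside the region a header-trusting scan would cover; a scanner has to follow e_lfanew (when e_lfarlc is 0x40 and a valid signature is there) and scan the new-format segments as well.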

------------------------------

Date:    22 Jun 93 20:51:34 -0300
From:    01lucas@ac.dal.ca
Subject: Where are the newest NAV virus definitions? (PC)

Basically, I want to know where I can find the newest virus
definitions for Norton Antivirus.  I used to get them from Compuserve,
but it costs too much.

Thanks!

Lucas Dambergs
01Lucas@ac.dal.ca
Halifax, Nova Scotia, CANADA

------------------------------

Date:    Wed, 23 Jun 93 08:01:07 -0400
From:    q8520533@helios.usq.edu.au (kevin davies)
Subject: MSDOS 6 Vsafe False Reports (PC)

I have a friend who installed MSDOS 6.0 on his computer and we ended
up with Vsafe giving SCAN 104 false virus detection in the top of 1MB
memory.  When we changed the options in VSafe the virus type changed
as well.  Interesting.... The virus was reported in the 1088 KB region
of memory.

Unfortunately we thought we may have had a partition virus and
Formatted Drive C: . Only later did we realise that the software was
at fault.

My question is has anybody else encountered this problem yet. I am
relatively new to NN and so far have not seen any reports of it...
Maybe you've already covered this ground. In any case could someone
please fill me in.

Thanx
Kevin :-)

------------------------------

Date:    Wed, 23 Jun 93 18:08:14 -0400
From:    bilge@maxim.com (Filippo Morelli)
Subject: STONE VIRUS: Need cleanup software (PC)

I have a 286 PC which has the stone virus on the hard drive.  Does
anyone know of software which is non-windows based which might cleanup
the hard drive. Boy would I appreciate an answer!

Please respond through e-mail. 

Thanx

Filippo
bilge@maxim.com

------------------------------

Date:    Thu, 24 Jun 93 00:00:07 -0400
From:    chowes@sfu.ca (Charles Howes)
Subject: Reading the volume serial number from a disk (PC)

Does anybody know of a DOS call that returns the volume serial number from
a floppy or hard disk?  Or has another way to do it?

Since my program will be written in VBasic, calling INT 25 appears to be out;
the stack is garbled.  INT 13 seems to be the only way, but calculating the
correct numbers seems rather hard.  Can anyone help?

Thanks!

Charles Howes -- chowes@sfu.ca
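For the volume serial number question, as an added example (editor's code, not Charles's): on DOS 4.0 and later the serial number lives in the boot sector's extended BPB, immediately after the 0x29 extended boot signature, at offset 0x27 on FAT12/FAT16 volumes (and at 0x43 on FAT32 volumes, which did not exist yet in 1993 but the parser handles them), and DOS displays it as the high word, a dash, and the low word. The documented call is INT 21h, AX=440Dh, CL=66h (Get Media ID, DOS 4.0+), which fills a buffer with the serial, label and filesystem type; the alternative is to read the boot sector yourself and decode it as below. The boot sectors here are constructed. Since the boot sector is exactly what a boot-sector infector replaces (and, per Martin's Parity Check report above, may stealth on read), check the 55AA signature and the leading JMP before trusting any field.

```python
import struct
from typing import Optional


def make_boot_sector(serial: int, fat32: bool = False,
                     label: bytes = b"NO NAME    ") -> bytes:
    """Construct a plausible FAT boot sector with an extended BPB (DOS 4.0+)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"                # JMP SHORT + NOP over the BPB
    bs[3:11] = b"MSDOS5.0"
    if not fat32:
        # bytes/sector, sectors/cluster, reserved, FATs, root entries,
        # total sectors (16), media, FAT size (16), sectors/track, heads,
        # hidden sectors, total sectors (32)
        struct.pack_into("<HBHBHHBHHHII", bs, 11,
                         512, 4, 1, 2, 512, 0, 0xF8, 64, 32, 2, 0, 65536)
        ext, fstype = 36, b"FAT16   "
    else:
        struct.pack_into("<HBHBHHBHHHII", bs, 11,
                         512, 8, 32, 2, 0, 0, 0xF8, 0, 63, 255, 0, 2097152)
        # FAT size (32), ext flags, version, root cluster, FSInfo, backup boot
        struct.pack_into("<IHHIHH", bs, 36, 2048, 0, 0, 2, 1, 6)
        ext, fstype = 64, b"FAT32   "
    bs[ext], bs[ext + 1], bs[ext + 2] = 0x80, 0, 0x29   # drive, reserved, ext. boot sig
    struct.pack_into("<I", bs, ext + 3, serial)          # 0x27 (FAT16) / 0x43 (FAT32)
    bs[ext + 7:ext + 18] = label
    bs[ext + 18:ext + 26] = fstype
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def parse_volume_info(sector: bytes) -> dict:
    """Read the volume serial, label and FS type out of a FAT boot sector."""
    if len(sector) != 512:
        raise ValueError("boot sector must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature")
    if sector[0] not in (0xEB, 0xE9):
        raise ValueError("first byte is not a JMP; not a DOS boot sector")
    fat_size_16 = struct.unpack_from("<H", sector, 22)[0]
    ext = 64 if fat_size_16 == 0 else 36       # FAT32 has a longer BPB
    if sector[ext + 2] not in (0x28, 0x29):
        raise ValueError("no extended BPB: pre-DOS 4.0 volume, no serial number")
    serial = struct.unpack_from("<I", sector, ext + 3)[0]
    return {
        "kind": "FAT32" if ext == 64 else "FAT12/16",
        "serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",   # as DIR shows it
        "serial_raw": serial,
        "label": sector[ext + 7:ext + 18].decode("ascii", "replace").rstrip(),
        "fstype": sector[ext + 18:ext + 26].decode("ascii", "replace").rstrip(),
    }


def volume_serial(sector: bytes) -> Optional[str]:
    """DOS-style XXXX-XXXX serial, or None if the sector carries none."""
    try:
        return parse_volume_info(sector)["serial"]
    except ValueError:
        return None


if __name__ == "__main__":
    print(parse_volume_info(make_boot_sector(0x12345678, label=b"STUDENT    ")))
    print(parse_volume_info(make_boot_sector(0xDEADBEEF, fat32=True)))
```

A disk formatted under DOS 3.x has no extended BPB and therefore no serial number at all, which is why the parser refuses rather than returning whatever bytes happen to sit at 0x27.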

------------------------------

Date:    Thu, 24 Jun 93 01:28:31 -0400
From:    ebingha@eis.calstate.edu (Eli S Bingham)
Subject: Virus that effects CHKDSK? (PC)

While diagnosing a hardware problem on a friend's computer, I noticed
that when I would run CHKDSK on Monday's (the copy of CHKDSK on his
hard disk), a line of text would pop up before CHKDSK's info screen
that said:

Welcome to the I-Hate-Monday's CHKDSK Disk-Scanning program

Does anyone out there know of a virus that would cause this behavior?
Post a reply or send email to ebingha@eis.calstate.edu.

------------------------------

Date:    Thu, 24 Jun 93 04:32:32 -0400
From:    martin@par.univie.ac.at (Martin Paul)
Subject: f-prot updates (PC)

Hello,

As I don't have the time to test and use more than one virus scanner, I
decided (after reading this group) to use f-prot. I grabbed the newest
(I think) version 208a. But now I have a problem. Every time I start
f-prot or virstop I get the message that the program and the sign.def
(?) file are old versions. They are dated May 15th, I believe.

How does f-prot decide if it is an old version ? Shall I just use the
/OLD switch on the programs ? Is there an update to 208a yet ? Are the
updates to the sign.def announced in comp.virus ?

I have read the FAQ but couldn't find an answer to my problems.

- -- 
Martin Paul

University of Vienna, Austria (EUROPE)
Department for software technology and parallel systems

email: martin@par.univie.ac.at

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 97]
*****************************************
