To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #99
--------
VIRUS-L Digest   Wednesday, 30 Jun 1993    Volume 6 : Issue 99

Today's Topics:

Looking for VirNet information
Re: More fun and games from Central Point....
FORM Virus (PC)
Monkey Virus info (PC)
Bad advice from MSAV (PC)
Re: Integrity Master 1.51b for the archives (PC)
HELP.. my B: drive is dead ??? (PC)
ANSI bombs prevention/ Summer '93 "2600" article (PC)
keyboard locked up (PC)
Anti-Virus Techniques and direct Port Writes (PC)
F-prot false idetification (PC)
Tremor (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Sun, 27 Jun 93 16:55:47 -0400
From:    hans@CAM.ORG (Jean-Francois Vaillancourt)
Subject: Looking for VirNet information

I have been looking without success for information about VirNet. Of
specific interest are how one goes about becoming a node, and the
file distribution system.
 
Thanks,
 
Jean-Francois Vaillancourt
hans@cam.org
Fido 1:167/109 [Stat! Medical BBS]

------------------------------

Date:    Tue, 29 Jun 93 07:31:20 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: More fun and games from Central Point....

From:    gary@sci34hub.sci.com (Gary Heston)

>  I wonder if Ms. Case realizes that this would make it illegal for
>a person to send them a sample ("intentionally distributing") of
>an infected program for analysis (not to mention sending one to
>other companies as well). Not real good for business, IMHO.

A prime example of not seeing the forest for the trees.

This type of reasoning is why I left the PC-Virus Research Foundation.
I had the viruses that scanners failed to detect, and I had the
address for the company, and the name of the developer. But I wan't
permitted to send viruses to the companies and developers that needed
the specimens because of a non-disclosure agreement with PCVRF.

To me it is extremely funny the PCVRF trusted me with virus specimens,
but didn't trust me enough to send the viruses to the companies that
needed them.

Bill 

------------------------------

Date:    Sun, 27 Jun 93 18:59:39 -0400
From:    riedrich@socrates.umd.edu (Yves Riedrich)
Subject: FORM Virus (PC)

While using the McAfee virus scanner, I discovered the "form" virus
in my boot sector.

I tried to clean this virus off the hard drive...and got
the message "Virus can not be safely removed from boot sector"

If this has happened to you before or if you have any ideas
how to remove this from my hard drive...please send me e-mail

Thanks in advance     Yves Riedrich

------------------------------

Date:    Mon, 28 Jun 93 00:20:49 -0400
From:    teera@emunix.emich.edu
Subject: Monkey Virus info (PC)

After trying to get some info on monkey virus for a few months, here what I
have recieved from Jeremy.  Thanks again Jeremy.

Note: Killmonk.exe by Martin from U of Alberta will kill the virus
also.  To my knowledge, CPAV 2.0 CANNOT detect or kill it (I have 1.4
with May sig updated and it can't detect it.  CPAV guy who I talked to
said that it isn't in the 2.0 and they still have "time window" left
as it hasn't hit USA hard!  I have been very disappointed to say the
least!

- --------------------------------------------------------------------------
>From jbuhler@owlnet.rice.edu Sat Jun 26 23:13:21 1993

Hi.  I saw you post in comp.sys.ibm.pc.hardware Re: the monkey virus. Here
is the info from Patricia Hoffman's VSUMX304 virus database:

Virus Name:  Monkey
V Status:    Rare
Discovered:  October, 1992
Symptoms:    BSC; master boot sector altered; decrease in total system &
             available free memory; possible diskette directory corruption;
             "Invalid drive specification" on C: drive after boot from
             system diskette
Origin:      Unknown
Eff Length:  N/A
Type Code:   BRtX - Resident Boot Sector & Master Boot Sector Infector
Detection Method:  ViruScan, VET, UTScan, F-Prot, VNet, Sweep 2.43a+,
                   VBuster 3.93+, AVTK 6.04+, NAV 2.1.4+, Vi-Spy
Removal Instructions:  Norton Disk Doctor on hard disk, DOS SYS on system
             diskettes
General Comments:
      The Monkey virus was submitted in October, 1992.  Monkey is a memory
      resident infector of the hard disk master boot sector (partition
      table) and the boot sector of diskettes.  It is a stealth virus,
      hiding the infection of the hard disk and diskettes when it is memory
      resident.

      The first time the system is booted with a diskette infected with the
      Monkey virus, the Monkey virus will become memory resident and also
      infect the system hard disk's master boot sector.  Total system and
      available free memory, as indicated by the DOS CHKDSK program, will
      have decreased by 1,024 bytes.  The virus moves interrupt 12's return
      to 9FC0.  On the system hard disk, the virus will write one sector of
      viral code at Side 0, Cylinder 0, Sector 3, and then alter the master
      boot sector to point to this sector.

      Once the Monkey virus is memory resident, it will infect non-write
      protected diskettes when they are accessed on the system.  On 360K
      5.25" diskettes, the virus will write a sector of code at Sector 11,
      the last sector of the root directory, and then alter the boot sector.
      On 1.2M 5.25" diskettes, the sector of viral code is at sector 28 (also
      the last sector of the root directory).  If directory entries were
      originally located in the directory sectors overwritten, the
      corresponding files will become inaccessible.

      Monkey is a stealth virus, and cannot be detected on either the system
      hard disk or diskettes when it is memory resident. Disinfection is
      hampered further in that the system hard disk will be inaccessible
      following booting the system from a clean write protected system
      diskette, resulting in an "Invalid drive specification" message.
      Norton Disk Doctor can be used to remove the Monkey virus from the
      system hard disk by rebuilding the master boot sector.  The DOS SYS
      command can be used to replace the boot sector on infected system
      diskettes.

You can get VirusScan by anonymous FTP to mcafee.com.  The latest version
is 106 (ignore the login banner on mcafee.com) in the pub/antivirus directory.
You'll need clean106.zip to remove the virus and scanv106.zip to check for it.
								Jeremy

- -- 
___________________________________________________________________
   Teerawat Pawittranon (Tee) 	|	Internet Address:
       107-B Owen Bldg.		|	-----------------
    Learning Technologies	|    teera@emunix.emich.edu
  Eastern Michigan University	|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date:    Mon, 28 Jun 93 04:55:42 -0400
From:    bernward@dnsserv.go.dlr.de
Subject: Bad advice from MSAV (PC)

I just scanned a floopy disk in drive A: with MSAV from MS-DOS 6.0
(german version).  It found the Telecom PT1 Virus on the disk. I
didn't try to remove this virus.  When I tried to leave MSAV, it gave
me the advice to restart the PC, because a virus was found. In the
dialog box, there was a button to restart the computer at once. Now
guess what would happen if you click this button with an infected
diskette still in drive A:? It would infect your harddisk with this
virus, so you would have a real problem.

Bernward

------------------------------

Date:    Fri, 25 Jun 93 18:00:28 -0500
From:    HAYES@urvax.urich.edu
Subject: Re: Integrity Master 1.51b for the archives (PC)

Site:       urvax.urich.edu,  [141.166.36.6]    (VAX/VMS using Multinet)
Directory:  [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address
as password.  You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

Date:    Fri, 25 Jun 93 12:04:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: HELP.. my B: drive is dead ??? (PC)

korpela@sdp1.cea.berkeley.edu (Eric J. Korpela) and
UC532838@mizzou1.missouri.edu (handy) asks:

 >>Help...
 >>my B: drive (1.44) is not working anymore.. a couple of days ago
 >>it was fine.. now that I needed to retrieve some files from floppy
 >>it's dead. I checked & run CMOS set up & CMOS diagnostics, & all
 >>CMOS data looks OK to me.. I also cleaned that drive w/ cleaner disk
 >>'cos I thought there was some dust in the way.. but it didnt help..
 >>Please anybody help..
 >>What might cause this.. & how to fix it ?
 >> I've tried a dozen of disks & it still gave me General Failure Error..

Boot the PC from a clean DOS floppy. If there is still no
access to drive B:, there is a hardware problem. (Try it also with an old DOS 
version).

Usually, if the drive is not available then drive A: will be assigned 2 names: 
'A:' and 'B:'.

Try also to exchange the drives (i.e. switch the cables) this will tell you if 
the problem is in the drive itself!

So if that still is not the case it means the drive is present but does not 
function. I'd look for the problem in the drive's hardware!

Regards

* Amir Netiv. V-CARE Anti Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Mon, 28 Jun 93 23:30:29 -0400
From:    hank@netcom.com (Hank Roberts)
Subject: ANSI bombs prevention/ Summer '93 "2600" article (PC)

The Summer '93 "2600" magazine includes a cautionary article about
key redefinition and mentions three programs:
PKSFAN11 (which I've found) just blocks key redefinition

ANSICHEK and ACHKFILE (which I"m looking for, 'Archie' doesn't know them)
  locate key redefinition files in non-executable directories.

------------------------------

Date:    Tue, 29 Jun 93 17:36:08 -0400
From:    yeh@netix.com (Mr Shannon Yeh)
Subject: keyboard locked up (PC)

Hi, I understand that there are many programs which can scan the
abnormal computing problems (some people call this as virus).  But is
there any program which can effectively kill the virus?  Here are the
troubles I met recently:

in my local network, I set up a Sun workstation as a server (file
server and connectivity servers), and some 10 PCs as the clients.
About 3 weeks agao, my Sun keyboard was broken (even the "L1-a"
command cannot be issued).  Very recently, my PC (486) keyboard became
problem-some.  The problem is: when I try to type something, it
appended "........." after my type-in.

I am not sure if anyone out there met the similar trouble as I did.
If so, please let me know how you get the problems fixed.  I will
appreciate it.

Best,

shannon

------------------------------

Date:    Mon, 21 Jun 93 05:16:00 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Anti-Virus Techniques and direct Port Writes (PC)

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

<Excellent description of QEMM's Stealth mode>

 > Inbar's INs and OUTs would be immune of course since these do not
 > involve any code in segment F000h but the problem is still how to know
 > *when* to do those INs and OUTs. For this reason the technique is
 > useful for user- initiated actions such as data recovery and not much
 > use by themselves to a virus writer 8*).

I'm sorry, but I have to disagree with you.

The direct negotiation with the drive does not take anything. All you need 
know is the right ports, and the right commands. You are capable of doing 
whatever's on your mind using port writes, even if the makers of DOS/ WD never 
thought such a thing could be possible.

Just as an example, Chief Data Recovery has, for internal use strictly, a 
Physical Sector disk editor, that implements the port-write techniques, thus 
enabling the editor to go to undocumented areas on the harddisk, which I am 
abstained from detailing. There are no software/hardware requirements of any 
kind, such as you are implying. The matter of timing is really non-existant. 
Before you issue the drive COMMAND, you simply check if the drive is busy, and 
if so, you wait until it's done, and with all due respect, that doesn't take 
long. The moment you have the drive free, off you go.

 >                                          In particular, heuristic
 > scanners might find it a good idea to scan for INs and OUTs since few
 > programs would have any to use them.

Ofcourse. This goes without saying. However, it would be wise to assume that a 
virus that implements such code will almost certainly have it concealed in 
some manner.

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210            Fax:   +972-8-403295

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date:    Wed, 23 Jun 93 19:25:00 +0200
From:    Arie_Zilberstein@f0.n462.z9.virnet.bad.se (Arie Zilberstein)
Subject: F-prot false idetification (PC)

Y'hello All!

F-Prot 2.08 reported this on my C:\UTILS\ directory...

Virus scanning report  -  23. June 1993   19:18

F-PROT 2.08 created 21. April 1993
Virus signatures created 21. April 1993

Method: Heuristics
Search: C:\UTILS
Action: Report only
Targets: Boot/File
Files: Standard executables

Scanning boot sector C:
C:\UTILS\SMOOTH.COM seems to be infected with an unknown virus.
Please contact Frisk Software International or send us a copy for analysis.

Results of virus scanning:

Files: 122  (2.1 MB)
Scanned: 87  (1.9 MB)
Infected: 1
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

MBR's: 1
DOS boot sectors: 1
Infected: 0
Suspicious: 0
Disinfected: 0

Time: 0:11

The file SMOOTH.COM is a PC-Magazine program that displays text files
smoothly and I don't think it is infected by anything.

Bye
AZ

... Nothing is impossible for the man who doesn't have to do it himself.
- --- FMail 0.95a4 beta+ 
 * Origin: Beyond Tomorrow * 972-3-544-4488/3746 * 24h * 14Kbps (9:9721/202.0)

------------------------------

Date:    Fri, 18 Jun 93 17:02:03 +0200
From:    Olaf.Greve@p1500.f26.n318.z9.virnet.bad.se (Olaf Greve)
Subject: Tremor (PC)

In a message to Dr. Martin Erdelen <05 Jun 93 09:16> Pedro Lima blurred out:

 PL> I believe it also shows sometimes a message in the screen. It seems
 PL> there is no destructive payload in Tremor, but it isn't my analysis, so
 PL> I really don't know.

Tremor, Tremor, Tremor...

I keep on reading that name in the virus areas, apparently this virus
is mighty interesting, now we all know that the VSUM descriptions
aren't very accurate, so could someone please post a good (tech)
description of Tremor???  I'm really interested in what this virus
does, so please Vesselin Bontchev???, Fridrik Skulasson???, Robert
Hoerner???, Anyone Else???

So until the next time,
Have a good sin...
Grtnx, Olaf

- --- GEcho 1.00+
 * Origin: Big Hole +31-53-773628/770281 [HST/DS] (9:318/26)

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 99]
*****************************************
