To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #100
--------
VIRUS-L Digest   Tuesday,  6 Jul 1993    Volume 6 : Issue 100

Today's Topics:

New Virus Alert (PC)
Re: Information about VirNet
Re: Looking for VirNet information
Steroid Trojan Horse (Mac)
Re: Steroid Trojan Horse (Mac)
had a look at OS2SCAN V106 (OS/2)
Anti-Virus Techniques and direct Port Writes (PC)
Re: F-prot false identification (PC)
Questionable ethics? (Was: Philosophy) (PC)
Re: FORM Virus (PC)
Re: Anti-Virus Techniques and direct Port Writes (PC)
Re: Tremor (PC)
virus on data files? (PC)
My routine to detect most if not all file infectors (PC)
Re: f-prot updates (PC)
Viruses that cost $$$ (PC)
Need help for possible virus! (PC)
Re: CPAV updates? (PC)
Scanv106 now available by e-mail (PC)
Evaluating Scanners (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 05 Jul 93 02:56:32 -0700
From:    aryeh@mcafee.com (McAfee Associates)
Subject: New Virus Alert (PC)

Hello,
 
Listed below are signatures for updating VIRUSCAN to detect two new
viruses which have been reported at multiple sites since V106 was
released.  To use them, create an ASCII text file with one signature
to a line, save it to a file with a name like NEWVIR.TXT, and then
run VIRUSCAN with the /EXT option as follows: 

	SCAN path /EXT NEWVIR.TXT

Where "path" is the name of the drive, directory, or file to scan.

 
#Parity Boot 2 virus is a boot sector infector
"A3 13 04 B1 06 D3 E0 2D C0 07 A3 4E" Parity Boot 2
#Butterfly is a simple .COM file infector about 300 bytes long
#and recently became widespread accidentally
"B4 4E 8D B6 50 02 8D 96 2C 02 52 EB 3C" Butterfly
 
For more information on using the /EXT option, please refer to Appendix
A of the VIRUSCAN documentation.
 
Regards,
 
Aryeh Goretsky
McAfee Associates Technical Support

- -- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
2710 Walsh Ave, 2nd Floor| FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-      USA          | USR HST Courier DS   | America Online: McAfee

------------------------------

Date:    Wed, 30 Jun 93 08:43:28 -0400
From:    Mikael Larsson <mikael@vhc.se>
Subject: Re: Information about VirNet

hans@CAM.ORG (Jean-Francois Vaillancourt) wrote:

> I have been looking without success for information about VirNet. Of
> specific interest are how one goes about becoming a node, and the
> file distribution system.

Hello Jean-Francois,

Maybe I can help you. I am the one who started VirNet a few years ago;
nowadays it is also exported to the USA via Sara Gordon. You can contact her
or some of the other hosts in the USA for more info on how to apply.

Contact one of the following people within USA:

Sara Gordon             1:227/190               (219) 273-2431
Pam Trexler             1:15/20                 (505) 662-0659
Troy D. Helms           1:280/69                (816) 887-3451
Leon Lynch              1:129/149               (304) 258-5480
Bill Dirks              1:385/17                (405) 248-0528
Douglas Luurs           1:228/52                (616) 245-4745
Gary Reardon            1:321/131               (413) 967-8101
Bob Miedema             1:275/77                (804) 422-1540

Otherwise, you can contact me again.

Mikael Larsson          2:205/204               +46 26 275740

Best regards,

Mikael

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre     Phone:  +46-26 275740   Email: mikael@vhc.se
Box 7018              Fax:    +46-26 275720   or   : mikael@abacus.hgs.se
S-811 07  Sandviken   BBS #1: +46-26 275710   Fido : 2:205/204 & 2:205/234
Sweden                BBS #2: +46-26 275715   Authorized McAfee Agent!

------------------------------

Date:    Fri, 02 Jul 93 00:21:07 -0400
From:    vfr@netcom.com (sOciaLly AdePt)
Subject: Re: Looking for VirNet information

hans@CAM.ORG (Jean-Francois Vaillancourt) writes:

>I have been looking without success for information about VirNet. Of
>specific interest are how one goes about becoming a node, and the
>file distribution system.

well, as north american resource coordinator for VirNet, maybe i can
help you :) anyone wishing to request a VirNet node number, or, to
become a Host system, can call (via modem) 304-258-5480, and request
an information package from the sysop there. His name is Leon Lynch,
and he manages the incoming requests.  If you like, you can also d/l
the request from 219-273-2431, but you will need to leave the
completed form with Leon, who is also FidoNet node 1:262/3 :)

The file distribution system is set up so that incoming files, from
the authors, are distributed to the Host systems, who in turn pass
them along to their nodes. We have a good 'turn-around' time, too.
Often the files are available on the same day of release.

if there are any questions, or problems, anyone can contact me
concerning VirNet, or pass them along to the appropriate person. You
can contact me as follows: Internet: vfr@netcom.com or
SGordon@Dockmaster.ncsc.mil FidoNet: 1:227/190

- -hope this helps

------------------------------

Date:    Thu, 01 Jul 93 19:26:54 -0400
From:    mpye@netcom.com (Michael Pye)
Subject: Steroid Trojan Horse (Mac)

Does anyone have any information on the Steroid Trojan Horse?
Specifically, what it claims to be, who discovered it, etc.  I've
checked the MACVIR.791 file and it was missing that information.
Can't seem to find anything anywhere else either.

I realize that information might be scant since it's been a couple
years since this came out, but thought I'd ask anyway.

Thanks for any info!

Michael

------------------------------

Date:    Tue, 06 Jul 93 09:50:04 -0400
From:    Ephraim Vishniac <ephraim@Think.COM>
Subject: Re: Steroid Trojan Horse (Mac)

The most extensive description of the Steroid INIT which I can find
appeared in TidBITS #7. Here it is:

TidBITS electronic magazine for the Macintosh
Copyright 1990-1992 Adam & Tonya Engst. Non-profit, non-commercial
publications may reprint articles if full credit is given.

TidBITS#07: STEROID Warning!

- ----------------
  An INIT called STEROID has been discovered to be a Trojan Horse.
  It falsely claims to accelerate QuickDraw on 9" monitors but in
  fact contains a time bomb that will erase all mounted volumes
  (floppies and hard disks) on July 1st, 1990. Apparently erased
  files can be recovered with SUM II (Symantec Utilities for
  Macintosh) and probably with other file recovery utilities.
  Needless to say, disable this INIT immediately and do not depend
  on one of the file recovery utilities. Strangely enough, having
  the Communication Toolbox installed seems to prevent STEROID from
  working.
 
  The details of STEROID's identity are as follows:
 
    TYPE              : INIT
    CREATOR           : qdac
    CODE SIZE         : 1080
    DATA SIZE         : 267
    ID                : 148
    INIT Resource Name: QuickDraw Accelerator
    File Name         : "  Steroid" (First 2 characters are ASCII 1)
    Created           : June 2, 1990, 11:24 AM
    Version           : Steroid 1.1
 
  Note the two invisible characters in front of the file name. They
  ensure that STEROID will load before SAM and other virus
  prevention utilities that might stop STEROID. Paul Cozza, author
  of SAM (Symantec AntiVirus for Macintosh) says that SAM would flag
  STEROID if and only if SAM loads before STEROID, which does not
  happen currently due to the two invisible characters before
  STEROID's name. No unknown INITs should ever be allowed to run
  before SAM for just this reason.
 
  If you use SAM, you can enter the following virus definition in
  Virus Clinic to allow both SAM Intercept and Virus Clinic to
  detect this Trojan during scans.
 
    Virus Name:    Steroid Trojan
    Resource Type: INIT
    Resource ID:   148
    Resource Size: 1080
    Search String: ADE9 343C 000A 4EFA FFF2 4A78 (hex)
    String Offset: 96
 
  If you use Virus Detective 4.x, you can enter the following search
  string to find STEROID.
 
  Resource INIT & Size<1200 & WData FE680C6E#E4EBA#F60 ; For finding
  Steroid Trojan
 
  Information from:
    Chuq Von Rospach -- chuq@Apple.COM
    Joel B. Levin -- levin@BBN.COM
    Paul Cozza -- SAM Author
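Both the McAfee /EXT signature lines in the first message of this digest and the SAM Virus Clinic entry above are plain byte-pattern definitions. The following Python is an added example, not code from either post nor from McAfee or Symantec: it parses the /EXT text format, scans a buffer for the listed patterns, and applies the offset-anchored SAM-style check; the sample buffers are constructed here and contain only the signature bytes printed in the two posts.

```python
"""Byte-signature matching in the two styles shown in this digest.

Added example, not code from any poster, McAfee or Symantec.  It reads a
VIRUSCAN /EXT-style text file ('#' comment lines, one '"hex bytes" Name'
per line), scans data for every pattern, and evaluates an offset-anchored
definition like the SAM Virus Clinic entry for the Steroid INIT.
The sample buffers are constructed for this example.
"""
import re

# One /EXT signature line: a double-quoted run of hex byte pairs, then the name.
EXT_LINE = re.compile(r'^"([0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*)"\s+(\S.*?)\s*$')

# The two signatures from the McAfee post, in NEWVIR.TXT layout.
NEWVIR_TXT = """\
#Parity Boot 2 virus is a boot sector infector
"A3 13 04 B1 06 D3 E0 2D C0 07 A3 4E" Parity Boot 2
#Butterfly is a simple .COM file infector about 300 bytes long
#and recently became widespread accidentally
"B4 4E 8D B6 50 02 8D 96 2C 02 52 EB 3C" Butterfly
"""

# The SAM Virus Clinic definition from the TidBITS text, as a dict.
STEROID_SAM_DEFINITION = {
    "virus_name": "Steroid Trojan",
    "resource_type": "INIT",
    "resource_id": 148,
    "resource_size": 1080,
    "search_string": "ADE9 343C 000A 4EFA FFF2 4A78",
    "string_offset": 96,
}


def parse_ext_file(text):
    """Return [(name, pattern_bytes), ...] from /EXT-format text.

    Blank lines and '#' comment lines are skipped; anything else that is not
    a well-formed signature line raises ValueError with its line number, so a
    typo in a hand-edited file is caught instead of silently never matching.
    """
    sigs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = EXT_LINE.match(stripped)
        if m is None:
            raise ValueError(f"line {lineno}: not a signature line: {line!r}")
        sigs.append((m.group(2), bytes.fromhex(m.group(1))))
    return sigs


def scan_buffer(data, sigs):
    """Names of every signature whose bytes occur anywhere in data.

    Unanchored substring search is what /EXT gives you: simple, but a short
    pattern can also occur in clean code, so a single unexpected hit deserves
    a second look before anything is deleted.
    """
    return [name for name, pattern in sigs if pattern in data]


def matches_sam_definition(resource, definition):
    """Offset-anchored check: exact resource size and pattern at string_offset."""
    pattern = bytes.fromhex(definition["search_string"])
    off = definition["string_offset"]
    return (len(resource) == definition["resource_size"]
            and resource[off:off + len(pattern)] == pattern)


# Constructed test data: filler around the Butterfly bytes, and a dummy
# 1080-byte "INIT resource" carrying the Steroid search string at offset 96.
SAMPLE_COM = (b"\x90" * 40
              + bytes.fromhex("B4 4E 8D B6 50 02 8D 96 2C 02 52 EB 3C")
              + b"\xc3")
_init = bytearray(1080)
_init[96:96 + 12] = bytes.fromhex(STEROID_SAM_DEFINITION["search_string"])
SAMPLE_INIT = bytes(_init)

if __name__ == "__main__":
    sigs = parse_ext_file(NEWVIR_TXT)
    print("/EXT hits:", scan_buffer(SAMPLE_COM, sigs))
    print("SAM Steroid match:", matches_sam_definition(SAMPLE_INIT, STEROID_SAM_DEFINITION))
```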

------------------------------

Date:    Mon, 05 Jul 93 02:01:53 -0400
From:    KARGRA@GBA930.ZAMG.AC.AT
Subject: had a look at OS2SCAN V106 (OS/2)

Hi all,

last weekend, once again I took a close look at the improved version
106 of McAfee's antivirals.  I cannot test whether it is effective against
viruses, as I don't have any in my system; however, I can check whether the
functions at least seem to work the way they are supposed to.  The
system where I tested it is a no-name 486DX/33 with 16MB, 2 HPFS HDs and
OS2 2.1 dec. beta loaded. Though I'll upgrade soon, I do not expect any
changes in the results of software functions. Should any changes appear,
I'll post them.

OS2VAL V0.5:

'OS2VAL *' is still not working.  A new idea for improvement: let
OS2VAL compare its computed checksums with checksums in a text file
which can be downloaded separately.  Putting the checksums in a
ZIP package does not make much sense.  Anyone can modify OS2SCAN, let
OS2VAL recompute the checksum with the original OS2VAL and alter the
entries in the docs.  Another way to improve security is to put
PKUNZIP 1.10 in the download area, so everyone can unzip the files
and get authenticity verification. IMHO it is a strange policy to urge
people always to use the very latest software, and on the other hand,
tell them to use a pretty outdated version of a decompression utility.
The latest version of PKUNZIP I've come across is 2.04g, but it does
not provide authenticity information.  However, I'm not sure about the
license policies of PKWARE.

OS2SCAN V106:

Scanning 237 files out of 1239 now takes 56 seconds.  Still not a
high-speed scanner, but well improved since OS2SCAN V104.  There is an
interesting inconsistency in behaviour: scanning a single drive
without any options returns to the command line.  Scanning drives c:
and d: (no difference between "C: D:" and "/AD") brings up the final
text screen, asks "more?", and if you tell it "n", the text is
brought up a second time and away scrolls all info about what was
found and done. The workaround I found is to simply hit ENTER 1 to 3
times (depending on what options you were using). This will only waste
the topmost 3 lines, where no valuable information is lost. But the
help line only tells you about "N" or "Q".  Another possibility is to
always use "/nopause" (preferably in the *INI).

Finally the programmers fixed it: /AF and /CF now really work.  Still an
interesting feature: first I added the checksums (/AF desc.crc) for
file "t2.exe". Then I modified the file using /AG. My next step was to
check with "/CF t2.crc". No modification detected. Then I created a new
crc from the modified file (/AF t2g.crc). Removing the 52 bytes did not
trigger a message; neither /CF t2.crc nor /CF t2g.crc found a change in
the file. This means that a checksummed file may be modified in a certain
way without triggering an alert. Maybe a way for a directed attack.
Any comments from the community?

However there is a small feature in /RG. It does not remove the hidden
SCANVAL.VAL file, as stated in the docs (might be due to the fact that
SCANVAL.VAL is needed for /DATE to keep the last scanning date). An
improvement might be to notify the user that there are no checksums and
that SCANVAL.VAL is missing if he uses /CG without any checksum present.
Yes, I found that there is an option CERTIFY, but why do I need an
additional option for this important information?  A virus might have
removed it, and unless the user asks specifically for it, he will never
know. So: put it in the *INI or, better yet, make it a default next time.

The problem that the user is not notified of his error about the kind of
checksum he is using remains. The user still can use /CV with checksums
from /AG and vice versa. Even with /certify he is not told about his
error.  This may result in a false sense of security, as generic cleaning
might fail.  The feature that /RG does the same as /RV remained. O.k. So
why not reduce the number of options by one and simply call it "/R"?
Somehow I feel the way /AV and /AG interact is confusing, though not
impractical: append a checksum with /AV and check with /CG will tell
you about modified files or viruses, which I feel is fine behaviour,
but I'd like to know about my error.

An interesting point in security: I found nowhere in the docs mentioned
that OS2SCAN uses an appended CRC if present, no matter if /CG or /CV are
given on the command line. I proved this in the following way: first I
added a crc (/AG) to crap\t2.exe. Then I modified it, so /CG would give a
warning.  Next thing I did was to create a crc-file (/AF crap.crc)
for all files in the crap directory. During scanning I was notified
about the modified t2.exe. The command line looked like this: "OS2SCAN
crap /AF crap.crc".  Obviously OS2SCAN does what all users of stored
CRCs are supposed to do prior to creating them: verify whether their data
are o.k.

A thing about the docs: one question arises from the following part:
"The recovery information for the partition table, boot sector,
COMMAND.COM and system files is stored separately in a hidden file
called SCANVAL.VAL in the root directory of the drive being scanned.
(unknown) is an optional ASCII text file."  What about CMD.EXE?  Is it
modified?  I hope not, as it is the OS2 command interpreter.  Nice to
hear that the DOS emulator is not modified. And BTW: what if I use 4OS2
and 4DOS?  Would these be modified?  Or will OS2SCAN look up the actual
command interpreter in the config.sys?

/DATE: this switch still does not seem to do what the docs say.
Running "OS2SCAN C: D: /DATE" should result in two hidden, 0 byte
SCANVAL.VAL files in the current directories with the actual dates.
The drives were scanned, but no files created. Even if it is only one
file, there remains a problem.  Running "OS2SCAN d: /SHOWDATE" should
tell me when the drive was scanned.  All I get is the information
that drive d: has not been scanned yet. :( At least I got it to work
if SCANVAL.VAL was created by "OS2SCAN \ /AG".  So the conclusion is
that it has been improved, but not fixed completely.

/fast: it speeds up things only a little. A regular scan of drive c:
takes 56 seconds, a "fast" scan takes 49 seconds. This is about 12% less
time.  Not enough to take the risk of less security, IMHO.

/NOBREAK: stops users from using ^C or ^BREAK, but not from closing the
entire session. I admit, a bit unfair, but a way which should be
mentioned in the docs.

/RF: seems to work now, even with /certify. The crc for a single file
can be removed.

/SAVE: still an inexperienced user can save /AV, /AG and /AF to the
*INI, which does not make sense, as it does not seem to overwrite
existing crc data. Even /RV, /RG and /RF can be saved. I can't imagine
the use of this. However, maybe it is due to my lack of fantasy, but
OS2SCAN does not check if the options to be saved are logical. The user
can save /AF without a filename (the same applies to /RF). In this
configuration OS2SCAN always stops with an error saying: "Sorry, the /AF
option needs to be followed by a file name."  One of the absolute
highlights of promotion is the following (screen copy): nothing but
copyright messages .....

[D:\os2\neu\mcafee\scan]os2scan /save
OS2SCAN 9.17 V106 Copyright 1989-93 by McAfee Associates.  (408) 988-3832

OS2SCAN 9.17 V106 Copyright 1989-93 by McAfee Associates.  (408) 988-3832

     This McAFEE(TM) software  may  not be used by a business, government
     agency or institution without  payment of  a negotiated license fee.
     To negotiate a license fee contact McAfee Associates (408) 988-3832.
     All use of  this software  is  conditioned upon  compliance with the
     license terms set forth in the LICENSE.DOC file.

      Copyright (c) McAfee Associates 1989-1993. All Rights Reserved.

[D:\os2\neu\mcafee\scan]
A bug seems to be with the foreign languages:
[D:\os2\neu\mcafee\scan]OS2SCAN C: D: /A /FR
OS2SCAN 9.17 V106 Copyright 1989-93 by McAfee Associates.  (408) 988-3832

Sorry,I don't understand "/FR".
For help type "SCAN /help".

OS2SCAN 9.17 V106 Copyright 1989-93 by McAfee Associates.  (408) 988-3832

     This McAFEE(TM) software  may  not be used by a business, government
     agency or institution without  payment of  a negotiated license fee.
     To negotiate a license fee contact McAfee Associates (408) 988-3832.
     All use of  this software  is  conditioned upon  compliance with the
     license terms set forth in the LICENSE.DOC file.

      Copyright (c) McAfee Associates 1989-1993. All Rights Reserved.

Once again half a screen full of promotion.
I copied the initial command line from the docs as I was not sure whether I
was in error or not. But as the example given at line 795 of OSCN106.DOC
fails, there seems to be a bug. OS2SCAN /HELP does not show a way to get
foreign language messages either. And OS2LANG.DOC can't tell more than the
correct checksums for the French and Spanish language files. Nothing about the
usage.

OS2CLEAN: cleaning of CD-ROMs ??? Don't you think that checking a volume is
a job for OS2SCAN ???
Copy from the OCLN106.DOC:
/AD{x} - This option cleans all drives of viruses.
If /ADL is used, all local drives are checked, including compressed
drives and CD-ROM's.  If /ADN is used, all networked drives
/GRF: after creating a crc-file, a change of the first word from MZ to ZM
could not be safely undone. OS2CLEAN asked if I wanted to overwrite the
file.
/Generic: same as /GRF. I remember that V104 did at least a partially
better job. And a new question arises: do you check the last modified date?
After I had undone the changes, OS2CLEAN still claimed that the file had
been modified and asked if I wanted to wipe it!

Finally:
A last point of criticism: it is very important for McAfee to bring up over
and over a 12 line copyright and license message. This is almost half of
the usual 25 lines on the screen. Not very user-friendly, as more important
information is constantly scrolled away. You can fix the problem by piping
the output to "more", but this could be easily avoided if McAfee would not
tell the user twice the phone number and the copyright at the end of each
scanning procedure. The first time you see it is at the start ...
All major bugs seem to be fixed. Some minor ones were introduced, though.
One of OS2SCAN's, and probably SCAN's too, last problems is communication
with the user.  Too many impossible things are accepted and not done,
without telling the user.  Somehow it looks like McAfee is trying to do the
impossible.  :)  And if it was a bit snappier with a more friendly
user interface, I would recommend it even to "Joe Everyone".

################################################################################
Alfred Jilka             #This place intentionally left blank. This place inteti
Geologic Survey, Austria #onally left blank. This place intentionally left blank
KARGRA@GBA930.ZAMG.AC.AT #. This place intentionally left blank. This place inte
################################################################################

------------------------------

Date:    Wed, 30 Jun 93 08:49:42 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Anti-Virus Techniques and direct Port Writes (PC)

>From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
>
>padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

> > Inbar's INs and OUTs would be immune of course since these do not
> > involve any code in segment F000h but the problem is still how to know
> > *when* to do those INs and OUTs. 

>I'm sorry, but I have to disagree with you.

Possibly this should go off-line but I feel Inbar is missing the point.
Viruses must propagate. To propagate there must be some means for the
virus code to be called at the appropriate time (why all common viruses
go memory resident). *THIS* is always detectable and has nothing to do
with the ability to bypass DOS and the BIOS completely with INs and OUTs
*after* the virus has been invoked.

> >                                          In particular, heuristic
> > scanners might find it a good idea to scan for INs and OUTs since few
> > programs would have any to use them.

>Of course. This goes without saying. However, it would be wise to assume that a
>virus that implements such code will almost certainly have it concealed in
>some manner.

This was a separate thought but I like layers of protection. Memory residence
can only detect problems *after* they occur and it would be nice to have a
"warm and fuzzy" before a new program is run. Unfortunately, since the PC
is a single state machine, there is no way to block an IN or OUT (Turing
Halting Problem). However a simple check for them will reveal the horde
of "dumb" viruses and Trojans sure to ensue from this discussion.

			Damply (ducks have replaced the pigeons here today),
							Padgett

------------------------------

Date:    Wed, 30 Jun 93 09:50:28 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: F-prot false identification (PC)

Arie_Zilberstein@f0.n462.z9.virnet.bad.se (Arie Zilberstein) writes:

>C:\UTILS\SMOOTH.COM seems to be infected with an unknown virus.
>Please contact Frisk Software International or send us a copy for analysis.
>
>The file SMOOTH.COM is a PC-Magazine program that displays text files
>smoothly and I don't think it is infected by anything.

Well, you are probably right.  In fact, as a general rule of thumb - If the
heuristics only report a single file as suspicious, it is almost always
a false alarm....if you had a new virus it would be found all over the machine.

I could probably fix this if I had a copy of the file in question.

- -fris
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date:    Wed, 30 Jun 93 17:40:36 -0400
From:    fergp@sytex.com (Paul Ferguson)
Subject: Questionable ethics? (Was: Philosophy) (PC)

On Sat, 26 Jun 93 11:34:38 -0400,
 Padgett Peterson <padgett@tccslr.dnet.mmc.com> wrote -
 
>       Viruses and the art of Cybernetic Psychophysics
        
> Repeatedly  people  have  asked me about viral  source  code  and
> turned away churlishly when I suggest that they read the works of
> Ray  Duncan,  Leo Scanlon, Ralf Brown, Terry Dettmann,  and  Neil
> Colvin first.
        
> I do not take students but should this change, I would say "First
> write  a perfect MBR with the minimum number of  bytes  necessary
> for  use  with MS/PC-DOS 2.0-6.0 and useful with  both  8088  and
> Pentium CPUs. Explain."
        
 While you and I (among others like us) do not agree on topics such
 as the Clipper/Capstone/Skipjack initiative, we certainly share
 identical views regarding computer viruses. Now if I could only stir
 intelligent debate on comp.risks regarding the use and impact of
 anonymous e-mail ....
 
 Cheers from Washington, DC.
 

Paul Ferguson               |  "Confidence is the feeling you get
Network Integrator          |   just before you fully understand
Centreville, Virginia USA   |   the problem."
fergp@sytex.com             |      - Murphy's 7th Law of Computing
 
               Quis Custodiet Ipsos Custodes?

------------------------------

Date:    01 Jul 93 17:12:51 -0400
From:    "William H. Lambdin" <73044.2573@CompuServe.COM>
Subject: Re: FORM Virus (PC)

From:    riedrich@socrates.umd.edu (Yves Riedrich)

>If this has happened to you before or if you have any ideas
>how to remove this from my hard drive...please send me e-mail

Form resides in the boot sector of the hard drive instead of the partition 
table like Stoned, Michelangelo, NO Int, etc.

I'm not sure about this, so take it with a grain of salt.
 
Cold boot from a known clean bootable diskette, and SYS C:

If you don't have a known clean bootable diskette, SYS C: from the hard
drive.

Since FORM is a resident virus, cold boot the computer after the SYS 
process is complete, or form may re-infect the hard drive almost 
immediately.
 
If this gets rid of the virus, be sure to format a bootable diskette and
write-protect it.
 
FORMAT A: /S

or

FORMAT A:
SYS A:

I would recommend for you to copy several utilities to this diskette before 
you write protect it.
 
FORMAT.COM
SYS.COM
FDISK.EXE
DEBUG.EXE

Feel free to add any programs you feel are necessary.

Bill

------------------------------

Date:    Mon, 28 Jun 93 23:30:29 -0400
From:    hank@netcom.com (Hank Roberts)
Subject: ANSI bombs prevention/ Summer '93 "2600" article (PC)

>ANSICHEK and ACHKFILE (which I'm looking for, 'Archie' doesn't know them)
>  locate key redefinition files in non-executable directories.

Personally: I prefer ZANSI.SYS, or NANSI.SYS (version  3.1 or later)

Both of these are compatible with ANSI.SYS, but the added benefit is that 
screen writes will be much faster than ANSI.SYS.
 
ZANSI does not allow keyboard re-definitions at all.
NANSI with the /S parameter prevents keyboard re-definition.

Bill

------------------------------

Date:    Tue, 29 Jun 93 17:36:08 -0400
From:    yeh@netix.com (Mr Shannon Yeh)
Subject: keyboard locked up (PC)

>I am not sure if anyone out there met the similar trouble as I did.
>If so, please let me know how you get the problems fixed.  I will
>appreciate it.

I don't believe it is a virus. This is only my opinion.

To be sure, download one of the following scanners. All of them detect at 
least 95 percent of the viruses in my collection.

F-Prot 2.08a              FP-208A.ZIP
Integrity Master 1.51a    I-M151A.ZIP
Thunder Byte Anti-Virus   TBAV603.ZIP
Scan                      ScanV105.ZIP (I have heard that 106 has been released)
VIRx                      VIRX28.ZIP

All of them are shareware, so try one or more.
 
Hope this helps.

Bill

------------------------------

Date:    Fri, 02 Jul 93 09:56:29 -0400
From:    cornet@zen.et.tudelft.nl (Jan-Pieter Cornet)
Subject: Re: Anti-Virus Techniques and direct Port Writes (PC)

Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) writes:

>padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

>The direct negotiation with the drive does not take anything. All you need
>know is the right ports, and the right commands. You are capable of doing
>whatever's on your mind using port writes, even if the makers of DOS/ WD never
>thought such a thing could be possible.

Unless the O/S forbids INs and OUTs. On 386+'s there's a simple way to make
any IN or OUT instruction in Virtual '86 mode trap to the O/S. The O/S can
then decide whether or not that particular port write is allowed. I believe
OS/2 does exactly this. (via IOPL)

Of course this doesn't help the average DOS user much...

> >                                          In particular, heuristic
> > scanners might find it a good idea to scan for INs and OUTs since few
> > programs would have any to use them.
>Of course. This goes without saying. However, it would be wise to assume that a
>virus that implements such code will almost certainly have it concealed in
>some manner.

Which is fairly easy, considering that most IN/OUT instructions don't contain
the port number that is written to/read from (This number is in the DX
register, which is usually loaded directly before the IN/OUT. But nothing
guarantees that it should be loaded directly before, so there's plenty of 
opportunity to hide it). Hard to scan for this reliably.

Unfortunately, there are quite a few programs doing IN/OUTs when trying to
identify the display adapter, so making IN/OUT instructions suspect will
trigger most graphical games :-). Not likely to be implemented either.

- -- 
- -- Jan-Pieter Cornet <cornet@duteca.et.tudelft.nl>
 "What? My 286 at home too slow compared to the 486 at work? No, luckily
  I run windows at work so I don't notice any performance difference."
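Padgett's suggestion that a heuristic scanner flag IN and OUT instructions, and Jan-Pieter's objection that the port number normally lives in DX and need not be loaded right before the instruction, can both be shown in a few lines. This Python sweep is an added example, not code from either poster: it flags the 8086 port I/O opcodes in a code buffer, recovers the port only when a `mov dx,imm16` immediately precedes the IN/OUT, and runs over constructed byte samples.

```python
"""Heuristic sweep of 16-bit x86 code for direct port I/O (IN/OUT).

Added example, not from any poster in this thread.  It applies the
heuristic discussed above (flag INs and OUTs) and shows its limit: the
port is usually in DX, and a scanner that is not a full disassembler can
only recover it when 'mov dx,imm16' sits directly before the IN/OUT.
All byte samples are constructed for this example.
"""

# Port I/O opcodes that take the port from DX (8086 and later).
DX_PORT_OPCODES = {
    0xEC: "in  al,dx",
    0xED: "in  ax,dx",
    0xEE: "out dx,al",
    0xEF: "out dx,ax",
}
# Port I/O opcodes followed by a one-byte immediate port number.
IMM_PORT_OPCODES = {
    0xE4: "in  al,{port:#04x}",
    0xE5: "in  ax,{port:#04x}",
    0xE6: "out {port:#04x},al",
    0xE7: "out {port:#04x},ax",
}
MOV_DX_IMM16 = 0xBA  # mov dx,imm16 is encoded as BA lo hi


def find_port_io(code):
    """Return [(offset, mnemonic, port), ...] for every port I/O opcode seen.

    port is the immediate for E4..E7, the value of a 'mov dx,imm16' that
    directly precedes an EC..EF instruction, or None when DX was set somewhere
    else (the concealment Jan-Pieter describes).  This is a linear byte sweep,
    not a disassembler: an operand or data byte can masquerade as an opcode,
    which is why such a heuristic also fires on clean hardware-probing code.
    """
    hits = []
    i = 0
    dx_value = None  # known only if the previous decoded item was mov dx,imm16
    while i < len(code):
        op = code[i]
        if op == MOV_DX_IMM16 and i + 2 < len(code):
            dx_value = code[i + 1] | (code[i + 2] << 8)
            i += 3
            continue  # keep dx_value for the very next instruction only
        if op in IMM_PORT_OPCODES and i + 1 < len(code):
            port = code[i + 1]
            hits.append((i, IMM_PORT_OPCODES[op].format(port=port), port))
            i += 2
        elif op in DX_PORT_OPCODES:
            hits.append((i, DX_PORT_OPCODES[op], dx_value))
            i += 1
        else:
            i += 1
        dx_value = None  # any other byte ends our knowledge of DX
    return hits


def port_io_summary(code):
    """Counts a heuristic scanner might report: total hits and unresolved ports."""
    hits = find_port_io(code)
    return {
        "port_io_count": len(hits),
        "unresolved_ports": sum(1 for _, _, port in hits if port is None),
        "ports": sorted({port for _, _, port in hits if port is not None}),
    }


# Constructed sample: a resolvable DX port, an immediate port, and a DX port
# whose 'mov dx' is separated from the OUT by one instruction (here a NOP).
SAMPLE_CODE = bytes([
    0xBA, 0xD4, 0x03,  # mov dx,03D4h
    0xEC,              # in  al,dx      -> port recovered: 0x3D4
    0xE4, 0x60,        # in  al,60h     -> immediate port 0x60
    0xBA, 0xF0, 0x03,  # mov dx,03F0h
    0x90,              # nop            -> breaks the "directly before" link
    0xEE,              # out dx,al      -> port unresolved (None)
    0xC3,              # ret
])

if __name__ == "__main__":
    for offset, mnemonic, port in find_port_io(SAMPLE_CODE):
        shown = "?" if port is None else f"{port:#06x}"
        print(f"{offset:04x}: {mnemonic:12s} port={shown}")
    print(port_io_summary(SAMPLE_CODE))
```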

------------------------------

Date:    Fri, 02 Jul 93 13:29:09 -0400
From:    al026@yfn.ysu.edu (Joe Norton)
Subject: Re: Tremor (PC)

OG>this virus is mighty interesting, now we all know that the
OG>VSUM descriptions aren't very accurate, so could someone
OG>please post a good (tech) description of Tremor???
 
  This isn't very technical, but here goes.
It's just another new virus as far as I can tell.  It likes to load
itself into high RAM.  This makes it crash & burn a lot on systems
using QEMM or Windows.  It's a polymorphic virus.  It's very slow in
changing itself though.  This is one reason that it's so hard to catch
all mutations of it.  This is why ScanV 105 had to be replaced with
ScanV 106 so quickly.  They found out that 105 didn't catch all Tremor
infections.  106 might....  F-Prot and ThunderByte don't seem to have
any problems detecting it, but I still haven't seen anything that can
clean it 100% of the time..  Tbclean can clean about 50% of the
infections and leave the fine intact, but that's it..
 
- -- 

------------------------------

Date:    Sun, 04 Jul 93 11:11:00 +0000
From:    ccarabi@vmsa.technion.ac.il
Subject: virus on data files? (PC)

Hello internets,
Can a virus spread through a diskette with data files?
The diskette contains no system or programs. 
Thanks, Rachel.

[Moderator's note: See question/answer E5 in the Frequently Asked
Questions (FAQ) document for more information.]

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|  Rachel Birman 	        Email:CCARABI@VMSA.TECHNION.AC.IL  |
|  Consultant                                                      |
|  Computer Center, Technion    Phone:(972)-4-293636               |
|  Haifa, Israel 32000          FAX:  (972)-4-236212               |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

------------------------------

Date:    Sun, 04 Jul 93 20:59:51 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: My routine to detect most if not all file infectors (PC)

I posted this routine once before. I have done further testing on this 
idea, and it does work, even on some stealth infectors, without the 
necessity of booting clean from a bootable diskette.

I want to state up front, that this will not identify the virus, nor help 
you get rid of it. This is detection only, and should be considered as an 
enhancement to scanners, and integrity checking, and not be used to replace 
either.

This will detect most (if not all) file infectors that a scanner may miss.

This will act as an early warning system for people that use integrity 
checking software, namely limiting the number of infected files to a 
minimum.

This can detect many viruses without the need to boot clean prior to 
running the test.

If you wish to use my idea, you will need the following.
 
LHA (I use LHA 2.13)
An archive of your most commonly used files
FC.EXE, which comes with DOS 4.0 and above
The .BAT file below

BAIT.BAT

@ECHO OFF
CLS
C:
CD\BAIT
DEL VIRUS.LZH
LHA A -A VIRUS \COMMAND.COM \DOS\CHKDSK.*
FC BAIT.LZH VIRUS.LZH
CD\

It would be a very good idea to rename the utilities, and directory, to 
prevent a hacker from writing a virus that will delete or fool this 
routine.

You can archive as many files as you wish, but I would recommend a minimum 
of two files: one .COM file, and one .EXE file. Currently I am archiving 
eight files; six are DOS programs, and two of them are Windows programs. So 
I can detect either DOS or Windows viruses in one test that takes only a 
few seconds on my 486. Be sure to use the asterisk for the .EXE extension. 
This will make LHA add any companion infectors that are present.

Part of that .BAT file is complex, and it is vital that it be typed exactly 
as shown. So I should explain how it works in more detail.

DEL VIRUS.LZH

This deletes the previous test to give you a clean and fresh test every 
time.

LHA A -A VIRUS \COMMAND.COM \DOS\CHKDSK.*

In the command line above,  the first A instructs LHA to add the files to 
the archive.

The second parameter -A instructs LHA to add the file regardless of which 
attribute(s) are set. It works for all four attributes.
 
Hidden
System
Read only
Archive

I have been thoroughly testing this routine for weeks.

I have tested it against the following stealth viruses.

X = detected change.

                  active          inactive
Virus          in memory       booting clean
SBC                X                 X
FRODO              X                 X
TREMOR                               X

My routine should have detected SBC because it is not fully stealthed, and 
it doesn't disinfect the host file when it is opened.

My routine should not have detected FRODO because it is fully stealthed, 
and does disinfect the host file on the fly when it is opened for any 
reason. FRODO sets the date stamp forward 100 years. This is how Frodo 
marks the files as infected. My routine detected the change to the date 
stamp even though Frodo had disinfected the host file when LHA archived the 
host file(s).

My routine is able to detect the following types of changes.

1. Change to files
2. Change of file attributes
3. Change of file time stamp
4. Change of file date stamp

I release this routine to the public domain, and anyone may use it freely.

Bill Lambdin
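As an added example (not Bill Lambdin's own code), here is a Python reimplementation of the bait-file idea above. It records each bait file's content hash, attribute bits and timestamp, then diffs a fresh snapshot against the stored baseline the way FC diffs VIRUS.LZH against BAIT.LZH; unlike the batch file, it also reports which of the four kinds of change occurred. The bait file names and the temporary bait set are constructed for the demonstration, with a Frodo-style +100-year date stamp on one file.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical reimplementation of the bait-archive check: snapshot the bait
# files (content, attribute bits, timestamp) and diff against a baseline.
SECONDS_PER_YEAR = 365 * 24 * 3600


def snapshot(paths):
    """Record content hash, permission bits and modification time per file."""
    snap = {}
    for p in map(Path, paths):
        st = p.stat()
        snap[str(p)] = {
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),  # stand-in for DOS attribute bits
            "mtime": int(st.st_mtime),         # DOS date and time stamp
        }
    return snap


def compare(baseline, current):
    """Return (path, kind) per deviation; kinds mirror the post's four cases."""
    changes = []
    for path, base in baseline.items():
        cur = current.get(path)
        if cur is None:
            changes.append((path, "missing"))
            continue
        for key, kind in (("sha256", "content"), ("mode", "attributes"),
                          ("mtime", "timestamp")):
            if cur[key] != base[key]:
                changes.append((path, kind))
    return changes


def demo():
    """Constructed bait set: one file gets a Frodo-style +100-year date stamp
    (content untouched), one has bytes appended, one is left alone."""
    d = Path(tempfile.mkdtemp())
    a, b, c = d / "BAIT.COM", d / "BAIT.EXE", d / "CHKDSK.EXE"
    for f in (a, b, c):
        f.write_bytes(b"MZ" + bytes(64))
    baseline = snapshot([a, b, c])
    st = a.stat()
    os.utime(a, (st.st_atime, st.st_mtime + 100 * SECONDS_PER_YEAR))
    b.write_bytes(b"MZ" + bytes(64) + b"X")
    return sorted(compare(baseline, snapshot([a, b, c])))
```

Renaming the script and the bait directory, as the post advises, applies here just as much as to the batch file.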

------------------------------

Date:    Mon, 05 Jul 93 13:57:19 -0400
From:    "Eng,Hans-Martin " <X19@urz-mail.urz.uni-heidelberg.de>
Subject: Re: f-prot updates (PC)

> From:    martin@par.univie.ac.at (Martin Paul)
>
> Hello,
>
> As I don't have the time to test and use more than one virus scanner, I
> decided (after reading this group) to use f-prot. I grabbed the newest
> (I think) version 208a. But now I have a problem. Every time I start
> f-prot or virstop I get the message that the program and the sign.def
> (?) file are old versions. They are dated May 15th, I believe.

??? I'm running f-prot 2.08a and I'm not getting any messages of the
kind  >> this program is rather old <<  check your sources

>
> How does f-prot decide if it is an old version ? Shall I just use the
> /OLD switch on the programs ? Is there an update to 208a yet ? Are the
> updates to the sign.def announced in comp.virus ?

just get the complete distribution (usually a ZIP-File) and UNZIP it

Gruss / Greetings    HME

------------------------------

Date:    Sun, 27 Jun 93 11:16:00 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Viruses that cost $$$ (PC)

Hi Malte!

I wrote:

 >> That's just an example. If I could afford to try, I would and
 >> tell you if it worked, but there are other ways to defect a
 >> drive. I can personally cause a WD IDE drive to cease working,
 >> and make him know nothing about who he is, what he is and what
 >> he is supposed to do.

Malte Eppert replied:

 > You mean lowlevel-formatting? OK, that's a fine design-bug of older IDE
 > drives. Or do you mean there is a method you can kill any modern,
 > correctly configured WD IDE drive with, just by software? Do you have
 > evidence? I'd try it for you on some IDE around - well, I accept if you
 > don't give me that program code, as you don't know me personally as a
 > virus etc. researcher... Maybe you know NEMESIS from Robert Hoerner, a
 > great security watchdog. Robert _is_ a well-known German anti-virus
 > researcher. I guess he'll test it for you. Or even Frisk or Vess may,
 > because - if successful - it would be a great sensation :-)

No, Malte, I do not mean Low-Level-Format. As you say, this is a design bug, 
so to speak.

Yes, I can kill modern WD IDE drives. No, you can't try, because I can't give
you sources or executables to do that, for obvious reasons. It makes no 
difference whether you are a good guy or a bad guy, just like it doesn't matter 
if you are an American or an Iraqi when you have an A-bomb ready to go.

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210            Fax:   +972-8-403295

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date:    Fri, 02 Jul 93 19:06:13 +0100
From:    marks@mentor.cc.purdue.edu (deb marks)
Subject: Need help for possible virus! (PC)

  Here is what we know for sure.

1.  Only on machines running DOS 6
2.  Normal execution of programs except for slow run-time...gets slower 
  every time a program is run.
3.  Filesize of program does not change.
4.  By dumping a file to debug we can compare uninfected against infected
  files and see that the first hundred bytes or so have been stripped.  Again,
  file execution isn't affected other than being slowed down and filesize 
  never alters. 
5.  We attempted to upload two files, one infected, one uninfected to a BBS.
  When they got there, they were identical, even though we have the hardcopy 
  proof that one had been altered.
6.  Nothing shows on any virus detection program we run...we have tried vsafe,
  viruscan 106, and virex 2.8.
7.  Only goes after .exe and .com files, however, no changes have been made to 
  .com files...only attempts...the .exe files have been changed.  

 
Is it possible for a file to be changed in such a way that if viewed through
any DOS command it won't show up, but when dumped straight without going 
through DOS, the changes are detected?  We have the printouts as proof.  This
may be why no virus scan program can find it...if indeed it's a virus.  We 
still aren't 100% sure, but we are looking for answers.  

If you have any ideas, comments, flames, insights or cures, please send me 
e-mail at marks@sage.cc.purdue.edu or falky@delphi.com.  Or call me at
  Computer Solutions, in Myrtle Beach, SC.  (803)449-4355.

        Deb

------------------------------

Date:    Fri, 02 Jul 93 21:36:18 -0400
From:    lapse@sizone.jaywon.pci.on.ca (memory lapse)
Subject: Re: CPAV updates? (PC)

> just for information : tremor does not try to infect files with NE-header (
> windows-files, OS/2-files and so on.).

What is the format of the NewEXE header?  I have never heard of or 
encountered one of these files before.  What is the difference between an 
EXE file with an MZ (ZM) header and a Windows or OS/2 EXE file with the 
NE header?  Speedier execution?

------------------------------

Date:    Wed, 30 Jun 93 19:16:50 -0400
From:    jaf@jaflrn.linet.org (Jon Freivald)
Subject: Scanv106 now available by e-mail (PC)

Today I downloaded the following files from the McAfee BBS:

        scanv106.zip
        clean106.zip
        wscan106.zip
        vshld106.zip
        oscan106.zip
        ocln106.zip

They are now available via my mail-server.  The DOS/Windows files are in
dos/virus and the two OS/2 files are in os2/virus.

To obtain them, send e-mail to mail-server@jaflrn.linet.org containing
the text (not subject!) as follows:

        get dos/virus/scanv106.zip
        get dos/virus/clean106.zip
        get dos/virus/wscan106.zip
        get dos/virus/vshld106.zip
        get os2/virus/oscan106.zip
        get os2/virus/ocln106.zip

The mail-server will uuencode and e-mail each file you request.

I did just upgrade the mail-server, so if you experience any problems
with it, please e-mail me at jaf@jaflrn.linet.org and let me know what's
up.

Jon

=============================================================================
		     Jon Freivald ( jaf@jaflrn.linet.org )
	   22A829/40 DA 9E 8E C0 A1 59 B2  46 3B 73 81 2B 7B 83 1F
		    PGP V2 public key available on request
	 Nothing is impossible for the man who doesn't have to do it.
=============================================================================

------------------------------

Date:    Fri, 02 Jul 93 14:36:44 -0400
From:    Robert_Slade@sfu.ca
Subject: Evaluating Scanners (CVP)

PRTAVSF.CVP   930625
 
                        Evaluating Scanners
 
Scanning software should be able to identify the largest possible
number of viri, and should be able to identify variations on the
more important sections of code (that is, it should be able to
"accept" the removal of text strings and other simple modifications
that "bush league hackers" might make.)  Note, however, the proviso
that it is more important to identify some viral programs than
others.  For ease and speed of updating, the "signatures" should be
stored in a separate file or there should be a means for the
addition of new viral signatures to the file.  For security, both
scanning software program and signature files should be renameable.
 
Areas scanned should include not only the identifiable program
files, but all files, if necessary.  (This has become much more
important recently with the advent of successful Windows viri
coincident with the new Windows "imbedding" function.)  Scanners
should have the ability to search the more common archiving formats
as well, particularly those that support "self extraction"
functions.  Disk boot sector and hard disk partition boot records
should be scanned, as well (in this day of stealth viri) as memory.
 
Scanners, as noted above, are the easiest of antiviral programs to
"rank".  It is much more difficult to determine the utility of those
types of programs which purport to protect against unknown and
"future" viral programs.  It is, indeed, impossible to judge these
programs against any "absolute" standard: they will be judged by
future events, and the future isn't here yet.
 
Many future viral programs will follow the patterns of those from
the past.  Most "new" viral programs are very simple modifications
of existing ones.  However, while it may be possible to foresee some
of the potential "loopholes" that viral programs might use, it is
impossible to know which ones actually will be used.  It would also
be excessively difficult to protect against all of the myriad
potential means of attack.
 
(When all the viral programs we had seen were either boot sector
infectors, or prepending, appending or overwriting file infectors,
"companion" and "system" viri came as quite a shock to most.  While
I have some nifty ideas for new "hiding places", I will undoubtedly
be surprised by the new ones that, in reality, get released "into
the wild".  Fortunately, many of the virus authors must also be
surprised at how poorly their "new creations" do, but this doesn't
make the assessment of "generic" antiviral software any easier.)
 
copyright Robert M. Slade, 1993   PRTAVSF.CVP   930625

==============
Vancouver      p1@arkham.wimsey.bc.ca   | You realize, of
Institute for  Robert_Slade@sfu.ca      | course, that these
Research into  rslade@cue.bc.ca         | new facts do not 
User           p1@CyberStore.ca         | coincide with my
Security       Canada V7K 2G6           | preconceived ideas

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 100]
******************************************
