To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #102
--------
VIRUS-L Digest   Friday, 16 Jul 1993    Volume 6 : Issue 102

Today's Topics:

Integrity Checking for Anti-Viral Purposes [and MSAV paper]
Virus Calendar
Info needed about gulf war virus - help!
Unix Scanners (UNIX)
Re: FORM virus (PC)
FORM Virus (PC)
Re: Arj-virus? (PC)
how to kill virus in boot sector ? (PC)
FORM Virus (PC)
Please help! (Removing Generic Boot Virus) (PC)
July 1993 LAT
Disinfection (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 09 Jul 93 12:15:46 -0400
From:    <RADAI@vms.huji.ac.il>
Subject: Integrity Checking for Anti-Viral Purposes [and MSAV paper]

  Two years ago I presented a paper (at the first Virus Bulletin
Conference) on checksumming techniques for anti-viral purposes, which
Vesselin has mentioned in this forum several times.  I intended to
make it available to anyone who's interested ... but only after I got
through revising it.  Well, it's now ready (33 pages long).

  To a large extent it's a tutorial ("everything you always wanted to
know about integrity checking but were afraid to ask"), but it also
defends a certain controversial position (CRC is as secure as a cryp-
tographic algorithm for anti-viral purposes if certain conditions are
satisfied).  The article is also a bit unusual in that some sections
are on a very practical level while others are theoretical.

  Mainly because of the mathematical symbols in some of the sections,
the article is not available as an ordinary text file.  In fact, it's
available only in PostScript form or as a uuencoded DVI file.  Let me
know which you prefer and I'll e-mail it to you.  (If you have absolu-
tely no way of printing such files, I could send a very abbreviated
version (containing about 1/4 of the content) as an ordinary text
file, but you'll be missing a lot.)

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

[Moderator's note: Yisrael also sent me a revised copy of his review
on the Microsoft Anti-Virus package.  That paper is available with the
rest of the product reviews on
cert.org:/pub/virus-l/docs/reviews/pc/radai.msav.  The IP number for
cert.org is 192.88.209.5.  Thanks for your work, Yisrael!]
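[Editor's added example.  The code below is not from Radai's paper, nor from anyone in this digest or any product it names; it is a small Python illustration of the point his paper argues over.  It assumes a reflected, table-driven CRC-32 with initial register 0xFFFFFFFF and final XOR 0xFFFFFFFF (the form zlib uses); the "secret" polynomial SECRET_POLY and the sample program bytes are arbitrary constructed values, and any polynomial with bit 31 set would do.]

```python
"""CRC as an anti-viral integrity check: forgeable when the polynomial is
public, much harder when it is private.  Added example, not Radai's code."""

STANDARD_POLY = 0xEDB88320   # the published CRC-32 polynomial (reflected form)
SECRET_POLY = 0xA833982B     # arbitrary private polynomial for the example; bit 31 set
MASK = 0xFFFFFFFF


def make_table(poly):
    """256-entry lookup table for a reflected CRC-32 over the given polynomial."""
    table = []
    for k in range(256):
        reg = k
        for _ in range(8):
            reg = (reg >> 1) ^ poly if reg & 1 else reg >> 1
        table.append(reg)
    return table


def crc_register(data, table, reg=MASK):
    """Run the CRC shift register over data; returns the raw register (no final XOR)."""
    for b in data:
        reg = table[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg


def crc32(data, poly=STANDARD_POLY):
    return crc_register(data, make_table(poly)) ^ MASK


def matches_zlib(data):
    """Self-check: with the standard polynomial this is exactly zlib.crc32."""
    import zlib
    return crc32(data) == (zlib.crc32(data) & MASK)


def forge_suffix(prefix, target_crc, poly):
    """Return 4 bytes s with crc32(prefix + s, poly) == target_crc.

    The CRC is GF(2)-linear: feeding 4 bytes P after register R yields
    Z(R) XOR L(P), where Z(R) is R advanced by four zero bytes and L(P) is P
    fed into a zero register.  L is invertible, so solve L(P) = target XOR Z(R)
    by peeling one table index per byte from the top (the top byte of every
    table entry is unique whenever bit 31 of the polynomial is set).
    """
    table = make_table(poly)
    by_top = {t >> 24: k for k, t in enumerate(table)}
    zero_advanced = crc_register(b"\x00" * 4, table, crc_register(prefix, table))
    d = (target_crc ^ MASK) ^ zero_advanced
    idx = [0] * 4
    for i in range(3, -1, -1):          # backwards: recover the four table indices
        k = by_top[d >> 24]
        idx[i] = k
        d = ((d ^ table[k]) << 8) & MASK
    out, reg = [], 0
    for k in idx:                       # forwards from a zero register: recover the bytes
        out.append(k ^ (reg & 0xFF))
        reg = table[k] ^ (reg >> 8)
    return bytes(out)


def attack_demo(attacker_poly, checker_poly):
    """Simulate an infector that patches a program in place (same length) and
    then fixes up the last four bytes so the checker's stored CRC still matches.
    Returns True when the integrity checker is fooled."""
    original = (b"MZ\x90\x00" + b"original program body, jmp start. ") * 4  # constructed
    stored = crc32(original, checker_poly)                # recorded while the file was clean
    patched = original[:8] + b"VIRUS!!!" + original[16:]  # in-place patch keeps the size
    forged = patched[:-4] + forge_suffix(patched[:-4], stored, attacker_poly)
    assert len(forged) == len(original)                   # a size check alone would not notice
    return crc32(forged, checker_poly) == stored
```

attack_demo(STANDARD_POLY, STANDARD_POLY) succeeds: with a published polynomial, four sacrificed bytes buy any CRC the attacker wants, and keeping the file length unchanged costs nothing.  attack_demo(STANDARD_POLY, SECRET_POLY) fails (barring a 2^-32 accident): the attacker's fix-up is computed against the wrong function.  This shows only one of the conditions Radai's paper lays out, and the weakest link of that one: a private polynomial is recoverable algebraically from a few known file/checksum pairs, so the checksum database has to be protected as carefully as the polynomial.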

------------------------------

Date:    Tue, 13 Jul 93 16:55:02 -0400
From:    axtlp@acad2.alaska.edu
Subject: Virus Calendar 

I'm looking either to find/purchase a calendar of virus attack dates
(i.e., when to watch out for them more so than normal) or to create one.
So if anyone knows of either an existing calendar or the dates a virus
will attack to go on a calendar, would you please email me.  Thank you
in advance.
					Tam Pikey
					axtlp@acad2.alaska.edu
					axtlp@alaska (for bitnet)
					axhelp@acad2.alaska.edu


------------------------------

Date:    Mon, 12 Jul 93 19:50:01 -0400
From:    henrya@UCS.ORST.EDU ( )
Subject: Info needed about gulf war virus - help!

I'm doing a presentation on computer viruses this Thursday (07/15/93)
and would like to include some information about a supposed computer
virus inserted into the Iraqi computer systems by the coalition
forces, or the U.S.  This virus (I've heard) blanked out Iraqi
computer screens (like a screen blanker), making it impossible to see
information printed thereon.  If ANYBODY has any info about this at
all (whether the virus was real, how effective, or even if this rumor
is true!) please e-mail me at: HENRYA@UCS.ORST.EDU!!

Any help is much appreciated!!  Thanks to all respondents in advance!!

- --
- ------------------------------------------------------------------------------
Had this been an actual emergency....
 =)
- ------------------------------------------------------------------------------

------------------------------

Date:    Thu, 15 Jul 93 05:45:39 -0400
From:    Martin@salig.demon.co.uk (Martin Overton)
Subject: Unix Scanners (UNIX)

A couple of questions regarding UNIX.

1. Are there any UNIX viruses in the wild?

I have heard rumours of 'research viruses' written for UNIX; if this is
true and the situation develops in a similar fashion to the DOS virus
arena, then sooner or later some of these 'research viruses' will be
found in the wild.

2. Are there any virus scanners available for UNIX?

Thanks in advance.

- --+
 Martin Overton                  |Compuserve: 100063,1161
 PC Technical Specialist         |Internet  : Martin@Salig.Demon.Co.Uk
 Tel: +44 (403) 231937           |"Beam me up,Sooty!"


------------------------------

Date:    Fri, 09 Jul 93 11:17:27 -0400
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: Re: FORM virus (PC)

> From:    Brian Seborg <seborg@csrc.ncsl.nist.gov>

> I replace the
> erased programs from originals or clean back-ups and I'm done.  I
> don't care if the virus is MtE, TPE, Phoenix or King Kong's
> Illegitimate Love Child, it's dead, gone, kaput!  No doubt, and no
> cleaning software.

Two points here that I'd like to illuminate:

   - You don't need cleaning software, you can just restore from
     originals.  I personally agree with this, and it's definitely
     what *I* would do if I got infected.  But large organizations
     would much prefer an automatic and reliable cleanup program over
     having Z different end users per month trying to figure out what
     needs to be replaced, and from where, on their systems.  I can
     understand that, I think!  *8)   The key is that the cleanup has
     to be reliable: it should either do the job right, or warn you
     that it couldn't and you need expert assistance.  (Also, things
     aren't always as easy as you make out; using FDISK /MBR on a
     Monkey-infected system creates something that would take even
     a guru a bit of work to fix.)

   - You don't need to know which virus you had.  Yes, you do!  Once
     you've replaced the changed files with originals, wouldn't
     you also like to be sure that (for instance) the virus hasn't
     while it was there riffled through all your text files, and
     inserted little "the boss is a jerk" notices here and there?
     I certainly would...

- - -- -
David M. Chess                    \      Nothing moves;
High Integrity Computing Lab      \         where would it go?
IBM Watson Research               \

------------------------------

Date:    Fri, 02 Jul 93 15:38:01 +0200
From:    Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: FORM Virus (PC)

* In a message originally to All, Yves Riedrich said:

 > From: riedrich@socrates.umd.edu (Yves Riedrich)

 > While using the McAfee virus scanner, I discovered the "form"
 > virus
 > in my boot sector.
 > I tried to clean this virus off the hard drive...and got
 > the message "Virus can not be safely removed from boot
 > sector"

 The Form virus is a nasty virus indeed...

 > If this has happened to you before or if you have any ideas
 > how to remove this from my hard drive...please send me e-mail

  McAfee has a special program for boot viruses!  If you look in the
Virlist.txt you can find M-Disk listed beside some viruses.  I think you
need that program to remove the Form virus safely.  I'm not sure, but I
think there's some documentation with M-Disk that will tell you more...


 > Thanks in advance

  With pleasure, and good luck


Yves Riedrich

Greetings,

Rinse Balk

P.S. Let me know how you're doing...

bye bye


- --- FMail 0.92
 * Origin: All Or Nothing BBS -= Za & Zo 10:00-18:00 =- +31-5126-2412 (9:316/7)

------------------------------

Date:    Sat, 10 Jul 93 08:49:48 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: Arj-virus? (PC)

>Hi! I use Arj version 2.41 (the best). Well, I have a memory-resident
>program that says if files are being changed. Every time I access .exe
>files that belong to Arj the program warns me that the file has
>changed.  Has this happened to you? Will you test the problem?

I'm using ARJ 2.41 with no difficulty. I use three anti-viral systems.
 
F-Prot
Integrity Master
my routine that detects file infectors

All three routines report that my system is all clean.

If you have a virus, you got the virus somewhere else, or you have a copy
of ARJ 2.41 that has been tampered with.

Bill



------------------------------

Date:    Sat, 10 Jul 93 11:14:38 -0400
From:    Dong LI <U53077@uicvm.uic.edu>
Subject: how to kill virus in boot sector ? (PC)

Dear netters,

I have an IBM compatible PC with DOS 6 and Windows 3.1.
My scanning-only anti-virus software recently found a virus named Michelangelo
in the boot sector on my hard drive D. I tried to use other antivirus
software to kill it but failed, because it cannot even find the virus
in the boot sector!

Could someone tell me where to get software to kill the above virus in the boot sector?

Thank you in advance.

Dong LI
*************************************************************************
With malice toward none, with charity for all..........  Abraham Lincoln
- -------------------------------------------------------------------------
        Dong Li   Telephone: (312) 996-0509(Lab)   (312) 413-1308(Off)
                  Fax:       (312) 413-2435
     Internet: u53077@uicvm.uic.edu     Bitnet: u53077@uicvm.bitnet
Dept. Biological Sciences, Univ. Illinois at Chicago, Chicago, IL 60607
*************************************************************************

------------------------------

Date:    Fri, 09 Jul 93 07:42:00 +0200
From:    Christian_Koelliker@f403.n412.z9.virnet.bad.se (Christian Koelliker)
Subject: FORM Virus (PC)

 >   McAfee has a special program for boot viruses!  If you look in the
 > Virlist.txt you can find M-Disk listed beside some viruses.  I think
 > you need that program to remove the Form virus safely.  I'm not sure,
 > but I think there's some documentation with M-Disk that will tell you more...

There is a much easier way to remove a FORM virus from your HD, and it can be
done (surprise) by naked DOS.
All you need is a clean boot floppy with the SYS command on it.  Boot up your
computer from this floppy and run the SYS command, and you will see that the
FORM virus has disappeared from the HD.


Cheers

       Christian

- ---
 * Origin: HighWater Datamanager Langenthal (Switzerland) (9:412/403)

------------------------------

Date:    Fri, 16 Jul 93 02:41:26 -0400
From:    sbuffler@cs.uct.ac.za (Simon Buffler)
Subject: Please help! (Removing Generic Boot Virus) (PC)

Hi there

A friend's computer was recently infected by the Generic Boot Virus.
I gave him a copy of Clean106 which is supposed to remove [Genb].
When booting from a clean system disk and running Clean (from floppy)
on his hard drive, he receives a "No viruses detected" message.
However, [Genb] IS still sitting on his hard-drive, as when he
reboots, the virus is loaded into memory ...and Clean picks up a
"critical virus" when scanning RAM.

Any ideas or suggestions?           

Thanks

Simon 


------------------------------

Date:    Thu, 15 Jul 93 15:48:07 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: July 1993 LAT

Here is the July LAT. I hope that it is of use to someone. There are now
three tests instead of one. 

Bill
- --------------------------------------------------------------------------
                                  LAT 9307

 +-------------------------+----------+---------+-----------+-----+
 | SCANNER                 |  COMMON  |  POLY-  |    ZOO    |FLAGS|
 |                         |          | MORPHIC |           |     |
 |                         |          |         |           |     |
 |                         |32        |56       |1335   1303|     |
 +-------------------------+----------+---------+-----------+-----+
 | F-Prot 2.08a            |31   96.9%|55  98.2%|1332  99.8%| S   |
 | Virus Alert 2.08a       |31   96.9%|55  98.2%|1332  99.8%| C   |
 | Integrity Master-151b   |30   93.8%|54  96.4%|1310  98.1%| GS  |
 |                         |          |         |           |     |
 | TBAV 603                |32   100% |55  98.2%|1307  97.9%| GS  |
 | Scan 106                |31   96.9%|52  92.9%|1275  95.5%| S   |
 | Dr Sol A-V toolkit 6.18 |30   93.8%|29  51.8%|1243  93.1%| C   |
 |                         |          |         |           |     |
 | VIRx 2.9                |30   93.8%|34  60.1%|1231  92.2%| S   |
 | UT Scan 25.1 June 1993  |25   78.1%|33  58.9%|1075  82.5%| CDG |
 | CPAV SW 04/93 signature |26   81.3%|26  46.4%|1079  80.1%| C   |
 |                         |          |         |           |     |
 | NAV 2.1 June 1993       |25   78.1%|24  42.9%|1026  76.9%| C   |
 | HT Scan 1.20 VSIG 9305  |28   87.5%|34  60.1%|1016  76.1%| S   |
 | MSAV w/DOS 6.0          |24   75.0%|17  30.4%| 975  74.8%| D   |
 +-------------------------+----------+---------+-----------+-----+

      C- Commercial software

      D- This product does not scan for boot sector viruses inside
         droppers. This is why scanners that detect droppers were tested
         against 1335 viruses. Scanners that fail to detect droppers were
         tested against 1303 viruses. I tried to be fair.

      G- Generic Virus detector. The other utilities with this product may
         detect viruses that this scanner misses, so don't judge this
         product too harshly because the scanner isn't as effective as you
         would like.

      S- Shareware or freeware product.

      F-Prot 2.09 should be released soon.  This is why I tested the old
      2.08a release.

      Virus Alert appears to use the F-Prot 2.08a engine from Frisk
      Software International.

      I will be adding more specimens to the Common virus test in August.
      I ran out of time.
 
========================================================================
      I have tested the following generic products, and
      recommend them.

                                                      FLAGS
                                                     +------+
      F-Prot Professional (Command Software Systems) | IV   |
      Integrity Master (Stiller Research)            |*ISV  |
      PC-cillin (Trend Micro Devices)                | ASV  |
      PC-Rx (Trend Micro Devices)                    | ASV  |
      TBAV (Thunderbyte)                             |*ISV  |
      Untouchable (Fifth Generation Systems)         | ISV  |
      Victor Charlie (Bangkok Security Associates)   |*BEISV|
                                                     +------+
             *-Shareware product
             A-Activity Monitor
             B-Uses Bait files that try to get infected by unknown viruses
             E-extract the signatures for unknown viruses
             I-uses integrity checking
             S-Stores System areas. Boot sector, and Partition table
             V-comes with a Virus scanner.

      I placed the generic virus detectors in alphabetical order. I do not
      recommend one product over another. All of them work differently and
      may not fit the way you use a computer, so request information on
      several before you decide.
 
========================================================================
      I would like to thank most of these companies for providing me with
      evaluation copies of their software to test.

      If your company produces anti-viral software, and would like for me
      to test it in LAT, contact me at either of the addresses below.
 
========================================================================
      These tests were performed on a 33 MHz 486

                        Bill Lambdin
                        102 Jones Lane
                        P.O. Box 577
                        East Bernstadt, Ky. 40729

                 Internet address> 73044.2573@compuserve.com
                    Compuserve ID> 73044,2573



------------------------------

Date:    Fri, 09 Jul 93 15:01:18 -0400
From:    "Rob Slade" <roberts@decus.ca>
Subject: Disinfection (CVP)

PRTAVSG.CVP   930625
 
                           Disinfection
 
A strong, albeit non-technical, reason why scanners are so popular
is the specific identification of the particular virus responsible
for an infection.  Rather than telling you merely that something is
amiss, a scanner gives you a name.  More than that, scanner authors,
given the necessity to know the specifics of a virus in order to
identify it, had an advantage in finding out how a virus infected a
file, and therefore how it could be removed.  Scanning software was,
therefore, the first to offer "disinfection" of viral infections,
either as a feature or in an adjunct program.
 
This would seem to be, and likely is, another reason to prefer
"scanning" antiviral software.  However, beware.  Disinfection is by
no means the optimum way to deal with viral infections.  The best
solution is to delete (and, preferably, overwrite) the affected file
or area, and restore programs from original sources.  "Boot sector
infectors" affect a whole disk, and therefore present greater
problems, but in most cases material can be recovered from infected
disks, and the disks themselves "cleansed" in various ways.  There
comes a point at which the trade-off between security and
convenience tips the scales in favour of disinfection, but be aware
of the dangers.
 
In many cases, disinfection is simply not possible.  An overwriting
virus, for example, will not keep any track of the material it
destroys when it dumps itself into a file.  Many viri contain bugs
which prevent the recovery of the original file.  Also, sadly,
disinfection software has been known to contain bugs which left the
situation worse after the attempted "cleanup" than after the
infection.
 
Generally speaking, disinfecting software will contain a
"description" of the specific viral operation of a given viral
program, so that the infection process can be reversed.  However,
virus removal is no longer the exclusive province of scanning
software.  Two types of "generic" disinfection now exist.  Some
change detection programs now store sufficient information about the
file to make an attempt to restore it if the damage is not too
severe or complicated.  Also, "heuristic" scanning is being used to
"trace and remove" viral infections.  So far testing has revealed
serious drawbacks to both of these applications, but the technology
is still in its infancy, and shows promise for the future.
 
copyright Robert M. Slade, 1993   PRTAVSG.CVP   930625
 
============= 
Vancouver      ROBERTS@decus.ca         | "Kill all: God will know his own."
Institute for  Robert_Slade@sfu.ca      |       - originally spoken by Papal
Research into  rslade@cue.bc.ca         |         Legate Bishop Arnald-Amalric
User           p1@CyberStore.ca         |         of Citeaux, at the siege of
Security       Canada V7K 2G6           |         Beziers, 1209 AD
============= for back issues:
Contacts list: cert.org, /pub/virus-l/docs/reviews
Reviews: cert.org, /pub/virus-l/docs/reviews/pc
Column: cert.org, /pub/virus-l/docs/slade.cvp.articles
           For those without ftp, see Jim Wright's posting, or use Cyberstore. 
           Also FREQ from 1:153/733 The Cage 604-261-2347.
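[Editor's added example.  The column above describes change-detection programs that "store sufficient information about the file to make an attempt to restore it".  The Python below is my own illustration of that idea, not Rob Slade's code and not any product's.  It assumes the checker records, for each clean file, its size, its first HEADER_LEN bytes and a SHA-256 of the whole file; the two "infectors" are constructed models (one appending, one overwriting) and the sample program bytes are made up, not a real executable.]

```python
"""Generic disinfection from stored file information.  Added example; the
data and the simulated infectors are constructed for illustration."""
import hashlib

HEADER_LEN = 32          # bytes of the clean file the checker keeps a copy of

# Constructed stand-in for a program file; not a real executable.
SAMPLE_PROGRAM = b"MZ\x90\x00" + bytes(range(256)) + b"END OF PROGRAM"


def record(data):
    """What the change detector stores for a clean file."""
    return {
        "size": len(data),
        "head": data[:HEADER_LEN],
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_modified(data, rec):
    return hashlib.sha256(data).hexdigest() != rec["sha256"]


def simulated_appending_infector(data):
    """Model of an appending file infector: the entry bytes are replaced by a
    jump to a body appended at the end, which keeps the overwritten bytes so
    the host can still be run afterwards (the jump target is illustrative)."""
    jump = b"\xe9" + len(data).to_bytes(4, "little") + b"\x90\x90\x90"   # 8-byte stub
    return jump + data[8:] + b"<VIRUS BODY>" + data[:8]


def simulated_overwriting_infector(data):
    """Model of an overwriting infector: it dumps itself over the start of the
    host and keeps no copy of what it destroyed."""
    body = b"<OVERWRITING VIRUS>" * 4          # 76 bytes, more than HEADER_LEN
    return body + data[len(body):]


def generic_restore(data, rec):
    """Try to rebuild the clean file from the recorded header and size.

    Returns (result, ok).  The rebuilt candidate is returned only when it
    hashes to the recorded value; otherwise the input comes back untouched,
    so a failed attempt never leaves the file worse than the infection did."""
    if len(data) < rec["size"]:
        return data, False                     # truncated: nothing left to rebuild from
    candidate = rec["head"] + data[HEADER_LEN:rec["size"]]
    ok = hashlib.sha256(candidate).hexdigest() == rec["sha256"]
    return (candidate if ok else data), ok


def demo():
    """Run both simulated infections through the checker."""
    rec = record(SAMPLE_PROGRAM)
    appended = simulated_appending_infector(SAMPLE_PROGRAM)
    overwritten = simulated_overwriting_infector(SAMPLE_PROGRAM)
    return {
        "appending_detected": is_modified(appended, rec),
        "appending_restored": generic_restore(appended, rec)[1],
        "overwriting_restored": generic_restore(overwritten, rec)[1],
    }
```

The appending case restores cleanly without the checker knowing anything about the particular virus, which is the generic disinfection the column describes.  The overwriting case fails, as the column says it must, and the point of the hash comparison is the column's other warning: the program refuses to write back a guess it cannot verify, so it cannot add to the damage.  A real tool would also keep the stored records somewhere the virus cannot reach and would treat a hash mismatch after restoration as "replace from originals", not as something to retry.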

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 102]
******************************************
