To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #103
--------
VIRUS-L Digest   Monday, 19 Jul 1993    Volume 6 : Issue 103

Today's Topics:

WARNING: Stoned/Dir-2 infection in Israel (PC)
Re: Virus Calendar
Info needed about gulf war virus - help!
_Wired_ and the Dark Avenger
Are a-v products "boot-manager"-aware? (PC - OS/2,UNIX)
Re: Unix Scanners (UNIX)
Re: Unix Scanners (UNIX)
re: how to kill virus in boot sector ? (PC)
Joshi Virus (PC)
MTE virus was not recognized by scan106. (PC)
NAV virus definition file wanted (PC)
Other viral vectors (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Sat, 17 Jul 93 15:09:58 -0400
From:    hjstein@sunrise.huji.ac.il (Harvey J. Stein)
Subject: WARNING: Stoned/Dir-2 infection in Israel (PC)

                   ***  W A R N I N G !!!  ***

The Co-op Supermarket of Israel has been distributing a virus infected
computer game called ZOOM.  DO NOT USE THIS DISK!!!  It is infected
with both the STONED virus and the DIR-2 virus.  The STONED virus
causes infected computers to periodically display the message "This
computer is stoned", and then to crash, thus causing the loss of
unsaved data.  The DIR 2 virus corrupts programs.

The game is being distributed as a promotional give-away with each
purchase of Scott Tissue toilet paper.  My wife was given the diskette
last Wednesday at the Co-op Supermarket on Shai Agnon.  According to
McAfee Associates' VIRUSCAN program (Version 9.17V106), the boot
sector of the ZOOM program diskette is infected with the STONED virus,
and two of the executable files (bug.exe and scottex.exe) are infected
with the DIR 2 virus.

Please alert all acquaintances as to the dangers of this diskette.
This is an *extremely* dangerous situation since the program is being
distributed on such a large scale.  If only the Shai Agnon Co-op is
distributing this diskette then this is a bad situation.  It is many
times worse if *all* co-ops in Israel are distributing this diskette.

I apologize for taking so long to notify people about this
problem, but I didn't determine that the disk was infected until
moments before Shabbat on Friday, and thus wasn't able to post a
report.

Harvey Stein
Department of Mathematics
Hebrew University
hjstein@math.huji.ac.il

------------------------------

Date:    Fri, 16 Jul 93 18:14:49 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: Virus Calendar 

From:    axtlp@acad2.alaska.edu

> I'm looking either to find/purchase a calendar of viruses attack dates
> (ie: when to watch out for them more so than normal) or to create one.
> So if anyone knows of either an existing calendar or the dates a virus

I have seen several calendars for virus attack dates. Info Security News
(a bi-monthly magazine) published a virus attack calendar for the upcoming
two months; it is the most complete calendar that I have found.

Contact them at the address below.

Info Security News
P.O. Box 101
Winchester, MA 01890-0101

Hope this helps

Bill

------------------------------

Date:    Sun, 18 Jul 93 16:26:32 -0400
From:    amn@ubik.demon.co.uk (Anthony Naggs)
Subject: Info needed about gulf war virus - help!

henrya@UCS.ORST.EDU writes:

> I'm doing a presentation on computer viruses this thursday (07/15/93)

Sorry this is a little late.

> and would like to include some information about a supposed computer
> virus inserted into the Iraqi computer systems by the coalition
> forces, or the U.S.  This virus (I've heard) blanked out iraqi
> computer screens (like a screen blanker) making it impossible to see
> information printed thereon.  ...

This is another example of the US military disinformation (propaganda)
campaign, that inevitably accompanies military actions.  The story is
unsubstantiated and extremely unlikely.

Other examples from the Gulf war:
*   That the Patriot missiles were effective.  This was supported by
    tv footage of the missiles being launched, followed by aerial
    explosions.  I think it was a US Congress committee that investigated,
    and disclosed that the film showed the Iraqi Scud missiles correctly
    detonating above the ground - in order to spread their blast over a
    wide area.
*   The tv footage of sea birds on the gulf covered in oil.  The huge
    number of oil tankers in the area caused a number of small oil slicks.
    During the period of the war there was far less oil found on the beaches
    and less affected wildlife reported, than in the corresponding period
    of preceding years.


There are a number of reasons why disinformation is used:
*   first impressions count; whether you are winning or losing it is
    vitally important to maintain the morale of politicians and the public.
*   journalists (and the public) are interested to know what is going on,
    and it is easier to provide 'information' than cope with journalists
    trying to investigate the real facts.
*   'the enemy' certainly monitors public broadcasts, and it is vital not
    to disclose too much of the real strategy that is being planned.
    Disinformation works in two ways: to mislead the enemy, and distract
    his attention from strategic information that becomes publicly known.

Hope this is of interest,
Anthony Naggs                 Email:                  Paper mail:
 Software/Electronics Engineer amn@ubik.demon.co.uk    P O Box 1080, Peacehaven
 & Computer Virus Researcher   [or xa329@city.ac.uk]   East Sussex  BN10 8PZ
 Phone: +44 273 589701                                 Great Britain

------------------------------

Date:    Sat, 17 Jul 93 23:44:39 +0000
From:    atman@rahul.net (Visceral Clamping Mechanism)
Subject: _Wired_ and the Dark Avenger

_Wired_ magazine wants me to do an interview, preferably face-to-face
with the Dark Avenger.  I have been unable to contact him despite quite
a bit of effort on my part.  If anyone knows of an address for him on
any network or a board that he frequents, could you please get in 
touch with me?

Thanks,

Shaun.

Oh, this interview will not be a techno-thriller, hysteria-inducer, or
a glorification of intrusion or computer abuse.  It will be a look
at the social structure of the underground and an exploration of the
technical possibilities and limitations of viruses and worms under
various conditions, including government-sponsored research.

And no, I'm not interested in trading viruses or source code, so 
please don't ask.
- -- 
atman@rahul.net  ||  "Burn hollywood burn!"  ||  Finger for pgp public key

"I hanker for a hunk of cheese."

------------------------------

Date:    Sun, 18 Jul 93 22:20:40 -0000
From:    phys169@cantva.canterbury.ac.nz
Subject: Are a-v products "boot-manager"-aware? (PC - OS/2,UNIX)

With the increased use of "dual boot"-type menus on PCs, is it
possible that virus removal programs will have difficulty? The
conventional PC's hard disk goes through two "boot" sectors - the MBR,
then the DOS boot sector. With a boot manager, there are at least 3
boot sectors - perhaps disinfectors have difficulty going to the third
level? (I don't want to use my system as a guinea pig to find out!).
Also, the OS/2 boot manager changes the partition types of the boot
sectors to some high number when they aren't being used, and DRDOS's
security option also changes the partition type - perhaps some
programs will think they are partitions not worth scanning, let alone
attempt to disinfect?

Would a-v authors care to comment?

Mark Aitchison

------------------------------

Date:    Sun, 18 Jul 93 13:58:24 -0000
From:    gw@startech.demon.co.uk (Greg Watson)
Subject: Re: Unix Scanners (UNIX)

Martin@salig.demon.co.uk writes:

>A couple of questions regarding UNIX.
>
>1. Are there any UNIX viruses in the wild?
>
>I have heard rumours of 'research viruses' written for UNIX, if this is
>true and the situation develops in a similar fashion to the DOS virus
>arena then sooner or later some of these 'research viruses' will be
>found in the wild.
>
>2. Are there any virus scanners available for UNIX?

I understand that there are UNIX-specific viruses such as the AT&T
attack virus, but details are kept scarce in order to avoid
encouraging people. I must admit I am surprised (but very relieved) at
the lack of UNIX-specific viruses around. I suppose eventually we'll
suffer just as badly as DOS users. :-(

Intel-based UNIX platforms are vulnerable to ordinary DOS boot-sector
viruses, however, and UNIX systems which are used as DOS file servers
can store executable-based viruses just as well as a normal DOS disk.

Normal DOS virus scanners will take care of the latter.  To deal with
the former, STAR Technologies have just released a boot sector virus
checker for SCO XENIX, UNIX, ODT and the Open Desktop/ Server
releases. This will check the boot sector for infection and allow it
to be recreated if a virus is found.

For further details about STAR's virus checker feel free to contact
us.  U.S. enquiries should be addressed to Leigh Hughes
(leigh@startech.com).
- --
+------------------------------------+----------------------------------+
| Greg Watson                        |    Star Technologies (UK) Ltd    |
|                                    |   Passfield Enterprise Centre    |
| Internet : gw@startech.demon.co.uk |            Liphook               |
| Voice    : 0428 751091             |             Hants                |
| Fax      : 0428 751117             |           GU30 7SB               |
+------------------------------------+----------------------------------+

------------------------------

Date:    Mon, 19 Jul 93 06:09:20 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Unix Scanners (UNIX)

Martin@salig.demon.co.uk (Martin Overton) writes:

>1. Are there any UNIX viruses in the wild?

Define "In the wild".....

Source code to various UNIX viruses is indeed floating around...I have two or
three different ones somewhere, so they exist, but "in the wild" ... well,
very isolated instances, but almost always just on a single machine.

>2. Are there any virus scanners available for UNIX?

There are several, but many of them only scan Unix File servers for PC 
viruses.  Those that attempt to scan for UNIX viruses are much better at
finding "suspicious things" in general, than in finding the above "research"
viruses ... in fact, they may totally miss them.

- -frisk

------------------------------

Date:    Fri, 16 Jul 93 09:47:30 -0400
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: re: how to kill virus in boot sector ? (PC)

>From:    Dong LI <U53077@uicvm.uic.edu>
>
>My scanning-only anti-virus software found recently a virus named Michelangelo
>in the boot sector on my hard drive D.

Hm, that's unusual!  Michelangelo is a Master Boot Sector infector; that
means it infects the very first sector of the physical hard disk.  Also,
it will only infect the first physical hard disk in the system, and
most anti-virus programs report that either as drive "80" or "C:".
Is your D: drive on a second physical hard disk?  If so, is it
possible that that hard disk was once the first physical hard disk
in some system?   It could have gotten infected at that point.

A virus in the MBR of the second physical hard disk isn't an
immediate danger, because that code isn't ever executed.  But
if such a hard disk is later used as the first disk, it will
boot with the virus.  IBM AntiVirus can find and clean up viruses
on the second physical hard disk, and other unlikely places;
you might want to give it a try...

- - -- -
David M. Chess                   \
High Integrity Computing Lab     \    The devil finds work for idle MIPS.
IBM Watson Research              \
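
As an added illustration (not code from any poster or product in this digest) of the point made here and in the boot-manager question earlier in the issue: an MBR can be checked by integrity against a copy saved while the disk was known clean, every partition entry can be listed regardless of its type byte (Boot Manager's "hidden" types included), and the same check is valid on a second physical disk whose MBR is never executed. The disk image, the stand-in boot-code bytes and the names parse_mbr/check_mbr/build_mbr are constructed for this example; the partition type values are the standard ones.

```python
import struct

# Partition type bytes: real, widely documented values.  OS/2 Boot Manager
# hides partitions it is not booting by setting bit 0x10 in the type byte.
PART_TYPES = {0x01: "FAT12", 0x04: "FAT16 <32M", 0x05: "extended", 0x06: "FAT16",
              0x07: "HPFS/NTFS", 0x0A: "OS/2 Boot Manager", 0x63: "UNIX SysV", 0x83: "Linux"}

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, partition entries and the 0x55AA signature."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for slot in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * slot)
        if ptype == 0:                       # empty slot
            continue
        hidden = 0x11 <= ptype <= 0x1F       # Boot Manager "hidden" form of types 0x01..0x0F
        base = ptype - 0x10 if hidden else ptype
        name = ("hidden " if hidden else "") + PART_TYPES.get(base, "unknown")
        parts.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                      "name": name, "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == b"\x55\xAA", "partitions": parts}

def check_mbr(sector: bytes, trusted: bytes) -> list:
    """Integrity check rather than signature scan: compare the boot code with a copy saved
    while the disk was known clean, and flag entries a type-driven scanner might skip."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("0x55AA boot signature missing")
    if sector[:446] != trusted[:446]:
        findings.append("boot code differs from trusted copy")
    for p in mbr["partitions"]:
        if p["name"].startswith(("hidden", "unknown")):
            findings.append(f"slot {p['slot']}: type 0x{p['type']:02X} {p['name']}, scan it anyway")
    return findings

def build_mbr(boot_code: bytes, table) -> bytes:
    """Assemble a constructed MBR for the demo; table is [(bootable, type, lba, sectors)]."""
    sector = bytearray(512)
    sector[:446] = boot_code.ljust(446, b"\x00")
    for slot, (boot, ptype, lba, count) in enumerate(table):
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * slot, 0x80 if boot else 0, ptype, lba, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)

# Constructed sample: a Boot Manager disk with one FAT16 and one hidden HPFS partition.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0"        # stand-in bytes, not real boot code
TABLE = [(True, 0x0A, 63, 2048), (False, 0x06, 2111, 100000), (False, 0x17, 102111, 100000)]
CLEAN_MBR = build_mbr(CLEAN_CODE, TABLE)
# Constructed "infected" copy: boot code patched, partition table left intact, which is why
# such a disk still boots and why the MBR of a second physical disk can carry it unnoticed.
DIRTY_MBR = build_mbr(b"\xEB\x1C" + CLEAN_CODE[2:], TABLE)
```

Running check_mbr(DIRTY_MBR, CLEAN_MBR) reports the changed boot code and the hidden partition; the same call against a second disk's first sector needs no knowledge of which disk the BIOS boots from.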

------------------------------

Date:    Fri, 16 Jul 93 10:36:57 -0400
From:    bayomi@bldghsc.lan1.umanitoba.ca (Dennis Bayomi)
Subject: Joshi Virus (PC)

Hello everyone - we've recently discovered a virus called "Joshi" on a 286 
clone running MS-DOS 5.  It seems to be a classic case of a youngster 
bringing home a game disk and inadvertently infecting his parent's computer.

We've tried F-Prot 2.08A and it doesn't disinfect the virus.  It did detect 
and even claimed to disinfect but after rebooting and rescanning the virus 
was still there.

Has anyone got any experience with this virus?

Thanks,
  Dennis

Dennis Bayomi                          (204) 789-3725
Computer Department               FAX: (204) 789-3489
Faculty of Medicine            e-mail: dbayomi@ccm.umanitoba.ca
University of Manitoba             or: bayomi@bldghsc.lan1.umanitoba.ca
753 McDermot Avenue
Winnipeg, Manitoba  CANADA  R3E 0W3

------------------------------

Date:    Fri, 16 Jul 93 12:39:30 -0400
From:    yuri@atmos.washington.edu
Subject: MTE virus was not recognized by scan106. (PC)

	I got the MTE virus in my files.
scan106/clean106 did not find it, but another program, NOVI, did.
It did not damage my HD, but my friend lost about 20 MB with its
help.
	I would appreciate any pointers/info how to kill it.

	Yuri Yulaev

INTERNET: yuri@atmos.washington.edu
UUCP:	  uw-beaver!atmos.washington.edu!yuri

------------------------------

Date:    Sun, 18 Jul 93 22:53:31 -0400
From:    bdj@uafhp.uark.edu (Bryan D. Jones)
Subject: NAV virus definition file wanted (PC)

Anyone know where on the internet one can ftp the latest nav*.def
file?  The last one I have is from March.  BTW I'm using NAV 2.10.

------------------------------

Date:    Fri, 16 Jul 93 12:35:06 -0400
From:    "Rob Slade" <roberts@decus.ca>
Subject: Other viral vectors (CVP)

FUNGENB.CVP   930713
 
                           Other vectors
 
Although the majority of current viral programs spread via disk boot
sectors or the infection of programs, it is possible to use other
means for replication and spread.  The important factor is the
ability of a system unit to submit information which is then "run"
as a program.  It is, therefore, possible for terminals, peripherals
and network devices to operate as viral vectors.
 
This sounds very much like the "Iraqi/Desert Storm/printer" and
"modem carrier" viral myths which we have already covered.  And,
indeed, these rumours used very plausible scenarios, as long as they
were not closely examined.  As previously stated, it *is*, in fact,
possible for a printer subsystem, in a network situation, to
"submit" information to other components in the network.  Depending
upon the network, configuration and levels of "privilege" allowed,
printer subsystems can even submit programs to other computers. 
However, in order for this vector to become a major threat, network
printing will have to become much more standardized than is
currently the case.
 
In order to function as a viral vector, a peripheral needs three
features (or components).  First, the "user" computers must be able
to submit information or programs to the peripheral.  Secondly, the
peripheral must be capable of a certain minimum amount of memory or
storage, and must be able to perform certain levels of automated
processing.  Finally, the peripheral must be able to communicate
with other "user" computers, and the information communicated must
be accepted by those computers as programming with access to at
least a minimum level of resources.  However, once those conditions
are met, any peripheral, be it printer, modem, disk pack, terminal
or otherwise, can act as a means of replication and spread.
 
As one example, in March of 1988 a thread began in the RISKS-FORUM
Digest detailing problems with terminals that have programmable
function keys.  The specific examples given deal with pranks and
trojans, but the concepts and functions could easily be used to
generate, for example, mail viri.
 
However, this example again points out a major weakness in the use
of peripherals as viral vectors.  Peripheral command sets,
particularly those dealing with the more powerful functions, tend to
be very hardware specific.  In the "programmable function keys"
thread mentioned above, one example given used Teleray terminals
while another referred to Wyse terminals.  The commands are not
interchangeable, although the functions are almost identical.  This
is fortunate in the current "incoherent" computing environment. 
However, as "open systems" initiatives gain strength many new viral
vectors may become possible.
 
copyright Robert M. Slade, 1993   FUNGENB.CVP   930713

==============
Vancouver      ROBERTS@decus.ca         | Omne ignotum pro magnifico.
Institute for  Robert_Slade@sfu.ca      |  - Anything little known
Research into  rslade@cue.bc.ca         |    is assumed to be
User           p1@CyberStore.ca         |    wonderful.
Security       Canada V7K 2G6           |               - Tacitus


------------------------------

End of VIRUS-L Digest [Volume 6 Issue 103]
******************************************
