To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #104
--------
VIRUS-L Digest   Tuesday, 20 Jul 1993    Volume 6 : Issue 104

Today's Topics:

Re: _Wired_ and the Dark Avenger
Re: _Wired_ and the Dark Avenger
Gulf War Virus
Re: _Wired_ and the Dark Avenger
Viruses that cost $$$
Unix Viruses (UNIX)
Re: Unix Scanners (UNIX)
re: Are a-v products "boot-manager"-aware? (PC - OS/2,UNIX)
Re: Please help! (Removing Generic Boot Virus) (PC)
Re: WARNING: Stoned/Dir-2 infection in Israel (PC)
Re: MTE virus was not recognized by scan106. (PC)
Re: MTE virus was not recognized by scan106. (PC)
Genp in partition table - what to do? (PC)
Re: Joshi Virus (PC)
First HD always C: (was: re: how to kill...) (PC)
Re: Joshi Virus (PC)
Re: FORM Virus (PC)
Re: how to kill virus in boot sector ? (PC)
Re: Please help! (Removing Generic Boot Virus) (PC)
FP-209.ZIP - F-PROT 2.09 virus scanner/disinfector (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 19 Jul 93 08:11:46 -0400
From:    Garry J Scobie Ext 3360 <GSCOBIE@ml0.ucs.edinburgh.ac.uk>
Subject: Re: _Wired_ and the Dark Avenger

> From:    atman@rahul.net (Visceral Clamping Mechanism)
> 
> _Wired_ magazine wants me to do an interview, preferably face-to-face
> with the Dark Avenger.  I have been unable to contact him despite quite
> a bit of effort on my part.  If anyone knows of an address for him on
> any network or a board that he frequents, could you please get in
> touch with me?

Sara Gordon has published a series of interviews with someone using
the name of Dark Avenger in the January, February and March issues of
Virus News International this year. Maybe you'll want to check this
out first.

Cheers 

Garry Scobie
LAN Support Officer
Edinburgh University Computing Services
Scotland e-mail: g.j.scobie@ed.ac.uk

------------------------------

Date:    Mon, 19 Jul 93 09:30:25 -0400
From:    Anthony Naggs <amn@ubik.demon.co.uk>
Subject: Re: _Wired_ and the Dark Avenger

Visceral Clamping Mechanism, <atman@rahul.net>, writes:
>
> _Wired_ magazine wants me to do an interview, preferably face-to-face
> with the Dark Avenger.  I have been unable to contact him despite quite
> a bit of effort on my part.  If anyone knows of an address for him on
> any network or a board that he frequents, could you please get in
> touch with me?

I believe he reads virus-l/comp.virus, either on the Internet or the
relay provided by the Virnet bulletin boards.  If he is interested in
the interview, I expect he will tell you.

Regards,
Anthony Naggs                 Email:                  Paper mail:
 Software/Electronics Engineer amn@ubik.demon.co.uk    P O Box 1080, Peacehaven
 & Computer Virus Researcher   [or xa329@city.ac.uk]   East Sussex  BN10 8PZ
 Phone: +44 273 589701                                 Great Britain

------------------------------

Date:    Mon, 19 Jul 93 09:55:10 -0400
From:    THE GAR <GLWARNER@samford.bitnet>
Subject: Gulf War Virus

henrya@UCS.ORST.EDU writes:
>> and would like to include some information about a supposed computer
>> virus inserted into the Iraqi computer systems by the coalition
>> forces, or the U.S.  This virus (I've heard) blanked out iraqi
>> computer screens (like a screen blanker) making it impossible to see
>> information printed thereon.  ...

to which amn@ubik.demon.co.uk replies:
>This is another example of the US military disinformation (propaganda)
>campaign, that inevitably accompanies military actions.  The story is
>unsubstantiated and extremely unlikely.

to which I say:
Actually, it is an example of very irresponsible journalism, and proof
positive that journalists make up secret government official sources.
The news stories about the "gulf war virus" such as the one in US News &
World Report, began to surface coincidentally following an APRIL 1ST
publication of INFOWORLD, which did a spoof story for April Fools day on
the virus.  The story was clearly identified in the last paragraph as an
April Fools day JOKE, but few people read an entire article it seems.

 /++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
!  Later        +   Systems Programmer                                 !
!  Gary Warner  +   Samford University Computer Services               !
!               +   II TIMOTHY 2:15                                    !
 \+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/

------------------------------

Date:    Tue, 20 Jul 93 10:19:54 -0400
From:    db372@cleveland.freenet.edu (Cathy M. Chenez-Brewer)
Subject: Re: _Wired_ and the Dark Avenger

In a previous article, atman@rahul.net (Visceral Clamping Mechanism) says:

>_Wired_ magazine wants me to do an interview, preferably face-to-face
>with the Dark Avenger.  I have been unable to contact him despite quite
>a bit of effort on my part.  If anyone knows of an address for him on
>any network or a board that he frequents, could you please get in 
>touch with me?

As I understand, Dark Avenger has only given one interview. I read
it in Virus News International. It was done by Sara Gordon.

>Oh, this interview will not be a technthriller, hysteria-inducer, or
>a glorification of intrusion or computer abuse.  It will be a look
>at the social structure of the underground and an exploration of the
>technical possibilities and limitations of viruses and worms under
>various conditions, including government-sponsored research.
>please don't ask.

You should read her interview. This has already been done. I mailed
her about it, and she said she has been talking with WIRED about it
for some time.

Hate to dash your hopes, but I think that guy won't talk to or deal
with anyone else.

- -- 
blah this is a sig

------------------------------

Date:    Tue, 20 Jul 93 10:20:33 -0400
From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
Subject: Viruses that cost $$$

I was the one that started this thread, and now I ran some
Beta software from Lotus (it was explicitly not warranted to
work) that switched my video from one mode to another about
once per second for 30 seconds. Ever since then, for the last
few days, my monitor has made a high pitched squeal. I consider
that to be physical damage of a good 15 inch monitor through
software. I suppose it wasn't Lotus' fault that my monitor
was unable to handle the functions they performed on it, but
regardless of fault, software damaged my hardware this week.
The noise is so loud I don't think I will be able to program
my computer any more unless I replace my monitor (since it
affects my ability to concentrate.)

------------------------------

Date:    Tue, 20 Jul 93 10:21:15 -0400
From:    radatti@cyber.com (Pete Radatti)
Subject: Unix Viruses (UNIX)

To continue on the thread about Unix viruses and scanners...

Until I read about Star Technologies's product, in the last virus-L,
I knew of 3 anti-virus products for Unix.  VFind, (my product),
Fortress and a product made by a company called Raxco.  I am unsure
what the other products do, however VFind simultaneously scans for 
Unix, MS-DOS, Macintosh and Amiga viruses on Unix and MS-DOS platforms.
Additionally, it includes a general purpose pattern matching language
with full VDL features.  Anyone who would like a copy of my paper on
this VDL just email me with a request for the CVDL paper.

Any comment on the fact that some Unix systems, like Sun Microsystems, can
run Unix, MS-DOS and Apple Macintosh executables?

As far as there being Unix viruses in the wild, look at the last
few months of virus-L for a string on this subject.   

The fact that distribution of Unix virus code is discouraged seems
to be helping.  Witness the fact that direct virus attacks against
Unix are still rare.  Anyone who really wants to can locate or easily
write a Unix virus.  Thankfully no one with malice has really wanted
to, esp. since there are all those MS-DOS and Apple systems to feed. ;-)

Pete Radatti
radatti@cyber.com

------------------------------

Date:    Tue, 20 Jul 93 14:54:37 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Unix Scanners (UNIX)

Martin Overton (Martin@salig.demon.co.uk) writes:

> 1. Are there any UNIX viruses in the wild?

In practice - no. I have one reliable report about a Unix virus found
in the wild and half a dozen other, not verified ones. The software
sharing in the mainframe environment is much different from the PC
environment and viruses have much less chance to spread. Which doesn't
mean that they are impossible, of course. But usually worms and
trojans are much more effective.

> I have heard rumours of 'research viruses' written for UNIX, if this is

It's not a rumor. I have seen two such viruses and have read about a
few others.

> true and the situation develops in a similar fashion to the DOS virus
> arena then sooner or later some of these 'research viruses' will be
> found in the wild.

Unlikely, due to the different kind of environment, as I explained
above.

> 2. Are there any virus scanners available for UNIX?

Yes, there are several. Most of them are designed to look for MS-DOS
viruses in the files stored on a Unix system, which is used as a file
server for PCs. There are, however, also some generic Unix tools.
Everybody can scan for a set of regular expressions by using
{aef}grep. A generic pattern matcher, using a much more sophisticated
pattern language is sold by Cybersoft. (The product is called VFIND.)
It can be used also for scanning of MS-DOS files on a Unix system (if
you have the scan strings), but since it cannot do anything more than
complex pattern matching, it will not be able to handle the highly
polymorphic viruses like the MtE- or TPE-based ones.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Mon, 19 Jul 93 10:01:26 -0400
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: re: Are a-v products "boot-manager"-aware? (PC - OS/2,UNIX)

> From:    phys169@cantva.canterbury.ac.nz
>
> With the increased use of "dual boot"-type menus on PC's, is it
> possible that virus removal programs will have difficulty?  ...

It's certainly possible!   IBM AntiVirus explicitly scans the
boot record of the BootManager partition on machines where
that exists (the FORM virus has a particularly messy
interaction with BootManager that we have special code to
notice and fix up); I don't know about other anti-virus
programs.

In the general case, as systems become more complex, and
there are more unusual things (not obvious files or
traditional boot sectors) that might become infected,
there's more chance for scanners and removers to miss
things.  We just have to rely on the anti-virus producers
keeping their technical awareness up!   (And of course
we can help by asking prodding questions like yours, hehe...)

In some cases (such as when a security program intentionally
makes possibly-infected things inaccessible), users will
have to be aware of the complexity of their systems, and
take special steps (running anti-virus programs while
logged in as the administrator, or whatever).

- - -- -
David M. Chess                /  "In the long run, life depends less on
High Integrity Computing Lab  /    an abundant supply of energy than on
IBM Watson Research           /    a good signal-to-noise ratio." - Dyson

------------------------------

Date:    Mon, 19 Jul 93 06:24:39 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Please help! (Removing Generic Boot Virus) (PC)

sbuffler@cs.uct.ac.za (Simon Buffler) writes:

>A friend's computer was recently infected by the Generic Boot Virus.

There is no such thing as "the Generic Boot Virus".  What Scan means
when it reports GenB, is that it has found a piece of highly
suspicious code in the boot sector, but does not find a search string
belonging to any known virus.

This can mean:

    1) A new virus.
    2) A false alarm, for example if the boot sector contains some obscure
       security program.
    3) A damaged or partly overwritten copy of an old virus.

Determining exactly what is going on requires an analysis of the
actual boot sector.

- -frisk

------------------------------

Date:    Mon, 19 Jul 93 09:30:38 -0400
From:    Anthony Naggs <amn@ubik.demon.co.uk>
Subject: Re: WARNING: Stoned/Dir-2 infection in Israel (PC)

Harvey J. Stein, <hjstein@math.huji.ac.il>, reports:
>
>                    ***  W A R N I N G !!!  ***
>
> The Co-op Supermarket of Israel has been distributing a virus infected
> computer game called ZOOM.  DO NOT USE THIS DISK!!!  It is infected
> with both the STONED virus and the DIR-2 virus.  ...

Presumably the distributor of the game supplied the disks to the shop,
perhaps you could advise them of the problem too?

> ... The STONED virus
> causes infected computers to periodically display the message "This
> computer is stoned", and then to crash, thus causing the loss of
> unsaved data.  ...

Most versions of Stoned are relatively benign.  While the most common
variants may display "Your PC is now Stoned" (about 1 in 8 times) when
booting from an infected floppy disk, it does not 'crash' or harm your data.
If you think your system may be afflicted do NOT panic, most reputable
shareware and commercial a-v products should be able to repair the minor
damage done.

> and two of the executable files (bug.exe and scottex.exe) are infected
> with the DIR 2 virus.

Curious, DIR-II on a floppy disk usually infects all executables (because
they are placed there by an infected computer).  I don't remember any other
reports of it in Israel, so it may be a false alarm.

Hope this helps,
Anthony Naggs                 Email:                  Paper mail:
 Software/Electronics Engineer amn@ubik.demon.co.uk    P O Box 1080, Peacehaven
 & Computer Virus Researcher   [or xa329@city.ac.uk]   East Sussex  BN10 8PZ
 Phone: +44 273 589701                                 Great Britain

------------------------------

Date:    Mon, 19 Jul 93 09:31:11 -0400
From:    Anthony Naggs <amn@ubik.demon.co.uk>
Subject: Re: MTE virus was not recognized by scan106. (PC)

Yuri Yulaev, <yuri@atmos.washington.edu>, asks:
>
>       I got MTE virus in my files.

'MtE' is not a virus - but a wrapper that virus authors use to hide
their viruses.  It is like the decorative wrapping paper used for gifts,
it makes quick identification of the virus difficult.  This was the aim
of MtE's author (Dark Avenger), but it leaves a second, easier problem
for a-v developers to solve - recognising the MtE wrapping instead.

> scan106/clean106 did not find it, but another program, NOVI did.

If only one file is reported as infected you may have a false alarm.
While recognising the MtE wrapping is easier than recognising an MtE
wrapped virus, some vendors have had trouble doing so reliably.  I
haven't tested the accuracy of MtE reporting of scan & I don't have
a copy of Novi to test.  (BTW which version do you have?)

> It did not damage my HD, but my friend lost about 20 MB with its
> help.
>       I would appreciate any pointers/info how to kill it.

Please send copies of the suspect files to McAfee and Symantec (owners
of NOVI), they should be able to provide you with details of the actual
MtE wrapped virus & how to recover from it.

You could simply delete (and reinstall) all affected programs, but I still
recommend sending a copy to an expert(s) who can tell you the side effects
the specific virus can cause.  (If in doubt our moderator, Ken, can advise
who you might send a sample to).

Hope this helps,
Anthony Naggs                 Email:                  Paper mail:
 Software/Electronics Engineer amn@ubik.demon.co.uk    P O Box 1080, Peacehaven
 & Computer Virus Researcher   [or xa329@city.ac.uk]   East Sussex  BN10 8PZ
 Phone: +44 273 589701                                 Great Britain

------------------------------

Date:    20 Jul 93 09:44:22 +0700
From:    "Michal Weis or INFI" <WEIS@cc.elf.stuba.cs>
Subject: Re: MTE virus was not recognized by scan106. (PC)

>     I got MTE virus in my files.
pretty algorithm ;-)

> scan106/clean106 did not find it, but another program, NOVI did.
scan fails in detection of Groove (scan 100 for sure, I didn't test the latest
scan, but it probably fails too). NOVI? It's unknown to me.
So MtE is not a virus but a decryptor algorithm. And it's not so easy to
detect it (you must use an internal debugger for detection) - so there are
many false positives. So the answer is: it is an MtE virus and scan fails in
the debugger, or there is no virus with MtE and NOVI fails in the debugger.
Is there more than one file infected by MtE? If yes, there is an MtE.
The only problem is that only a few anti-virus programs in the world can remove
MtE infection (I think new Findviru (by Solomon) can remove it - if not,
try TBAV (but it fails on MtE in 40% of cases).

> It did not damage my HD, but my friend lost about 20 MB with its
> help.
Some MtE viruses (the Dedicated family) overwrite a random sector on
disk if they fail at infection. It could be this one.

                            Regards,
                              Mike

p.s. if TBAV also fails, you can contact me. I've analyzed a lot of known
MtE viruses & I've done an MtE remover.


- - This is not a trick, this is -- _ --------------------------------------
                     ,     _  _  | )   ,
                    /|    / )/ ) |/   /|
                   / |   /  /  / /---' |
                  '   \_/  /  (_/|\     \_/
- -------------------------------- |_) ---- Origin: weis@cc.elf.stuba.cs ---

------------------------------

Date:    Tue, 20 Jul 93 10:18:23 -0400
From:    brymastr@eng.umd.edu (Bryan Lee)
Subject: Genp in partition table - what to do? (PC)

How does one kill a virus residing in the partition table of a
hard drive?  I saw a message (from VSHIELD - McAfee) about
the virus Genp being found in the partition table - what can
this virus do?  How is it transferred?  How can you kill it?
Thanks!
- -Bryan

------------------------------

Date:    Mon, 19 Jul 93 21:14:07 +0000
From:    suchit@shakti.ncst.ernet.in (Mr. Suchit Nanda)
Subject: Re: Joshi Virus (PC)

bayomi@bldghsc.lan1.umanitoba.ca (Dennis Bayomi) writes:
> Hello everyone - we've recently discovered a virus called "Joshi" on
> a 286 clone running MS-DOS 5....
 
> We've tried F-Prot 2.08A and it doesn't disinfect the virus.  It did
> detect and even claimed to disinfect but after rebooting and
> rescanning the virus was still there.
 
Hi Dennis,
 
There are a few precautions that need to be taken failing which the
infection may not be totally removed. In your case, you probably did
*not* cold boot the computer. Joshi survives a warm boot and in
addition since it uses stealth techniques can remain in the system.
 
The best thing to do is to cold boot from a clean write-protected DOS
disk and only then run an anti-virus software such as
F-Prot/FindVirus/SCAN etc. If you need more information feel free to
contact me. We are the folks who found this Indian virus first, as
also 3 other Indian viruses, and alerted the anti-virus community.
Needless to add I shall not entertain any request for samples; however
if anyone would like more detailed steps to remove it, I would be
happy to oblige.
 
Regards,
 
Suchit
 
- -- 
Suchit Nanda

Internet : suchit@shakti.ncst.ernet.in
FidoNet  : 6:606/1

------------------------------

Date:    Tue, 20 Jul 93 13:37:15 -0000
From:    cctr132@cantva.canterbury.ac.nz (Nick FitzGerald)
Subject: First HD always C: (was: re: how to kill...) (PC)

chess@watson.ibm.com (David M. Chess) writes:

[someone else's description of suspected Michelangelo infection on D:
drive deleted]

> Hm, that's unusual!  Michelangelo is a Master Boot Sector infector; that
> means it infects the very first sector of the physical hard disk.  Also,
> it will only infect the first physical hard disk in the system, and
> most anti-virus programs report that either as drive "80" or "C:".
> Is your D: drive on a second physical hard disk?  If so, is it
> possible that that hard disk was once the first physical hard disk
> in some system?   It could have gotten infected at that point.

Whilst having much respect for Dave, a bias probably induced by his
place of work and too much exposure to its product and documentation is
showing here.

Yes Dave, and anyone else who believes the "official", "it's documented
all over the place", IBM/Microsoft, "after all, we built the bloody
things/wrote the OS so we should know" line that the first hard drive in a
PC system is always C: -- there are situations in which the first physical
HD is D: and even E:.  Do -not- deny my experience of working on and
with such machines by spouting what the IBM Tech Ref or whatever says.

The days of dumb install routines blindly believing this have,
thankfully, all but passed.  Device 80 (hex by the way) is however, as
Dave says, always (what about SCSI ?) the first physical HD and that is
how MBR infectors find/infect it -- they work before DOS, or whatever
OS, is loaded, so it's somewhat academic what the user will end up
knowing the disk as.

I can't tell you -why- these machines are/were like this (they all have/
had a second or "fancy" floppy drive controller and 3 or 4 floppy drives
though, and I suspect the "magic" was due to the (possibly non-standard)
handling of the floppies by the BIOS extensions on these boards), but
they definitely have/had C: as a floppy drive.

Apologies if the tone is a tad intemperate, but some of the silliness
I've encountered due to people getting this wrong....

>The devil finds work for idle MIPS

MS Windows?    8-)

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64(3)364 2337, FAX:+64(3)364 2332

------------------------------

Date:    Tue, 20 Jul 93 10:20:11 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: Joshi Virus (PC)

From:    bayomi@bldghsc.lan1.umanitoba.ca (Dennis Bayomi)

> We've tried F-Prot 2.08A and it doesn't disinfect the virus.  It did detect
> and even claimed to disinfect but after rebooting and rescanning the virus
> was still there.

Joshi is a stealth virus. It intercepts the call for the boot sector, and 
re-directs the program to the copy of the original boot sector.
 
I have two suggestions.

1. cold boot the computer from a known clean diskette, then run the removal
software.
2. get rid of the virus before January 5th. ;-)

Bill

------------------------------

Date:    Tue, 20 Jul 93 14:39:53 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FORM Virus (PC)

Rinse Balk (Rinse_Balk@f7.n316.z9.virnet.bad.se) writes:

>  The Form Virus is a nasty virus indeed...

Nasty? Why do you think so? Form is a pretty trivial boot sector
infector, which even doesn't cause intentional damage. It can be
easily removed using the SYS command.

>   McAfee has a special program for boot viruses! If you look in the Virlist.txt
> you can find by some viruses M-Disk. I think you need that program to
> remove the form virus safely. I'm not sure, but I think there's a
> documentation by M-Disk that will tell you more...

Unfortunately, nowhere in the documentation of SCAN is mentioned where
exactly you can obtain M-Disk from. BTW, I wouldn't recommend using it
to remove boot sector viruses. The best solution is to use an
anti-virus program, which does recognize the particular virus and can
remove it. If this is not available, use CLEAN and tell it to remove
the [GenP] or [GenB] virus (depending on whether you have a MBR or a
DBS infector). If even this fails, try FDISK /MBR (from DOS 5.0 or
above) for MBR infections and SYS (the same DOS version as the
infected volume) for DBS infections. If even that fails (usually it
doesn't), well, call a specialist. :-)

In particular, CLEAN 106 is able to remove the Form virus. If it has
failed (as the original poster implies), then it is probably a new
variant of the virus, or a different virus, or a false positive.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Tue, 20 Jul 93 14:45:21 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: how to kill virus in boot sector ? (PC)

Dong LI (U53077@uicvm.uic.edu) writes:

> I have a IBM compatible PC with DOS 6 and windows 3.1.
> My scanning-only anti-virus software found recently a virus named Michelangelo
> in the boot sector on my hard drive D. I tried to use other antivirus
> softwares to kill it but failed, because they cannot even find the virus
> in the boot sector !

Please, read the FAQ for explanation of what kind of information to
provide when asking such questions. In particular, what kind of
scanning-only anti-virus software have you used? The one that comes
with MS-DOS 6.0? Beware, it is rather low quality.

Finding Michelangelo on drive D: is highly unusual (although not
completely impossible), since this virus infects only the first hard
disk. Do you use some kind of disk compression, swapped drives, and
others like that? Also, Michelangelo is a pretty well known virus;
almost any anti-virus program on the market is able to detect it. What
other anti-virus programs have you used? I mean, the ones that have
failed to detect the virus? It is very probable that you are not
infected at all and your first anti-virus program gives a false
positive (read the FAQ for more information on those terms).

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Tue, 20 Jul 93 15:04:23 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Please help! (Removing Generic Boot Virus) (PC)

Simon Buffler (sbuffler@cs.uct.ac.za) writes:

> A friend's computer was recently infected by the Generic Boot Virus.

There is no such thing as "the Generic Boot Virus". This is a kind of
heuristic, used by SCAN. It looks for a short scan string, which is
often found in the boot sector viruses. When SCAN reports "the [GenB]
Virus", this means: "I have found in the DOS boot sector a short piece
of code, which is usually present in the boot sector viruses. This is
highly suspicious, and the boot sector is very probably infected, but
I have no real idea with what. In any case, it is not anything that I
know."

> I gave him a copy of Clean106 which is supposed to remove [Genb].

CLEAN uses another set of heuristics to restore the original boot
sector - if it can find it somewhere else on the disk. Unfortunately,
this fails if the virus does not preserve the original boot sector, or
if it encrypts it. Also, sometimes restoring the first thing that
looks like a boot sector is not exactly what the user would like.

> When booting from a clean system disk and running Clean (from floppy)
> on his hard- drive, he receives a "No viruses detected" message.
> However, [Genb] IS still sitting on his hard-drive, as when he
> reboots, the virus is loaded into memory ...and Clean picks up a
> "critical virus" when scanning RAM.

Well, this just means that the boot sector restoration heuristics of
CLEAN have failed. Such things can happen. Obviously, you have some
kind of new boot sector virus, which has to be analysed and the
appropriate disinfector for it has to be designed. I advise you to
send a copy of your infected boot sector to some anti-virus
researcher. Even better - boot from the (infected) hard disk, format a
floppy disk in drive A:, then convert it into a file with TeleDisk and
send this file to an anti-virus researcher.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany
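
To show the two heuristics described here and in Frisk's earlier reply on [GenB] (a boot sector that carries suspicious code but no known scan string, and CLEAN's search for a preserved original boot sector), here is an added Python model; it is not SCAN or CLEAN code and not anything from this digest, and the scan string, the opcode patterns, the sector layouts and the disk image are all constructed for the example.

```python
"""Toy model of SCAN's [GenB] report and of CLEAN's boot-sector restoration
heuristic.  Not SCAN/CLEAN code: string, patterns and sectors are constructed."""
import struct

SECTOR_SIZE = 512

# Constructed scan string for a hypothetical known boot virus (not a real one).
KNOWN_SIGNATURES = {"Example.Boot.A": bytes.fromhex("b80103b90100cd13e8")}

# Constructed approximations of "highly suspicious" boot code.  Normal DOS boot
# code only *reads* (mov ah,2 / int 13h); it never writes sectors and never
# stores a new INT 13h vector at 0000:004C.
HOOK_INT13 = [b"\xa3\x4c\x00",          # mov [004Ch], ax
              b"\xc7\x06\x4c\x00"]      # mov word [004Ch], imm16
WRITE_INT13 = [b"\xb4\x03",             # mov ah, 3  (BIOS write sectors)
               b"\xb8\x01\x03"]         # mov ax, 0301h

def parse_bpb(sector):
    """BIOS Parameter Block as a dict, or None if size/jump/55AA are wrong."""
    if len(sector) != SECTOR_SIZE or sector[510:] != b"\x55\xaa":
        return None
    if not (sector[0] == 0xEB and sector[2] == 0x90) and sector[0] != 0xE9:
        return None
    bps, spc, res, fats, root, total, media, spf = struct.unpack_from(
        "<HBHBHHBH", sector, 11)
    return dict(oem=sector[3:11], bps=bps, spc=spc, reserved=res, fats=fats,
                root=root, total=total, media=media, spf=spf)

def bpb_is_sane(bpb):
    """Plausibility checks: is this really a saved boot sector, not junk?"""
    return (bpb is not None and bpb["bps"] == 512
            and bpb["spc"] in (1, 2, 4, 8, 16, 32, 64, 128)
            and bpb["reserved"] >= 1 and bpb["fats"] in (1, 2)
            and bpb["root"] > 0 and bpb["total"] > 0 and bpb["spf"] > 0
            and (bpb["media"] == 0xF0 or bpb["media"] >= 0xF8)
            and all(32 <= b < 127 for b in bpb["oem"]))

def suspicious_code(sector):
    """GenB-style heuristic: boot code that hooks INT 13h or writes sectors."""
    code = sector[62:510]                 # skip jump, OEM name and (E)BPB
    hooks = any(p in code for p in HOOK_INT13)
    writes = any(p in code for p in WRITE_INT13) and b"\xcd\x13" in code
    return hooks or writes

def classify(sector, signatures=KNOWN_SIGNATURES):
    """Frisk's three outcomes: known virus (scan string hit), [GenB]
    (suspicious code but no known string), or nothing found."""
    if parse_bpb(sector) is None:
        return "not a boot sector"
    for name, sig in signatures.items():
        if sig in sector:
            return "Virus: " + name
    return "GenB" if suspicious_code(sector) else "no virus found"

def find_original_boot_sectors(image):
    """CLEAN-style search: sectors (other than 0) with a sane BPB and no
    suspicious code.  Empty if the virus encrypted or never saved the original."""
    hits = []
    for n in range(1, len(image) // SECTOR_SIZE):
        s = image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
        if bpb_is_sane(parse_bpb(s)) and not suspicious_code(s):
            hits.append(n)
    return hits

def make_clean_boot_sector():
    """Constructed 1.44 MB floppy boot sector: DOS 5 style BPB, read-only code."""
    s = bytearray(SECTOR_SIZE)
    s[0:3], s[3:11] = b"\xeb\x3c\x90", b"MSDOS5.0"
    struct.pack_into("<HBHBHHBHHHI", s, 11,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0)
    s[62:70] = b"\xb4\x02\xb0\x01\xcd\x13\xeb\xfe"  # mov ah,2; mov al,1; int 13h; jmp $
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def make_infected_boot_sector(clean, known=True):
    """Constructed infected sector: BPB kept, code hooks INT 13h and writes.
    known=False models a variant no scan string matches (the [GenB] case)."""
    body = (KNOWN_SIGNATURES["Example.Boot.A"] if known
            else b"\xb8\x01\x03\xb9\x28\x00\xcd\x13\x90")
    s = bytearray(clean)
    virus = b"\xc7\x06\x4c\x00\x00\x7c" + body + b"\xeb\xfe"
    s[62:62 + len(virus)] = virus
    return bytes(s)

def make_disk_image(clean, infected, hide_at=40, encrypt=False, sectors=64):
    """Constructed image: infected sector 0, original stashed at hide_at,
    optionally XOR-scrambled the way some viruses hide their saved copy."""
    saved = bytes(b ^ 0x5A for b in clean) if encrypt else clean
    image = bytearray(sectors * SECTOR_SIZE)
    image[:SECTOR_SIZE] = infected
    image[hide_at * SECTOR_SIZE:(hide_at + 1) * SECTOR_SIZE] = saved
    return bytes(image)

if __name__ == "__main__":
    clean = make_clean_boot_sector()
    unknown = make_infected_boot_sector(clean, known=False)
    print(classify(make_infected_boot_sector(clean)), classify(unknown))  # Virus: Example.Boot.A GenB
    print(find_original_boot_sectors(make_disk_image(clean, unknown)))    # [40]
```

With encrypt=True the search returns an empty list, which is the failure mode Vesselin describes: nothing on the disk looks like a boot sector, so a disinfector built for that specific virus is needed.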

------------------------------

Date:    Tue, 20 Jul 93 10:22:20 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: FP-209.ZIP - F-PROT 2.09 virus scanner/disinfector (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:<msdos.virus>
FP-209.ZIP      F-PROT 2.09 virus scanner/disinfector

Version 2.09 - major changes:

        WE HAVE MOVED.  Our mail and E-mail addresses remain the same,
        but the phone/fax numbers of Frisk Software have changed.

                Phone number +354-1-617273
                Fax number   +354-1-617274

        Disinfection of boot sector viruses has been redesigned, and many
        boot sector viruses (most of which were in the "laboratory-only"
        category) that were only detected before can now be disinfected.

Version 2.09 - the following problems were found and corrected:

        Stoned.Azusa was still not identified accurately in all cases, but
        that should be fixed now.

        Earlier versions could not disinfect Stoned.Empire.Monkey.A from
        3.5" diskettes...fixed.

        When VIRSTOP /COPY was used, it would interfere with Quick Scan,
        and VIRSTOP would display a message about the file being infected,
        not F-PROT.

        For certain encrypted viruses, such as PCBB.1658, which may infect
        the same file multiple times, F-PROT would only remove one "layer"
        of the virus.

Version 2.09 - minor improvements:

        F-PROT will now always scan the MBR(s) even if no logical partitions
        are found on the hard disk(s).

        The behaviour of the /NOFILE switch has been changed - it now
        implies /NOUSER (in files), /NOPACKED and /NOTROJAN as well.

        A new exit code (7) was added: Insufficient memory.  Previously
        F-PROT would return 1 (general error) in this case.

        F-PROT now normally scans the memory area between 640K and 1M,
        as certain viruses such as Tremor can hide there.  To disable this
        (and only scan 640K) a new command-line switch "/640" is provided.

        A new command-line switch "/MONO" was added.  It gives monochrome
        operation on colour displays, which is useful on certain laptops.

        One new .DOC file (NEW_VIR.DOC) has been added, but it describes
        how to send us viruses.

Version 2.09 - new viruses:

   The following 202 new viruses can now be detected and removed when
   at all possible ... a few of them are primitive, overwriting viruses.
   Some of these viruses were detected by earlier versions, but are now
   identified accurately.

        _125
        _160
        _195
        _205
        _225
        _604
        _723
        _894
        Abraxas
        Albanian
        Alpha
        Amt (3000 and 4000)
        Aragorn
        Arcv (330, Ice250)
        Ash (817 and 1602)
        Atas II (3213, 3233 and 3321)
        Australian Parasite (142, 147, 150, 155, 162, 550 and 615)
        Backfont (472 and 896)
        Bad
        Barrotes
        Beer.3192
        Butterfly
        Cascade (1704.J and 1704.H)
        Cfsk
        Chang
        Chcc
        Chr
        Civil war (244 and Navigator)
        Civil War II (599 and 901)
        Code4-over
        Coffeshop
        Coib
        Cossiga.883.B
        Costeu
        Cpxk
        Crazy Imp.1402
        Cybertech.Star One
        Cysta.2954
        Danish Tiny.Wild Thing
        Dark Avenger.1693
        Dead
        Deicide II (Breeze, 2570)
        Denied
        Disdev
        Doomsday
        Dupacel
        Dutch Tiny (122 and 124B)
        E-riluttanza
        End of
        Experiment (416 and 755)
        Filehider.1067
        Filename
        Fish6.B
        Fisher (1100 and 2420)
        Frajer
        Freak
        Grunt (346, 427 and 473)
        Halley
        Hallo
        Hamster
        HH&H.4093
        Hitchcock.1238
        Hoa
        Ice9.Two Minutes
        Infector (444, 624, 726, 782, 933 and 984)
        Intrep (946 and 1092)
        Itti.Toxic
        James
        Jerusalem (Glory, Unam)
        Jos
        Keypress.1232.C
        Kot
        Kudepsta
        Leprosy (Crawler, Seneca.493 and Surfer)
        Lesson I.263
        Little Girl.1004
        Log
        Lovechild.2710
        Loz
        LPToff
        Luca
        Lyceum.1888
        Lythium
        Maffy.323
        Malign (575 and 630)
        Matura.632
        Meta.1103
        Metallica.1739
        Mithrandir
        Mr G.
        MX
        Murphy.Delyrium.1780
        Nanita
        Nazgul
        Naziphobia.A
        November 17th.855.B
        Omt
        Over.4032
        Own
        Oxana (1436, 1572, 1670 and 1671)
        Paramon
        PDP (822, 1477 and 1564)
        Perfume.653
        Pick
        Pitch
        Pojer.1919
        Porridge
        Print Monster
        Proto-T (Flagyll, Lockjaw and Number6)
        PS-MPC (897, Arcv-9, Arcv.657.B and Kouch)
        Puke
        Radyum (448, 519 and 860)
        Requires
        Russian Tiny (129, 132, 143, 145, 146 and 156)
        Screen
        SillyCR (185, 189 and 212)
        Silly Ice (159, 199 and 224)
        Skew
        Sleepwalker
        Storm.1163
        STSV.B
        Talking Heads
        Tankard (493 and 556)
        Techno
        Timid (431 and 557)
        Trivial (30.C, 30.D, 32, 34, 44.B, 68, 71 and 84)
        Turn
        Tver
        Ugur
        Ungame
        Uruk-Hai.427
        V3000
        VCL (384, 408, 423, 476, 519, 562 and Popoolar)
        Vengeance.613
        Vienna.1239
        Voodoo
        Wanderer
        Wilbur (B and C)
        Willow
        WWP
        XAM
        Yam.3599
        Youth.970
        Zaphod
        Ziuck.1372

   The following 43 new viruses can now be detected but not yet removed.

        AntiExe
        Arcv (839, Benoit, Joanna, More, Sandwich, Scroll, X-2)
        Arusiek
        Beer.3164
        Black Jec.378
        Chipshit
        Civil War.561
        Cysta
        Dir II (G, H and K)
        Explosion
        Harm
        Horror.1137
        Invisible man (2926 and 3223)
        Maffy.478
        MSJ
        Naziphobia (B and C)
        No Frills.Dudley
        Npox (609, 1686 and 1800)
        PS-MPC.Z10.662
        Rape.Basilisk
        Tchantches
        Terminator II
        Tu
        Ultimatum
        VCL (394, Divide.A, Mimic and Necro)
        Vienna.561
        Yankee (XPEH.5648 and XPEH.5808)

   The following 5 viruses which were detected by earlier versions can
   now be removed.

        Darth_Vader (3.A, 3.B and 3.C)
        Horse.2248
        PCBB.1141

Fridrik Skulason
frisk@complex.is

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 104]
******************************************
