To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #105
--------
VIRUS-L Digest   Friday, 23 Jul 1993    Volume 6 : Issue 105

Today's Topics:

Re: _Wired_ and the Dark Avenger
Re: _Wired_ and the Dark Avenger
Dark Avenger interview
Request Info on Computer Virus Conferences
Re: _Wired_ and the Dark Avenger
Re: Viruses that cost $$$
Re: Are a-v products "boot-manager"-aware? (PC - OS/2,UNIX)
Re: Are a-v products "boot-manager"-aware? (PC - OS/2,UNIX)
Re: Joshi Virus (PC)
Re: MTE virus was not recognized by scan106. (PC)
re: First HD always C: (was: re: how to kill...) (PC)
First hard drive (PC)
MtE False Alarm (was Re: MTE virus was not recognized by scan106.) (PC)
"Victor Charlie" (PC)
Re: Genp in partition table - what to do? (PC)
Re: FP-209.ZIP - F-PROT 2.09 virus scanner/disinfector (PC)
Re: FORM Virus (PC)
Re: NAV virus definition file wanted (PC)
Misc. things (PC)
Re: MTE virus was not recognized by scan106. (PC)
Re: Genp in partition table - what to do? (PC)
New file on risc (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 20 Jul 93 15:22:17 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: _Wired_ and the Dark Avenger

Visceral Clamping Mechanism (atman@rahul.net) writes:

> _Wired_ magazine wants me to do an interview, preferably face-to-face
> with the Dark Avenger. 

You are unlikely to succeed. Dark Avenger has always refused any
face-to-face interviews, including proposals from New York Times
reporters. The most you can hope is an e-mail interview.

> I have been unable to contact him despite quite
> a bit of effort on my part. 

As I said, you are unlikely to succeed.

> If anyone knows of an address for him on
> any network or a board that he frequents, could you please get in 
> touch with me?

Sara Gordon has succeeded in getting an interview from him - but again
electronically. The interview was published in Virus News
International (and probably in other places, but I don't know them;
maybe Sara can provide more information). You can contact her at
vfr@netcom.com.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Wed, 21 Jul 93 09:32:32 -0400
From:    Sam Wilson <ercm20@festival.ed.ac.uk>
Subject: Re: _Wired_ and the Dark Avenger

Cathy M. Chenez-Brewer (db372@cleveland.freenet.edu) wrote:
: As I understand, Dark Avenger has only given one interview. I read
: it in Virus News International. It was done by Sara Gordon.

This interview was also run in the UK magazine Personal Computer World
(PCW), July 93. 

Sam Wilson
Network Services Division
Computing Services, The University of Edinburgh
Edinburgh, Scotland, UK

------------------------------

Date:    Wed, 21 Jul 93 12:22:17 -0400
From:    hqdoxs1@ramstein.af.mil (HQ USAFE/DOXS-TEMPEST;480-7984)
Subject: Dark Avenger interview

atman@rahul.net writes:
 
> _Wired_ magazine wants me to do an interview, preferably face-to-face
> with the Dark Avenger.  I have been unable to contact him despite quite
> a bit of effort on my part.  If anyone knows of an address for him on
> any network or a board that he frequents, could you please get in 
> touch with me?
 
A while back I read a paper called "The Social Organization of the
Computer Underground" by Gordon R. Meyer.  Maybe he can help.  Last
address I have is: Compuserv: 72307,1502 or GEnie: GRMEYER.  I don't
know if he has an Internet address.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Dennis S. Hernit                                 hqdoxs1@ramstein.af.mil
United States Air Forces in Europe                           DSN 480-7984
Ramstein Air Base, Germany                               +49-6371-47-7984   
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date:    Wed, 21 Jul 93 14:33:48 -0400
From:    rlebel@manitou.cse.dnd.ca (Richard Lebel)
Subject: Request Info on Computer Virus Conferences

I am looking for information on Computer Virus Conferences which will take 
place after September 1993.  Please send Locations and dates.

Thanks.

------------------------------

Date:    Tue, 20 Jul 93 18:29:54 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: _Wired_ and the Dark Avenger

Cathy M. Chenez-Brewer (db372@cleveland.freenet.edu) writes:

> As I understand, Dark Avenger has only given one interview. I read
> it in Virus News International. It was done by Sara Gordon.

Not quite. He has given another one, before that, to Chris Seely
(sp?). It was also published in Virus News International. If you read
carefully what he says in Sara's interview, you'll find a note about
this previous one.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Tue, 20 Jul 93 18:42:30 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses that cost $$$

Donald G Peters (Peters@DOCKMASTER.NCSC.MIL) writes:

> I was the one that started this thread, and now I ran some
> Beta software from Lotus (it was explicitly not warranted to
> work) that switched my video from one mode to another about
> once per second for 30 seconds. Ever since then, for the last
> few days, my monitor has made a high pitched squeal. I consider

Well, I am still not convinced that it has been the software that has
damaged your monitor. Maybe the monitor was already faulty and would
have failed sooner or later - the software has just triggered the
fault.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Tue, 20 Jul 93 22:53:58 -0400
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: Are a-v products "boot-manager"-aware? (PC - OS/2,UNIX)

Mark Aitchison writes:
>With the increased use of "dual boot"-type menus on PC's, is it
>possible that virus removal programs will have difficulty? The
>conventional PC's hard disk goes through two "boot" sectors - the MBR,
>then the DOS boot sector. With a boot manager, there are at least 3
>boot sectors - perhaps disinfectors have difficulty going to the third
>level? (I don't want to use my system as a guinea pig to find out!).

The Master Boot Record and operating system Boot Sector(s) typically
reside on different parts of the hard disk.  The major difference with
dual-boot systems is that the MBR code pauses and allows an operating
system (boot sector) to be selected.  The problem, in the case of
an MBR-infecting virus like the Stoned is to restore the MBR code 
correctly so that the MBR code still provides dual boot-capability.
For an Operating System Boot Sector virus like the FORM, the problem
is locating which OSBS is infected, and then removing the virus from
that OSBS.

Recent versions (V105 and above) of McAfee Associates' anti-viral software
are "aware" of OS/2 Boot Manager's partitioning.  There is a /BMP switch
to allow them to check for and remove boot sector viruses on an OS/2
Boot Manager-partitioned drive.

Regards,

Aryeh Goretsky
Technical Support
- -- 
- - - - - - -  Please send your reply, if any, to Aryeh@McAfee.COM  - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX   (408) 970-9727 |  or try: support@mcafee.com
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA          | USR HST Courier DS   |  or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date:    Tue, 20 Jul 93 16:20:30 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Are a-v products "boot-manager"-aware? (PC - OS/2,UNIX)

 (phys169@cantva.canterbury.ac.nz) writes:

> With the increased use of "dual boot"-type menus on PC's, is it
> possible that virus removal programs will have difficulty? The

Yes, it is - and many of them do have problems. You mentioned the OS/2
boot manager. Another typical example is the compressed volumes in
DOS 6.0 - the "real" boot disk drive is usually available as drive H:,
which tends to confuse some programs.

> then the DOS boot sector. With a boot manager, there are at least 3
> boot sectors - perhaps disinfectors have difficulty going to the third
> level? (I don't want to use my system as a guinea pig to find out!).

The scanners/disinfectors are not the only kind of anti-virus software
that has problems in such environments. Integrity checkers are not
problem-free either. For instance, the Stacked volumes seem to constantly
change the area that is equivalent to the DBS of the volume.
Therefore, the integrity checkers must be aware of all those
situations, recognize them, and avoid the false positives.

> Also, the OS/2 boot manager changes the partition types of the boot
> sectors to some high number when they aren't being used, and DRDOS's
> security option also changes the partition type - perhaps some
> programs will think they are partitions not worth scanning, let alone
> attempt to disinfect?

Well, this is the purpose of DR-DOS' security option - if you boot
from a diskette, without passing through the login procedure, the disk
shouldn't be accessible. (In fact, this "protection" can be trivially
cracked with the right tools, but this is irrelevant to the
discussion.) That's why, when the user is preparing a bootable
diskette, s/he must put on it everything needed to access the hard
disk after the DOS loads - any device drivers, TSRs, password
programs, and so on.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany
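An added example, not code from either reply above nor from any of the products they mention, of the point both make: a scanner has to find every boot sector, not just the MBR and "the" DOS boot sector. It walks a constructed 64-sector image whose MBR holds a bootable FAT16 partition, an OS/2 Boot Manager partition (type 0x0A), a primary marked with the unfamiliar type 0x16, and a DOS extended partition with two logical drives (all values constructed for the example; a real disk's type bytes and LBAs will differ).

```python
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE                 # the four 16-byte partition entries live here
ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA start, sector count
EXTENDED = {0x05, 0x0F}              # extended-partition container types (DOS and LBA variants)
DOS_FAT_TYPES = {0x01, 0x04, 0x06}   # the types a naive "DOS-only" scanner might restrict itself to

def read_sector(disk, lba):
    start = lba * SECTOR
    if start + SECTOR > len(disk):
        raise ValueError(f"LBA {lba} is beyond the end of the image")
    return disk[start:start + SECTOR]

def partition_entries(sector):
    """Decode the four entries at 0x1BE; the sector must end in the 55 AA signature."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 55 AA boot signature")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector, TABLE_OFFSET + 16 * i)
        if ptype != 0:                      # type 0 marks an unused slot
            entries.append((status, ptype, lba, count))
    return entries

def boot_sectors(disk):
    """Every sector a scanner/disinfector must examine: the MBR, the boot sector of each
    primary partition regardless of its type byte, and the boot sector of each logical
    drive reached by following the extended-partition chain (EBR by EBR)."""
    found = [("MBR", 0, None)]
    for status, ptype, lba, count in partition_entries(read_sector(disk, 0)):
        if ptype not in EXTENDED:
            found.append(("primary", lba, ptype))
            continue
        ext_base, ebr, seen = lba, lba, set()
        while ebr not in seen:              # guard against a looping chain in a corrupt table
            seen.add(ebr)
            next_ebr = None
            for _, t, rel, _ in partition_entries(read_sector(disk, ebr)):
                if t in EXTENDED:
                    next_ebr = ext_base + rel          # link entry: relative to extended start
                else:
                    found.append(("logical", ebr + rel, t))   # data entry: relative to this EBR
            if next_ebr is None:
                break
            ebr = next_ebr
    return found

def skipped_by_naive_filter(found):
    """Boot sectors a scanner that only looks at 'DOS' partition types would never check."""
    return [f for f in found if f[0] == "primary" and f[2] not in DOS_FAT_TYPES]

def _entry(status, ptype, lba, count):
    return ENTRY.pack(status, b"\0\0\0", ptype, b"\0\0\0", lba, count)

def build_sample_disk():
    """Constructed 64-sector image (not a real disk dump) with the layout described above."""
    disk = bytearray(64 * SECTOR)
    def write_table(lba, entries):
        off = lba * SECTOR + TABLE_OFFSET
        for i, e in enumerate(entries):
            disk[off + 16 * i: off + 16 * i + 16] = e
        disk[lba * SECTOR + 510: lba * SECTOR + 512] = b"\x55\xaa"
    write_table(0, [_entry(0x80, 0x06, 1, 10),     # bootable FAT16 primary, boot sector at LBA 1
                    _entry(0x00, 0x0A, 11, 2),     # OS/2 Boot Manager partition
                    _entry(0x00, 0x16, 13, 5),     # primary marked with an unfamiliar type byte
                    _entry(0x00, 0x05, 20, 30)])   # extended partition, first EBR at LBA 20
    write_table(20, [_entry(0, 0x06, 1, 9),        # logical drive at LBA 21
                     _entry(0, 0x05, 10, 10)])     # next EBR at 20 + 10 = 30
    write_table(30, [_entry(0, 0x06, 1, 9)])       # last logical drive at LBA 31
    return bytes(disk)

if __name__ == "__main__":
    for kind, lba, ptype in boot_sectors(build_sample_disk()):
        print(f"{kind:8} LBA {lba:3}  type {ptype if ptype is None else hex(ptype)}")
    print("missed by a type-filtering scanner:", skipped_by_naive_filter(boot_sectors(build_sample_disk())))
```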

------------------------------

Date:    Tue, 20 Jul 93 15:12:42 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Joshi Virus (PC)

Dennis Bayomi (bayomi@bldghsc.lan1.umanitoba.ca) writes:

> Hello everyone - we've recently discovered a virus called "Joshi" on a 286 
> clone running MS-DOS 5.  It seems to be a classic case of a youngster 
> bringing home a game disk and inadvertently infecting his parent's computer.

> We've tried F-Prot 2.08A and it doesn't disinfect the virus.  It did detect 
> and even claimed to disinfect but after rebooting and rescanning the virus 
> was still there.

F-Prot is, indeed, able to correctly detect and disinfect the Joshi
virus. BTW, didn't it call it "Joshi (A)"?

However, before attempting any virus removal (or even detection!), you
must make sure that there is no virus present in memory. For that
purpose, you must COLD boot from an uninfected, write-protected system
diskette. If you fail to do that, the virus can remain active in
memory, and either stealth the fact that it is present on the disk, or
re-infect the disk right after it has been disinfected, or both. In
your case it is probably the second thing that has happened. I'm just
wondering why F-Prot has not reported that the virus is present in
memory.

Note that I emphasized the word "cold" in the paragraph above. This
means that you have to turn your computer off and then switch it on
again - or press the Reset button, if your computer has one. Just
pressing Alt-Ctrl-Del might not be sufficient with some viruses - and
it isn't sufficient with Joshi.

The reason is that Joshi intercepts those keys and fakes a reboot,
while in practice remaining active in memory. An experienced user will
undoubtedly notice that on most kinds of computers (because the boot
simulation is not perfect - it just cannot be), but many users will be
fooled to believe that they have really rebooted their machine.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Tue, 20 Jul 93 15:18:02 +0000
From:    bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MTE virus was not recognized by scan106. (PC)

 (yuri@atmos.washington.edu) writes:

> 	I got MTE virus in my files.

There is no such thing as "the MtE virus". MtE is not a virus, it is a
library function, which the virus writers can link to their viruses,
in order to make them very polymorphic. Therefore, we are not talking
about "the MTE virus", we are talking about "MtE-based viruses".

There are many of them - about a couple of dozens - and they do
different things. Some are intentionally damaging, some are not.

> scan106/clean106 ddid not find it, but another program, NOVI did.

In my experience, SCAN was able to detect the MtE-based viruses
correctly. I have never used NOVI, but I would venture the conjecture
that NOVI is probably mistaken in your case. It is either a different
virus, or not a virus at all.

> It did not damage my HD, but my friend lost about 20 MB with its
> help.

As I said, there are many and different MtE-based viruses. I cannot
provide more information without seeing the actual infected file.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Tue, 20 Jul 93 13:09:08 -0400
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: re: First HD always C: (was: re: how to kill...) (PC)

>From:    cctr132@cantva.canterbury.ac.nz (Nick FitzGerald)

>Yes Dave, and anyone else who believes the "official", "it's documented
>all over the place", IBM/Microsoft, "after all, we built the bloody
>things/wrote the OS so we should know" line that the first hard drive in a
>PC system is always C: -- there are situations in which the first physical
>HD is D: and even E:.  Do -not- deny my experience of working on and
>with such machines by spouting what the IBM Tech Ref or whatever says.

Good heavens!  I hadn't planned to deny your experience, nor to spout
anything at all, nor even to claim that the logical C: drive is always
on the first physical hard disk.  (I can believe it isn't, and I don't
recall seeing a piece of IBM documentation lately that claimed that it
was.)  All I said was that most anti-virus programs refer to a virus
in the MBR of the first physical hard disk as being on either "80" or
"C:".  IBM AntiVirus uses "80", because as you point out it's more
accurate.

This is a problem in general; it's hard to describe in simple and
familiar terms just what some kinds of viruses are doing.  The typical
user may have no idea what "master boot record of the first physical
hard drive" means; on the other hand, using a familiar term like "C:"
instead doesn't accurately capture what's going on, and can lead to
the other sort of confusion (the user thinking he understands when in
fact he doesn't).  A hard problem.

- - -- -
David M. Chess                           Objects In Mirror
High Integrity Computing Lab                Are Closer Than They Appear
IBM Watson Research

------------------------------

Date:    Tue, 20 Jul 93 16:09:49 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: First hard drive (PC)

>From:    cctr132@cantva.canterbury.ac.nz (Nick FitzGerald)

>Yes Dave, and anyone else who believes the "official", "it's documented
>all over the place", IBM/Microsoft, "after all, we built the bloody
>things/wrote the OS so we should know" line that the first hard drive in a
>PC system is always C: -- there are situations in which the first physical
>HD is D: and even E:.  Do -not- deny my experience of working on and
>with such machines by spouting what the IBM Tech Ref or whatever says.

Now that many readers are thoroughly confused, it is my turn 8*).

In general, both Dave and Nick are right. What we have here are apples
and oranges.

First off, at the BIOS level things are very simple. Floppy disks are device
00 and 01, hard disks are device 80 and 81. These refer to physical devices
and are all that the IBM specification BIOS is designed to handle. 

Now before Nick gets excited, there is the case of a BIOS extension. This 
is firmware that resides in the ROM of an expansion board and which is 
loaded as part of the boot process. The ROM extension concept was 
incorporated by IBM in 1985 and represents the only major change to the BIOS.

Since a BIOS extension can take initial response to an INT 13 (the disk 
access instruction) away from the BIOS, it can respond in any way it chooses. 
For instance it may recognize two additional floppies as devices 02 and 03.

Now the letter designations are purely a DOS fiction and are assigned in 
order that DOS finds them. What happens is that IO.SYS (IBMIO.COM) simply
"walks" interrupt 13 looking for drives beginning with 0; each drive found
is assigned a letter starting with A:. When Int 13 generates a CY flag 
indicating a failure of the drive to respond, DOS flips the high order
bit and starts counting again: 80, 81, etc. For each responding device, a 
block is created in the device chain residing in low memory. 

The difference is that if C has not been assigned yet, DOS begins fixed disk 
numbering with C: (and if only one floppy is found, it is declared both A: 
and B: with some useful properties).

Now DOS is not limited to the IBM technical specification and simply accepts
what it finds. If it gets returns from device addresses 00, 01, and 02 - the
first hard disk will be D: (what Nick was talking about).

Once DOS has finished detecting all of the physical drives, it begins to look
for logical drives (extended partitions). Thus if a machine has two floppies
and two physical disks, the first physical disk (80) will become C:, the 
second (81) will be D, and a second logical partition on the first physical 
disk (80) will become E:. Add in Bernoullis and compressed drives (which 
load with device drivers after all of the above is done) plus drive swappers 
(how drive C: becomes drive H: when DBLSPACE loads) and things can become
*really* confusing. And then we have LAN drives...

The important thing to remember is that INT 13 drive *numbers* refer
to physical devices and do not change while DOS *letters* are logical 
assignments that are mutable. However, unless you have a board with a 
special ROM extension, or are using disk compression, the active partition 
on the first hard drive (drive 80) will be C:

The bottom line is that David is correct for 99 44/100% of all PCs (if
you have to ask...) while Nick is correct that 'taint necessarily so.

Now if you *really* want to be confused, I have this little (4Dh) byte
file that uses drive counts to set my prompt depending on whether I have 
not yet logged into one of the Novell servers, am logged in, or was once 
but am not now. *I* can't keep track but it can.

					Warmly,
						Padgett
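An added example, not Padgett's code nor anything from DOS itself: a simulation of the letter-assignment walk he describes, with the set of responding INT 13 unit numbers standing in for the BIOS and a per-disk count of logical drives standing in for the extended partitions. The behaviour with zero floppies (letters start at C:) is an assumption extrapolated from "if C has not been assigned yet".

```python
from string import ascii_uppercase as LETTERS

def walk_int13(responding, first):
    """Mimic IO.SYS probing INT 13 unit numbers upward from `first` until a unit fails
    to respond (CY set). `responding` is the constructed set of units that answer."""
    found, unit = [], first
    while unit in responding:
        found.append(unit)
        unit += 1
    return found

def assign_letters(responding, logical_per_disk=None):
    """Return [(letter, int13_unit, description)] in the order DOS hands letters out:
    floppies 00.., then fixed disks 80.. (never before C:), then the logical drives
    in each disk's extended partition."""
    logical_per_disk = logical_per_disk or {}
    table = []
    floppies = walk_int13(responding, 0x00)
    for i, unit in enumerate(floppies):
        table.append((LETTERS[i], unit, "floppy"))
    if len(floppies) == 1:
        # a lone floppy is declared both A: and B:
        table.append(("B", floppies[0], "floppy (same unit as A:)"))
    nxt = max(len(table), 2)      # fixed-disk numbering starts at C: unless C: is already taken
    fixed = walk_int13(responding, 0x80)
    for unit in fixed:            # one letter per physical disk first ...
        table.append((LETTERS[nxt], unit, "active partition"))
        nxt += 1
    for unit in fixed:            # ... then the logical drives, disk by disk
        for n in range(logical_per_disk.get(unit, 0)):
            table.append((LETTERS[nxt], unit, f"logical drive {n + 1} (extended partition)"))
            nxt += 1
    return table

def letter_of_first_fixed_disk(table):
    """The DOS letter that landed on the active partition of INT 13 unit 80."""
    return next(letter for letter, unit, what in table
                if unit == 0x80 and what == "active partition")

if __name__ == "__main__":
    cases = {
        "two floppies, two disks, one logical on 80": ({0x00, 0x01, 0x80, 0x81}, {0x80: 1}),
        "three floppies (ROM extension), one disk":   ({0x00, 0x01, 0x02, 0x80}, {}),
        "one floppy, one disk":                       ({0x00, 0x80}, {}),
    }
    for name, (units, logicals) in cases.items():
        print(name)
        for letter, unit, what in assign_letters(units, logicals):
            print(f"  {letter}: -> unit {unit:02X}  ({what})")
```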

------------------------------

Date:    Tue, 20 Jul 93 23:03:52 -0400
From:    mcafee@netcom.com (McAfee Associates)
Subject: MtE False Alarm (was Re: MTE virus was not recognized by scan106.) (PC)

Yuri Yulaev (yuri@atmos.washington.edu) writes:
>
>	I got MTE virus in my files.
>scan106/clean106 ddid not find it, but another program, NOVI did.
[...deleted...]

This is a known false alarm.  You can request a patch to fix the MtE
false alarm from Symantec by telephone at (310) 319-2020, or download
it from their BBS (I don't have the number, sorry).

SCAN V106 detects the virus as the DAME [DAME] Virus.

>It did not damage my HD, but my friend lost about 20 MB with its
>help.

With help from what?

Regards,

Aryeh Goretsky
Technical Support
- -- 
- - - - - - -  Please send your reply, if any, to Aryeh@McAfee.COM  - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX   (408) 970-9727 |  or try: support@mcafee.com
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA          | USR HST Courier DS   |  or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date:    Wed, 21 Jul 93 00:26:17 -0400
From:    "Gary Wheeler, Housing Services @2584" <wheeler@hg.uleth.ca>
Subject: "Victor Charlie" (PC)

I was fortunate enough to have received a copy of a recent "News Feed"
passed on to me from a friend from the Virus-L Digest Friday 16, Jul
1993 Volume 6 : Issue 102, which referred to the "Victor Charlie"
anti-virus program.  I am very interested in this program and would
like to know where I can obtain a copy of this program.  Unfortunately
I can not access "News" on my account here at the University of
Lethbridge (hopefully that won't last for long) so I do have to settle
for the info being sent to me by one of the operators.  This is not my
line of work here, but I am an avid "FTP'er" and user after hours on
"Internet".  That is why I am very interested in this "Victor Charlie"
program.  Thanks in advance for your time and assistance.  Gary
Wheeler

[Moderator's note: Gary - VIRUS-L is distributed via the USENET
newsgroup, comp.virus as well as via normal electronic mail.  If you
would like to subscribe to the electronic mail distribution, send a
"help" message to LISTSERV@Lehigh.edu.]

------------------------------

Date:    Wed, 21 Jul 93 06:17:47 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: Genp in partition table - what to do? (PC)

From:    brymastr@eng.umd.edu (Bryan Lee)
>How does one kill a virus residing in the partition table of a
>hard drive?  I saw a message (from VSHIELD - McAfee) about
>the virus Genp being found in the partition table - what can
>this virus do?  How is it transfered?  How can you kill it?

I don't know which virus this is,
 
But one easy trick if you have DOS 5.0 and above,  FDISK/MBR

You should do this after booting from a known clean bootable diskette. If 
you don't have a known clean bootable diskette, run FDISK /MBR. After this 
is finished cold boot the computer.

Then make a known clean bootable diskette.

Bill

------------------------------

Date:    Thu, 22 Jul 93 07:02:46 -0400
From:    johan@blade.stack.urc.tue.nl (Johan Wevers)
Subject: Re: FP-209.ZIP - F-PROT 2.09 virus scanner/disinfector (PC)

frisk@complex.is (Fridrik Skulason) writes about F-PROT 2.09:

> For certain encrypted viruses, such as PCBB.1658, which may infect
> the same file multiple times, F-PROT would only remove one "layer"
> of the virus.

Am I correct when I assume that F-PROT 2.09 removes all the layers?
- -- 
J.C.A. Wevers                 The only nature of reality is physics.
johan@blade.stack.urc.tue.nl  

------------------------------

Date:    Mon, 12 Jul 93 09:26:00 +0200
From:    Andres_Arevalo@f0.n462.z9.virnet.bad.se (Andres Arevalo)
Subject: Re: FORM Virus (PC)

 -=> Quoting Yves Riedrich to All <=-
Hello Yves!!
This is my first message in this area; I'd thank you to reply to me if you get this
message. 
 YR> From: riedrich@socrates.umd.edu (Yves Riedrich)

 YR> While using the McAfee virus scanner, I discovered the "form" virus
 YR> in my boot sector.

 YR> I tried to clean this virus off the hard drive...and got
 YR> the message "Virus can not be safely removed from boot sector"

 YR> If this has happened to you before or if you have any ideas
 YR> how to remove this from my hard drive...please send me e-mail
Have you tried with the McAfee CLEAN?
If CLEAN displays the same message, I think you'd better make a backup
 YR> Thanks in advance     Yves Riedrich
Hoping to be useful, Saludotes.               Andres.

... "What?!? This isn't the Files section?!?"
- --- FMail 0.94
 * Origin: -[ METAL KIT BBS ]-[ (91) 302-5480 ]-[ DE 24 A 10 ]- (9:345/105.0)

------------------------------

Date:    Tue, 20 Jul 93 16:23:27 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NAV virus definition file wanted (PC)

Bryan D. Jones (bdj@uafhp.uark.edu) writes:

> Anyone know where on the internet one can ftp the latest nav*.def
> file?  The last one I have is from march.  BTW I'm useing NAV 2.10

Available from our ftp site as

ftp.informatik.uni-hamburg.de:/pub/virus/progs/nav21upd.zip

The file name is always one and the same, but the archive is
constantly kept up-to-date - Symantec sends us the updates regularly.
There are also updates for NAV 2.0 - the archive name is nav20upd.zip.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Tue, 20 Jul 93 17:02:39 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Misc. things (PC)

Hello, everybody!

Well, my German language course is over (not that I succeeded in
learning German, mind you <grin>), and I have a bit more time now to
participate in the discussions - at least before my holidays at the end
of this month. Here is a short report about some things that we have
done while I didn't have time to post. If you are replying to some of
them, please change the Subject: line to something more appropriate.

===========

About a month ago, somebody sent me a program that was supposed to
destroy the hardware - the video card, more exactly. It tried to do so
by switching the video mode 64 K times. OK, we tested it. It takes
quite a lot of time to run and the monitor looks as if it is
switched off. But it didn't succeed in destroying anything, of course.
Therefore, my opinion on this subject has not changed - I have yet to
see a program that can destroy the contemporary hardware. Until then I
claim that such a program is impossible to create.

===========

Somebody pointed out to me that CPAV gets such a bad score in the
virus detection tests, because none of the testers has run the tests
with the updates distributed by CPS. OK, I got the latest signature
updates from them, updated CPAV 1.4, and ran the tests again. The
updated scanner showed an "amazing" improvement - from 62% to 68%.
Just for comparison, F-Prot easily reaches 98%.

===========

I am aware that there is a newer version of CPAV - 2.0. It is supposed
to detect and disinfect Tremor, to have heuristic analyser, and so on.
I was sent a beta-version for tests. It did detect Tremor, indeed, but
failed to remove it from the EXE files. I wanted to test how well the
heuristic analyser detects viruses by itself (without using the scan
strings for known viruses), but couldn't, because the program crashed
miserably after scanning a few Andriyshka replicants. Also, the two
executables (INSTALL.EXE and CPAV.EXE) are not compressed and contain
some wildcard virus signatures in unencrypted form. This causes false
positives to some other scanners when they are scanning the CPAV
package. CPS is well aware of the problem, but has failed to fix it
for several years, even though fixing it from their side is more
than trivial.

============

Yisrael Radai's paper on integrity checking (in PostScript format) is
available from our ftp site as

ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/hashn60.zip

I am -strongly- recommending this paper together with mine
(attacks.zip) to anybody who is involved in the design and
development of integrity checking software. Those two papers are a
must for such people. In short, Yisrael's paper describes how to
implement integrity checking (correctly!), while mine describes how
NOT to implement it (i.e., which goof-ups to avoid).

===========

Frisk's F-Prot 2.09 is out and available from our ftp site. It seems
to detect the Tremor virus reliably, although I have not performed
detailed tests. The documentation (the file NEW_VIR.DOC) contains 
Frisk's PGP public key. Get it and keep it carefully. I would advise 
Frisk to include with the new versions of his product PGP detached 
signatures of the executable files. This way, everybody who has PGP 
and Frisk's public key will be able to verify that the new version 
really comes from him - and no forging will be possible. Frisk, you 
should also include your public key in your .plan file, so that it 
can be obtained from you with the finger command by those people who 
are using Unix.

===========

I have updated the CARO naming scheme and the comparative virus naming
lists on our ftp site (in the /pub/virus/texts/tests/ directory). This
is the last time I am publishing the comparative report of the three
scanners (FindVirus, F-Prot, and SCAN). When I return from my
holidays, I'll begin to regularly publish single-scanner reports. That
is, a three-column report, containing the name of the file, the full
CARO name of the virus in it, and the name used by one particular
scanner. I intend to do this kind of service for many scanners -
currently I am ready to do it for FindVirus, F-Prot, TbScan, IBM
Antivirus/DOS, UTScan, AVP, VET, HTScan, and AVScan. Probably very
soon I'll be able to do it for VirX, PCVP, and NAV. The scanners
produced by members of CARO will have priority, but I intend to test
also other scanners, if they respond to a particular set of
conditions. I'll publish those conditions when I return from my
holidays.

===========

An updated version of Eugene Kaspersky's program AVP is available on
our site. The first time I mentioned it, I said that it cannot detect
the MtE-based viruses reliably - I was wrong. My mistake was caused by
not performing the full tests correctly. It -is- able to detect the
MtE-based viruses reliably. The updated version is also able to detect
reliably Tremor and many other viruses. Its detection rate is about
95% (measured only on the file infectors of our virus collection),
which puts it somewhere between F-Prot (98%) and SCAN (93%). One known
bug - it hangs under DesqView.

The full updated version is in the file avp_106b.zip. Those of you who 
already have the previous version can download only the update, which
is in the file avp_updt.zip.

===========

Well, that was all I could think of; if there is something additional,
I'll post a follow-up.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------
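
The check Vesselin asks for above (a detached PGP signature shipped with each release, verified against a public key the user already holds), as an added example that is not part of the digest and not Frisk's or PGP's own code. It uses GnuPG rather than PGP 2.3, assumes "gpg" is on the PATH, and pins a placeholder fingerprint; the status lines it parses offline are constructed to look like gpg --status-fd output and do not come from any real key.

```python
"""Verify a vendor's PGP detached signature and pin the signing key.

Added example (not from the digest, not Frisk's or PGP's own code). It
assumes GnuPG's "gpg" is on the PATH and that the vendor's key fingerprint
was obtained out of band (printed documentation, a finger .plan) and stored
in TRUSTED_FPR. The fingerprint and the sample status lines below are
constructed placeholders, not Frisk's real key.
"""
import subprocess
from typing import Optional

# Hypothetical fingerprint; replace with the publisher's real one, obtained out of band.
TRUSTED_FPR = "1111222233334444555566667777888899990000"


def parse_status(status_text: str) -> dict:
    """Reduce gpg --status-fd output to the fields that matter for a verdict."""
    r = {"goodsig": False, "badsig": False, "no_pubkey": False,
         "keyid": None, "fpr": None, "primary_fpr": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        f = line.split()
        tag = f[1]
        if tag == "GOODSIG":
            r["goodsig"] = True
            r["keyid"] = f[2]
        elif tag == "BADSIG":
            r["badsig"] = True
        elif tag == "NO_PUBKEY":
            r["no_pubkey"] = True
        elif tag == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd> <pkalgo> <hash> <class> [<primary fpr>]
            r["fpr"] = f[2]
            r["primary_fpr"] = f[-1] if len(f) >= 12 else f[2]
    return r


def signer_is_trusted(status_text: str, trusted_fpr: str) -> bool:
    """A 'good signature' alone proves only that some key in the keyring signed.
    Accept only when gpg verified the signature AND the key is the pinned one."""
    r = parse_status(status_text)
    if r["badsig"] or r["no_pubkey"] or not r["goodsig"] or r["fpr"] is None:
        return False
    want = trusted_fpr.replace(" ", "").upper()
    return want in (r["fpr"].upper(), r["primary_fpr"].upper())


def verify_detached(archive: str, sig_file: str, trusted_fpr: str = TRUSTED_FPR,
                    keyring: Optional[str] = None) -> bool:
    """Run gpg on a detached signature file next to the archive and pin the signer."""
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:  # optional: a dedicated keyring holding only vendor keys
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_file, archive]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return signer_is_trusted(proc.stdout, trusted_fpr)


# Constructed sample status output, shaped like gpg --status-fd, for offline use.
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 5566777788889999 Example Vendor <vendor@example.org>\n"
    "[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2023-07-20 "
    "1689811200 0 4 0 1 8 00 1111222233334444555566667777888899990000\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
# Same shape, but signed by a different (attacker-controlled) key.
STATUS_GOOD_WRONG_KEY = STATUS_GOOD.replace(
    "1111222233334444555566667777888899990000",
    "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF")
STATUS_BAD = ("[GNUPG:] NEWSIG\n"
              "[GNUPG:] BADSIG 5566777788889999 Example Vendor <vendor@example.org>\n")
STATUS_NOKEY = ("[GNUPG:] NEWSIG\n"
                "[GNUPG:] ERRSIG 5566777788889999 1 8 00 1689811200 9\n"
                "[GNUPG:] NO_PUBKEY 5566777788889999\n")
```

The fingerprint pin is the part that makes the scheme work: "Good signature" on its own only says that some key in the user's keyring produced the signature, and a forger who gets his own key into that keyring (or publishes a fake "Frisk" key) gets the same verdict. That is why the public key has to reach the user through a channel the attacker does not control, such as the documentation or the .plan file mentioned above, and why the verifier compares the fingerprint rather than the name on the key.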

Date:    Tue, 20 Jul 93 18:27:15 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MTE virus was not recognized by scan106. (PC)

Michal Weis or INFI (WEIS@cc.elf.stuba.cs) writes:

> scan fails in detection of Groove (scan 100 for sure, I didn't test the latest
> scan, but it probably fails too). NOVI? It's unknown to me.

This is old news. The contemporary versions of SCAN are able to detect
the currently known MtE-based viruses reliably - including Groove.

> So MtE is not a virus but a decryptor algorithm. And it's not so easy to

Not quite. MtE is a library routine, which encrypts a piece of code,
generates a random decryptor, and prepends this decryptor to the
encrypted code.

> detect it (you must use an internal debugger for detection) - so there are

This is, indeed, one of the ways, but it is not the only one.

> many false positives. So the answer is: it is an MtE virus and scan fails in
> the debugger, or there is no virus with MtE and NOVI fails in the debugger.

I do not think that any of the two products uses the debugging
techniques you are assuming (but I might be wrong; haven't
disassembled SCAN recently).

> The only problem is that a few anti-virus programs in the world can remove
> MtE infections (I think the new Findviru (by Solomon) can remove it - if not,
> try TBAV (but it fails on MtE in 40% of cases)

Interestingly, CPAV/MSAV also can remove -some- MtE-based viruses. And
it does use the debugging techniques you are referring to.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------
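
A toy model of the mechanism Vesselin describes (encrypt the virus body, generate a random decryptor, prepend it) and of the two detection approaches the exchange touches on: a plain scan string on the stored file versus running the decryptor under an emulator (the "internal debugger") and scanning what comes out. This is an added example, not code from the digest and not the real MtE: the real engine emits x86 decryptors, whereas this one uses a constructed six-opcode bytecode so that engine, scanner and emulator fit on one screen; the virus body and its scan string are made up.

```python
"""Toy model of an MtE-style engine and of two ways to detect what it produces.

Added example, not from the digest and not the real MtE. The real engine emits
x86 decryptors; this one uses a constructed six-opcode bytecode so the engine,
a scanner and an emulator all fit on one screen. Body and signature are made up.
"""
import random
from typing import Optional, Tuple

# Constructed toy instruction set (hypothetical, not x86).
NOP, MOV_KEY, MOV_CNT, DEC_XOR, DEC_SUB, END = 0x00, 0x10, 0x20, 0x30, 0x31, 0xFF

BODY = b"VIRUS-BODY-SIGNATURE-PAYLOAD"   # constructed plaintext "virus" body
SIGNATURE = b"BODY-SIG"                  # constructed scan string for that body


def mutate(body: bytes, rng: random.Random) -> bytes:
    """Encrypt body with a random key and prepend a freshly generated decryptor."""
    assert 0 < len(body) < 256
    key = rng.randrange(1, 256)               # key 0 would leave the body in clear
    op = rng.choice([DEC_XOR, DEC_SUB])
    if op == DEC_XOR:
        enc = bytes(b ^ key for b in body)
    else:                                     # decryptor subtracts, so encrypt by adding
        enc = bytes((b + key) & 0xFF for b in body)
    setup = [bytes([MOV_KEY, key]), bytes([MOV_CNT, len(body)])]
    rng.shuffle(setup)                        # vary instruction order
    decryptor = bytearray()
    for instr in setup + [bytes([op]), bytes([END])]:
        decryptor += bytes([NOP]) * rng.randrange(0, 4)   # random junk between instructions
        decryptor += instr
    return bytes(decryptor) + enc


def parse_decryptor(sample: bytes) -> Optional[Tuple[int, int, int, int]]:
    """Walk the decryptor grammar without executing it.
    Returns (key, count, op, body_offset), or None if the prefix is not a decryptor."""
    key = cnt = op = None
    i = 0
    while i < len(sample):
        b = sample[i]
        if b == NOP:
            i += 1
        elif b in (MOV_KEY, MOV_CNT) and i + 1 < len(sample):
            if b == MOV_KEY:
                key = sample[i + 1]
            else:
                cnt = sample[i + 1]
            i += 2
        elif b in (DEC_XOR, DEC_SUB):
            op = b
            i += 1
        elif b == END:
            if key is None or cnt is None or op is None:
                return None
            return key, cnt, op, i + 1
        else:
            return None
    return None


def emulate(sample: bytes) -> Optional[bytes]:
    """The 'internal debugger' approach: execute the decryptor, return the decrypted body."""
    parsed = parse_decryptor(sample)
    if parsed is None:
        return None
    key, cnt, op, off = parsed
    enc = sample[off:off + cnt]
    if len(enc) != cnt:
        return None
    if op == DEC_XOR:
        return bytes(b ^ key for b in enc)
    return bytes((b - key) & 0xFF for b in enc)


def scan_raw(sample: bytes, signature: bytes) -> bool:
    """Plain scan string on the file as stored: defeated by the encryption."""
    return signature in sample


def scan_with_emulation(sample: bytes, signature: bytes) -> bool:
    """Decrypt first, then scan the recovered body."""
    body = emulate(sample)
    return body is not None and signature in body


def demo(seed: int = 7, n: int = 20) -> dict:
    """Generate n mutations of BODY and compare the two detection approaches."""
    rng = random.Random(seed)
    samples = [mutate(BODY, rng) for _ in range(n)]
    return {
        "raw_hits": sum(scan_raw(s, SIGNATURE) for s in samples),
        "emulated_hits": sum(scan_with_emulation(s, SIGNATURE) for s in samples),
        "distinct_decryptors": len({s[:parse_decryptor(s)[3]] for s in samples}),
        "all_bodies_recovered": all(emulate(s) == BODY for s in samples),
    }


if __name__ == "__main__":
    print(demo())
```

Every mutation carries the same body under a different key, a different decryption operation, a different instruction order and different junk padding, so no fixed string survives across samples and the raw scan never fires. The emulator recovers the body every time, and the signature then matches. Note that parse_decryptor on its own is a second, cheaper detection route: it recognises the decryptor's structure without executing anything, which also shows why debugger-free approaches exist alongside emulation.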

Date:    Tue, 20 Jul 93 18:39:27 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Genp in partition table - what to do? (PC)

Bryan Lee (brymastr@eng.umd.edu) writes:

> How does one kill a virus residing in the partition table of a
> hard drive?  I saw a message (from VSHIELD - McAfee) about
> the virus Genp being found in the partition table - what can
> this virus do?  How is it transferred?  How can you kill it?

Phew, a second "generic virus" request in two issues - maybe this
should go in the FAQ...

THERE IS NO SUCH THING AS -THE- GENB (or GENP, or Generic Boot, or
whatever) VIRUS! McAfee's SCAN uses a special short scan string (with
wildcards), which matches many of the existing boot (or MBR) viruses
and makes the assumption that this piece of code is often found in
boot sector viruses. Therefore, if it fails to detect a known virus in
one of the boot sectors, but does detect this short piece of code, it
announces that it has found the GenP or the GenB virus.

THIS IS NOT A PARTICULAR VIRUS, so it is useless to ask what it does.
It is not even certain that it is really a virus, although this is
quite probable. The "GenB" and the "GenP" viruses are matched by one
and the same string, the difference comes from where the string is
found. If it is found in the MBR, the GenP virus is reported. If it is
found in the DBS - the GenB virus is reported.

This report means nothing more than: "Look, I have found a short
piece of code in the MBR (or in the DBS), which is often present in
boot sector viruses. This is extremely suspicious, so the boot sector
is probably infected. However, I have really no idea with what it is
infected; in any case it is not a virus that I know."

To remove such viruses, use "CLEAN [GenP]" (or FDISK /MBR from DOS 5.0
or above) or "CLEAN [GenB]" (or SYS). This often works, but is not
guaranteed to. In general, treat it as an unknown virus and send a
copy to the anti-virus researchers.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------
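
A toy model of the heuristic Vesselin describes above: known scan strings are tried first, and only when none matches does a short wildcarded string decide between "GenP" (hit in the master boot record) and "GenB" (hit in the DOS boot sector). This is an added example, not code from the digest and not McAfee's: the scan strings, the virus name and the sector images are constructed for illustration, and SCAN's real generic string is not given in the text and is not reproduced here.

```python
"""Toy model of the 'GenP / GenB' heuristic.

Added example, not from the digest and not McAfee's code. The scan strings,
virus name and sector images are constructed for illustration; SCAN's real
generic string is not given in the text and is not reproduced here.
"""
import re
from typing import Dict, Optional

SECTOR_SIZE = 512
BOOT_MAGIC = b"\x55\xaa"

# Scan strings are hex bytes with "??" as a one-byte wildcard (all hypothetical).
KNOWN_SIGNATURES: Dict[str, str] = {
    "Example.Boot.A": "B8 00 7C 8E D8 BE 00 7C ?? ?? CD 13",
}
# The short, wildcarded fragment that many boot-sector viruses share
# (here: cli / zero AX / set SS:SP below 7C00h / sti ... / int 13h).
GENERIC_STRING = "FA 33 C0 8E D0 BC ?? 7C FB ?? ?? ?? CD 13"


def compile_scan_string(spec: str) -> re.Pattern:
    """Turn 'B8 00 ?? CD 13' into a bytes regex; '??' matches any single byte."""
    parts = []
    for tok in spec.split():
        parts.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def classify_disk(mbr: bytes, dbs: bytes) -> Optional[str]:
    """Mimic the scanner's logic: a known virus name first, otherwise GenP/GenB by location."""
    for sector in (mbr, dbs):
        if len(sector) != SECTOR_SIZE or sector[-2:] != BOOT_MAGIC:
            raise ValueError("not a 512-byte boot sector ending in 55AA")
    for name, spec in KNOWN_SIGNATURES.items():
        pat = compile_scan_string(spec)
        if pat.search(mbr) or pat.search(dbs):
            return name
    generic = compile_scan_string(GENERIC_STRING)
    if generic.search(mbr):
        return "GenP"   # the same string, found in the partition (master boot) sector
    if generic.search(dbs):
        return "GenB"   # the same string, found in the DOS boot sector
    return None


def make_sector(code: bytes) -> bytes:
    """Pad constructed code out to a 512-byte sector ending in 55AA."""
    assert len(code) <= SECTOR_SIZE - 2
    return code + b"\x00" * (SECTOR_SIZE - 2 - len(code)) + BOOT_MAGIC


# Constructed sector images (not real boot code).
CLEAN = make_sector(b"\xeb\x3c\x90MSDOS5.0")
GENERIC_ONLY = make_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb\x50\x07\x50\xcd\x13")
KNOWN_VIRUS = make_sector(b"\xb8\x00\x7c\x8e\xd8\xbe\x00\x7c\x33\xdb\xcd\x13")
```

The verdict string carries the location, not an identity: the same generic pattern produces "GenP" from the MBR and "GenB" from the DOS boot sector, and a known name wins whenever a specific signature also matches. Because the generic string only encodes behaviour that boot-sector viruses tend to share, a hit is a reason to treat the sector as an unknown infection and send a copy to researchers, not a diagnosis; the same caution applies to the generic repairs, since FDISK /MBR rewrites only the MBR's code area and leaves the partition table as it finds it.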

Date:    Tue, 20 Jul 93 14:26:36 -0400
From:    James Ford <JFORD@UA1VM.UA.EDU>
Subject: New file on risc (PC)

The file fp-209.zip has been placed on risc.ua.edu (130.160.4.7) for
anonymous FTP in the directory /pub/ibm-antivirus.

- -- jf

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 105]
******************************************
