To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #107
--------
VIRUS-L Digest   Thursday, 29 Jul 1993    Volume 6 : Issue 107

Today's Topics:

Virus Calendar
Re: Viruses that cost $$$ (monitor faults)
Re: Unix Scanners (UNIX)
Re: Type 4 virus (Mac)
Re: Type 4 virus, where to get Mac anti-viral software (Mac)
Please help! (Removing Generic Boot Virus) (PC)
HELP on DIR 2 Virus (PC)
Vshield and Windows (PC)
Joshi Virus (PC)
possible virus? (PC)
info on 1530 and Chile Medeira? (PC)
Re: Other "resting" places (CVP)
Virus that damages harddrives (PC)
Flash ROM BIOS and viruses. (PC)
Dudley [odud] virus ? (PC)
Name this virus (PC) ?
Re: Arj-virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 27 Jul 93 20:30:45 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Virus Calendar

From:    Schwartz_Gabriel@f101.n9721.z9.virnet.bad.se (Schwartz Gabriel)

>TO: axtlp@acad2.alaska.edu
>I think VSUM from Patricia Hoffman has all the viruses database including 
>viruses dates.  

Vsum does have a list of virus activation dates, but it's not as complete 
as I would like.

Bill 

------------------------------

Date:    Wed, 28 Jul 93 06:25:27 -0400
From:    A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: Re: Viruses that cost $$$ (monitor faults)

Olivier MJ Crepin-Leblond <o.crepin-leblond@ic.ac.uk> wrote on Fri 23 Jul 93
07:23:12 -0400 (Subject: Re: Viruses that cost $$$):-

  > ... TVs & monitors don't like having either `no signal' or a floating
input. It often happens that a PC in a lab here is switched off, and the
monitor left on. On one particular brand, we've had 100% failure rate when
that happens. Each time, we've had to have the Power supply replaced. In
another incident, we left one of our router's monitors on by mistake
overnight. The router crashed, the video card sent `god-knows-what' to the
monitor and next day when we came in the monitor had blown its fuse, and there
was a distinctive burning smell emanating from its vents. We had to trash it.
Not a faulty monitor to start with: it was working perfectly fine every day
before the incident.

  How long have TVs and VDUs been around, and still the scientists can't
design them all to 100% reliably tolerate such a likely and ordinary event as
being left switched on with no signal coming in!?!?!? Qu'vatlh!

------------------------------

Date:    Tue, 27 Jul 93 16:18:32 -0400
From:    volf@eb.ele.tue.nl (Frank Volf)
Subject: Re: Unix Scanners (UNIX)

craig.williamson@columbiasc.ncr.com (Craig Williamson) writes:

>frisk@complex.is (Fridrik Skulason) writes:
>>Martin@salig.demon.co.uk (Martin Overton) writes:
>>>2. Are there any virus scanners available for UNIX?

>>There are several, but many of them only scan Unix File servers for PC 
>>viruses.  Those that attempt to scan for UNIX viruses are much better at
>>finding "suspicious things" in general, than in finding the above "research"
>>viruses ... in fact, they may totally miss them.

>Where can I get one?  Right now I have to use my PC and I can't use it
>during that time and also it generates unnecessary network traffic.

Yes, I would be interested too. We are using a PC-NFS network in which 
PCs mount directories on a UNIX system (Apollo).
It is *impossible* to test these directories for viruses from the PC side
(there is no superuser access possible over NFS), so I must test for
viruses from the UNIX side!

So, where can I get such a scanner?
 
>Craig
>                                           "Behind every dark cloud, 
>- -Craig Williamson                           there's usually rain." 
> Craig.Williamson@ColumbiaSC.NCR.COM      - Mike Nesmith,  The Monkees
> craig@toontown.ColumbiaSC.NCR.COM (home)

Best regards,  Frank
- -- 
Frank Volf (volf@eb.ele.tue.nl)
Eindhoven University of Technology
Digital Systems Group, Room EH11.24
P.O. 513, 5600 MB Eindhoven, The Netherlands

------------------------------

Date:    Tue, 27 Jul 93 21:10:15 -0400
From:    mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: Re: Type 4 virus (Mac)

I said...

> The only way to be certain of what's on your hard drive is to use a
> current antiviral utility, such as Disinfectant 3.1.

As an observant reader pointed out, what I meant to say is "such as
Disinfectant 3.2." :-)  Version 3.2 is current, and all users should be
certain that's what they're using.

=========================================================================
 Mark H. Anbinder                  |       Technical Support Coordinator
 BAKA Computers Inc.               |               mha@baka.ithaca.ny.us
 200 Pleasant Grove Road           |                (or) mha@tidbits.com
 Ithaca, New York 14850 USA        |    Phone 607-257-2070  Fax 257-2657
=========================================================================
Cartoon Law 8: Any violent rearrangement of feline matter is impermanent.
=========================================================================

------------------------------

Date:    Thu, 29 Jul 93 02:50:20 -0400
From:    kram0027@student.tc.umn.edu (Michelle G Kramer-1)
Subject: Re: Type 4 virus, where to get Mac anti-viral software (Mac)

mha@baka.ithaca.ny.us (Mark Anbinder) writes:
>The only way to be certain of what's on your hard drive is to use a
>current antiviral utility, such as Disinfectant 3.1.  This is
	The current Disinfectant version is 3.2 and you can get it:
>available free from most user groups and online services, and from
>many dealers and other organizations.
and straight from the source via ftp:
ftp.acns.nwu.edu, cd pub/disinfectant

Gatekeeper is another fine antiviral product which provides more generic
protection than Disinfectant (they complement each other nicely).  Gatekeeper
(current version is 1.2.7) is also free, and available from online services
and user groups and ftp to:
microlib.cc.utexas.edu, cd microlib/mac/virus

>Please feel free to let me know if you have any other questions or
>need further help in diagnosing the problem.
Ditto.
- -- 
One likes to believe in the freedom of music.

------------------------------

Date:    Tue, 20 Jul 93 06:55:00 +0200
From:    Fred_Janssen@f1.n9931.z9.virnet.bad.se (Fred Janssen)
Subject: Please help! (Removing Generic Boot Virus) (PC)

 > A friend's computer was recently infected by the
 > Generic Boot Virus.
[...]
 > Any ideas or suggestions?

Boot from a write-protected clean floppy disk with the SYS command on it.

Then issue a SYS C: and smile...

Problem solved.

Regards,
Fred

- ---
 * Origin: Fred's Home (9:9931/1)

------------------------------

Date:    Mon, 26 Jul 93 07:09:26 -0400
From:    9239561@rkw-lan.cs.up.ac.za (KRUGER S)
Subject: HELP on DIR 2 Virus (PC)

Can anybody help me with a DIR II virus.
I would like to know if there is a cure for it, and if so, where I can 
obtain it.
I would appreciate any answer helping me with the virus.
Must the hard drive be formatted, or is there something else that I can do?
Thanks!!

S.Kruger
Skruger@rkw-risc.cs.up.ac.za

------------------------------

Date:    Mon, 26 Jul 93 10:52:09 -0400
From:    cctb@kudu.ru.ac.za (Tim Bouwer)
Subject: Vshield and Windows (PC)

Hi

I have a problem with using Vshield and Windows - I have had the same
symptoms with 104 and 106.

In summary, what happens is that I have three DOS windows in my
startup group - they start minimised.  Two of them are simply DOS windows
with default directories pointing to two different Novell file servers 
and the third starts up telbin (CUTCP) in server mode.

I have run the option in Vshield which sets up the windows message
mechanism for vshield.

What happens is that when I start windows with Vshield loaded at least
two (sometimes all three) of the icons flash with a "violated system
integrity" message when the startup group fires them up.  If I take them
out of startup and start them manually once windows is loaded they work
fine.

I load vshield before I log into novell and after loading ipx and netx.
At the moment I am removing vshield (vshield /remove) just before
starting windows but that is obviously not the ideal situation.

The following are my setup details:

My Config.sys:

buffers=20
files=40
device=C:\WIN\HIMEM.SYS
device=C:\WIN\EMM386.EXE x=ca00-cfff noems
device=c:\bin\netdev.sys
dos=high,umb
shell=c:\command.com /e:6500 /p
STACKS=9,256

My Autoexec.bat:

C:\WIN\SMARTDRV.EXE
@verify on
@Prompt $t$h$h$h$h $p$g
@Ver
@path c:\dos;c:\bin;c:\win;c:\4dos
@loadhigh wd8003e -n -w -d 0x7e 5 0x300 0xca00
@set configtel=c:\etc\config.tel
@echo ---------- Installing Novell ------------------
@loadhigh ipxbyu
@loadhigh netx ps=giraffe
@loadhigh C:\WIN\mouse.COM /Y
@loadhigh f:swatcher.com
@doskey
@f:\login\vshield /chkhi /nobreak
@f:
SET TEMP=C:\TMP

- --

| Tim Bouwer                   /~~~~--~\ Tel +27 [0]461 318233/318279 |
| Computing Centre             \___     \_  FAX: +27 [0]461 25049     |
| Rhodes University                \     /                            |

------------------------------

Date:    Thu, 22 Jul 93 07:20:00 +0000
From:    Yuri Stefanov <yuri.stefanov@p27.f20.n467.z2.fidonet.org>
Subject: Joshi Virus (PC)

To: Dennis Bayomi

Hello, Dennis!

01 Jan 42, Dennis Bayomi wrote to [NONAME]:

 DB> @REPLYADDR bayomi@bldghsc.lan1.umanitoba.ca
 DB> @REPLYTO 2:467/2 uucp
 DB> Hello everyone - we've recently discovered a virus called "Joshi" on a 286
 DB> clone running MS-DOS 5.  It seems to be a classic case of a youngster
 DB> bringing home a game disk and inadvertently infecting his parent's
 DB> computer.

It's quite an old virus, so use VIRUSCAN by McAfee Associates 9.15V104.
Detect the virus using SCAN.EXE and remove it using CLEAN.EXE. If you are
sure that it was Joshi, just use and enjoy: clean <drive> [Joshi]

    Sincerely Yours
          Yuri Stefanov.

- --- GEcho/beta
 * Origin: 
#Via Tesseract Corner GATE (2:467/2.100@FidoNet)

------------------------------

Date:    Mon, 26 Jul 93 23:06:29 +0000
From:    pdavies@alchemy.chem.utoronto.ca (Paul Davies)
Subject: possible virus? (PC)

This is what I have experienced.  I have noticed that there seems to be
a bit too much disk activity, most notably when Windows is loading.
This might just be paranoia.

My computer has crashed a few times when running Telix.  One time when
running Telix my machine froze up and there were (random?) flashing
characters all over the screen.  I thought that this was the behaviour
of a known virus.

I used the latest version of McAfee Scan (106) on my machine and it did
not find anything.

I am currently running DOS 5 and Windows 3.1.

thanks,

Paul

- -----------------------------------------------------------------------------
                                 | "The effects of technology do not occur
Paul Davies                      | at the level of opinions or concepts, but
pdavies@alchemy.chem.utoronto.ca | alter sense ratios or patterns of per-
                                 | ception steadily and without resistance."
                                 |  - Marshall McLuhan
- -----------------------------------------------------------------------------

------------------------------

Date:    Tue, 27 Jul 93 14:06:37 -0400
From:    mjmunoz@toconao.usach.cl (Marcelo J. Mun~oz C.)
Subject: info on 1530 and Chile Medeira? (PC)

holaholahola!!!

	Could you post or mail some info on the 1530 and Chile Medeira viruses,
please? It seems Viruscan 106 is not detecting 1530 in files, but it does
when it's loaded in memory... (am I right?). Please check it and post
the results, OK?

	Thanks a lot..

Marcelo J. Mu~oz C.
mjmunoz@toconao.usach.cl

------------------------------

Date:    Tue, 27 Jul 93 15:52:04 -0400
From:    Anthony Naggs <amn@ubik.demon.co.uk>
Subject: Re: Other "resting" places (CVP)

Rob Slade, <roberts@decus.ca>, writes:
>
> In addition to tracks outside of, and between, normal formats, there
> is substantial space between the sectors on a disk.  ...

Typically 90 bytes between sectors on a 360k or 720k floppy disk.

> ... There are
> programs which can increase the number of sectors so as to increase
> the space on disk.  However, it is also possible to use the
> additional space without formatting additional sectors, simply by
> writing information to the space between.  ...

'simply writing information between sectors'?

I don't think 'simple' is the word.  I'll discuss this further in a
moment.

> ... This fact has
> occasionally been used for the purposes of copy protection with
> commercial software.

There are two reasons for this:
1.  It is a lot easier to read the 'extra data' than to write it.
2.  The 'extra data' on a software distribution diskette is unlikely
    to be corrupted by subsequent disk use.

INTRODUCTION
    Before discussing this in too much depth, it is important to realise
    that different computer systems use diskettes in slightly different
    ways:
    +   IBM compatible PCs use an NEC 765 FDC (floppy diskette controller),
    +   Atari STs use a Western Digital 1772 FDC,
    +   Commodore Amigas use proprietary circuits.

    [   Recent Apple MACs use a format compatible with the NEC 765 for    ]
    [   1.44Mb and larger diskettes, but 800k disks and earlier systems   ]
    [   (II's, III's and Lisas) use a proprietary format that does not    ]
    [   seem to be documented.  However, I shall not make any further     ]
    [   references to Apple computers in this message.                    ]

BACKGROUND
    The FDCs in PCs and STs have the task of controlling the diskette
    drives, and reading & writing sectors of data.  The data is stored on
    the disk in IBM System 34 format.  This places data sectors around a
    disk track, with gaps in between.  The gaps allow timing errors when
    data is rewritten to sectors, (a correctly functioning floppy disk
    drive can vary in speed by +/- 2%, thus changing the length of the
    sector).  In such a hostile environment data placed between sectors is
    likely to become corrupted.

    The Commodore Amiga also uses sectors to store data, but it always
    reads and writes a whole track at a time.  So it does not need the gaps
    between sectors at all (or the sector numbering information, etc..),
    and can fit more sectors on each track.  This leaves very little
    spare space on a track, and guarantees to destroy 'extra data' on all
    tracks that are modified.

IS IT POSSIBLE TO READ BETWEEN SECTORS?
    Both the ST and PC controllers can read the data between sectors, by
    using a "read track" or "diagnostic read" function.  However there are
    two problems:
    +   Neither the PC or ST offer builtin functions for this, so the virus
        author must program it himself.  First finding a buffer big enough
        to read a whole track.  Second, programming the diskette controller
        to perform the required function, and third to configure the DMA
        (direct memory access) circuits to correctly transfer the data to
        the buffer.
    +   The 'extra data' cannot include synchronisation information; unless
        it is accurately aligned with the preceding data sector, it will
        read back as garbage.

IS IT POSSIBLE TO WRITE BETWEEN SECTORS?
    Here the FDCs used in PC and ST computers diverge.

    The 1772 has a 'write track' command, which writes data both in the
    data sectors and the gaps between.  However the data values are limited
    as the 1772 interprets some values as special commands, (eg place a
    start of sector mark on the disk, etc..).  Normally the 'write track'
    command is used to format a disk track.

    The 765 does not have a 'write track' command, and uses a simpler
    'format track' command when formatting.  The only available method to
    write between sectors is:
    +   Read two consecutive sectors from a disk.
    +   Write a larger than normal sector (eg 1024 bytes instead of 512)
        where the first sector was, with the 'extra data' at the correct
        offset.
    +   Write the first sector back, skip the 'extra data' and write the
        second sector back.
    [Actually it is even more complicated, as the 'format track' command
    must be used to change sector sizes and positions].

CONCLUSION
    Altogether it is a great deal of effort for very small chance of
    successfully hiding and recovering a small amount of information.  As
    a virus must already gain control of the computer in order to access
    the gaps between sectors, it seems unlikely that any virus author would
    spend the time and effort to do so.

    So, it is not impossible to use the space between sectors in a virus -
    but I sincerely doubt that anyone capable will do so.

For further information, check the data published by NEC and Western
Digital about their FDC circuits, and the Commodore Amiga reference books
(published by Addison-Wesley).

> Both of these "hiding places" are so well hidden that viral programs
> infecting them would never have a chance to become active.
> Therefore viri using them would have to "start" with normally
> infected files or boot sectors.  The initial viral code would have
> to provide the means to access the extra tracks or "extra-sector"
> space, and then use the "hiding space" in order to store additional
> code.  (This is, in fact, already happening to a limited extent.
> The Joshi virus stores part of itself and the original boot sector
> on an "additional" track.)

Denzuko ("den zuko" ?) is probably the first PC virus to format and store
data on an extra diskette track.  This elegantly avoids the corruption
of directory and file information that most other boot sector viruses are
likely to cause, and the sudden appearance of "BAD clusters" that Brain
causes.  However not all disk drives can access the extra tracks, and the
disk media becomes less reliable near the centre of the disk.

Hope this helps,
Anthony Naggs                 Email:                  Paper mail:
 Software/Electronics Engineer amn@ubik.demon.co.uk    P O Box 1080, Peacehaven
 & Computer Virus Researcher   [or xa329@city.ac.uk]   East Sussex  BN10 8PZ
 Phone: +44 273 589701                                 Great Britain
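
[Editor's added example. The Python below is not part of Anthony Naggs's
message and is not code from any program the digest mentions. It models one
diskette track as a byte array using the figures given above (512-byte
sectors, 90-byte gaps, +/-2% drive speed tolerance) and shows two things:
gap data is visible to a whole-track diagnostic read but never to an
ordinary sector read, and rewriting the preceding sector on a drive at the
edge of tolerance clobbers the first few bytes of the gap. The layout has no
index gap, ID fields or CRCs; that, and the linear stretch model of speed
error, are simplifications assumed for the example.]

```python
"""Toy model of a System 34 diskette track: sectors with gaps between them.

Editor's added example, not code from the VIRUS-L digest. Assumed figures:
512-byte sectors, 90-byte gaps, +/-2% speed tolerance (all quoted in the
message); no index gap, ID fields or CRCs (simplifications)."""

SECTOR_BYTES = 512
GAP_BYTES = 90           # typical inter-sector gap on a 360k/720k diskette
SPEED_TOLERANCE = 0.02   # a correctly working drive may be +/-2% off speed
GAP_FILL = 0x4E          # byte value a formatter lays down in the gaps


def overrun_margin() -> int:
    """Gap bytes a rewrite of the preceding sector can reach at worst-case speed."""
    return int(round(SECTOR_BYTES * SPEED_TOLERANCE))


class Track:
    def __init__(self, sectors: int) -> None:
        self.sectors = sectors
        self.pitch = SECTOR_BYTES + GAP_BYTES
        self.media = bytearray([GAP_FILL]) * (sectors * self.pitch)

    def _sector_off(self, n: int) -> int:
        if not 0 <= n < self.sectors:
            raise IndexError("no such sector")
        return n * self.pitch

    def _gap_off(self, n: int) -> int:
        return self._sector_off(n) + SECTOR_BYTES

    def read_sector(self, n: int) -> bytes:
        """What the ordinary BIOS/DOS read-sector path returns: data only."""
        o = self._sector_off(n)
        return bytes(self.media[o:o + SECTOR_BYTES])

    def read_track(self) -> bytes:
        """The FDC 'read track' / diagnostic read: every byte, gaps included."""
        return bytes(self.media)

    def hide_in_gap(self, n: int, payload: bytes, offset: int = 0) -> None:
        """Stash payload in the gap after sector n (needs raw controller access)."""
        if offset < 0 or offset + len(payload) > GAP_BYTES:
            raise ValueError("payload does not fit in the gap")
        o = self._gap_off(n) + offset
        self.media[o:o + len(payload)] = payload

    def recover_from_gap(self, n: int, length: int, offset: int = 0) -> bytes:
        o = self._gap_off(n) + offset
        return bytes(self.media[o:o + length])

    def write_sector(self, n: int, data: bytes, speed_error: float = 0.0) -> int:
        """Rewrite sector n. speed_error is the writing drive's speed relative
        to the drive that formatted the disk (+0.02 = 2% fast). The bit rate
        is fixed, so a fast drive spreads the same 512 bytes over more of the
        track and the tail of the write runs into the gap. A slow drive writes
        a shorter sector and leaves the gap alone. Returns gap bytes clobbered."""
        if len(data) != SECTOR_BYTES:
            raise ValueError("sector data must be exactly SECTOR_BYTES long")
        if abs(speed_error) > SPEED_TOLERANCE:
            raise ValueError("drive speed outside tolerance")
        o = self._sector_off(n)
        self.media[o:o + SECTOR_BYTES] = data
        overrun = max(0, int(round(SECTOR_BYTES * speed_error)))
        g = self._gap_off(n)
        self.media[g:g + overrun] = bytes([GAP_FILL]) * overrun
        return overrun


def demo() -> tuple:
    """Hide a marker, then rewrite the preceding sector on a 2%-fast drive.
    Returns (survived at gap start, survived past the overrun margin)."""
    marker = b"HIDDEN!"
    a = Track(9)
    a.hide_in_gap(3, marker)
    a.write_sector(3, bytes(SECTOR_BYTES), speed_error=SPEED_TOLERANCE)
    b = Track(9)
    b.hide_in_gap(3, marker, offset=overrun_margin())
    b.write_sector(3, bytes(SECTOR_BYTES), speed_error=SPEED_TOLERANCE)
    return (a.recover_from_gap(3, len(marker)) == marker,
            b.recover_from_gap(3, len(marker), offset=overrun_margin()) == marker)


if __name__ == "__main__":
    print(demo())
```

Running it prints (False, True): a marker at the very start of the gap is
lost, one placed past the worst-case overrun survives. In this model that
margin is about ten bytes of a 90-byte gap, which is the practical side of
the 'hostile environment' point above, before the 765's lack of a
write-track command is even considered.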

------------------------------

Date:    Wed, 28 Jul 93 02:30:29 -0400
From:    Steve Mazdeh <STEVEM@sjsuvm1.bitnet>
Subject: Virus that damages harddrives (PC)

Hello everyone,

 I am a regular reader of VIRUS-L; however, up to recently I have
not had any reason to send any mail.
 Recently, I downloaded a communication package from a listserv to test.
This program was Windows based. However, when I tried to hang up, the
software froze up. I tried to reboot the computer using Ctrl-Alt-Del.
As usual, Windows asked me "are you sure?" I pressed the key
combination again. The computer seemed to reboot. But in the middle of
the process the hard drive started to make hard knocking noises. I
quickly pressed the reset key and the system seemed to start rebooting.
But the hard drive would not boot. I used Norton Utilities 5.0, which
said the FAT was damaged. I tried to use Norton to repair the FAT but it
would get stuck repairing the copy of the FAT. It would do fine
rebuilding the first half, which I assumed was the one in sector 1, but
not the backup copy. I tried to reformat the hard drive but no success.
After the second reformat attempt the C: drive was no longer
recognizable! I could not even use the CMOS setup to set up the hard
drive. I had to finally pay $200 for a new IDE hard drive. My system
configuration was:
                      386 33MHz, COM1, LPT1, COM2 (modem), 24-bit VGA board,
                      Puma 44MB parallel cartridge, and 120MB IDE hard drive.

MY QUESTION IS: did I have a virus problem or just a bad hard drive?
                How can I fix the hard drive without sending it back
                to the manufacturer? This hard drive is made by
                XEBEC and is model XE3100, a 105.2MB AT/IDE drive.

- --------------------------------------------------------------------
  STEVE MAZDEH (STEVEM@SJSUVM1.SJSU.EDU)

------------------------------

Date:    Fri, 23 Jul 93 21:35:07 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Flash ROM BIOS and viruses. (PC)

Amir Netiv writes about Flash ROM BIOS viruses:

 > This sets a new front to us Anti-Virus developers, that may be easy to
 > solve at first look (simply backing up the BIOS) but what if our product
 > is applied to an already infected PC. In such a case those of us that
 > rely on the BIOS's integrity ;-) (not to mention those who don't)

[Text removed]

 > I'd be happy to read your opinions on the issue...

Well, I think that this problem is nothing we can't handle. The way I see it,
it's just like backing up your system without virus-checking it, and then,
when the virus has destroyed it, restoring from the infected backup set.

However, I believe it's within the BIOS manufacturer's responsibility to 
produce a program to either check the integrity of such BIOS systems, or 
completely restore the BIOS, not to mention version updates :-)

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210            Fax:   +972-8-403295

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)
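
[Editor's added example. The Python below is not part of Inbar Raz's message
and is not a tool from any BIOS manufacturer. It is one shape an integrity
check of the kind the message calls for could take: a manifest of per-block
hashes taken from a known-clean flash image, later compared against a fresh
dump to report which blocks changed. The 64 KiB image, the tampering and the
4 KiB block size are all assumptions constructed for the example.]

```python
"""Block-level integrity check of a flash BIOS image against a saved manifest.

Editor's added example, not code from the VIRUS-L digest or any vendor.
The sample image and the 4 KiB block size are constructed assumptions."""
import hashlib

BLOCK = 4096   # assumed granularity, chosen to resemble a flash erase sector


def block_digests(image: bytes) -> list:
    """SHA-256 of each BLOCK-sized slice (the final slice may be short)."""
    return [hashlib.sha256(image[i:i + BLOCK]).hexdigest()
            for i in range(0, len(image), BLOCK)]


def build_manifest(image: bytes) -> dict:
    """Reference to keep off the machine: whole-image hash plus per-block hashes."""
    return {"size": len(image), "block": BLOCK,
            "whole": hashlib.sha256(image).hexdigest(),
            "blocks": block_digests(image)}


def verify(image: bytes, manifest: dict) -> list:
    """Indices of blocks that differ from the manifest; [] means the image matches.
    A size or block-size mismatch is refused rather than silently compared."""
    if manifest["block"] != BLOCK or manifest["size"] != len(image):
        raise ValueError("image does not match manifest geometry")
    if hashlib.sha256(image).hexdigest() == manifest["whole"]:
        return []
    return [i for i, (got, want) in enumerate(zip(block_digests(image), manifest["blocks"]))
            if got != want]


def sample_image(size: int = 65536) -> bytes:
    """Deterministic stand-in for a dumped 64 KiB BIOS; not a real ROM."""
    return bytes((i * 31 + (i >> 8)) & 0xFF for i in range(size))


def patch(image: bytes, offset: int, data: bytes) -> bytes:
    """Copy of image with data written at offset (stands in for a modification)."""
    if offset + len(data) > len(image):
        raise ValueError("patch runs past end of image")
    return image[:offset] + data + image[offset + len(data):]


if __name__ == "__main__":
    clean = sample_image()
    manifest = build_manifest(clean)
    infected = patch(patch(clean, 0x7F00, b"\xEB\xFE" * 16), 0xE000, b"\x90" * 64)
    print(verify(clean, manifest))
    print(verify(infected, manifest))
```

The manifest is only as trustworthy as the system it was taken from, which
is exactly the backup analogy in the message: a manifest built from an
already modified BIOS blesses the modification.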

------------------------------

Date:    28 Jul 93 20:54:24 +1000
From:    williamss@topaz.ucq.edu.au
Subject: Dudley [odud] virus ? (PC)

Does anybody know of the "Dudley" virus (Dudley [odud])?

Is there a scanner that will disinfect it, and where can I get it from?

Please email me at williams@jade.ucq.edu

With thanks

Steve Williams

------------------------------

Date:    Wed, 28 Jul 93 10:13:48 -0500
From:    Jerry Dallal <JERRY@hnrc.tufts.edu>
Subject: Name this virus (PC) ?

Is this the behavior of an IBM-PC virus that anyone is familiar with?
If so, any ideas about how to get rid of it?

Files are being created on floppy disks.  One invariably shows (DIR) a
size of over 21Mb (on a 1.4Mb disk) and has a name composed of
graphics characters.  Another file will be named 'read me.com' or 'DOS
5.0xxx'.

UTScan   early '92
Norton Anti-Virus  fall '92
Microsoft Anti-Virus (DOS 6.0)  
                                show no infection.
UTScan can't scan the files with graphics characters in the name (bad
path).  Norton says something like access denied to these files.

Thanks.
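
[Editor's added example. The Python below is not part of Jerry Dallal's
message and is not any of the scanners he names. It walks raw FAT12
directory entries and flags the two symptoms reported above: an entry whose
recorded size is larger than the diskette itself, and a name made of bytes
outside the legal 8.3 character set (code-page graphics characters fall in
that category). It assumes standard 1.44 MB geometry (2880 sectors of 512
bytes, one sector per cluster, data starting at sector 33); the sample
entries are constructed, not taken from a real disk.]

```python
"""Sanity check over raw FAT12 root-directory entries from a 1.44 MB diskette.

Editor's added example, not code from the VIRUS-L digest. Geometry values
and the sample directory are assumptions constructed for the example."""
import struct

BYTES_PER_SECTOR = 512
TOTAL_SECTORS = 2880
DISK_BYTES = BYTES_PER_SECTOR * TOTAL_SECTORS              # 1,474,560
FIRST_DATA_SECTOR = 33                                      # boot + 2 FATs x 9 + 14 root dir
MAX_CLUSTER = 2 + (TOTAL_SECTORS - FIRST_DATA_SECTOR) - 1   # data clusters are numbered from 2

ENTRY = struct.Struct("<8s3sBBB" + "H" * 7 + "I")   # the 32-byte directory entry
ATTR_VOLUME, ATTR_DIR = 0x08, 0x10
LEGAL_PUNCT = frozenset(b"!#$%&'()-@^_`{}~")


def legal_name_byte(b: int) -> bool:
    """Bytes DOS itself puts in an 8.3 name (space = padding, 0x05 = escaped 0xE5)."""
    return (0x41 <= b <= 0x5A or 0x30 <= b <= 0x39 or b in LEGAL_PUNCT
            or b == 0x20 or b == 0x05)


def display_name(name: bytes, ext: bytes) -> str:
    base = name.decode("cp437").rstrip()
    tail = ext.decode("cp437").rstrip()
    return f"{base}.{tail}" if tail else base


def audit_entry(raw: bytes) -> list:
    """Reasons a 32-byte entry looks implausible for this diskette (empty = clean)."""
    if len(raw) != ENTRY.size:
        raise ValueError("a directory entry is exactly 32 bytes")
    (name, ext, attr, _nt, _ctenth, _ctime, _cdate, _adate,
     clus_hi, _wtime, _wdate, clus_lo, size) = ENTRY.unpack(raw)
    problems = []
    bad = [b for b in name + ext if not legal_name_byte(b)]
    if bad:
        problems.append(f"{len(bad)} name byte(s) outside the legal 8.3 set, first is 0x{bad[0]:02X}")
    if attr & 0xC0:
        problems.append("reserved attribute bits set")
    if clus_hi:
        problems.append("high cluster word is non-zero on FAT12")
    if size > DISK_BYTES:
        problems.append(f"size {size:,} exceeds disk capacity {DISK_BYTES:,}")
    if not attr & (ATTR_DIR | ATTR_VOLUME):        # a plain file
        if size and not 2 <= clus_lo <= MAX_CLUSTER:
            problems.append(f"first cluster {clus_lo} outside 2..{MAX_CLUSTER}")
        if not size and clus_lo:
            problems.append("zero-length file has a start cluster")
    return problems


def audit_directory(blob: bytes) -> list:
    """Walk a raw directory region; returns (slot, display name, problems) per live entry."""
    findings = []
    for slot in range(len(blob) // ENTRY.size):
        raw = blob[slot * ENTRY.size:(slot + 1) * ENTRY.size]
        if raw[0] == 0x00:       # end of directory
            break
        if raw[0] == 0xE5:       # deleted slot
            continue
        findings.append((slot, display_name(raw[:8], raw[8:11]), audit_entry(raw)))
    return findings


def sample_directory() -> bytes:
    """Constructed root-directory bytes: one ordinary file, one entry shaped like
    the report above (box-drawing name, 22 MB size, start cluster off the disk),
    then the end-of-directory marker."""
    clean = ENTRY.pack(b"README  ", b"TXT", 0x20, 0, 0, 0, 0, 0, 0, 0, 0, 2, 1234)
    weird = ENTRY.pack(b"\xC4\xB3\xDA\xBF\xC0\xD9\xB4\xC3", b"\xB0\xB1\xB2",
                       0x20, 0, 0, 0, 0, 0, 0, 0, 0, 5000, 22_000_000)
    return clean + weird + bytes(ENTRY.size)


if __name__ == "__main__":
    for slot, name, problems in audit_directory(sample_directory()):
        print(slot, repr(name), problems or "ok")
```

Reading the directory sectors directly (rather than going through DIR) is
what lets a check like this see an entry that the scanners above refuse as a
bad path or access denied: the name bytes are examined as bytes, not opened
as a file.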

------------------------------

Date:    Wed, 28 Jul 93 15:02:24 -0400
From:    mmeltzer@wam.umd.edu (The Meltz Inc.)
Subject: Re: Arj-virus? (PC)

: >Hi! I use Arj version 2.41 (The best). Well, i have a memory-resident
: >program, that says if files are being changed. Everytime i access .exe
: >files that belong to arj the program warns me that the file has
: >changed.  Has this happened to you? Will you test the problem?

I don't know if these are the problems that were fixed, but there is
a new version, which corrected a couple of bugs.  The new file is:
	"arj241a.exe"
and can be FTP'd from most sites.

- ---------------------------------------------------------------------
			mmeltzer@wam.umd.edu is

			     Marc Meltzer
		      President of The Meltz Inc
	 "Our job is to play games.  Our hobby is to consult."
- ---------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 107]
******************************************
