To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #110
--------
VIRUS-L Digest   Thursday,  5 Aug 1993    Volume 6 : Issue 110

Today's Topics:

Re: Name this virus (PC) ?
Re: Virus that damages harddrives (PC)
Re: Re[2]: NAV Updates (was CPAV updates) (PC)
Re: Name this virus (PC) ?
Stoned Virus - found on my system-Bad? (PC)
Hokay, boot sector viruses (PC)
Re: Arj-virus? (PC)
Suspicious .COM files (PC)
Flash ROM BIOS and viruses. (PC)
WARNING: Stoned/Dir-2 infection in Israel (PC)
Flash ROM BIOS and viruses. (PC)
Re: Learning how to make virus programs: Info? (PC)
Re: Memoires of a (infected) virus researcher (PC)
re: Learning how to make virus programs: Info? (PC)
re: Virus? (PC)
re: checking for illegal programs (PC)
Re: Virus? (PC)
Network update mechanisms (PC)
Flash EEPROM BIOS (PC)
Re: Virus? (PC)
Re: Flash ROM BIOS and viruses. (PC)
Re: Virus? (PC)
Thanks - re possible virus (PC)
SIMTEL 20 Closing Down (archive site) (fwd)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

From:    oenglund@bilbo.abo.fi (Olof Englund)
Subject: Re: Name this virus (PC) ?

I'm not sure, but the virus could be too complicated or too new for
these scanners to detect. My advice for you is to download (from a
friend who is NOT infected with the virus) McAfee SCAN (newest
version) and McAfee CLEAN from mcafee.com (or was it mcaffee.com) and
put them on a boot disk and write-protect the disk. Then boot from the
disk and use SCAN on your computer (note: I think this won't work on
stacked drives). If you still can't find anything, try getting F-PROT
from complex.is and do with that as you did with the others.  (It can
scan for generic viruses too, and that's a +). Hope this will help.

Note 2: You should scan your hard drive first and disinfect it, then get VSHIELD
        from mcafee.com, install it, and then copy the virus scanner that
        detected the virus to your hard drive (don't forget the disinfector).
        NOW you are ready to disinfect your disks.

I hope this wasn't too complicated. Keep us posted via News! =)

                                                Olle

------------------------------

Date:    Tue, 03 Aug 93 05:47:16 -0400
From:    oenglund@bilbo.abo.fi (Olof Englund)
Subject: Re: Virus that damages harddrives (PC)

Boy, this sounds bad. I think you're at the point of no return now.
Hmm.... An idea would have been to try PC Tools' DISKFIX (I suspect
it's a bit better than Norton). And.....um.....perhaps bring the drive
to a hardware dealer to check it out (perhaps some part is screwed);
well, DISKFIX will of course not work with your hard disk if it's
non-recognizable, and what your hard disk has done is (I think) a bit
out of the normal behaviour. Well, it could have been a virus, yes, I
think so. In the state that your HD is in now, I have no real help to
give. Hope things clear up soon. Good luck!

                                                Olle

------------------------------

Date:    Tue, 03 Aug 93 06:57:01 -0400
From:    clangenh@cs.uct.ac.za (Clement Langenhoven)
Subject: Re: Re[2]: NAV Updates (was CPAV updates) (PC)

cjkuo@symantec.com (Jimmy Kuo) writes:

>Vesselin asks:
>>cjkuo@symantec.com (Jimmy Kuo) writes:

>>Mr. Slade mentioned ftp servers. Will Symantec permit the distribution
>>of the updates via ftp servers?
>Yes.

>>>They can be available through anyone who wishes to redistribute.
>>I wish to distribute them via anonymous ftp. May I do so?
>Yes.

>>> Basically, NAV definition file updates are and can be freely distributed in
>>> its present form (note lack of copyrights).
>>Even via anonymous ftp?
>Yes.

>>If you don't support ftp access, would you allow to others to do it
>>for you?
>Yes.
>I guess Vesselin wanted to be real sure.  :-)

SO, after *ALL* these affirmatives, the Q U E S T I O N  is :

Where (ie a sitename please) can the NAV definition file updates be
found (assuming they've been uploaded).

I've heard that there are BBS's which have them, but this is of NO 
use to most INTERNET-users.

Any advice would be welcome.

THANX
Clement

  ------------------------------------
- --   LEFT! LEFT! T U R N  L E F T !  --                           
   --  NO! N O T  T H A T  L E F T -- 
      --  M Y  L E F T , Y O U  --                      
       --   )-% T W I T ! ;-(  --     
            ----------------
         clangenh@cs.uct.ac.za

------------------------------

Date:    Tue, 03 Aug 93 16:13:01 -0500
From:    Jerry Dallal <JERRY@hnrc.tufts.edu>
Subject: Re: Name this virus (PC) ?

JERRY@hnrc.tufts.edu (Jerry Dallal) writes:
> Is this the behavior of an IBM-PC virus that anyone is familiar with?
> If so, any ideas about how to get rid of it?

A kind respondent suggested ftp-ing f-prot.  It uncovered the AntiExe
virus, which infects master boot sectors.  Ain't the Internet grand?

------------------------------

Date:    03 Aug 93 21:38:30 -0600
From:    z_hustonfn@ccsvax.sfasu.edu
Subject: Stoned Virus - found on my system-Bad? (PC)

	Recently I loaded Central Point Anti-Virus on my system and it
found the "Stoned Virus" in my memory.  Well, I've been having serious
problems with Windows like it's causing an error stating, "General
Protection Fault in module KRNL386.exe at 0002:14a9."  This error
happens randomly.  I can't remember the last time I had
Anti-Virus on there, but I'm afraid that this virus may have caused
some serious damage internally, BUT I don't know, so I'm asking
anybody to give me some kind of answer.  If you know anything about
this virus and what it does please explain it to me because I am
really sick of this problem I'm having and just would like to get it
all over with.

------------------------------

Date:    Wed, 04 Aug 93 03:21:44 -0400
From:    corneliu@cs.curtin.edu.au (Nigel Cornelius)
Subject: Hokay, boot sector viruses (PC)

Ok, dudes and dudettes (sp?),

I can't tell if my computer is infected or not; apparently a boot
sector virus called "Boot 437" is being spread around the campus PCs
(methinks, not too sure; McAfee's SCAN V106 can't pick it up, but
F-PROT can; unfortunately, F-PROT cannot eradicate this menace). Now,
as yet I don't know if my home PC is infected.

The thing is, I have been downloading many files from my account to
floppies, and need to know: if by chance my floppy is infected with
this boot sector virus, and I just read the files from floppy (copying
them across, etc.), will this (as yet) un-scannable (and un-cleanable)
virus infect my PC?

Any help would be appreciated. Flames will graciously be ignored.

Thanks in advance,
Nigel
corneliu@marsh.cs.curtin.edu.au

------------------------------

Date:    Wed, 04 Aug 93 09:32:47 +0000
From:    warwickb@stallion.oz.au (Warwick Burrows)
Subject: Re: Arj-virus? (PC)

The Meltz Inc. (mmeltzer@wam.umd.edu) wrote:
: : >Hi! I use ARJ version 2.41 (the best). Well, I have a memory-resident
: : >program that says if files are being changed. Every time I access .EXE
: : >files that belong to ARJ the program warns me that the file has
: : >changed.  Has this happened to you? Will you test the problem?

: I don't know if these are the problems that were fixed, but there is
: a new version, which corrected a couple of bugs.  The new file is:
: 	"arj241a.exe"
: and can be FTP'd from most sites.

I have also seen an 'arj241e.exe' file on a couple of the German
sites, and am FTPing a copy of it as I type. Is this the real thing?
Do we have anybody who is tight with the ARJ developer (Mr Jung) and
could tell us if there is an 'arj241e' (or is it a sneaky attempt to
spread a virus dressed up as legit software)?

Warwick

------------------------------

Date:    Wed, 04 Aug 93 06:17:55 -0400
From:    A.M.Zanker@newcastle.ac.uk (A.M. Zanker)
Subject: Suspicious .COM files (PC)

I recently downloaded a file, SPORTS.ZIP from the CIX online system
in the UK. It's a program for determining the addresses of your serial
ports, I think.

I scanned it with the new Central Point Anti-Virus version 2.0, which
contains a "virus analyzer" which looks for suspicious virus-like activity
in executable files. It reported a possible file virus in both the files
in the ZIP archive, DOCUMENT.COM and SPORTS.COM. I looked at both files
using a binary editor and discovered that they both have the string

   Hurray the crusades

near the end of the file. Does this ring any bells with anyone? I've also
scanned with SCAN 106 and F-PROT 1.08 but neither detected anything.

Regards,

Mike
- -- 
Mike Zanker                              |  A.M.Zanker@ncl.ac.uk
Department of Mathematics and Statistics |
University of Newcastle upon Tyne, UK    |

------------------------------

Date:    Wed, 28 Jul 93 19:07:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Flash ROM BIOS and viruses. (PC)

Nemrod Writes:

 > May I jump in?
Certainly and by all means...

 > We can assume that any FLASH-ROM (FR) BIOS computer will also have a
 > ROM part. This is to assure the integrity of the FR. Now, the ROM part
 > of the BIOS may include a VENDOR-defined algorithm to check the
 > integrity of the FR.

 > This same thing is done with WD IDE Drives when
 > playing with the IDE drive's serial number.
... more

 > Implementing a similar algorithm in FR computers will solve the
 > problem as long as this information is internal for each manufacturer.

Although this might be a way to DETECT that something is wrong, it
still won't prevent viruses from doing it.  Besides, just like you say,
when you change something in the IDE sector you have a way to assure
the IDE ROM will accept this; maybe in our case a virus can do the
same (?).

But worse: the fact is that these FR-BIOSs already exist and are
simply a FR alone. So it may be a good idea to implement such an
algorithm, but it is still not in use. |-(

 > Another way is to make the FR not self-modifying. This
 > means that as soon as the computer is up and running
 > the FR does not allow any changes to be written to it.
 > So, you'll ask, how can we upgrade the FLASH-ROM
 > program? - well, the FR will check the following
 > conditions (for example):

 > 1. The computer was last COLD-BOOTED with a combination
 > of keys pressed (like the INS or ALT in AMI BIOSs).
 > 2. The computer was booted from a manufacturer
 > supplied diskette.
 > 3. The FR is about to be changed by a manufacturer
 > supplied program.

 > This program checks the integrity of the current FR,
 > saves it in memory, writes the new FR program, checks
 > its integrity and only then, if everything is OK -
 > boots the machine.

Great idea!!! I like it.  I would suggest that you (or better, whoever
is responsible for VIRUS-L) keep it for a final conclusion and
suggestions, so that someone might send a hard copy to some of the
interested companies.

Any idea what do we do with the present state UNTIL such a method is
implemented?

cu

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Thu, 29 Jul 93 11:02:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: WARNING: Stoned/Dir-2 infection in Israel (PC)

hjstein@sunrise.huji.ac.il (Harvey J. Stein) writes back to
amn@ubik.demon.co.uk (Anthony Naggs):

 > I informed the supermarket chain, and they informed
 > the distributer and the manufacturer.
As I wrote to you a week ago: check your own PC before blaming others! Since I
personally checked sample floppies from EACH supermarket store + the masters
used for duplication + the duplication factory itself and more.

Guess what: none of them was infected!!!!!!!!!!!!!!

 > Well, I never actually contracted the virus, so I
 > could be wrong as to its action.  But what I said
 > is what I remember hearing.
Irrelevant in this case !

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Sun, 01 Aug 93 09:30:04 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Flash ROM BIOS and viruses. (PC)

Amir Netiv writes about infected BIOS:

 > The question is what do we do in case such a virus will (and I'm sure it
 > will) exist, and the PC you are introduced to is ALREADY infected. No
 > backup of the BIOS exists at that time... Rest assured that most users
 > with such computers will not take the time to back up the BIOS even if
 > they had a program that does it for them!

Amir, this is a different issue here. This is a matter of responsibility, just 
like it is the responsibility of software marketers to make sure the programs 
they market are virus-free.

As in both cases, if your product is infected, and you find that out, you call 
the manufacturer/marketer, and get a clean copy. This shouldn't even get to 
that, but this is what you'll have to do.

 > If I get you correctly, you mean that the FLASH BIOS will include a
 > procedure that checks (for example at POST time) the BIOS's CRC or
 > checksum (or anything else for that matter).

Well, at the beginning, I thought it should be within the BIOS. However, after
I read the first two lines of your next paragraph, I thought of two more
solutions:

2. The CRC check will be on a factory-protected (notch-less) floppy;

3. The CRC is on a ROM segment of the RAM, even if a few bytes only (assuming
   such a thing is possible).

 > Well if that's what you meant, I think the problem obviously will be
 > that a virus can put this procedure to sleep since it has access to the
 > entire BIOS area and the procedure is within this area.

There went the original idea...

 > You might say: Let's split the BIOS into a FLASH-ROM plus another ROM-
 > ROM, so the ROM-ROM's part is solely to verify the FLASH-ROM's
 > integrity. But even if this could be a nice idea it will not solve
 > the problem (as it cannot restore that which was damaged) and furthermore
 > the FLASH-ROM technology exists today and works simply as one might
 > expect: with no safety means.

There goes the third solution...

 > Besides: The solution you suggest needs at least 64K of backup file.
 > Even though it can be easily applied, this is not a practical solution
 > (but maybe the only one we will be able to come up with)... 8-)

Well, so far, solution two still applies. If a floppy disk is non-writable,
and assuming that passing this protection is indeed impossible, then it SHOULD
be possible to examine, and completely restore, infected BIOSs.

After reading the correspondence between you and Nemrod, I find it is possible
to defend against Flash BIOS attacks, since, like I originally claimed, it is
much like fighting normal software viruses. You just have to get the
first break.

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210            Fax:   +972-8-403295

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date:    Wed, 04 Aug 93 07:38:26 -0400
From:    A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: Re: Learning how to make virus programs: Info? (PC)

mile5057@gmi.edu (Kristian Nmi Milec) wrote on Sun 01 Aug 93 13:16:59 -0400
(Subject: Learning how to make virus programs: Info?) wanting to write a
"virus" that lives in a Novell/etc server and infects the networked PCs and
on them checks for "illegal" software.

  (1) What sort of virus (Boot or .COM or what)? What is to stop it from
spreading further?
  (2) What software is illegal? (a) only allow an approved list of binary
programs?, or (b) reject a forbidden list? If (a), what about programs that
the network admin does not know about but the user has legally? In particular,
what about programs that he has written himself? I have been writing programs
for nearly 30 years, and I could not live on a system where I was not allowed
to compile and run my own programs for use in situations where no legal
commercial software did what was wanted. What is he trying to eliminate? (i)
merely breaches of copyright, (ii) also videogames etc, (iii) anything
suspected to be not part of the user's paid work.

------------------------------

Date:    Wed, 04 Aug 93 07:45:23 -0400
From:    Martin Zejma <8326442@awiwuw11.bitnet>
Subject: Re: Memoires of a (infected) virus researcher (PC)

Regarding an infection of Dir-II:

Your test machine seems to use a DOS version prior to 5.00.  Last week
I tried to infect a hardware-protected PC running 5.0, and it just
froze the machine. I retried with an unprotected laptop running 5.0;
ditto, froze too. When tracing using Quaid's Analyzer (anyone else
using this unique tool??), I saw the reason. Dir-II makes an
assumption about where the entry in the DOS segment should be, because it
calculates its offset for INT 21h calls itself. And under 5.0 (maybe
6.0, too) it fails.

                                        Regards, Martin

+-----------------------------------------------------------------------+
| Martin Zejma                                  8326442@AWIWUW11.BITNET |
|                                            Martin.Zejma@wu-wien.ac.at |
|                                                                       |
| Wirtschaftsuniversitaet Wien  ---   Univ. of Economics Vienna/Austria |
+-----------------------------------------------------------------------+

------------------------------

Date:    Wed, 04 Aug 93 08:46:24 -0400
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: re: Learning how to make virus programs: Info? (PC)

>From:    mile5057@gmi.edu (Kristian Nmi Milec)

>G'day!

>I am interested in making virus software, and am looking for methods
>in which to reach that end.  The purpose for the software is to make
>network (Novell, Banyan etc.) viruses that will be capable of performing
>certain tasks by a network administrator that can only be done by
>approaching each machine's local drive.

You don't actually need, and almost certainly don't want, to use a
virus to do this.  Just add a program to users' logon scripts, or to
some BAT file or other executable that you provide, that does the
tasks that you need done.  This is very common in the LAN world; when
you log onto the LAN, some programs that the LAN admin wants run on
your machine get run.  (It's often used for virus-checking, for
instance!)  The details depend on just what LAN software you're using,
and how it's set up.  But you don't want to use a virus; there's no
reason to alter the programs on the users' machines.  If you can get
the users to run a program that you provide (and you'd have to, in
order to get your "virus" to spread), you might as well just do the
admin acts right there, and save yourself the infinite hassle, bad
publicity, and boss-grilling involved with actually writing a virus...

- - -- -
David M. Chess                    |         Buy Now
High Integrity Computing Lab      |            Pay Later
IBM Watson Research               |

------------------------------

Date:    Wed, 04 Aug 93 08:52:56 -0400
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: re: Virus? (PC)

>From:    00mltimmons@leo.bsuvc.bsu.edu

>   I accidentally left a disk with a few zipped files in my A drive
>when I rebooted my computer.  Instead of the normal "Non-System
>disk or disk error" message, I get the following "Kein System
>oder Laufwerkfehler Wechseln und Taste drucken".

That just means that you have a few diskettes that were formatted
with a German diskette-formatter.   The "Non-system disk or disk
error" message comes from the diskette itself; diskettes formatted
with non-English formatting programs have non-English versions of
that message on the diskette.   What you're seeing is the usual
"Non-system..." message, in German.  This doesn't mean that there's
definitely *not* a virus there, of course, but by itself it's no
reason to worry.

DC

------------------------------

Date:    Wed, 04 Aug 93 09:44:26 -0400
From:    Gene Shackman <GS6206@albany.albany.edu>
Subject: re: checking for illegal programs (PC)

Kristian Milec asked about making viruses to check users pc's
for illegal programs.

Why don't you use another way that does not involve viruses?  For
example, use a file finder to search for certain files, like wp.exe,
word.com, things like that, that start the possible "illegal"
programs.  It seems to me that using viruses of any kind may
lead to too many problems.

Gene Shackman
Network Manager
SUNY-A

------------------------------

Date:    Wed, 04 Aug 93 10:06:58 -0400
From:    amn@ubik.demon.co.uk (Anthony Naggs)
Subject: Re: Virus? (PC)

Mike Timmons, <00mltimmons@leo.bsuvc.bsu.edu>, asks:
>
> Symptoms:
>       I accidentally left a disk with a few zipped files in my A drive when
> I rebooted my computer.  Instead of the normal "Non-System disk or disk
> error" message, I get the following "Kein System oder Laufwerkfehler
> Wechseln und Taste drucken".  Where the e in drucken has two dots above it.
> I'm no computer wizard, but I know that this isn't a good sign.  Only a
> few of my disks do this.

You should not need to worry, the text is in German and (approximately)
translates to, "No System on Diskette   Change and press a key".  The disk
was probably formatted with a German edition of MS-, PC- or DR- DOS.

Hope this helps,
Anthony Naggs                 Email:                  Paper mail:
 Software/Electronics Engineer amn@ubik.demon.co.uk    P O Box 1080, Peacehaven
 & Computer Virus Researcher   [or xa329@city.ac.uk]   East Sussex  BN10 8PZ
 Phone: +44 273 589701                                 Great Britain
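
The point made in the replies above, that the "Non-System disk" text is
stored in the diskette's own boot sector by whatever formatter wrote it,
is something you can check for yourself with a boot-sector parser. The
following is an added example, not code from any of the posters or from
DOS: it constructs two 1.44 MB FAT12 boot sectors (the boot code and the
volume serial are stand-ins, labelled as such in the comments; the German
and English texts are the ones quoted in this thread), decodes the BIOS
Parameter Block, pulls out the printable strings the way a hex editor
would show them, and hashes the code region so a sector can be compared
against a known-good one. Two sectors with identical geometry but a
different code hash are what two formatters (or two language editions)
produce; a scanner, not the message text, is what tells you whether the
code region is also a virus.

```python
import hashlib
import re
import struct

# Layout of a FAT12 floppy boot sector: 3-byte jump, 8-byte OEM name, the
# BIOS Parameter Block, then the DOS 4.0 extended block up to offset 62.
BPB_FORMAT = "<3s8sHBHBHHBHHHII"   # 36 bytes
EXT_FORMAT = "<BBBI11s8s"          # 26 bytes: drive, reserved, 0x29, serial, label, FS type


def make_floppy_boot_sector(oem, label, message, serial=0x12345678):
    """Construct a 1.44 MB FAT12 boot sector whose (stand-in) boot code ends
    with `message`, the text printed when the diskette is not bootable."""
    hdr = struct.pack(BPB_FORMAT, b"\xEB\x3C\x90", oem.ljust(8).encode("ascii"),
                      512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    ext = struct.pack(EXT_FORMAT, 0x00, 0x00, 0x29, serial,
                      label.ljust(11).encode("ascii"), b"FAT12   ")
    # Constructed stand-in for the boot loader, not real DOS code: a few
    # opcode bytes, then the message in code page 437 as a formatter stores it.
    code = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\r\n" + message.encode("cp437") + b"\r\n\x00"
    body = hdr + ext + code
    if len(body) > 510:
        raise ValueError("boot code and message do not fit in one sector")
    return body.ljust(510, b"\x00") + b"\x55\xAA"


def printable_strings(blob, min_len=8):
    """Text runs a hex editor would show: split on NUL/control bytes and keep
    runs that are mostly letters and spaces, so opcode bytes are not mistaken
    for text (the same technique used above to spot "Hurray the crusades")."""
    out = []
    for run in re.split(r"[\x00-\x1f\x7f]+", blob.decode("cp437")):
        if len(run) >= min_len and sum(c.isalpha() or c == " " for c in run) >= 0.8 * len(run):
            out.append(run)
    return out


def parse_boot_sector(sector):
    """Validate the sector, decode the BPB, and fingerprint the code region."""
    if len(sector) != 512 or sector[510:] != b"\x55\xAA":
        raise ValueError("not a boot sector: bad length or missing 55AA signature")
    (jmp, oem, bps, spc, reserved, fats, root_entries, total, media,
     spf, spt, heads, hidden, total_large) = struct.unpack(BPB_FORMAT, sector[:36])
    drive, _, ext_sig, serial, label, fs_type = struct.unpack(EXT_FORMAT, sector[36:62])
    # A short JMP (0xEB rel8) at offset 0 says where the code begins; what lies
    # before it is data the formatter wrote, what lies after it is code.
    code_start = 2 + jmp[1] if jmp[0] == 0xEB else 0
    code = sector[code_start:510]
    sectors = total or total_large
    return {
        "oem": oem.decode("ascii", "replace").rstrip(),
        "label": label.decode("ascii", "replace").rstrip() if ext_sig == 0x29 else None,
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "total_sectors": sectors,
        "capacity_kib": sectors * bps // 1024,
        "media_descriptor": media,
        "tracks_per_side": sectors // (spt * heads) if spt and heads else None,
        "code_start": code_start,
        "code_sha256": hashlib.sha256(code).hexdigest(),
        "strings": printable_strings(code),
    }


def same_format_different_message(sector_a, sector_b):
    """True when two sectors agree on geometry but differ in their code region."""
    a, b = parse_boot_sector(sector_a), parse_boot_sector(sector_b)
    keys = ("bytes_per_sector", "sectors_per_cluster", "total_sectors", "media_descriptor")
    return all(a[k] == b[k] for k in keys) and a["code_sha256"] != b["code_sha256"]


if __name__ == "__main__":
    english = make_floppy_boot_sector("MSDOS5.0", "NO NAME",
                                      "Non-System disk or disk error\r\nReplace and press any key when ready")
    german = make_floppy_boot_sector("MSDOS5.0", "NO NAME",
                                     "Kein System oder Laufwerkfehler\r\nWechseln und Taste drücken")
    for name, sec in (("english", english), ("german", german)):
        info = parse_boot_sector(sec)
        print(name, info["capacity_kib"], "KiB", info["strings"], info["code_sha256"][:16])
    print("same format, different message:", same_format_different_message(english, german))
```

On a real diskette the sector to feed `parse_boot_sector` is the first 512
bytes of the raw device; compare its `code_sha256` against a sector from
a diskette you formatted yourself with the same DOS edition, and let a
scanner judge any sector whose code region does not match.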

------------------------------

Date:    Wed, 04 Aug 93 10:52:05 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Network update mechanisms (PC)

From:    mile5057@gmi.edu (Kristian Nmi Milec)
was: Subject: Learning how to make virus programs: Info?

>I am interested in making virus software, and am looking for methods
>in which to reach that end.  The purpose for the software is to make
>network (Novell, Banyan etc.) viruses that will be capable of performing
>certain tasks by a network administrator that can only be done by
>approaching each machine's local drive. 

We discussed this quite a bit a couple of years ago (Anthony ?) and came to
the conclusion that excepting for Fred Cohen's definition, this does not 
require a virus (since I did not win Fred's $1000, I guess he didn't think
so either).

What you are looking at is a two part solution:

a) A login script (why you can do this with Novell Netware and not with
   Lantastic - yet).
b) A "seek and report" program

Of course there could be resident components but in simplest terms it works
like this: As part of the login scripting process the "seek & report" program
is launched and performs the checkout of the client system. On termination
an ERRORLEVEL is left (and sometimes an information file) that can be used
to determine software/revision/load condition. The script can then use this
information to decide whether to update the client or to refuse to allow
the login. Reports may also be sent to the administrator.

I first used that technique in combating a virus on a large Novell network
ca. 1990 that could not be brought down for de-toxing. Also passed some
thoughts on to McAfee & Co., resulting in the Vshield/Chkshld combo.

Point is that none of the components require a "virus" since none propagate
themselves. At most, a new version of a software package is downloaded but
this has nothing to do with viruses.

					Warmly,
						Padgett

>Kristian Milec
>GMI Engineering & Management Institute

Ah yes, dear old Flint (believe it or not I am also a GMI grad (ME) with
a minor in Corvettes & pulled many cars out of the "student" parking lot 
with my GTO wagon (the lot was saucer shaped & after an ice storm
there were many "opportunities"). Also where I became semi-proficient with
computers calculating 1+ gee cornering forces and suspension settings (the
canned programmes did not go high enough for my BP Vette & "TIRE" did not
include 12.65x15 Goodyear cantilever racing tires 8*).
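
As an added example (not code from Padgett, Chess, Shackman or Appleyard,
and not a Novell tool), here is the "seek & report" half of the two-part
scheme described in the replies above, written in Python rather than as
the DOS program it would have been in 1993. It walks a client drive,
classifies every .EXE/.COM by name against a deny-list (the wp.exe and
word.com names come from Gene Shackman's post; the policy itself is
hypothetical) and by SHA-256 against an allow-list of approved binaries
(Appleyard's option (a)), writes the information file, and exits with an
ERRORLEVEL. A user's own compiled program matches neither list, so it is
reported as UNKNOWN for the administrator to look at rather than treated
as illegal, which is the objection Appleyard raised. The demo builds a
constructed directory tree in a temporary directory; the file contents
are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".com"}

# Deny-list (hypothetical policy): names that start programs the site has not
# licensed; wp.exe and word.com are the examples given in the thread.
FORBIDDEN_NAMES = {"wp.exe", "word.com"}

# ERRORLEVELs the login script tests.  DOS "IF ERRORLEVEL n" is true for any
# value >= n, so the script must test the highest value first:
#   IF ERRORLEVEL 2 GOTO refuse_login
#   IF ERRORLEVEL 1 GOTO mail_report
ERRORLEVEL_CLEAN, ERRORLEVEL_UNKNOWN, ERRORLEVEL_FORBIDDEN = 0, 1, 2


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def seek_and_report(root, approved_hashes, report_path):
    """Walk the client drive, classify every executable, write the information
    file, and return the ERRORLEVEL the login script will act on."""
    forbidden, unknown = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        if path.name.lower() in FORBIDDEN_NAMES:
            forbidden.append(path)
        elif sha256_of(path) not in approved_hashes:
            unknown.append(path)          # neither forbidden nor approved: review, don't delete
    with open(report_path, "w") as rpt:
        rpt.write(f"forbidden={len(forbidden)} unknown={len(unknown)}\n")
        for p in forbidden:
            rpt.write(f"FORBIDDEN {p.relative_to(root)}\n")
        for p in unknown:
            rpt.write(f"UNKNOWN {p.relative_to(root)} sha256={sha256_of(p)}\n")
    if forbidden:
        return ERRORLEVEL_FORBIDDEN
    if unknown:
        return ERRORLEVEL_UNKNOWN
    return ERRORLEVEL_CLEAN


def demo():
    """Constructed client drive in a temporary directory; returns the
    ERRORLEVEL for each of three states plus the final report text."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "av").mkdir()
        (root / "av" / "scan.exe").write_bytes(b"MZ approved scanner (constructed)")
        approved = {sha256_of(root / "av" / "scan.exe")}       # the allow-list
        report = root / "report.txt"                           # .txt, so the walk ignores it
        results["clean"] = seek_and_report(root, approved, report)
        (root / "users").mkdir()
        (root / "users" / "mytool.exe").write_bytes(b"MZ user's own program (constructed)")
        results["unknown"] = seek_and_report(root, approved, report)
        (root / "users" / "WP.EXE").write_bytes(b"MZ unlicensed word processor (constructed)")
        results["forbidden"] = seek_and_report(root, approved, report)
        results["report"] = report.read_text()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Nothing here propagates: the program runs only because the login script
starts it, which is exactly Chess's and Padgett's point. Name matching is
case-insensitive because DOS is; the hash check is what catches a renamed
copy of a forbidden program, since the deny-list by itself does not.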

------------------------------

Date:    Wed, 04 Aug 93 10:58:34 -0400
From:    "William Walker x4570" <WALKER@aedc-vax.af.mil>
Subject: Flash EEPROM BIOS (PC)

I started a discussion about the perils of a software-upgradable BIOS 
back in 1991 (VIRUS-L Vol.4 #087 or thereabouts).  After my overreaction 
and input from various VIRUS-L contributors (particularly Michael Maxim), 
I stopped writing about it, satisfied that there would be enough security 
to prevent a virus from entering the Flash EEPROM BIOS.

A few weeks ago, I got to mess around with one of the Zenith 486 machines 
that is offered to the Air Force on the Desktop IV contract.  Among other 
nifty features, it has a software-upgradable BIOS.  However, it is NOT 
upgradable from the DOS prompt.  The machine has to be booted to the ROM 
Monitor (a different sequence from Ctrl-Alt-Del), and a menu selection 
from the Monitor will upgrade the BIOS from a special diskette.  The 
information on the diskette is verified by a secure part of the BIOS 
which is NOT upgradable (see description of the Flash EEPROM below).

This may be the method used by other machines, but there may be others, 
too.  One contributor during the original discussion mentioned that one 
of the first manufacturers to offer the software-upgradable BIOS required 
that some hardware action like setting a switch be done to prevent any 
unscheduled change to the BIOS.  This is also good.  As long as it is a 
user-initiated change that cannot be performed solely by a program 
running under DOS (or OS/2, UNIX, Novell, etc.), the BIOS should stay 
secure from malicious or other unauthorized changes.

Here is Michael Maxim's post regarding the Flash EEPROM chip, and non-
volatile memories in general: 

From:    mmaxim@sc9.intel.com (Michael A. Maxim)
> I noticed some concern and confusion about E/EEPROMS on the Virus-l
> list lately, and, since I work at Intel's NVM development fab, I
> figured the least I could do was to clear things up a bit.  [...]
>
> Definitions/explanations:
> NVMs    - Non-Volatile Memories.  ROMS, PROMS,EPROMS,EEPROMS, ferromagnetic
>           DRAM's, etc.  Memory storage devices that don't lose data when the
>           power goes out.
> fab     - Short for Fabrication.  Place where silicon wafers are turned into
>           semiconductor devices.  Very clean, very very expensive factory.
> ROMs    - Also called mask ROMs.  Read Only Memories.  Programming is done
>           during manufacture.  "Cheapest" memory for high volume use on static
>           designs.  Minimum order might be several-to-tens of thousand parts.
>           Real peanut parts, these may only cost pennies apiece.
> PROM    - Programmable Read Only Memory.  These babies you program once.
>           Heard the term "burn in a PROM"?  Very literal saying.  To program
>           them, you actually fuse the innards into the configuration you want.
>           Inexpensive unless you make lots of mistakes, 'cause they are either
>           right or they are scrap.
> EPROM   - Also called UV EPROM's.  Invented by Intel 'way back inna '70's.  An
>           Erasable Programmable Read Only Memory.  They are programmed
>           electronically, and erased with ultraviolet light.  They've got a
>           little transparent window in the package just for that purpose (it's
>           usually covered up with a sticker or something, though; even
>           ambient light WILL eventually wipe them out...note also that if the
>           package doesn't have a window then your EPROM is effectively a PROM.
>           Lots of these are used in automobile engine controllers, bios chips,
>           etc.  Also pretty cheap, available commercially in densities up to
>           4mbit or so.
> EEPROM  - Also called E2PROMS.  These are Electronically Erasable Programmable
>           Read Only Memories.  You don't need UV to erase them.  However, you
>           do generally need at least 11 volts on one of the pins to erase/
>           program them.  More on this later.  More expensive than EPROMS, but
>           still cheap in all but the largest sizes.  [...]
> Flash   - The hot rods of EEPROMs, also invented by Intel (of course. ~8^) )
>           They program and erase quickly and have fast access times. These are
>           available in either bulk (entire bank or chip) or sector (single 
>           byte) erase versions.  Their lifetime is measured in program/erase
>           cycles.  Some parts have lifetimes as low as 1000 erase/program 
>           cycles; these are useful for some applications that don't require 
>           many changes, but aren't any good for solid state disks or memory 
>           cards, for example.  Other types have program/erase lifetimes of 
>           100K+ cycles. (guess who makes those... ~8^) )  [...] 
>
> Here's a shameless plug for the company that signs my paychecks, and
> what seems to have caused the concern in the virus community.
>
> Intel has just recently introduced the 1mbit 28F001BX Flash.  It's
> designed for use in PC operating system software and embedded control
> applications.  Features include a security-protected 8kb block on the
> chip to boot applications, 2 4kb parameter blocks for configuration
> info, a 112kb main memory block, 150 ns access time and single byte
> erase.  It's available in PDIP or PLCC (plastic dual inline package or
> plastic leaded chip carrier, I think...I just do wafers, not
> packaging) and costs $17.20 in quantities of 1000. What does
> security-protected mean?  Good question.  I'll see if I can find out.
>
> Here's my own $.02: unless a really clever virus finds a way to shove
> a sun lamp into your PC, you have nothing to worry about with EPROMs.
> As for EEPROMs and Flash chips, they look just like PROMs or EPROMs to
> your system.  Unless your system is specially configured to reprogram
> them (remember that pin I mentioned earlier?) there is nothing ANY
> program could do to change an EEPROM.  If some board maker actually
> wanted to enable software modification to the BIOS EEPROM, there is no
> reason that he couldn't do it; but that is a problem with the board
> and manufacturer, not the chips.
>
> DisClaimEr: I think most of the stuff above is pretty near correct,
> and of course I don't speak for Intel in any official or unofficial
> way.  I also didn't have anything to do with the 28F001BX, but it does
> sound like a neat chip.

BTW, I exchanged some E-mail with Mr. Maxim last year, and unless things 
changed between then and now, he was shifted from production of NVMs to 
production of what he called P5 then, and is now known as the Pentium.

Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) |
OAO Corporation                        |  This .signature does NOT contain
Arnold Engineering Development Center  |  a stealth .signature virus!
1103 Avenue B                          |
Arnold Air Force Base, TN  37389-1200  |

------------------------------

Date:    Wed, 04 Aug 93 11:01:49 -0400
From:    "William Walker x4570" <WALKER@aedc-vax.af.mil>
Subject: Re: Virus? (PC)

From:    00mltimmons@leo.bsuvc.bsu.edu (Mike Timmons)
> [...] I believe I have a virus on my computer.
>
> Symptoms:
>   I accidentally left a disk with a few zipped files in my A drive when
> I rebooted my computer.  Instead of the normal "Non-System disk or disk 
> error" message, I get the following "Kein System oder Laufwerkfehler 
> Wechseln und Taste drucken".  Where the e in drucken has two dots above 
> it.  I'm no computer wizard, but I know that this isn't a good sign.  
> Only a few of my disks do this.  
>
> [...] Any suggestions or even a translation of the text would be helpful.  
> If I have a virus on my system, it doesn't seem to be doing any harm.  At 
> least yet.  

As Arte Johnson once said, "Verry Interesting!"  I posted a message to the  
same effect earlier this year (VIRUS-L Vol.6 #075).  I got two replies to it, 
which corroborated my interpretation of the event: 

From: "Jochen Gloe"  <GLOE@cci.de>
> Hello from Germany...
>
> I inspected the boot sector of a 3,5" 1,44 disk and I found a Message
> similar to yours displayed on the screen.
>
>   Keine System- o. fehlerhafte Diskette
>   Wechseln und danach eine Taste druecken
>
> It seems to me that you don't have a virus in that suspicious boot
> sector because these messages are generated during the formatting of
> a disk and even F-PROT doesn't report a virus. To my mind F-PROT is
> one of the best virus-scanners and when that program says that you
> don't have a virus, you can nearly be sure that you don't have one.

(BTW, you're welcome for the plug, Fridrik!)
and 

From: Michael Hermann <hermann@kirk.fmi.uni-passau.de>
> the message you posted is from the german version of msdos and is
> displayed when you try to boot from a non-bootable floppy...
>
> I do not know why you did not find the message on the disk (I never
> searched for it though..)
>
> IMO your explanation was right, it was formatted by a german dos
> version and that is it.. no virus

"My explanation" was that the disk had been formatted with a German version
of DOS, as the message translates roughly to "No System or DOS error.  
Replace and press a key."  (Sorry, my German is rusty -- care to give it a 
try, Vesselin? ;-) )  What makes it interesting is how several people in 
the U.S. can get a German boot sector on their floppy without having a 
German version of DOS.  From sheer speculation, I would say it was via a 
DISKCOPY of a diskette with a German boot sector, which was a DISKCOPY of a 
diskette with a German boot sector, ad nauseam.  Does this explanation meet 
with everyone's approval?  Or is there a benign boot virus which carries 
the German message?  Or is there a German boot sector dropper?  ;-)

Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | "Simply do not ask me what this is
OAO Corporation                        |  all about, parce que je ne sais
Arnold Engineering Development Center  |  pas, mes chers."
1103 Avenue B                          |       -- Holly Golightly, 
Arnold Air Force Base, TN  37389-1200  |       "Breakfast at Tiffany's"

------------------------------

Date:    Wed, 04 Aug 93 15:28:39 +0000
From:    lps@rahul.net (Kevin Martinez)
Subject: Re: Flash ROM BIOS and viruses. (PC)

Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod Kedem) writes:

>Amir Netiv wrote to Inbar Raz:

> > Your turn...... |-))

>May I jump in?

> > Inbar Raz answers:
> >> However, I believe it's within the BIOS manufacturer's
> >> responsibility to produce a program to either check
> >> the integrity of such BIOS systems, or completely
> >> restore the BIOS, not to mention version updates :-)

>Amir Writes:
> > If I get you correctly; you mean that the FLASH BIOS will include a
> > procedure that checks (for example at POST time) the BIOS's CRC or
> > CHKSUM (or anything else for that matter).

> > Well if that's what you meant, I think the problem obviously will be
> > that a virus can put this procedure to sleep since it has access to the
> > entire BIOS area and the procedure is within this area.

>We can assume that any FLASH-ROM (FR) BIOS computer will also have a
>ROM part. This is to assure the integrity of the FR.
>Now, the ROM part of the BIOS may include a VENDOR defined algorithm to check 
>the integrity of the FR. This same thing is done with WD IDE Drives when 
>playing with the IDE drive's serial number. When editing such a sector on the 
>disk you must keep a correct checksum of the sector and write this checksum (
>or a variation of it) to a specific offset in that same sector. Implementing a 
>similar algorithm in FR computers will solve the problem as long as this 
>information is internal for each manufacturer.

>Another way is to make the FR non-self-modifiable. This means that as soon as the 
>computer is up and running the FR does not allow any changes to be written to 
>it. So, you'll ask, how can we upgrade the FLASH-ROM program? - well, the FR 
>will check the following conditions (for example):

>1. The computer was last COLD-BOOTED with a combination of keys pressed (like 
>the INS or ALT in AMI BIOSs).
>2. The computer was booted from a manufacturer supplied diskette.
>3. The FR is about to be changed by a manufacturer supplied program.

>This program checks the integrity of the current FR, saves it in memory, 
>writes the new FR program, checks its integrity and only then, if everything 
>is OK - boots the machine.

>Hmmm... Any comments ?

>Nemrod.Kedem@f138.n403.z2.fidonet.org       (Nemrod Kedem)
>FidoNet: 2:403/138    VirNet: 9:972/0    CI$ ID: 100274,73
>(972)3-966-7562 (14.4K)            (972)3-967-0348 (Voice)
>P.O.Box 8394,     Rishon Le-Zion,   Zip 75253,     Israel.

>- --- FastEcho/386 B0617/Real! (Beta)
> * Origin: <Rudy's Place - VirNet, Israel> Make Safe Hex! (9:9721/101)

Greetings!

At my place of employment, we have a huge compatibility lab for testing 
hardware. The motherboards I have seen with FLASH ROM or EEPROM Bios chips 
have a header and a shunt. The shunt is removed to change the contents of the 
chip. If this is not true of all motherboards then some certainly may be 
susceptible to damaging programs someone may write be they virus, logic bomb 
or poorly written user applications. The number of times I have seen 
software that we have purchased go out to lunch and do unexpected things 
would lead me to never buy a motherboard without hardware protection for a 
re-writeable BIOS. This goes for personal and corporate purchases.

Good Luck!

Kevin Martinez
lps@rahul.net
 
- -- 
Kevin Martinez <lps@rahul.net>
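
The scheme sketched in Nemrod Kedem's message above (a ROM part that checks a vendor-defined checksum stored inside the flash part, a flash part that is read-only once the machine is up, and an update program that verifies the image before and after writing), as an added toy model in C. It is not code from any of the posters or from any BIOS vendor; the hash function, the checksum offset and the unlock condition are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define FR_SIZE 64             /* toy flash part; a real one is far larger */
#define SUM_OFF (FR_SIZE - 2)  /* vendor-chosen offset of the stored checksum */

typedef struct {
    uint8_t image[FR_SIZE];
    bool write_enabled;        /* opened by the ROM part only on an update boot */
} flash_t;

/* Vendor-defined integrity function (an assumption, not a real vendor's): a
 * 16-bit hash over every byte except the checksum field kept at SUM_OFF. */
static uint16_t fr_sum(const uint8_t *img) {
    uint16_t s = 0;
    for (int i = 0; i < SUM_OFF; i++) s = (uint16_t)(s * 31u + img[i]);
    return s;
}
void fr_seal(uint8_t *img) {           /* done by the vendor when building an image */
    uint16_t s = fr_sum(img);
    img[SUM_OFF] = (uint8_t)(s >> 8);
    img[SUM_OFF + 1] = (uint8_t)s;
}
bool fr_verify(const uint8_t *img) {
    return ((img[SUM_OFF] << 8) | img[SUM_OFF + 1]) == fr_sum(img);
}

/* ROM part at POST: unlock the flash part only for a cold boot started with the
 * update key held (condition 1); refuse to run an FR whose checksum mismatches. */
bool rom_post(flash_t *fr, bool cold_boot, bool update_key_held) {
    fr->write_enabled = cold_boot && update_key_held;
    return fr_verify(fr->image);
}

/* Manufacturer update program; conditions 2 and 3 are modelled as the caller
 * supplying a vendor-sealed image. Returns 0 on success, negative on refusal. */
int fr_update(flash_t *fr, const uint8_t *new_img) {
    uint8_t saved[FR_SIZE];
    if (!fr->write_enabled) return -1;    /* normal boot: the FR is read-only */
    if (!fr_verify(fr->image)) return -2; /* current FR is already damaged */
    if (!fr_verify(new_img)) return -3;   /* new image fails the vendor check */
    memcpy(saved, fr->image, FR_SIZE);    /* keep the old FR for rollback */
    memcpy(fr->image, new_img, FR_SIZE);  /* write the new FR program */
    if (!fr_verify(fr->image)) {          /* check again before booting */
        memcpy(fr->image, saved, FR_SIZE);
        return -4;
    }
    fr->write_enabled = false;            /* lock the FR again, then boot */
    return 0;
}
```

A program running after a normal boot gets -1 from fr_update no matter what it supplies, which is the point of the lock; the checksum only catches an FR that was altered some other way.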

------------------------------

Date:    Wed, 04 Aug 93 09:06:35 -0800
From:    a_rubin%%dsg4.dse.beckman.com@biivax.dp.beckman.com
Subject: Re: Virus? (PC)

00mltimmons@leo.bsuvc.bsu.edu writes:

>	This is my first time actually posting to any newsgroup, and of all 
>of them, this is the last one I ever hoped to have to post to.  First, I'm 
>posting because I believe I have a virus on my computer.

>Symptoms:
>	I accidentally left a disk with a few zipped files in my A drive when
>I rebooted my computer.  Instead of the normal "Non-System disk or disk error"
>message, I get the following "Kein System oder Laufwerkfehler   Wechseln und
>Taste drucken".  Where the e in drucken has two dots above it.  I'm no computer
>wizard, but I know that this isn't a good sign.  Only a few of my disks do
>this.  

Does anyone here know German?  That looks vaguely like a German
translation of the standard non-bootable disk message.
- --
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

------------------------------

Date:    04 Aug 93 15:49:09 -0500
From:    00mltimmons@leo.bsuvc.bsu.edu
Subject: Thanks - re possible virus (PC)

	I'd like to thank everyone who replied to my post about a
possible virus.  I don't know a whole lot about boot records and such,
but after looking at a couple, I was coming to the same conclusion
that everyone else had.
	If only I'd taken German.  Thanks for all the help.

Mike Timmons

------------------------------

Date:    Wed, 04 Aug 93 13:23:24 -0400
From:    Gleason Sackman <sackman@PLAINS.NODAK.EDU>
Subject: SIMTEL 20 Closing Down (archive site) (fwd)

For those who frequently get antiviruses from Simtel20, read this:

;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Data SEGMENT PARA PUBLIC
     name DB 'Fabio Esquivel Chacon'     ;
      job DB 'Computer Science student'  ; C:\>dir a:
     site DB 'University of Costa Rica'  ;
   bitnet DB 'fesquive@ucrvm2.bitnet'    ; Virus found on drive A:
 internet DB 'fesquive@ucrvm2.ucr.ac.cr' ; Retreat, Apply, Install, Panic?
Data ENDS

- ----------------------------Original message----------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarded by Gleason Sackman, InterNIC net-happenings moderator
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- ---------- Text of forwarded message ----------
Date: Tue, 3 Aug 93 12:01:54 PDT
From: InterNIC Info Scout <scout@is.internic.net>
To: sackman@plains.nodak.edu
Subject: SIMTEL 20 Closing Down (archive site)

- ---------- Forwarded message ----------
Date: Tue, 27 Jul 1993 01:43:52 -0400 (EDT)
From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
To: OPERS-L@vm1.cc.uakron.edu, Telecom Digest <telecom@delta.eecs.nwu.edu>,
     Keith Petersen <w8sdz@tacom-emh1.army.mil>, COM-PRIV@psi.com,
     games-l@utarlvm1.BITNET, libernet@dartmouth.edu,
     tdarcos@access.digex.com, tdarcos@access.digex.net,
     info-vax@crvax.sri.com
Subject: SIMTEL 20 Closing Down

From: Paul Robinson <TDARCOS@MCIMAIL.COM>
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
- ---

The massive archive site WSMR-SIMTEL20.ARMY.MIL at White Sands Missile
Range, New Mexico, USA, which is home to more than 2 gigabytes of files
for many computer systems, including MSDOS, Unix, VMS and some mainframes,
will be shut down by its operators as of September 20, 1993.  Unless a new
home is found for the archives, this major archive site will vanish.

This is a major archive and if it is possible to save it, then it should
not be allowed to just disappear. If anyone knows of a site that can house
the master archives, please send a message to

             Keith Petersen <w8sdz@TACOM-EMH1.Army.Mil>

Mr. Petersen is trying to find a new home for the master archives.  Note
that many of the older files are on CD-ROM, so it is not absolutely
necessary that a site dedicate two GB of disk space, as perhaps 3/4 of
this is on CDs, so the option would be to loan perhaps 4 CD slots in
an optical jukebox, along with perhaps 500 meg of disk space.

Please pass this message to any list that might find it of interest.
Thank you.

- ---
Paul Robinson -- TDARCOS@MCIMAIL.COM

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 110]
******************************************
