To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #111
--------
VIRUS-L Digest   Friday,  6 Aug 1993    Volume 6 : Issue 111

Today's Topics:

Flash EPROMS
RE: Learning how to make virus programs: Info
Re: Learning how to make virus programs: Info?
Re: SIMTEL 20 Closing Down (archive site) (fwd)
nVIR A Virus (Mac)
Re: Dudley [odud] virus ? (PC)
Boot Sector (?) virus (PC)
Beijing virus or just a bad hard disk? (PC)
Re: Stoned Virus - found on my system-Bad? (PC)
Virus protection Software recommendation (PC)
Search & Destroy (PC)
HELP!!!!! russian virus (PC)
Re: Information on the 'Trident' Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 05 Aug 93 09:15:42 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Flash EPROMS

By now most readers are undoubtedly  confused ( I worked with some of the
first 2816s and _I'm_ confused).

In simplest terms, a "Flash" EPROM is an EEPROM (aka EAROM) that is faster
than most. It is similar to the "CMOS" memory in that it can be reprogrammed
"in situ" & is different in that it will not lose its mind if a battry goes
dead.

To a manufacturer, it is nice because if someone makes a boo-boo in 
programming the BIOS (like happed with the Nippon Electric Corp. machines
that would not reboot on a ctrl-alt-del) they can just send out a floppy
and all is well. Of course the marketoids dress it up by pointing out
the future reconfigurability capability of the ROM but I have a sneaking
suspician that a few QA engineers might have been "rightsized" also.

Now the real way to protect a system is with hardware. The real way to
protect a Flash ROM is with a key switch connected to the write-enable
pin, one that will not permit the machine to boot if the switch is in
the "write" position. Unfortunately this costs money but is a good 
indicator of who was driving the manufacturer, the marketoids or the
engineers. I have yet to see a virus that can throw a physical switch.

As pointed out, a ROM checksum is fine, but not if the Flash ROM is still
programmable. Today, and particularly for the military, denial of our
assets in a tactical situation is a strategic objective. Consider if on
Jan 15, 1991 all of the systems in Saudi had decided to refuse to boot
because there was a "CRC error" in the Flash ROM. They do not put battlefield
"run until meltdown" switches on military electronic gear without reason.

Like anything else "Flash ROM" is a mixed blessing. For instance, automatic
virus protection could be designed in that could take a signature of the 
fixed disk as installed and loaded. I have yet to hear of anyone having that
added feature though. Until I hear of real world added benefit, it is 
necessary to assume that the marketoids are in charge & added features are
for the manufacturer not us.

					Somewhat cynically,

						Padgett

ps To anyone who has a NEC that will not warm boot, my NoFBoot (part of
   the FreeWare FixUtil package) will take care of the problem - it worked
   for me 8*). 

------------------------------

Date:    Thu, 05 Aug 93 13:42:42 -0400
From:    SWB9%SVC%MBPP@cts27.comp.pge.com
Subject: RE: Learning how to make virus programs: Info

>mile5057@gmi.edu (Kristian Nmi Milec) wrote on Sun 01 Aug 93 13:16:59 -0400
>(Subject: Learning how to make virus programs: Info?) wanting to write a
>"virus" that lives in a Novell/etc server and infects the networked PC's and
>on them checks for "illegal" software.

>  (1) What sort of virus (Boot or .COM or what)? What is to stop it from
>spreading further?

There really is no need to make programs such as this virus-like, in
that they don't need to replicate and spread themselves.  A network
administrator can usually add commands to a user's profile to be
executed every time the user logs onto the network.  A "post-login"
command such as this can be used to check for software that is not
supposed to be on the computer, or really anything the sysop wants.
The only "virus-like" behavior might be to have a procedure to
automatically add the appropriate command to the profile.

The actual code would reside somewhere on the server, most likely in a
public "utility" directory, and would not need to ever get copied to
the user's workstation.  It certainly should not need to attach itself
to existing executables!!  (It's more like a "trojan" except that the
user would be informed of the procedure beforehand.  If refused the
user would be denied access to the network.)

>  (2) What software is illegal? (a) only allow an approved list of binary
>programs?, or (b) reject a forbidden list? If (a), what about programs that
>the network admin does not know about but the user has legally? In particular,
>what about programs that he has written himself?

This is a matter of network policy, and will be determined by each
individual network administrator.  The policy on the network I oversee
is to allow each user to use whatever he/she wants to so long as it
doesn't interfere with the normal operation of the network.  However,
I would be within my rights to demand that only company software be
present.

In any case the discussion of network policy has little bearing on the
original subject

------------------------------

Date:    Thu, 05 Aug 93 18:18:16 -0400
From:    Dennis Clouse <ISCDEC@uccvma.ucop.edu>
Subject: Re: Learning how to make virus programs: Info?

On Sun, 01 Aug 93 13:16:59 -0400 Kristian Nmi Milec (mile5057@gmi.edu)
suggested writing a 'virus' to spread over a network, the purpose being
to locate 'unwanted', 'illegal', or 'unapproved' programs on network
client machines.
  Hmmmmmmmm.
  Gee, Kristian, I forsee a minor design problem.
  When _your_virus_ encounters anti-virus and integrity software on the
clients' machines, how are you gonna convince that A-V software, just
this once, and just for you, that _your_virus_ is OK?
  ... if you can't, what do you propose doing?
      1) put them on your 'disallowed' list?
      2) disable them?
      3) modify them to ignore _your_virus_?
      4) let them choke on _your_virus_?

------------------------------

Date:    Thu, 05 Aug 93 23:13:18 +0000
From:    gb03@ns1.cc.lehigh.edu (GEORGE PHILIP BLUHM)
Subject: Re: SIMTEL 20 Closing Down (archive site) (fwd)

>The massive archive site WSMR-SIMTEL20.ARMY.MIL at White Sands Missile
>Range, New Mexico, USA, which is home to more than 2 gigabytes of files
>for many computer systems, including MSDOS, Unix, VMS and some mainframes,
>will be shut down by its operators as of September 20, 1993.  Unless a new
>home is found for the archives, this major archive site will vanish.

Is this part of the reduction of the Milt budget?

Our president wants to have a nation wide network of computer
services.  Now we are about to loose what does exist.  So much for
technology in a liberal society. (Remember an informed prolatariat is
dangerous (Stalin))

- -- 
George P. Bluhm Jr.
Graduate Student
Lehigh University

------------------------------

Date:    Thu, 05 Aug 93 11:35:42 -0400
From:    grimhac@santafe.edu (Chris Unger)
Subject: nVIR A Virus (Mac)

	The other week my university found a virus on one of it's macs.
Was wondering if anybody has any info on it. It's called "nVIR A" I
believe. 

- --

(*************************************************************************)
(**   Chris Unger                            Kutztown University        **)
(**   unge1845@acad.csv.kutztown.edu         Computer Services          **)
(**   grimhac@sanjuan.santafe.edu            (215)-683-4152             **)
(**                                                                     **)
(**     Last night as I lay in bed looking at the stars I thought	**)
(**		    'Where the hell is the ceiling?'			**)
(*************************************************************************)

------------------------------

Date:    Thu, 05 Aug 93 07:45:58 -0400
From:    oenglund@bilbo.abo.fi (Olof Englund)
Subject: Re: Dudley [odud] virus ? (PC)

Nope, i don't think there is. I looked the virus up in VSUM (Oi Dudley)
aaand.....no detection method....YET! Just delete infected files (however
you'll find out wich are infected)

                                          Olle

------------------------------

Date:    Thu, 05 Aug 93 08:34:11 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Boot Sector (?) virus (PC)

From:    corneliu@cs.curtin.edu.au (Nigel Cornelius)
Subject: Hokay, boot sector viruses (PC)

>I can't tell if my computer is infected or not, apparently a boot
>sector virus called "Boot 437" is being spread around the campus PC's
>(methinks, not too sure, McAfee's Scan V106 can't pick it up, but
>F-Prot can, unfortunately, fprot cannot eradicate this menace.) Now,
>as yet I don't know if my home pc is infected yet.

Nigel:

The question is whether you have a boot sector of MBR infector virus
- - the answer will determine the easiest repair.

First, however, is the matter of determining if you are infected. Since
such viruses must go resident and there is only one consistantly "safe"
place for a program to do so during boot (the TOM - see the FAQ), both
MBR and BSI infectors are easily detected by the loss of "total bytes
memory" as reported by CHKDSK or MEM. This is also a good check of
whether or not the cold boot was really from an uninfected floppy.

This type of virus allocates from one to nine (most I have seen) k of memory
and the normal 640k (655,360 bytes) will be reduced. Caveat: some OSs take
some memory from the top also so if 1k is missing I would be just suspicious
but if 2 or more is gone, I would want to know why.

Several programs exist that can remove this kind of virus including those
bundled with DOS - most MBR infectors can be removed with DOS 5.0 & 6.0
FDISK /MBR. BSI infectors can be removed with SYS following a cold, clean
boot. SYS also works on both kinds of virus for a floppy but the DOS 6.0 
SYS takes up 180k limiting its usefulness.

My FreeWare FixUtil (v5 is current) contain a number of programs for this
including FixFbr which is designed for the fast repair of floppies (nearly
as fast as you can insert & remove the floppy). FixFBR also uses no memory.
FixMBR will repair many viruses that FDISK / MBR cannot plus has the ability 
to add  "smart" virus detecting code to the MBR.

The important thing is that my programs do not need to know what has infected
a PC, they operate on the principle of what the PC requires to boot properly
(with some additional checks that were "not in (Microsoft's) business
interest" to include with DOS).

I work in a corporate environment and fully understand the problems of 
licensing even trivial amounts. For this reason, my FixUtil programs, while
copyrighted, are FreeWare and may be used anywhere without restriction
so long as unchanged.

In recent months I have been noticing a disturbing rise in the number of MBR
& BSI infections being reported - 100% in some areas. I do not understand why
this is occuring.
						Good luck,

							Padgett

------------------------------

Date:    Thu, 05 Aug 93 12:39:53 +0000
From:    hlr@aber.ac.uk (Hazel Marie Davey)
Subject: Beijing virus or just a bad hard disk? (PC)

Hi there,
	I hope someone can help with my query....
I have a 386sx PC running DOS 5. Recently I started getting Disk
errors reported by Windows 3.1 when it was saving files. Eventually
last week when I tried to open file manager Windows crashed and
when I rebooted my PC there were two new null-name directories
below my windows directory, about half a dozen new files in the
windows dir with strange names (hearts / spaces etc) and one file name
that I recognised as some of the contents of a file that had been 
there before. Also system.ini and win.ini were missing.

	Also for about the last month the 5 1/4" A: drive has not
been working. I returned my PC to the computer unit and they now
tell me that they think it was a beijing virus. I know that this
interferes with floppy drives but nothing else about it. I scanned
my hard disk immediately after the windows crash and the last time
was probably about a week before. I also scan all floppies before
copying anything from them onto my machine and any software I download
by ftp gets scanned both in the zipped form and after unzipping. - 
As you can see I'm pretty paranoid! I used McAfee v100 to do these
scans and nothing was ever picked up. The computer unit didn't
pick anything up with their scanner either but just said the symptoms
indicated a beijing virus. 

If it was would my scanner have picked it up?
Will my scanner pick it up on my backup files?
Do you think I had a beijing virus?

Please reply either by Email or to the net. 

Thankyou in advance

Haze
- -- 
		(hlr@aber.ac.uk)
Department of Biological Sciences
University of Wales
Aberystwyth

------------------------------

Date:    Thu, 05 Aug 93 10:29:04 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: Stoned Virus - found on my system-Bad? (PC)

From:    z_hustonfn@ccsvax.sfasu.edu

>some serious damage internally, BUT I don't know, so I'm asking
>anybody to give me some kind of answer.  If you know anything about
>this virus and what it does please explain it to me because I am
>really sick of this problem I'm having and just would like to get it
>all over with.

Stoned hides in the boot sector of floppies, and the partition table of 
hard drives.

Stoned is rather benign.

There are several ways to get rid of it.

Turn off the computer for a few seconds, and boot clean from a write 
protected bootable diskette.  Stoned has been reported to survive a warm 
boot (ALT-CTRL-DEL sequence).

Removing the virus 

there are two ways to remove Stoned.

1. Anti-viral software like CPAV, F-Prot, Clean etc.
2. If you're using DOS 5.0, or higher try FDISK /MBR

If you don't have a write protected bootable diskette, remove the virus 
with one of the methods listed above, but cold boot the computer after the 
process is finished, or Stoned may re-infect the hard drive again.

After the Hard drive is back up to speed, clean every diskette in the 
Building, or Stoned will be back.

Hope this has been helpful.

Bill Lambdin

------------------------------

Date:    Thu, 05 Aug 93 21:17:16 +0000
From:    bjgreenb@rs6000.cmp.ilstu.edu (Brian Greenberg)
Subject: Virus protection Software recommendation (PC)

I am looking for the best Anti-Virus software for DOS or Windows
(perferably Windows).  I used to use McAffee and Norton.  Are there
any reccomendations of types and prices, also why might one out weigh
another.

Thanks, Brian

P.S. If you know of any versions that would work on a network that
would be a plus.

*******************************************************************************
    _/_/_/   _/_/_/  _/_/
   _/   _/    _/   _/   _/                 Brian J. Greenberg
  _/_/_/     _/   _/                 bjgreenb@rs6000.cmp.ilstu.edu
 _/   _/ _/ _/   _/   _/_/                c15892@email.mot.com
_/_/_/   _/_/     _/_/ _/           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*******************************************************************************

------------------------------

Date:    Thu, 05 Aug 93 21:36:45 -0400
From:    mvjma2@cbnewsb.cb.att.com (jenny.m.abar)
Subject: Search & Destroy (PC)

an anyone tell me where I can get the program or updates for
Search & Destroy?  If not, are there any other programs that
check inside of zipped files?  I keep mostly zipped files on
my hd and could never get ziplab local to work properly, so 
S & D seems to do a good job.  Any reviews on the effectiveness
of theis program would also be appreciated. Thanks.

Jenny Abar

------------------------------

Date:    Fri, 06 Aug 93 08:10:45 -0400
From:    Astrid Kuhr <ICH561@djukfa11.bitnet>
Subject: HELP!!!!! russian virus (PC)

Very urgent help needed!!!!!_

We have a virus on our PC, and no antivirussoftware which is able to find
him!!! (e.g. f-prot 209)
The symtoms of the virus: After some times a melody is played (different)
One is the beginning of the russian national hymne, so it's perhaps a virus
from there.
Sometimes some ascii-symbols going through the screen.
And since a few days you get the message 'Formatting c: complete, do you
want to formate another disk?' during booting (but very gald, that he dont
formatte realy!!)
'How do you feel now after formatting your hard disk?' then appears.

Is there somebody who has a similar virus?
And how can I find and clear him???????????????

Regards, Astrid Kuhr

- --
a.kuhr@kfa-juelich.de

------------------------------

Date:    Fri, 06 Aug 93 13:26:09 +0300
From:    eugene@kamis.msk.su (Eugene V. Kaspersky)
Subject: Re: Information on the 'Trident' Virus (PC)

> We've recently had an attack of the 'Trident' virus, and seemed to
> have gotten rid of it, but no one was able to supply us with information
> as to what it would do when activated.

Trident? Which of scanners reported this name? I have not Trident virus(es)
in my collection, but several viruses contain internal string "Trident":

Girafe:    "[ MK / Trident ]"
Trivial-64:  "Trident"
Caco:      "(C) 1992 John Tardy / Trident"
Civilwar:  "Trident/Dark Helmet"
Crusher:  "Bit Addict / Trident"
Cruncher: "[ MK / Trident ]"
TPE-based viruses (Trident Polymorphic Engine): "[ MK / Trident ]"

BTW, did you have *real* attack? Maybe it's false alarm? Several scanners I
tested generate false alarms on testing the files for TPE-based viruses.

Regards,

Eugene

- -- 
- -- Eugene Kaspersky, KAMI Group, Moscow, Russia
- -- eugene@kamis.msk.su +7 (095)939-4066

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 111]
******************************************
