To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #115
--------
VIRUS-L Digest   Thursday, 26 Aug 1993    Volume 6 : Issue 115

Today's Topics:

Marketoids
Re: origin of term virus
Re: Origin of the word "virus"
Re: Flash EPROMS
Form Virus (PC)
Re: Form virus (PC)
Re: Any good anti-viral shareware out there (PC)
Re: Perfume virus? (PC)
Re: FProt Professional (PC)
VT-Schutz wanted (PC)
Re[2]: Norton A-Virus (PC)
Re: Forms virus (PC)
Re: Sharing .def files between scanners (Novell) (PC) (MAC)
Re: Forms virus (PC)
SPORT21C.ZIP (PC)
Re: Any good anti-viral shareware out there (PC)
KOH Virus Description (PC)
LAN Security and Viruses (PC)
Vshell 2.05 (PC)
Virus Catalog: new edition
NCSC 16 Announcement
Mutlipartite - Pro (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 19 Aug 93 09:19:07 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Marketoids

>From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)

I wrote:

 > Until I hear of real world added benefit, it is
 > necessary to assume that the marketoids are in charge
 > & added features are for the manufacturer not us.

Amir replied (in part):

>I disagree with you here: I think that PC manufacturers are with an open ear
>to what is happening in the world and to user demands since the competition is
>so hard that any feature counts. Moreover it is my belief that we (the public)
>influence the configuration of both hardware and software in the world. Is it
>not a fact that Microsoft swallowed a (BAD) Anti-Virus just to satisfy the
>public? And a Disk-Doubler just for that same reason? And a ..... |-)

Unfortunately, it is the marketoids and the bean counters who are listening 
not the execs or the programmers. Two years ago I tried to GIVE both Microsoft
and Digital Research (now Novell) a proven mechanism for detection of MBR
viruses (STONED, MICHELANGELO, etc.) that would have been easy to integrate
into their new OS releases (much easier than my FreeWare FixUtils since they 
must work with anything from DOS 2.0 on up). Neither was even interested
enough to discuss it.

I am not going to go into DOS 6.0 other than to say that it is not a well
integrated product, rather it is a collection of sometimes incompatible
utilities that are not well documented. Further IMHO when I get a reply
from Microsoft about difficulty with DOS 6.0 that is essentially "You have
a BIOS made before 1989? That's your problem!" & goes far to explain
that .5% verified DOS 6.0 problem rate.

For those of you who are familiar with the IBM Technical manuals,
the transition from PC-DOS 2.0 to 3.0 in 1984 resulted in a manual about
half the size of the previous one with much vital information left out. By
1987 IBM's dominance of the market had dissipated. Compare the DOS 5.0
manual to the pamphlet supplied with DOS 6.0.

It would seem that the really good programmers have gone on to other ventures.
Recently I purchased the QEMM 7.0 upgrade (one of the few packages I will 
spend money for - of course another is WordStar 7.0 so you can make your
own opinion). Somewhere in the depths of Quarterdeck (probably kept in a cage
and fed twinkies) is an absolutely BRILLIANT programmer who can make
a 386/486 do incredible things. We talk about viruses "tunnelling" and
"hiding" but they are all crude in comparison to QEMM 7.0 "stealth".

True, OPTIMISE could be improved (the "millions" of combinations tried
do not yet include reordering), but with proper tuning the results are
incredible. Consider that my poor abused 386/25 now supports duty as a Novell 
3.11 server, Lantastic server, and DOS/Windows development; it also provides
a platform for Geoffery's CD-ROM, SoundBlaster Pro, & runs "The Seventh
Guest" admirably *and* with 620k free. Writing code while listening to Bob 
Seger is a new experience though I did have to post a list of which keys
(alt, ctrl or none) to hold down while booting for the different 
configurations.

Unfortunately, the marketoids at Quarterdeck do not seem to really know what
they have and the superb DESQview engine is marred by a not-ready-for-prime-time
user interface and it is Not Windows 8*(.

For those who study automotive history, I would say that the PC has reached
1922.

					Warmly,
						Padgett

ps DiskSecure II is almost ready (really 8*). I have it running at home & 
   just need to put the installation routine together. (Well the a/c in the 
   Judge is fixed and the stucco work is stalled until the weather cools off 
   a bit). Much like the original anti-virus, access-control, no-floppy-boot
   program with some major changes:
   1) No longer need a special  "maintenance floppy", just hold the Ctrl key
      down during boot (password optional) like the current SafeMBR. Permits
      setting the BIOS to boot from C: only. Floppy boot takes place *after*
      protection is in place (I just leave the Novell boot floppy in A: now).
   2) Compatible for password/low level virus protection of Novell server
      & with Windows 32BitDiskAccess
   3) Relocates to low memory after boot so DOS has full 640k to play with -
      TSR only needs 304 bytes (decimal not hex) of low memory.
   4) Automatic fail-op "recovery mode" using redundancy (just like F-16 8*)

------------------------------

Date:    Thu, 19 Aug 93 17:14:10 -0400
From:    Anthony Naggs <amn@ubik.demon.co.uk>
Subject: Re: origin of term virus

David Strip, <drstrip@isrc.sandia.gov>, writes:
>
> don't know if it's the first ref, but "virus" in a remarkably prescient use
> appears in the SF novel "When HARLIE Was One" by David Gerrold (whose fame
> lies in his authorship of the Star Trek episode "The Trouble with Tribbles").

We haven't had this topic for a while ...

"When HARLIE Was One" was written and published in 1972.

John Brunner's  SF novel "The Shockwave Rider" (1975) also uses the
terms "phage", "tapeworm" and "virus" to describe software that copies
itself around a national US government network.

Regards,
Anthony Naggs                 Email:                  Paper mail:
 Software/Electronics Engineer amn@ubik.demon.co.uk    P O Box 1080, Peacehaven
 & Computer Virus Researcher                           East Sussex  BN10 8PZ
 Phone: +44 273 589701                                 Great Britain

------------------------------

Date:    Fri, 20 Aug 93 01:26:08 -0400
From:    ksaj@pcscav.com (OS R & D)
Subject: Re: Origin of the word "virus"

David Gerrold did write about computer "VIRUSES", but they weren't quite 
the same as what we have now.  He was actually describing a worm.

In his 1985 release, he rewrote the plot to properly reflect what a 
computer virus was.

Either way, he was rather ahead of his time.

BTW:  I didn't realize he wrote "The Trouble with Tribbles".  That was a 
      good episode.

                        karsten johansson

---
ksaj@pcscav.com (OS R & D)
  PC Scavenger -- Computer Virus Research, Toronto CANADA (416)463-8384
  Free services: send EMAIL to info@pcscav.com or virus.list@pcscav.com

------------------------------

Date:    Fri, 20 Aug 93 04:42:50 -0400
From:    nigelm@ohm.york.ac.uk (Nigel Metheringham)
Subject: Re: Flash EPROMS

Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes:
>padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

Padgett> Now the real way to protect a system is with hardware.
Amir> So true.....!!!

Padgett> The real way to protect a Flash ROM is with a key switch connected
Padgett> to the write-enable pin, one that will not permit the machine to
Padgett> boot if the switch is in the "write" position.
Amir> It would be nice, but like you say later in your letter: it costs money.
Amir> Anyway remember that every key has at least 2 positions, and the
Amir> energy required to move it from one position to another is the same as the
Amir> energy required to move a mountain when it comes to users behaviour (isn't it
Amir> so ? ;-) ). Think of all the long-lost data that could be saved simply by
Amir> backups...

How about this as a scenario for protecting your Flash ROM.  You have
a keyswitch which will presumably have the standard keyboard lock
function on it, but would also have a 3rd position which is spring
loaded (ie like a car ignition switch).
The PC contains circuitry which enables and disables writing to the
Flash ROM.  This circuit can only be armed if it is prodded by
software while the key is twisted into the spring loaded position.
Once armed the Flash ROM can be written to.  The circuit can be
disarmed by software.  The circuit is always disarmed on power up
and if the key switch is put to the locked position.

So to update your Flash ROM code you would insert your update disk,
run the code, and it would then ask you to turn the keyswitch, it
could then do the update, and disable writes to the Flash ROM again.

That would seem to me to be secure, other than a combination of
malicious code fooling the user into doing something silly.  To
really make things secure you could require this is done from the
pre-boot code, but that could probably be worked round by software
so buys very little.

The only problem is, as ever, cost - PCs are consumer items now and
adding cost for something esoteric is not generally a hit with the
manufacturers.

	Nigel.

--
#   Nigel Metheringham  -- (NeXT) EMail: nigelm@ohm.york.ac.uk    #
#   System Administrator, Electronics Dept, University of York    #
#   York YO1 5DD. Phone: +44 904 432374, Fax: +44 904 432335      #
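As an added illustration of the keyswitch-gated write-enable circuit proposed above (this is not code from the post; the state machine and action names are an assumed model), the following Python models the circuit and exhaustively checks that no sequence of software-only actions from power-up can ever write the Flash ROM, so the residual risk is exactly the one Nigel names: an operator being talked into turning the key.

```python
from itertools import product

# Key switch positions; MOMENTARY is the spring-loaded third position.
LOCKED, NORMAL, MOMENTARY = "locked", "normal", "momentary"


class FlashWriteGate:
    """Assumed model of the proposed write-enable circuit.

    - arm() only succeeds while the key is physically held in MOMENTARY
    - the circuit is disarmed on power-up, by software, or by locking the key
    - write_flash() succeeds only while armed
    """

    def __init__(self):
        self.key = NORMAL     # operator has released the key
        self.armed = False    # always disarmed on power-up
        self.writes = 0

    # Physical action: needs a person at the keyboard.
    def turn_key(self, position):
        self.key = position
        if position == LOCKED:
            self.armed = False

    # Software-visible actions.
    def arm(self):
        if self.key == MOMENTARY:
            self.armed = True
        return self.armed

    def disarm(self):
        self.armed = False

    def write_flash(self):
        if not self.armed:
            return False
        self.writes += 1
        return True


SOFTWARE_ACTIONS = ("arm", "disarm", "write")


def software_only_can_write(max_steps=6):
    """Try every software-only action sequence of length 1..max_steps from
    power-up (nobody touches the key). Returns True if any write succeeds."""
    for n in range(1, max_steps + 1):
        for seq in product(SOFTWARE_ACTIONS, repeat=n):
            gate = FlashWriteGate()
            for action in seq:
                if action == "arm":
                    gate.arm()
                elif action == "disarm":
                    gate.disarm()
                elif gate.write_flash():
                    return True
    return False


def update_procedure():
    """The update flow from the post: updater runs, asks the operator to
    turn the key, arms, writes, then disables writes again.
    Returns True when the write happened and writes are closed afterwards."""
    gate = FlashWriteGate()
    before = gate.write_flash()      # must fail: key not yet turned
    gate.turn_key(MOMENTARY)         # operator holds the spring-loaded position
    gate.arm()                       # software prods the circuit while key is held
    gate.turn_key(NORMAL)            # spring returns the key; circuit stays armed
    during = gate.write_flash()      # the actual ROM update
    gate.disarm()                    # updater disables writes again
    after = gate.write_flash()       # must fail again
    return (not before) and during and (not after) and gate.writes == 1


def locking_key_disarms():
    """Locking the keyswitch must drop an armed circuit."""
    gate = FlashWriteGate()
    gate.turn_key(MOMENTARY)
    gate.arm()
    gate.turn_key(LOCKED)
    return not gate.write_flash()


if __name__ == "__main__":
    print("software alone can write flash:", software_only_can_write())
    print("update procedure works:", update_procedure())
    print("locking key disarms:", locking_key_disarms())
```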

------------------------------

Date:    Thu, 19 Aug 93 09:28:56 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Form Virus (PC)

>From:    gt2242a@prism.gatech.edu (Scot Wesley DeLancey)
>Subject: Forms virus (PC)

>I quit having things bogg down in my CPU for a
>while then it started happening again.  Can someone tell me if Form
>sleeps somewhere or can it exist on a LAN?

The virus cannot infect from a LAN by itself but a "dropper" is almost
trivial to write & unfortunately few scanners are of much use with
"droppers" (have been saying this for years now but so far only
Frisk has made a stab at it with his heuristic scan. The real answer
IMHO is integrity management and write protection/boot validation of the 
MBR/DBR. - read my lips: it can be done).

>From:    Jos_Callewaert@f907.n292.z2.fidonet.org (Jos Callewaert)
>Subject: Form virus (PC)

>I just stumbled on a diskette containing the FORM virus.  McAfee
>scanv106 finds it, but clean106 gives me a message : Virus cannot
>safely be removed.  It seems to be a boot record virus.

Am surprised since it is trivial to remove though like the Music-Bug
or Stoned can cause corruption of the floppy from where it puts the
rest of its code (nothing you can do about that but you can defang
the virus - try my FixFBR in FixUtil5).

					Warmly,
						Padgett
------------------------------

Date:    Thu, 19 Aug 93 13:05:00 -0400
From:    MAL@NETCOM.COM
Subject: Re: Form virus (PC)

Luc Henderieckx (Luc.Henderieckx@f902.n292.z2.fidonet.org) wrote:

:  JC> Does anybody has any idea as to how to get rid of the beast (and still
:  JC> have the data on the disk)?

: Boot from a protected diskette containing the same DOS-version as on your HD 
: and perform a "SYS C:" command followed by a "FDISK C: /MBR".

But, he found the virus on a diskette; what you're describing is how to remove a
boot sector virus from his HD boot sector and clean his partition table (which
is unnecessary with the Form).

Clean cannot remove it because the Form has actually damaged the boot
sector so much that it cannot be restored to its original status. If
your HD is clean just boot up from the HD, then after boot up put in
the floppy, copy the files to your HD, format the floppy and copy the
files back.
 
Regards,
Michael Albers.

------------------------------

Date:    Thu, 19 Aug 93 13:08:23 -0400
From:    MAL@NETCOM.COM
Subject: Re: Any good anti-viral shareware out there (PC)

dk010b@uhura.cc.rochester.edu wrote:
: I'm looking for a good anti-viral program that is available as
: shareware. If you know af a good one (and how I can easily get it) or
: if you have one you wouldn't mind sharing I'd really appreciate it.

Shareware is not freeware; it means try before you buy. Try the
McAfee.com ftp site, the best for me.
 
regards,

Michael

------------------------------

Date:    Thu, 19 Aug 93 13:11:45 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Perfume virus? (PC)

d.j.e.nunn@durham.ac.uk (Douglas Nunn) writes:

>Can anyone tell me about the Perfume virus? F-Prot209a gave the message
>"Possibly a new variant of Perfume" recently, but other scanners found
>nothing.

Then you have three possibilities:

    1) It is a false alarm (somewhat unlikely, as I have not changed my
       detection of Perfume in a long time).  However, if this is only
       reported in a single file, the chances of this being a false positive
       are significantly higher.

    2) It is indeed a new version - in that case you should send a copy of
       the file to anti-virus producers, so they can update their software
       if necessary.

    3) It is a new virus, but not related to Perfume - just mis-identified.
       Please note that there is a significant difference between F-PROT
       saying "possibly a new variant of..." and "New or modified variant of.."

>Info that would help:-
>- - what does it do?

    Unknown - even if this is a virus it is probably a new one.

>- - what signature string would find it?

    Sorry, I don't understand what you mean by that question.

>- - can it be removed?

    Probably, yes...if it is a virus.

-frisk

--
Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date:    Thu, 19 Aug 93 13:18:19 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: FProt Professional (PC)

James.Ford@seebeck.ua.edu (James Ford) writes:

>Can someone send me information on the difference between FProt v2.09
>and FProt Professional?

     The professional version includes everything that is included in the
     shareware version + an integrity checker with generic disinfection
     capabilities and various other programs that are produced not by us
     here in Iceland, but by the distributors of the Professional version.
     In addition, there are some programs they produce, which we (in Iceland)
     don't sell as a part of F-PROT, such as the recent NLM version.

>Does FProt v2.09 successfully take care of the Chinese Fish virus?  I
>haven't seen it, but a user here says that it does not.

Version 2.09a handles it - that version is not available on FTP sites, but
I can send it to anyone that has problems with Chinese Fish.  The reason I
have not uploaded 2.09a is that 2.09b is almost finished, and I will be
uploading that instead.

2.10 is scheduled for release in early September - just before the virus
conference in Amsterdam.

-frisk

------------------------------

Date:    Thu, 19 Aug 93 14:04:40 -0400
From:    rw2@irz301.inf.tu-dresden.de (Ruediger Werner)
Subject: VT-Schutz wanted (PC)

Does anyone know where I can get the actual version of VT-Schutz ?
The number of my release is 2.54

Thanks

------------------------------

Date:    Thu, 19 Aug 93 17:07:42 -0400
From:    "Jimmy Kuo" <cjkuo@symantec.com>
Subject: Re[2]: Norton A-Virus (PC)

clangenh@cs.uct.ac.za (Clement Langenhoven) writes:

>It would seem that the earlier posting concerning
>the NAV virus-ID files died very, very unnoticed.

It was answered in virus-l digests #082, #098, and #105.  I expect
when people are looking for something free, to do some research.  As
we sell an update service, I have to draw the line somewhere between
business interests and just being a good guy.

>A mention/query was made concerning someone uploading
>such files to an Internet-site.  I remember the guy
>from Symantec stating quite conclusively that this was
>legal.

>SO DOES ANYONE KNOW WHETHER SUCH A SITE INDEED EXISTS ???

From Digest #105:
>From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
>Bryan D. Jones (bdj@uafhp.uark.edu) writes:

>> Anyone know where on the internet one can ftp the latest nav*.def
>> file?  The last one I have is from march.  BTW I'm useing NAV 2.10

>Available from our ftp site as

>ftp.informatik.uni-hamburg.de:/pub/virus/progs/nav21upd.zip

>The file name is always one and the same, but the archive is
>constantly kept up-to-date - Symantec send us the updates regularly.
>There are also updates for NAV 2.0 - the archive name is nav20upd.zip.

I have yet to send Vesselin the August update as he is on vacation.

Jimmy
Norton AntiVirus Research

------------------------------

Date:    Thu, 19 Aug 93 17:14:08 -0400
From:    Anthony Naggs <amn@ubik.demon.co.uk>
Subject: Re: Forms virus (PC)

Scot Wesley DeLancey, <gt2242a@prism.gatech.edu>, writes:
>
> I have the Form virus on my pc.  I think I have infected several other
> peoples' machines.  I've run Norton Anti-Virus on it and it supposedly
> got rid of the virus.  I also cleaned my floppies with DOS 6's
> anti-viral program.  I quit having things bog down in my CPU for a
> while then it started happening again.  Can someone tell me if Form
> sleeps somewhere or can it exist on a LAN?

I'll try to answer this, and some of the other queries about Form in
the latest Virus-L.

Form virus infects the boot record of floppy and hard disks, (NOT the
partition table).  It does not normally infect across networks.

FORM Infection
    Form infects your PC when you (accidentally) boot the computer with
    an infected diskette in drive A:.  Even if the diskette is not
    'bootable' the virus loads into memory.  When you remove the diskette
    and press a key DOS loads from your hard disk, BUT the virus infects
    the hard disk!

FORM Disinfection
    It is important to disinfect your hard drive, and check/disinfect
    ALL floppies that may have been infected.

    Hard disk:
        1   Use an anti-virus product, following the instructions.
        or
        2   (a) Boot from an uninfected disk with the same version of DOS
                as you use.
            (b) Use the 'SYS' program to reinstall DOS on your hard drive,
                typically by:
                SYS C:
                The 'C:' may be 'D:' or 'E:' ... if you are using an unusual
                configuration or disk compression software (eg Stacker,
                SuperStor ...)
            (c) Reboot the PC to regain access to all your programs.

    Floppy disks:
        1   Your anti-virus should detect infected disks, and will probably
            repair them.
        or
        2   You can use SYS to copy DOS to each infected disk, but they may
            not have enough free space.
        or
        3   Copy files to uninfected disks, eg with COPY, XCOPY or products
            like Norton Commander, Xtree  -  do not use diskcopy.  Re-Format
            the infected disks (use /U with DOS 5 and 6 FORMAT to force
            replacement of the infected boot sector).

Hope this helps,
Anthony Naggs                 Email:                  Paper mail:
 Software/Electronics Engineer amn@ubik.demon.co.uk    P O Box 1080, Peacehaven
 & Computer Virus Researcher                           East Sussex  BN10 8PZ
 Phone: +44 273 589701                                 Great Britain

------------------------------

Date:    Thu, 19 Aug 93 17:14:07 -0400
From:    Anthony Naggs <amn@ubik.demon.co.uk>
Subject: Re: Sharing .def files between scanners (Novell) (PC) (MAC)

Andy Wing "The Radio Gnome", <V2002A@VM.TEMPLE.EDU>, asks:
>      Is it possible for any of the popular PC scanners to use a MAC .def
> file to scan a Netware Volume with MAC namespace loaded?  ...Also vice-versa.
> e.g., have F-Prot load additional definitions from SAM or Disinfectant and
> scan the MAC volumes... have SAM load an F-Prot .def file and scan PC files
> on the server.

No (popular) virus scanners can do this.  A few Unix and VMS based products
attempt to scan for both, but they lack the ability to recognise polymorphic
PC viruses that encrypt themselves differently between each generation.

It would be relatively simple to produce a virus scanner for a Netware
server that would check for PC and MAC (and Amiga) viruses on MS-DOS and
MAC volume.  Perhaps Symantec or Datawatch (who have individual products
for both platforms) will offer such a product.

If I had a MAC and knowledge of MAC viruses I might even try it myself.  :-)

>      Is there or should there be a standard for virus definition files?
> Thoughts?

There isn't, and there should not be.  There is strength in the diversity
of anti-virus products, different vendors use different techniques and
so have different weaknesses.

Regards,
Anthony Naggs                 Email:                  Paper mail:
 Software/Electronics Engineer amn@ubik.demon.co.uk    P O Box 1080, Peacehaven
 & Computer Virus Researcher                           East Sussex  BN10 8PZ
 Phone: +44 273 589701                                 Great Britain

------------------------------

Date:    Thu, 19 Aug 93 18:09:05 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: Forms virus (PC)

>I have the Form virus on my pc.  I think I have infected several other
>peoples' machines.  I've run Norton Anti-Virus on it and it supposedly
>got rid of the virus.  I also cleaned my floppies with DOS 6's
>anti-viral program.  I quit having things bog down in my CPU for a
>while then it started happening again.  Can someone tell me if Form
>sleeps somewhere or can it exist on a LAN?

The problem with boot sector viruses is that they are very good
replicators. Usually they infect every diskette accessed in A:.

Just removing the virus from the hard drive is not good enough. Users must
scan every diskette on site or the virus will usually return in 30 days or
less.

I have an analogy that proves the point beautifully, and it shouldn't waste
too much bandwidth.

I was contacted to remove Stoned-B from a computer used in the office of a 
nearby church. I drove over, and cleaned the hard drive. I removed the 
virus, then scanned all diskettes and cleaned the ones that were infected, 
then left.

The Next week, the computer was infected again. I cleaned the hard drive, 
and all diskettes, and asked if there were any more diskettes to check. I 
finished and left.
 
This kept happening every week until I had made five visits.
 
On my fifth visit, I cleaned the drive, and was getting ready to leave, and
the Secretary's son Josh wanted to play Lode Runner from a bootable
diskette.

I scanned the diskette, and sure enough it was infected with Stoned-B. I 
removed the virus from that diskette, and Stoned-B has not reinfected that 
computer since.

The moral of the story is to scan all diskettes.

Bill

------------------------------

Date:    Thu, 19 Aug 93 19:20:34 -0400
From:    sgt@lakes.trenton.sc.us (Sgt rock)
Subject: SPORT21C.ZIP (PC)

Has anyone out there heard of a file: SPORT21C.ZIP that supposedly
contains a virus that attaches itself to .com & .exe files and
increases the size of the files by 302 bytes. It also supposedly
changes the dates on some DOS files????

------------------------------

Date:    Fri, 20 Aug 93 02:02:53 -0400
From:    clangenh@cs.uct.ac.za (Clement Langenhoven)
Subject: Re: Any good anti-viral shareware out there (PC)

Yup, there's the classic, standard shareware anti-virus
package from Mcafee...
Known widely as 'Scan&Clean', it also includes a shielding
program which constantly monitors your system.
(you've *NEVER* heard of this package? 
Exactly how long have you been using your PC, then ?)

The individual programs are uploaded (regular updates)
to a number of sites such as

ftp.mcafee.com [192.187.128.1]
oak.oakland.edu [141.210.10.117]

and at a score of other sites.

Good Luck...

Clement
             
             \-\-\-\-\-\-\-\-\-\-\-\-\
            \ My brain's not twisted. /
            \                         / 
            \ It's hopelessly ....... /
            \ SPRAINED.               /
            \|_|_|_|_|_|_|_|_|_|_|_|_|/
              So send sprained
              messages to
              clangenh@cs.uct.ac.za
             
------------------------------

Date:    Thu, 19 Aug 93 11:52:33 -0400
From:    IE63@vaxb.acs.unt.edu
Subject: KOH Virus Description (PC)


   I recently received the MBR/Boot virus KOH.  It is a virus that was at 
least written with good intentions, whether they are lived up to or not is
up to each person to decide.  It basically encrypts disks for the user
using a user-defined password - asking permission before infecting hard
drives (and recommending a backup) and allowing a toggle-key for floppy 
infection, as well as one for uninstallation from the hard-drive (complete
decryption, removal of interrupt handlers, and replacement of the old
Master Boot Record).  I have been working on a fully commented disassembly
of the virus, and the following are my findings so far.  A copy will be
forwarded to Mr. Lambdin for further analysis and distribution to the 
appropriate people.

--------------------------------------------------------------------------
KOH (King of Hearts/Potassium Hydroxide) bootsector/MBR virus description:

   The KOH virus comes in its initial installation package as a 32000 byte
COM.  It is a comparatively "user-friendly" virus, with un-installation
routines and a floppy-infection toggle.  Its purpose is this: when run,
it asks for a password - it will encrypt the floppy using this password
and the IDEA encryption algorithm (not yet verified by my disassembly).
When the floppy is rebooted from, it will ask for permission to infect the
hard drive, and recommend a backup beforehand.  It will then ask for a 
password for the Hard-Drive to be encrypted with, and ask whether to use
IDEA encryption or a simple routine (Double Xor, I think...  still working
on dissecting the encryption parts of the virus).

  After the encryptions have been installed: the virus will ask for passwords
on bootup for the Hard-drive and floppy - this will be used to 
encrypt/decrypt calls that would read or write to the disk.  The floppy 
password may be changed at any time, allowing the reading of any encrypted
floppy as long as the user knows the password.  The function-keys for the
virus are as follows:

CTRL-ALT-K      Set new floppy password
CTRL-ALT-O      Toggle Floppy Infect
CTRL-ALT-H      Uninstall Virus From Hard-Drive

Notice that there is no floppy uninstall.....  Now on to the technical 
description:

The KOH virus infects floppies (at least the High-Density 1.2 meg variety)
by marking 8 sectors bad in the fat.  It will then copy the old bootsector
to one of those sectors, and place its code on the remaining seven.  Then,
the viral bootsector will be copied over the original one on the disk.
If a disk is encrypted/infected with the virus, but the virus is not in
memory, complete garbage will be given for directories or related commands.

The KOH virus infects hard-drives by copying the MBR and partition table
to cylinder 0, head 0, sector 9 on the hard drive, which is usually unused.
It then places its bootsector code onto the MBR (keeping the partition
table information) and places the remaining code on sectors 2-8.  Directories
on an encrypted disk will be as above.

When booted, the KOH virus reserves 9k of memory by lowering the memory
byte at 0000:0413 by 9.  It then places its code at the top of user RAM,
where the space is now freed.  No displacement adjustments are found within
the virus, as it was written in three parts (though one .COM file), with
the starting of the first at 100h (installation module - not part of the
actual virus), the second at 5be0h (main virus), and the third at 7c00h 
(boot code).

The KOH virus performs its encryptions/decryptions by hooking interrupt
13h, functions 2 (Read), 3 (Write), and 16h (Disk Change).  Because of this,
any program that bypasses interrupt 13h (or traces it to its origins in
BIOS using various tunneling methods) will most likely trash the disk,
as they will read in encrypted data and be writing decrypted data - no
filter.  Disk utilities that use port I/O are probably going to be the
most destructive to the disk, but I have yet to test this.

KOH also hooks interrupt 09h (Keyboard) for checking for its hot-keys.
When the virus is told to uninstall, it will restore the MBR of the hard
drive from the old copy on sector 9, then place far jumps over the beginnings
of each of its handlers to chain them to the next handler (generally BIOS).
Unfortunately, as of yet I have seen nothing in the code to clean the
remaining 8 sectors.... they keep the old code, which may cause false-alarms
on sector-based antiviral utilities.  Also - floppy drives are NOT 
uninstalled, but this will be difficult to write a cure for, as the 
disinfectant must include BOTH decryption routines and ask the user for the
password (unless it can be otherwise determined......  I'm looking for ways).

I have seen no destructive payload as of yet, and do not really expect one.
I will, however, continue to look as I work on disassembling it.  This virus
does break into a new realm, however - a virus that some users might WANT?
BTW - F-Prot 2.09 detects it as being a variant of the Stealth virus by
Ludwig, and there are some definite similarities, although I think it was
mainly used as a guideline for the shell of the virus.


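As an added, defender-side example (not code from the digest or from the disassembly described above), the following Python checks a raw disk image for the hard-drive layout the description gives: a boot-signed copy of the original MBR at cylinder 0, head 0, sector 9 whose partition table matches sector 1 but whose boot code does not. The sample image, its stand-in boot-code bytes and partition entry are constructed here; the small memory helper applies the stated 9K drop in the BIOS base-memory count at 0000:0413 and is an assumed check, not the virus's own code.

```python
import struct
import sys

SECTOR = 512
PT_OFFSET = 446           # partition table occupies bytes 446..509 of the MBR
SIG_OFFSET = 510          # 0x55AA boot signature at bytes 510..511
BACKUP_LBA = 8            # CHS (cyl 0, head 0, sector 9) is LBA 8 (0-based)
BASE_MEMORY_KB = 640      # conventional memory on an unmodified PC


def sector(image, lba):
    """Return one 512-byte sector from a raw image (short if past the end)."""
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def has_boot_signature(sec):
    return len(sec) == SECTOR and sec[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa"


def partition_table(sec):
    return sec[PT_OFFSET:SIG_OFFSET]


def looks_like_koh_layout(image):
    """Compare sector 1 with the sector-9 backup slot the description names.

    Suspicious when both sectors carry a boot signature, share a partition
    table, and differ in their boot code: the sign of a loader written over
    the MBR with the original parked out of the way."""
    mbr = sector(image, 0)
    backup = sector(image, BACKUP_LBA)
    findings = {
        "mbr_signed": has_boot_signature(mbr),
        "backup_signed": has_boot_signature(backup),
        "same_partition_table": partition_table(mbr) == partition_table(backup),
        "different_boot_code": mbr[:PT_OFFSET] != backup[:PT_OFFSET],
    }
    findings["suspicious"] = all(findings.values())
    return findings


def memory_deficit_kb(base_memory_word):
    """Given the word at 0040:0013 (same address as 0000:0413), return how many
    KB of conventional memory are unaccounted for; 9 matches the description."""
    return BASE_MEMORY_KB - base_memory_word


def build_sample_image(infected):
    """Constructed 64-sector image. The boot code bytes are placeholders,
    not real loader code; the partition entry is a made-up FAT16 primary."""
    clean_mbr = bytearray(SECTOR)
    clean_mbr[:8] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # stand-in boot code
    entry = struct.pack("<B3sB3sII",
                        0x80, b"\x01\x01\x00",   # bootable, start CHS
                        0x06, b"\xfe\x3f\x7f",   # FAT16, end CHS
                        63, 0x1F0000)            # start LBA, sector count
    clean_mbr[PT_OFFSET:PT_OFFSET + 16] = entry
    clean_mbr[SIG_OFFSET:] = b"\x55\xaa"

    image = bytearray(SECTOR * 64)
    if not infected:
        image[:SECTOR] = clean_mbr
        return bytes(image)
    # Infected layout: original MBR parked at sector 9, new loader in sector 1
    # with the partition table and signature preserved.
    image[BACKUP_LBA * SECTOR:(BACKUP_LBA + 1) * SECTOR] = clean_mbr
    hijacked = bytearray(clean_mbr)
    hijacked[:PT_OFFSET] = b"\xeb\x3c\x90" + bytes(PT_OFFSET - 3)  # placeholder
    image[:SECTOR] = hijacked
    return bytes(image)


def scan_file(path):
    with open(path, "rb") as fh:
        return looks_like_koh_layout(fh.read(SECTOR * (BACKUP_LBA + 1)))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
    else:
        for label, img in (("clean", build_sample_image(False)),
                           ("infected", build_sample_image(True))):
            print(label, looks_like_koh_layout(img))
        print("memory deficit for 631K reported:", memory_deficit_kb(631), "KB")
```

Run without arguments to see the constructed clean and infected images scored, or pass a raw image path to check its first nine sectors.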
------------------------------

Date:    Fri, 20 Aug 93 10:01:18 -0400
From:    s926191@yallara.cs.rmit.OZ.AU (Donald Edward Gingrich)
Subject: LAN Security and Viruses (PC)

I have read the article about the Novell network virus that was posted
on cert.org.  This was of great interest since I am a network
administrator.  I note that the article was several years old.  It
does, however, raise several questions.

1	Is this the only reported virus that directly
	targets Novell or other network OS?

2	Does it only affect version 3(.11) of Novell?

3	Is IBM LAN Server (MS LAN Manager) susceptible to
	a similar attack?  I am not conversant with the API
	of LAN Server -- does it provide similar back doors
	for a virus? (An answer in general terms would be
	preferred :-))

4	I have been running my anti-virus software on a LAN
	Server network from a directory that is limited to
	read and execute permission for ordinary users.  Is
	this sufficient to protect it from viral attack?

5	In fact, all of the software that will run in a directory
	with read execute permission only is protected in this manner.
	Any other software that needs to write to the directory 
	it resides in is set with read, write, and execute only --
	No attributes or permissions allowed.  The executable files 
	are all set as read only, if this will allow them to work.
	What is the safety/protection status of this?

6	I have heard, IBM is advertising, that LAN Server 3.0
	offers greatly enhanced security features.  What will
	the likely advantages be?

7	I have set up profile.bat files for users so that, as they
	log on on a daily basis the RAM of their machine is scanned,
	as well as several files which are regularly executed
	(a total of about 5 or 6 files).  On a weekly basis the entire
	hard disk is scanned.  Is this likely to provide a reasonable
	level of security?  NB I believe that the addition of
	anything that adds significantly to login time will result
	in mutiny!

Any and all comments and thoughts are appreciated.  To reduce
traffic could you please email them.  I will post a summary.

***************************************************************************
*  Don Gingrich                   *           Gingrich's Law              *
*  2nd Year Grad. Dip. In CS      *  Software expands to fill the space   *
*  R.M.I.T.                       *     available to it -- plus 10%       *
*  Melbourne Australia            *    I'm an optimist, alright? :-)      *
*  s926191@yallara.cs.rmit.OZ.AU  *      #include <std_disclaim.h>        *
***************************************************************************
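Questions 4, 5 and 7 above come down to one defender's check: does a read/execute-only directory actually keep the scanner and its signature files from being altered, and how would you notice if it were? The following Python script is an added example, not from the post or from any product named in it. It uses POSIX mode bits as a stand-in for the LAN Server ACLs the poster describes, refuses any group/other write bit on the directory or its files, and compares every file against a SHA-256 baseline taken from a known-clean install, so that a change that slips past the permissions (an administrator account, a misapplied ACL) is still caught at the next logon scan. The directory name AV, the files SCAN.EXE, VIRLIST.TXT and DROPPED.COM, and their contents are constructed for the demo.

```python
"""Permission and integrity audit of an anti-virus tool directory.

Added example (not from the VIRUS-L post). POSIX mode bits stand in for the
LAN Server read/execute-only ACLs described in the post; the hash baseline
is what detects a change that the permissions did not prevent.
"""
import hashlib
import stat
import tempfile
from pathlib import Path

# Any of these bits on a scanner file means an ordinary user could modify it.
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large scanner binaries do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(tool_dir: Path) -> dict:
    """Record name -> SHA-256 for every regular file of a known-clean install."""
    return {p.name: sha256_file(p) for p in sorted(tool_dir.iterdir()) if p.is_file()}


def audit_tool_dir(tool_dir: Path, baseline: dict) -> list:
    """Return (severity, name, message) findings; an empty list means clean."""
    findings = []
    if tool_dir.stat().st_mode & GROUP_OR_OTHER_WRITE:
        findings.append(("HIGH", tool_dir.name,
                         "directory writable by group/others: new files can be dropped"))
    seen = set()
    for p in sorted(tool_dir.iterdir()):
        if not p.is_file():
            continue
        seen.add(p.name)
        if p.stat().st_mode & GROUP_OR_OTHER_WRITE:
            findings.append(("HIGH", p.name, "file writable by group/others"))
        if p.name not in baseline:
            findings.append(("HIGH", p.name, "file not in baseline (dropped executable?)"))
        elif sha256_file(p) != baseline[p.name]:
            findings.append(("HIGH", p.name, "hash mismatch: file modified since baseline"))
    for name in baseline:
        if name not in seen:
            findings.append(("MEDIUM", name, "baseline file missing"))
    return findings


def demo() -> list:
    """Constructed scenario: clean read/execute-only install, then a tampered
    scanner binary and a dropped file. Returns the findings of the second audit."""
    with tempfile.TemporaryDirectory() as tmp:
        tool_dir = Path(tmp) / "AV"                      # constructed directory name
        tool_dir.mkdir()
        (tool_dir / "SCAN.EXE").write_bytes(b"constructed scanner image v1")
        (tool_dir / "VIRLIST.TXT").write_bytes(b"constructed signature list")
        for p in tool_dir.iterdir():
            p.chmod(0o555)                               # read+execute only, as in the post
        tool_dir.chmod(0o555)
        baseline = build_baseline(tool_dir)
        assert audit_tool_dir(tool_dir, baseline) == []  # clean install passes

        # Simulate a change that bypassed the ACLs (e.g. made with admin rights).
        tool_dir.chmod(0o777)
        scanner = tool_dir / "SCAN.EXE"
        scanner.chmod(0o666)
        scanner.write_bytes(b"constructed scanner image v1 + patch")
        dropped = tool_dir / "DROPPED.COM"
        dropped.write_bytes(b"constructed unknown file")
        dropped.chmod(0o644)
        return audit_tool_dir(tool_dir, baseline)


if __name__ == "__main__":
    for severity, name, message in demo():
        print(f"{severity:6} {name:12} {message}")
```

The baseline belongs on media the server users cannot write (the same place the clean boot disk lives), and the audit is cheap enough to run from profile.bat alongside the memory scan without adding noticeable login time.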

------------------------------

Date:    Fri, 20 Aug 93 10:20:41 -0400
From:    as789@cleveland.freenet.edu (Francisco J. Diaz)
Subject: Vshell 2.05 (PC)

Hi all! Can anyone tell me which is the latest version of Vshell?
It seems to be unable to compile the virlist.txt included in
McAfee's v106 antivirus programs. Thanks!
- -- 
|     Francisco J. Diaz Rivera     | Freenet: as789@cleveland.freenet.edu   |
|     University of Puerto Rico    | Internet: 841901723@cutb.upr.clu.edu   |
|               Hey Waitress! There's a pubic hair in my soup!              |
|             "Don't give up, don't ever give up" - Jim Valvano             |

------------------------------

Date:    Fri, 20 Aug 93 09:38:42 -0400
From:    Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.d400.de>
Subject: Virus Catalog: new edition

Computer Virus Catalog update July/August 1993
- ----------------------------------------------

With its July/August 1993 edition, Computer Virus Catalog describes more
forms of Malicious Code = MalCodes (including chain letters, time bombs,
trojan horses, viruses and worms) on multiple platforms (IBM and
compatible PCs, Macintosh, IBM-MVS/VM, UNIX, Amiga and Atari).

Presently, ***340 MalCodes*** have been classified active on 6 platforms: 

          Amiga:       92 Viruses, 1 Trojan, 5 TimeBombs 
          Atari:       20 Viruses                   
          Macintosh:   35 Viruses, 2 Trojans 
          MSDOS:      172 Viruses, 6 Trojans, 3 Virus Generators
          MVS/VM:                  1 Chain Letter 
          UNIX:         2 Viruses, 1 Worm 

Entries for UNIX Internet Worm and IBM-VM CHRISTMA.EXEC are yet
experimental (in "old" CVC format 1.2). A generalized format (2.0) for the
Computer MalCode Catalog will be available, including descriptions of 
DEC-VMS worms (Father Christmas, WANK and OILZ), with next edition 
(planned: December 1993).

New CVC entries are available in ASCII, and all entries are available 
either via CVBASE.EXE (the electronic edition of CVC, for PCs) or as 
compressed (PKZIPPED) files. See Virus Test Center's FTP site.

The July/August 1993 CVC edition describes the following MalCodes:
- ------------------------------------------------------------------
    Macintosh: 3 new viruses: 
                           INIT 17, INIT M = WDEF M,
                                 MerryXmas Hypercard virus

    IBM/compatible PCs: 26 new MalCodes:
           25 new viruses: (Goddam) Butterflies, Chinese_Fish=Fish Boot,
               Clone, Dec_Year=Last_Year(.604), Dudley, F-Word, 
               Gnat (1.0), Horns, Invisible, Involuntary, Junior,
               Little Red, Loren, Mabuhay, Nguyen,
               No_Int=Stoned.No_Int.A (Stoned Strain), Peter, QRRY,
               Requires=Requires.981=Demise=Later, RMBD, 
               Runtime=Runtime-err412, Su=Susan, Terminator II,
               Tonya, Warlock Virus.
           1 Virus Generator: PS-MPC G2 Virus Generator
           Update: Parity_Boot (A-C)=P-Check Virus (Parity_Boot Strain),
               14 Minimal viruses renamed Trivial viruses.     

     Amiga: 24 new MalCodes:
           19 viruses: AMIGA KNIGHT, CCCP, 
               COMPUPHAGOZYTE 1 (CompuPhagozyte Strain), CRIME'92,
               DARTH VADER (V1.1), FICA, HOCHOFEN=TRABBI,
               SADDAM_BOOT, SCA.D&A_dropper=SCA Dos kill=D&A 
               (SCA Virus Strain), TOMATES GENTECHNIC, TURK,
               VIRCONSET2, WARSHAW AVENGER Virus                               
               and the following SADDAM Strain viruses:
               SADDAM (Hussein)=IRAK=DISK-Validator, SADDAM.ANIMAL,
               SADDAM_FILE, SADDAM.KICK, SADDAM.LOOM, SADDAM.NATO,
               SADDAM.RISK, SADDAM.][ Virus 
            1 Trojan dropper: TURK Color Dropper Trojan 
            4 (Time) Bombs: EXCREMINATOR_1, STARLIGHT, TIMEBOMB_09,
               VIRUSTEST_BOMB_936 Bomb

    UNIX: 1 new virus, 1 worm (experimental):
            1 virus: VMAGIC virus
            1 worm:  INTERNET worm

    IBM-MVS/VM: 1 chain letter (experimental): CHRISTMA.EXEC (G1,G2)

The following files may be downloaded from our ftp site:
        INDEX.793          (36 kBytes): Overview of CVC entries 
        AMIGAVIR.793       (92 kBytes): new Amiga viruses
        MACVIR.793         (18 kBytes): new Mac viruses
        MSDOSVIR.793       (84 kBytes): new MSDOS viruses (part 1)
        MSDOSVIR.893       (77 kBytes): new MSDOS viruses (part 2)
        MVSVIR.793          (8 kBytes): CHRISTMA.EXEC chain letter
        UNIXVIR.793        (11 kBytes): VMAGIC, INTERNET worm

The following files contain ALL entries published in the respective 
domain (since July 1989) in compacted (PKZIPPED) form:

        AMIGAVIR.ZIP                    All Amiga viruses
        ATARIVIR.ZIP                    All Atari viruses 
        MACVIR.ZIP                      All Mac viruses 
        MSDOSVIR.ZIP                    All MSDOS viruses
        MVSVIR.ZIP                      (=MVSVIR.793 PKzipped)
        UNIXVIR.ZIP                     (=UNIXVIR.793 PKzipped)
         
Virus Test Center's FTP site:
              ftp.informatik.uni-hamburg.de 
      Address: 134.100.4.42
              login anonymous;
              password: your-email-address;
              directory: pub/virus/texts/catalog 

Any assistance and helpful critical remarks are appreciated.

                           Klaus Brunnstein
            <brunnstein@rz.informatik.uni-hamburg.d400.de>
            University of Hamburg, Faculty for Informatics
                          Virus Test Center
                           August 18, 1993

------------------------------

Date:    Thu, 19 Aug 93 12:58:21 -0400
From:    Reiner@DOCKMASTER.NCSC.MIL
Subject: NCSC 16 Announcement

16TH NATIONAL COMPUTER SECURITY CONFERENCE

Dates:  20-23 September 1993

Location:  Baltimore Convention Center Baltimore, Maryland

Registration fee:  $275

The National Computer Security Center and the National Institute of
Standards and Technology will present the 16th National Computer
Security Conference from 20-23 September at the Baltimore Convention
Center.

This year's three and one-half day program features tracks in :
Research & Development; System Implementation; Management &
Administration; Criteria & Evaluation; Tutorials & Other Presentations.

A summary of the technical program follows.  To obtain more information
about the technical program send a message to

          NCS_Conference at DOCKMASTER.NCSC.MIL   or

          call the NCSC on 410-859-4371.

To obtain a registration form, call the Conference Registrar at
301-975-2775 or send a message to NCS_Conference at DOCKMASTER.NCSC.MIL

TECHNICAL PROGRAM SUMMARY:

    R&D TRACK

       PANELS - Strategies for Integrating Evaluated Products
                    Chair: J. Williams, MITRE
              - Multilevel Information System Security Initiative
                    Chair: G. Secrest, NSA
              - Trusted Applications
                    Chair: J. Cugini, NIST
              - Best of the New Security Paradigms Workshop II
                    Chair: H. Hosmer, Data Security Inc.
              - Enterprise Security Solutions
                    Chair: P. Lambert, Motorola

       PAPER SESSIONS - Honesty Mechanisms
                              Chair: E. Boebert, SCTC
                      - Database Research
                              Chair: M. Schaefer, CTA
                      - Access Control
                              Chair: P. Neumann, SRI

    SYSTEM IMPLEMENTATION TRACK

        Panels: - Perspectives on MLS System Solution Acquisition
                    Chair: J. Sachs, ARCA
                - Network Management -- The Harder Problem
                    Chair: R. Henning, Harris Corp.
                -  Application of INFOSEC Products on WANs
                    Chair: J. Capell, Lockheed
                - Security for the Securities Industry
                    Chair: S. Meglathery, NYSE

       Paper Sessions:  - Access Control Topics
                              Chair: D. Balenson, TIS
                        - Network Risks & Responses
                              Chair: B. Burnham, NSA
                        - Software Engineering
                              Chair: V. Gibson, Grumman
                        - System Engineering with OTS Products
                              Chair: M. Tinto, NSA
                        - Network Implementation
                              Chair: F. Mayer, Aerospace Corp

    MANAGEMENT & ADMINISTRATION TRACK

       PANELS - Virus Attacks & Counterattacks: Real World Experiences
                    Chair: J. Litchko, TIS
              - Terror at the World Trade Center
                    Chair: S. Meglathery, NYSE
              - Contingency Planning in the 90s
                    Chair: I. Gilbert-Perry, NIST
              - On a Better Understanding of Risk Management Techniques
                    Chair: S. Katzke, NIST
              - Security Awareness, Training & Professionalization
                    Chair: D. Gilbert, NIST
              - Accreditor's Perspective - How Much is Enough?
                    Chair: J. Litchko, TIS
              - Security & Auditability of Electronic Voting Systems
                    Chair: R. Mercuri, U. of Penn.
              - Protection of Intellectual Property
                    Chair: G. Lang, Harrison Ave. Corp.
              - The Privacy Impact of technology in the 90s
                    Chair: W. Madsen, CSC
              - Electronic Crime Prevention & Investigation
                    Chair: R. Lau, NSA

       PAPER SESSION - Managing & Promoting INFOSEC Programs
                              Chair: D. Parker, SRI

    TUTORIALS & PRESENTATIONS TRACK

       Tutorials: - Threats & Security Overview
                              A. Liddle, IRMC
                  - Trusted Systems Concepts
                              C. Abzug, IRMC
                  - Trusted Networks
                              R. Bauer, E. Schultz,  ARCA
                  - Trusted Databases
                              G. Smith, W. Wilson,  ARCA
                  - Trusted Integration & System Certification
                              J. Sachs, ARCA

      Panel Presentations: - CLIPPER Chip
                                        Chair: L. McNulty, NIST
                           - Getting Your Work Published
                                        Chair: J. Holleran, NSA
                           - INFOSEC Standards: The DISA Process
                                        Chair: W. Smith, DISA
                           - Security Requirements for Cryptographic
                               Modules; Chair: L. Carnahan, NIST

   CRITERIA & EVALUATION TRACK

      Presentations: - Introduction to the Federal Criteria
                              G. Troy, NIST; D. Campbell, NSA
                     - Federal Criteria: Protection Profile Development
                              J. Cugini, NIST; M. DelVilbiss, NSA
                     - Federal Criteria: Registration of Protection Profiles
                              D. Ferraiool, NIST; L. Ambuel, NSA

      Panels - Federal Criteria: Protection Profiles for the 90s
                    Chair: R. Dobry, NSA
             - Federal Criteria: Vetting & Registration of Protection Profiles
                    Chair: L Ambuel, NSA
             - Evaluation Paradigms: Update on TPEP and TTAP
                    Chair: S Nardone, NSA
             - European National Evaluation Schemes
                    Chair: E. Flahavin, NIST
             - The European Evaluation Process
                    Chair: P. Toth, NIST
             - International Harmonization I
                    Chair: Y. Klein, SCSSI, France
             - Goals & Progress Toward the Common Criteria
                    Chair: G. Troy, NIST
             - Federal Criteria User Forum
                    Chair: C. Wichers NSA

   Plenary: "Information System Security Strategies for the Future"
                    Chair: Stephen Walker
                    Panel: James P. Anderson
                           Dr. Willis Ware
                           Dr. Roger Schell

------------------------------

Date:    Fri, 20 Aug 93 14:14:54 -0400
From:    ROBERTS@decus.ca
Subject: Multipartite - Pro (CVP)

(No, I am *not* promoting the writing of multipartites ... )

DEFGEN7.CVP   930817
 
                          Multipartite - pro
 
Boot sector infectors are the most "successful" of viral programs in
terms of the number of copies made, and the number of systems infected. 
This is rather odd, given that BSIs can only make, at most, one copy per
disk.  While it is sometimes possible for more than one "boot virus" to
infect a disk, it is also the case that some combinations, such as
Stoned and Michelangelo, conflict in their use of the same areas of the
disk.  This renders the system unbootable and alerts the user to a
problem.
 
On the other hand, boot sector infections, once "installed" on a hard
drive or boot disk, are almost always active, since they start at boot
time.  Unless the system is booted from a "clean" disk, the virus will
continuously infect any and all disks which are "proper" targets for it. 
BSIs also have a strong "psychological" edge, since most users still do
not understand how a virus can be carried on a "blank" disk.  The
InformationWeek survey of June, 1993, shows that while Stoned was the
highest reported virus, BBSes and networks are seen as the major
vectors.  The majority of computer users, and managers, in this case,
still do not understand the concepts that prohibit boot sector
infections from spreading via modems and networks, but allow them to
spread on *any* disk.
 
At first glance, file infectors have many advantages.  There are many
more program files on a given system than boot sectors, and therefore
more opportunities or targets for infection.  This allows multiple
copies of a given virus to reside on a given system.  While some viral
programs may conflict in the use of memory or interrupts, most of the
time multiple viri can quite happily infect a given program file.  Files
can be transferred via bulletin boards and communications links, and can
even be infected "through" a network.
 
On the other hand, a virus which has infected a file has to "wait" until
that file is executed.  The majority of "traded" information these days
tends to be data, rather than programs.  This provides a vector for a
BSI (if passed on disk) but not for a file infector.  Also, program
files tend to be passed in "archived" form, and, even if the program
becomes infected on one system, the archive itself is unaffected.  It is
usually the "original" archive that is passed along, rather than a
"re-archived" copy which might have become infected.  Therefore, unless the
original archive was infected, it will likely not become a vector, even
if it passes through an infected system.
 
Boot sector infectors, therefore, have some "advantages", while file
infectors have others.  To get the greatest "spread" one wants to build
a virus which will infect both files and boot sectors:  a "multipartite"
virus.
 
copyright Robert M. Slade, 1993   DEFGEN7.CVP   930817
 
============= 
Vancouver      ROBERTS@decus.ca         | "The only thing necessary
Institute for  Robert_Slade@sfu.ca      |  for the triumph of evil
Research into  rslade@cue.bc.ca         |  is for good men to do
User           p1@CyberStore.ca         |  nothing."
Security       Canada V7K 2G6           |            - Edmund Burke

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 115]
******************************************
