From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V3 #123 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Thursday, 12 Jul 1990 Volume 3 : Issue 123 Today's Topics: re: Is it possible ? (PC) re: Stoned and Stoned-II (PC) Re: Problems with McAfee's VSHIELD and MS Word (PC) Re: Is it possible ? (PC) Virus Catalog edition 6/90 Re: Internet worm code (UNIX) Re: Internet worm code (UNIX) Re: Friday, 13 July RE: File Shield (PC) Re: new virus 1022 (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 11 Jul 90 09:39:46 -0400 From: "David.M.Chess" Subject: re: Is it possible ? (PC) > Is it possible to make something for PCs, which works effectively against > all the virus, old or new? Well, you can turn the machine off, and leave it off! *8) More seriously, Fred Cohen showed awhile back, in his thesis, that no 100% perfect virus detector is possible (all detectors will either miss some viruses, or accuse some non-viral programs of being viruses). On the practical side, it seems unlikely that any anti-virus can be even close to 100% effective against unknown viruses, since that would require being able to tell an intended change from an unintended change (and if we could do that, we could find all *bugs*, not just all viruses...). It's relatively easy, in general, to be 100% effective against any given *known* virus. DC ------------------------------ Date: 11 Jul 90 09:43:31 -0400 From: "David.M.Chess" Subject: re: Stoned and Stoned-II (PC) Mark Parr : > How is the Stoned-II virus different from the Stoned virus? > Using VirusSCAN (V64), I got the following: > > Scanning for known viruses. > Scanning boot sector of disk A: > Found Stoned-II Virus (S-2) in boot sector. > Found Stoned Virus (Stoned) in boot sector. SCANV64 apparently has an error that causes it to identify Stoned-infected diskettes as having both the Stoned and the Stoned-II. Try just removing the Stoned, and see if that fixes it. (In general, I can't think of a way a diskette could have two different viruses in the same boot sector, at least not with the kinds of boot-sector infectors that we've seen so far. Of course, there could be one virus in the boot sector, and another in the saved copy of the "original" boot sector stashed away by the first, but a scanner that just read the boot sector would see only one virus.) DC ------------------------------ Date: Wed, 11 Jul 90 13:50:26 +0000 From: gmartin@polyslo.CalPoly.EDU (Hackman) Subject: Re: Problems with McAfee's VSHIELD and MS Word (PC) leilabd@syma.sussex.ac.uk (Leila Burrell-Davis) writes........ >I have experienced problems with PS/2-50's running VSHIELD versions >62B and 64 when using Microsoft Word v5 and the PS/2 mouse. The >machine frequently hangs up. Sometimes the mouse cursor continues to >move and CAPSLOCK, etc., lights go on working, in which case the >machine can be reset using CTL/ALT/DEL. On other occasions, there is >no keyboard or mouse response and the machine has to be turned off. I am the PC tech for our microcomputer lab here at Cal Poly. I have installed VSHIELD on all of our machines. (these include 4 PS/2 50's). We are running various software, including MS word v5. I have not seen any problems of the sort that you describe. A suggestion would be to try setting up a batch file that removes VSHIELD before startup of MS word and the reinstalls after returning from Word. (vshield /remove is the option) I had to do this with Word and several other programs that needed their memory clean. Hope this helps. -Guy Guy Martin (Hackman) // Internet: gmartin@polyslo.calpoly.edu - --------------------- // Fubarnet: hackman@fubarsys.slo.ca.us Amiga, the tool for the \\ // AIX: gmartin@nike.calpoly.edu creative mind---------> \X/ UUCP: ucbvax!voder!polyslo!gmartin ------------------------------ Date: Wed, 11 Jul 90 14:44:13 +0000 From: mitel!sce!doe.carleton.ca!dfs@uunet.UU.NET (David F. Skoll) Subject: Re: Is it possible ? (PC) T.TENG@Macbeth.Stanford.EDU (T. Teng) writes: >Is it possible to make something for PCs, which works effectively against >all the virus, old or new? I wrote a program for the PC called VPROT which "sort of" achieves this. The program examines files (.EXE, .COM, whatever) and adds a two-byte checksum to the end of the file. You can pass the file through an encrypting filter before generating the checksum to reduce the chances of a virus realizing the file is protected. Then, you periodically run the program to ensure that the file checksums are still valid. If a virus has modified the file, chances are high that the checksum is wrong, because I used the CRC-16 generating polynomial. BUT: 1) This does not protect the boot sector, although the idea can be extended to cover this case. 2) If you "protect" files which are ALREADY infected, you're in trouble. 3) You must run the program fairly often to check your files. 4) If a virus is found, you need another tool to disinfect it. So, is it worth it? I guess if you copy lots of software from a BBS or other "suspicious" sources, it is. Otherwise, I wouldn't bother. +--------------------------------------------------------------------------+ | David F. Skoll Department of Electronics | | dfs@doe.carleton.ca Carleton University | | (613) 788-5771 | 788-5772 Ottawa, Ontario, Canada | +--------------------------------------------------------------------------+ ------------------------------ Date: 06 Jul 90 12:02:00 +0100 From: Klaus Brunnstein Subject: Virus Catalog edition 6/90 Apart from the first MacVirus entries (which are under revision and will be available by July 20), the June edition of the Virus catalog adds 61 new virus descriptions and updates several earlier descriptions. In order to allow for easier distribution, I am willing to send new entries to servers provided that interested operators inform me about their interest and give me their electronic mail adresses. Klaus Brunnstein ======================================================================= == Computer Virus Catalog Index == == *** 119 Viruses *** == == *** 4 Trojans *** == ======================================================================= == Status: June 10, 1990 (Format 1.2) == ==July'90==> 10 Mac-Viruses (MACVIR.790; 54 kB): July 20,1990 == == 15 MsDos-Viruses (MSDOSVIR.A89; 62 kB): Nov. 15,1989 == == +17 MsDos-Viruses (MSDOSVIR.290; 65 kB): Feb. 15,1990 == ==June'90==> +28 MsDos Viruses (MSDOSVIR.690;100 kB): June 30,1990 == ==June'90==> 18 AMIGA-Viruses (AMIGAVIR.590; 78 kB): June 5,1990 == ==June'90==> +17 AMIGA-Viruses (AMIGBVIR.690; 78 kB): June 5,1990 == == 6 Atari-Viruses (ATARIVIR.A89; 21 kB): Nov. 15,1989 == ==June'90==> +12 Atari-Viruses (ATARIVIR.690; 35 kB): June 5,1990 == ======================================================================= [Ed. Due to length, the body of this text is being placed on-line for anonymous FTP on cert.sei.cmu.edu (IP # 128.237.253.5), in file pub/virus-l/docs/catalog.brunnstein.jul90. BTW, I also put the latest version of VSUM9005 there, for those who are interested.] ======================================================================= == For their outstanding support and continued help, we wish to == == David Ferbrache (Edinburgh), Christoph Fischer (Karlsruhe), == == Yisrael Radai (Jerusalem) and Fridrik Skulason (Rejkjavik). == == In the Macintosh field, Zbigniew FiedorowicZ (Ohio-State) and == == MAC-MASH (Werner Uhrig) were extremely helpful. == == Critical and constructive comments as well as additions are == == appreciated. Especially, descriptions of new viruses will be of == == general interest. To receive the Virus Catalog Format, containing== == entry descriptions, please contact the above address. == ======================================================================= == The Computer Virus Catalog may be copied free of charges provided == == that the source is properly mentioned at any time and location == == of reference. == ======================================================================= == Editor: Virus Test Center, Faculty for Informatics == == University of Hamburg == == Schlueterstr. 70, D2000 Hamburg 13, FR Germany == == Prof. Dr. Klaus Brunnstein, Simone Fischer-Huebner == == Tel: (040) 4123-4158 (KB), -4175 (SFH), -4162(Secr.) == == Email (EAN/BITNET): brunnstein@rz.informatik.uni-hamburg.dbp.de == ======================================================================= == This document = INDEX.690: 219 Lines, 16 kBytes == ======================================================================= ------------------------------ Date: Wed, 11 Jul 90 15:43:42 +0100 From: "K. Krallis" Subject: Re: Internet worm code (UNIX) Three months ago there was a rumor that the code was to be published in June 1990 issue of Unix World. Unfortunately not much was published, none of the functional parts of the Worm, just a reconstruction of main(). I'm afraid no mainstream publisher would publish virus code as most people think such code should not be public. However there is an underground publisher, the 2600 magazine. who sells the code for $10.00 . They have a Nwe York address which unfortunately I cannot find now. Maybe somebody on the network knows it. Costas Krallis G7AHN Imperial College London, UK E-Mail g7ahn@cc.ic.ac.uk ------------------------------ Date: 11 Jul 90 13:31:00 -0500 From: "STEINAUER, DENNIS" Subject: Re: Internet worm code (UNIX) Unix Review did just have a detailed article on the Internet Worm. It provided a good solid description of the strategy and mechanisms used and some code fragments -- but the author made the point that the code supplied was far from enough to be picked up and used. dds ------------------------------ Date: 12 Jul 90 00:13:08 +0000 From: spaf@cs.purdue.edu (Gene Spafford) Subject: Re: Friday, 13 July LUNKC@NUSVM.BITNET writes: >Any advice from you folks out there on how to prevent a Friday 13th >virus attack? I see that Friday, 13 July is coming soon. Yup. Do a *complete* backup of your system today or tomorrow. Keep the backup in a safe place. If something happens on the 13th, boot the system from a protected floppy, set the date/time to 10 minutes after you finished your backup, then restore the files and get rid of the infection (by deleting bad files or running disinfectant-type programs). If you are really adventuresome, set the clock ahead to the 13th (or 14th) immediately after you've done your backups. That way, you won't lose any changes that you make between the backup and the time anything happens (if anything does). There is no need to panic or run right out and buy any software. If anything happens, a good set of backups and a little common sense are all you need to handle the problem. - -- Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004 Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf ------------------------------ Date: Thu, 12 Jul 90 13:20:11 +0300 From: Yuval Tal Subject: RE: File Shield (PC) When a file, which has File Shield installed on it, is being executed, File Shield checks the file size and the file date/time. What Dr. Marchese did - he changed the file using Norton Utilities which does not change the file size or the file date/time stamp. File Shield is supposed to remove viruses not anything else! 95% of the viruses changes the file size and sometimes even the file date/time stamp. There are other viruses (the left 5%) which are considered as Stealth viruses like the 4096 virus. File Shield alone cannot detect that virus while the virus is active in memory because the virus hides its real file size. People who register File Shield also receive a very small devide driver (400 bytes) which is installed in the CONFIG.SYS and can identify whether a file was infected even if it was infected by the 4096 virus. - -Yuval Tal +--------------------------------------------------------------------------+ | BitNet: NYYUVAL@WEIZMANN Domain: NYYUVAL@WEIZMANN.WEIZMANN.AC.IL | | InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU | +----------------------+---------------------------------------------------+ | Yuval Tal | Voice: +972-8-474592 (In Israel: 08-474592) | | P.O Box 1462 | BBS: +972-8-471026 * 20:00-7:00 * 1200 * N81 | | Rehovot, Israel | FidoNet: 2:403/143 | +----------------------+---------------------------------------------------+ | "Always look on the bright side of life" *whistle* - Monty Python | +--------------------------------------------------------------------------+ ------------------------------ Date: 12 Jul 90 13:01:13 +0000 From: lexw@idca.tds.PHILIPS.nl (Lex Wassenberg) Subject: Re: new virus 1022 (PC) >>Is the text you mentioned contained in straight ASCII in the virus >>itself? In that case, If you own a virus scanner which is modifiable >>(that is, it works with a .dat file that contains the fingerprints of >>virusses) you could easily adapt the scanner so that it will recognize >>the virus. For example, use as fingerprint the first line: "This >>message is dedicated to". That would be: >> >>54686973206D6573736167652069732064656469636174656420746F >> >>But you could just as easily pick one of the other lines (or all of them). To which the moderator added: > >[Ed. The danger in looking for ASCII strings, of course, is that you >could get a lot of false alarms. This digest, for example, would be >identified as containing the virus, since it contains the string "This >message is dedicated to". Perhaps searching for the string _and_ some >identifiable code would be more robust? Just a thought...] That would off course be true if you scan ANYTHING on your disk. However, since virusses are only dangerous when they are executed, most scanners only scan boot sectors, .COM files and ..EXE files. By doing so, this digest would NOT be marked infected, in fact it wouldn't be marked at all since it's a plain text file. The same holds for .DAT files or any file that contains no executable code. Off course there could be such clever virusses that hide part of themselves in other files than the ones which they are invoked from. In that case scanning a file for ASCII text makes no sense. You would have to scan for the part that will initially be executed, the first few instructions of the virus. Otherwise you'll not be able to tell WHICH file causes the malfunctioning of your system. { By the way, I wouldn't feel very comfortable if I knew there was a virus on } { my disk, even if I knew it would be in a file that's never executed :-) } ________________ / / ___ _____/ Lex Wassenberg, Philips TDS / / /__ \/ ___/ Apeldoorn, The Netherlands / / ___/ /__ lexw@idca.tds.philips.nl / / /____/\___/ / /____________/ It's said that only 10 people on the whole world understood /_______________/ Einstein. I'm so brilliant that nobody understands me at all . Disclaimer: Since nobody understands me, I speak only for myself. ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 123] ******************************************