From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V3 #150 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Thursday, 30 Aug 1990 Volume 3 : Issue 150 Today's Topics: Re: Stealth viruses (PC) Re: Antivirus viruses Mysterious messages (PC) AntiCad virus ? (PC) Reduced risk Origin of screen effect code in the JOJO virus. Re: virus analogy Disk boot failure ? (PC) Scanning servers (PC) F-PROT version 1.13 available (PC) Re: Antivirus viruses Weird Mac Behaviour... (Mac) Joshi Virus (PC) 10000 was not a virus (PC) help/1701 (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 27 Aug 90 22:30:18 +0000 From: ileaf!io!titan!prs@EDDIE.MIT.EDU (Paul Schmidt) Subject: Re: Stealth viruses (PC) mweiner@bene.at (Michael Weiner) writes: > [on the possibility for viruses to alter ROM BIOS code shadowed > into RAM on 386 machines] > >Still, this write protection is software-based only. As I understand >it, these memory managers work by placing the machine in protected >mode and running the PC in Virtual-86 mode. That's not true for all machines. Nearly all, if not all of the more recent support chip sets for PCs (both 286 and 386) allow BIOS shadowing (and Video BIOS shadowing, as well) in _hardware_, regardless of what mode the CPU is running in. Some of these chip sets can be manipulated to allow write access to the 0xF0000 area (after all, the boot-up code needs write access to copy the code over). Some others, however, have various interlocks that disallow write access after the initial copy, or from any executing code outside the BIOS. ------------------------------ Date: 28 Aug 90 02:46:28 +0000 From: sheinfel@grad1.cis.upenn.edu (Aviad Sheinfeld) Subject: Re: Antivirus viruses FXJWK@ALASKA (Jo Knox - UAF Academic Computing) writes: > As far as the morality/ethics question, I have no problems with this >idea; there's no reason you can't help someone without their >knowledge! I have to disagree. You have absolutely no right to mess with my computer or any of its contents, no matter what your intentions. Who are you to decide what strings of bytes I may or may not have in my personal machine? What right do you, a well-meaning (?) programmer have to affect my personal property? If I am walking along down the street and notice that your car's leaking break fluid, I might leave a note on the windshield, but I certainly wouldn't jack up your car and fix the problem. That is your responsibility. I can educate you, warn you - but I can't keep you from making mistakes. Another point is that you are killing these viruses with a virus! Look at what you're proposing! You decide what piece of code may roam unchecked in my machine and what piece of code may not?! I'm sorry, but I don't know you well enough to support such a dangerous idea. I feel that those who have learned to protect themselves are fairly safe from virus attacks by being careful and using available virus-detectors. As for those ignorant enough or foolish enough to go without protection ... they'll learn eventually. Education is the key, not forced action. (Wait a second, shouldn't this last paragraph have been posted to alt.sex instead?! :-) Aviad... ------------------------------ Date: Tue, 28 Aug 90 13:29:40 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Mysterious messages (PC) Does the number "7106286813" look familiar to anybody ? It is found inside the Bulgarian "1024" virus, but does not seem to have any obvious purpose. A Bulgarian identification number maybe - perhaps a date + something else - any Bulgarian programmer born on 7-10-62 ? :-) At least this is not a phone number..... :-) Does the text "Sudah ada vaksin" mean anything in any language ? It looks like Arabic to me. This text is found inside the French "Mardi Bros" virus. I believe I asked about this before - there are some mysterious messages inside the JOCKER.EXE program (which may or may not be a virus) Call (209) 683-6858 ! Does this number exist, and if so, to whom does it belong ? West Lake Software and Data Research, WA 0108077, New Orleans, (c) 1986 Does this company exist, and if so, do they know anything about the JOCKER.EXE program ? KONIEC PROGRAMU WABIKEXE.EXE This looks like Polish - does "Koniec" mean anything in that (or any other) language ? ------------------------------ Date: Tue, 28 Aug 90 13:35:10 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: AntiCad virus ? (PC) Does anyone have any useful information on the AntiCad virus. Accorrding to the list by Patricia Hoffman, "AntiCad" is just an alias for the V-1 virus, but I have received a virus from Dr. Alan Solomon, which is named ANTICAD.EXE and is clearly something entirely different. This virus is 10005 byte long, seems to contain bits and pieces from the Jerusalem virus - possibly even multiple copies of it, and is not at all related to the V-1 virus. Any information on the origin of the "AntiCad" name would be appreciated. - -frisk ------------------------------ Date: Tue, 28 Aug 90 13:46:36 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Reduced risk I don't know if everybody agrees with me, but it seems to me that the risk of a virus infection these days may be lower than it was a year ago. The main reason being increased awareness of viruses as well as increased availability of anti-virus software. The number of reported viruses continues to grow, doubling every 10 months or so, but the percentage of infected computers may actually be declining. At least it is here in Iceland, but I am not sure if this observation holds for the rest of the world. Another interesting phenomena is the extinction of various viruses. Many of the 250 or so known PC viruses are extinct or on their way to extinction. The Brain virus is an example of this - it was one of the most common viruses for a while, but is now becoming quite rare in many countries. ------------------------------ Date: 28 Aug 90 16:19:39 -0400 From: "Steve.R.White" Subject: Origin of screen effect code in the JOJO virus. The screen effect code in the JOJO virus appears to come from the program DAZZLER.ASM which was listed in the "User-to-User" section of PC Magazine (Nov. 24, 1987; pages 386-388). It was also one of the programs included with the book PC Power Tools, published in June 1988. The code in the virus is virtually identical, with at most a tiny number of changes. In particular, it is very likely that any virus scanner using the screen effect code as its signature string will give a false positive indication on the program DAZZLER.COM. Steve R. White Bill Arnold High Integrity Computing Laboratory IBM Thomas J. Watson Research Center ------------------------------ Date: Wed, 29 Aug 90 11:53:09 -0400 From: hartley@AIC.NRL.Navy.Mil Subject: Re: virus analogy >> me >Bridget Rutty >> The Salk vaccine (the primary polio vaccine in the US). This >> vaccine is a live, contagious, virus. Any Physician who administers it >> is releasing a virus into the population. > Physicians do not administer any medication, vaccine or otherwise, > without understanding the risks and benefits. You mean the known risks and benifits. More will inevitably surface when the treatment is used widely. In any case, this just amounts to knowing that the Salk Vaccine can cause paralytic disease and death - but not too often. See my discusion of bugs in live vaccines. > Patients do not get vaccines without consenting. Wrong! The Salk vaccine is CONTAGIOUS. It automatically administers itself without anyones consent or even knowledge. There is no consent and no one is informed. >> a version of a highly destructive virus from which the >> destructive code has been removed. > In the situation described, there is no informed consent and to my > mind such a program is no different than the virus with which it > competes. There is a big difference. The vaccine is less distructive. No one would use this type of approach against a relatively harmless virus like WDEF, for example. It may be no diferent to your mind but it would surely be different from point of view of the guy whose disk didn't get wiped. Note that the use of a live vaccine does not require anyone to lower his guard. >Mike Castle > I don't see much help in the way of having anti-viral viruses as > competition for "nasty" viruses either. I don't know all that much > about viruses (I just read this discussion to try to be an "informed > user"), and I don't see where or why a virus would worry about > competition for infection. Most (computer) viruses will not infect the same file more than once. If they did they would swamp the system and distroy their chances of spreading. Because of this different strains of the same virus will compete (as long as one virus recognizes the other as self). It is also posible to use an "immune" mechanism. Replace the "disk muncher" payload with an add for anti-viral software (It would be sure to get instant attention! Sort of like an AIDS vacine that changes people's behavior - by turning them purple.) ... Just a momment ... I'm not sure I like the direction this chain of thought is leading! Not an offical position of anyone. Ralph Hartley hartley@aic.nrl.navy.mil ------------------------------ Date: Wed, 29 Aug 90 02:02:06 +0700 From: CETEK63%TECHNION.BITNET@VM1.NoDak.EDU Subject: Disk boot failure ? (PC) Disk boot failure ? Moshe vainer had just described the phenomena of reviving a dead disk. Well, a friend of mine just bought a used disk, and after a week use it started reporting read/write errors and fill itself with bad sectoers. The disk went to repair and was found fully operational, but under severe Viral attack... The virus was identified as PingPong, but I doubdt it, since the PingPong doesn't cause SUCH trouble. Since both cases happened in Israel : the one diskette land, the homeland of Viruses... Maybe, Just maybe, we are encountering a new, unknown, virus ??? Good luck ! Shahar. ------------------------------ Date: Wed, 29 Aug 90 13:32:00 -0400 From: Don Kazem Subject: Scanning servers (PC) I am looking for a software to scan Novell file servers with. Are there any other ones, besides McAfee's NETSCN? DKAZEM@NAS.BITNET Don Kazem National Academy of Sciences Washington, DC ------------------------------ Date: Wed, 29 Aug 90 21:04:08 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: F-PROT version 1.13 available (PC) Version 1.13 of F-PROT is now available and will be distributed on Aug 30. I will send out copies by E-mail to those on my distribution list and also upload a copy to chyde.uwasa.fi and simtel-20 (if possible) for those with FTP access. This version will be distributed on comp.binaries.ibm.pc as well. The package is now free of charge to any individual using it only on a single computer. (The minimum fee of $15 has been dropped) The following features have been added in version 1.13: Detection and removal of the following viruses: Blood Itavir TUQ Slow Burger (removal not possible) 1024 V-1 (file and boot sectors) Joshi 10005 Filler Casper The disinfection program updated to remove "Flash" infections of boot sectors (version 1.12 could only handle disinfection of infected files) Analysis of suspicious boot sector code improved. ------------------------------ Date: 29 Aug 90 23:35:48 +0000 From: elw@netxcom.DHL.COM (Edwin Wiles) Subject: Re: Antivirus viruses User hartley@AIC.NRL.Navy.Mil writes: > I can think of at least one precedent from the medical profession >- - the Saulk (sp?) vaccine (the primary polio vaccine in the US). This >vaccine is a live, contagious, virus. Any Physician who administers it >is releasing a virus into the population. Bzzzzt! Bad analogy. The Salk vaccine is under fire for multiple reasons: 1) It has definitely been the CAUSE of cases of polio. Not a large percentage of the population, to be sure. 2) The concept of the vaccine spreading by 'contagious' means has been called into serious doubt. 3) There are much safer DEAD vaccines now, which have been in use in Europe for many years now that have absolutely NO cases of CAUSING a case of polio, that are cheaper to make, and easier to administer. The Salk vaccine is a much closer parallel with the best reasons for NOT having anti-virus viruses: 1) An Anti-virus virus COULD cause damage by infecting a boot block or other file and damaging it in the process by ignorance of special conditions. 2) Although it might spread, I believe it would not spread as fast or as effectively as a 'harmful' virus. 3) There are much safer ways to protect yourself from viri, other than by exposing yourself to a theoretically 'harmless' live virus. I see later in your message that you do mention that the Salk vaccine does cause the occasional case of polio. However, I find your minimal emphasis on that danger when there are *known*safer* methods rather alarming. Back when Salk was the only vaccine around, it made sense to use it. It was better than having polio epidemics, and the chances of getting polio from the vaccine were much less than those of contracting it 'naturally'. If all we HAD were anti-virus-viri, then I would agree to their existance. But we have MUCH safer methods to protect ourselves from viri, so as far as I am concerned, there is NO reason to sanction AVV's as 'acceptable behaviour'. In parallel, if all we had were the Salk vaccine, I would use it. But we have much safer vaccines available now, so I see NO reason to use the Salk vaccine. Those who refuse to protect themselves deserve what they get. Some will decry this as a 'cold', 'brutal' answer. Well it is, and so is nature. If you don't get vaccinated for the various diseases for which we have safe vaccines, then you've only yourself to blame. Edwin. ------------------------------ Date: Thu, 30 Aug 90 00:34:00 -0500 From: Michael Subject: Weird Mac Behaviour... (Mac) Hello, I think that my Mac IIcx was infected with a new virus. I have SAM II, Gatekeeper and Gatekeeper Aid running all the time. I was installing some software that I purchased from MacFriends onto my computer. There were about 10 fonts from Adobe and 10 from Bitstream and ColorStudio from Letraset. The system was fine before the software installation began. I might add that MacFriends had sent the Adobe fonts on their own labeled disks (? very strange) I'll have to ask them about that later. I had a recent backup so I was not too worried once the 'weird' stuff began. After I installed ColorStudio I tried to boot it up, but it asked me for the Settings file and then crashed. I rebooted and noticed that the SunDesk icon was now upside down!!! I checked the ColorStudio program disks for the settings file, but it wasn't there -- by the way I did purchase the program and it was fresh out of the shrinkwrap. I then tried to open the Control Panel and it told me that the system was missing some system resources. After opening up the system folder I tried moving some inits because I thought I was having init conflicts -- the inits couldn't be moved. The system said file busy/in use. I was pissed!!! I booted again from a floppy and tried to move the files and I got the same message. I then rebooted the mac from the hard drive and got a message stating that the finder was damaged and I should use the Installer to correct it. I did and rebooted. This time the SunDesk Icon was upsidedown and small, with some other trash. The mac hung and I rebooted -- the system then started up and only loaded four of my 15 inits and Cdev's!! Realizing that something was very wrong I tried to move the SunDesk icon and couldn't do it. I tried to delete the file and it seemed to be ok this time. I closed up the system folder and then opened it a few minutes later. The deleted files were back!! I ran SumII on the disk and many files were listed as having their checksum as changed. I didn't want to infect anymore disks so I initialized the disk and restored it. That's where I am now. I put the fonts back on because I desperately need them, but ColorStudio is off and I don't know what to make of my problems!! HELP....HELP....HELP has anyone seen anything like this before??? Please respond to me even if you want to take a guess...... Michael I. Wilson MWILSON@STSCI.bitnet Thanks in advance for your help!! ------------------------------ Date: Thu, 30 Aug 90 10:15:11 +0100 From: LBA002@PRIME-A.TEES-POLY.AC.UK Subject: Joshi Virus (PC) Are there any anti-viral routines that will eradicate the Joshi virus? Replies to: milton.u.washington.edu. Thanks on his behalf Rgds, Iain Noble - ----------------------------------------------------------------------------- Iain Noble | LBA002@pa.tp.ac.uk | Post: Main Site Library, JANET: LBA002@uk.ac.tp.pa | Teesside Polytechnic, EARN/BITNET: LBA002%pa.tp.ac.uk@UKACRL | Middlesbrough, INTERNET: LBA002%pa.tp.ac.uk@cunyvm.cuny.edu | Cleveland, UK, TS1 3BA UUCP: LBA002%tp-pa.ac.uk@ukc.uucp | Phone: +44 642 218121 x 4371 - ----------------------------------------------------------------------------- ------------------------------ Date: Thu, 30 Aug 90 10:21:31 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: 10000 was not a virus (PC) Yesterday I wrote that F-PROT was able to handle the removal of a previously unknown 10000 byte virus. This turned out to be somewhat incorrect, as this was not a single virus, but a combination of two viruses Plastique 5.21 4096 bytes Jerusalem 1808+5 bytes Plastique 5.21 4096 bytes ======= 10000+5 bytes This 10000 byte block somehow managed to replicate as if it was a single virus. It seems that the following sequence of events must have happened: A program is infected with Plastique, which adds 4096 bytes in front of the .COM file. It is then infected by Jerusalem, which adds 1808 bytes to in front of the Plastique virus, and appends a 5-byte signature to the end. The next time Plastique sees the program, it will reinfect it, because it does not find its signature at the beginning of the file. Now, when the program is executed, it will not be infected again by Jerusalem, as it appears to be already infected (signature at end of file), nor will it be infected by Plastique (signature at beginning of file. Rather remarkable.... - -frisk ------------------------------ Date: 30 Aug 90 15:46:08 +0000 From: N Porfiris Subject: help/1701 (PC) I have got my PC infected by a virus.When I try to boot it up a 1701 appears under the last date used information, followed by an inquiry to boot it up from drive a. I have tried chkdsk but no drive c can be found. I have also tried an antivirus kit, but the partition table can not be found. Could somebody advise me how can I retrieve the files of the hard disk and how can I scan my diskettes to find which are infected? I must note that I had used a scan.exe program that claims that 1701/cascade virus can be traced, but no traces of any virus appeared. Personal Mail : nico@emf.ed.ac.uk ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 150] ******************************************