From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V3 #182
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Thursday, 8 Nov 1990    Volume 3 : Issue 182

Today's Topics:

Re: Sudden Reboot on PC (PC)
re: FluShot Plus 1.7 (PC)
Disinfectant / VirScan for IBM-PC ??? (PC)
Re: FluShot Plus 1.7 (PC)
Jerusalem B (PC)
Re: Products for detecting viruses
Re: Possible virus on Commodore
Various comments (PC)
Strange Behaviour (Virus?) On Novell LAN
re: Possible virus on Commodore
re: Virus Query (PC)
VIENNA in GC Software (PC)
V&S (PC)
PC-cillan (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    Tue, 06 Nov 90 16:38:38 -0500
From:    Alex Nemeth
Subject: Re: Sudden Reboot on PC (PC)

One of the first things I would do is to have your PC checked out from a hardware standpoint. The next step would be to have the power in your building checked out. After 5+ years in the PC repair field (2 with a ZDS dealer) I've seen many strange things happen because of power problems. When checking out the power in the building I would recommend using a line monitor, with a paper tape preferably, inline with the PC in question.
The next best choice would be a UPS; while these won't tell you what the condition of the power is, they will beep when the power fails and they usually supply a well regulated voltage output.

Good luck,
Alex

P.S. Don't completely rule out a software problem. You might want to try to RE-SYS your hard drive. If this solves your problem let me know.

------------------------------

Date:    Tue, 06 Nov 90 16:55:14
From:    microsoft!c-rossgr@uunet.uu.net
Subject: re: FluShot Plus 1.7 (PC)

>From: "Robert McClenon" <76476.337@compuserve.com>
> When it is started from my AUTOEXEC.BAT, it says that the size of the
> protection table is 2048. I have 14 programs defined with checksums
> that it checks, as well as several rules to prevent unauthorized
> writes, such as no writes of *.COM files without an interrupt. If I
> try to add a 15th program to the checksum list, FluShot Plus 1.7 HANGS
> on startup.

Robert: this really isn't the right place for me to do tech support, so please feel free to call me at (212)-889-6431 or FAX me at (212)-889-9730 for future tech support.

This sounds like an interesting kinda problem, though: is your FLUSHOT.DAT file > 2048 bytes (sounds unlikely with only 15 program entries)? What program does it appear to hang on (during the checksum scan)? I'll have to ask you some more questions before I can help further, but I'm always available for tech support at the above number(s).

Finally, you should also consider updating to Version 1.81, the most recent version. It has some extra security, some bug fixes and a nifty scan program, a demo of my commercial VIREX-PC product's scanner.

Ross M. Greenberg
Author, FLU_SHOT+ & VIREX-PC

------------------------------

Date:    07 Nov 90 09:00:46 +0700
From:    infocenter@urz.unibas.c.h
Subject: Disinfectant / VirScan for IBM-PC ??? (PC)

Where can I get a program against IBM PC viruses? Is there something like Disinfectant for the Mac?
I would prefer something that is
- PD or ShareWare
- updated regularly
- free of OWN viruses
- easy to get from a SAFE place

I know that IBM has a VirScan program. There are two versions:
- the version they sell
- the internal version

The commercial version lags far behind the internal one. Naturally, since it takes a long time from development to the counter! So is there any possibility for non-IBMers to download a SAFE copy of the internal VirScan version?

Thanks for all info ................................................. Didi

Universitas Basiliensis InfoCenter

------------------------------

Date:    Wed, 07 Nov 90 13:28:31 +0700
From:    Shelly Glaser
Subject: Re: FluShot Plus 1.7 (PC)

If your copy of FLUSHOT is legitimate, why not contact the author directly? He is Ross Greenberg and is usually quite helpful.

Yours
Shelly Glaser

PS: I think that FLUSHOT+ is not on the TRICKLE. Why?

[Ed. The above address for Ross Greenberg is no longer valid! His new address is: microsoft!c-rossgr@uunet.uu.net]

------------------------------

Date:    Wed, 07 Nov 90 11:48:00 +0000
From:    Jim Schenk
Subject: Jerusalem B (PC)

Does anyone out there have any information on the Jerusalem B virus? A student recently brought in an infected file and I'd like to know how it spreads, what damage it causes, etc., to try to prevent it from spreading further.

Thanks in advance.

Jim Schenk
Florida International University
Bitnet: jims@servax
Internet: jims@servax.fiu.edu

------------------------------

Date:    07 Nov 90 21:22:00 +0000
From:    vail@tegra.com (Johnathan Vail)
Subject: Re: Products for detecting viruses

71435.1777@CompuServe.COM (Bob Bosen) writes:

> Yes. I hope you'll consider "SafeWord VIRUS-Safe" from my company.
> It is an extension to MS-DOS that automatically and transparently
> examines all your programs as they are loaded for execution. It
> quickly calculates a non-forgeable signature for each program being
> executed and compares that signature with records from prior
> executions. If anything has changed since the last time it was run,
> the user is alerted. Otherwise, execution continues without any
> disruption. It detects the spread of all known MS-DOS viruses, and is
> believed to be capable of detecting the spread of all unknown viruses

This technique seems to be a good one for screening for *propagation* of viruses on a system or network. I have some questions and some what-ifs to run by, if I may:

-- This doesn't detect the program that is spreading the virus, only the ones that have been subsequently infected. Correct?

-- Does this provide any protection from attacks on COMMAND.COM, boot sectors or general attacks through DOS or BIOS?

-- Are there programs that legitimately modify themselves with various defaults and setup that can trigger the virus detector?

Thanks, jv

"... until then, any action will be like trying to herd cats." -- Gene Spafford

Johnathan Vail        n1dxg@tegra.com
Tegra                 (508) 663-7435     N1DXG@448.625-(WorldNet)
jv@n1dxg.ampr.org     {...sun!sunne ..uunet}!tegra!vail

------------------------------

Date:    08 Nov 90 01:10:59 +0000
From:    woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal)
Subject: Re: Possible virus on Commodore

HAG2@vms.cis.pitt.edu writes:

> In Digest V3 #177 someone mentioned that a virus could hide in the disk
> drive since it has RAM, ROM, etc... However, the RAM is cleared whenever
> the unit is turned off. Therefore, any virus would have to somehow store
> itself in the drive whenever the computer is used, which can't be done.

It can, and was done. The Commodore drives are intelligent. There are several buffers in RAM that can be freely written to.
A knowledgeable Commodore hacker can do this quite easily, and very simply infect a program. There were several protection schemes based on this very thing. A program was downloaded into the drive's RAM, rather easy to do with a disk read and then a buffer transfer command. These routines then hooked one of the multitude of hooks into the system, and proceeded to veto copies etc. Way back in 1980, I was selling Commodore computers and installing them. I may have some sample code hanging around somewhere, but I don't know where. I do have the source for the old 4040 ROMs, and have looked at it quite a bit in those days. Yes, it can be done.

Cheers
Woody

> Besides, considering the abundancy of Commodore hackers, I'd assume that if
> a virus was possible, it would have been written by now...

When the Commodore computers were really common, viruses were essentially unknown.

------------------------------

Date:    Wed, 07 Nov 90 21:05:05 -0600
From:    James Ford
Subject: Various comments (PC)

Got some comments/questions that maybe some of you can help with.

Ross: Do the antiviral sites that carry FSP need to send a registration/distribution form in? I wouldn't think so, but decided to get it straight from you. Also, what is the latest version out?

General: I have a file called VIKIT404.ZIP, which seems to be some sort of antiviral software. However, the docs are in Italian. Does anyone know the file and/or care to translate the docs? I do not want to place it on MIBSRV until I know something more about it. Interested? Email me direct.

Stoned has made its way to Tuscaloosa, Alabama. It has been found on two floppies and 4 hard drives (that I know of).

----------
Life is what goes by while you are watching television.
----------
James Ford - JFORD@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU
THE University of Alabama (in Tuscaloosa, Alabama USA)

------------------------------

Date:    Wed, 07 Nov 90 20:18:00 -0800
From:    N7FRJ@locke.hs.washington.edu
Subject: Strange Behaviour (Virus?) On Novell LAN

XT and AT class PC's running MS-WORD version 5.0B on an Advanced Netware 286 Version 2.15c LAN in Seattle have either 'crashed' while attempting to save the document they were working on, or have received a message saying: "You SHOULDn't print this file" when they attempt to print it...

This started on 1-Nov-90 (I noticed the Halloween notice a couple days back) and thought I would report this as well.

Other known symptoms so far have been: At least 2 unrelated executable files have been 'altered'. Unfortunately, several users had SUPERVISOR privs. The executable file MENUPARZ.EXE (in the PUBLIC directory) had several chunks of it 'zeroed'. Its date and size were not changed, only its contents. It was flagged as ROS. (But with SUPERVISOR privs, you can do anything, right?)

I was contacted in an attempt to 'quantify' what was going on. All comments are appreciated!

George Saba
N7FRJ @ Locke.hs.washington.edu
N7FRJ @ UWALOCKE (BitNET)

------------------------------

Date:    Wed, 07 Nov 90 22:35:51 -0500
From:    pro-angmar!achilles@alphalpha.com (David Holland)
Subject: re: Possible virus on Commodore

> In Digest V3 #177 someone mentioned that a virus could hide in the disk
> drive since it has RAM, ROM, etc... However, the RAM is cleared when the
> unit is turned off. Therefore, any virus would have to somehow store
> itself in the drive whenever the computer is used, which can't be done.

Uh... not meaning to tell anyone how to write one, but there are drive commands that will do just that: store something in the drive's memory. It isn't particularly more difficult than loading a virus into the computer's main memory, in fact.
A program with the virus would have to be executed before the virus could become active, but that's nothing new... :( The RAM in my PC clone is cleared when the computer is turned off, but that doesn't make it virus-proof either. It's maybe a good thing that the documentation for the C64's disk drive was so lousy.

> However, as I mentioned before, someone running the GEOS operating system
> could probably get a GEOS-specific virus.

No kidding... if you've ever looked at any of the programming information for GEOS, you'll see it's full of holes.

> Besides, given the abundancy of Commodore hackers, I'd assume that if a
> virus was possible, it would have been written by now.

I suspect the base of C64s in active use is too small at this point to support a virus. So it's rather a dead issue...

----------

On a somewhat separate note, could someone e-mail me the phone number for McAfee's BBS? I can't seem to find it, and I don't have access to the archives.

[Ed. The HomeBase bboard can be reached at 408-988-4004]

Thanks.

David A. Holland
Internet: pro-angmar!achilles@alphalpha.com
          aeneas@blade.mind.org (slower)
Citadel:  blade!aeneas@{undermind, overmind}
Fidonet:  David Holland @ 1:322/337 (not preferred)
"There is no great talent without a mixture of madness." -Seneca

------------------------------

Date:    08 Nov 90 09:40:23 -0500
From:    "David.M.Chess"
Subject: re: Virus Query (PC)

Dave Goodwin asks about side-effects of the Dark Avenger virus. It's a potentially rather nasty one; on something like every 16th execution of an infected program, a more-or-less random sector on the disk is overwritten with 512 bytes of garbage beginning with the string "Eddie lives". You might want to use some sector-string-search program to look for that string...
DC

------------------------------

Date:    Tue, 06 Nov 90 14:22:00 +0700
From:    KLOTZBUECHER@MPI-MUELHEIM.MPG.DBP.DE
Subject: VIENNA in GC Software (PC)

A week ago one of the PC's in the chromatography department started to act up, going frequently into a re-boot. A quick check with McAfee's SCAN57 showed a massive contamination of .COM files with VIENNA A. As this PC is used only as a dedicated service station, the contamination could easily be traced back to original diskettes of the software for the Shimadzu Photodetection Detector SPD-M6A, Version 2.14, which arrived a few months back. As this was an update, the older version 2.12 was checked, which is clean. The same contamination was found in the original diskettes of a second station in a different department, which had gotten version 2.14 independently. A company representative of Shimadzu was notified; he claims that the company is not the source of the virus infection. Collected infected disks and replaced them with clean version. :-)

Has anyone else seen this infection of Shimadzu software? Any other gas chromatographic software?

Dr. Werner E. Klotzbuecher                          Tel: 0208-31073
Max-Planck-Institut fuer Strahlenchemie             Fax: 0208-384-741
Stiftstrasse 34-36; 4330 Muelheim/Ruhr, FRG         Tlx: 856741
EAN            : klotzbuecher@mpi-muelheim.mpg.dbp.de
BITNET version : klotzbuecher%mpi-muelheim.mpg.dbp.de@dfngate.bitnet
UUCP version   : klotzbuecher%mpi-muelheim.mpg.dbp.de@unido.uucp
DATA-STAR, IAS : klotzbuecher

------------------------------

Date:    08 November, 1990
From:    Padgett Peterson
Subject: V&S (PC)

>From: Dave Goodwin
>We've recently picked up the DARK AVENGER virus on some of our
>systems, and I'd like to see if anyone can detail the activity this
>one engages in.
It has been a while since I looked at this one but there are at least two strains: one which is a normal TSR detectable with MAPMEM, and the other is in upper memory detectable with CHKDSK. It is quite nasty and fast-spreading. After a certain delay (xx files infected) it will start corrupting files by writing a copy of a low disk sector into random locations on the disk. It does not use any "stealth" mechanisms, nor does it affect the boot sector or partition table. Infected files grow by ca. 1800 bytes.

>From: Michael_Kessler.Hum@mailgate.sfsu.edu
> although anyone
>knowing how to get to the shell from a software package can of course
>bypass the protection.

Some time ago I "fixed" COMMAND.COM so that a batch shell could not be aborted. All that is necessary is to find the "Terminate Batch Job (Y/N)?" string, back up to the INT 21 call that prints it, and then change the preceding branch (JN if I remember right) to a JMP. It is a touch more difficult to remove the "system" feature from software packages, but possible.

>2. To avoid infecting the network should a student use outside
>software on various stations, we recommend that all stations be turned
>off after use so that nothing stays in memory (Jerusalem B survives
>warm reboots).

This seems to be a common mythconception about the Jerusalem but good practise nonetheless. I suspect a direct invocation of INT 19 with POST would have the same effect (but haven't tried it).

>3. Administrative and academic usage will be kept on separate servers.
>We had one network utility which required an open directory that was
>shared between the two sides, and I think that this is how the
>infection migrated.

Have seen this happen more than once & can be very nasty. Separate directories are essential. Network administrators need special training & tools. (editorial)

>4. Until the infection, WordPerfect was in a single open directory.
>Now it is in a read-only directory, but linked to its SETUP files in
>an open directory.
>The common wisdom around here is that write
>protected files can get infected, but files in read-only directories
>will not be infected.

It is not well documented, but if the directory files in SETUP (Shift-F1, 6) are left blank, WP will work in the current default directory. Typically, we just point the DOCUMENTS entry this way, but any of the others should also work. This will give you more freedom in location.

Padgett

------------------------------

Date:    Thu, 08 Nov 90 11:03:00 -0500
From:    "Dr. Harold Joseph Highland, FICS"
Subject: PC-cillan (PC)
Original-To: JUAN JOSE CARMENA

In Virus-L Volume 3 Number 171 on 17 October there was your request from 17 Oct 90 for information about "PC-cillan." Steve Chang, president of Trend Micro Devices of Torrance CA, sent us an evaluation copy of his product since he wanted a product endorsement.

The product consists of software and hardware [a dongle] -- a unit that must be attached to the parallel port. This dongle has two problems from my viewpoint. Its function is nothing more than to copy the hard disk's MBR [partition table and boot record], something that is easily done with Norton Utilities, PCTools, Mace and the Kolod package. Besides, having the MBR on a floppy disk is safer than trusting an "attachment" to the micro.

Unfortunately this dongle has no way to secure it to the port. If some joker removes it, the so-called security offered by the product is gone. If you had 30 of these in an office or lab and the joker shifted them around among the machines, think of the problem you'd have to find the right dongle for each machine!

Furthermore, the software is promoted as protecting the user against any known and FUTURE viruses. We class such items as Ponce de Leon follies -- promises of eternal youth -- of utopia!

Within the last month Mr Chang sent out a press release in which the product was endorsed by John McAfee who noted that it was one of the best he had seen.
High praise from an author who fails to include mention of most anti-virus products in his book. In our conversation with Mr Chang he claimed the product was widely sold in Asia and Europe and was now making it available in the States.

In the late 1940's there was a company, Wit's End, a printer and greeting card producer. Their stationery was printed on brown kitchen paper towels. On it was a saying from Mark Twain: "Be thankful for the fools for without them we could not exist."

You must have heard of our famous American showman Phineas Taylor Barnum [1810-1891] who ran circus sideshows exhibiting animals and freaks. At one he had large signs reading "This way to the Great Egress." After the people passed through the curtained opening and walked through a maze, they found themselves outside of the exhibit area. Anyone who complained was told that "Egress" was another word for "exit" and that Mr. Barnum was not responsible for their lack of education.

The Wall Street Journal and other newspapers ran stories about anti-virus product hyperbole. As a good friend of mine recently put it: "Barnum is not really dead!" He is probably selling anti-virus products!

Dr. Harold Joseph Highland, FICS
20 October 1990

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 182]
******************************************
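Editor's worked example (added here; not code from the digest, from SafeWord, or from any contributor): the load-time integrity check Bob Bosen describes, in Python, applied to the MENUPARZ.EXE case George Saba reports, where a file's contents were zeroed while its date and size stayed the same. The SELF_MODIFYING allowlist (Johnathan Vail's third question), the file names and the file contents are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Assumption: an operator-kept allowlist of programs that legitimately rewrite
# their own image (Vail's third question); everything else must never change.
SELF_MODIFYING = {"SETUP.EXE"}


def fingerprint(path):
    # Content digest, standing in for the "non-forgeable signature".
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class IntegrityMonitor:
    def __init__(self):
        self.table = {}  # path -> digest seen at the last execution

    def on_execute(self, path):
        """Run at program load; returns recorded, ok, exempt or changed."""
        digest = fingerprint(path)
        prior = self.table.get(path)
        if prior is None:
            # First sight only sets the baseline: a program that is already
            # infected when recorded is not caught (Vail's first question).
            self.table[path] = digest
            return "recorded"
        if digest == prior:
            return "ok"
        if os.path.basename(path).upper() in SELF_MODIFYING:
            self.table[path] = digest
            return "exempt"
        return "changed"  # size and date may match; the content does not


def demo():
    """Constructed scenario: one 512-byte chunk of MENUPARZ.EXE is zeroed in
    place and the old timestamp put back, so size and date look untouched."""
    mon, results = IntegrityMonitor(), {}
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "MENUPARZ.EXE")
        with open(exe, "wb") as f:
            f.write(bytes(range(256)) * 16)  # 4096 bytes of constructed code
        before = os.stat(exe)
        results["first"] = mon.on_execute(exe)
        with open(exe, "r+b") as f:  # zero one sector without changing size
            f.seek(1024)
            f.write(b"\0" * 512)
        os.utime(exe, ns=(before.st_atime_ns, before.st_mtime_ns))
        after = os.stat(exe)
        results["metadata_same"] = (after.st_size == before.st_size
                                    and after.st_mtime_ns == before.st_mtime_ns)
        results["zeroed"] = mon.on_execute(exe)
        setup = os.path.join(d, "SETUP.EXE")
        for contents in (b"defaults=old", b"defaults=new"):
            with open(setup, "wb") as f:  # a program rewriting its own defaults
                f.write(contents)
            results["setup"] = mon.on_execute(setup)
    return results
```

A directory listing shows nothing for the zeroed file, but the digest comparison flags it; the allowlisted SETUP.EXE is re-baselined instead of flagged.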
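Editor's worked example (added here; not a tool from the digest): the sector-string search David Chess suggests for Dark Avenger, in Python. It reads a raw disk image in 512-byte sectors without loading it whole, carries the tail of each read into the next so a marker split across reads or sectors is still found, and reports the sector number and offset of each hit. The image, the filler byte and the marker positions are constructed for the demonstration; the only fact taken from the digest is the "Eddie lives" string.

```python
import io

SECTOR = 512
MARKER = b"Eddie lives"  # string Chess reports at the start of the garbage sector


def scan_sectors(stream, marker=MARKER, sector=SECTOR, sectors_per_read=8):
    """Scan a raw device or image in fixed-size reads.
    Returns [(sector_number, offset_in_sector), ...] for every occurrence.
    The last len(marker)-1 bytes of each read are carried into the next read,
    so a marker that straddles two reads (or two sectors) is not missed."""
    hits, carry, base = [], b"", 0  # base = absolute offset of carry[0]
    while True:
        chunk = stream.read(sector * sectors_per_read)
        if not chunk:
            break
        buf = carry + chunk
        i = buf.find(marker)
        while i != -1:
            absolute = base + i
            hits.append((absolute // sector, absolute % sector))
            i = buf.find(marker, i + 1)
        keep = min(len(marker) - 1, len(buf))
        base += len(buf) - keep
        carry = buf[len(buf) - keep:]
    return hits


def build_image(total_sectors=64):
    """Constructed 32 KiB image: filler everywhere, with the marker placed at a
    sector start (as the virus writes it), straddling a sector boundary, and
    straddling a read boundary, to exercise the carry logic."""
    img = bytearray(b"\xf6" * SECTOR * total_sectors)  # DOS-style fill byte
    garbage = MARKER + bytes((i * 7 + 3) & 0xFF for i in range(SECTOR - len(MARKER)))
    img[17 * SECTOR:18 * SECTOR] = garbage                       # whole sector
    img[41 * SECTOR - 5:41 * SECTOR - 5 + len(MARKER)] = MARKER  # sector straddle
    img[16 * SECTOR - 4:16 * SECTOR - 4 + len(MARKER)] = MARKER  # read straddle
    return bytes(img)


def demo():
    return scan_sectors(io.BytesIO(build_image()))
```

On a real system the stream would be the raw device rather than a BytesIO, and each reported sector would then be mapped back to the file or structure that owns it.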