From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V3 #187 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Monday, 26 Nov 1990 Volume 3 : Issue 187 Today's Topics: Response to various comments Looking for list of antivirus & scan programs Response to WDEF A problems (Mac) Re: stealth viruses.. Have you seen this one? (PC) DOS-TREND front cover magazine Re: Stoned virus (PC) Mail/Defuze Re: How safe are FTP sites from viruses? Stoned in C (PC) Friend Needs Help With Running Man Virus in Germany (PC) Re: Viruses surviving warm boots. (PC) Re: New DOS virus for CUNY Grad Schl. VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 19 November, 1990 From: Padgett Peterson Subject: Response to various comments >From: Herbert Lin >In a recent msg, someone said that a "stealth" virus could evade >checksum and CRC checks. Can anyone tell me how this is done? Basically, "stealth" viruses go resident in memory and trap the interrupts used by DOS. Then, whenever a file is requested, the virus checks to see if the file is infected. If so, the virus code is stripped off and the original file is presented. Nothing magic is done to defeat checksums. Of course, the fact that the virus goes resident is detectable, usually just by recording the CHKDSK memory return. - -------------------------- In issue 184 and in a VALERT-L posting I wrote concerning the DataLock/920 PC virus: >Each time an .EXE file is executed, it >will increase in size by 920 bytes. The virus will only infect a file >once but will infect any .EXE executed. I must apologise for the poor English. This virus will only infect an .EXE ONCE (an algorithm is used to place a signature in the file header) adding 920 bytes to the file. No "stealth" mechanisms are used. - --------------------------------------------- >From: William C Tom >*AND*, more importantly, how can I get rid of "Stoned" ?? Is there >a virus-killer program available ? McAfee's CLEAN will work or you can copy the original partition table on a hard disk back to sector 1 (I believe it is stored in sector 7) using DEBUG. On a floppy, simple replacement of the boot sector will render the virus harmless though some data/executables may be corrupted. (how fast can you press two keys and change floppies ?) - ----------------------------------------------------------- >From: p0.f7.n391.z1.fidonet.org!David.Hobbs@uafhp.uark.edu (David Hobbs) >Subject: Sunday virus description? (PC) The SUNDAY virus is a JERUSALEM derivative that goes resident as a 20xx byte un-nammed TSR. On Sundays the virus will print a message and delete (undeletable with several utilities) programs executed. A mistake in the code in one varient keeps it from ever triggering but all infect both .COM (once) and .EXE (each time run) programs. - ------------------------------------------------------------ Again, Patricia Hoffman's VSUM (currently VSUM9011.ZIP) should be required reading for VIRUS-L participants. ------------------------------ Date: Tue, 20 Nov 90 07:40:57 -0500 From: "Steve Huff, U. of Kansas, Lawrence" Subject: Looking for list of antivirus & scan programs Looking for list of anti virus & scan programs I recently became a new computer owner, and since I trade disks between colleagues frequently, would like to employ virus protection or some scanning mechanism. I've looked at the Frequently Asked Questions equivalent, and found the ftp sites just fine. My question: what do each of the programs do? Is there a program that's considered the best, at least as of today? Thanks. Steve - ------------------------------------------------------------------------------- Steve Huff, student, University of Kansas HomeNet: 913 749 4720 Internet: HUFF@kuhub.cc.ukans.edu Bitnet: HUFF@Ukanvax.Bitnet Don't_hold_your_breath_net: P.O. Box 1225, Lawrence, KS 66044-8225 - ------------------------------------------------------------------------------- ------------------------------ Date: Tue, 20 Nov 90 09:35:00 -0600 From: Ed the Computer Ninja Dude Subject: Response to WDEF A problems (Mac) Both Willem van der Wal and Kevin Hill wrote saying that they are experiencing problems saving files to their hard disks. While Kevin did not mention WDEF A (Kevin, have you found the same thing?) Willem did, however WDEF A may not be causing Willem's problem. Here at my university, we have been experienceing a rash of WDEF A infections over the past year. I found some information that stated this type of virus *usually* only affects the Mac IIci windowing system, though I do believe that it "gets in the way" of normal activity on other machines. You can get rid of virus by rebuilding the Desktop on your hard disk (which is where it resides). If you find that WDEF A is the problem, please let me know since it is a recurring thorn in my side. Hope this helps. ed P.S. To rebuild the desktop, hold down the command-shift-option keys on bootup _________________________________________________________________________ |ed murphy|consultant|university of new orleans|computer research center| | internet: memcr@uno.edu | bitnet: memcr@uno.bitnet | | "My views aren't particularly anybody's" | |_______________________________________________________________________| ------------------------------ Date: 20 Nov 90 16:55:40 +0000 From: vail@tegra.com (Johnathan Vail) Subject: Re: stealth viruses.. HLIN@NAS.BITNET (Herbert Lin) writes: In a recent msg, someone said that a "stealth" virus could evade checksum and CRC checks. Can anyone tell me how this is done? Wouldn't the author of the virus have to know the checksum/CRC technique being used in detail? Without specific knowledge of the polynomial being used, what could the virus author do? Checksums are easy to beat. CRCs are more difficult. The combination of both is unbeatable except by "stealth" techniques. As I understand it, the stealth type programs take over DOS or BIOS and if the infected files or sectors or directory info about these is read then a "fixed" version is actually returned. The fixed version makes it appear that the program or disk is uninfected. I can imagine that certain values wouldn't contribute to the checksum, but if you make the original size of the file part of the check, then adding those special values will change the file size, and render it detectable. Yes, the way to add code without changing the checksum or without calculating it from the entire file is to make the checksum of the additions be zero. Any addition would add to the file size. In short, it seems that if I am willing to give up the detection of virus propagation in real-time, I should be able to detect viruses ALL THE TIME (of course, if and only if I have a confirmed clean system to begin with). what am I missing? The stealth concept. That is why it is called stealth... Your detector would have to do all its disk I/O by itself, or somehow guarantee that the BIOS and DOS routines have not been compromised. And direct hardware I/O may not be completely safe on a 386 without checking the MMU, which again may not be guaranteed safe. "Like a clock, they sent, through, a washing machine: come around, make it soon, so alone." -- Syd Barrett _____ | | Johnathan Vail | n1dxg@tegra.com |Tegra| (508) 663-7435 | N1DXG@448.625-(WorldNet) ----- jv@n1dxg.ampr.org {...sun!sunne ..uunet}!tegra!vail ------------------------------ Date: Tue, 20 Nov 90 10:48:49 -0700 From: guido@bierstadt.scd.ucar.EDU (Gary Jensen) Subject: Have you seen this one? (PC) We have someone at NCAR that found an infected WprdPerfect file that had been created on good friday. On printing the file, the second page comes up with "Happy Easter" and sometimes more stuff about Christ and Easter. The file is protected and attempts to delete or copy it create more protected files. The PC is one used by students from time to time, so that is likely how it got the bug. I can't file any information on this one. Any help out there? GGGGG U U I DDDD OOO Gary Jensen guido@ncar.ucar.edu G _ U U I D D O O National Center for Atmospheric Research G G U U I D D O O Boulder, Colorado 80307-3000 GGGGG UUU I DDDD OOO Resident Big-Guy and National Monument ------------------------------ Date: Tue, 20 Nov 90 18:50:03 +0000 From: Christoph Fischer Subject: DOS-TREND front cover magazine Second message on the DOS-TREND magazine. I now received several copies of the magazine! we have two groups of people claiming there is a virus or trojan on the disks! 1. the "AIDS-TROJAN" This is certainly a false alarm these people used an older version of TNT-SCAN (Carmel) that had an ambigous search string. In fact it probably searched for the instrinsic part of MS-BASIC 3 compiled code. Thus it claimed that any file created by that BASIC is an AIDS-TROJAN 2.Some people claim there is STONED II on the disk. We couldn't find any infection on our samples! I am waiting for mail to arrive from people who had an infection on their disks. Since the disks are write enabled it is hard to say who put the virus on the disks. At the moment I can't say if it is just a coincidence that several people infected their disks with the *same* virus or if a certain ammount of the production load was infected. The publisher claims that their machines are clean! I'll publish more when we are done with the search but then in VIRUS-L not on VALERT-L ******************************************************************** * Christoph Fischer * * University of Karlsruhe * * Micro-BIT Virus Center * * Zirkel 2 * * W-7500 KARLSRUHE 1 Germany * * BITNET : RY15@DKAUNI2.BITNET * * INTERNET : ry15@rz.uni-karlsruhe.de * * Tel.: +721 37 64 22 FAX: +721 32 55 0 * ******************************************************************** ------------------------------ Date: Tue, 20 Nov 90 14:33:00 +0000 From: Jim Schenk Subject: Re: Stoned virus (PC) In VIRUS-L #186, Finn M.Jensen writes: > Some time ago I received a 5.25" disk (containing source-code, > OBJ-files and .EXE-files) which I copied (using XCOPY) to the > harddisk. I have used both the .OBJ and .EXE files. > > Later I found out that the disk contained a virus. > > SCANV67C reports that the BOOT sector of the disk (placed in A:) > is infected by the STONED virus, but no viruses are detected on > the C: drive ! > > Questions: > 1) Is my C drive clean ??? If SCAN doesn't detect any viruses on your C: drive, and as long as you didn't boot up from the infected floppy, then your C: drive is probably clean. Like all boot sector viruses, the ONLY way Stoned can infect a hard disk is to boot up from an infected floppy disk. Even if the infected floppy is not bootable (not a system disk), simply having it in the A: drive and rebooting or turning on the computer is sufficient to infect the hard disk. > 2) Is it safe just to copy the files to a new (clean) disk ? Yes. Stoned is strictly a boot sector virus; files are not infected. Just make sure that the virus is not present in memory on the machine you do the copying (boot up from a clean, write- protected DOS disk), and SCAN the target disk when finished just to be safe. > 3) If 1) and 2) have negative answers - what should I do ????? If, perchance, SCAN or some other virus-scanning software DOES detect an infection on your hard disk, the easiest solution is to obtain either F-PROT (Fridrik Skulason, Box 7180, IS-127 Reykjavik, Iceland, frisk@rhi.hi.is) or CLEAN (McAfee - same place you got SCAN). I believe the latest version of F-PROT (1.13) is available through anonymous ftp from chyde.uwasa.fi or from comp.binaries.ibm.pc; as for CLEAN, try the Home Base BBS at (408)- 988-4004, or ftp from mibsrv.mib.eng.ua.edu. Jim Schenk University Computer Services Florida International University Bitnet: jims@servax Internet: jims@servax.fiu.edu ------------------------------ Date: 20 November, 1990 From: Padgett Peterson Subject: Mail/Defuze a) To those who have sent me E-Mail without reply, there are two possibilities: 1) my "baroque" (as Ken puts it) server/address lost the mail (I get about 2/3rds of what is sent) 2) the same system could not decode the return address & I could not figure out an alternative route (not being very experienced in Internet) In any event I do try to answer all mail received but can make no guarentees. b) There seems to be a bit of hysteria builing about magical qualities of viruses. T'aint so ! On a PC at least, ALL viruses (and trojans, worms, etc) must execute to infect a system. Some have rather convoluted means of doing so but must execute FIRST in order to activate. The user is part of this process since a PC will not execute anything new unless told to do so. Incidently, the MAC is no different, only when a floppy is inserted, the O/S immediately looks for a DESKTOP file on the floppy and executes it. The CMOS RAM (clock, etc) cannot be executed. PERIOD. It might act as a storage facility for malicious software that knows where it is, but code executing from DOS memory addressable by the IP must have stored such information and is necessary to retrive it. DOS currently won't. Boot sector infectors (Stoned, Brain, Joshi, etc) are executable code that is stored in an area executed during the boot process. Without initiating a boot, you can leave the floppy in the drive forever and not become infected. COPYing or XCOPYing files from an infected disk will not infect a machine however DISKCOPY can pass the infection to a new disk. To infect a machine, the infected disk must be in the drive when a boot (warm or cold) is initiated. "Stealth" viruses simply trap interrupts (usually 21h) when they go resident and remove the virus code when an application requests an infected file so that a validator just "sees" the original file, but they must be resident in memory to work. Most go after COMMAND.COM first since the transient portion is usually loaded right after a upper memory virus goes resident. Good validation programs will flag this on the next load, but if the user says to "go ahead anyway", all bets are off. Every one of these that I have seen is easily detectable in memory just with what comes with DOS. The WHALE may have 30 different encyption algorithms, but all take memory from DOS. One of the biggest myths about nearly every virus is the "survives warm boots (ctrl-alt-del)". Yes, some do, but the few I am aware of all become resident in one area at the top of memory, change the Int 12h return (280h for a 640k machine), and trap the "warm boot" mechanism. Neither the common varieties of the Jerusalem nor the Stoned do this, however, to be safe, NOTHING survives a cold boot from a clean, protected floppy. Finally, for those just starting with Virus-L, I would suggest the following reading: Advanced MS-DOS by Ray Duncan, Microsoft Press; The 8086 Family User's Guide from Intel (later versions are also good); System BIOS for IBM PC/XT/AT Computers and Compatables from Phoenix Technologies Ltd, Addison-Wesley; Assembly Language Programming for the IBM PC AT, Brady; the Winn Rosch Hardware Bible by Winn Rosch, Brady; and THEN the Virus Information Summary List by Patricia Hoffman, available electronically. As a final exam, write a functional floppy boot record using LODSB, Int 10h (fn 0Eh), and Int 16h. For extra credit, use Int 12h and XLAT to report system memory at boot & validate your boot record. HINT: in the boot record, PUSH CS - POP DS won't work as you expect. Padgett ------------------------------ Date: Mon, 19 Nov 90 21:51:29 +0000 From: maven@rata.vuw.ac.nz (Jim Baltaxe) Subject: Re: How safe are FTP sites from viruses? mitchell@thesis1.hsch.utexas.edu (Philip Mitchel) writes: >The question was asked, "How safe are anonymous FTP sites from >viruses"? I'd like to know the answer as well. A user at our site >just retrieved some text files from the anonymous ftp server at >apple.com and found that her floppies began to be corrupted. McAfee's >virus scan identified the Stoned virus in the partition table. The >only known route of "infection" was the ftp connection. Just a reminder that the Stoned virus is a boot sector invader and executes only when a machine is booted from an infected disk. Simply running _any_ program whether FTP'd or not will not result in activating this virus. Therefore, there must have been another route of infection (vector?). For beginners (aren't we all...) tell people never to leave a disk in a drive when you turn a machine either on or off. On is obvious - to avoid executing a boot sector virus (this can happen even if the diskette is not a system disk). Off is included simply to prevent people from forgetting to take it out before they turn the machine on again. > By the way, what is the usual process for removing a virus such >as this once found? (I know, rank beginner question...we all start >somewhere). Thanks. Most of the major anti-virals will find and remove the stoned virus but if you want a specific for the Stoned virus, try using our NOSTONE.EXE which is available for anonymous FTP from several sites including our own, rata.vuw.ac.nz. Get /pub/nostone.exe. Jim Baltaxe - MAVEN@vuw.ac.nz - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= There are some days when I can't be sure whether life is trying to pass me by or trying to run me over. ------------------------------ Date: 21 Nov 90 02:20:45 +0000 From: William C Tom Subject: Stoned in C (PC) Thanks to all who responded to my previous questions on the Stoned virus. I used MDisk to remove Stoned from the partition table of my hard disk. According to ViruScan, the hard disk is now disinfected. BUT,.... the DiskEditor of Norton Utilities reveals some interesting stuff. In sector 0 0 1, what appears to be the correct partition table (I don't have the actual code) resides up to E1. Some distance after that, at FD, there begins a long string which includes the lines "your pc is now stoned", and "LEGALIZE MARIJUANA". Thus it seems that the virus is still present at least in some form in my hard disk. Looking into sector 7, there is what looks to me to be a corrupted version of the partition table; I am reluctant to test it by moving this version into sector 1 and possibly overwriting the correct partition table. My guess is that MDisk removed the infectivity of the Stoned virus from the hard disk while allowing some strings to remaiin Sector 1. Can some netters cast more light on this? Will these viral remnants be reactivated if I don't remove them? What is this material sitting in Sector 7 now; can it cause future trouble unless I rewrite nulls into the sector now? Thanks for any help. ------------------------------ Date: 20 Nov 90 21:36:02 From: mcmahon@tgv.com (John McMahon) Subject: Friend Needs Help With Running Man Virus in Germany (PC) A friend of mine in Germany has been having problems trying to disinfect his system. He has referred to the infecting virus as the "running man" virus, which tacks some code onto his executables and draws a silly icon running across the screen. Since he is in Germany (and I'm not) can someone direct me to a piece of software I can send him, or a person/place in Germany I can have him contact ? Many thanks in advance... John 'Fast-Eddie' McMahon : MCMAHON@TGV.COM : TTTTTTTTTTTTTTTTTTTTTTTT TGV, Incorporated : : T GGGGGGG V V 603 Mission Street : HAVK (abha) Gur bayl : T G V V Santa Cruz, California 95060 : bcrengvat flfgrz gb : T G GGGG V V 408-427-4366 or 800-TGV-3440 : or qrfgeblrq ol znvy : T GGGGGGG V ------------------------------ Date: Thu, 22 Nov 90 10:46:34 +0100 From: tomah@sssab.se (Tomas Ahl) Subject: Re: Viruses surviving warm boots. (PC) LANDEN@HROEUR5.BITNET writes: [...] >I have experimented quite a bit with Jerusalem-B but I have never seen >it survive a warm boot. Could anyone explain to me how it is possible >for any virus to survive a warm boot by any method other than >infecting something on the boot disk. In my experience a warm reboot >always re-initializes the interrupt vectors, a process that no virus >in memory would survive. Take this scenario: The virus traps the hardware keyboard interrupt and sorts out Ctrl-Alt-Del. When it detects C-A-Del it 'simulates' a reboot through stepping the floppy motors blanking the screen etc. After this the computer seems to restart and voila the virus can continue its 'work'. Not to mention I have a description of a virus doing excactly this, all other keyboard interrupts are passed on to the regular interrupt handler ofcourse... > >Peter van der Landen >Erasmus University, Rotterdam. In my view, the most important thing to remember when discussing viruses is that if BIOS and/or Dos can do it **any program can do it** and thus a virus can too. Ofcource this is true for any computer/operating system not utilizing hardware to block the normal user out from system areas in the machine. Not only Dos-systems. Dos-systems on the other hand are more voulnerable(sp?) than they need to because it is common practice for programs to fiddle around in the system areas to get things done that they need to do! ============================================================================ Tomas Ahl | phone +46 13 111660 Computer 'n' Ranch | fax +46 13 115193 | mail tomah@sssab.se ------------------------------ Date: Thu, 22 Nov 90 12:11:39 +0000 From: s30986u@kaira.hut.fi (Martin Helin) Subject: Re: New DOS virus for CUNY Grad Schl. DAC@CUNYVMS1.BITNET (Danny Choriki) writes: >I reported the following incident but forgot the screen message which >is as follows -- read on for more detail. Thanks again for any >assistance. > > on jo assennettu > icht deaktiviert werden -- Mausmenu ist aktiv I've no other comments but the language certainly is German in the latter sentence (althought, surely there must be a misspelling in the first word 'icht'). But the first sentence ('on jo assennettu') caught my attention because ... it's Finnish ! It also includes a misspelling ('assennettu' should be 'asennettu'), so if you copied it correctly it's hardly written by a Finn. The meaning is English would be "is already installed". With regards, Martin (from the, at the moment, very cold Finland = -15 degrees centigrade, that's way below zero in Fahrenheit as well I guess) Martin Helin Helsinki University of Technology, Finland Internet : mhe@otax.tky.hut.fi s30986u@kaira.hut.fi UUCP : uunet!kaira.hut.fi!s30986u ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 187] ******************************************