From:	   Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To:	   VIRUS-L@IBM1.CC.LEHIGH.EDU
Path:      cert.sei.cmu.edu!krvw
Subject:   VIRUS-L Digest V5 #29
Reply-To:  VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Thursday, 13 Feb 1992    Volume 5 : Issue 29

Today's Topics:

Bug in SCANv86b?? (PC)
Commercial virus releases.. (PC)
Are there any viruses that disable both floppies? (PC)
Which Package is Best? (PC)
Re: Michaelangelo sigs comp./w stoned (PC)
Re: Memory Discrepancies (PC)
Re: Variant Virus (PC)
Re: Stoned (PC)
Device Names (PC)
Re: yet another commercial Michelangelo (PC)
mac virus scan/protection (Mac)
Soliciting opinions
Pathology of computer viruses
SUMMARY: Polymorphic viruses (Long, sorry)
VIRx v2.0 Released ! (PC)
VIRX20.ZIP is on BEACH (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 10 Feb 92 10:46:29 -0500
From:    Michael Powell <MLPOWE01@ULKYVM.LOUISVILLE.EDU>
Subject: Bug in SCANv86b?? (PC)

From: Michael Powell
      Student Ass't, OPAS, University of Louisville Libraries
Phone: (502)588-5945

Is there a bug in Scan version 86b?  I have a copy on my PC and when I
run SCAN with the command line:

SCAN C:\DOS\*.*

Everything works fine.  However, when I attempt to SCAN the whole disk
(SCAN C:) or when I try to SCAN the root and boot sector only (SCAN
\), I get the following output:

SCAN 8.3B86 Copyright 1989-92 by McAfee Associates.  (408) 988-3832
Scanning for known viruses.
Scanning partition table of disk C:

(The 'S' at the beginning of the third line then changes to an ASCII
character and then the following message is produced; '*'s replace
garbled ASCII.)

Sorry, ***********************SCAN 8.3B86 Copyright 1989-92 by McAfee Associate
  (408) 988-3832
*****************************************************************************

I hope that's a bug and not a virus....SCAN v85 works fine and finds nothing
wrong.

Michael Powell

GEnie:    M.POWELL7
BITNET:   mlpowe01@ulkyvm.bitnet or cl231135@ulkyvx.bitnet
INTERNET: mlpowe01@ulkyvm.louisville.edu or
          cl231135@ulkyvx.louisville.edu

------------------------------

Date:    Mon, 10 Feb 92 15:57:44 +0000
From:    kpjone01@ulkyvx03.louisville.edu
Subject: Commercial virus releases.. (PC)

GREETS,
 
Anyone happen to have a list of the companies that have released disks with
the Michaelangelo virus on them?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kevin Jones                                   KPJONE01@ULKYVX.CT.LOUISVILLE.EDU
Lab Supervisor                                KPJONE01@ULKYVX.LOUISVILLE.EDU
Computing and Telecommunications              PHONE:  502-588-6303
University of Louisville, KY                  FAX:    502-588-0150

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date:    Mon, 10 Feb 92 12:21:51 -0500
From:    Jean Balent <JBALENT@UKCC.UKY.EDU>
Subject: Are there any viruses that disable both floppies? (PC)

I'm wondering if I have a virus on my computer.  Both my floppies
won't format (can't write boot sector) and I can't boot from drive A:.
I can't read any floppies - I get a "sector not found" error.

Is this a virus, or are my floppy drives just screwed up?

I checked the floppy controller cables and they're secured ok.

Reply to jbalent@ukcc.uky.edu  please.

------------------------------

Date:    10 Feb 92 23:17:07 +0000
From:    6241weaverd@vmsf.csd.mu.edu
Subject: Which Package is Best? (PC)

We are comparing McAfee, Central Point and Norton's antivirus
packages. Which is best? Are there any significant differences (e.g.
ease of use, performance, technical support, etc.), since there are
quantity price differences for us?

Thanks in advance.

------------------------------

Date:    Mon, 10 Feb 92 19:08:14 -0500
From:    William <PIPHER@vm.utcs.utoronto.ca>
Subject: Re: Michaelangelo sigs comp./w stoned (PC)

> From:   "Tim Martin; FSO; Soil Sciences" <martin@cs.ualberta.ca>

> Michelangelo has no text strings in it.  (The name simply comes from
> make your .com program search for any byte string, then the following
> hex string should work:
>   a1 13 04 48 48 a3 13 04

Thank you for this info -- sounds like it is exactly what I need.
I will compare it with the Stoned sig for interest's sake.

> A caution, though:
> Some MBR infectors will use stealth to get around your method: when your
> *.com program asks for the first sector of the hard disk, they will give
> you the sector where they hid the clean MBR (sector 7, for stoned.)

Yes, this is a concern.  I hear that the Empire Virus uses this technique,
and is therefore a real pain.  All of my (known) viral infestations
have been from stoned, thank goodness.

> It would seem to me just as easy to put Fridrik's VIRSTOP (part of the

I'd appreciate a source for this software and a 2-line description of
what it does.  The beauty of my semi-effective approach is that it is
extremely fast (unlike McAfee) and therefore can be used literally
dozens of times per day (particularly important on our many public
access PCs).  The problem with many of the anti-viral measures I have
seen is that they are not all of: fast, effective, cheap, and able to
be run invisibly by the most computer illiterate on public access
machines which have no consistency in use.

> Yet another strong recommendation: get Padgett Peterson's FIXUTILS, and

Ditto this one.

Thank you again for the info, and for any further info that you may care
to offer.

*WmP*

*-----------------------------*
|    William M. Pipher        |
|    pipher@utorvm.bitnet     |
|    University of Toronto    |
|    Library Systems          |
*-----------------------------*

------------------------------

Date:    10 Feb 92 21:51:16 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Memory Discrepancies (PC)

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:

> BTW - interesting bulletin on CNN last night, was amazed to discover
> that the Michelangelo displays the message "The world will see me again"
> (thought that was the Fu Manchu) and that "millions" of PCs are infected.
> Must be right since when I called to comment, I was told that "their
> expert said so" 8*).

A good example of how reliable CNN is when reporting viruses... I'm
referring to the Iraqi printer virus... :-)

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Tue, 11 Feb 92 18:11:40 +0000
From:    Fridrik Skulason <frisk@complex.is>
Subject: Re: Variant Virus (PC)

In Message 6 Feb 92 17:19:57 GMT, JOHNSON@tarleton.edu writes:

The name "Variant" does not sound familiar, and it is not included on
our "standard" list of virus names - please run either McAfee's SCAN
or my own F-PROT and check what they call it....then somebody should
be able to answer the question...

- -frisk

------------------------------

Date:    11 Feb 92 14:40:59 -0500
From:    "David.M.Chess" <CHESS@YKTVMV.BITNET>
Subject: Re: Stoned (PC)

>From:    Michael E. Goldstein <GOLDSTN%MAINE.MAINE.EDU@VM1.gatech.edu>
>
>I'm a little confused.  Does a boot-sector virus, like STONED, infect
>a floppy which is not bootable (command.com and system files)?  If
>it does, can an unsuccessful boot (because of the lack of system files)
>with the infected floppy, in a PC with a hard drive, infect the hard
>drive?

Don't worry, you're not the only one a little confused!  This might
make a good FAQ entry, Ken, if there isn't already one on it.  Here's
a proposed answer:

[Moderator's note: Thanks for the FAQ, Dave.  It's now in the file.]

Any diskette that has been properly formatted contains a working boot
sector.  If the diskette is not "bootable", all that boot sector does
is print a message like "Non-system disk or disk error; replace and
strike any key when ready".  But it's still a boot sector, and still
vulnerable to infection.  If you accidentally turn your machine on
with a "non-bootable" diskette in the drive, and see that message, it
means that any boot virus that may have been on that diskette *has*
run, and has had the chance to infect your hard drive, or whatever.
So when thinking about viruses, the word "bootable" (or
"non-bootable") is really misleading.  Almost all diskettes are
bootable enough to carry a boot virus.

- - --
David M. Chess                                          mI' jIHbe' jay'!
High Integrity Computing Lab                            loD tlhab jIH!
IBM Watson Research                                          -- qama''e'
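Two points in this digest fit one worked example: William Pipher's byte-string search for the Michelangelo pattern (the 8-byte hex string quoted in his post) and Dave Chess's FAQ answer that every properly formatted diskette carries executable boot code, whether or not it holds system files. The Python below is an added illustration, not code from the digest or from any of the products named in it. It constructs a 512-byte FAT12 floppy boot sector (invented sample data, with the "non-system disk" message a DOS format leaves in the code area), parses the fields a scanner needs, and searches the sector for the quoted pattern. The stealth caution in the thread still applies: a resident MBR infector can hand back the clean copy it stashed elsewhere when the running system reads sector 0, so the sector image handed to these functions should come from a machine booted off a known-clean, write-protected diskette.

```python
import struct

# Constructed sample data for this example; not an image taken from the digest.
SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of every valid boot sector
BPB_FORMAT = "<3s8sHBHBHHBHHHII"      # jump, OEM name and the DOS 3.3-style BPB
# The byte pattern quoted in the digest (Tim Martin's suggested search string).
MICHELANGELO_PATTERN = bytes.fromhex("a1 13 04 48 48 a3 13 04")
NON_SYSTEM_MSG = (b"Non-System disk or disk error\r\n"
                  b"Replace and press any key when ready\r\n")


def build_sample_sector(infected: bool) -> bytes:
    """Assemble a 1.44 MB FAT12 floppy boot sector (constructed test data).

    The 'infected' variant merely plants the digest's 8-byte pattern in the
    code area so the search below has something to find; no viral code.
    """
    header = struct.pack(
        BPB_FORMAT,
        b"\xeb\x3c\x90",  # JMP short + NOP: the BIOS starts executing here
        b"MSDOS5.0",      # OEM name
        512, 1, 1, 2,     # bytes/sector, sectors/cluster, reserved, FAT copies
        224, 2880,        # root directory entries, total sectors
        0xF0, 9, 18, 2,   # media byte, sectors/FAT, sectors/track, heads
        0, 0,             # hidden sectors, 32-bit total sectors
    )
    sector = bytearray(SECTOR_SIZE)
    sector[:len(header)] = header
    sector[0x60:0x60 + len(NON_SYSTEM_MSG)] = NON_SYSTEM_MSG
    if infected:
        sector[0x100:0x100 + len(MICHELANGELO_PATTERN)] = MICHELANGELO_PATTERN
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_boot_sector(sector: bytes) -> dict:
    """Return what a scanner needs to know about a sector before trusting it."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    fields = struct.unpack_from(BPB_FORMAT, sector, 0)
    return {
        # 55 AA at the end marks a bootable sector; the BIOS runs whatever
        # code precedes it, system files or no system files.
        "has_boot_signature": sector[510:512] == BOOT_SIGNATURE,
        "starts_with_jump": fields[0][0] in (0xEB, 0xE9),
        "oem_name": fields[1].decode("ascii", "replace").rstrip(),
        "total_sectors": fields[7] or fields[13],
        # A "non-bootable" DOS diskette still carries executable boot code;
        # that code just prints this message instead of loading the system.
        "non_system_message": NON_SYSTEM_MSG.split(b"\r\n")[0] in sector,
    }


def find_signature(sector: bytes, pattern: bytes = MICHELANGELO_PATTERN) -> int:
    """Byte offset of the pattern inside the sector, or -1 if absent."""
    return sector.find(pattern)


def assess(sector: bytes) -> str:
    """Verdict on one sector image: valid boot code, and does the pattern match?"""
    if len(sector) != SECTOR_SIZE or not parse_boot_sector(sector)["has_boot_signature"]:
        return "not a valid boot sector"
    return "pattern found" if find_signature(sector) >= 0 else "pattern not found"


if __name__ == "__main__":
    for label, image in (("clean", build_sample_sector(False)),
                         ("planted", build_sample_sector(True))):
        print(label, parse_boot_sector(image), assess(image))
```

The `non_system_message` field is the point of Chess's answer in code form: the sample diskette is "non-bootable" in the everyday sense, yet `has_boot_signature` and `starts_with_jump` show the BIOS would still execute its first sector, which is all a boot infector needs.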

------------------------------

Date:    Tue, 11 Feb 92 21:01:10 +0000
From:    trent@rock.concert.net (C. Glenn Jordan -- Microcom)
Subject: Device Names (PC)

Regarding the recent posting from the guy who found files
named AUX in all his sub-directories:

We had a tech call from a user this week who was dual-booting DOS and
OS/2 2.0.  He had a problem using VIRx to scan his OS/2 partition.
The scanner would go along fine until it hit a file named "COM1", then
it would lock up the machine.  It turns out that under OS/2 he had
created a legitimate file named COM1, for some reason, and while
running DOS this file was visible, but not properly handle-able.

C. Glenn Jordan   -  Virex for the PC Development Team
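The COM1 lock-up above is the classic DOS device-name trap: DOS matches the name part of a path against its built-in character devices (CON, PRN, AUX, NUL, CLOCK$, COM1 to COM9, LPT1 to LPT9) and ignores the extension, so a file legitimately created as COM1 or AUX under OS/2 becomes the serial port or the auxiliary device the moment a DOS program opens it. A scanner walking a directory tree therefore has to recognise and skip such names before calling open. The Python below is an added example, not VIRx code; the directory listing in it is invented for the illustration.

```python
import re

# DOS character-device names. DOS matches on the name stem only, so
# "COM1", "COM1.TXT" and "C:\OS2\COM1" all resolve to the serial port
# rather than to a file; a DOS program opening one can hang or error out.
DOS_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)

# Constructed listing standing in for the dual-boot OS/2 partition in the
# post; every path here is invented for the example.
SAMPLE_LISTING = [
    r"C:\OS2\COM1",          # the file from the tech call: hangs a DOS scanner
    r"C:\DOS\COMMAND.COM",   # ordinary file, extension .COM is irrelevant
    r"C:\PROJ\AUX",          # the AUX files from the earlier posting
    r"C:\PROJ\aux.txt",      # still AUX to DOS: the extension is ignored
    r"C:\PROJ\COM10",        # not reserved, only COM1..COM9 are devices
    r"C:\PROJ\NULL.DAT",     # stem is NULL, not NUL, so a normal file
]


def is_dos_device_name(path: str) -> bool:
    """True if DOS would open 'path' as a device instead of a file."""
    leaf = re.split(r"[\\/]", path)[-1]            # strip drive and directories
    stem = leaf.split(".", 1)[0].rstrip(" ").upper()  # name part before the dot
    return stem in DOS_DEVICE_NAMES


def split_scan_list(paths):
    """Separate files a DOS scanner may open from names it must skip."""
    to_scan, to_skip = [], []
    for p in paths:
        (to_skip if is_dos_device_name(p) else to_scan).append(p)
    return to_scan, to_skip


if __name__ == "__main__":
    scan, skip = split_scan_list(SAMPLE_LISTING)
    print("scan:", scan)
    print("skip (device names):", skip)
```

Under OS/2's own file system these are legitimate file names, which is exactly why a DOS-side scanner has to apply the check itself rather than rely on the directory walk to filter them.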

------------------------------

Date:    Wed, 12 Feb 92 00:06:27 +0000
From:    baalke@kelvin.jpl.nasa.gov (Ron Baalke)
Subject: Re: yet another commercial Michelangelo (PC)

martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) writes...
>The Michelangelo virus was found at the University of Alberta on a
>diskette from "Meridian Data, Inc.", who seem to be involved in CD-ROM
>extension software for MS-DOS systems.  The diskette was shipped
>write-protected, and the infection was detected immediately.  Meridian
>Data have been informed of the problem.
> 
>Is that 5 confirmed commercial distributions of Michelangelo, now?
>This is beginning to smack of conspiracy.  What are the statistical
>odds of one relatively dumb boot sector infector being this
>"successful"?  Or do the various companies have something in common:
>same supplier of pre-formatted diskettes, maybe?  Same
>diskette-copying service?  Recipients of the same "Demo" disk that
>required a system reboot?  Beta testers of some software that does a
>reboot for installation purposes?  I find the "pure coincidence"
>interpretation a bit too unlikely, though I have no statistics to
>support my hunch.

So which commercial products have been infected with the virus?  I had
the virus infect my computer from a commercial astronomy program
called Distant Suns about four months ago.  Distant Suns (PC version)
had just been released and I was one of the beta testers for it.  My
virus checker immediately detected it and I removed it right away.  At
the time I didn't know it was a destructive virus.  I contacted the
company who made Distant Suns, Virtual Reality Labs, and they were very
shocked.  They contacted all the people who bought the program (around
100 I believe) and notified them of the virus.  They were able to
track down the source of the Michelangelo virus to one of their
newly-purchased 486 computers.  Apparently the computer was bought
pre-infected with the virus.

     ___    _____     ___
    /_ /|  /____/ \  /_ /|     Ron Baalke         | baalke@kelvin.jpl.nasa.gov
    | | | |  __ \ /| | | |     Jet Propulsion Lab |
 ___| | | | |__) |/  | | |__   M/S 525-3684 Telos | Don't wait for your ship
/___| | | |  ___/    | |/__ /| Pasadena, CA 91109 | to come in, paddle out to
|_____|/  |_|/       |_____|/                     | it.

------------------------------

Date:    Mon, 10 Feb 92 19:51:20 +0000
From:    "Thomas R. Burkholder" <trb8x@faraday.clas.Virginia.EDU>
Subject: mac virus scan/protection (Mac)

I am posting for a friend (No really! :>) who is primarily a
Macintosh user.
Can someone recommend good shareware/freeware Mac virus
scanners/sterilizers similar to the McAfee virus protection
utilities?
Thanks.

- --
******************  Hops and malt, may God preserve them  ****************
******************  17 different beers in 17 days,   ****************
******************        I love Germany             ****************
****************** I can't wait to go for a month :) ****************

------------------------------

Date:    Tue, 11 Feb 92 15:54:03 +0000
From:    dave%triton.unm.edu@lynx.unm.edu (Dave Grisham)
Subject: Soliciting opinions

A student from the Univ. of Southern Colorado has solicited 
"expert" testimony on these questions for a paper.  He claims 
he has no access to 'news', so I am posting for him.  I know 
some of you have strong opinions on these topics.  If you wish 
to contribute an opinion please e-mail them to him 
at  EBKnight@dockmaster.ncsc.mil

1.  "Is there is a virus or can there be a virus that cannot be
stopped by any known means of virus protection?"

2.  "What measures are being taken by the computer industry and
government to protect us from having our information destroyed by
viruses?"

3.  "How much education do you think will need to be known to the
general public in order to prevent virus spreading?"

grish
I have given him some resources like the Virus-L archive site and told
him to hit the library.

------------------------------

Date:    Tue, 11 Feb 92 18:30:26 +0000
From:    ferbrach@ajax.rsre.mod.uk (Dave Ferbrache)
Subject: Pathology of computer viruses

Hi,

A brief note to apologise for a small number of technical inaccuracies
in my book (A Pathology of computer viruses), in particular the 4096
virus operational technique and the location of the boot sector
mentioned in the PC virus chapter (an unfortunate typo). As always
when this type of book is produced (the text was completed about
January 1991) a number of omissions, factual errors and new
developments creep in. My intention (if Springer is interested) is to
produce an extended second edition.

In this regard I would be keen to correct any errors, and to extend
the coverage of material for the second edition. In particular I would
like to address the new developments in PC virus techniques; extend
the coverage (and detail) given to theoretic analysis of virus
replication and detection; add a new extended section on virus
replication rate and spread modelling; add a section on US legislation
and finally extend the sections on UNIX viruses to include information
on developments in secure system models beyond Bell LaPadula including
typed object systems, capability based architectures, etc.

If you do come across any inaccuracies (opening flood gates now!)
please drop me a note. I would also be extremely interested in details
of any material which you think should have received coverage,
particularly if the material is historically, technically or
theoretically important.

Many thanks for your time

*******************************************************************************
David Ferbrache                        ferbrache@ccint1.rsre.mod.uk
Defence Research Agency                +44 684 895986 (Tel)
St Andrews Road                        +44 684 894540 (Fax)
Great Malvern, UK, WR14 3PS
*******************************************************************************

------------------------------

Date:    11 Feb 92 19:41:33 +0000
From:    vail@tegra.com (Johnathan Vail)
Subject: SUMMARY: Polymorphic viruses (Long, sorry)

Sorry for the long article but the thread is growing and I think the
inclusions are relevant...

Otto.Stolz.RZOTTO@DKNKURZ1 writes:

   on 23 Jan 92 23:50:10 +0000 vail@tegra.com (Johnathan Vail) said:
   > frisk@complex.is (Fridrik Skulason) writes:
   > > Terms such as "Viruses using variable encryption with a variable
   > > decryption routine" are rather cumbersome, [...]
   > > It is hereby proposed that the term "polymorphic" be used for this
   > > class of viruses, [...]
   > polymorphic virus - A virus using variable encryption with a
   >     variable decryption routine to avoid detection by its
   >     "signature".  V2P6, Whale, Maltese, Amoeba, Russian Mutant
   >     and PC-Flu 2 are examples of this kind of virus.

   I think, the definition both authors are proposing is too confined, or
   too narrow.

   Rather, the term should cover more than variable decryption routines.
   I'll state my proposed definition as a FAQ list entry, so Ken can put it
   into that list, if most people agree. Could a kind soul, who has a better
   command of English and/or better knowledge of viruses than I have,
   proof-read the following contribution, before it goes into the FAQ list?

   On Mon, 03 Feb 92 19:08:00 +0000, Anthony Naggs <AMN@vms.brighton.ac.uk>
   said:
   > POLYMORPHIC is a term that I have been using about viruses for about a
   > year, however I use it in a different way.  Polymorphic means having
   > multiple forms, so I have used the word to describe viruses which
   > infect different types of host or change their mode of operation.
   > Specifically I have applied the word to viruses which infect BOOT
   > sectors and program files (COM or EXE), or system files (eg .SYS).

   Recently, I have learned of another good term for this kind of viruses:
   Alan Solomon calls them Multipartite Viruses. I think this is a rather
   compelling term, as "polymorphic" is for the phenomenon I've dwelt on,
   in my FAQ contribution above.

   > For "Viruses using variable encryption with a variable decryption
   > routine" I would suggest the word "variable".  Polymorphic seems
   > inappropriate as the form is still the same:
   As to my understanding, the latter viruses vary their form and not their
   function; hence "polymorphic" seems just appropriate.

   Hence, I plead to use the following terms:

   * polymorphic : for viruses that produce varying instances by the
		   techniques described above (irrespective of them being
		   self-encrypting or not),

   * multipartite: for viruses that exploit several distinct infection
		   paths, and hence will be found attached to varying
		   pieces of code (i.e. at least two of the following:
		   program files, overlay files, program libraries,
		   source programs, device drivers, boot records, etc.)

I agree.  The term 'polymorphic' has been in use for a while now with
slightly different meanings.  It can be used to generically describe
code that changes itself.  We could then use more specialized terms if
needed to describe the different ways in which this happens, like
encryption or instruction mangling.


"zmudzinski, thomas" <uunet!imo-uvax6.dca.mil!ZMUDZINSKIT> adds:

	2.  At that, I'm not happy about his use of "multipartite" [which 
	really means "divided into many parts"].  I would suggest using 
	either "cross-infector" or "multivectored" as the group label for 
	critters that infect .EXE, .COM, etc.  [After all, we're stealing 
	from pathology when we speak of "viruses", so why not "borrow" a 
	little more?]  And I'd reserve "polymorphic" [meaning "having, 
	assuming, or passing through many or various forms, stages, or   
	the like"] just for the signature changers.


And back to Otto:

   If (when?) viruses will be able to operate on various hosts, we should
   coin a new term for them, perhaps something resembling the terms "cross-
   compiler" and "cross-assembler".

Though technically not a virus, the Internet Worm had the ability to
operate on various platforms by both using the host machine to compile
portions of itself to having special code for Vaxen and Suns.  The
terms we pick should represent the larger class of self replicating
programs.


This very interesting message I received adds some more food for
thought.  Enjoy, jv.

________________________________________________________________

 From: uunet!slig.ucl.ac.be!Meessen  (Christophe Meessen)
 To: vail@tegra.com
 Subject: Re: Polymorphic viruses
 Organization: Universite Catholique de Louvain (Belgium)

 If you want to use vocabulary in common with biology, it should have the
 same meaning.

 1. A polymorphic virus is a virus whose OUTER shell has changed its
 composition. The immune system can't recognise it anymore.

 2. The word polymorphic means 'many forms'. The form means its appearance
 to the world.

 If you want to make a parallel to biological terms, which is not a bad
 idea, it should be accurate.

 We could (or you already do) associate genetic code with program code.

 The morphology of a virus is the outer shell's form, composition and
 structure. It is on this basis that the computer may recognise a virus.
 Viruses (biology) are not recognised on the genetic code.

 A polymorphic virus (biology) is a virus which changes its MORPHOLOGIC
 APPEARANCE.
 The code is left unchanged!

 A POLYGENIC virus (biology) is a virus which changes its genetic code,
 which then changes its morphological appearance.

 I think the word POLYGENIC is more accurate than POLYMORPHIC for the type of
 computer virus you want to use it for.
 In the computer world, viruses are recognised on the program code. In the
 biology world, viruses are recognised (by the immune system) on the morphology.

 The equivalent of MORPHOLOGY in the computer-world virus is not clear:
 viruses in computer science don't have equivalent shells around them.
 Most of the time, computer viruses are just pieces of code that may be
 copied to different places.
 The biological equivalent of genetic code parts that may be copied are
 REPLICONS. REPLICONS are even simpler than viruses; they just have the required
 genetic code to be copied around. This term is more accurate for what computer
 scientists call, most of the time, VIRUS.

 But, for sure, there are no specific limits between these concepts.

 I can currently not post this mail to the news. If you find this information
 relevant for the community please spread it. Sorry for mistakes, English is
 not my natural language.

 Christophe MEESSEN
 Internet : Meessen@slig.ucl.ac.be


[And in a later message adds:]


 I refined the suggestion to the following:

 POLYCODE virus - A virus using variable encryption with a
      variable decryption routine to avoid detection by its
      "signature".  V2P6, Whale, Maltese, Amoeba, Russian Mutant
      and PC-Flu 2 are examples.

 POLYMORPHIC virus - Any virus that changes its
      behaviour, such as infecting different types of host or changing
      its mode of operation.  A virus that infects both .COM and
      .EXE programs as well as boot sectors can be considered
      polymorphic.
________________________________________________________________


------------------------------

Date:    Tue, 11 Feb 92 22:42:13 +0000
From:    trent@rock.concert.net (C. Glenn Jordan -- Microcom)
Subject: VIRx v2.0 Released ! (PC)

Microcom's Virex for the PC Development Team and Ross Greenberg
announce the release of the new version 2.0 of VIRx, our
detection-only anti-virus scanner.

We added in detection of new viruses, as usual, and something new.

Michelangelo Virus is scheduled to "trigger" on March 6.  It is very
widely distributed, from what we are hearing.  We suspect a large
number of people have infected machines who are unaware of this.  We
do not want to have them find out on March 6th, when the virus
overwrites an essential area of their hard disk.  So, until after
March 6, VIRx 2.0 will not only detect MICHELANGELO virus, but will
also safely remove it from the infected drive(s).

The use of VIRx is free to individuals and educational institutions,
still.  Corporate and governmental entities should note the changes
to the licensing agreement first made in version 1.9, which still apply.

VIRx20.ZIP is obtainable from beach.gal.utexas.edu, urvax.urich.edu,
SIMTEL-20, FidoNet node 1:3641/1 (FREQ magic name VIRX), Compuserve,
GEnie (soon), and our own support BBS at (919) 419-1602 v.32bis.

We do not provide support for VIRx, but we're interested in your responses.

------------------------------

Date:    Tue, 11 Feb 92 16:23:01 -0600
From:    PERRY@beach.gal.utexas.edu (John Perry KG5RG)
Subject: VIRX20.ZIP is on BEACH (PC)

VIRX20.ZIP is available on beach.gal.utexas.edu (129.109.1.207). This
version includes a disinfector to handle the Michelangelo virus. It is
a time-based disinfector that will expire on March 10. If you have any
problems with anonymous FTP on BEACH, please contact:

perry@beach.gal.utexas.edu

 John Perry KG5RG                    | perry@beach.gal.utexas.edu - Internet
 University of Texas Medical Branch  | PERRY@UTMBEACH             - BITnet
 Galveston, Texas  77550-2772

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 29]
*****************************************
