From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #33 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Tuesday, 18 Feb 1992 Volume 5 : Issue 33 Today's Topics: Unknown Virus? (PC) Re: New virus????? (PC) VirX 2.0 (PC) Re: SafeMBR and SCAN8.3B86 (PC) Re: 112 byte AUX files (PC) New virus - ROBERTB (PC) Re: Bug in SCANv86b?? (PC) Re: CIAC Bulletin C-15: Michelangelo Virus (PC) Re: Michaelangelo 35. & B drive (PC) "Stoned" & Win MS-DOS 4.01; Yankee Doodle; "Mirrors Virus" (PC) Re: Fprot on XT Computer (PC) Re: Viruses and Backups (PC) Trojaned SCAN (87) (again) (PC) (sorry for all the parens) Re: Stoned (PC) SOFTWAR Re: Iraqi Virus Question? Latest Test Of PC Virus Packages By NCSA VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Thu, 13 Feb 92 20:44:25 -0500 From: Jon Freivald Subject: Unknown Virus? (PC) cksvih01@ulkyvx03.louisville.edu writes: > My brother was installing an expanded memory manager he had > legitamately purchased and found what he thought was a virus. Upon > rebooting the system, the following message flashed across the screen: > > Look out! Buy direct from Bob and Steve! > > He took the disk in and scanned it using McAffee's SCAN, but nothing > turned up. Is this a virus, or maybe just an extra tossed in by the > software designers? Let me guess - QEMM 6.0? I've installed over a dozen copies of this with exactly the same results -- you see it while doing the stealth testing. I also scanned the disks, found nothing & shrugged it off -- no problems to date... Jon ============================================================================= Jon Freivald ( jaf@jaflrn.uucp ) Nothing is impossible for the man who doesn't have to do it. ============================================================================= ------------------------------ Date: Thu, 13 Feb 92 20:54:25 -0500 From: Jon Freivald Subject: Re: New virus????? (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > diaz@leland.stanford.edu (Kathy Diaz) writes: > > > I have a question it seems that I have come across some sort of virus. > > My Dos Machine has in every directory a file called aux. It seems also > > I don't know how exactly have you managed to "find" this "file". On > the previous DOS versions it usually appeared when you execute > Norton's FileFind and look for aux*.*. Unfortunately, I'm using MS-DOS > 5.0 right now, so I can't confirm this. > > BTW, regardless what you do, use the same method to look for the > "files" CON, COM1, COM2, LPT1, etc... You'll "find" them in all > directories as well. Don't worry, these are just reserved names for > the DOS device drivers. In many ways they behave as files. If you have > any other installed device drivers, you'll be able to "find" them as > well. > > Just ignore them and don't touch them; everything will be OK. BTW, the > "length" has nothing to do with the real size of the driver in memory. > Ignore this information as well. > > Hope the above helps. > > Regards, > Vesselin I'm also running MS-DOS 5.0 -- if I do a "dir aux" (or com1, com2, prn, lpt1, etc) I see a 112 byte file no matter what directory I'm in. Yes, these are just the reserved names showing up, but you can see them indeed! Jon ============================================================================= Jon Freivald ( jaf@jaflrn.uucp ) Nothing is impossible for the man who doesn't have to do it. ============================================================================= ------------------------------ Date: Fri, 14 Feb 92 05:44:56 -0500 From: jguo@cs.NYU.EDU (Jun Guo) Subject: VirX 2.0 (PC) Hi, I downloaded virx20.zip. The $toc file didn't match the zip file. Size, time stamp, CRC are all ok, but the compressed size are different. Apparently the zip file was repacked using a different zipper than the one generated $toc. Can someone upload an original copy? Thanks. Jun ------------------------------ Date: 10 Feb 92 22:20:10 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: SafeMBR and SCAN8.3B86 (PC) jwbutler@mentor.cc.purdue.edu (J.W.) writes: > Just thought I'd pass this along... When I ran McAfee's SCAN (8.3B86) > having SafeMBR installed on my MBR, SCAN reported a changed MBR, and > asked if I wanted to continue. When I ran SCAN again, this message > did not come up. > Anyone have similar experiences? SCAN V85 didn't do this. Seems to be caused by the "generic virus detection" technique. As far as I understand, SCAN is trying to guess wither the boot sectors look as they should... Or maybe performs a checksum on them and stores it somewhere (maybe someone form McAfee Associates can comment on this?). When you ran SafeMBR, it really installs itself in the MBR, so SCAN reported the change. You probably ran it in "update checksums" mode, so the next time it didn't detect the change. BTW, this could very well happen had SafeMBR be a virus... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Fri, 14 Feb 92 10:18:43 -0500 From: "Darryl O. (Doc) Cottle" Subject: Re: 112 byte AUX files (PC) Terry (terry@lawton.lonestar.org) writes: > Reference the AUX file in every directory, Check the date .... And Vesselin suggested they were an artifact of Norton 4.5 in conjunction with DOS (MS or PC?) 3.30. That happens to be the combination I use. (I'll get something more up to date when the department deems it necessary.) I tried what he suggested. It didn't work with "FF C:AUX*.*", but it DID work with "FF AUX". It reported a file name AUX present in all directories and all subdirectories. Further it stated they were 112 bytes long and the date and time stamp just so happened to be the current day/time. Further experimentation got the same results for CON, PRN, LPT1/2/3 and COM1/2/3/4. (COM5 and LPT4 didn't work of course.) Then I tried AUX again with the /A (report on all drives) parameter and noted that the date/time stamps were STILL current (matched my watch). Guess that is even definitive enough for horse shoes/government work. CHKDSK AUX reported "all specified files contiguous." EDLIN AUX hung the machine. "You can't expect to wield supreme authority just because a watery tart threw a sword at you now can you?" Monty Python and the Holy Grail +- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- -+ | Darryl O. (Doc) Cottle | (606)257-7577 (work) or (606)231-6675 (home) | | Agricultural Economics | docottle@ukcc.bitnet / docottle@ukcc.uky.edu | | 431 Ag. Engineering #2 |----------------------------------------------| | University of Kentucky | "I don't know what I'm doin'! If I ever DO | |Lexington, KY 40546-0276| figure it out, I'll prob'ly go HIDE!!" | +- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- -+ ------------------------------ Date: Fri, 14 Feb 92 17:49:37 +0700 From: Cezar Cichocki Subject: New virus - ROBERTB (PC) Hi folks ! I find new virus. It's .COM infector. For some reason i named it ROBERTB. Copy of ill file was sent to McAfee. More about this creature coming soon! Cezar ------------------------------ Date: Fri, 14 Feb 92 18:08:52 +0000 From: mcafee@netcom.netcom.com (McAfee Associates) Subject: Re: Bug in SCANv86b?? (PC) Hello Mr. Powell, We have not been able to duplicate your problem with SCAN V86-B hanging on your system when you type SCAN \ to scan the root directory and boot sector of your system. If you are running access control or other anti-viral software, network drivers, or from a DOS shell or menu program, this could be the reason for the problem. Another possibillity is that you have a damaged copy of SCAN.EXE, in which case you may want to obtain a new one. Regards, Aryeh Goretsky McAfee Associates Technical Support PS: Your system is refusing mail. - -- - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 1900 Wyatt Drive, Suite 8| FAX (408) 970-9727 | Santa Clara, California | BBS (408) 988-4004 | 95054-1229 USA | v32bis(408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: 14 Feb 92 18:25:20 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: CIAC Bulletin C-15: Michelangelo Virus (PC) karyn@cheetah.llnl.gov (Karyn Pichnarczyk) writes: > installs itself as the boot sector. From then on, any access to > another disk spreads the virus to that disk. The disk which infects Please note that just like Stoned, Michelangelo infects only diskettes in drive A:. > On March 6 of any year this virus will destroy all data on any disk Not all. About the first 11 Mb of it only... :-) > from which the machine is booted. This occurs by overwriting hard > disk sectors 1-17, heads 0-3, tracks 0-255, or the entire diskette The number of sectors given is for hard disks. It is 1-9 for 360 Kb diskettes and 1-14 for anything else (usually high-capacity floppies). > with random characters, thus making recovery questionable at best. The "random characters" are what happens to be at address 5000:0000h. Very often this is zeroes. > Note that if your hard disk is partitioned and contains another > operating system, such as UNIX, in the area overwritten, that data If it has Unix partitions, they will become unaccessible not just on March 6, but as soon as the virus infects them. The same holds for Stoned. > lays dormant, merely copying itself to other disks. The infection > mechanism of this virus may also cause read errors to occur upon some > high density (1.2 M) diskettes. Why? As far as I know, it handles 1.2 Mb diskettes properly... > A problem can occur if a disk is infected by both the Michelangelo and > the Stoned viruses AT THE SAME TIME. Both move the 'original' boot Yeah, and the problem will occur as soon as the disk gets infected by both viruses. > sector to the same location on the disk, so when the second infection > occurs, the original clean boot sector is destroyed by being As a result, the hard disk becomes non-bootable (although accessible). > overwritten by the first virus. CIAC recommends a low-level format of > the disk if this double-infection occurs, although performing the > DOS SYS operation may repair a damaged diskette, and performing the > undocumented FDISK/MBR operation (in DOS 5.0 only) may repair a > damaged hard disk. Not "may". Will. Of course, if by "damaged" you mean a disk infected by both Stoned and Michelangelo. If Mich has activated on March 6, then low-level formatting is usually the only solution for most users... Of course, you should pay attention to the technical specifications of your hard disks, since as far as I know, some kinds of hard disks must not be low-level formatted. > of 655,360 bytes, with Michelangelo that value would be 653,312. Of > course, having less "total bytes memory" does not necessarily mean a > virus is resident on your machine, as some valid memory resident > programs can affect this value as well. To my knowledge, no valid TSR program does this, since it is caused by decreasing the total amount of memory from the top, while the TSRs are normally loaded in the low memory addresses. The decrease in size can be caused by a specific BIOS/hardware configuration though. Also, I had one case, when a user observed the decreased memory problem when booting from the hard disk and didn't observe it when booting from a floppy. This sounded clearly like a virus to me and I asked him to send me a copy of the boot sectors. However, there was no virus in them, so I couldn't solve the problem. Unfortunately, I also lost this person's e-mail address, so if he's reading this I would like to tell him that I have finally found the solution. I looked at his copy of the master boot sector not as a program (as I did when I was looking for a virus), but as a partition table data. I discovered then that his active partition (the one which gets control when he boots from the hard disk) is not DOS at all, but something called (according to Norton Utilities 6.01) 386/ix. Obviously he used to boot from the 386/ix partition and then to chain to MS-DOS. It seems that the 386/ix loader does some dirty things and reserves memory just like a normal boot sector virus... :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 14 Feb 92 18:49:34 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Michaelangelo 35. & B drive (PC) treeves@magnus.acs.ohio-state.edu (Terry N Reeves) writes: > Does Michaelangelo infect 3.5" flopiies? if so does it infect > B drives? Yes. No. Just like Stoned. > An experience here raised the querstion - Then I made my own test with > a sample. infected C drive and 5.25" A drive easily - did not infect > 3.5" disk in drive B despite formatting B drive after boot from infected > hard drive. Avoid making such experiments unless you know perfectly what you are doing. This is a general message to anyone of the readers, not particularly to you. > I have read of other viruses which fail to go for drive B or > are incomptible with 3.5" disks. have not seen this about Micahelangelo. It does not "fail" to infect; it just never tries. In fact, it carefully checks the accessed drive, and if it isn't drive A:, it does not infect it. In theory this means that you can disinfect the virus from the hard disk even if the virus is active in memory, but I do not advise anybody to rely on that. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 14 Feb 92 15:35:00 -0600 From: "William Walker C60223 x4570" Subject: "Stoned" & Win MS-DOS 4.01; Yankee Doodle; "Mirrors Virus" (PC) From: ST6267@SIUCVMB.BITNET (Jerome Grimmer) > A computer virus called "stoned" has been damaging systems in the > Washington DC area, and may have spread to other areas. > A known source for the "stoned" virus in the Washington area is > on commercially duplicated copies of MS DOS 4.01 packaged and > sold with new Win brand computers. The virus was apparently put > on many diskettes when Win Laboratories in Manassas, VA had DOS > 4.01 duplicated by another company. ... It had to happen sooner or later. The "original, write-protected DOS floppy" from which one is supposed to boot in the event of an infection is no longer 100% guaranteed clean. *NOW* what do you do? You hope that you have a machine with a B: drive the same size as your A: drive, do FORMAT B: /S, add a write-protect tab, and use it instead of your original. But that only works for "Stoned" and other viri which only infect diskettes in drive A:. Something else is bound to sneak onto another DOS diskette sometime. What the [censored] is "Stoned" doing on a disk-duplicating machine anyway?!? Do they do their duplication on a true mass-duplication machine or on a regular PC (which might be used for other stuff, too)? Or do their employees pirate copies of the software with their personal machines before duplicating it, possibly infecting the original in the process? How the [censored] is such a old, common virus like "Stoned" finding its way onto production diskettes? About a year ago, Padgett Peterson wrote to the effect, "Bring in the lawyers!" to which I replied (not in so few words), "Not yet, they'll take care of things themselves." Well, perhaps it's time to agree with Padgett. I can understand how a company which exercises at least a little care in checking their disks might have a fairly new virus, which isn't detected by their virus checker, get onto their production diskettes. But allowing an ancient one like "Stoned" onto their disks just jumps up and down and shouts "Negligence!" > ... Many federal and private > offices purchased Win computers with DOS 4.01 in 1991. Some federally-purchased Win computers were bought off of a government contract, and were packaged with XENIX rather than MS-DOS 4.01, but what fraction of the total number this is I don't know. Those that we have here were bought that way (thankfully). Still, this is a *serious* problem. > ... The virus attacks the boot files and destroys > the file allocation table of both the hard drive and any floppy > disks it corrupts. Eventually it makes floppys unreadable and > causes hard drives to crash. Hmmmm... Either this report is exaggerated, the observations were made on a machine with a high-density floppy and an unusual hard drive, or we've got a destructive variant of "Stoned" on our hands. Send a copy to McAfee, Frisk, Dr. Fischer, Vesselin, or someone else qualified to make an analysis of this bugger. - - - - - - - From: JEDI > To my knowledge, Yankee Doodle just infects .COM and .EXE files. From > what I've seen, it likes BASICA.COM to start off with. It also likes > to inhabit the Windows directory also. Nah, Yankee Doodle just infects files which are executed after it becomes resident. If *YOU* like BASICA.COM and Windows, Yankee Doodle will too. It will also prevent some protected-mode programs from running correctly. > Yankee Doodle isn't a malicious virus like 'Possessed' is... To put it > in my supervisor's words, it's a fun virus. Ain't no such thing as a *fun* virus. Before Yankee Doodle was discovered on a machine here, a lot of productivity was lost because Lotus 1-2-3 Release 3 and Windows/386 (this was a while back) wouldn't work with the virus in memory, and after it was discovered, many man- hours were spent tracing its source and spread. Perhaps if your supervisor had to do all the diagnosis, cleanup, and follow-up work himself, he/she would see just how much *fun* it really is. - - - - - - - From: baylor@ccwf.cc.utexas.edu (Baylor) > Tis teh season it seems. Our lab and sone others seem to be > breeding groundas these days. Does anyone know of the Mirrors virus? > Our slightly older versions of mcaffrey scan (sorry about spelling) > don't seem to know it, but i think the newest version might. Anyone > know what it infects or what it does? Any decenmt ways to check for it > (i was told by one person who came in that it leaves a huge file > called mirrors on the drive, but can't say i verified it)? There is a "Mirror" virus, but (to my knowledge) it doesn't leave a big file on the drive. Instead, it occasionally causes the display to make a mirror image of itself. IMHO, if there really is a big "mirrors" file on the drive, it was most likely created by the PC-Tools "Mirror" feature (which actually creates two files, "MIRROR.FIL" and a smaller file "MIRORSAV.FIL"), and not by a virus at all. If these files are NOT present, then check for a slight (928 byte) decrease in available memory, and for .EXE files to increase by about 927 bytes or so. It's been around for a while, so current versions of most A-V programs should detect it. Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | Arnold Engineering Development Center | AEDC -- Home of the "Chicken Gun" M.S. 120 | Arnold Air Force Base, TN 37389-9998 | ------------------------------ Date: 14 Feb 92 17:07:00 -0500 From: "HQPROD::SHEDIACK" Subject: Re: Fprot on XT Computer (PC) Date: Wed, 12 Feb 92 01:29:46 +0000 From: wonge@sfu.ca (Edmund Yat Ming Wong) Subject: Fprot (PC) JFORD@UA1VM.BITNET (James Ford) writes: >The file fprot202b on risc.ua.edu has been replaced by fprot202d.zip. > >- ----------------------------------------------------------------------- >The major change in 2.02D is improved ability to search for viruses in >compressed executables - the program can now search in LZEXE and PKLITE >(version 1.03 and 1.13)-packed files. > >This method is not foolproof, but a considerable improvement, compared >to earlier versions. > >I strongly recommend that anyone using 2.02A, 2.02B and 2.02C switch >to this version - it corrects a few (very minor) bugs in those >versions - those who are using 2.02 and have not bothered to get the >minor updates can just as well ignore this one too - 2.03 will be >released in early March. I've TRIED to use FPROT v2.0 and it doesn't seem to work on my XT computer. All it does is give a blank blue screen and that's all. I've followed it's install.doc file, but it still gives me the blue screen. I know this might be a bit old considering that v2.02d is out, but like I was wondering if FPROT works on XT's. Has anyone else have that kind of problem? - - -- wonge@fraser.sfu.ca :\/: | "If you were me, and I were you, =00= | would you be here and I be there?" /\ | = = = = = -- CrazyCat | "Hahahahaha" - Joker **** Fprot 2.02d worked yesterday (2/13) on a dual floppy Sperry 8088 XT without a problem (no hard drive installed in the system). Slower than mollasses in January, b-u-t it worked. Nailed "STONED" in a flash. The menus looked a little funny, light and fuzzy due to the type of screen in use (probably the oldest color monitor still in use around here...), but it worked flawlessly. Fprot 2.02d also works fine on a Tandy 1000TL (80286 w/8 bit slots), however, it can't check the boot sector on C:\ if one is using the MS-DOS in ROM (which is fine since the ROM is READ-ONLY ). Is ANSI.SYS in the config.sys file? Have you tried making a bootable floppy off a known clean systems disk and then copying fprot onto that new bootable floppy? Also copy ANSI.sys off the know clean systems disk. Write a short config.sys file (maybe just include files, buffers, device = a:\ansi.sys and device = a:\f-prot\virstop.exe statements. Then you could boot off the floppy and see if Fprot runs on your computer properly. Try that and see what happens.....also play with the contrast and brightness buttons on your computer---maybe they need some adjusting to display Fprot's screens. It that doesn't work, come back and we'll see what else we can think of on here.... >>>>>> Pat <<<<<< |===================================================| | SMSgt Patrick D. Shediack, USAF | | Info Mgt Systems Requirements Planner | | HQ Air Force Systems Command | | Andrews AFB DC 20334-5000 | | Commercial Phone: (Voice) 301-981-2032 | | Defense Switching Network: 858-2032 | | Internet: shediack@hqafsc-vax.af.mil | |===================================================| | "You know it don't come easy" --Ringo Starr, 1970 | | --> "Still true today!" --pds | |===================================================| | * ALL OPINIONS ABOVE ARE MINE ALONE! * | | * MY BOSSES DON'T PAY ME FOR THEM! (TRUST ME!) * | |===================================================| ------------------------------ Date: Sat, 15 Feb 92 07:10:51 +0000 From: rslade@sfu.ca (Robert Slade) Subject: Re: Viruses and Backups (PC) I've been waiting for this. As a matter of fact, I proposed this in answer to another question about Stoned (Which is probably still in the queue due to being sent from a less stable machine.) Yes, the Stoned virus will infect non-DOS formatted disks. We have seen that it will infect UNIX machines, even though the result will not be infectious. (It won't even work.) The PCTOOLS backup disk format is non-standard, and there is no reason to even suppose that the disk, so infected could even be recovered. ============== Vancouver | "Is it plugged in?" Institute for Robert_Slade@sfu.ca | "I can't see." Research into rslade@cue.bc.ca | "Why not?" User CyberStore Dpac 85301030 | "The power's off Security Canada V7K 2G6 | here." ------------------------------ Date: Sat, 15 Feb 92 07:24:31 +0000 From: rslade@sfu.ca (Robert Slade) Subject: Trojaned SCAN (87) (again) (PC) (sorry for all the parens) I have had a report today of a trojaned (no! I did *not* use that noun as a verb!) version of SCAN. The program is contained in a SCANV87.ZIP file, and was obtained from a local BBS run by one of the larger local computer stores. When unzipped, the file displays the -AV codes. The license number is not known at this time. When run, the program apparently deletes and "zeros out" both files and the FAT. PCTOOLS MIRROR was running on one machine and was unable to recreate anything. UNDELETE was able to recover only five small batch files from a 120 meg disk. The program initially appears to perform like, or rather behave like, SCAN. Files on the disk are listed (this is probably while they are being wiped out. The program then presents a screen referring to the Illuminatus. (This reference tickles at my memory, but I haven't research it yet. Yes, I know what the Illuminatus is, but I recall some reference to it in a virus or trojan.) I will be getting a copy for study tomorrow and will submit further details. ============== Vancouver | "Don't buy a Institute for Robert_Slade@sfu.ca | computer." Research into rslade@cue.bc.ca | Jeff Richards' User CyberStore Dpac 85301030 | First Law of Security Canada V7K 2G6 | Data Security ------------------------------ Date: Sat, 15 Feb 92 00:49:01 -0500 From: max%underg@uunet.uu.net (Max Cray) Subject: Re: Stoned (PC) GOLDSTN%MAINE.MAINE.EDU@VM1.gatech.edu (Michael E. Goldstein) writes: > I'm a little confused. Does a boot-sector virus, like STONED, infect > a floppy which is not bootable (command.com and system files)? If > it does, can an unsuccessful boot (beacuse of the lack of system files) > with the infected floppy, in a PC with a hard drive, infect the hard > drive? Yes it does. When you boot the disk the virus will be loaded into memory, infect the hard drive, and then tell you that your disk is not bootable. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -= Max Cray =- Internet: underg!max@uunet.uu.net Support UUCP: ...!uunet!idsvax!underg!max Free Data: The Underground Computing Foundation BBS Software 401-847-2603 -=- 9600 baud (v.32) (w/src) CI$: 76334,2203 ------------------------------ Date: Fri, 14 Feb 92 14:30:10 -0500 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: SOFTWAR This was actually a pretty good book despite the translation from the French and was probably the impetus for that army study on radio-transmitted viruses. In this case, the malicious software was planted in the operating system of a supercomputer sold to the Russians. The trigger (not a virus) was sent by a weather station in the Virgin Islands (St. Kitts ? - do not have the book at hand) reporting an impossible temperature. Since the computer was tied into world-wide weather forcasts, this was a reliable means of transmission. Made lots more sense than the "small business" RFP. Padgett ------------------------------ Date: Sat, 15 Feb 92 01:26:30 +0000 From: reuter@venice.sedd.trw.com (Joseph Reuter) Subject: Re: Iraqi Virus Question? It is unfortunate that some people are so POSITIVE that it cannot be done with a serial printer. I have encountered "turnkey" systems which could use the same port for a modem or printer. If a serial printer with "viral ROMs" were plugged into such a port, it could easily find getty running there. It may be IMPOSSIBLE on some machines, but given the dismal state of awareness among the general populace (and even our own ranks), it is definitely POSSIBLE on some Unix machines, depending on the configuration. Joe Reuter Speaking for myself. Just because it's incredibly stupid doesn't mean it isn't done 1,000 times every day. ------------------------------ Date: Thu, 13 Feb 92 15:58:00 -0700 From: "Rich Travsky 3668 (307) 766-3663/3668" Subject: Latest Test Of PC Virus Packages By NCSA The February 16th issue of Network World has another report of virus software being tested by the National Computer Security Association (NCSA). Here are some excerpts from the article. NOTE: I didn't do the test, I don't know why they did what they, I didn't pick the viruses, the packages, or set up the computers. Etc. I'm just passing this on. Bug the NCSA if you disagree with something. Whew. There. I said it. (Typos are mine however.) Nineteen packages were involved in this test: Central Point Software Inc. Anti-Virus V1.1 Certus International Corp. NOVI V1.0 Commcrypt Inc. Detect Plus V3.08 Computer Consulting Group Inc. Virus Clean V2.11 Dr. Solomon's Toolkit FindVirus V3.2 IBM VirScan V2.1.2 International Microcomputer Software Inc. Virus Cure V2.24 IRIS Software and Computers Ltd. Antivirus-Plus V3.7 Leprechaun Software International Ltd. Virus Buster Doctor V3.75.0 McAfee Associates Pro-Scan V2.01 McAfee Associates Scan V7a9V84 Microcom Inc. Virex-PC V2.0 RG Software Systems Inc. Vi-Spy V7.0 Fridrik Skulason's F-PROT V2.0 Sophos Ltd. Vaccine Sweep V2.30 Symantec Corp. Norton Anti-Virus V1.5 Harry Thijssen's HTScan V1.15 Trend Micro Devices Inc. Pccscan V3.02 XTree Co, ViruSafe LAN V4.50 Test setup involved a single workstation hooked up to a server running Netware 3.11. The server was a Compaq Systempro with 12M of memory and an 840 MB hard disk, dual 33 mhz 80486 processors. The workstation was a 80386 SX PC clone (brand unspecified) with 8M of memory and a 207 MB hard disk. Scanner software was loaded on the server and run from the workstation. There were two broad categories tested: detection, and features (including the user interface). There were a maximum of 76 points possible for features and 77 points possible for detection (total 153). The article doesn't seem to mention what viruses were used or how many. For features, they looked at such things as performing a self check on invocation and being capable of sending reports to a printer or a file. They devoted several paragraphs to scanning speed. This was evaluated by scanning a hard disk containing 4,868 files in 148 directories. There were 147 Mb of files, of which 36 Mb were executables. A package got 10 points if it could complete the scan in two minutes or less. Certus International completed the scan in 60 seconds (caveat: it also scored lowest in detection) and Dr. Solomon's Toolkit finished in 84 seconds. Central Point's AntiVirus took five hours (!) in its "thorough" scan mode, 7 minutes in its fast mode. Now the part you're waiting for: results, ranked by total score. Package Features Detection Total Score Score ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Dr. Solomon's Toolkit 69 72 141 Leprechaun Software Int'l Ltd. 63 75 138 \ tie Fridrik Skulason's F-PROT 64 74 138 / Central Point Software Inc. 60 75 135 McAfee Associates Scan 54 76 130 XTree Co, ViruSafe 61 68 129 RG Software Systems Inc. 53 75 128 Symantec Corp. Norton Anti-Virus 54 66 120 Harry Thijssen's HTScan 46 70 116 Microcom Inc. Virex-PC 42 72 114 Int'l Microcomputer Software Inc. 55 49 104 Sophos Ltd. Vaccine Sweep 36 66 102 McAfee Associates Pro-Scan 53 46 99 IBM VirScan 39 55 94 Trend Micro Devices Inc. Pccscan 26 67 93 IRIS Software and Computers Ltd. 49 43 92 Certus International Corp. 68 23 91 Computer Consulting Group Inc. 49 40 89 Commcrypt Inc. Detect Plus 18 58 76 See the _*ARTICLE*_ (as in "not me") for full details... Richard Travsky Division of Information Technology RTRAVSKY @ CORRAL.UWYO.EDU University of Wyoming (307) 766 - 3663 / 3668 "A straight line may be the shortest path between two points, but it is by no means the most interesting..." ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 33] *****************************************