From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #39 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Friday, 21 Feb 1992 Volume 5 : Issue 39 Today's Topics: Michelangelo on ARTEC AM25 3 button mouse driver disk (PC) looking for... (PC) Device Drivers, Enough with the AUX awreddy (PC) WP.EXE appended to, up front (PC) Michelangelo information requested for article (PC) re: how not to recover data after Michelangelo (PC) Re: VSHIELD v86 bug? (PC) Wierd Joshi (PC) Weird Joshi - Correction (PC) Caching Removable Drives (PC) Michelangelo's handicaps. (PC) re: Boot Sector Virus Infections (In General) (PC) re: Boot Sector Virus Infections (In General) (PC) Michelangelo hits Sandia from a vendor (PC) PolyMorphic Trojan Horse exact definition? VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Fri, 21 Feb 92 17:17:37 -0500 From: ry15@rz.uni-karlsruhe.de Subject: Michelangelo on ARTEC AM25 3 button mouse driver disk (PC) URGENT - URGENT - URGENT - URGENT - URGENT - URGENT - URGENT - URGENT Michelangelo on ARTEC AM25 3-button mouse driver disk. The BSI (Bundesamt fuer Sicherheit in der Informationstechnik) or GISA (German Information Security Agency) just informed me that the driver disks of the ARTEC AM25 3-button mouse were infected with Michelangelo virus! These mice have been sold world wide. An estimated number of 20000 in Germany! The disk is permanently write- protected and 5,25" in size. We urge customers, who bought this product to scan their PCs with an uptodate scanner. We are currently investigating to find out if other products of that company are also shiped with infected disks. Christoph Fischer on behalf of Frank W. Felzmann Christoph Fischer Micro-BIT Virus Center University of Karlsruhe Zirkel 2 W-7500 KARLSRUHE 1 Germany +49 721 376422 Phone +49 721 32550 FAX email: ry15@rz.uni-karlsruhe.de ------------------------------ Date: 18 Feb 92 15:35:14 +0000 From: suned1!slced1.Nswses.Navy.Mil!lev@elroy.Jpl.Nasa.Gov (Lloyd E Vancil) Subject: looking for... (PC) I'm trying to locate a program called PROTEC.COM. This program prohibits writes to the C: drive. Any thoughts? tnx - -- |suned1!lev@elroy.JPL.Nasa.Gov|lev@suned1.nswses.navy.mil|sun!suntzu!suned1!lev | |S.T.A.R.S. The revolution has begun!| My Opinions are Mine mine mine hahahah! | ------------------------------ Date: Thu, 20 Feb 92 20:54:17 -0500 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Device Drivers, Enough with the AUX awreddy (PC) >From: KARGRA@GBA930.ZAMG.AC.AT >Subject: auxfiles (PC) Ok folks, this has gone far enough to be confusing so lets sort itidation that it is installed ("type swvsvers" will return the logo if installed, fail if not). The "DIR" command supplied with DOS is smart enough to be able to separate a real file from a device driver but many other programs are not - note that the intercept only occurs if the explicit name is used - CON or CLOCK$ will work, C* will not. This happens because the device driver is doing the interception, not DOS, and it only reacts to an explicit name, not wild cards. Consequently, those programs that follow DOS rules or use the DOS "dir" mechanism (DDIR - Double Dir is one) will not pick up device drivers. Those that do not (e.g. SDIR - Sorted Dir) will display the driver. Evidently, Norton's FF is one of this, as will probably be any program which does not look for attribute bits. Since these programs simply use DOS rules to change directory and then look for the file, AUX, CON, or NUL for that matter will be found in every directory and will probably report the current time and date. Hopefully, this will answer the question. Warmly, Padgett ------------------------------ Date: Thu, 20 Feb 92 22:42:41 -0500 From: FRYSTD@ACAD.LVC.EDU (Michael Fry) Subject: WP.EXE appended to, up front (PC) On Zenith XT hard drive: We found several files on a directory with WordPerfect 5.0 with size increases ranging from 380 to 3000+ bytes. When the contents of WP.EXE were inspected, the bodies of several text files (.BAT files from a different directory) were at the top of the file, with names and a few bytes of data between them. The names were, like, "WP.BAT" in 6 characters, so not directory entries. Format looked a little like WP .SET file entries, but no open space (0's) between bodies of text. The file started with the text of a .BAT file, not its name. These were tightly packed (not caused by FAT shuffling). Not sure if original WP.EXE is still in there, but suspect this strange data appended to the front of WP.EXE. File size increased by 2101 bytes. The .BAT files in that other directory were inspected. They seemed to have their old sizes (not confirmed, but about right) but their content had been replaced by garbage (mostly null characters). One had all \0's except for a single 'Z' (5Ah). (These could have had their directory entries changed (first cluster), all were smaller than 1 cluster, I think). Other files on the WP's directory were also made bigger, by various sizes (but didn't find text at front, maybe binary files appended to front? anyway they grew) Help file, LEX, WP.FIL. File sizes grew by various amounts, from 300 or so to 3000 or so bytes. User was using WordPerfect OFFICE menu system to bring up WordPerfect when the problem was noticed (if that's the word). VI-SPY, F-PROT showed no known viruses (memory after boot on hard disk, disk after boot from clean floppy). Too neat to be a bug, eh? It was a tough day. Chasing this stuff isn't my job. Mike Fry Lebanon Valley College Annville, PA 17003 frystd@acad.lvc.edu ------------------------------ Date: Thu, 20 Feb 92 23:01:00 -0500 From: Sliner Subject: Michelangelo information requested for article (PC) Hello, I am in the process of writing a story on the Michelangelo virus (and other viruses as well) for my campus newspaper. I would appreciate if ya'll have some time if you could help me out on some information. A prompt reply is requested because I need to have the information by Saturday (or as soon after as possible) so I can start writing the story early Sunday morning. What campuses have been hit by Michelangelo or any other virus? What are you doing to check for and prevent Michelangelo (and other viruses) from getting on your system? What companies have shipped out viruses on their products (I already know about Leading Edge and Novell)? What are computer companies doing to make sure that their products are not being shipped out with viruses? Please reply directly to me because I would like this information by Saturday so I can write the article early Sunday morning. I will post this information to the list if ya'll would like me to after the article is written. Please send replys to either of the following addresses: Bitnet: Sline@Ithaca Internet: Sline@Ithaca.bitnet Thank you in advance, Dan Sline Bitnet: Sline@Ithaca Internet: Sline@Ithaca.bitnet Compuserve: 71161,1455 ------------------------------ Date: Fri, 21 Feb 92 07:31:17 -0500 From: "Dr. Martin Erdelen" Subject: re: how not to recover data after Michelangelo (PC) Good morning everyone, Padgett wrote: >> Note: these estimates [chances of data recovery after Michelangelo struck] >> only apply if *NO* attempt is made to restore the >> disk with any other tools before delivery to a *good* tech. If you (or >> Norton) worked on it first, all bets are off. Why is that? (I'm *not* a good tech, and I'll need an excuse to tell the users...;-) ) Interestedly (14 days to go...), MArtin (~ , , (___/__/__-_ Dr. Martin Erdelen EARN/BITNET: HRZ090@DE0HRZ1A.BITNET - -Computing Centre- Internet: erdelen at hrz.uni-essen.de University of Essen Tel.: +49 201 183-2998 Schuetzenbahn 70 FAX: +49 201 183-3960 D-4300 Essen 1 Binary: . .-. -.. . .-.. . -- (~~ Germany (()~~ +-----------------------+ Smoke: ()))) ((()))~~~ ())~~~ | Remarkably | ())))) ~~~ | remarkless | (())()~(())()) | room | (())()) +-----------------------+ ((()()()))) Acknowledge-To: ------------------------------ Date: Fri, 21 Feb 92 08:07:55 +0000 From: mcafee@netcom.com (McAfee Associates) Subject: Re: VSHIELD v86 bug? (PC) Hello Chris Tohline, TOHLINE@ecs.umass.edu (Chris Tohline 546-5988) writes: >Here is a problem a friend of mine ran into yesterday when attempting >to compile (this worked before he installed the new VSHIELD...): > >| VSHIELD 4.8B86 Copyright 1989-92 McAfee Associates. (408) 988-3832 >| Sorry, I don't understand "/tlink.exe". Your compiler is executing a program named "/tlink.exe" and VSHIELD is picking this up and trying to run with it as an option. This only occurs when VSHIELD Version 86 or 86-B is run with the /SWAP mode. It will be fixed in the next release. In the meantime, I'd recommend that you either load VSHIELD high with a memory manager like QEMM, or create a batch file to run your friend's compiler from that includes a statement to unload VSHIELD at the beginning and re-install it afterwards. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 1900 Wyatt Drive, Suite 8| FAX (408) 970-9727 | Santa Clara, California | BBS (408) 988-4004 | 95054-1229 USA | v32bis(408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: Fri, 21 Feb 92 03:09:00 -0400 From: SINGH_HA@BENTLEY.BITNET Subject: Wierd Joshi (PC) Hi! I had a peculiar problem with Joshi on a disk. This disk was a 3.5" 720K type, in drive B. I was reformating some of my old disks. After doing a directory listing of the disk, I ran F-Prot (Ver 2.02D), and found Joshi acitve in memory. Before the directory listing, I know the computer wasn't infected, as I had scanned just before that with F-Prot. I immediately powered down, and rebooted from a clean boot disk. I was expecting my hard disk to be infected as I had run F-Prot from my hard-disk. However, after booting and rigorous scanning with F-Prot, McAfee Scan (86B) and Norton Anti-Virus (Ver 1.5), nothing was found on the hard disk. All the three scanners found Joshi on my floppy. I performed another directory listing, with the same results. On further testing, I found that this happened only on computers running DOS 5.0, both 286 and 386. It did not occur on HP Vectras running HP MS-DOS Ver 3.30, nor HP MS-DOS 3.20. Even after intensive usage, hard disk was not infected. On changing the However, the virus IS a strain of Joshi, and exhibits all its characteristics after I attempt a boot from it (on a portable). I still have the disk with me and would be happy to send a copy to anyone who truly needs it. I always thought that boot sector viruses can only infect on an attempted boot from a infected floppy. Is this true?! Can a boot-sector-only-virus infect a computer through the B-drive. I am also getting a false (at least, I think its false) positive with the F-Prot on FORMAT.COM accompanying HP portables (Ver 3.20). (this is not related to my above message) Again, I can send a copy of the program to anyone who needs to analyze it. Harpreet Singh Lab Supervisor | Bentley College | Waltham | MA 02154 - 1818 - -------------------------------------------------------------------- "..A person fills in the missing pieces of the puzzle with his own personality, resulting in a conclusion based as much on instinct and intuition as on fact" - Mr. Data in "The Defector" | Star Trek - The Next Generation ------------------------------ Date: Fri, 21 Feb 92 05:58:00 -0400 From: SINGH_HA@BENTLEY.BITNET Subject: Weird Joshi - Correction (PC) Hi! I just sent a message a little while ago, about F-Prot giving a false alarm on FORMAT.COM. I forgot to say what the alarm is. On HP DOS Ver 3.20 accompanying HP portables, The FORMAT.COM is labeled as being a "Joshi Dropper" by F-Prot 2.02D. I shall format a disk using the file and see what happens. The only reason I am saying that its probably a false alarm is because none of the other scanners I use (SCAN86B, and NAV1.5) pick it up. Harpreet Singh | Singh_Ha@Bentley.Bitnet - -------------------------------------------------------------------- Lab Supervisor | Bentley College | Waltham | MA 02154 - 1818 - -------------------------------------------------------------------- "..A person fills in the missing pieces of the puzzle with his own personality, resulting in a conclusion based as much on instinct and intuition as on fact" - Mr. Data in "The Defector" | Star Trek - The Next Generation ------------------------------ Date: Fri, 21 Feb 92 03:09:00 -0400 From: SINGH_HA@BENTLEY.BITNET Subject: Caching Removable Drives (PC) Hi! I use Norton Cache (Ver 6.01) to cache my floppy drives, as well as the hard disk. I understand and take all the necessary precautions while using a cache on removable drives. Scanning a bunch of diskettes, I found that while running F-Prot (Ver 2.02D) in /MULTI mode, or in the menu-driven mode, a change of disk was not detected. This can be a very serious problem as the scanner may go on passing diskettes as clean, whereas they might not be. F-Prot is the only software (anti-virus, and others) I have come across till now that is unable to detect the disk change, while running NCACHE.EXE. I am in the process of contacting both Symantec and Fridrik. However, anyone else using a cache on a removable drive may please be careful. The last time I checked, Padgett's SafeMBR was not included in the FIXUTIL's that he makes available. Has it been replaced by another program in the utilities? Also, can someone tell me through private mail the FTP site and directory at which Padgett's utilities can be found. On BitNet, it is very cumbersome to search for a particular program using the FTP server at Princeton. Harpreet Singh Lab Supervisor | Bentley College | Waltham | MA 02154 - 1818 - -------------------------------------------------------------------- "..A person fills in the missing pieces of the puzzle with his own personality, resulting in a conclusion based as much on instinct and intuition as on fact" - Mr. Data in "The Defector" | Star Trek - The Next Generation ------------------------------ Date: Fri, 21 Feb 92 09:35:52 +0700 From: Landen@RRJ.FRG.EUR.NL Subject: Michelangelo's handicaps. (PC) In all the coverage about the Michelangelo virus I have missed a few points. I've browsed through the virus code and I've done a few (very limited) tests with the virus on a PC. As far as I could tell (I didn't go into it too deeply) the virus has two 'bugs'. Bug 1: The virus tells time (checks for march 6th) by checking the PC clock via BIOS int 1Ah. This interrupt is available only in AT-compatible computers and above. Soit seems that the virus will not do its destructive work on PC-type computers. An attempt to trigger the virus on an XT failed. Bug 2: I have been unable to infect 3.5" floppy disks (720's as well as 1.44's) other than by simply copying a 5.25" image over a 3.5" floppy. This might lead to the conclusion that only systems with a 5.25" A: drive can be infected. The combination of these two bugs would lead to the conclusion that only the owners of AT's (or higher) with 5.25" A: drives should fear Michelangelo's birthday. IMO this disqualifies most of the computer population. I have to stress that these are the results of a test with only one copy of the virus on only one computer system. So don't go trying it out if you don't know exactly what you're doing. Could anyone (in)validate or comment on these findings? Peter van der Landen Landen@cvx.eur.nl +----------------------------------+ | Centre for Computers and Law | | Erasmus University, L7-60 + | PO Box 1738 | | 3000 DR Rotterdam | | The Netherlands | +----------------------------------+ ------------------------------ Date: 21 Feb 92 12:31:05 +0100 From: "Otto.Stolz" Subject: re: Boot Sector Virus Infections (In General) (PC) On Wed, 19 Feb 92 14:10:43 -0500, Randy Austin said: > ... turn > on the power to the computer and let it attempt to "boot" up. Instead > of a DOS Prompt, we now have "Non-system disk or disk error; replace > and strike any key when ready" or something like that--you get the > idea. ... > If we were to turn the system power off, killing the virus in memory, > and then reboot from a "non-infected" floppy disk, would the hard drive > already be infected? In most simple terms, you can think of the original boot sector as a little program that diplays the "Non-system disk" message, and of the infected boot sector as a not-so-little program that first infects the hard disk and/or memory and subsequently diplays the "Non-system disk" message. Whether hard disk or memory or both are infected depends on the particular virus; but in any case, infection happens before the message is displayed. Regards, Otto Stolz ------------------------------ Date: 21 Feb 92 10:21:22 -0500 From: "David.M.Chess" Subject: re: Boot Sector Virus Infections (In General) (PC) austin@tecnet1.jcte.jcs.mil asks if booting the machine with an infected, but "non-bootable" floppy in the A-drive, then opening the door and c-a-d'ing at the "Strike any key when ready..." prompt will result in an infected hard disk. The answer is yes, quite often, but it depends on the virus. Both the Stoned and the Michelangelo infect the hard disk during the boot process; so as soon as you boot from an infected floppy ("bootable" or not), your hard disk is infected, and booting from it puts the virus in memory (as does booting from an infected floppy, of course). Some other viruses, like the Joshi, for instance, only infect the hard disk when something reads or writes the hard disk, so if you boot from an infected floppy and *power off* before anything reads or writes the hard disk, your hard disk is still probably clean (although I personally would act as though it were infected; better safe than sorry!). Powering off is key, though; if the virus is in memory when you c-a-d, all bets are off. Some viruses, including the Joshi as I recall, intercept the c-a-d sequence, and arrange to remain in memory. So if you boot from a Joshi-infected diskette, then open the door and c-a-d at the "Strike any key" message, your hard disk will be infected shortly thereafter (if I'm remembering correctly; I don't have Joshi source at hand at the moment). Unless you're actually doing direct anti-virus hacking yourself, it's probably best not to try to remember all these details! If you've ever booted from an infected floppy, or used an infected program, you should go into full "search and destroy" mode, and not try to figure out exactly what might be infected and what might not; assume everything is, scan it all, and clean up any hits that are found. Anyone who's done much work with virus incidents will tell you that the one floppy that you're *sure* "was never in the machine while the virus was active" is the one that still has the virus on it, and will lead to a reinfection next Tuesday... DC ------------------------------ Date: Fri, 21 Feb 92 17:19:03 +0000 From: dave%triton.unm.edu@lynx.unm.edu (Dave Grisham) Subject: Michelangelo hits Sandia from a vendor (PC) I recieved this mail after Sandia notified us of their infection. My comments are in [ ]. grish - -----Begin forwarded letter--------------- Date: Fri, 21 Feb 92 00:21:37 -0700 From: Harold Iuzzolino We (a Sandia Labs division) received several new 486/33 IBM compatibles last week. Immediately after powering up one system, a virus checker (Central Point Anti Virus) was installed and run. CPAV found and removed the virus [Michelangelo]. The other new pc's were checked and the results were the same. The dealer was called, and he found the virus on his stock pc's. (The dealer has expressed annoyance at my mentioning his name so I am not going to mention any dealers' names.) [It bears note that the vendor wasn't checking or wasn't checking with an updated checker. - grish] The virus came with the MS DOS 5.0 sent to the dealer. [I would hope the vendor notifies his DOS dealer.- grish] The dealer said that he would notify all of his customers. We notified computer security people at Sandia Labs, Los Alamos National Labs, and UNM, since the virus may be on pc's from other dealers. I called four or five local computer dealers that I have dealt with in the past. Two of the dealers said that they had detected the virus about a month ago and stopped it then. ------------------------------ Date: Fri, 21 Feb 92 03:10:00 -0400 From: SINGH_HA@BENTLEY.BITNET Subject: PolyMorphic Hi! Christophe Meessen wrote sometime ago about the biological interpretation of Polymorphic: A virus in which the outer shell has changed its composition. However, he says that this is not highly accurate, as the code is unchanged. However, I would say that it is very accurate as the final executable code can be analogous to the DNA, while the encrypted code is analogous to the virus complete with its shell. Harpreet Singh Lab Supervisor | Bentley College | Waltham | MA 02154 - 1818 - -------------------------------------------------------------------- "..A person fills in the missing pieces of the puzzle with his own personality, resulting in a conclusion based as much on instinct and intuition as on fact" - Mr. Data in "The Defector" | Star Trek - The Next Generation ------------------------------ Date: 21 Feb 92 10:26:28 +0700 From: Pim Clotscher Subject: Trojan Horse exact definition? Dear virus-experts on this list, We are in a hurry with a publication about computer viruses in a local bulletin. We had a discussion about the exact definition of a Trojan Horse and a WORM program. Could somebody please give it? Thank you very much, Regards, - -----------------------------> Pim Clotscher <------------------------------ Erasmus University Rotterdam E.R.C. - Computer Support Hoboken Roomnumber : Ee2067 Dr. Molewaterplein 50 P.O. Box 1738 NL-3015 GE Rotterdam NL-3000 DR Rotterdam the Netherlands Tel: +31 (0)10 4087420 Fax: +31 (0)10 4362719 E-mail (Internet): clotscher@coh.fgg.eur.nl ============================================================================== ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 39] *****************************************