From:	   Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To:	   VIRUS-L@IBM1.CC.LEHIGH.EDU
Path:      cert.sei.cmu.edu!krvw
Subject:   VIRUS-L Digest V5 #56
Reply-To:  VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Thursday,  5 Mar 1992    Volume 5 : Issue 56

Today's Topics:

Re: Michelangelo's handicaps. (PC)
accessing non-existing HD (PC)
Glitch in Padgett's fixutil3.zip collection of utilities (PC)
Re: FDISK/MBR (PC)
Re: a question re PKLITE and LZEXE (PC)
Re: Possible virus? (PC)
More about CLEAN 8.3B86 and the Form virus (PC)
Validation numbers for FixMBR24.EXE (PC)
Re: mutated FORM? (PC)
Bugsres-2 Joke program? (PC)
Michelangelo and JOSHI (PC)
Plastique Virus (PC)
Questions about fprot (PC)
Re: dir a: doesn't work (PC)
Michelangelo virus found at U of Utah (PC)
Norton AV Problem-- Destroyed Extended Partition??? (PC)
Re: a question re PKLITE and LZEXE (PC)
Phone in Michelangelo (PC)
F-PROT "SBC" false positive (PC)
Mac users and PC/MS-DOS Viral Programs (Mac)
OS/2 and DOS viruses??? (PC) (OS/2)
Re: Viruses in general
Ides of March conference schedule

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 04 Mar 92 07:43:29 +0000
From:    wonge@sfu.ca (Edmund Wong)
Subject: Re: Michelangelo's handicaps. (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>Landen@RRJ.FRG.EUR.NL writes:
>
>> In all the coverage about the Michelangelo virus I have missed a few
>> points.  I've browsed through the virus code and I've done a few (very
>> limited) tests with the virus on a PC. As far as I could tell (I
>> didn't go into it too deeply) the virus has two 'bugs'.
>
>In fact, it has three... :-)
>
>> Bug 1:
>> The virus tells time (checks for march 6th) by checking the PC clock
>> via BIOS int 1Ah. This interrupt is available only in AT-compatible
>> computers and above.  So it seems that the virus will not do its
>> destructive work on PC-type computers.  An attempt to trigger the
>> virus on an XT failed.
>
>Perfectly right. With one exception - some XTs (called "Turbo XTs")
>also support INT 1Ah.
>
>> Michelangelo's birthday. IMO this disqualifies most of the computer
>> population.
>
>Do you think so? I got the impression that the current population of
>ATs and above already outnumbers the population of XTs...
  
     I happen to be one of the last XT users and PROUD OF IT.

     I apologize for this, but from reading the above message
as well as the originating one, I was wondering if the Michelangelo
virus would infect XT's (or Turbo XT's for that matter)?

    I know..I know.. I haven't been up to date with this virus that's
supposedly gonna kill some systems on March 6th.   Since there is still
some time for my preparations for this virus, can you or someone who's
reading this, tell me what the hell is the Michelangelo virus and
what it does?

    Btw, how about the Friday 13th of March? Isn't there supposed to
be a Virus that goes by that name?  Friday the 13th March is NEXT week,
so anyone gonna prepare for it?  

    One more thing,  last year in October, I remembered that there was
one Virus scare.  Can't remember the virus itself, but from what I've
heard, nothing really happened.  Is this just some scare?   Hmm
was it the October virus? 8)
- -- 
wonge@fraser.sfu.ca.I.think.but.who.knows.?. \ "Hello, You fool, I love you,
   GO CANUCKS GO!!!!                          \ Come Join the Joyride.."
                                               \     - ROXETTE [WT 91-92]  

------------------------------

Date:    Wed, 04 Mar 92 12:56:00 +0200
From:    KARGRA@GBA930.ZAMG.AC.AT
Subject: accessing non-existing HD (PC)

I found 2 arguments in the discussion started by Vesselin.
1) I do not think that a virus is able to access a HD which does "not exist"
   according to the CMOS information. Reason: if it were possible to find
   out, then we would not have to tell the BIOS that there is a HD and what
   parameters it should use. Even programs like Norton won't find a disk when
   the BIOS is not set for it.
2) I do think that it might be possible. Reason: I read one of these thick books
   where I found information on floppy disk controllers and how to program them.
   It even described the opcodes to be used and what messages come back. I know,
   it is only information on floppy controllers, but: as we can exchange our HDs
   and controllers as we like and do not have to load a new version of IO.SYS,
   there needs to be a kind of standard for communication. So, this is why I
   think that a HD can be accessed anyway. One guy said that this would produce
   a BIOS-LEVEL error. I don't think so. What if the virus behaves like a BIOS?
   Additionally there is nothing that protects you from setting wrong parameters
   in your setup, i.e. your HD has 680 cylinders, but you can define it as a
   disk with 1024. The result will be (I've heard it myself) that the heads
   bang against the end of where they can go. NO ERROR MESSAGES!!! You should
   not do this unless you want to destroy your HD. But viri normally don't care
   too much about safety. The only error message we got was from the low-level
   program, which said something about a read error. This might be a reason why
   BIOSs cannot find out the parameters of your drive, and is a possible reason
   why viri might do the job anyway!

*******************************************************************************
Alfred JILKA        *     KARGRA%gba930.zamg.ac.at@awiuni11.bitnet
Geologic Survey     * KARGRA%gba930.zamg.ac.at@helios.edvz.univie.ac.at
Vienna, AUSTRIA     *       ---- Download your VIRI to hell. ----
*******************************************************************************

------------------------------

Date:    Wed, 04 Mar 92 06:55:24 -0500
From:    David_Conrad@MTS.cc.Wayne.edu
Subject: Glitch in Padgett's fixutil3.zip collection of utilities (PC)

The following information comes from the recently released fixutil3.zip
package of utilities by A. Padgett Peterson, obtained directly from the
ftp site urvax.urich.edu and McAfee Associates' Validate program v0.3:

[Moderator's Note: See Padgett's follow-up...]

- -=-=-

Validation numbers for FixMBR v 2.4 distribution
(using McAfee Associates VALIDATE v0.3)

Note: CM == check method
- -------------------------------------------
Program		Size(bytes)	CM1	CM2
- -------		-----------	---	---
FixMBR24.exe	2,219		9788	1264

[...]

          File Name:  fixmbr.exe
               Size:  2,219
               Date:  1-21-1992
File Authentication:
     Check Method 1 - 97B8
     Check Method 2 - 1264

- -=-=-

As you can see, the CRC-16's of check method 1 do not agree.  As you can
also see, CM2 does agree, the validation information is in a different
format which looks as if typed by hand instead of redirected from the
program's output, and the checksum is very similar (a 'B' for an '8').
All other files in the package validate'd.  Apparently an error on
Padgett's part.  If you trust me, then consider 97-B as in Bravo-8 to
be the correct checksum.  If you don't, wait for the acknowledgement
from Padgett which will follow.  :-)  I send this to avert tons of
messages reporting this (assuming that tons of people out there actually
check these checksums (you do, don't you?!?)).

Note to moderator: no cc sent to VALERT-L.  Do so if you see fit.
Note to Padgett: I know how much neater the columnar format in your
validate.24 file is, but you ought to redirect validate's output and
then edit it down instead of error-prone retyping.

Sorry to almost certainly waste bandwidth, but I downloaded an anti-
viral program and its checksums didn't check, what else could I do?
If you've gotten this and installed it, relax.  It's obviously human
error, plus I scanned the sucker with VIRx 2.0, SCAN 86-B and F-PROT
2.02D and Frisk's Heuristic scanner and I gave Scan and F-Prot the
recently published signature for TROI (I know, supposed to be a .COM
infector, but I searched FIXMBR.EXE for it anyway), and everything
came up clean.

Paranoidly yours,
David R. Conrad
David_Conrad@mts.cc.wayne.edu

------------------------------

Date:    Wed, 04 Mar 92 11:43:39 +0100
From:    Martin_blas Perez Pinilla <mtppepim@lg.ehu.es>
Subject: Re: FDISK/MBR (PC)

 James_Williams%ESS%NIAID@nih3plus.BITNET writes:

> I have seen the command FDISK/MBR mentioned in various messages
> recently.  I have scanned all of my DOS 5.0 documentation and find no
> mention of it.  Hence, I have three questions.

> 1.  Is this simply the DOS FDISK command with a /MBR option, or is
>     this some special program?
 FDISK /MBR

> 2.  Where is it documented?
 In VIRUS-L, because it is an undocumented feature :-)

> 3.  When it builds a new MBR, does it have any effect on the
>     information on the rest of the hard disk?
 In theory, no. In fact, you can get in trouble if your MBR has been
replaced by some anti-virus software.
Regards,
- -mb

M.B. Perez Pinilla               |
mtppepim@lg.ehu.es               |       Write 10^6 times:
Departamento de Matematicas      |  "I'll never waste bandwidth"
Universidad del Pais Vasco       |
SPAIN

------------------------------

Date:    Wed, 04 Mar 92 11:46:30 +0100
From:    Martin_blas Perez Pinilla <mtppepim@lg.ehu.es>
Subject: Re: a question re PKLITE and LZEXE (PC)

  rajwan@brachot.jct.ac.il (yair rajwan) writes:

> I have a question:
> do PKLITE or LZEXE change a file and an infected file?
> if yes: is there any program that cleans the virus from the compressed
> file?

  Well, there are two cases:
(a) You infect a compressed file (external infection in SCAN nomenclature):
  If the virus is cleanable, you can do it.
(b) You compress an infected file (internal infection in SCAN nomenclature):
  You must UNLZEXE or UNPKLITE and clean the program.
(Note: Any good antivirus program _must_ be capable of searching for a
compressed infected program)
In any case: it is better to wipe the infected file and restore from a backup.
Regards,
- -mb

M.B. Perez Pinilla               |
mtppepim@lg.ehu.es               |       Write 10^6 times:
Departamento de Matematicas      |  "I'll never waste bandwidth"
Universidad del Pais Vasco       |
SPAIN

------------------------------

Date:    Wed, 04 Mar 92 13:18:18 +0000
From:    Simo.Muinonen@jyu.fi (Simo M Muinonen)
Subject: Re: Possible virus? (PC)

In a recent article, Robert Slade writes:
>VM@CSPGIG11.BITNET (Vera Marvanova) writes:
>
>>caused by a virus?  In two computers (386-SX AND 386 - 33) after some
>>time of operation suddenly it all looks as if CAPS LOCK had been touched.
>>All letters change to upper case. After "SHIFT" all is O.K., but
>
>Actually, this is extremely common behaviour in MS-DOS machines in
>general.  I have often had machines that would suddenly behave as if
>all the keys were "shift"ed, "ctrl"ed or "alt"ed.  Some could be
>recovered, and some couldn't (at least I never found a way to do it.)
>None were virally infected.

This might be what happens if keyboard scanning somehow doesn't catch
the shift/ctrl/alt key not being pressed anymore. I am not sure if
this is a hardware, BIOS code or operating system problem, but it
always seems to be corrected by pressing and then releasing the very
same shift key that caused the phenomenon.

- - Simo Muinonen

Mail:  Simo.Muinonen@jyu.fi 
X.400: S=Muinonen/G=Simo/O=Elisa-Kuopio/ADMD=ELISA/C=FI

------------------------------

Date:    04 Mar 92 13:32:13 +0000
From:    M.Meijer@cc.ruu.nl (Maarten Meijer)
Subject: More about CLEAN 8.3B86 and the Form virus (PC)

After a little more experimenting (McAfee asked me for more details) I
must conclude that in *most* cases CLEAN isn't able to remove the Form
virus, whether it (the virus) resides on hard disk or on floppies, and
whatever DOS version you are using.

- --> Don't use CLEAN to remove the FORM virus from your hard disk, as it
    will become inaccessible afterwards!!! Use SYS C: (the DOS command)
    instead (starting with a clean, write-protected floppy of course).

The only case in which CLEAN was successful, was on a system booted
with MS-DOS 3.3 where the virus had to be removed from a 360K floppy
formatted with MS-DOS 3.3. All other attempts to remove the virus from
floppy or hard disk, whatever DOS version booted with or formatted the
infected disk, how many partitions on the hard disk, and whatever hard
disk size (20, 40 or >=60 MB), failed. (All hard disks with standard
FDISK-mbr and a bootable C-partition).

On hard disks, CLEAN takes a random sector from the disk and puts it
in place of the bootsector. I could trace the original location of
this sector.  On floppy disks, CLEAN tells that it has found the Form
virus in "1 file" (meaning the boot sector, I suppose), but that it
isn't able to correctly replace it.

If in fact your hard disk has become inaccessible to DOS, use a sector
editor to locate the original bootsector on your hard disk. The Form
virus puts it at the last *physical* sector of the disk, no matter how
many partitions you have. From there you (or your disk wizard) can
copy it back to the original location - which is *not* the first physical
sector!  Beware of overwriting the *master* boot record!

Regards, 
- -- 
Maarten Meijer,
  ACCU, Budapestlaan 8, De Uithof, 3584 CD Utrecht,
        Postbus 80011, 3508 TA Utrecht, the Netherlands.
        Fax: (31) 30 531633
E-mail: mmeijer@cc.ruu.nl 
Phone:  (31) 30-531660 / (31) 30-531436
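
An added recovery helper illustrating the procedure in the post above (example code, not Maarten Meijer's and not part of CLEAN): it reads the MBR partition table to find the active partition's boot sector, checks whether that sector still looks like a DOS boot sector, and if not copies the sector parked at the end of the disk back into place, never writing sector 0. The disk image, the 0x55AA/BPB plausibility checks and the junk sector standing in for what CLEAN left behind are all constructed here; a real Form-infected boot sector keeps a valid BPB, so these checks do not by themselves detect the virus.

```python
"""Restore a DOS boot sector that was parked in the last physical sector
(as the post describes for Form) without ever touching the MBR."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"


def partition_start_lba(mbr: bytes) -> int:
    """LBA of the first active primary partition, from the 4 x 16-byte
    partition table at MBR offset 446 (relative-start field at entry+8)."""
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("MBR lacks the 55AA signature")
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start = struct.unpack_from("<I", entry, 8)[0]
        if ptype != 0 and status & 0x80:
            return lba_start
    raise ValueError("no active partition in the MBR")


def looks_like_dos_boot_sector(sector: bytes) -> bool:
    """Plausibility checks for a FAT boot sector: short/near jump opcode,
    55AA signature, BPB bytes-per-sector == 512 and one or two FATs.
    Note: an infected boot sector that preserves the BPB also passes."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    if sector[0] not in (0xEB, 0xE9):
        return False
    bytes_per_sector = struct.unpack_from("<H", sector, 11)[0]
    num_fats = sector[16]
    return bytes_per_sector == 512 and 1 <= num_fats <= 2


def recover_form_boot_sector(image: bytearray) -> int:
    """If the active partition's boot sector is no longer plausible but the
    last physical sector is, copy the latter back. Returns the LBA written,
    or -1 if nothing needed changing. Sector 0 (the MBR) is never written."""
    total = len(image) // SECTOR
    boot_lba = partition_start_lba(bytes(image[:SECTOR]))
    if boot_lba == 0 or boot_lba >= total - 1:
        raise ValueError("refusing: partition start is the MBR or off the disk")
    current = bytes(image[boot_lba * SECTOR:(boot_lba + 1) * SECTOR])
    if looks_like_dos_boot_sector(current):
        return -1
    saved = bytes(image[(total - 1) * SECTOR:])
    if not looks_like_dos_boot_sector(saved):
        raise ValueError("last sector does not look like a saved boot sector")
    image[boot_lba * SECTOR:(boot_lba + 1) * SECTOR] = saved
    return boot_lba


def make_boot_sector(label: bytes) -> bytes:
    """Constructed minimal FAT boot sector (jump, OEM name, BPB, label, 55AA)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"
    bs[3:11] = b"MSDOS4.0"
    struct.pack_into("<H", bs, 11, 512)     # bytes per sector
    bs[16] = 2                               # number of FATs
    bs[43:54] = label.ljust(11)[:11]         # volume label
    bs[510:512] = BOOT_SIG
    return bytes(bs)


def make_test_image(total_sectors: int = 64, boot_lba: int = 1) -> bytearray:
    """Constructed disk image: MBR with one active partition at boot_lba, the
    partition boot sector overwritten with junk (standing in for the random
    sector CLEAN copied there) and the original parked in the last sector."""
    image = bytearray(total_sectors * SECTOR)
    entry = bytearray(16)
    entry[0], entry[4] = 0x80, 0x06          # active, FAT16 type
    struct.pack_into("<I", entry, 8, boot_lba)
    struct.pack_into("<I", entry, 12, total_sectors - boot_lba)
    image[446:462] = entry
    image[510:512] = BOOT_SIG
    image[boot_lba * SECTOR:(boot_lba + 1) * SECTOR] = b"\xAB" * SECTOR
    image[-SECTOR:] = make_boot_sector(b"ORIGINAL")
    return image


if __name__ == "__main__":
    img = make_test_image()
    print("boot sector restored to LBA", recover_form_boot_sector(img))
```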

------------------------------

Date:    Wed, 04 Mar 92 08:44:50 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Validation numbers for FixMBR24.EXE (PC)

>From:	UVS1::"<@um.cc.umich.edu:David_Conrad@MTS.cc.Wayne.edu>"  4-MAR-1992
 06:56:07.36
>Subj:	Glitch in Padgett's fixutil3.zip collection of utilities (PC)

Validation numbers for FixMBR v 2.4 distribution
(using McAfee Associates VALIDATE v0.3)

Note: CM == check method
- -------------------------------------------
Program		Size(bytes)	CM1	CM2
- -------		-----------	---	---
FixMBR24.exe	2,219		9788	1264

          File Name:  fixmbr.exe
               Size:  2,219
               Date:  1-21-1992
File Authentication:
     Check Method 1 - 97B8
     Check Method 2 - 1264

David is exactly right. This was an old error and the value *should*
be 97B8 instead of 9788 (didn't I post an apology about this once
before - just my aging & store-bought eyes). Thought I had corrected
it. The reason I went to the different format was so that it would all
fit on a single screen.

BTW, this is the archive (FixUtil3) that contains the programs
previously mentioned - mostly freeware (all is free until March 7 &
has been for a month) and the two Shareware elements are only a buck.

						Warmly,
							Padgett

------------------------------

Date:    04 Mar 92 14:35:01 +0000
From:    jgunders@copper.denver.colorado.edu (James P. Gunderson)
Subject: Re: mutated FORM? (PC)

>Just a (wild) guess. Do you run any other (resident) form of virus
>protection? Like the one that comes with Central Point Anti-Virus? If
>so, remove it and check whether the "virus" (actually a ghost false
>positive) will disappear.
	
	No we do not run any memory resident virus utilities on these
machines, in general.  And I actually got these results running on a
clean vanilla DOS-only machine.  A good guess, but it was one
possibility that we had eliminated.  The other aspect that throws me
off, is that we got the infections without booting off the infected
floppy.  A series of DIR and executions of programs would result in
the virus in memory.  We are having quite a problem with it, since we
cannot detect it on floppies, and so cannot effectively control the
spread.
	In one lab, the autoexec simply rebuilds the system with every
boot using the SYS command, in another, we check the drives every morning
and disinfect 1-2 machines (out of 20) every day.
	It is becoming a problem.  Of course, we don't worry about
MICHELANGELO much :-).

No signature, just a name.	JIM

------------------------------

Date:    Wed, 04 Mar 92 15:41:26 +0000
From:    stodola@relay.fccc.edu (Robert K. Stodola)
Subject: Bugsres-2 Joke program? (PC)

F-prot V2.04d reports a file called BUGRES.COM has "Bugsres-2 Joke
program".

I couldn't find anything in the documentation about it, and it appears
to be a harmless :-) screen eating TSR utility.  The machine is
"disinfected" by removing the program.  What does it all mean?  I am a
little confused why f-prot reports it at all?  Is it a potential
problem?  If so, why, when running in disinfect mode, it doesn't do
anything with it (or suggest that I do)?

Thanks for any advice.  Everyone around here is a bit paranoid this week...
- -- 
stodola@fccc.edu -- Robert K. Stodola (occasionally) speaks for himself.

------------------------------

Date:    04 Mar 92 15:43:35 +0000
From:    harvey@oasys.dt.navy.mil (Betty Harvey)
Subject: Michelangelo and JOSHI (PC)

I have several questions concerning the Michelangelo and JOSHI virus.
I have been trying to inform our users about checking for viruses.  In
the last few days we have found numerous instances of Michelangelo,
JOSHI and stoned.  I have several questions.

(1)  Is there an easy way to detect the JOSHI virus without using
     SCAN.  We have 3000 PC's and we can't get around to check each
     one of these in the time alloted.  

(2)  Once Michelangelo hits a machine on Friday, is there any way
     of restoring the data.  I am in panic mode about what could
     or could not happen on Friday.  

Any help would be appreciated.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Betty Harvey  <harvey@oasys.dt.navy.mil>     | Sometimes it seems the  
David Taylor Model Basin, Carderock Division |  world's in a bad mood! 
Office Automation Systems Branch             | It always helps to have
Bethesda, Md.  20084-5000                    |  a good attitude.  
                                             |      Nancy Moran  
(301)227-4901                                |  (local Songwriter) 
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\\/\/

------------------------------

Date:    Wed, 04 Mar 92 16:18:28 +0000
From:    black@beach.csulb.edu (Matthew Black)
Subject: Plastique Virus (PC)

When we were infected with the [Plastique] virus, I tried using McAfee
SCAN and CLEAN to rid our system.  The problem is that CLEAN claimed
that Plastique was found in memory and could not remove it from the
diskette.  How did it get in memory?  Of course, I booted the system
with a write-protected DOS diskette and used SCAN on a write-protected
floppy?
- --
Matthew Black
Systems Analyst
Computer Engineering & Computer Science
California State University, Long Beach

------------------------------

Date:    Wed, 04 Mar 92 17:08:30 +0000
From:    kuchan@rtsg.mot.com (Joseph M. Kuchan)
Subject: Questions about fprot (PC)

As a new user of fprot, I have several questions that I hope someone
will be able to answer for me:

1) In the virus list, some virus names are in yellow text while
   others are in white. What does this mean? I cannot find anything
   about it in the documentation.

2) I'm using version 2.02d to scan a machine, and it detects the "SBC"
   virus in an executable (c:\dosexts\autotime.exe). There is no "SBC"
   virus in the list of viruses, only an "SVC" virus. Is this just
   a typo in the report? Does it really mean "SVC"?

3) The SBC/SVC virus mentioned in item 2, above, goes undetected
   by CPAV. CPAV also only has SVC not SBC in its list. How can I 
   tell if the file is really infected? Fprot said infected files
   would contain a particular text string if infected with SVC,
   but I did not see that string in the "infected" file.

4) When I scanned the same machine using heuristics (instead of
   secure scan, as done above) and ALL files instead of just
   standard executables, as above, fprot says there are 402
   suspicious files, but NONE are infected (i.e. it "misses"
   the alleged SBC/SVC in autotime.exe). I guess I can understand 
   this given the nature of heuristic scanning, but can someone
   "confirm" this behaviour for me?

5) After the heuristic scan mentioned in item 4, I tried to save
   the file (f-prot did not let me view it on screen from within
   fprot). When I quit fprot and tried to look at the report file
   it was 0 bytes long.

In general, fprot looks like a great program, and much of what I
report above is probably explainable in some fashion, but I wonder if
there aren't some bugs here?
- -- 
Joseph M. Kuchan - uunet!motcid!kuchan 		*
Motorola - General Systems Sector		*
3205 Wilke Road, Arlington Heights, IL 60004	*
708-632-7193					*

------------------------------

Date:    Wed, 04 Mar 92 13:05:41 -0500
From:    <RAFQC%CUNYVM.BITNET@mitvma.mit.edu>
Subject: Re: dir a: doesn't work (PC)

     We experienced a similar problem recently.  A WYSE 286 computer had
trouble not only diring the a: drive, it even overwrote diskettes with
contents it "remembered".  Eventually the disk drive broke down and a
new disk drive works fine.  So I suspect it is caused by the disk
drive rather than a virus.  The disk drive that developed the symptom is a
FUJITSU 1.2MB 5 1/4" disk drive.
     We have other PCs running in the lab and we have a lot of data
exchange between them.  If it were a virus, it would infect others, but
only one computer has this problem.

------------------------------

Date:    Wed, 04 Mar 92 11:36:00 -0600
From:    Steven Klepzig <SKLEPZI@SSB1.SAFF.UTAH.EDU>
Subject: Michelangelo virus found at U of Utah (PC)

Virus:
     Michelangelo

Anti-virus software used:
     F-PROT v 2.02D

Other software tried:
     Did not try any other software since F-PROT worked; also, I was
     pressed for time by the person with the infected computer.  I did
     get a copy of it however.

Infected machine configuration:
     Computer type: Leading Techknowlogies 80386sx IBM clone
     Diskette drives: 1 1.2Mbyte 5.25" floppy (A),
                      1 1.44Mbyte 3.5" floppy (B)
     Memory: 2Mbytes of RAM, 640K conventional, balance EMS/XMS, managed
             using 386Max from Qualitas
     TSRS: 386Max (loads high), Netware ODI shells (LSL, TOKEN, IPXODI,
           NETX, loaded high), Logitech Mouse driver (loaded high)
     DOS: MS-DOS v 4.01

Infection vector(s):
     There appear to be two possible infection vectors: 1 - an infected
     computer at the person's home, 2 - DOS diskettes shipped with the
     computer.  My money is definitely on #1.
     The person's home computer was discovered to be infected due to other
     infections in this local area (Salt Lake City, Utah).  There have
     been several reports of infections being discovered at some of the
     higher ed. schools.  This person's son-in-law was infected from one of
     these locations.  In the process of testing his home computer, he
     decided to check the computer in question, and discovered that it was
     infected as well.  This was relayed to the person here who proceeded
     to rush to my office in panic - "What do I do now?????"  I told him
     I would prepare a "clean" diskette for him to take home and fix his
     home computer.  Since he has the same computer at home as here I was
     going to use his computer here to prepare this diskette.  Also, I
     don't have a 5.25 drive on my computer.  I was fixing the diskette,
     getting ready to copy F-PROT onto it, and decided to just check, just
     in case.  Much to my surprise there was the red/yellow box saying
     Michelangelo is here.  From there I proceeded to disinfect his machine
     here, as well as 6 floppies that were also infected.
     The infected floppies were all manufacturer's diskettes with DOS, VGA
     drivers, and stuff on them (they were NOT write protected from the
     manufacturer either!).  But not all the diskettes that came with the
     machine were infected.  Also, this man's son had been playing games
     with questionable origins on the home computer and had wiped out the
     root directory of the home computer.  I am told that the infected
     diskettes were used to rebuild the home computer.  So that combined
     with the fact that not all the manufacturer's diskettes were infected
     leads me to suspect the son and his games.  I can't be 100% on that
     but I am comfortable with that assumption.

I don't speak for the entire campus here at the University of Utah.  I manage
a 150+ node Novell Network.  This one machine is the only infected PC I've
heard about or seen here.  I have heard of at least three other schools here
in Utah that have had trouble with Michelangelo but can't confirm any of
them.

- -- Steven
======================================== Standard Response #1:
Steven R. Klepzig                      = "We have not succeeded in answering
University of Utah                     = all your questions.  The answers we
135 Student Services Building          = have found only serve  to  raise  a
Salt Lake City, Utah 84112             = whole set of new questions."
                                       = "In some ways we  feel  we  are  as
Phone    -- 801-581-3437               = confused as ever, but we believe we
FAX      -- 801-585-3034               = are confused on  a higher level and
InterNet -- sklepzi@ssb1.saff.utah.edu = about more important things."
========================================

------------------------------

Date:    Wed, 04 Mar 92 11:04:34 -0800
From:    <ROYBAL%SLACVM.SLAC.STANFORD.EDU@VM1.gatech.edu>
Subject: Norton AV Problem-- Destroyed Extended Partition??? (PC)

   Our group PC's were infected with the Michelangelo virus. As a result,
several of our home systems were infected as well. We obtained a copy of
the Norton Anti-Virus Michelangelo Edition and used it to clean the virus
out.
   One of our fearless leaders owns a 386/40 running MSDOS 5.0 with a
120 MB Quantum IDE hard drive, divided into 2 partitions (partitioning
and formatting were done with MSDOS 5). Well, the NAV found the virus
on his system, and he proceeded to clean it out as instructed. The virus
is gone now, but so is his extended partition!!!
   I have not taken a look at his system yet (he lives in another county),
and of course I have had no luck getting through to Symantec's support
humans.
   We've had no similar problems with this package, and I can't think
of any reason why this might have happened (considering the type of
viral infection and the manner of cure). Any ideas, suggestions or
similar experiences are solicited!
                              /x
              aka   roybal@slacvm.slac.stanford.edu

------------------------------

Date:    Wed, 04 Mar 92 19:40:00 +0000
From:    Nick Hilliard <HILLIARD_N@csvax1.ucc.ie>
Subject: Re: a question re PKLITE and LZEXE (PC)

In a previous article, rajwan@brachot.jct.ac.il (yair rajwan) writes:
>I have a question:
>
>do PKLITE or LZEXE change a file and an infected file?

There are two ways in which a file compressed with PKLITE or LZEXE (or
other file compression programs) can be infected.

If the file is infected after it has been compressed, then scanners
(should) treat it as a normal file.

If, however, it was infected before it was compressed, then the virus
code itself will also be compressed, making standard scanning useless,
since compression, in general, will change the appearance of code. To
detect the virus in this case, the scanner must decompress the file,
and then check it for signatures (or whatever). SCAN v85 does this for
LZEXE-compressed files (I think).

Because compression changes the appearance of files, if a previously
infected file is compressed, then it is quite likely to be reinfected,
since the virus will not be able to detect that it has, in fact,
infected the file before.

>if yes: is there any program that cleans the virus from the compressed
>file?

If the file was infected after compression, then it can be disinfected
normally.

If the file was infected before compression, then it is necessary to
decompress it first, and then disinfect it.

Finally, if the file was infected both before and after compression, then
it is necessary to disinfect it, decompress it, and then disinfect the
decompressed file.

I don't think, though, that any of the major virus disinfectors will
disinfect compressed files yet (Frisk, Aryeh - there's a nice job for you ;-)

Regards,
Nick Hilliard.

- ------------------------
Nick Hilliard
hilliard_n@csvax1.ucc.ie
- ------------------------
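
An added example of the three cases Nick describes (not Nick's code, and not how SCAN, F-PROT or any packer actually works): signature scanning and disinfection through a packer layer, where infection before packing is invisible until the file is decompressed, and infection both before and after needs the two-step clean-up. zlib stands in for LZEXE/PKLITE, a constructed marker string stands in for a virus signature, and the "virus" is a constructed appending marker, none of it real virus code.

```python
"""Signature scanning and disinfection across a run-time packer layer.
zlib stands in for LZEXE/PKLITE; SIGNATURE and infect() are constructed
stand-ins for a scan string and an appending infector."""
import zlib

PACKER_MAGIC = b"PACKED!"                # constructed stand-in for a packer header
SIGNATURE = b"<constructed-signature>"   # constructed stand-in for a scan string


def make_program() -> bytes:
    """Constructed stand-in for a DOS executable, repetitive enough that the
    packer emits Huffman-coded output rather than a stored (verbatim) block."""
    return b"MZ" + b"\x90" * 512 + b"mov ah,4Ch ; int 21h\r\n" * 16


def pack(data: bytes) -> bytes:
    return PACKER_MAGIC + zlib.compress(data)


def is_packed(data: bytes) -> bool:
    return data.startswith(PACKER_MAGIC)


def unpack(data: bytes) -> tuple[bytes, bytes]:
    """Decompress the packed body. Returns (payload, trailing), where trailing
    is whatever follows the compressed stream, e.g. bytes an infector
    appended to the file after it had been packed."""
    d = zlib.decompressobj()
    payload = d.decompress(data[len(PACKER_MAGIC):]) + d.flush()
    return payload, d.unused_data


def infect(data: bytes) -> bytes:
    """Constructed appending 'infection'. It cannot see through the packer,
    so infect(pack(infect(x))) hits the same program twice, as the post notes."""
    return data + SIGNATURE


def scan(data: bytes, depth: int = 0, max_depth: int = 4) -> list[str]:
    """Report each layer where the signature is visible: 'layer0' is the file
    as stored, 'layer1' its decompressed payload, and so on for nested packing.
    A scanner that stops at layer0 misses an infection made before packing."""
    hits = []
    if SIGNATURE in data:
        hits.append(f"layer{depth}")
    if is_packed(data) and depth < max_depth:
        payload, _trailing = unpack(data)
        hits.extend(scan(payload, depth + 1, max_depth))
    return hits


def disinfect(data: bytes) -> bytes:
    """Clean in the order the post gives: strip the outer infection, then
    decompress, then disinfect the decompressed program. Returns the unpacked
    clean program; the packed form is not reconstructed."""
    if data.endswith(SIGNATURE):
        data = data[:-len(SIGNATURE)]
    if is_packed(data):
        payload, _trailing = unpack(data)
        return disinfect(payload)
    return data


if __name__ == "__main__":
    body = make_program()
    cases = {
        "clean, packed": pack(body),
        "infected after packing": infect(pack(body)),
        "infected before packing": pack(infect(body)),
        "infected before and after": infect(pack(infect(body))),
    }
    for name, sample in cases.items():
        print(f"{name:28s} hits={scan(sample)} clean={disinfect(sample) == body}")
```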

------------------------------

Date:    Wed, 04 Mar 92 13:13:40 -0800
From:    rslade@sfu.ca (Robert Slade)
Subject: Phone in Michelangelo (PC)

I crave the indulgence of Ken, and all the VIRUS-L readers, but:

On this Friday, March 6, CBC radio has asked me to participate in a
"phone in" show regarding the effect of the Michelangelo virus.  I
would like to have reports of Michelangelo "disasters" (or fizzles)
"as they happen", by phone or email.  (I am sure Ken would second my
request that you *not* post them to the net.)  I recall the request
for more detailed reports next week: all I want is a quick survey as
you find the evidence (and time.)

I will be calling in to the sfu and cue sites for email (as well as
local BBSes) and will be taking calls at (604) 988-4097 and 984-4067.
The phone number for the CBC studio will be (604) 669-3733.  (Please
do not call before 1400H GMT/ 0600H PST.)

Thank you in advance for any and all reports.
 
============= 
Vancouver                               | "Kill all: God will know his own."
Institute for  Robert_Slade@sfu.ca      |       - originally spoken by Papal
Research into  rslade@cue.bc.ca         |         Legate Bishop Arnald-Amalric
User           CyberStore Dpac 85301030 |         of Citeaux, at the siege of
Security       Canada V7K 2G6           |         Beziers, 1209 AD

------------------------------

Date:    Wed, 04 Mar 92 22:55:32 +0700
From:    frisk@complex.is (Fridrik Skulason)
Subject: F-PROT "SBC" false positive (PC)

Version 2.02 of F-PROT may report the SBC virus in a few small EXE files.

This is a false alarm - my apologies to anyone who got worried because of
this.  It is corrected in 2.03 (due out real soon....)

- -frisk

------------------------------

Date:    Thu, 05 Mar 92 11:14:08 -0600
From:    Werner Uhrig <werner@rascal.ics.utexas.edu>
Subject: Mac users and PC/MS-DOS Viral Programs (Mac)

	Due to my concern for Macintosh users of PC-emulating software
	and hardware, I asked for advice and received the following
	excellent response:


> From: Chris McDonald ASQNC-TWS-R-SO <cmcdonal@wsmr-emh03.army.mil>
> Subject: Answer to Question on PC/MS-DOS Viral Programs
> Date: Wed, 4 Mar 92 13:45:18 MST

Having tested 18 anti-viral MS-DOS/PC-DOS programs, I would personally
recommend F-PROT by Fridrik Skulason for those on a restricted budget
and those interested with one scanning feature which I have not seen
advertised in other freeware, shareware and commercial programs:
namely, a heuristic scanning option which looks for "viral
characteristics" rather than just for a specific signature.  F-PROT
detects and disinfects and has a TSR component to block infected
programs from running.

Those interested in speed of scanning with no adverse impact on
detection efficiency should consider VIRx, which is approximately
one-third of the commercial Virex-PC program marketed by Microcom.
VIRx is a detector only; Virex-PC is a detector, disinfector, and
prevention program.

The large commercial vendors, Microcom (VIREX-PC), Central Point
(CPAV), Symantec (NAV), XTree (ViruSafe), have good products depending
upon what your specific requirements are, the expertise of your user
community, and the funds available to your organization for such
protection.  Fifth Generation Systems has recently entered the market,
but I have not yet tested their product.  All these products offer
detection, disinfection, and prevention features.

IBM has an EXTREMELY reasonable product, the IBM Anti-Virus Product,
which offers numerous detection options and a site license cost of
$35.00 total for an entire installation or activity--no limit on
number of PCs which can load the software.  The problem here is that
it is only a detector, with a seemingly haphazard method of updating.

The National Computer Security Association (NCSA) periodically updates
its report on virus detection software.  Its latest report is January
1992.  I also have individual product test reports on those programs I
have personally evaluated.  Ken maintains the reports on the Virus-L
repository at CERT; John Wack and Marianne Swanson maintain these test
reports and others on the NIST security BBS.  I would always recommend
that one have or have access to at least two different programs to
filter out false positive alarms, program incompatibilities, and the
potential for one vendor to close up shop.

Chris

------------------------------

Date:    04 Mar 92 10:17:33 +0800
From:    Fran Holtsberry <fran_holtsberry@macgate.csuchico.edu>
Subject: OS/2 and DOS viruses??? (PC) (OS/2)

How do we treat OS/2 machines?  Do boot sector viruses affect these
machines?  Do we disinfect for the same viruses as for DOS?  Will .exe
and .com files be affected by DOS viruses?

Fran Holtsberry
Cal State Chico
Microcomputing Consultant

------------------------------

Date:    Wed, 04 Mar 92 14:47:53 -0500
From:    austin@tecnet1.jcte.jcs.mil
Subject: Re: Viruses in general

In VIRUS-L Digest V5 I50: IP_BOSS@syd.deg.CSIRO.AU (Jack Churchill) writes:

>Date:    Sun, 01 Mar 92 12:34:42 -0500
>Subject: Viruses in general

>If it's that important to have a good anti-virus tool (which it is)
>then it should be mandatory on all PCs.  It's now come to the stage we
>spend too much time chasing viruses and anti-virus cures.  PCs are
>supposed to be useful, productive and cost effective means of
>computing.  I feel it's come to the stage that MSDOS should have
>anti-virus tools as standard with the provision for updates through
>normal computer stores or electronic means.  In other words, why
>should we put up with so many different forms of anti-virus tools when
>one should be enough and made a permanent feature of all PCs.  That
>way the spread of viruses would be much harder since every system
>would stop the spread as close to the source as possible.  Then we can
>get back to using PCs for other more productive uses.  Otherwise, we
>will quickly come to the stage of having so many new viruses (one per
>day or worse) that we spend most of our time doing
>backups/restores/virus-checking/etc.  If it's not that important to
>make every system safe then the opposite argument becomes true, namely
>we are all becoming paranoid about viruses (which I don't think is
>true).  You see, you can't have it both ways.  Either we take it
>seriously or not.

I agree with the idea that the Operating System (OS) on ALL PCs (MAC,
DOS, UNIX, etc) needs to be set up to protect itself from this type of
software invasion, but is this kind of thing possible?  If it is
possible, would it be too difficult to implement?  And, if not difficult
to implement, then how do we get it implemented?  And, is this the place
to be discussing it? (In other words, this should be directed to the OS
developers.  I am saying that I am glad to see the idea come up, and that
this needs to be looked at very closely.  The OS developers need to do
this, if they aren't already working on it.)

Thank you...  --Randy

+=================================================================+
+ Randy Austin                        austin@tecnet1.jcte.jcs.mil +
+                                                                 +
+                * *  SPACE FOR RENT  * *                         +
+              (Not necessarily this Space)                       +
+=================================================================+

------------------------------

Date:    Tue, 03 Mar 92 13:24:00 -0800
From:    Judy S. Brand <jsb@well.sf.ca.us>
Subject: Ides of March conference schedule 

  MARCH 12-13 SCHEDULE FOR 5TH INTERNATIONAL VIRUS & SECURITY CONF:       
                       (800-835-2246, ext 190)
  sponsors:  dpma n.y. f.i. ch., acm-sigsac, cma, cos, ieee-cs
    (half-price Continental coach:800-468-7022 code EZ3P69)

                     WEDNESDAY 3/11 COURSE:
     Info & Systems Security, Design of Secure Systems, Service
     Interrupt Recovery, Management of Risk, Security Management

                     THURSDAY 3/12 MAIN KEYNOTE:
     Jan Newman, Novell VP for NetWare:  Secure Networks after 1992

                     THURSDAY 3/12 10:45:
     MANAGEMENT & PRACTICE (Chair: Jack Holleran, NCSC):
         Grace Hammonds, ACCS:  Trust and the Orange Book
         Marshall Abrams, Mitre:  Trusted Network Interpretation
         Morgan E. Death, Hughes:  Information Piracy and Computer Crime
     RESEARCH & TECHNICAL (Chair: Harold Highland, Computers & Security):
         Melvin Schwartz, Nobel Laureate:  Identifying Entities & Paths
         William Murray, Deloitte:  Modern Cryptography
         John Cramer, Racal:  Key/Network Management
         Addison Fischer:  Electronic Document Authorization
     FULL-TIME LAN TRACK  (Chair: Padgett Peterson, Martin-Marietta):
         Nander Brown, RTC:  Protecting LANs from Viruses
         Eugene Spafford, Purdue:  Programmed Pests
         Kenneth van Wyk, CERT/CMU:  Good Hygiene for Networks
         Bernard Zajac, Chicago Water:  Valuing Anti-Viral Products

                     THURSDAY 3/12 12:15:
     ANTIVIRUS METHODS CONGRESS:  Researchers-only Swap Session

                     THURSDAY 3/12 1:30:
     MANAGEMENT & PRACTICE  (Chair: Dick Lefkon, NYU):
         Ed Fulford, Northern Telecom:  Protecting Telecom Networks
         Philip Cunningham, MCI:  The Combined Threat
         Steve Purdy, Kroll Associates:  PBX Fraud
         Thomas Constantine, NYS Police Supt:  NYS Computer Crime Lab
     RESEARCH & TECHNICAL  (Chair: Dennis Steinauer, NIST):
         Timothy Polk, NIST:  Security Tools for UNIX Systems
         Maria Pozzo (King):  Identifying Undesirable Programs
         Karl Levitt, UC Davis:  Malicious Code Detection Testbed
     FULL-TIME LAN TRACK  (Chair: William Murray):
         John McAfee:  Strategies Against Virus Attacks
         John David:  Recovering from a Virus Hit
         Peter Tippett:  Is the Problem Growing Exponentially?
         Kephart & White, IBM:  How Prevalent are Viruses?

                     THURSDAY 3/12 3:30:
     MANAGEMENT & PRACTICE  (Chair: Carol Bernstein, IBM):
         Derek Giroulle:  European Strategic Contingency Approach
         Dmitry Gryaznov:  Viruses in the Former USSR
         Vesselin Bontchev:  Bulgarian and Soviet Virus Factories
     RESEARCH & TECHNICAL  (Chair: Judy Brand, Nationwide):  
         Robert Campbell, AIM:  Waning U.S. Security Leadership
         Martha Branstead, TIS:  TCSEC and ITSEC
         Patricia Toth, NIST:  New NIST and NSA Criteria
     FULL-TIME LAN TRACK:
         Fred Cohen, ASP:  Current Best Practice
         Greg Drusdow, NUI:  Debate on Scanners vs. Integrity Products
         Alan Solomon, Toolkit:  Mechanisms of Stealth
         L. Heberlein, UC Davis:  Intrusion Detection System

                        THURSDAY 3/12, CONTINUED:
     5:00:  ANTIVIRUS METHODS CONGRESS:  Board Meeting
     6:00-7:30:  Meet-the-Experts Reception

                        FRIDAY 3/13 9:00
MANAGEMENT & PRACTICE:  (Chair: Klaus Brunnstein, U. Hamburg):
         Ken van Wyk, Virus-L:  Public Anti-Virus Security Resources
         Christoph Fischer, Karlsruhe:  Micro-BIT Center Research Activity
         Dick Lefkon:  Michelangelo and the Anti-Virus Gang
RESEARCH & TECHNICAL:  (Chair:  Padgett Peterson, Martin-Marietta)
         Steve Bellovin, ATT:  There Be (Gateway) Dragons
         Bill Cheswick, ATT:  A Cracker is Lured and Endured
         Tom Duff, ATT (Chair):  UNIX Worm
LAW & JUSTICE:  (Chair: Donn Parker, SRI):
         Scott Charney, U.S. Justice Department:  Our New Initiative
         Steve Purdy:  Investigating Unauthorized Access
         Gail Thackeray:  Criminal Investigation Flowchart

                        FRIDAY 3/13 10:30:
MANAGEMENT & PRACTICE:  (Chair: Jane Paradise, Apple):
         Robert Gezelter:  How to Keep Your DEC System Secure
         Jeff Shulman:  How to Protect Your Macintosh
         Rebecca Mercuri:  Physical Verifiability of Computer Security
         Bill Houston:  Comdisco's NYC Blackout Recovery
RESEARCH & TECHNICAL:  
         Fridrik Skulason (Chair):  Virus Genealogy
         Roger Riordan:  Extremely Fast Search Algorithm
         Frankel & Desmedt:  Multisignatures for Virus Protection
         Andy Hopkins:  Brain Surgery - Dissecting the Pakistani Virus
LAW & JUSTICE:  (Chair: Gail Thackeray, Phoenix County):
         Gunter von Gravenreuth:  Legal Malware Classifications
         Marc Rotenberg, CPSR:  Socially Responsible Viewpoint
         Buck Bloombecker, NCCD:  Computer Virus Law

1:15:  "ET TU, HACKER?"  THE GREAT VIRUS/INTRUDER DEBATE
         Fred Cohen:  A Case for Benevolent Viruses
         Donn Parker:  Gullibility and Hacker Social Engineering
         Klaus Brunnstein:  Social Implications
         Sara Gordon:  A Former Hacker Speaks

                         FRIDAY 3/13 2:45:
GRAB BAG - NEW IDEAS:  (Chair: Fred Cohen):
         Anthony Naggs:  How & Why of Exact Virus Identification
         Dave Chess, IBM:  Virus Verification and Removal
         Russell Davis, PRC:  Peeling the Viral Onion
         Voas & Payne, NASA:  Detecting Viruses in Realtime
         Yisrael Radai, HUJ:  Checksumming Techniques
LAW & JUSTICE:
         Ken Citarella, Bronx D.A.:  Computer Crime
         Dan Delaney, NYS Police:  Recent Convictions
         Dennis Jackson, Mu-Innovation:  Computer Crime & British Justice

Presenters in other tracks include Manuel Barbero, France Telecom; Hugh Baker,
HB Engineering; Kevin Brady, UNIX Labs; Stephanie Davidson, Hughes; Dick
McClung, Harcom; Tom Papa, Locate; David Stang, NCSA; John Toomey, LeeMah.

Registration includes Proceedings, 8 food breaks, half-price airfare,
discount luxury double rooms at the New York Waldorf-Astoria, Marriott
Marquis Hotel, Loews New York Summit, and Ramada Madison at Penn Station.

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 56]
*****************************************
