From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #71 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Monday, 23 Mar 1992 Volume 5 : Issue 71 Today's Topics: Re: Help on Yankee Doodle virus (PC) Re: SCAN + VIRx Conflict (PC) St. Patrick's Day Virus? (PC) Re: FLIP virus... (PC) Michaelangelo & Noint (PC) FDISK /MBR (PC) Re: Drug Rehab - Stoned (PC) Re: Disabling boot from floppy? (PC) Virus Question (PC) chkdsk reporting 654336 total memory (PC) Re: Norton quote (PC) Re: virus scanners (PC) polymorph virus questions (PC) Re: **Information on anti-virus program** (PC) Re: Virus Signatures and other research data? (PC) Re: INFO wanted: BBS methods of virus detection (PC) Combat - a virus? (PC) New Virus? (PC) Re: VIRUSes (was Re: Unix based FITS table browsers?) (UNIX) Re: Origins of viruses Mac anti-viral site no longer available (Mac) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 18 Mar 92 16:04:57 -0500 From: JEDI Subject: Re: Help on Yankee Doodle virus (PC) Yankee Doodle is one of the more easier viruses to disinfect from a computer. Central Point Anti-Virus will do the job, as will the Mcafee virus software. - --JEDI ------------------------------ Date: 18 Mar 92 16:12:49 -0500 From: "Ross M. Greenberg" <72461.3212@CompuServe.COM> Subject: Re: SCAN + VIRx Conflict (PC) >Date: Fri, 13 Mar 92 18:56:39 +0000 >From: sdh@po.CWRU.Edu (Scott D. Heavner) > > Here's the situation. Yesterday, I decided to check >everything for viruses, especially Friday the 13th. I used VIRx (by >Microcom) and SCAN V80. When I stopped VIRx with ^C and run SCAN, I never did get around to sticking a ^C intercept into the code: if you ^C out of VIRx, it will leave our virus table around in memory. I should probably fix that in the next version of the code.... >..VIRx seems to stop after the first occurence of a virus because it >should have reported hundreds. Exactly: we stop on finding the first virus in a file. Seems no point to continue scanning: if we have a disinfector enabled and you disinfect the file we'll continue scanning after removing the first virus. >1) Do SCAN and VIRx look for the same key pieces of virus? (How similar >would their ID tables look?) About 80% of our scan strings we've derived ourselves. The remaining 20% come from the Virus Bulletin. I've no idea where McAfee Associates gleans their strings from. >3) Do scanners typically encode the ID clips so that they don't appear >as viruses until decoded? If they don't, do they alter the clip after >they have completed the scan so that all those pieces won't still be >in memory. We do a minor encoding of our string table, and remove the memory table when we complete. You discovered one of our "gee, we'll fix it next release" holes. We'll fix it next release! Ross M. Greenberg Author, VIRx & Virex-PC ------------------------------ Date: Wed, 18 Mar 92 22:46:11 +0000 From: mhollowa@csws5.ic.sunysb.edu (Michael Holloway) Subject: St. Patrick's Day Virus? (PC) A friend reports that his computer was taken over by a virus that replicated his root dir structure many times. Since this happened on St. Patty's day he suspects it was timed. Any info out there? Thanks Mike ------------------------------ Date: Wed, 18 Mar 92 18:15:00 -0600 From: "Ron Hahm @ the University of Northern Iowa" Subject: Re: FLIP virus... (PC) giani@nexus.yorku.ca (John Sfetsas) writes: > I have a PS/2 model 70 which has what is called a FLIP virus. F-PROT > antivirus program detects it but it cannot remove it. I also tried > scan and norton antivirus. Does any of you have a program that will > remove that virus? I know that McAfee's CLEAN will remove quite easily. - -- +-------------------------------------------------------------------------+ |Ronald Hahm INTERNET ADDRESS: HAHM@ISCSVAX.UNI.EDU | +-------------------------------------------------------------------------+ ------------------------------ Date: Wed, 18 Mar 92 21:25:00 -0500 From: Hama@DOCKMASTER.NCSC.MIL Subject: Michaelangelo & Noint (PC) I noticed that when I scanned a MICH infected diskette with SCANV86B that it reported reported the NOINT, The diskette was re-scanned using V84 and sure enough the MICHAELANGELO was reported. I recall that on the week of Mar 02 there were numerous NOINT reports, but few MICHAELANGELO's being found. II tested a NOINT sample with V84, but it is reported as a STONED related virus. I wonder if the NOINT reports were really NOINT or MICHEALANGELO? Anyone notice a sudden surge in NOINT reports? - ------------------------------------------------------------------------------ Gord Hama , Research Analyst RCMP Technical Security Services (613) 993-8775 Voice EDP Security Branch (613) 952-2229 Fax 720 Belfast Rd. 1:163/506.5 ( Fido BBS ) DOCKMASTER.NCSC.MIL =============================================================================== ------------------------------ Date: Tue, 17 Mar 92 09:16:58 -0700 From: Subject: FDISK /MBR (PC) My experiments with FDISK/MBR seem to indicate that if you are starting with a completely non-sense MBR, then FDISK /MBR will *not* be able to create an MBR which is useable without further editing. For example, I filled the entire MBR of a Compaq 386 with the letter 'E' (045h), then booted from a DOS5 diskette, then ran FDISK/MBR, then tried to boot from the fixed disk. No siree. The Partition Table starts at offset 01BEh in the MBR. I believe that if this area contains reasonable values, then FDISK /MBR will *leave them intact* when it re-builds the MBR, and the MBR *will* then be usable. Michelangelo, when infecting a fixed disk's MBR, appears to leave the PT area of the MBR alone. This would explain why FDISK /MBR is able to rid the fixed disk of the virus *and* "restore" the original partitions (I put "restore" in quotes because they were never really modified). Just because *Michelangelo* leaves the PT in the MBR alone, doesn't mean *all* boot-sector viruses are so obliging. As discussed above, it would seem that FDISK/MBR would *not* successfully bring back a fixed disk whose MBR had been infected with a boot-sector virus which overwrites the PT. So the advice being given on comp.virus about using FDISK/MBR should carry some kind caveat to this effect. Also, I first learned about FDISK /MBR by talking to the folks at Microsoft tech support. I was upgrading to MS-DOS5 from a PC with a fixed disk partitioned and formatted under Compaq DOS3.31. After installing MS-DOS5 and trying to run SMARTDRV.SYS, I kept getting an annoying message about my partition not being compatible or something. MS told me to run FDISK/MBR to fix it. It worked. Ether (ether@enc.gedlab.allied.com) ------------------------------ Date: Fri, 13 Mar 92 14:05:16 -0500 From: wplace!mlewis@duke.cs.duke.edu (Mark Lewis) Subject: Re: Drug Rehab - Stoned (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > James_Williams%ESS%NIAID@nih3plus.BITNET writes: [... trim ...] > > My question is this, I'm probably going to be asked to get stoned off > > the remaining computers. What is the best way to do this? > > Two possibilities. Either get a better disinfector, or (preferred) get > a MS-DOS 5.0 system diskette (should be write protected). Go to every > computer, boot from that diskette, and run FDISK /MBR. Should remove > the virus without problems. am i to understand that this will work on all previous DOS versions? i'm going to assume that it is correct for 3.xx and up. i know that 4.01 also had some structure differences but i don't know where they were/are. mlewis (Mark Lewis) - -> The Waffle House at Waldo's Place <- ------------------------------ Date: 19 Mar 92 10:22:09 +0000 From: ggrant@firsthand.Eng.Sun.COM (Gary Grant [CONTRACTOR]) Subject: Re: Disabling boot from floppy? (PC) kondor@ee.ualberta.ca (Ran Kondor) writes: >I have often wondered, is it possible to disable the drive >capable of booting from a floppy? > >If this is done, much heartache can be spared as most viruses, >that I have seen, rely on a boot to load up to memory. This would >be used to help those who, much to their dismay, find out, only too >late, that they have booted with a floppy in drive A. They would >now be at the mercy of a possible virus. > >My question is this: >Is is possible to disable a boot from a floppy and then enable upon >demand? Could it be done by just executing some batch or .EXE file? >This should take care of the Michaelangelo virus! In the more modern PC Bios's (AMI etc) there is a cmos parameter which says in which order the computer will boot either A: first and then if A: does not have a drive in it, then boot from C:. It is possible to reverse this, so that the system boots from C: first then, if there is no bootable Hard Disk it will then boot from A:. Thus If you change the boot order parameter your system will boot from the hard disk (if there is one). - -Gary ------------------------------ Date: Thu, 19 Mar 92 08:27:00 -0600 From: JOHN RATH Subject: Virus Question (PC) I would like to ask a question to all of you who know a little more about a virus than I (which doesn't take much). There was a message on a computer in my office lately that puzzled me. I've heard a lot about different things that a virus will do, but not this. When turning this computer on, a message like follows appears on occasion. ok IBM (the ok has a circle around it and is crossed out like a no smoking sign) This only happens every now and then. Does anyone have any ideas what this could be? To my knowledge, we were not hit by Michaelangelo. Thanks John Rath Rath6051@iscsvax.uni.edu ------------------------------ Date: Thu, 19 Mar 92 16:31:12 +0000 From: luc.bussieres@dmi.usherb.ca (Luc Bussieres) Subject: chkdsk reporting 654336 total memory (PC) [Moderator's note: Added to FAQ.] When I run chkdsk on several pc it is reporting 654336 total memory instead of the 655... that it is usually reporting. I then decided to run scan version 86 on those pc from a clean floppy and it is detecting no viruses. Is it possible that it is a new virus that is unknown from McAffee scan ? thanks for your help. - -- Luc Bussieres ---- System Analyst - Dept. of Mathematics and Computer Sciences University of Sherbrooke Internet : luc.bussieres@dmi.usherb.ca Tel: (819) 821-7981 ------------------------------ Date: 19 Mar 92 16:55:27 +0000 From: vail@tegra.com (Johnathan Vail) Subject: Re: Norton quote (PC) rsr@garnet.berkeley.edu (Roger Rosenblum) writes: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >The "improbable life forms" become quite real when they hit your >computer... Recall that not so long time ago Peter Norton has said >that computer viruses don't really exist, and that they are just an >urban legend. Yikes! Is that quote really attributable to Peter Norton? If so, does anyone know where, when, or in what context he said it? I could believe it. Last summer I claimed to have never seen a PC virus (except ones I had written myself). Only about three weeks later someone's PC here contracted Dark Avenger. If you are not in a "high risk" category there is good chance you may not run into a virus. At least until recently. I dislike the shareware concept and prefer playing with things that I have the source code for. I actually pay money for things like Borland C and Quattro. Finding viruses in major commercial software and source code is still relatively rare. jv "If you know what Life is worth You will look for yours on Earth So stand up for your rights" -- Bob Marley _____ | | Johnathan Vail vail@tegra.com (508) 663-7435 |Tegra| jv@n1dxg.ampr.org N1DXG@448.625-(WorldNet) ----- MEMBER: League for Programming Freedom (league@prep.ai.mit.edu) ------------------------------ Date: 19 Mar 92 16:45:31 +0000 From: vail@tegra.com (Johnathan Vail) Subject: Re: virus scanners (PC) scott.gregory@canrem.com (Scott Gregory) writes: GR> -=[ "Information is the greatest weapon of power to the modern wizard." ]=- Unfortunately, it is dangerous to put a gun in the hands of a child, as you have aptly demonstrated. By posting the scan codes that McAfee uses for common viruses, you have assured us (the rest of the world) that in short order, a slew of 'old' viruses with these codes changed will sprout up to annoy everyone. As you pointed out later, that is already happening. Maybe publishing the codes did help those who are too dim to do what GR did. Maybe pointing out what he did will help to educate people about whats going on with virus scanners. It took RTMs Worm to wake people up to the lack of even basic security on most machines. GR> So it seems my question was answered. Some 'virus scanners' just scan GR>for a single string of hex character. This is fine if viruses NEVER changed GR>or programs would NEVER use code similar to what a virus would (the smaller Viruses don't change, people change them. While this may seem like a ^^^^^^^^^^^^^^^^^^^^ Trivial statement but wrong. Encrypted viruses with changing encryption keys are nothing new. The "mutating engine" described in this group sounds like a more sophisticated technique. These things do change themselves and can render virus scanners obsolete. People should wake up that scanners are not a very good way to prevent viruses. trivial statement, it is important. This is why a program scans for 'variants' of viruses, and one reason that updates are so frequent is because people have nothing better to do with their time than change virus code to make its 'signature' different. Frequent updates to signature files can be convenient if you are in the virus scanner busniness. jv "There are only two mistakes one can make along the road to truth: not going all the way and not starting." -- Buddha _____ | | Johnathan Vail vail@tegra.com (508) 663-7435 |Tegra| jv@n1dxg.ampr.org N1DXG@448.625-(WorldNet) ----- MEMBER: League for Programming Freedom (league@prep.ai.mit.edu) ------------------------------ Date: Thu, 19 Mar 92 13:29:55 -0500 From: sander@engin.umich.edu (Scott D Anderson) Subject: polymorph virus questions (PC) I am looking for information on the ibm PC 'polymorph' virus, which is self-encrypting, self mutating, and overwrites random sectors on the hard drive. Supposedly, the only way to find an infection of this virus is to notice an unexplained growth in COM files. Has anyone heard of this virus? Is it true that there are currently no means of detecting it other than mentioned above? If this isn't true, how would I go about detecting such a virus? thanks in advance, scott anderson - -- Programming YIN-YANG CHOOSE CHEAP Scott Anderson TWO: / \ sander@engin.umich.edu ------------------------------ Date: Thu, 19 Mar 92 18:06:27 +0000 From: heli@eichow.tuwien.ac.at (Helmut Dier) Subject: Re: **Information on anti-virus program** (PC) valhert@mist.cs.orst.edu (valhert) writes: >Hi Everyone, > >I have a new IBM compatible. With all the shareware that I use I am >afraid of viruses. I was wondering if anyone can help explain to me >what are the best anti-virus I can get. In my opinion the best program (also for use at startup of the PC) is SCAN from McAfee. It is a rather easy to use commandline program which even returns DOS errorcodes (useful in Batch files). The last version (as far as I'm informed) is SCANV86B. It is shareware and available via Internet and bitnet. Best thing is to FTP to your neareset FTP-srever with and try to find it. My preferred source is WSMR-SIMTEL20.ARMY.MIL [192.88.110.20] and all it's mirrors as well as the TRICKLEs. >and how I can set it up on my >computer to where it will scan everytime I turn on the computer. Installation instructions are in the .ZIP (or whatever archiver the server uses). Helmut - ---------------------------------------------------------------------- Helmut Dier, | E-Mail: sutdent of computer science, | HELI@EICHOW.UNA.AC.AT Technical Universitiy of Vienna | Austria, Europe | - ---------------------------------------------------------------------- ------------------------------ Date: Thu, 19 Mar 92 17:58:30 +0000 From: heli@eichow.tuwien.ac.at (Helmut Dier) Subject: Re: Virus Signatures and other research data? (PC) FORRESTC@CC.SNOW.EDU (Forrest W. Christian) writes: >I was wondering if anyone could tell me where I could get the >following information. I would perfer an internet source. > >1) A listing of Virus Signatures..... Try in Simtel20's pd1:. There are posted regular Updates to the signatures of a program named HTSCAN. Perhaps this helps you. - ---------------------------------------------------------------------- Helmut Dier, | E-Mail: sutdent of computer science, | HELI@EICHOW.UNA.AC.AT Technical Universitiy of Vienna | Austria, Europe | - ---------------------------------------------------------------------- ------------------------------ Date: Thu, 19 Mar 92 23:37:30 +0000 From: rslade@sfu.ca (Robert Slade) Subject: Re: INFO wanted: BBS methods of virus detection (PC) jkristof@lucpul.it.luc.edu (NiteLine) writes: >How safe is it to scan for viruses on a BBS. I run a BBS, but I >usually take the line off-hook, shut down all my running programs >(including DESQview) and scan the uploaded files. There are some That would seem to be a bit extreme. It is perfectly safe to "scan" for viral programs on any uninfected machine, and I am assuming that you are worried about infecting your own machine from new uploads, rather than infecting the new uploads from an infection that is already running on your system. A viral program cannot infect you until you run it. Thus, until you run any of the new programs, you are not at risk from them. (By the way, do you have Fidonet access? I recently answered a similar question on the VIRUS_INFO echo.) >BBSes that scan the upload automatically as soon as it is recieved. Actually, it's a dumber practice than it sounds. I support a number of the larger local bulletin boards, and have tried to break the sysops of this practice, particularly where antiviral software is concerned. One of the factors involved is the false sense of security this creates. Sysops seem to think that this one factor precludes testing of the software itself. We had a situation recently where a BBS (which used an automatic scanning program) posted, and promoted, the latest version of SCAN, SCAN 87. Trouble was, McAfee Associates hadn't made SCAN 87 yet: the thing was a trojan. (Following usual practice in such cases, I understand the next version will be 89.) A second factor is that some of the "unzip and SCAN" programs will only use the McAfee and PKWare products. A third is that some the the programs insist on "rezipping" archives, destroying what little security the "security envelopes" provide. >Is that safe? Wouldn't the virus be able to infect the BBS program if >one is detected. Depending on the type of virus of course. I seem to recall, in the dim and distant recesses of my memory, either a trojan or a virus which did test for the presence of BBS software. However, even if I do recall correctly, these types of programs are extremely rare. ============= Vancouver | "The client interface Institute for Robert_Slade@sfu.ca | is the boundary of Research into rslade@cue.bc.ca | trustworthiness." User CyberStore Dpac 85301030 | - Tony Buckland, UBC Security Canada V7K 2G6 | ------------------------------ Date: Fri, 20 Mar 92 03:08:11 +0000 From: mhollowa@csws5.ic.sunysb.edu (Michael Holloway) Subject: Combat - a virus? (PC) Does anyone have information on a PC virus that makes false subdirectories (a huge number of false subdirectories) all named "combat"? Mike ------------------------------ Date: Thu, 19 Mar 92 11:09:00 +0000 From: Roy Coates Subject: New Virus? (PC) Hello All, I *think* that we have a new virus on one of our Lab PC's. The machine in question is an old Opus running Dos 3.3 and the students (read cockroaches) using it are mostly using GW-Basic and their own programs. Once the machine has been on for a while (typically 5-6 hours) it while either start playing some unknown tune, or produce a *firework* type display using the asterisk character. No damage seems to have been done to data or programs, the system is just as slow as it ever was, and NONE of the anti-viral packages that we have can detect anything at all. I have been running Jim Bates' VISCHECK for about two weeks now and this tells me that none of the .EXE or .COM files have changed in any way. The HD boot sector is clean, and the only thing loaded at startup (apart from command.com) is the keyboard driver. This is driving me CRAZY :-( Anyone out there come across this kind of activity before ?? Roy Coates Computer Unit Dept of Mech Eng Liverpool University England ROY@UK.AC.LIVERPOOL.ME.MVAX1 ------------------------------ Date: Thu, 19 Mar 92 13:44:23 +0000 From: pmurphy@NRAO.EDU (Pat Murphy) Subject: Re: VIRUSes (was Re: Unix based FITS table browsers?) (UNIX) (Anthony J Stieber) writes: I really suggest that anyone interested in finding viruses get one of the several virus scanning programs. F-prot, McAffee Scan, and Virex are all good programs and are freely distributable. I am not familiar with these (don't have time to be a full-time security guru in addition to my gazillion other tasks :-) but I would be pleasently surprised if they were supported for ConvexOS 9.x, SunOS 4.1.1 and 4.1.2, Ultrix 4.0, IBM RS/AIX 3.1.5, VMS 4.6 and 5.1-1, ... you get the idea. The binary in question was for SunOS, not DOS. I agree that viruses, trojans, etc are rare but they (and cracker intrusions) do happen and the consequenses can be very damaging. In the absence of suitable unix-based tools, you do what you can to screen things like these. And strings can work (for root) on anything you feed into its stdin (like a dump of /dev/drum for example). It's just one extra tool you can use to protect yourself. In any case, viruses are only one of many possible ways to loose valuble information. The best preparation is to back up the information. Well said. See comp.virus and archive sites like wuarchive.wustl.edu. If only I had time... :-( - Pat - -- ========================================================================== | Patrick P. Murphy, Ph.D. Scientific Programming Analyst | | National Radio Astronomy Observatory Net: pmurphy@nrao.edu | | 520 Edgemont Road or: uunet!nrao.edu!pmurphy | | Charlottesville, VA 22903-2475 Phone: (804) 296-0372 | | "I don't believe in the no-win scenario" --- James T. Kirk | ========================================================================== ------------------------------ Date: Thu, 19 Mar 92 09:19:58 +0000 From: markf@syma.sussex.ac.uk (Mark Foster) Subject: Re: Origins of viruses kiae!rtech!vl!ALS@vl.ts.kiev.ua writes: : > I heard from the news that origins of virus points to Bulgaria. Is it : > true? And anti-virus activities started in Israel ? : : Oh,no! : But answer is simple: virus writing started with wide PC using and : anti-virus writing started when people recognized couple of viruses on : their PC's. The very first virus that I ever saw or heard of was the SCA (Scandinavian Cracking Association) virus for the Commodore Amiga. Obviously inspired by the film 2010 approx 4-5 years ago and all in < 1k. Can someone confirm or deny if this was indeed the one that started it all. Something wonderful has happened.... Your Amiga is Alive.... And even better.... Some of your disks have been infected.... By a VIRUS !!!! ------------------------------ Date: Thu, 19 Mar 92 15:54:40 -0500 From: xrjdm@calvin.gsfc.nasa.gov (Joseph D. McMahon) Subject: Mac anti-viral site no longer available (Mac) The Macintosh anti-viral distribution site at SCFVM.GSFC.NASA.GOV is no longer available. Budgetary constraints required us to remove the operating system which supported the server. Sorry, all. --- Joe M. ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 71] *****************************************