From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #73 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Tuesday, 24 Mar 1992 Volume 5 : Issue 73 Today's Topics: Re: F-PROT warning: false positive? (PC) Re: INFO wanted: BBS methods of virus detection (PC) Re: McAfee 8.3B86 and EDV - *HELP* (PC) Re: Measuring Michelangelo (PC) Re: Michelangelo Aftermath (PC) Re: Need info on No-Int (Stoned) virus (PC) Re: Novell Anti-Virus??? (PC) Re: Protection from boot-sector viruses (PC) Re: SCAN + VIRx Conflict (PC) Re: Stacker and viruses (PC) Re: Stoned/Michelangelo/etc overwriting partition (PC) Re: TBScanX question (PC) Re: Tequila Virus (PC) Brush with No-Int (PC) Re: virus scanners (PC) Michelangelo, news and backup tapes (PC) Re: Origins of viruses Re: Viruses in Depth course Re: Virus Signatures and other research data? VIRUS-L.ZIP available VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 23 Mar 92 12:35:31 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: F-PROT warning: false positive? (PC) 0004839378@mcimail.com (Joshua Proschan) writes: > I just tried scanning a program diskette using f-prot 2.02d; just to > see what would happen, I tried a heuristic scan of all files on the > diskette. The program produced a long report, flagging all of the > text files as containing illegal instructions (reasonable), and ended > with an alert message saying it had found a stealth virus in memory. > Is this a false positive, or should I be getting worried? (The > diskette checked clean under the f-prot full scan.) > A related question: f-prot identifies nearly all the Norton Utilities > programs and several Microsoft Word programs as exhibiting virus-like > behavior, when the heuristic scan is used. Is this also a false > positive? Yes, it's a false positive. In general: the heuristic analysers (F-Prot's analyser, CHECKOUT/BOOTID) are woderful tools for the anti-virus researchers (Mark, I'm still waiting for a version of your tools which can work on files), but they MUST NOT be used by the average users in their dayly scan procedures. I hereby refuse to give any explanation of the problem. You just must not use this mode, unless you perfectly know what it does. Otherwise we (the anti-virus researchers) will be flooded with questions and "suspicious" programs that caused a heuristic false positive. I sincerely believe that Frisk will remove this feauture in the next versions of his program and will make it available as a separate tool to the research community. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 12:57:59 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: INFO wanted: BBS methods of virus detection (PC) jkristof@lucpul.it.luc.edu (NiteLine) writes: > How safe is it to scan for viruses on a BBS. I run a BBS, but I > usually take the line off-hook, shut down all my running programs > (including DESQview) and scan the uploaded files. It is both overdone (you don't need to shut down everything for just scanning the uploaded files) and underdone (just scanning can catch only known viruses). > There are some > BBSes that scan the upload automatically as soon as it is recieved. > Is that safe? Yes. For known viruses only. But your method won't catch a new virus either. > Wouldn't the virus be able to infect the BBS program if > one is detected. Depending on the type of virus of course. No way. The virus code must be executed in order to infect your system. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 13:19:09 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: McAfee 8.3B86 and EDV - *HELP* (PC) nils@f109f.mil.se (Nils Hammar) writes: > I was thinking about the EDV-virus, since EDV with the eight bit set, > and using the ISO 8859-1 character table will result in the > swedish/finnish national characters in their major form and in > alphabetical order, I am wondering about the origin of this virus, and > what it does. This may well be a coincidence, but it seems > interesting. -- nils@f109f.mil.se 4341@msg.abc.se Another coincidence is that EDV is the German equivalent of EDP (Electronic Data Processing). The EDV virus is French, however. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 13:20:59 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Measuring Michelangelo (PC) jmann@vineland.pubs.stratus.com (Jim Mann) writes: > I agree. However, I'm not sure that there will be a "next time we have > the public's attention." Most of the TV and radio stations I've > listened to have played up the Michelangelo scare as "the boy who > cried wolf." I have a feeling people aren't going to listen next > time. The next time (March 6, 1993), they probably won't. Since the virus continues to spread, this will cause much more hard disks to be wiped out than this year. That's why March 6, 1994 will be a good "next time"... :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 13:37:30 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Michelangelo Aftermath (PC) tstern@curtiss.SEAS.UCLA.EDU (Tsafrir Stern) writes: > I was reading today about the Mutating Engine 0.9. If anyone can > expand on this I'd be very appreciative (it sounds REALLY powerful). Yeah, it mutates damn well... And -is- powerful. But there is no such thing made by a man, that cannot be broken by another. > Basically, just like a real virus, this virus mutates each time it A lot of viruses already do that. They are called polymorohic. The problem with the MtE is that it mutates -too- well... :-( > copies itself. That way, it's (I believe) impossible to check for it > with standard virus checkers. It uses encryption/decryption, and so is Not impossible. Just damn hard. Currently there are three viruses, produced with the MtE 0.90-beta. SCAN 86-B is able to detect one of them (Pogue) in most cases (but still misses some). Dr. Solomon's Anti-Virus ToolKit is able to detect any virus, made with the MtE in most cases (but still misses some). The people who produced The Untouchable (BRM from Israel; they are -not- the company that markets the product) claim that they are able to detect -any- virus made with the MtE in -all- cases. They have promissed to provide a freeware detector for these viruses. > very hard to check for. Anyone know more about this?? Sounds like this > will be THE virus to watch out for (and pray once you get it) because > of its genious design. If it was THE virus, it wouldn't be such a problem... It is a problem, because it's a -toolkit- for building very highly mutating polymorphic viruses. So that just any kid (well, almost) can get it and produce his own polymorphic virus. And this is -much- more dangerous... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 14:21:14 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Need info on No-Int (Stoned) virus (PC) tapio@nic.funet.fi (Tapio Keih{nen) writes: > No-Int doesn't do anything except spread. But, when I was testing > virus scanners on the other day, I noticed that Scan 8.3B86 says that > all my disks which are infected with different versions of No-Int and > Stoned are all infected with No-Int (Stoned) virus. I'm sure that Yeah, as I have noted several times, Scan is only reliable in telling whether an object is infected or not. It's pretty good on that. Anything else (the exact name of the virus, it's properties, to which viruses it is related) is often wrong. > previous versions of Scan did make a difference between those viruses. Yep, John has "optimized" his signatures... :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 15:11:05 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Novell Anti-Virus??? (PC) gary@sci34hub.sci.com (Gary Heston) writes: > The reason I specify one network drive is that F-Prot will change to > the root of *every* mapped drive, and scan the entire volume. This > results in a much longer execute time than is necessary, as things > get scanned several times. You should be able to circumvent this by telling it to scan only the current directory of the drive (and downwards), like in f-prot z:. /trojan /noboot Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 15:45:25 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Protection from boot-sector viruses (PC) ether@bencd.gedlab.allied.com writes: > For each PC, determine where is the ROM code which services int13 > to load the MBR into memory during the boot process. Then use > that code in your VET program instead of calling INT13 to read > the MBR. i.e: The general idea makes sense, indeed. Especially if improved as you are suggesting. I only didn't like that the program (as far as I understood) "corrects" the boot sector if it thinks it's wrong. This must be done only when the user explicitely requests it, and the original contents of the corrected boot sector must be saved in a file. I hate the "I know better what programs you must be running" approach. > How do you find the Int13 entry point? Simple, really. Use > DEBUG to search system ROM for typical int13 code, and try it: > C:>DEBUG > - - s f000:0 l FFFF 80 FA 80 Good guess... But totally wrong. :-) On my XT the INT 13h handler for the hard disk is on the hard disk controllers's EPROM and is at address 0C800:0000h. > look at the first offset reported, and back up a byte (or two) if > the preceeding bytes are FB (or FC). That will be your entry > point. Un-assemble the code to make sure it looks like an > int13 service routine, then try it. Are you serious is proposing the average user to perform the above operation, in order to install the anti-virus program? The same user who can't make the difference between a boot sector and a partition table and between a virus and a spreadsheet? > Another (sure-fire) way is to write a small machine-code program > to replace the boot sector of a diskette. This program just > grabs the Int13 vector (before DOS or any virus can change it) > and displays it on the screen. Boot off this diskette, write the > value down, remove the special diskette, and re-boot the PC. Voila. This sounds much better. Another idea is to trace INT 13h (like some viruses do). A program that does this, called ShrDog, can be found at our ftp site (ftp.informatik.uni-hamburg.de, IP=134.100.4.42, pub/virus/progs/shrdog.zip). Warning - it doesn't seem to work with DR DOS 6.0. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 16:03:16 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: SCAN + VIRx Conflict (PC) sdh@po.CWRU.Edu (Scott D. Heavner) writes: > Here's the situation. Yesterday, I decided to check > everything for viruses, especially Friday the 13th. I used VIRx (by > Microcom) and SCAN V80. When I stopped VIRx with ^C and run SCAN, > SCAN reports the presence of a TAIWAN 3 virus and says shut everything > down immediately. Which I did and then spent the next two hours > proving to myself that I didn't have a TAIWAN virus. My guess is that > SCAN was picking up the virus ID clip that Virx was using. This did > not occur if I allowed VIRx to complete its operations normally (i.e. > I didn't hit ^C). Well, Ross, I guess you didn't expect that a user will use your program in this way... :-) Will have to make the Ctrl-Break handler clean up the memory... > The other test I attempted was to dump the memory to a disk > file and then run both scanners on that file. This produced no result > from SCAN, but VIRx reported a Hacker2 virus (which was good because I > could page through the file and found SCAN's virus ID table intact). > VIRx seems to stop after the first occurence of a virus because it > should have reported hundreds. Strange, Scan is supposed to never decrypt its scan strings... It should encrypt the scanned data instead... At least it was this way the last time I looked at it... > 1) Do SCAN and VIRx look for the same key pieces of virus? (How similar > would their ID tables look?) Nobody knows for sure, since both John McAfee and Ross Greenberg do not disclose the scan strings that they are using. But, since you claim to have found the signatures in the memory dumps, you should be able to compare them and see which are the same... > 2) Why won't SCAN detect its own table when encountered in a file? Because it's intelligent enough to encrypt it. > 3) Do scanners typically encode the ID clips so that they don't appear > as viruses until decoded? Intelligent scanners - yes. Silly scanners (like CPAV) - no. That's why they (the silly ones) cause false positives. The even more intelligent antivirus programs don't scan the file for the signatures; they look for them only at the places where they should be. > If they don't, do they alter the clip after > they have completed the scan so that all those pieces won't still be > in memory. The intelligent scanners are supposed to do so. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 16:12:14 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Stacker and viruses (PC) wales@CS.UCLA.EDU (Rich Wales) writes: > As I've said above, there is no reason to avoid Stacker or other com- > pressing disk drivers out of concern over viral infection. You just Oh, yes, there is one. Consider a virus which randomly overwrites sectors of the hard disk (e.g., Dark_Avenger.1800.Standard). Suppose that it does the dammage before the Stacker's device driver is loaded (or alternatively, does the damage to the drive, on which the large stacked file can be seen). Overwriting just ONE sector of the file, which contains the stacked volume, will damage the whole volume - just like damaging a few bytes in the middle of a ZIP archive damages the whole archive. Fortunately, Stacker comes with a wonderful utility, called SCHECK, which is able to repair the damage, or at least to minimize it. It is something like CHKDSK and PKZIPFIX combined. I'm not aware of the existence of such tool for SuperStor (the Stacker's alternative, which comes with DR DOS 6.0). The above said, I personally love Stacker and am using it without any problems. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 16:25:37 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Stoned/Michelangelo/etc overwriting partition (PC) FRYSTD@ACAD.LVC.EDU (Michael Fry) writes: > 1. Do CLEAN and F-PROT and NORTON and friends check for matching 1st > and 2nd FATs when they disinfect these viruses, offering to copy 2nd > FAT to first? (The damage is almost certainly in the 1st FAT, unless Nope, they don't. I have written a program, which does exactly that (checks whether the FAT copies are the same and if not can copy any of the FAT copies to all the others). If there is enough interest, I'll make it available for anonymous ftp at our site. > the disk is like a 10Mb with 8K clusters). Same question for > floppies, really, since sector 3 would usually be in the 1st FAT, too, > ain't? Well, Stoned actually overwrites the root directory of the floppies, not the FAT. > 2. Can it be relied on that FDISK or PART with newer DOS (like ver > 3,4,5) would start the partition later on the disk (18th logical > sector is what seems more "normal", so sector 1 of head 1 of cylinder Usually, yes. > 0)? So re-paritioning might reliably prevent file damage by > infection? Yep, but "re-partitioning" might need to include a low-level format. > 4. Has somebody out there got a simple "vulnerable to Stoned file > damage" testing program that reports the logical sector number of the > start of the 1st partition? FDISK doesn't quite tell everything you > want to know about your partitions. Norton Utilities provide signifficant information about the MBR. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 16:32:08 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: TBScanX question (PC) JHOPKINS@cbacc.cba.uga.edu (John D. Hopkins) writes: > What is the latest version of TBScanX? The latest I have seen is the > file TBSCNX29.ZIP. There are much later versions of TBScan. Is > TBScanX still being supported? Thanks. The latest one I know about is 3.0. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 16:48:17 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Tequila Virus (PC) jmadow@juliet.caltech.edu (Madow, Jessica) writes: > partition table). Anyone have any info on what will trigger it and > what it will do? The virus triggers some time after the initial infection has taken place. After four months, I believe... The effect is displaying a crude fractal image, written in text mode with the pseudographic characters. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Mon, 23 Mar 92 11:51:23 -0500 From: Doc Cottle Subject: Brush with No-Int (PC) Hi gang, After being SO pleased that my university only had 36 reported cases of Michelango and my college (which has networks into all 120 counties) had NO reports of Michelango, I did a dumb thing! I made drive "A" the current drive with an UNSCANNED floppy in it. I quickly realized my error and ran SCAN on the diskette: with it still in the "current" drive. Sure enough, it was infected (with "No-Int"). (We have a grad lab which is chronically infected with stoned - clean it every week!) While still logged on drive "A" I tried to clean the diskette and got a " ... EXE file error..." or something like that and got dumped back to the prompt. When I realized what I had done, I removed the diskette and cleaned it on another computer. I logged the original one back to the "C" drive but still couldn't activate CLEAN. Further checking uncovered a zero length CLEAN.EXE in the root directory. I'm 99.44% sure it wasn't there before this happened. I cold booted the machine from a clean, write protected floppy and scanned it. The hard drive was not infected, so the virus never got control. Did the virus make that zero byte entry??? Is logging to a drive with an infected diskette in it enough to activate a virus??? Any thoughts?? +- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- -+ | Darryl O. (Doc) Cottle | (606)257-7577 (work) or (606)231-6675 (home) | | Agricultural Economics | docottle@ukcc.bitnet / docottle@ukcc.uky.edu | | 431 Ag. Engineering #2 |----------------------------------------------| | University of Kentucky | "I don't know what I'm doin'! If I ever DO | |Lexington, KY 40546-0276| figure it out, I'll prob'ly go HIDE!!" | +- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- -+ ------------------------------ Date: 23 Mar 92 17:08:01 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: virus scanners (PC) scott.gregory@canrem.com (Scott Gregory) writes: > Unfortunately, it is dangerous to put a gun in the hands of a child, as > you have aptly demonstrated. By posting the scan codes that McAfee uses > for common viruses, you have assured us (the rest of the world) that in > short order, a slew of 'old' viruses with these codes changed will > sprout up to annoy everyone. Oh, don't worry... :-) He has "cracked" a -very- ancient version of SCAN. Since then, McAfee Associates have changed several times (1) some of the virus signatures they are using, (2) the encryption method, and (3) the encryption strategy. What really bothers me is that he succeeded to post on a moderated newsgroup... I would like to know how exactly he did it... > GR> What I found out was scan was just a simple hex searcher (that kept > GR>its data locked up till needed). It could also be fooled by any program > You were expecting maybe a computerized Sherlock Holmes? What else is a > virus SCANNER to do but SCAN for known viruses. Well, a lot more can be done. Like better detecting unknown variants of known viruses (F-Prot), better reporting related viruses (F-Prot), exact virus identification (Dr. Solomon's AVTK), more flexible wildcards (HTScan/TbScan), etc... > GR> One thing that I think is a good idea is when a program allows users > GR>to add new footprint data to it (like nortons' virus package). For now > Correct me if I am wrong, but McAfee works this way too. It has the Yeah, now. But he has cracked a version of Scan (64, if memory serves), which is from the stoned age - more than a year ago... :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Mon, 23 Mar 92 15:25:00 +0100 From: Martin_blas Perez Pinilla Subject: Michelangelo, news and backup tapes (PC) (Alternative Subject: Michelangelo, foolishes and backup tapes) As an example of the Michelangelo hysteria, here is the translation of a piece of news appeared on March 5 in several Spanish newspapers, but perpetrated by a local news agency (bracket-enclosed laughters are mine). - ----------------------------------------------------------------------- The attack virus 'Michelangelo' took place earlier and destroyed Uruguayan army Files It can affect seventy millions computers all over the world EFE [Local News Agency] LONDON. The computer virus 'Michelangelo', considered as one of the most destructive, may become active between today and tomorrow Friday in infected computers. According to Scotland Yard [:-)], a temporal solution [:-)] to avoid Michelangelo becoming active is program [:-)] the clock of the computer to March 7th, to jump the dates 5 and 6 when the virus can become active. Another possibility is not to use the computers during the day 6 [:-)]. Michelangelo acts deleting all the data stored in the memory [:-):-):-):-)] of the computer. Previously to Friday the sixth, Uruguay was a victim of the virus as a week ago [??] some files from the Army and from the Electricity National Company were destroyed. It is considered most likely that the virus came to Uruguay from Buenos Aires, by electronic mail [:-):-):-):-):-)] or data transmission network [:-):-):-):-):-)... also by telephone, fax and smoke signals]. The Army has lost all its documents of intelligence and spying [:-) meaning happiness]. The victims Sixty million [:-):-):-):-)] computers all over the world will be victims of Michelangelo on 6 March, which will wake up to relentlessly destroy all data stored in their memories [:-)]. Experts [:-):-):-):-)] from the main multinational companies [The main multinational companies have virus experts? I think that they only spread viruses] agreed that this is a especially [:-)] perverse virus, that will stand out in the history of computer terrorism. The experts [:-):-):-):-):-):-)] estimated that between 55 and 65 millions [:-):-):-):-):-):-):-)] personal computers worldwide have the tramp in their entrails in latent state, waiting for the clock to strike the sixth of March. In this way, Michelangelo, thus christianed because it will attack on the 517 anniversary of the genial Italian artist, has spread all over the world since it was discovered in Holland ten months ago. This virus enters clandestinely [:-) I have heard about some who first ask permission] in the computer and infects any program [:-):-):-):-)], that when used allows the virus to move to the hard disk [where was the program, to start with?]. - ----------------------------------------------------------------------- Moral: Since newspapers do not have virus experts, they ask for information to the main multinational companies... who don't have either. I wish to thank the help in the translation (and some wicked remarks) of Eduardo Sainz de la Maza, Julian Aguirre and J.J. Merelo. ------------------------------ Date: 23 Mar 92 15:14:57 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Origins of viruses kiae!rtech!vl!ALS@vl.ts.kiev.ua writes: > > I heard from the news that origins of virus points to Bulgaria. Is it > > true? And anti-virus activities started in Israel ? > Oh,no! While I agree that the first viruses and anti-virus programs (the - -very- first ones!) are of American origin, your statements need some corrections. > The fact is that before starting of Bulgarian virus storm there were > more than 100 viruses written all over the world Wrong. The first Bulgarian virus (Old Yankee) was written in November 1988 (I personally know the person who wrote it). At that time there were very few IBM PC viruses - Brain, Lehigh, Jerusalem (with the Suriv variants), Cascade, Vienna, Ping Pong. Maybe a couple more. > and 90% of them were written by US hackers. Wrong. Of the above, only Lehigh is of American origin. > Bulgaria added not more than 20 new viruses for them. About 180, if you count all the variants (as you seem to do below). This is 15 %. A bit too much for a single country, I have to admit, but certainly not "most of the viruses", as some journalists seem to claim... > Just now antiviral researches report about more than 1000 > different known viruses - from US, Europe, Japan, former Soviet Union. They are about 1200 right now... And I haven't merged the new ones that I just received; they are probably about 50 new ones... > Wait some years and we can get reports about viruses from Africa. No need to wait. We already have them. Republic of South Africa has produced several (extremely silly) viruses. > The same reasons are valid for anti-viral activity. American programmers > at first wrote some anti-viral products, all other - later. Right. The mistake of the original poster is caused probably by the fact that the first anti-virus program, which became known world-wide is the Israeli program UnVirus (used to disinfect the Jerusalem virus). > Shehovtsov Alexander, (8-044)266-70-28 (9:00 - 18:00 Kiev, Ukraine) voice > als@vl.ts.kiev.ua Relcom | 2:463/30.5 or 2:463/34.4 FidoNet Greetings to Nikolay Nikolaevitch! Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 16:57:12 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Viruses in Depth course suresh@iss.nus.sg (Suresh Thennarangam - Research Scholar) writes: > 1> Are there ftp sites where I can get scanners, monitors etc.? I am > interested in source code for anti-virus programs , especially monitor > programs. Try oak.oakland.edu, directory pub/msdos/trojan-pro. However, most people don't provide the source code for their anti-virus programs. And why are you interested mainly in monitoring programs? This is the weakest line of defense against the computer viruses... > 2> Has anyone come across hardware protection schemes ? Last year > a small Indian company demonstrated at the IT91 trade fair held here, an > anti-virus card that takes over the PC bus before the bootstrap and > thereafter monitors unauthorised memory access and other potential virus > activities. I haven't got their address but does anyone know of similar > devices ? Yep; there are several such devices. Their functions range from a simple write-protect switch for the hard disk, to sophisticated monitoring functions. One good device of this kind is the ThunderByte card. Unfortunately, it is usually possible to bypass -any- such protection. It is true, however, that it is not easy, and such cards (if well designed) are able to stop almost all of the current viruses, which to not target the cards speciffically. > 3> How and where can I get a copy of the most recent version of > Patricia Hoffman's virus information listing ? Available at oak.oakland.edu, file pub/msdos/trojan-pro/vsumx202.zip. > 4> I need some information on network issues of viruses. Is it possible, > for example,to bypass the read-only server options offered by 3COM, > Novell etc ?(personally I think so). Well, you are wrong. The file attributes used by Novell are an emulation of the DOS attributes and can be bypassed just as easily, but the file access rights CANNOT be bypassed. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 23 Mar 92 17:14:59 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Virus Signatures and other research data? FORRESTC@CC.SNOW.EDU (Forrest W. Christian) writes: > I was wondering if anyone could tell me where I could get the > following information. I would perfer an internet source. > 1) A listing of Virus Signatures..... Simtel20, directory pd1:, file VS[0-9]*.ZIP. > 2) Information on detecting and scanning for some of the stealth viruses, > like those that return the original boot sector when the boot sector > is read from the disk. The stealth viruses are nothing special. You just need to scan the memory first. If they are not found to be active, you can scan the files as with any other normal virus. The really tricky ones are the polymorphic viruses... > 3) Any other information that would be helpful in writing a public domain > virus detector. Maybe you should begin with looking at an already available and pretty good user-programmable shareware virus scanner? Take a look at HTSCAN16.ZIP (at Simtel20, same directory). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Sun, 22 Mar 92 03:40:00 -0500 From: HAYES@urvax.urich.edu Subject: VIRUS-L.ZIP available Hello. Just to announce the availability of VIRUS-L.ZIP, the Frequently Asqued Questions (and answers ) about virus, AV programs and related topics created recently under the direction of Ken Van Wyk. ----- Filename: VIRUS-L.ZIP Site: urvax.urich.edu, [141.166.1.6] (VAX/VMS using Multinet) Directory: [anonymous.msdos.antivirus] FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files. ----- Regards, Claude - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 73] *****************************************