To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V5 #203
--------
VIRUS-L Digest   Wednesday, 16 Dec 1992    Volume 5 : Issue 203

Today's Topics:

CARMEL Software (PC)
Re: Untouchable (PC)
Re: Untouchable (PC)
Re: Untouchable (PC)
Re: using %VARIABLE% with scan (PC)
Re: VSHIELD, VIRSTOP, ... comparison ? (PC)
Re: Vshield vs Virstop (PC)
Pink dos color -Virus? (PC)
Re: Newest and best scanner? (PC)
Re: Untouchable (PC)
Re: Filler virus (PC)
Jerusalem (Israeli) Virus (PC)
MS-DOS CHKDSK & why VER /R may not work (& something that might) (PC)
RE:Your missing command.com, config.sys & autoexec.bat (PC)
Stoned Virus (PC)
Does anyone have info on DAME? (PC)
Re: Vshield vs Virstop (PC)
OS2-stuff (OS/2)
SCAN for OS/2 uploaded to mcafee.COM... (OS/2)
CHRISTMA Wannabes 2 (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at: .

   Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 11 Dec 92 16:29:27 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: CARMEL Software (PC)

Final note - I was just looking at the memory after executing Central
Point Anti-Virus dated 6-15-92 (CPAV.EXE) and found the following
strings: "Central Point Anti-Virus...Authors: Eli Shapira...Yuval
Sherman", "CARMEL", "Anti-Virus Version 1.3", "CARMEL Software".

Well, Lotus used to have SMURF so why not.

Warmly,
Padgett

------------------------------

Date: 11 Dec 92 21:39:13 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Untouchable (PC)

@fuug.fi:kari.laine@compart.fi (Kari Laine) writes:

> If you look at the ads they are bolstering you don't have actually
> anything to worry. But if you have a look under the hood ....

As always, the ads are overstating the features of the product and do
not mention some of its drawbacks. Of course, it is possible to write
viruses that the product will not stop (and will even not detect). Of
course, its restoring engine cannot disinfect all kinds of viruses.
Nevertheless, the product is -very- good, especially the integrity
checking part of it.

> I personally think the claims they make are rubbish. I am sure it
> finds couple of viruses but to trust on it, well i won't

This is an unfounded understatement... The product can deal
successfully with WHOLE CLASSES of unknown viruses and is able to
detect ALMOST ALL types of known viruses.

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: 11 Dec 92 21:44:35 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Untouchable (PC)

RADAI@vms.huji.ac.il (Y. Radai) writes:

> Regardless of the exact number, there's a strong possibility that
> Vesselin's first statement above will be misinterpreted by some
> readers, who might think that being able to handle only "one third of
> them" (i.e. of the *infection methods*) implies being able to
> disinfect only one-third of the *viruses*. In case anyone did get

Yes, of course. One third of 17 known types of virus infection still
means an INFINITE number of unknown viruses that the product is able
to disinfect correctly.

Regards,
Vesselin

------------------------------

Date: 11 Dec 92 21:47:17 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Untouchable (PC)

RADAI@vms.huji.ac.il (Y. Radai) writes:

> When I said that companion viruses began to appear only in 1990, I
> meant those which appeared in "the wild". Correct me if I'm wrong,
> but I don't think that was true of TP_Worm (at least in 1989 and
> probably regardless of date).

Sigh... It depends on the definition of "in the wild"... It has been
"in the wild" in the Technical University of Sofia, at least for a
short time...

Side note... Till now we all thought that PATH companions are just a
theoretical attack and no such viruses exist yet. Looking carefully at
the source of the TP Worm, I see that it has been not only the first
companion virus, but also the first PATH-companion... When it is first
started on a clean system, in its "initial burst", it spreads a lot of
its spoofing bodies in up to 10 randomly selected directories from the
PATH variable...

Regards,
Vesselin

------------------------------

Date: 11 Dec 92 21:56:59 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: using %VARIABLE% with scan (PC)

craig@cadzook.columbiasc.NCR.COM (Craig.Williamson) writes:

> OK here is what I am trying to do:

> SET NETDRV=x:
> scan c: d: e: /date/report %NETDRV%\vir_rep

> The %NETDRV% is not getting replaced with x: like it should.

Hmm... Very strange... It -should- work... What does %NETDRV% get
replaced with? What DOS version are you using? What command
interpreter (COMMAND.COM/4DOS)? In any case, it is not a problem of
SCAN; it is a problem of the operating environment you are using...

[Moderator's note: I agree that this appears to be a problem with the
operating environment, and I'd like to request that follow-ups get
handled via e-mail, with the exception of a follow-up summary of the
solution (if anyone cares to post one).]

Regards,
Vesselin

------------------------------

Date: 11 Dec 92 22:04:01 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VSHIELD, VIRSTOP, ... comparison ? (PC)

mramey@u.washington.edu (Mike Ramey) writes:

> Is it possible that the three of you (McAfee, Frisk, and Slade) could
> cooperate to produce a point-by-point comparison of VSHIELD and
> VIRSTOP?

It is just not possible to do such a detailed comparison, because
there are features present in only one of the products.

> One of my questions is this: VSHIELD intercepts a keyboard reboot and
> checks for the presence of an infected diskette in the boot diskette
> drive; it does not allow booting from a (boot-sector?) infected
> diskette. Does VIRSTOP have this function? What other differences
> are there?

No, VIRSTOP doesn't have such a feature (yet). Other differences are:

1) VShield can check the authentication codes added to the files by
   SCAN /AV (it is a BAD idea to modify other people's files!) and
   refuse to run those that are not "checksummed". Unfortunately,
   this feature can be trivially bypassed (i.e., it is trivial to
   write a virus that adds a correct checksum to the file it infects).

2) VShield can scan a file while it is being copied. VirStop does not
   have such a feature yet, although Frisk has been promising it for a
   long time.

3) VShield uses much more memory than VirStop.

4) VShield can be swapped out to the disk, in order to reduce the
   amount of memory used. This slows down the loading of the programs.
   VirStop does not have such an option (although Frisk intends to
   implement it), but then the memory requirements for VirStop are
   much more modest.

5) VShield implements some kind of access control - you can tell it
   which programs are allowed to run.

6) VShield can be removed from memory (very BAD idea!).

7) VShield can be installed before a network shell is loaded. With
   VirStop, you must either install the program after the network
   shell, or run without protection. Frisk is expected to fix that
   problem soon.

Regards,
Vesselin

------------------------------

Date: 11 Dec 92 22:20:34 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Vshield vs Virstop (PC)

mcafee@netcom.com (McAfee Associates) writes:

> as789@cleveland.Freenet.Edu (Francisco J. Diaz) writes:
> >Hi All! I have a small question, Which antivirus TSR would you
> >recommend me to use? Vshield or Virstop? I have seen them both but the

> Isn't VIRSTOP a program by IBM for internal use by IBM employees only?

I guess he is referring to the resident scanner called VIRSTOP.EXE
from the F-Prot package. BTW, the IBM product is not "internal use
only" any more; they have released it as a commercial (but cheap)
product.

Regards,
Vesselin

------------------------------

Date: Sun, 13 Dec 92 00:41:32 -0500
From:
Subject: Pink dos color -Virus? (PC)

Help! My default dos foreground color is Pink not low intensity white.
Is this possibly a virus? I booted from a protected floppy master disk
- no change! Virustop runs but identifies no virus. My screen turned
pink in the middle of a Kermit download. I use Norton Control Center
and it indicates that my default color is a pink but in the low
intensity white position in the selection chart. I try to change the
color but when I exit to dos the default is back. Any ideas gladly
accepted.

------------------------------

Date: Thu, 03 Dec 92 18:16:00 +0000
From: Martijn_Janssen@f16.n314.z9.virnet.bad.se (Martijn Janssen)
Subject: Re: Newest and best scanner? (PC)

-->......They've really made a good job with these packages,
-->Vesselin, but I'd like someone else's opinion....maybe I'm
-->wrong.....

Sure they made a really good job on that latest version of Thunderbyte
5.01. What for sure is a nice thing, is that there is a cleaner
included.

-->....ciao!

Bye Bye.

Martijn.

--- FMail 0.92
 * Origin: EarthQuake BBS Amsterdam +31-(0)20-6939665 (9:314/16)

------------------------------

Date: Sun, 13 Dec 92 08:07:57 +0000
From: sai@kauri.vuw.ac.nz (Simon McAuliffe)
Subject: Re: Untouchable (PC)

Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod Kedem) writes:

> I've checked this package and I keep getting updates for it. Its
> ability to detect unknown viruses is *VERY* good and also its restore
> engine is good. I've seen it in action when the Emmie virus was
> found. Untouchable detected changes in the infected files and restored
> them without any delay. The restored files were 100% as the original
> uninfected files.

Earlier this year a representative from Fifth Generation Systems was
in New Zealand showing Untouchable off to the public. At that time I
had only seen fairly early versions of Untouchable and it definitely
was NOT untouchable. The newer versions are pretty good though.
Making random modifications to files or corrupting files doesn't stop
Untouchable from making repairs. Every time the files come out 100%
restored. I was quite impressed at the time.

While I am quite impressed with Untouchable, I know of some infection
techniques which it does not detect and cannot recover data from.
Untouchable is not completely generic and it is certainly not
untouchable. I imagine it won't be long before there are a number of
viruses using infection methods which Untouchable will not detect so
don't put too much faith into it.
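The Untouchable threads above turn on one idea: an integrity record taken while a file is clean catches any later change, and for some classes of change it also holds enough to put the file back. The following is an added illustration of that idea, constructed for this digest; it is not Untouchable's method nor code from any poster. The record keeps each file's size, SHA-256 and first 64 bytes (an assumed size), which is enough to undo a change that appends a body and patches the entry but not one that overwrites original bytes; the file contents are constructed stand-ins.

```python
import hashlib
from typing import Optional

HEAD_BYTES = 64  # how much of the file's original head the record keeps (assumed size)


def make_record(data: bytes) -> dict:
    """Integrity record taken while the file is known clean: size, SHA-256, original head."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "head": data[:HEAD_BYTES],
    }


def is_unchanged(data: bytes, rec: dict) -> bool:
    """Integrity check: any change in length or content shows up in the hash."""
    return len(data) == rec["size"] and hashlib.sha256(data).hexdigest() == rec["sha256"]


def try_restore(data: bytes, rec: dict) -> Optional[bytes]:
    """Generic restore for the appending class of modification: the original bytes
    past the stored head are assumed to still sit at their original offsets, so the
    file is cut back to its recorded size and the stored head is written back.
    The result is accepted only if it hashes to the recorded value; otherwise the
    change was of a kind this record cannot undo (e.g. original bytes overwritten)."""
    if len(data) < rec["size"]:
        return None  # shorter than the original: bytes are gone, nothing to cut back
    candidate = rec["head"] + data[len(rec["head"]):rec["size"]]
    return candidate if is_unchanged(candidate, rec) else None


# --- constructed sample data (not real programs) ---------------------------
# A stand-in "program": a few opcode-like head bytes followed by filler.
ORIGINAL = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21]) + b"constructed program body " * 40
RECORD = make_record(ORIGINAL)

# Simulated appending change: the first three bytes become a jump to a tail added
# at the end; everything in between is still in place.
_tail = b"\x90" * 300
APPENDED = b"\xE9" + (len(ORIGINAL) - 3).to_bytes(2, "little") + ORIGINAL[3:] + _tail

# Simulated overwriting change: the first 100 bytes are replaced in place, which
# destroys 36 bytes beyond the 64 the record kept.
OVERWRITTEN = b"\x90" * 100 + ORIGINAL[100:]


def report(name: str, data: bytes, rec: dict) -> str:
    """One-line verdict for a file: unchanged, restored, or unrecoverable."""
    if is_unchanged(data, rec):
        return f"{name}: unchanged"
    restored = try_restore(data, rec)
    if restored is None:
        return f"{name}: CHANGED, cannot restore from record (restore from backup)"
    return f"{name}: CHANGED, restored {len(data)} -> {len(restored)} bytes"


if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("appended", APPENDED),
                        ("overwritten", OVERWRITTEN)):
        print(report(label, blob, RECORD))
```

The overwritten case is the "cannot recover data from" situation McAuliffe describes: detection still works, but only a backup gives the bytes back.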
------------------------------

Date: Sun, 13 Dec 92 00:53:00 +0000
From: Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod Kedem)
Subject: Re: Filler virus (PC)

> Scan 99 detected "Filler" active in the memory of my computer.
> When I booted from a write-protected floppy the nasty virus was not
> found, no matter how many times I tried. By the way, I have CPAV
> constantly running and it did not detect anything wrong.
> Does anybody know anything about Filler ?
> What can I do to get rid of the virus ?

CPAV is known to cause SCAN to false alarm on some viruses. CPAV does
not encrypt its search strings, and those that match McAfee's strings
cause it to detect CPAV as a virus.

Nemrod Kedem, Authorized Agent of McAfee Associates.

--- FastEcho 1.21/Real!
 * Origin: Make Safe Hex! (9:9721/101)

------------------------------

Date: Mon, 14 Dec 92 12:44:01 +0000
From: soth@spock.uucp (Samid Hoda)
Subject: Jerusalem (Israeli) Virus (PC)

I need some information on the Jerusalem B virus as it has infected
almost every single file on my system. Does anyone know how it spreads
and how it spreads so fast? Any advice in getting rid of the virus
would be appreciated (except for a low level format as that is an
obvious option.)

-- 
soth@choate.edu

------------------------------

Date: Mon, 14 Dec 92 15:05:17 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: MS-DOS CHKDSK & why VER /R may not work (& something that might) (PC)

>From: Mike Ramey
>Subject: RE: Dangerous bug in CHKDSK that comes with MS-DOS 5.0 (PC) (fwd)

>I called Microsoft and requested the updated version for my computer
>labs, even tho' we have not encountered the failure conditions yet. I
>was told that in MS-DOS version 5.0a, the date on COMMAND.COM is
>11-11-91.

Just tried the VER /R trick after booting from a (relatively) old
floppy with IO.SYS, MS-DOS.SYS, and COMMAND.COM all dated 03-22-91
5:10a. Guess what the report was:

   MS-DOS Version 5.00 Revision A
   DOS is in low memory

Further, COMP finds no difference between this COMMAND.COM and the one
I just expanded from a new set of distribution disks that is dated
11-11-91.

However, COMP *does* find a difference between the earlier CHKDSK.EXE
and the one dated 11-11-91, which has a three byte change (to make
sure that the CH value is cleared ?)

Assuming that this is causing the problem, DEBUG will find the string:

   8b 4f 0f 8b f9    (MOV CX,[BX+0F]  MOV DI,CX)

at offset ds:263e in the "old" and

   8b 7f 0f 32 ed    (MOV DI,[BX+0F]  XOR CH,CH)

is at the same offset in the "new" CHKDSK.EXE. Both are 16,200 bytes
long.

Sounds like there may be more than one revision A (or why ver /r is
undocumented).

Warmly,
Padgett

Note: this was done without any advice/observations from Microsoft &
only represents what I found in minimal testing. Caveat y'all.

------------------------------

Date: Mon, 14 Dec 92 15:26:36 -0500
From: Jørgen Olsen
Subject: RE:Your missing command.com, config.sys & autoexec.bat (PC)

Are you sure you do not have a joker or a joke-program that does it??
It does not sound like a virus to me - anybody else who believes that
I am wrong ??

We had one clown that built such things into a program he released (a
Trojan Horse). He is no more!

Happy X-mas & hunting
J Olsen

------------------------------

Date: Mon, 14 Dec 92 11:32:02 -0700
From: Jahed Sukhun
Subject: Stoned Virus (PC)

I am using FPROT 2.06a. When I am checking the hard disk for viruses,
FPROT comes with a message:

   A NEW VARIANT OF THE STONED VIRUS WAS FOUND. NO ATTEMPTS TO DISINFECT.

It doesn't give a name to it or anything. I have FPROT set to the
following settings:

* Method           Yes
* Search           Yes
* Action           Disinfect/Query
* Targets
  - Boot Sector viruses          Yes
  - File viruses                 Yes
  - Trojans and Joke programs    Yes
  - User defined Strings         Yes
  - Packed Files                 Yes
* Files            All files

Any suggestions

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Jahed Sukhun, User Support Analyst    +  a2js@loki.cc.pdx.edu
Portland State University             +  (503) 725-3112
Office of Information Systems         +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

------------------------------

Date: Mon, 14 Dec 92 19:25:44 -0500
From: Dave Mickle x5205
Subject: Does anyone have info on DAME? (PC)

We've got a PC which is displaying a message to the effect it's
infected by the "DAME" virus. Don't know what symptoms there are in
addition to the message. We're going to do a low level format, but
would like to know what we've contracted.

-----------------------------------------------------------------------------
----David K. Mickle                                         darn, i sure
----if    !(BITNET) MICKLE@CSMCMVAX                         hate to see this
----then  (VOICE) 310 855-5205                              space go to
----else  (FAX) 310 967-0112                                waste
----while (Cedars-Sinai Medical Center, Los Angeles, CA USA)
----------------------------------------------------------------------------

------------------------------

Date: Tue, 15 Dec 92 01:02:59 +0000
From: ctwilson@rock.concert.net (Charles T Wilson -- Personal Account)
Subject: Re: Vshield vs Virstop (PC)

chess@watson.ibm.com (David M. Chess) writes:
>> From: mcafee@netcom.com (McAfee Associates)
>
>> Isn't VIRSTOP a program by IBM for internal use by IBM employees only?
>
>No, you're thinking of VSTOP, which is used internally in IBM, and is
>also available to people who buy the IBM Anti-Virus Service Offering.
>The most recent incarnation of this code is as the DOS Session Shield
>component of IBM AntiVirus/DOS and IBM AntiVirus/2 (it's no longer
>called "VSTOP" there).
>
>VIRSTOP is something else, I'm not sure exactly what.

Virstop is part of the F-Prot package..

-- 
/-------------------------------------------------------------------------\
| Tom Wilson                                                              |
| ctwilson@rock.concert.net                                               |
\-------------------------------------------------------------------------/

------------------------------

Date: Mon, 14 Dec 92 02:13:58 -0500
From: KARGRA@GBA930.ZAMG.AC.AT
Subject: OS2-stuff (OS/2)

Hi folks,

I have downloaded from MCAFEE.COM OS2SCAN and OS2CLEAN. I checked
OS2SCAN but not OS2CLEAN, as I don't have any viruses in my system and
hope to keep it so. I ran it on my home-PC, with 2 IDE HDs with HPFS
format. At work I have no OS2, but at home I even don't have a modem.

What I found to be improved:

1) You state in the documentation, that there are several switches,
   which do not exist in the OS2 versions. But if you invoke
   "OS2SCAN /? " you will see all switches available under DOS. You
   should update these pages of help.

2) After scanning is finished, the program asks constantly if I want
   more help. "OS2SCAN C: D:" does not ask for help, does it?

3) Watching the filenames that pop up for short, I got the impression,
   that OS2SCAN does not scan *.DLL, *.DRV, *.ADD files. You can
   correct this either with /A or /E switch. But these do belong to
   the standard executables and it should not be necessary to think
   about these. Probably there are more extensions to be included.

4) Did you think of the built-in undelete-function ? I hope the /D
   switch works correctly. You need to overwrite first, and then
   delete the file to ensure it does not survive as a deleted shadow.

5) A minor problem, but still annoying for OS2ers: VALIDATE should
   become a genuine OS2 program. For sure it does not need a fancy
   outfit, but why do I have to start a DOS session, just to see the
   results of VALIDATE ? If I invoke VALIDATE from an OS2-window a DOS
   window is created and closed immediately after it finished. I
   know, I could change the settings, but why do I have to do this
   for a single check ?

6) Another nice thing I miss is a background-scanner, that checks all
   incoming files, be they from floppy or modem or whatever. Probably
   you can't check what the floppy is reading, but you can do a check
   on all newly appeared files on HD. I admit, that I still have no
   idea, how to check files executed from floppy. But at least all or
   specified drives could be scanned every n minutes or on request.

7) Maybe a kind of *.INI file could help to maintain the settings
   like drives and directories to scan and a user-definable list of
   extensions and other often used options instead of writing them
   directly into OS2SCAN. I know of the parameterfiles you can
   create, but wouldn't an interactively created setup (like the one
   you have in WSCAN) look much nicer ?

8) SCAN for DOS rel.9.0 V99 (most recent on Dec. 12th, 1992) does not
   do anything within an OS2 DOS-box. Neither windowed nor
   fullscreen. Although I read the readme.1st and *.DOC, where I
   found a suggestion to use the /MAINT switch and/or the /AD option,
   it either told me it can not access my HPFS-drives (no options or
   /AD) or that D: is incompatible with /MAINT (/AD /MAINT) or no
   errors were reported for scanning drive C: (scan c: /maint), but
   nothing was scanned (no disk-access) and the program returned
   almost immediately.

9) In Virlist I found a passage for the fam*-viruses where no
   information is provided about their behaviour. Is this correct ?
   And if so, why ? I thought, that Mutation Engine is a .OBJ-file to
   be linked with viral coding. So DAME itself would not be a virus
   to be listed this way in VIRLIST.TXT. It would be better to
   introduce a new column for viruses using MtE.

10) I did some testing on F-Prot 2.06a too. The /NOBOOT switch is the
    thing to make it run on HPFS drives. What I miss in COMMANDS.DOC
    is the /EXT= switch to force scanning of other extensions.
    Especially within WINDOWS and OS2 we find extensions like *.DLL,
    *.DRV and the like. They should be scanned by standard too, as
    they contain executable code like any *.OV?. Also an example in
    the *.doc file for the /EXE= switch would be nice. I did not
    manage to make it recognise multiple extensions. Does it work
    and if so, what is the delimiter ?

11) A thing I could not recreate, but looking kind of funny: I did a
    heuristic scan on all drives and all files. No viruses found so
    far, but a suspicious file: my C-compiler (QC 2.5). It didn't say
    it looks like a virus or so, but there are opcodes which will
    make the program crash. "CRASH" was the word it used. Maybe due
    to the fact, that F-Prot checked for the CPU and found itself
    running within a virtual 8086. Frisk?

12) As Vesselin is getting sick of reiterating his answers on faqs:
    how about posting the last recent faq-list ? I think it is almost
    a full year, since the members of this list received one. Nobody
    seems to download and read it by him/herself. I suggest that faqs
    should be answered in a way like: email to "listserv@lehigh.edu"
    with the letterbody "get faq-list" (not exactly to be copied, but
    you know what I mean)

13) A more special question. I hope I didn't miss it in the faq-list:
    What is exactly a companion virus? I mean, under which
    circumstances does it infect and in which environments. Somehow I
    have the impression, they are especially dangerous within
    networks. Vesselin? Padgett? Anybody?

14) Sometimes even mailers seem to have their DEJA VU ... :)

Alfred JILKA

#############################################################################
Alfred Jilka                #  Geologic Survey, Austria
KARGRA@GBA930.ZAMG.AC.AT    #  OS2 is the worst OS I know,
                            #  but I don't know any better one ...
#############################################################################

------------------------------

Date: Fri, 11 Dec 92 11:24:46 -0800
From: aryeh@mcafee.com (McAfee Associates)
Subject: SCAN for OS/2 uploaded to mcafee.COM... (OS/2)

I have uploaded to mcafee.com pub/antivirus

OSCAN99.ZIP     SCAN for OS/2 Version 99 scans OS/2 PC's for viruses

VIRUSCAN for OS/2

This is the first release of SCAN for OS/2 (OS2SCAN). Like its
DOS-based counterpart, VIRUSCAN (for DOS), OS2SCAN searches PC's for
computer viruses. However, OS2SCAN contains several important
differences:

- Since OS/2 operates in a protected mode environment it can only
  check its own area of memory or "memory image" for viruses. Viruses
  in a DOS session or VDM will not be detected in memory by OS2SCAN.

- OS2SCAN checks "extended filenames" and HPFS-partitioned drives as
  well as DOS (FAT) drives.

- OS2SCAN does not have the /CHKHI, /M, /MAINT, /NOMEM, or /UNATTEND
  switches that VIRUSCAN does.

- The /SAVE switch does not modify the OS2SCAN.EXE file. Instead, it
  creates a SCAN.INI file.

- OS2SCAN does not return an ERRORLEVEL for DOS batch files.

OS2SCAN Version 99 detects all viruses the current version of VIRUSCAN
does and is otherwise similar to VIRUSCAN.

NOTE: OS2SCAN requires IBM OS/2 Version 2.00(GA) or above.

VALIDATE for OS/2

To validate the OS2SCAN.EXE file for changes and/or tampering, a new
version of the VALIDATE program has been created, OS2VAL.EXE. It
should be used to validate all OS/2 executable files, as the DOS-based
VALIDATE.COM will return incorrect information for Check Method 1 if
run against an OS/2 .EXE file.

OTHER OS/2 PROGRAMS

CLEAN-UP for OS/2 (OS2CLEAN.EXE) is still in the beta-test cycle and
should be available around the end of the month.

VALIDATE values are as follows:

SCAN FOR OS/2 V99 (OS2SCAN.EXE)   S:178,352  D:12-09-92  M1: 78A3  M2: 10CA
VALIDATE for OS/2 (OS2VAL.EXE)    S:39,824   D:12-09-92  M1: BFD6  M2: 09DB

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: aryehg@mcafee.COM
3350 Scott Blvd, Bldg 14  | FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California   | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA           | USR HST Courier DS   | or GO MCAFEE

------------------------------

Date: Fri, 11 Dec 92 14:03:00 -0800
From: rslade@sfu.ca
Subject: CHRISTMA Wannabes 2 (CVP)

HISVIRM.CVP   921022

                      CHRISTMA Wannabes - part 2

(continued from last week ...)

In December of 1988, VMS systems on DECNet networks were hit by a worm
based on a file called HI.COM. COM files on VMS systems are similar to
the REXX exec files and MS-DOS "batch" files. They are "programs" in
VMS DCL "source" code. HI.COM used the fact that DECNet nodes had, by
default, a standard "anonymous" account that could be used, by the
network and other machines, to gain limited access to a machine. This
account was able to start processes running. The process that HI.COM
started was intended to replicate, submit itself to other machines, to
inform a specific account at a specific site, and to wait until
midnight on December 24th, 1988, and then start mailing Christmas
greetings to all users. The content of the message and the
notification address seemed to indicate a German author with access to
an account in France. The first notifications of this infestation came
from the NASA SPAN network and the US Department of Energy's HEPNET.
HI.COM owed a number of features to the Morris worm. One was a
"stealth" technique, whereby the file was copied into memory and then
erased from the disk. Another stealth procedure used by HI.COM was the
use of a process name suggestive of normal mail routines.

Spring of 1989 saw a resurgence of interest in mutating the original
CHRISTMA on VM systems. A modified version (BUL EXEC) was released
from the EARN backbone site in Turkey on March 8, ORGASM EXEC was
released from Pennsylvania State University on April 4, and HEADACH
EXEC found at the University of Ottawa on April 8. DIR EXEC,
discovered November 1989, purported to be a version of the MS-DOS DIR
command for VM systems, but was a dropper for CHRISTMA. There was a
Turkish version EXEC in November 1990, called TERM MODULE, and a
reposting of CHRISTMA EXEC to alt.hackers in December of 1990. The
latest reported sighting was as GAME2 MODULE in January 1991.

The WANK/W.COM worm of October 1989, and its successor, owed most of
its inspiration (if you can call plagiarism inspiration) to the Morris
worm and HI.COM.

Finally, there was the XA1 Christmas Tree PC virus in March 1990.
Although it owed no technical or programming detail to any of the
network worms, it seems to have been written "in memoriam". It
contains (in German) the message, "And still it is alive : The
Christmas Tree !"

copyright Robert M. Slade, 1992   HISVIRM.CVP   921022

==============
Vancouver      ROBERTS@decus.ca         | "virtual information"
Institute for  Robert_Slade@sfu.ca      |  - technical description of
Research into  rslade@cue.bc.ca         |    marketing info disguised
User           p1@CyberStore.ca         |    as technical description
Security       Canada V7K 2G6           |  - Greg Rose

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 203]
******************************************
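Padgett's CHKDSK note earlier in this digest tells the two 16,200-byte CHKDSK.EXE builds apart by a five-byte sequence that DEBUG shows at ds:263e. The checker below is an added example written for this digest, not Padgett's code or anything from the list: it searches a CHKDSK.EXE image for either sequence and reports which build it is, plus whether the hit sits where Padgett's DEBUG offset predicts. The offset translation assumes DEBUG loaded the .EXE with DS at the PSP (so ds:OFF is OFF-100h into the load module, which follows the MZ header in the file); the images it is run on here are constructed stand-ins with an MZ header, not the real CHKDSK.EXE.

```python
import re
import struct
from typing import List, Optional

# Byte sequences Padgett reports at the same offset in the two CHKDSK.EXE builds.
OLD_SEQ = bytes.fromhex("8b4f0f8bf9")   # MOV CX,[BX+0F] ; MOV DI,CX   (unpatched)
NEW_SEQ = bytes.fromhex("8b7f0f32ed")   # MOV DI,[BX+0F] ; XOR CH,CH   (CH cleared)
REPORTED_SIZE = 16200                   # both revisions are 16,200 bytes long
DEBUG_DS_OFFSET = 0x263E                # where DEBUG showed the sequence (ds:263e)
PSP_SIZE = 0x100                        # load module starts 100h past the PSP


def mz_header_size(image: bytes) -> Optional[int]:
    """Header size in bytes from the MZ header (word at offset 8 is the size in
    paragraphs), or None when the image is not an MZ executable."""
    if len(image) < 0x1C or image[:2] != b"MZ":
        return None
    return struct.unpack_from("<H", image, 8)[0] * 16


def debug_offset_to_file_offset(image: bytes, ds_offset: int) -> Optional[int]:
    """Assumption: DEBUG loaded the .EXE with DS = PSP segment, so ds:OFF lies
    OFF-100h into the load module, which the file stores right after its header."""
    hdr = mz_header_size(image)
    if hdr is None or ds_offset < PSP_SIZE:
        return None
    return ds_offset - PSP_SIZE + hdr


def find_all(hay: bytes, needle: bytes) -> List[int]:
    """Every file offset at which needle occurs (non-overlapping)."""
    return [m.start() for m in re.finditer(re.escape(needle), hay)]


def classify_chkdsk(image: bytes) -> dict:
    """Which build the image looks like, and whether the evidence matches the note."""
    old_hits = find_all(image, OLD_SEQ)
    new_hits = find_all(image, NEW_SEQ)
    if old_hits and not new_hits:
        verdict = "old"
    elif new_hits and not old_hits:
        verdict = "new"
    elif old_hits and new_hits:
        verdict = "ambiguous"      # both sequences present: not one of the two builds
    else:
        verdict = "unknown"        # neither sequence: different file entirely
    expected = debug_offset_to_file_offset(image, DEBUG_DS_OFFSET)
    return {
        "verdict": verdict,
        "size_matches": len(image) == REPORTED_SIZE,
        "old_offsets": old_hits,
        "new_offsets": new_hits,
        "expected_offset": expected,
        "at_expected_offset": expected is not None and
                              (expected in old_hits or expected in new_hits),
    }


def constructed_chkdsk(sequence: bytes, header_paragraphs: int = 0x20) -> bytes:
    """Constructed stand-in for CHKDSK.EXE (not the real file): an MZ header of the
    given size, zero filler to 16,200 bytes, and the sequence at DEBUG's offset."""
    hdr_bytes = header_paragraphs * 16
    header = bytearray(hdr_bytes)
    header[:2] = b"MZ"
    struct.pack_into("<H", header, 8, header_paragraphs)
    image = bytearray(REPORTED_SIZE)
    image[:hdr_bytes] = header
    off = DEBUG_DS_OFFSET - PSP_SIZE + hdr_bytes
    image[off:off + len(sequence)] = sequence
    return bytes(image)


if __name__ == "__main__":
    for label, seq in (("old", OLD_SEQ), ("new", NEW_SEQ)):
        print(label, classify_chkdsk(constructed_chkdsk(seq)))
```

Against a real file, a hit that is present but not at the expected offset means the header size or DEBUG's segment setup differs from the assumption, not that the build is misidentified.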