VIRUS-L Digest   Tuesday, 30 Mar 1993    Volume 6 : Issue 52

Today's Topics:

Should viral tricks be publicized? (was: Integrity checking)
re: Telephones #s for BBS
Re: Disgust at the lack of interest in Atari Viruses (Atari)
Re: Disgust at the lack of interest in Atari Viruses (Atari)
Re: Catch from DIR? (PC)
Re: WordPerfect File growth etc. (PC)
could this be a virus? (PC)
RE: MICHELANGELO (PC)
Scanners and exe/com file compressors? (PC)
help-Maltese Amoeba (PC)
Re: Looking for OPCODE lists (PC)
Michelangelo (PC)
Re: Help with Michelangelo! (PC)
Boot-virus or false positive? (PC)
Windows Virus (PC)
Re: How to remove Lao Dong virus? (was: cluster pc 5)
1575 virus (PC)
Professional Group Virusized ! (PC)
Catch from DIR? (PC)
Re: HELP: Harddisk deteriorating rapidly (PC)
WSMR-SIMTEL20.Army.Mil archive switches to ZIP 2.0
FIXUTL4B.ZIP (PC)
Antivirals - Define "Best" (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Mon, 29 Mar 93 07:26:33 -0500
From: Y. Radai
Subject: Should viral tricks be publicized?
(was: Integrity checking)

>>> = Malte Eppert
>>  = Me
>   = Vesselin

>>> Then, Vesselin introduced the idea of a DOS file fragmentation
>>> attack. You could not detect that with a file-oriented CRC checker, too.
>>
>> First, Vesselin didn't introduce the idea. It was known to some of us
>> in 1988.
>
> Well, nevertheless it was me to -introduce- the idea to the general
> public, so that people are aware of the danger... I agree that you
> (and a few others) knew about it before, but you didn't publish it...
> I myself heard about it from a virus writer in 1990, so I decided that
> it is better to inform the good guys - since the bad guys already knew
> it... :-)

Ok, if you interpret `introduce' to mean *disclose to the public*, then I guess Malte's remark might be considered correct. However, I'm not sure if *he* was aware that you were not the one who first thought of the idea.

However, what you have written above raises a much more fundamental question: When one of the "good guys" learns of a trick, knowledge of which would help the bad guys as well as the good guys, under what condition(s) may he or should he disclose this trick in a public forum, where bad guys might also be listening?

For example, even though I knew of extension companions, path companions, the "fragmentation" attack, and "slow" viruses in 1988, I felt that it would have been irresponsible of me to describe them in Virus-L. (Those who were around then may recall that I simply stated that there are "loopholes".) Up to here, I think you agree with me.

However, you seem to be saying that your criterion for when to publicize info is that "the good guys should be informed about whatever the bad guys already know." There are two things that bother me about such a criterion:

First, you speak of "the bad guys" collectively, as if they all had exactly the same knowledge. If a few virus writers in Bulgaria know something, does that imply that virus writers all over the world know it?

For example, you learned (you say it was in 1990, but wasn't it really 1991?) that some Bulgarian virus writers were discussing the fragmentation attack. Does that mean that virus writers in other parts of the world also know about it? Perhaps you feel that it's safer to *assume* that they do, and that would justify your publicizing it. But isn't it possible that your assumption about their all knowing the trick (or learning of it within a short time) is not correct, and if it isn't, then maybe you're doing more harm than good by publicizing it? (Actually, the fragmentation attack was never a very practical threat, and won't even work on DOS 5 and up, but this is just an example.)

Secondly, I wonder if you're consistent in your criterion. As you know, there are books (e.g. Burger's and Ludwig's), underground electronic magazines (e.g. 40 Hex and Crypt), electronic forums (e.g. FidoNet), etc. which discuss such tricks. If, as you state above, the good guys should be informed about whatever the bad guys already know, why don't you encourage everyone on this forum to read such publications?

Please don't misunderstand me. I'm not criticising, but merely questioning. At this stage all I'm trying to do is to get you to formulate a criterion which will cover those and only those actions which you really consider legitimate (taking into account the above two points). Then we can discuss your criterion and compare it with alternative criteria.

Btw, it should be noted that on Fidonet there appeared an article describing tricks which can be used by virus writers to prevent tracing and disassembly of their code. The reason I mention this particular article is that it appeared under the name of someone who has been contributing to this forum recently, Inbar Raz. The article is called "Anti Debugging Tricks", and one of the virus writers found it useful enough to forward it to 40 Hex (Number 9).

Y. Radai
Hebrew Univ.
of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Mon, 29 Mar 93 09:51:50 -0500
From: mikael@vhc.se (mikael larsson)
Subject: re: Telephones #s for BBS

> Date: 26 Mar 93 12:28:49 +0000
> From: hq!fhi0055@dsac.dla.mil (Marc Poole)
>
> I'm looking for telephone numbers to call bbs for anti-viri
> information. I have site address that I can trade in return.
> However, ftp and telnet take a very long time to connect. If anyone
> has direct number to systems that allow modem dial-in it would be
> greatly appreciated.

Hello Marc,

I don't know if you're interested in this, but.. we have an antivirus BBS here in Sweden.. with lots of information about viruses and most of the common antivirus programs on the market (shareware of course) in the BBS...

Line1: +46-26 275710 - USRobotics HST Dual Std/V32
Line2: +46-26 275715 - USRobotics HST

> Marc Poole
> mpoole@hq.dla.mil

MiL

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre        Phone:  +46-26 275740   Email: mikael@vhc.se
Box 7018                 Fax:    +46-26 275720   or   : mikael@abacus.hgs.se
S-811 07 Sandviken       BBS #1: +46-26 275710   Fido : 2:205/204 & 2:205/234
Sweden                   BBS #2: +46-26 275715
Authorized McAfee Agent!

------------------------------

Date: 29 Mar 93 17:08:02 +0000
From: Sam Wilson
Subject: Re: Disgust at the lack of interest in Atari Viruses (Atari)

S12609@prime-a.plymouth.ac.uk (Trantor The Last Stormtrooper) writes:
> Being a virus researcher on the Atari ST, I feel that
> I must write to complain about the lack of interest in
> discussing Atari viruses.
...
> [[[ more deleted ]]]
>
> Has anyone out there (especially Atari people!) got any
> comments???

Discuss them! No one's stopping you! People in this forum can only talk about what they know. If you know about Atari viruses then tell us about them.
Sam Wilson
Network Services Division
Computing Services, The University of Edinburgh
Edinburgh, Scotland, UK

------------------------------

Date: Tue, 30 Mar 93 01:19:45 +0000
From: rslade@sfu.ca (Robert Slade)
Subject: Re: Disgust at the lack of interest in Atari Viruses (Atari)

S12609@prime-a.plymouth.ac.uk (Trantor The Last Stormtrooper) writes:
> Being a virus researcher on the Atari ST, I feel that
> I must write to complain about the lack of interest in
> discussing Atari viruses. I can understand why you talk

Well, if you are a researcher, tell us something about Atari viral programs. I, for one, am all ears. I know very little about the Atari: I'd love to have some more details. What *is* a "link virus"? Is it like a file/program infecting virus on MS-DOS? Is it more like a companion/spawning virus?

This is an old complaint. The answer is always the same. We talk about what we know: this is a forum for sharing information. The lack of discussion about system X is due to the usual cycle: no one talks about system X because no one here is using system X because no one is talking about system X. Talk, and more of your colleagues will come.

==============
Vancouver        ROBERTS@decus.ca
Institute for    Robert_Slade@sfu.ca
Research into    rslade@cue.bc.ca
User             p1@CyberStore.ca
Security         Canada V7K 2G6

------------------------------

Date: 26 Mar 93 11:02:37 -0800
From: a_rubin@dsg4.dse.beckman.com
Subject: Re: Catch from DIR? (PC)

cftdl@ux1.cts.eiu.edu (Terry Lundgren) writes:
> I have received some excellent replies to my posting on catching
> a virus. Basically the question is this: Assume my system is
> clean and I have an infected disk. I put the disk in the drive
> and do a DIR. Then I take the disk out. Can my system be
> infected now?
> The responses are running about 1/3 saying no way and 2/3 saying
> it is possible.
> I would really like to get a definitive answer.
> If a virus can be passed in this way, would someone please
> describe how it might happen? Or not.

(1) Not on a PC. Nothing from the disk is ever executed.

(2) On a Mac, maybe. I can't give a definitive answer, but I believe a disk driver or file system can be loaded from the disk, and THAT could be infected.

--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com  70707.453@compuserve.com  arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

------------------------------

Date: Sat, 27 Mar 93 02:42:47 +0000
From: dhartung@chinet.chi.il.us (Dan Hartung)
Subject: Re: WordPerfect File growth etc. (PC)

seborg@first.org (Brian Seborg) writes:
> I have seen the same problem with WordPerfect file growth in a Banyan
> environment. We have traced it to users exiting WordPerfect abnormally.
> Meaning that they either use cntrl-alt-delete to exit, or they turn off their
> machines while still in WordPerfect. This causes WordPerfect to create a huge
> file sometimes in excess of available disk space. The only way to prevent
> this from happening is to educate your users not to abnormally exit from
> WordPerfect. This is a known bug by WordPerfect, I imagine that they will
> address it in the next release if enough people complain.

There are problems related to abnormal exits from WP5.1 -- I haven't seen "huge files" but we do occasionally get situations where a user is locked out of their own SET file by Novell Netware.

But the file-growth problem (of about 2K each time) is different. WP seems to be making multiple copies of the header information for fonts, printers, styles, and so on. (If you look at the file with DISKEDIT or the like this can easily be seen.) It only seems to happen to certain files under certain situations. It is a WordPerfect "behavior", however, and no virus causes it.
--
Dan Hartung | dhartung@chinet.chi.il.us | Birch Grove Software
The Presidential Towers complex here in Chicago is bounded by four streets: Jefferson, Adams, Monroe ..... and Clinton!  Ask me about Rotaract!

------------------------------

Date: Fri, 26 Mar 93 22:21:51 -0600
From: tom mckibben 2
Subject: could this be a virus? (PC)

This was originally posted on comp.os.msdos.pcgeos but it looks like it might belong here. Can anyone help this guy out?

=========================================================================
From: zjiang@metz.une.edu.au (ZHUHAN JIANG)
Newsgroups: comp.os.msdos.pcgeos
Subject: Help on 486PC problem
Message-ID: <506@grivel.une.edu.au>
Date: 27 Mar 93 01:22:12 GMT
Sender: usenet@grivel.une.edu.au
Organization: University of New England, Armidale, Australia
Lines: 28
Nntp-Posting-Host: metz.une.edu.au

I am having trouble with my 486 PC machine. I was wondering if anyone can shed some light on the matter. The problem is that my two floppy drives (5 1/4 and 3 1/2) failed *simultaneously* during a machine-to-machine file transfer done by a friend of mine. My PC has since ceased to read data from either of the floppy drives, screaming 'data reading error' for a formatted disk and 'general reading error' for an unformatted disk. The machine, under DOS 3.3, is working as usual on the hard disk. But I can neither read from nor directly reboot from the floppy drives. I have looked at my CMOS configuration at boot time; the disk configurations are correct. I firmly believe that the problem lies in software or configuration, as I can hardly believe that both drives physically failed at the same time when no violent physical impact was experienced by the PC.

If you have any idea or advice on how to locate the problem with my PC properly, please give me some suggestions - big or small, complete or incomplete - all of them will be greatly and equally appreciated.

Thank you very much for your efforts
Zhuhan

------------------------------

Date: Sat, 27 Mar 93 12:30:27 -0500
From: mikko.hypponen@compart.fi (Mikko Hypponen)
Subject: RE: MICHELANGELO (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
> BTW, I am very curious how many Michelangelo hits have happened
> this year...

Yesterday (25th of March) I consulted one Finnish company that was hit. One of their employees went to work on Saturday the sixth and turned his machine on. The machine did not boot. They had no idea that a virus might be the cause of this. They tried to recover the drive but, as one might expect, were unable to do it. So they posted the hard drive back to the manufacturer in the USA.

What makes this case more interesting is that the hard drive in question was quite large: over one gigabyte. The workstation (a fast 486) was used for pre-press production and needed big storage space. Unfortunately there were no current backups of the contents of the 1GB hard drive -- but the employee who got hit says there's no problem as he "can easily recreate almost all of the lost data".

The Michelangelo connection was found out almost three weeks later as one of the workers ran antivirus software on his machine, which was also infected. The source of the infection seems to be an original infected diskette received directly from the USA. The software in question is a rare special-purpose program. The manufacturer has been notified about the problem.
---
mikko.hypponen@compart.fi / mikko.hypponen@mpoli.fi
Mikko Hypponen // Data Fellows Ltd's F-PROT Support, Finland
PGP 2.2 public key available, ask by e-mail
----
+-----------------------------------------------------------------------+
| Delivered by: ComPart BBS Finland +358-0-506-3329 19 lines V.32bis    |
+-----------------------------------------------------------------------+

------------------------------

Date: Sun, 28 Mar 93 21:51:57 +0000
From: phil@wearbay.demon.co.uk (Philip Coull)
Subject: Scanners and exe/com file compressors? (PC)

I have been reading comp.virus for a while now, and find it most informative and interesting (apart from some of the nit-picking on definitions!).

Anyhow, I have a question which I have not seen asked, and which is not in the FAQ: Do virus scanners "unpack" exe/com files that have been packed/compressed? If they do, how do they cope with all the various packing programs? I'm absolutely sure that most "average" users are totally unaware that some of their executables are modified in such a way. Does it compromise the ability of scanners? I've never seen the ability of scanners to deal with such programs mentioned in any reviews.

Even more worrying is the following quote from PKWare's PKLite documentation, when discussing the Professional PKLite version:

   It uses a slightly different algorithm, which also scrambles the
   executable file. This scrambling makes the executable data more
   resistant to disassembly or "reverse engineering" procedures. After a
   file is compressed using this method, it cannot be expanded to match
   the original executable file.

What if a virus writer managed to deliberately "distribute" his virus within such a file, would any scanners ever find the offending file???
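[Editor's added example, following the question above. This is not code from Philip Coull's post nor from any scanner vendor.] A signature scanner that does not unpack sees only the decompressor stub of a packed program, not the code it will execute, so the least it can do is recognise that a file is packed and route it to an unpacker or a behaviour check. The Python below parses the DOS MZ header, locates the load module and entry point, and applies two heuristics: Shannon entropy of the load module (compressed or scrambled code approaches 8 bits/byte, plain 8086 code and data sit well below that) and a packer marker string in the header area. The marker strings and the 0x1E offset are assumptions made for this example, not a specification of PKLITE's or any other packer's layout; the three sample executables are constructed in the file itself.

```python
"""
Packed-executable triage for DOS MZ files (added example, not from the post).

Heuristics:
  1. Shannon entropy of the load module (everything after the MZ header).
  2. A packer marker string in the header area.  PACKER_MARKERS and the
     0x1E offset used by build_mz() are assumptions for this example.
All sample executables are constructed below; nothing is read from disk.
"""
import hashlib
import math
import struct

# MZ header: e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
#            e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno  (28 bytes)
MZ_HEADER = struct.Struct("<2sHHHHHHHHHHHHH")
PACKER_MARKERS = (b"PKLITE", b"LZ91", b"DIET")   # assumed strings, see docstring
ENTROPY_THRESHOLD = 7.0                          # bits/byte; tune on a real corpus


def parse_mz(data: bytes) -> dict:
    """Locate header, load module and entry point from the MZ header fields."""
    if len(data) < MZ_HEADER.size:
        raise ValueError("too short for an MZ header")
    (e_magic, e_cblp, e_cp, _crlc, e_cparhdr, _min, _max,
     _ss, _sp, _csum, e_ip, e_cs, _lfarlc, _ovno) = MZ_HEADER.unpack_from(data, 0)
    if e_magic not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    header_len = e_cparhdr * 16
    # e_cp counts 512-byte pages; e_cblp is the number of bytes used in the last page.
    image_len = e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp
    return {
        "header_len": header_len,
        "image_len": image_len,
        "entry_off": header_len + e_cs * 16 + e_ip,   # file offset of the first instruction
    }


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(data: bytes) -> dict:
    """Report whether the file looks packed, and on which evidence."""
    hdr = parse_mz(data)
    body = data[hdr["header_len"]:hdr["image_len"]]
    head = data[:hdr["header_len"]]
    marker = next((m for m in PACKER_MARKERS if m in head), None)
    ent = entropy(body)
    return {
        "entropy": round(ent, 2),
        "marker": marker.decode() if marker else None,
        "entry_off": hdr["entry_off"],
        "packed": marker is not None or ent >= ENTROPY_THRESHOLD,
    }


# --- constructed samples (not real programs) ---------------------------------

def _pseudo_random(n: int, seed: bytes = b"packed") -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out, cur = bytearray(), seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return bytes(out[:n])


def build_mz(body: bytes, marker: bytes = b"") -> bytes:
    """Wrap a load module in a 64-byte MZ header with CS:IP = 0000:0000."""
    total = 64 + len(body)
    hdr = bytearray(MZ_HEADER.pack(b"MZ", total % 512, (total + 511) // 512, 0, 4,
                                   0, 0xFFFF, 0, 0x100, 0, 0, 0, 0x1C, 0))
    hdr += b"\0" * (64 - len(hdr))
    if marker:
        hdr[0x1E:0x1E + len(marker)] = marker       # assumed marker position
    return bytes(hdr) + body


# mov ax,4C00h / int 21h plus a text string: the kind of bytes a plain program holds
PLAIN_EXE = build_mz((b"\xB8\x00\x4C\xCD\x21" + b"Hello, world$") * 200)
PACKED_MARKED_EXE = build_mz(_pseudo_random(4096), marker=b"PKLITE")
PACKED_UNMARKED_EXE = build_mz(_pseudo_random(4096, b"scrambled"))   # marker stripped

if __name__ == "__main__":
    for name in ("PLAIN_EXE", "PACKED_MARKED_EXE", "PACKED_UNMARKED_EXE"):
        print(name, classify(globals()[name]))
```

The marker check answers the "known packer" case, where a scanner can run the matching unpacker and rescan; the entropy check is what catches the case the question worries about, a stub whose marker has been edited out or a "professional" scrambled image, and a file flagged on entropy alone with no recognisable stub is exactly the one to hand to an emulator or to run under a monitor rather than declare clean.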
---------------------------------------------------------------
Philip Coull G3XVY
phil@wearbay.demon.co.uk
CI$ 76046,332

------------------------------

Date: Mon, 29 Mar 93 01:53:58 +0000
From: smasilam@midway.ecn.uoknor.edu (Senthilamudhan Masilamani)
Subject: help-Maltese Amoeba (PC)

A file I have is infected with the Maltese Amoeba. I installed Norton Desktop for Windows 2.0 and installed the Norton Anti-virus. For some stupid reason, I scanned a disk I had and NAV reported a strain of the Maltese Amoeba. The latest McAfee scan did not report the virus (version 102?). Luckily I haven't executed the infected .exe file yet (I think; no problems with my system so far. I had a low memory problem, but running QEMM 6.02 Optimize corrected the problem). But NAV won't repair the file; I think it has to have info on the infected file prior to infection. I don't know, I haven't looked at the docs yet. If so, what a lame program: suppose you scan a file you just got and it is infected (like in my case), you won't have a record of the file prior to infection. Is there any anti-virus program out there that will id the virus and clean it? I don't want to lose the file if possible.

Thanks,
Sm

------------------------------

Date: Thu, 25 Mar 93 16:54:00 +0100
From: Kees_Boss@f0.n462.z9.virnet.bad.se (Kees Boss)
Subject: Re: Looking for OPCODE lists (PC)

-=> Hello Charles, You had a question:

CH> My question:
CH> What are some opcodes that have two possible numeric values?
CH> This is for the 80x86 family of machines.

I guess these are the mnemonics you are looking for:

  MOV reg,reg
  XOR reg,reg
  OR  reg,reg
  ADC reg,reg
  ADD reg,reg
  SUB reg,reg
  SBB reg,reg
  CMP reg,reg
  AND reg,reg

reg = any register, both 16-bit and 8-bit, but NOT a segment register.

The opcodes for these instructions are two 8-bit bytes, built according to this scheme:

             byte 1                            byte 2
  7_________________________0      7_________________________0
  |. |. |. |. |. |. | d | w |      | 1 | 1 |. |. |. |. |. |. |
   i n s t r u c t i o n           mod field  r e g 1  r e g 2

  d         : direction; if 1, the operation result goes into reg1
  w         : word; if 1, then it is a word operation
  mod field : both bits 1 in the case of a register-register operation

  codes for reg     W = 1     W = 0
       000           AX        AL
       001           CX        CL
       010           DX        DL
       011           BX        BL
       100           SP        AH
       101           BP        CH
       110           SI        DH
       111           DI        BH

So, if you swap the d-bit and reverse the reg1 & reg2 codes you have two opcodes that perform exactly the same task!

For OR AX,BX the two possible opcodes are:

   instr  d w mod r1  r2
  000010  0 1 11 011 000  = 09 D8
  000010  1 1 11 000 011  = 0B C3

I hope you got the idea; it is a bit hard to explain.

Kees.

.. Luc. 6:45.

---
GoldED 2.41/FMail 0.93e+
* Origin: -=[ Quest For Data BBS +31-40-854657 ]=- (9:313/6.0)

------------------------------

Date: Sat, 27 Mar 93 05:15:11 +0100
From: Chris_Franzen@f3020.n491.z9.virnet.bad.se (Chris Franzen)
Subject: Michelangelo (PC)

>> Oh come on. There is NO town in Germany where Mich could not be
>> found.
> The question was: where did it hit :-) So far I know about three blank
> hard disks.

Uh ok. Yesterday, we (the PC manufacturing company I work for) received a 40 MB hard disk from a German distributor. It seems it was infected with Mich. We checked three additional disks from the lot (~30-40 HDDs). None found. So you can add *at* *least* 1 to your Mich hits highscores.

The infected HDD was returned by the customer who received it. He was unable to make it bootable. He checked all disks (including, and especially) & all floppy disks - no Mich found. It looks like Mich was on the HDD when it reached our house. At that time, there was no partition on the HDD. Crazy. Horrible.

> cu!
> eppi

Chris, The Blast I

---
GEcho 1.00/beta+
* Origin: You wanted junk -- so I drop some. (9:491/3020)

------------------------------

Date: Mon, 29 Mar 93 05:20:23 -0500
From: "Michal Weis (Infi)"
Subject: Re: Help with Michelangelo! (PC)

How to recover a computer after Michelangelo's action.
Recommended tools - Norton Utilities 6.0: Norton Disk Doctor, Diskedit, Disktool, Unerase.

* At first, the best way when Miki is activated is to turn off the computer as soon as possible.

* Miki's action: on 6th March he (after re-booting) overwrites the disk with data from memory (address 5000:5000 - undefined bytes in memory). He overwrites the first 255 tracks of hard disk 0 completely (all sectors on all heads). It starts from track 0 (of course) up to 255 (if you didn't turn him off before he finished...).

* Result of action: you can't boot from the hard disk (the computer probably stands still after it), and after re-booting from a system disk in A: the hard-disk drives (C:, maybe D: etc.) are non-accessible.

* Possibilities to recover data: data after track 255 (or before, if Miki was turned off) are o.k., but low data are overwritten and there is no way to repair them.

* Lost data & partitions: If your disk was divided into more partitions (HD 0 was disk C:, D:, maybe E:), and the other partitions on the disk are further than 255 tracks, they are o.k. (but un-accessible in this step). Data about disk partitions was destroyed very first; it means that you can't access other partitions.

* How to recover partitions: If you have a backup of your partition table (created e.g. in Disktool's "Create Rescue Disk"), refresh your partition table from the floppy disk. If you don't have a backup of the partition table, you must create a new table that is the same as before. Run Norton Disk Doctor, and he will try to make the disk table o.k. - he searches for partitions and puts them into the 1st sector with the loader program.

* After re-booting from floppy again, the other partitions (if they are situated after track 255) should be done and fully working.

* Recovering data on the first partition: If you have a backup created via Disktool, you can recover the boot sectors too. If not, you must create the boot sector of the first partition. It was probably situated at sector 1, track 0, head 1 (as usual). If Disk Doctor didn't repair it, you must create it e.g. this way: copy the boot sector from any disk media (floppy): create two windows in Norton's DiskEdit; in the first of them put the hard disk's physical sector 1, head 1, track 0; in the second the floppy's physical sector 1, head 0, track 0. Copy one sector from the floppy to the hard disk (via Ctrl-B,