To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #64

--------

VIRUS-L Digest   Friday, 16 Apr 1993    Volume 6 : Issue 64

Today's Topics:

Re: Sending viruses over Internet/Fidonet
Re: Beneficial/Non-Destructive
Re: Survey
Re: Scanners getting bigger and slower
Macintosh [and non-PC] Postings
Re: Should viral tricks be publicized?
What is a fragmentation virus
Re: Censorship/40-Hex
Removing PingPong virus from boot sectors (PC)
VSUM (PC)
McAfee latest version (PC)
Re: VSUM (PC)
Re: gerbil.doc virus (PC)
Re: Help with Michelangelo! (PC)
Re: "DIR" infection, or "Can internal commands infect" (PC)
Re: Censorship/40-Hex (PC)
Re: "DIR" infection, or "Can internal commands infect" (PC)
Re: McAfee latest version (PC)
Re: New (?) virus ? (2294) (PC)
Re: Scanners and exe/com (PC)
Re: Scanners and exe/com (PC)
Virus Defense Activated - System Halted ??? (PC)
re: Virus Buster (PC)
FTP Available Virus Protection (PC)
Single state machines and warm reboots (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU.

Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .
Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Wed, 14 Apr 93 12:06:06 -0400
From:    Donald G Peters
Subject: Re: Sending viruses over Internet/Fidonet

One additional concern that I have with Fidonet is that there has been at least one "bug"(?) in a Fidonet program which allowed the author(s?) of the well-respected program to log in to any BBS running their software as a privileged user. Naughty stuff. I s'pose life is a risk, though.

I liked David Hanson's argument with VB that people should have access to 40-Hex. May I suggest that the good guys at least limit distribution of 40-hex to poor quality photocopies (to prevent scanning) and keep a master copy of the good-guy mailing list. Okay, that idea causes extra work, but it would help to prevent the spread of the rag to anonymous bad guys, at least electronically. Personally, I would think it is fair to email it to anyone with a government Internet address (is this reasonable?) or to anyone that one thinks is probably a good guy. Life's a risk.

Of course, I have not yet seen 40-Hex. If it also contains material on how to commit crimes (eg, I have seen an email mag which tells people how to commit murders) then I may change my mind. Somehow I don't think writing a virus is as bad as committing a murder. Right now I would equate virus magazines with gun magazines. In theory, no harm done.

------------------------------

Date:    Thu, 15 Apr 93 09:13:24 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Beneficial/Non-Destructive

kari.laine@compart.fi (Kari Laine) writes:

> First if virus would come to my system and start infecting my
> programs I wouldn't like that all and when I noticed it I would
> SWAT it. Because I am sure it would cause some problems with
> my existing hardware and software and if for example it would
> have some problems with my cache-program and I wouldn't notice
> that it would possibly ruin my data - and that not so nice thing
> to do.

Don't be so sure... Suppose that the beneficial virus does the following:

1) Modifies only one executable file on your system.
2) This file is an anti-virus program.
3) The modification consists of replacing the program with a newer copy.
4) The virus infects your computer when you log to the LAN server.
5) The virus has been installed on the LAN server by the LAN administrator.
6) The LAN owner has a policy that no workstations are allowed to log in unless they are running the latest version of this particular anti-virus software.
7) The virus (actually a worm - it does not "attach" itself to programs and spreads via networks) does not do anything else.
8) The whole thing is marketed by the producer of the anti-virus software not as a virus, but as "a centralized method for automatic update of the software on the workstations".

I guess, you won't SWAT a virus like that, unless you want to lose your right to use the LAN. I don't see any kind of damage that a virus like that could cause, at least not more damage than any other piece of software that you run from the server. And there is a clear beneficial effect - all workstations automatically get updated copies of the latest version of the anti-virus software, so you don't need to update them manually.

> Second If we think we would have such a beneficial virus (huh)
> there is a problem with support. What do you think would happen
> If I have this 'beneficial' virus in my system and everything
> is working fine. Then after some period I am starting to get
> problems with other software. When I call the supportline of
> this software maker I am sure they will say "Hey get first rid
> of that virus and THEN after that call here when you have
> a clean system".

How is this different with any other piece of software? I am running DR-DOS 6.0 and have problems with some programs. The producers of those programs are telling me "Sorry, that's probably a problem with DR-DOS, get rid of that first". In your particular case, you report the problem to your LAN administrator. He either fixes the problem, or reports it to the producer of the virus. The producer either ships a fix, or the LAN admin deinstalls the virus from the server. What is so problematic with this? The main problem is in your mind, because you are afraid of the word "virus"; if it is sold to you as something else, you'll happily use it...

> Other point to this is that if there is a need for certain
> kind of a software why not make 'normal' version of that
> and distribute it like ShareWare or PD.

What does "normal" mean? I am speaking about normal programs, sold by Central Point Software, Fifth Generation Systems, etc. The self-spreading across LANs capability is a very useful and necessary feature.

> So actually I am asking you what would be that kind of a need
> that you have to do it viruslike? I can't think of any. And
> the benefits of using viruslike methods have to be so big
> that they make up for the trouble caused by viruslike distribution
> of software.

The main problem is that when talking about beneficial viruses, most people think about what is well-known to be a virus (something nasty that spreads without your permission and often destroys something) and then try to fit it into the frame "beneficial". Of course it doesn't fit. Instead, it should be the other way around - think of what is beneficial (good user interface, you have full control of it, performs useful functions) and then try to add virus-like capabilities to it (i.e. self replication) without losing any of the beneficial capabilities. Additionally, for the peace of mind of the general public, don't call it "virus", but something more sophisticated et voila!

> And lets take an example if there is that kind of a beneficial
> program that is distributed like a virus. Then when I got
> software from someone they have to tell me whether they are
> infected by this 'beneficial' virus or not otherwise I would
> sue them.

Of course they are telling you. The virus itself is telling you. It says "An old version of this software has been found; the policy of this LAN allows you to log in only if you are running the latest version of the software. Do you want me to update your software or to log you out?" You can't sue them, because the owner of the LAN has the full right to decide what the policy is - even if it is to format your hard disk before allowing you to log in. If you don't like it - just don't use the LAN. Of course, it has to warn you before performing the action and must allow you the choice to deny the action and not to log in.

> If you want information about this subject try to locate
> material from Fred Cohen who has been writing about this
> a long time and then there has been articles in Virus Bulletin
> and Virus News International and I have a feeling that Vesselin wrote
> something about this a some time ago.

I am afraid that the publications in VB and VNI have not paid enough attention to what Dr. Cohen talks about... On the other side, he often commits the mistake to think that some things are "obvious" to everybody, if they are obvious to him...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    15 Apr 93 13:05:38 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Survey

mdallin@lamar.ColoState.EDU (ABCDefghIJKLm) writes:

>To research it, I decided to throw together a survey, and send it to three
>places - a general all interest network, a bbs with frequent up/downloads,
>and to the experts on viruses (here).

I have one comment on two of the questions in the survey:

>2. Do you believe that some countries write viruses designed to infiltrate
>   computers in other countries?

Well, as countries don't write viruses, but people do, this question can be assumed to mean either:

2. Do you believe that programmers in some countries write viruses designed to infiltrate computers in other countries?

or

2. Do you believe that it is an official policy in some countries to write viruses designed to infiltrate computers in other countries?

You should clarify what you mean....

- -frisk
- --
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    15 Apr 93 13:43:34 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Scanners getting bigger and slower

Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) writes:

>But still, the more viruses there are, the more time you'll have to spend
>searching, or, to put it in other words, there are more things to search for.
>in every scanned file, that is, exclusive of various 'Turbo Scanning'
>techniques...)

True, but as I said, one can significantly increase the number of viruses that a program searches for, without affecting the speed noticeably.

>disinfector. Maybe a generic scanner, but what good is a scanner without a
>disinfector?

Generic disinfectors exist...
- -frisk
- --
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Thu, 15 Apr 93 10:12:42 -0400
From:    "Charles A. Patrick"
Subject: Macintosh [and non-PC] Postings

Of late I have noticed that there has been a distinct dearth of postings about NON-PC's. In particular, I have seen no postings about Macintosh virii. Certainly I have no recollection of postings about the most recent one that precipitated version 3.1 of Disinfectant.

Has there been some change in policy? Is there an alternative forum for Macintosh virii? If a policy change was announced, it is very likely that I missed it since I (CHAGRIN) rarely read the administrivia issues.

If it is indeed the case that postings for Macintosh virii will no longer be listed, please take my address off the mailing list. But please point me to the new Macintosh forum.

[Moderator's note: No change in policy at all; the content of the group is what the contributors make it to be. If you'd like to see more Mac postings, then please submit postings.]

Thank you.

------------------------------

Date:    Thu, 15 Apr 93 11:40:54 -0400
From:    Y. Radai
Subject: Re: Should viral tricks be publicized?

Inbar Raz writes:

> I work as a programmer, as you probably know, and the main field I work in is
> Data Security. ....
> really a matter of being loyal, obedient and trustful ....
> ... if you don't trust your people, ....

Forgive me for yanking these words completely out of the context in which you wrote them, but still, all this talk of TRUST, etc. reminds me of something I wrote a few weeks ago:

>> Btw, it should be noted that on Fidonet there appeared an article
>> describing tricks which can be used by virus writers to prevent tracing
>> and disassembly of their code. The reason I mention this particular
>> article is that it appeared under the name of someone who has
>> been contributing to this forum recently, Inbar Raz. The article is
>> called "Anti Debugging Tricks", and one of the virus writers found it
>> useful enough to forward it to 40 Hex (Number 9).

It's true that Vesselin has expressed the opinion that all tricks described in your article are relatively trivial to circumvent. However, that's irrelevant from my point of view. It's hard for me to imagine that anyone who wrote such an article could have had any intention other than to help the *virus writers*, not the AV people. Do you care to deny that? (or do I have to quote passages from it to prove my point?)

I have absolutely no complaints about the postings that you have submitted so far to the present forum. Nevertheless, it seems very strange to me that while you continue to submit articles on other subjects, you do not (unless I've missed some posting of yours) have a *single word of explanation* to offer on the above matter, which concerns you so personally. Isn't your silence an admission of guilt, Inbar ...?

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date:    Thu, 15 Apr 93 11:05:30 -0600
From:    ST29701@vm.cc.latech.edu
Subject: What is a fragmentation virus

I have an old copy of the FAQ so please tell me if the answer to this question is in the current version of the FAQ.

I have heard people talking about a new type of virus and a way for it to hide. They called it a fragmentation virus (this is not the name of a particular virus but a type of virus). Could someone give a detailed explanation of this?? You can post the message here so others can see or send it to me directly.

Thanks
Alan

------------------------------

Date:    Thu, 15 Apr 93 12:46:53 -0400
From:    "Steven W. Smith"
Subject: Re: Censorship/40-Hex

David Hanson wrote:
>
>How about distribution of a "clean" version of 40-Hex to the "good" guys?
>ie., Strip it of code, but leave comments and pseudocode. ..
>This would be censorship, of course, but it certainly has an element of
>reason missing from the fear response of total censorship.
>
>Comments?
>

OK, but only if you promise there won't be any code _OR_ naughty words. Maybe we could get Tipper Gore to do the editing, eh? (note to the humorless: that was a joke.)

In my opinion, "partial censorship" reeks as badly, if not worse, than total censorship. I've wondered where 40-Hex comes from, I'd read it, and I've got a career that I wouldn't flush down the toilet by doing something as stupid as releasing computer viruses. If you think an electronic publication like 40-Hex is "dangerous" I think you've led a sheltered existence (no offense intended). If you want a truly dangerous document, consider the _U.S. Army Improvised Munitions Handbook_ - available to any yahoo with $9.95.

 _,_/|   Steven W. Smith, Programmer/Analyst
 \o.O;   Glendale Community College, Glendale Az. USA
=(___)=  SMITH_S@GC.BITNET   smith_s@gc.maricopa.edu
   U     "Barney must not be allowed to reproduce"

------------------------------

Date:    Wed, 14 Apr 93 14:11:57 +0000
From:    dnebing@andy.bgsu.edu (Dave Nebinger)
Subject: Removing PingPong virus from boot sectors (PC)

One of the IBM's that I manage has pingpong virus in the boot blocks of the hard drive. I have Norton's AntiVirus, but it will not remove it. What do I have to do to remove the pingpong virus, or is it really nothing to worry about?

Dave Nebinger   dnebing@andy.bgsu.edu
Biology Network Manager

------------------------------

Date:    Wed, 14 Apr 93 16:37:10 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: VSUM (PC)

I have recently seen the new version of VSUM (currently VSUMX303) and must say that the user interface is much improved, particularly the part that lets you search the database for a particular string, I do not need to use LIST to examine the H! any more (also there is no more H!, been replaced by an .XDB).

Detractors say that it is flawed in the same way that Ralf Brown's interrupt list is flawed and it does have errors but I cannot think of anything today that is perfect - certainly if you have to ask, it is a good place to start.

I do still miss the old printable flat ASCII file but that was when VSUM still fit on a single 360k floppy. Today the hypercard-type file occupies nearly 2 Mb of disk space and I suppose that LIST on an XT might complete a search in my lifetime but one never knows.

For those on the net, it is available via anonymous FTP from mcafee.com or can be downloaded from many sources but be advised, even compressed it is over 800k - bare 2400 baud will take nearly an hour.

Last year I heard about several other compilations "in the works" but have not seen any yet so at least for now it is still an essential work.

Warmly,
Padgett

------------------------------

Date:    Wed, 14 Apr 93 22:59:55 -0400
From:    Mikael Larsson
Subject: McAfee latest version (PC)

lastort@access.digex.com (Mike Lastort) writes:

Hello Mike,

> I was just wondering if there was an address where McAfee's programs are
> available through Internet. I used to subscribe to Compu$$erve but have
> given up that habit when I got this account. Any info on how to ftp
> McAfee's programs would be greatly appreciated.

Yes, McAfee Associates themselves have setup an FTP site where you can get the files.. the address is mcafee.com [192.187.128.1] and the antivirus files are to be found in pub/antivirus - You can also find their utilities in pub/utilities.
If you have any problems with the program you can either mail to mcafee at support@mcafee.com or mail to me (mikael@vhc.se) since I am authorized McAfee Agent in Sweden.

Best Regards,
MiL

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre      Phone: +46-26 275740    Email: mikael@vhc.se
Box 7018               Fax:   +46-26 275720    or   : mikael@abacus.hgs.se
S-811 07 Sandviken     BBS #1: +46-26 275710   Fido : 2:205/204 & 2:205/234
Sweden                 BBS #2: +46-26 275715   Authorized McAfee Agent!

------------------------------

Date:    Wed, 14 Apr 93 22:59:44 -0400
From:    Mikael Larsson
Subject: Re: VSUM (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> It for sure cannot contain "info about all known viruses", because
> new viruses appear averagely three per day and it is updated monthly.
> But this is not the only problem - I have found almost all articles in
> VSUM to be very inaccurate, incomplete, verbose, and just plain
> wrong... So, no, I don't agree that it can be considered to be quite
> good...

Well, Okay, I maybe expressed myself a bit dizzy, but I still think it is quite good for the average user - Okay, not for us who know a lot about viruses, but for the "common-people" I think VSUM can be used with great satisfaction - even though it contains inaccurate information in some cases.

What do you recommend as a better alternative, instead of VSUM then?

MiL

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre      Phone: +46-26 275740    Email: mikael@vhc.se
Box 7018               Fax:   +46-26 275720    or   : mikael@abacus.hgs.se
S-811 07 Sandviken     BBS #1: +46-26 275710   Fido : 2:205/204 & 2:205/234
Sweden                 BBS #2: +46-26 275715   Authorized McAfee Agent!

------------------------------

Date:    Thu, 15 Apr 93 05:43:08 +0000
From:    s9106568@sandcastle.cosc.brocku.ca (PAUL NOLL)
Subject: Re: gerbil.doc virus (PC)

Paul Ducklin (duck@nuustak.csir.co.za) wrote:

: Thus spake colcloug%helios.usq.edu.au@zeus.usq.edu.au (Steven Colclough):
: >anyone come across this one? The gerbil.doc virus?
: >takes a text file, turns it into rubbish and at the top it says
: >gerbil.doc.
: This was one of the early Crazy Stories About Viruses which made it
: into print -- in Computers and Security about three years back, as
: I recall, under a title like "The Case of the Gerbil Virus That
: Wasn't", or some such.
: [Moderator's note: I remember it now; the article was written by Ray
: Glath, and it described a (non)incident that was reported to him. The
: bottom line was that no such virus existed.]
: Software problem combined with an old, internal pre-release name
: ["gerbil"] never mentioned in the manual, if my memory serves me.
- --

I have read the article doing research on computer viruses for a University report. You are correct. Something about the program writing gerbil to file names if my memory is correct, but which word processor was it again?

Be Seeing You.

###############################################################
" We live on a placid island of ignorance, in the midst of black
  seas of infinity, and it was not meant that we should voyage
  far ... ! "            -- H. P. Lovecraft (1890 - 1937)

Paul Noll    s9106568@sandcastle.cosc.BrockU.ca
###############################################################

------------------------------

Date:    15 Apr 93 08:26:45 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Help with Michelangelo! (PC)

Robert_Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner) writes:

>But the result is the same : you have to format your drive.

No, not always. I have been able to recover practically everything from some Michelangelo-trashed drives, by rebuilding the MBR and DOS boot sector manually, and using programs like NDD to recover the FAT. However, in general this will only work if (a) the drive is large and (b) if the computer was rebooted, or turned off before the virus got a chance to overwrite all tracks.

This is time-consuming and difficult - and should only be attempted if no decent backup exists.

- -frisk
- --
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    15 Apr 93 08:30:14 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: "DIR" infection, or "Can internal commands infect" (PC)

Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes:

>unreported). There is a reason for all that: every program that needs more
>memory MAY overwrite the TRANSIENT part in memory (so more memory is available
>to programs).

Small correction: Some TSRs may NOT overwrite that part, if they may get called while COMMAND.COM is active. This includes all programs that intercept INT 21, AH=4B, some INT 2FH functions etc...

- -frisk
- --
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Thu, 15 Apr 93 09:41:28 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Censorship/40-Hex (PC)

afrc-mis@augsburg-emh1.army.mil (David Hanson) writes:

> How about distribution of a "clean" version of 40-Hex to the "good" guys?
> ie., Strip it of code, but leave comments and pseudocode.

And to have the "bad guys" suing the "good guys" for breach of copyright or something like that? Black is white. White is black.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 15 Apr 93 09:43:10 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: "DIR" infection, or "Can internal commands infect" (PC)

Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes:

> VB:
> > DIR is an internal command and is executed by the currently loaded
> > command interpreter. It DOES NOT require reloading of the command
> > interpreter. Thus, even if the command interpreter on the floppy
> > is infected, it WILL NOT be loaded (and executed) if you
> > do a DIR on that floppy. Therefore, you CANNOT get infected this way.

> This is only partially true because of the following:

It is ENTIRELY true.

> COMMAND.COM is divided into 3 major parts:

[excellent description deleted]

> In conclusion: If you use a floppy drive system (assuming you've booted from
> it) and you type "DIR" it is possible (but not likely) that the TSR part of
> COMMAND.COM will try to load the TRANSIENT part from the infected floppy.

Wrong. It doesn't follow at all from your description. COMMAND.COM computes a checksum of the transient part and verifies it each time it displays the prompt. That is, after each program termination. EXTERNAL program. Any program can destroy the transient part of the command interpreter, but it will be reloaded right after this external program terminates. And it will be reloaded from your boot disk, BTW, not from the current one. (Well, more exactly, from the place pointed to by the COMSPEC variable.) During the reload, the checksum will be re-computed and DOS will keep insisting that you supply the real thing until the checksum matches. That's why you cannot use a different version of the command interpreter, even if you change COMSPEC to point to it. (You CAN use a different -copy- of the same command interpreter, located somewhere else, if you change the COMSPEC variable.) However, the DIR command is internal and its execution does NOT destroy the transient part of COMMAND.COM, therefore it NEVER causes its reloading.

> However: to infect the TRANSIENT part alone in such a way
> that the TSR will load exactly what you want is an un-easy task (however
> possible), but the *INFECTED* COMMAND.COM should be present at boot time since
> the TSR knows the file it is using to refresh the TRANSIENT by means of a
> CHECKSUM generated at first loading.

That's true, but we are talking about the DIR command performing this. It is IMPOSSIBLE.

> Thus: simply switching COMMAND.COM to an infected one (after the system is
> already booted) will not suffice.

More exactly, switching to an infected (or otherwise prepared) diskette that contains COMMAND.COM and using DIR to view the contents of the directory of this diskette WILL NOT cause reloading of the transient part of COMMAND.COM from the diskette and will not cause infection of the computer. (Except the simple case with an ANSI bomb, which I already discussed.)

> My conclusion is also that it is not possible (in normal conditions) to get
> infected just by typing "DIR".

It is not possible under any conditions (ANSI stupidities excluded).

> I think I explained above how you *might* execute some code by "DIR".

Nope, you didn't. I challenge you to describe to me a reproducible situation in which executing the internal DIR command (on an uninfected system and no ANSI keyboard programmability) will cause reloading of the command interpreter from the diskette that is being examined.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 15 Apr 93 06:50:49 +0000
From:    fabbr001@staff.tc.umn.edu ()
Subject: Re: McAfee latest version (PC)

lastort@access.digex.com (Mike Lastort) writes:

>I was just wondering if there was an address where McAfee's programs are
>available through Internet. I used to subscribe to Compu$$erve but have
>given up that habit when I got this account. Any info on how to ftp
>McAfee's programs would be greatly appreciated.

Since you have access to the Usenet News and FTP, there is a good chance that you have archie installed on your system. Assuming you're on a Unix machine: Send this command (some pieces are optional, just my way):

    archie -N1000 -m10 -s scan > scan.loc &
           |      |    |  |      |        |
           |      |    |  |      |        |_ to start a backg. proc.
           |      |    |  |      |__ a file name to store the result
           |      |    |  |__ the string you're looking for
           |      |    |__ option to match a (sub)string no-case sens.
           |      |__ max. number of hits (increase if necessary)
           |__ niceness level

Consult also the man pages for archie.

- --
Mauricio Fabbri - University of Minnesota, Minneapolis, MN, USA
Civil and Mineral Eng. Dept., and   | In Brazil: Space Res. Instit. (INPE)
Minnesota Supercomputer Institute   | Lab. for Materials and Sensors (LAS)
fabbri@msi.umn.edu                  | fabbri@las.inpe.br

------------------------------

Date:    Thu, 15 Apr 93 10:26:03 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New (?) virus ? (2294) (PC)

v922340@kemp.si.hhs.nl (Ivar Snaaijer) writes:

> The name of this virus is Terminator 2294. F-Prot can't detect it
> and scan v100 recognizes it as Terminator 2.
SCAN also calls a different (completely unrelated) virus "Terminator 2", so it is important to provide the virus IDs here: "your" virus is reported as [Term2] and [Bert] by SCAN 102 (only as [Term2] by SCAN 100) and the other one is reported as [Tm2]. > The virus seems to intercept INT > 13h and INT 21h and point them to 9f67:08f7 and 9f67:029C. The virus is The offsets are correct, but the segment depends on the amount of conventional memory in the system. The above values assume a 640 Kb system. > changes the encrypting number is some parts so it's almost imposible to > uncrypt it without debugging the virus, but it contains tricky code to avoid > that and it also hangs the system. Uh, what tricky code? The main decryption loop is trivial to debug and the rest of the code is almost straightforward... > time the virus hang the system and it seems to stay resident after pressing > CTRL-ALT-DEL so it can infect at boot time and then keep infecting normally No, that's not true. The virus does not survive warm reboot. However, due to the way it installs itself in memory and due to the fact that it is a fast infector, the first thing that it does is to infect the command interpreter. Of course, after a reboot, the virus will be present in memory - loaded there from the infected command interpreter. > thing a know for shure is that this virus only infects REAL .EXE's, not > disguized .COM's. That is, it checks the MZ magic number. It doesn't check for ZM, however. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Thu, 15 Apr 93 10:43:23 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Scanners and exe/com (PC) shakib.otaqui@almac.co.uk (Shakib Otaqui) writes: > Further reports on Fido-Net say that once uncompressed, SCAN > identifies the Taiwan virus in the file. F-Prot 2.07 says it has > ACAD. This is one and the same virus. The question is - which one exactly? Here are the possibilities: Full CARO name: F-Prot 2.07: SCAN 102: - --------------- ------------ --------- Jerusalem.AntiCAD.2576 Jerusalem (AntiCad-2576) Taiwan4 [T4] Jerusalem.AntiCAD.2900.Plastique Jerusalem (AntiCad-2900) Taiwan3 [T3] Jerusalem.AntiCAD.3088 Jerusalem (AntiCad-3088) Taiwan4 [T4] > Fido-Net Batchpower and Debug conferences. There are two variants > of the script: each produces a file called TNYCACHE.LZH, but the > executable within it is a COM file in one case and an EXE in the > other. There's a consensus that the COM version is a virus but > some disagreement about the EXE: some people have reported it as > harmless and others have said it also is infected. It should be trivial to verify whether the EXE file contains the virus; it might be a COM file converted to EXE format with the utility that comes with LZEXE. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 15 Apr 93 11:51:01 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Scanners and exe/com (PC) shakib.otaqui@almac.co.uk (Shakib Otaqui) writes: > Further reports on Fido-Net say that once uncompressed, SCAN > identifies the Taiwan virus in the file. 
> F-Prot 2.07 says it has
> ACAD.

Well, those names are (sort of) aliases. SCAN calls some of the Jerusalem.AntiCad viruses "Taiwan", which may be slightly confusing, as they are not members of the "Taiwan" family at all.

- -frisk

- --
Fridrik Skulason      Frisk Software International      phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-28801

------------------------------

Date: 15 Apr 93 14:00:29 +0000
From: tony@microware.co.uk (Tony Mountifield)
Subject: Virus Defense Activated - System Halted ??? (PC)

Hi Folks,

I have a strange problem with a friend's 386SX PC (Elonex PC-320X). He had had some problems with system files disappearing, which could well have been finger trouble (he is fairly new to computing). This made his C: drive non-bootable, so I booted from the Elonex DOS 5 Setup Disk. It automatically started up SETUP.EXE, so I went through the questions (keyboard type, etc.). After accepting the default values for "Install to" (C:\DOS) and "Run Shell on startup" (YES), and trying to continue to the next screen, the system gave a series of beeps of different frequencies, and then cleared the screen and displayed the message "Virus Defense Activated - System Halted". At this point Control-ALT-Delete does not work, although the RESET button does.

Does anyone know the cause and meaning of this message? I used both F-PROT (Nov 1992) and McAfee to scan both the hard disk and the Setup Diskette for viruses, and they both gave an "all clear".

Please Email responses - I will summarize if asked to.

Thanks in advance,
Tony.

- --
Tony Mountifield (G4CJO)            | Microware Systems (UK) Ltd.
- -----------------------------------| Leylands Farm, Nobs Crook,
Email: tony@microware.co.uk         | Colden Common, WINCHESTER, SO21 1TH.
(or: ...!uknet!mwuk!tony)           | Tel: 0703 601990  Fax: 0703 601991
- ------------------------------------------------------------------------
** Any opinions are mine, not Microware's - but you knew that anyway.
**
- ------------------------------------------------------------------------

------------------------------

Date: Thu, 15 Apr 93 10:51:29 -0400
From: karel@ic.uva.nl
Subject: re: Virus Buster (PC)

On 09 Apr 93 15:15:36 +0000 hq!fhi0055@dsac.dla.mil (Marc Poole) wrote:

> In reviewing the software VIRUS BUSTER, I came across some very
> interesting circumstances that might be of some interest to those
> looking for Anti-viral software.
>
> When installing the software, there is a watchdog capability which does
> not allow the document to be changed. This feature causes a redundant
> hassle when modifying files.
>
> The watchdog feature also creates a large problem when trying to use
> some executable files, for example the exe files to run a program (i.e.
> windows, modem software, word processors). It allows the execution to
> take place as far as loading the software, but does not allow the
> software to actually run. On occasions, the software will run with no
> problem, other times it just quits.
>
> On modem software, for example Quick Link II, it will not allow
> uploading of any files. It also, more than often, will not let the
> program run at all.
>
> That's as far as I got, after the few hassles, I cleaned off the virus
> software and replaced it with another.
>
> Hope this helps.

Marc's message puzzled me as I have been using Virus Buster for almost two years now and have not encountered similar problems. The Watchdog TSR is a combination of an activity monitor and a change detector, although the latter part is best left unused as this involves adding a checksum to the end of executable files which some programs don't like. In the newest Virus Buster system (v4.00) change detection is the sole task of the Buster program, which exits completely when done. VBTSR (a combination of the "old" VBShield and Watchdog) no longer supports it.
If you want to give the "old" Virus Buster another try, Marc, you might try activating Watchdog with the flags I have been using lately:

    Watchdog /A /L- /M /N- /P /Q /R /T-

Hope this helps.

Karel Sprenger                     | Email: karel@ic.uva.nl OR ks@ic.uva.nl
IC/IT, University of Amsterdam     | phone: +31-20-525 2302
Turfdraagsterpad 9                 | fax  : +31-20-525 2084
NL-1012 XT AMSTERDAM               | home : +31-20-675 0989

------------------------------

Date: Thu, 15 Apr 93 14:30:19 +0000
From: lindsas@ecf.toronto.edu (LINDSAY STUART JOHN)
Subject: FTP Available Virus Protection (PC)

With a million virus protection programs out there I was wondering if someone could give me a hand. I have Central Point Anti-Virus protection but I've been told it isn't such an effective virus protection program. What is the best ftp-available (money is tight) virus protection program that I can use on its own or in conjunction with CPAV?

Thanks in advance.

- --
*******************************************************************
* Stuart Lindsay     Electrical Engineering, University of Toronto *
* Address all Internet Correspondence to lindsas@ecf.utoronto.ca   *
*******************************************************************

------------------------------

Date: Thu, 15 Apr 93 12:27:34 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Single state machines and warm reboots (PC)

Several people have mentioned the ability of some viruses to survive warm reboots and suggested that only cold (power off) reboots be used. In fact what is happening is that the virus has intercepted the keyboard handler and is simulating a warm reboot rather than actually executing one. I know of no virus (and am sure will be corrected if wrong 8*) that can survive a *real* warm reboot.

Next, since the PC is a single state machine, any program that runs is, while running, in complete control of the PC. Therefore if a warm reboot command is issued explicitly, a virus cannot intercept it if it is issued as a direct call to ROM.
Accordingly the following code is presented as an explicit way to generate a warm reboot that would be difficult (but not impossible - this is software after all, but a virus would have to be looking for this specific sequence) to intercept (and there is a very large number of ways to express the same thing).

    XOR  AX,AX            ; DS = 0: the BIOS data area is addressed from segment 0
    MOV  DS,AX
    MOV  AX,1234h         ; warm-boot flag value
    MOV  [472h],AX        ; store it at 0:0472h (the reset flag word in the BIOS data area)
    JMP  0FFFFh:0000h     ; far jump to the ROM BIOS reset entry point

For those who are interested, the 1234h in 0:472h tells the BIOS not to run the full POST but just to clear conventional memory (usually) and restart.

Warmly,
Padgett

ps With regard to the Russian virus that traps the "device ready" intercept: I have not studied this one but at BIOS time all interrupt vectors must point to ROM BIOS or something is wrong & this is easy to detect (single state again).

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 64]
*****************************************
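An added example, not part of the digest and not code from any of its contributors, for the check Padgett Peterson describes in his postscript: at BIOS time every interrupt vector must point into ROM, so a vector aimed at conventional memory means something is already resident. The script decodes a 1 KB real-mode interrupt vector table image and flags every non-null vector whose target lies below an assumed ROM floor. The sample tables are constructed here: the "hooked" one uses the INT 13h/INT 21h targets 9F67:08F7 and 9F67:029C quoted in Bontchev's Terminator 2 reply. Assumptions not stated on the page: ROM begins at segment C000h (adapter ROMs plus the F000h system BIOS on a classic PC/AT memory map), a 0000:0000 vector is an unused entry rather than a hijacked one, and F000:FF53 / F000:EC59 are used only as plausible ROM entry points for the clean table.

```python
"""Flag interrupt vectors that point into RAM in a real-mode IVT image.

Added example (not from VIRUS-L or its posters).  Implements Padgett
Peterson's observation that at BIOS time, before DOS or any driver loads,
every interrupt vector must point into ROM.  Once DOS is up, vectors such
as INT 21h legitimately point into RAM, so run this only on a table captured
before the OS loads.

Assumptions (not on the page): ROM starts at segment C000h; a null vector
is an unused entry; F000:FF53 and F000:EC59 stand in for ROM entry points.
"""
import struct

IVT_SIZE = 1024                    # 256 vectors x 4 bytes: offset word, then segment word
ROM_FLOOR_LINEAR = 0xC000 << 4     # assumption: linear addresses >= C0000h are ROM


def linear(segment, offset):
    """Real-mode segment:offset -> 20-bit linear address."""
    return ((segment << 4) + offset) & 0xFFFFF


def parse_ivt(image):
    """Decode a 1 KB IVT image into a list of 256 (segment, offset) pairs."""
    if len(image) != IVT_SIZE:
        raise ValueError("IVT image must be exactly %d bytes" % IVT_SIZE)
    vectors = []
    for n in range(256):
        offset, segment = struct.unpack_from("<HH", image, n * 4)  # little-endian
        vectors.append((segment, offset))
    return vectors


def suspicious_vectors(image, rom_floor=ROM_FLOOR_LINEAR):
    """Return {int_number: (segment, offset)} for every non-null vector whose
    target lies below the ROM floor, i.e. in RAM that should hold no code at
    BIOS time."""
    flagged = {}
    for n, (seg, off) in enumerate(parse_ivt(image)):
        if seg == 0 and off == 0:
            continue                       # unused entry, not a hook
        if linear(seg, off) < rom_floor:
            flagged[n] = (seg, off)
    return flagged


def build_ivt(overrides, default=(0xF000, 0xFF53)):
    """Construct an IVT image: every vector -> `default` (assumed BIOS dummy
    IRET), except those listed in `overrides` as {int_number: (seg, off)}."""
    image = bytearray()
    for n in range(256):
        seg, off = overrides.get(n, default)
        image += struct.pack("<HH", off, seg)
    return bytes(image)


# Constructed samples.  CLEAN_IVT models a table as the BIOS leaves it;
# HOOKED_IVT is the same table after a resident virus has redirected INT 13h
# and INT 21h to 9F67:08F7 / 9F67:029C, the values quoted in Bontchev's
# Terminator 2 reply (9F67h sits just below the 640 KB boundary at A000h).
CLEAN_IVT = build_ivt({0x13: (0xF000, 0xEC59), 0x21: (0x0000, 0x0000)})
HOOKED_IVT = build_ivt({0x13: (0x9F67, 0x08F7), 0x21: (0x9F67, 0x029C)})

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_IVT), ("hooked", HOOKED_IVT)):
        bad = suspicious_vectors(image)
        print("%-6s: %d suspicious vector(s)" % (name, len(bad)))
        for n, (seg, off) in sorted(bad.items()):
            print("  INT %02Xh -> %04X:%04X (linear %05X)"
                  % (n, seg, off, linear(seg, off)))
```

The comparison is done on linear addresses rather than on the segment word alone, because a hook at, say, BFFF:0010 resolves to C0000h and is ROM, while a vector with a ROM-looking segment and a large offset can still land there; `rom_floor` is a parameter so the floor can be moved for machines whose ROM map differs from the classic one.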